Now that we’ve discovered the password and both of the secrets, let’s see if we can break the program to execute some shellcode.
You’ll find that the program will consistently crash if a string longer than ~60 characters is entered for the password. More importantly, it is failing because we are overflowing a buffer, and modifying the EIP register.
It may be possible to leverage this overflow to execute some shellcode.
First, let’s try to determine exactly how many bytes are necessary to overflow the buffer. I am going to use a script provided in Kali called “pattern_create”, which prints a non-repeating string that will help us determine the number of bytes necessary to overwrite EBP and EIP.
After pasting the string from pattern_create into badfile.exe, we can see that EIP now has a value of “62413762”.
After pasting this value into the tool “pattern_offset”, we can see that the value in EIP is part of the string that we pasted in, at an offset of 52.
This means that 52 bytes of input reach the end of the stored base pointer, and with 52 + 4 bytes we overwrite the stored return pointer.
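As an added example (not code from the original post or from the Kali tools), here is a small Python re-implementation of the pattern_create and pattern_offset logic, so the EIP value seen above can be checked against the pattern offline; it assumes the standard Metasploit pattern layout (uppercase, lowercase, digit groups) and a constructed 500-byte default pattern length.

```python
import itertools
import string


def pattern_create(length):
    """Build the non-repeating cyclic pattern used for crash triage.

    Each 3-byte group is upper + lower + digit, so every 4-byte window
    is unique within the first 20280 bytes of the pattern.
    """
    groups = (u + l + d for u in string.ascii_uppercase
              for l in string.ascii_lowercase for d in string.digits)
    pattern = "".join(itertools.islice(groups, length // 3 + 1))
    return pattern[:length]


def pattern_offset(eip_value, length=500):
    """Return the offset of the 4 pattern bytes now in EIP, or None.

    eip_value is the register as shown by the debugger (e.g. 0x62413762).
    x86 is little-endian, so the bytes are reversed to recover the substring
    that was actually written over the saved return address.
    """
    needle = eip_value.to_bytes(4, "little")   # 0x62413762 -> b"b7Ab"
    index = pattern_create(length).encode("ascii").find(needle)
    return index if index != -1 else None      # None: value not from pattern


def crash_layout(offset):
    """Map an offset back to the stack frame: where the saved EBP and the
    saved return address start, counted in bytes from the start of input."""
    return {"saved_ebp": offset - 4, "return_address": offset}


if __name__ == "__main__":
    off = pattern_offset(0x62413762)
    print("offset:", off, crash_layout(off))   # offset: 52 ...
```

A None result means the register held something other than the pattern (for example an uninitialised value or a partially overwritten pointer), so the crash needs closer inspection rather than a trusted offset.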
Stay tuned for some exploitation in part 6…