Now, starting this course I knew nothing about C, or assembly language for that matter; however, after several hours of going through the courseware for buffer overflows I thought I had a decent enough clue as to what I was doing and felt prepared as I moved on to the fixing exploits section. As I looked at the code I managed to follow the execution flow of the 643.c script and got to work on changing the easy bits that I knew needed to be fixed.
– Spoilers from here onwards, beware –
I then cracked on changing the return address to the one I used in my Python script; since I was executing against the same OS and software, I figured I could steal this, which indeed I could. Next I generated my own shellcode and just used a basic reverse shell generated by msfvenom to replace the one existing in the code, and changed the IP to that of my Kali machine. Simple enough… however, something caught my eye and I realised that the shellcode that existed in the exploit was smaller than the one I copied in; this meant I had to mess about with the memory allocation sizes and the size of the NOP sled and buffer. After adjusting these values and running the exploit I managed to get a reverse shell simply enough, and I was happy with myself for managing to fix it in about 20 or so minutes.
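The size bookkeeping described above is the part that usually bites when a larger msfvenom payload is dropped into an exploit that sends a fixed-length buffer. As an added illustration, not the course's 643.c and not code from the original post, the C snippet below computes the NOP sled needed to keep the total buffer length constant, refuses a payload that no longer fits, and checks for NUL bytes, which silently truncate shellcode that a typical C exploit copies with strcpy or measures with strlen. The total length, the offset to the saved return address and the return address itself are hypothetical placeholders (a 32-bit target is assumed), and the "shellcode" is a constructed run of INT3 bytes rather than a real payload.

```c
/* Added example, not the course's 643.c or 646.c. Every size and address
 * below is hypothetical. Layout built: [junk to saved EIP][ret][NOP sled][shellcode]. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stddef.h>

#define TOTAL_LEN     600u          /* hypothetical: bytes the exploit must send */
#define OFFSET_TO_RET 200u          /* hypothetical: bytes before the saved return address */
#define RET_ADDR      0x41424344u   /* placeholder, NOT a real JMP ESP address */
#define MAX_SC        512u

static unsigned char g_buf[TOTAL_LEN];
static unsigned char g_sc[MAX_SC];  /* constructed placeholder "shellcode": INT3 bytes */

/* Bytes the target mangles. Only 0x00 here because C exploits commonly
 * strcpy/strlen the shellcode and a NUL cuts it short. Hypothetical list. */
static const unsigned char kBad[] = { 0x00 };

/* constructed demo payload that contains a NUL */
static const unsigned char sc_with_null[] = { 0xcc, 0xcc, 0x00, 0xcc };

/* NOP sled length that keeps the buffer exactly total_len bytes, or -1 when the
 * shellcode no longer fits: the value that has to be recomputed whenever the
 * payload size changes. */
int sled_len(size_t total_len, size_t offset, size_t sc_len) {
    size_t fixed = offset + 4;  /* junk + 4-byte return address (32-bit target) */
    if (sc_len > total_len || total_len - sc_len < fixed) return -1;
    return (int)(total_len - fixed - sc_len);
}

/* 1 if any byte of sc is in the bad-character list, else 0 */
int has_badchars(const unsigned char *sc, size_t n,
                 const unsigned char *bad, size_t nbad) {
    for (size_t i = 0; i < n; i++)
        for (size_t j = 0; j < nbad; j++)
            if (sc[i] == bad[j]) return 1;
    return 0;
}

/* Build [junk][ret, little-endian][nops][sc] into out (capacity total_len).
 * Returns bytes written, or -1 if the payload does not fit or has a bad byte. */
int build_buffer(unsigned char *out, size_t total_len, size_t offset, uint32_t ret,
                 const unsigned char *sc, size_t sc_len) {
    int nops = sled_len(total_len, offset, sc_len);
    if (nops < 0 || has_badchars(sc, sc_len, kBad, sizeof kBad)) return -1;
    memset(out, 'A', offset);
    out[offset + 0] = (unsigned char)(ret & 0xff);         /* little-endian */
    out[offset + 1] = (unsigned char)((ret >> 8) & 0xff);
    out[offset + 2] = (unsigned char)((ret >> 16) & 0xff);
    out[offset + 3] = (unsigned char)((ret >> 24) & 0xff);
    memset(out + offset + 4, 0x90, (size_t)nops);
    memcpy(out + offset + 4 + nops, sc, sc_len);
    return (int)(offset + 4 + (size_t)nops + sc_len);
}

/* Fill the placeholder shellcode with sc_len INT3 bytes and build into g_buf.
 * Returns the written length, or -1 when a payload of that size does not fit. */
int build_with_placeholder(size_t sc_len) {
    if (sc_len > MAX_SC) return -1;
    memset(g_sc, 0xcc, sc_len);
    return build_buffer(g_buf, TOTAL_LEN, OFFSET_TO_RET, RET_ADDR, g_sc, sc_len);
}

int main(void) {
    size_t sizes[] = { 32, 300, 400 };  /* small original, bigger msfvenom, too big */
    for (size_t i = 0; i < 3; i++) {
        int sled = sled_len(TOTAL_LEN, OFFSET_TO_RET, sizes[i]);
        int n = build_with_placeholder(sizes[i]);
        printf("shellcode %3zu bytes -> sled %4d, buffer %4d\n", sizes[i], sled, n);
    }
    return 0;
}
```

With the placeholder numbers, a 32-byte payload leaves a 364-byte sled, a 300-byte payload shrinks it to 96, and a 400-byte payload returns -1 because 200 bytes of junk plus the 4-byte return address already exceed what is left; that last case is the one to check for before touching the debugger, since a payload that overruns the buffer will not land where the return address expects it.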
Now this is where the real fun begins: all you have to do is type 646.c into the Offsec forums and see the litany of posts regarding this exercise… In hindsight I probably should have looked at the forums regarding this, but I was full of confidence and determination from the last exercise and that drove me to dive in head first. Now I am not going to post a spoiler about how this one works because it seriously improved my knowledge of C, and if you are taking the course it is well worth the struggle; stick with it, trust me, it will be worth it in the end. But what I can tell you is that what I did in the previous exercise applied tenfold on the next one. I spent six hours adjusting memory parameters and messing about seeing the effect it had in Immunity Debugger. I knew what was wrong, I just had no idea how to fix it. Unfortunately I can't really say more, apart from that it is gut-wrenchingly painful when you finally solve it and wonder why it took you so long; however, I felt a bit better after looking at the forums and seeing that people had spent over two days with no luck. Oh, and if you are currently stuck on it my only advice is: follow the execution flow of the code, re-read all sections of the code and know what each part does (steep learning curve if you don't know C), and look at all the registers in Immunity and understand what the hell is going on.
Good luck, and soldier on,