June 5th, 2005, 07:19 PM
::::What I Know::::
I'm not really sure if this belongs in the newbie section, but relative to most on these forums I still consider myself a newb. Anyway, I'm currently trying to understand buffer overflows as well as I possibly can. I've read through "Smashing the Stack for Fun and for Profit" by Aleph One, another paper "STACK OVERFLOW EXPLOiTS ON LiNUX/BSDOS/FREEBSD/SUNOS/SOLARiS/HP-UX" over at Thc.org, and even attempted the cDc #351: The Tao of Windows Buffer Overflows. Other things I have enjoyed were Anti-online: Shellcode Thread and Antionline: How buffer overflows work.
Using this 'knowledge' *I would still like to read over everything again* I have attempted to use a proof-of-concept exploit for the old AIM goaway: protocol overflow. I've compiled this proof of concept with an introductory edition of Visual C++ 6.0 and created a specially crafted HTML page that would automatically use the vulnerable AIM client to establish a connection back to my 192.168.0.13 internal network address. I'm using VMware with bridged networking (192.168.0.14) and a vulnerable AIM client v. 5.53595, and accessing the HTML page to hopefully connect back to my actual address (.13) with netcat listening on the port specified (5194 in this case). I've tried having the proof-of-concept code connect back through my external IP 24.xxx.xxx.xxx with port 5194 forwarded to address 192.168.0.13, and then tried connecting directly from .14 (VMware vuln. address) to .13. On BOTH occasions netcat just sat there with apparently nothing happening.
I don't know what to expect from the community here regarding this particular problem, but if anyone has anything that I might be able to try just to get a feel for a proof of concept actually working, that would be appreciated.
Also, if there is any other material that I could possibly tackle to understand how I would actually catch these buffer overflows in the wild, that would be very helpful. If I remember correctly, whenever I used to attempt to overflow the goaim: protocol it would give me a Dr. Watson box with a lot of details regarding the current EIP and other registers. Would there be any way of attaining this knowledge by other means? Sorry for the length and if it was in any way confusing.
WigHtOloRE <--- pay attention to the capitalization.. jk
Also, I've created a .bmp that illustrates some of the key points on the stack. Take a look if you want and feel free to correct me if I've made any mistakes.
--- ONE MORE THING---
I am NOT a script kiddie. If this was an attempt to gain access to anyone's computer I would have chosen a newer exploit. I'm simply trying to further my knowledge with hands-on 'real world' examples. Thank you.