## https://sploitus.com/exploit?id=2484337C-A971-585C-B187-82067959BCB5
# Stack-Based Buffer Overflow: From Bug to Code Execution
## Introduction
This repository contains a technical Proof of Concept (PoC) for a **Stack Buffer Overflow** vulnerability in a 32-bit Windows application (`stackBuff.exe`). The goal of this project is to demonstrate how an uncontrolled input can lead to arbitrary code execution by overwriting the return address on the stack.
## 1. Vulnerability Validation
The program `stackBuff.exe` uses the `strcpy` function to copy user input into a local buffer of 128 characters without length validation.
- **Initial Test**: Sending a buffer of 300 "A"s causes a crash.
- **Root Cause**: The program attempts to execute memory at `0x41414141` (Hex for "AAAA"), confirming that the **EIP (Extended Instruction Pointer)** is under our control.
## 2. Dynamic Analysis with Immunity Debugger
Using **Immunity Debugger** and the **Mona.py** plugin, I analyzed the process state at the time of the crash.
- **Tools**: Immunity Debugger + Mona.py.
- **Opcodes used for debugging**:
- `\x90` (NOP): No operation sled for stability.
- `\xCC` (INT 3): Software breakpoint to pause execution at the start of the payload.
## 3. Calculating the Offset
To find the exact distance from the buffer start to the EIP, I generated a cyclic pattern.
- **Command**: `!mona pc 300`
- **Offset Identification**: After analyzing the crash with `!mona findmsp`, the EIP was found at an **offset of 140 bytes**.
- **Verification**: Sending 140 "A"s + 4 "B"s (`\x42\x42\x42\x42`) resulted in EIP containing `42424242`.
## 4. Controlling Execution Flow (The Trampoline)
Directly jumping to a stack address is unreliable due to memory shifts. To solve this, I searched for a **JMP ESP** instruction within a loaded module that does not have "Null bytes" (`\x00`).
- **Command**: `!mona jmp -r esp`
- **Selected Pointer**: `0x7c86467b` (located in `kernel32.dll`).
- **Endianness**: Since x86 uses **Little Endian**, the address is written in reverse: `\x7b\x46\x86\x7c`.
## 5. Payload Execution
The final exploit structure is as follows:
`[ 140 Bytes of Junk ] + [ JMP ESP Address ] + [ NOP Sled ] + [ Shellcode ]`
The shellcode used in this PoC executes the Windows Calculator (`calc.exe`) or the FreeCell game (`freecell.exe`) as a demonstration of successful exploitation.
## Tools Used
- **Immunity Debugger**: Dynamic analysis.
- **Mona.py**: Offset calculation and JMP pointer discovery.
- **Python**: Exploit automation script.
## Results
## Disclaimer
This project is for **educational purposes only**. The techniques demonstrated here are intended to help developers and security researchers understand memory corruption vulnerabilities to build more secure software.