Question

I am working on a project (in fact a competition) to exploit an application that is running on a remote server. I do have the binaries; they are compiled with some debug information (no source code) and no stack protection. I managed to inject shellcode onto the stack and overwrite the return address so that it is also executed with no problem.

The only thing is that I inject a hard coded return address. I guess there may be small differences of addresses depending on the operating system and architecture (should be 32 bit).

I don't know if the server executes the binary with ASLR or not. But it was deactivated - is there a method to inject a dynamic suitable return address?

I also locally tried to brute-force a possible ASLR address by connecting to the server running on my own machine. As the forked process crashes if the return address is incorrect, the file descriptor is not released and after 1024 tries no more connections are possible. Is there a possibility to brute-force the addresses?

Thank you!

Was it helpful?

Solution

is there a method to inject a dynamic suitable return address?

Yes, but it depends heavily on the application: you will seek a leaked pointer allowing you to compute usable addresses like the module base address. How do ASLR and DEP work?

You can also - assuming no ASLR - identify the maximum amount of data you can send to the remote server and set up a NOP sled as big as possible, then try jumping into it. This will slightly increase your success chances.

Is there a possibility to brute-force the addresses?

There is always a possibility, yet you probably don't want to rely on its probability - especially if it is a 64-bit application. Still, this paper might interest you: Protecting Against Address Space Layout Randomization ...

Have fun and good luck!
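The answer above turns on two properties of the target binary: whether its base can be randomised by ASLR at all (only position-independent ELF images, type ET_DYN, get a random base) and whether the stack is mapped executable (which stack-resident shellcode needs). The following is an added example, not code from the thread, that a defender can run over their own ELF images to audit exactly those two properties; it parses the ELF header and the PT_GNU_STACK program header directly, and the `make_elf32` helper builds constructed sample images rather than using any real binary.

```python
import struct

PT_GNU_STACK = 0x6474E551  # program header that records the stack's permissions
PF_X = 0x1                 # segment flag: executable
ET_EXEC, ET_DYN = 2, 3     # fixed-address executable vs. position-independent (PIE)


def elf_hardening(data: bytes) -> dict:
    """Report whether an ELF image is PIE (so ASLR can randomise its base) and
    whether PT_GNU_STACK marks the stack executable. A missing PT_GNU_STACK
    header is treated as an executable stack, matching the Linux loader."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64 = data[4] == 2                  # EI_CLASS: 1 = 32-bit, 2 = 64-bit
    end = "<" if data[5] == 1 else ">"   # EI_DATA: 1 = little-endian
    if is64:
        e_type, _, _, _, e_phoff = struct.unpack_from(end + "HHIQQ", data, 16)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
    else:
        e_type, _, _, _, e_phoff = struct.unpack_from(end + "HHIII", data, 16)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)
    stack_exec = True  # kernel default when no PT_GNU_STACK header is present
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if is64:                         # Elf64_Phdr: p_type, p_flags first
            p_type, p_flags = struct.unpack_from(end + "II", data, off)
        else:                            # Elf32_Phdr: p_flags sits at +24
            p_type = struct.unpack_from(end + "I", data, off)[0]
            p_flags = struct.unpack_from(end + "I", data, off + 24)[0]
        if p_type == PT_GNU_STACK:
            stack_exec = bool(p_flags & PF_X)
    return {"bits": 64 if is64 else 32, "pie": e_type == ET_DYN, "exec_stack": stack_exec}


def make_elf32(e_type: int, stack_flags: int) -> bytes:
    """Build a minimal little-endian x86 ELF32 header followed by a single
    PT_GNU_STACK program header (constructed sample data, not a real binary)."""
    ident = b"\x7fELF" + bytes([1, 1, 1]) + bytes(9)   # ELFCLASS32, LSB, EV_CURRENT
    ehdr = ident + struct.pack("<HHIIIIIHHHHHH", e_type, 3, 1, 0x8048000,
                               52, 0, 0, 52, 32, 1, 40, 0, 0)
    phdr = struct.pack("<IIIIIIII", PT_GNU_STACK, 0, 0, 0, 0, 0, stack_flags, 16)
    return ehdr + phdr


if __name__ == "__main__":
    # A non-PIE image with an RWX stack is the profile the question describes;
    # a PIE image with an RW stack is what hardening flags should produce.
    print("no PIE, RWX stack:", elf_hardening(make_elf32(ET_EXEC, 7)))
    print("PIE, RW stack:    ", elf_hardening(make_elf32(ET_DYN, 6)))
```

On a real system the same function can be applied to `open(path, "rb").read()` for each service binary; a result of `pie: False` together with `exec_stack: True` is the combination to fix in the build (PIE plus a non-executable stack) before relying on ASLR.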

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow