Buffer Overflow - Creating Vulnerable Server - Part II

• Buffer Overflow - Overview - Part I

• Buffer Overflow - Creating Vulnerable Server - Part II

• Stack Based Buffer Overflow Exploit - Part III

• SEH Based Buffer Overflow Exploit - Part IV

• Buffer Overflow Mitigation & Recommendation Technique - Part V

• Secure Development Lifecycle (SDLC) - Part VI

In the previous part of the Buffer overflow exploit we went through the basic overview of buffer overflow. In this tutorial we will create a server that is vulnerable to buffer overflow attack and create a simple client or attacker that connects to the server and sends a simple message.

Github - https://github.com/RihaMaheshwari/Buffer-Overflow-Exploit

Creating a Server

We need to create a server where we can perform the attack. We are using Windows 10 as a target for an attack. Below is the server code that is written in C programming language that is vulnerable to buffer overflow attack stored in C:/VulnerableServer. Copy and paste the code in Visual Studio 2017 and compile it. 

//VulnerableServer.c #include “stdafx.h” #include “winsock.h” #include “windows.h” //load windows socket #pragma comment(lib, “wsock32.lib”) //Define Return Messages #define SS_ERROR 1 #define SS_OK 0void sError(char * str) { printf(“Error %s”, str); WSACleanup(); } char str[5000]; int  main(int argc, char * argv[]) { WORD sockVersion; WSADATA wsaData; int rVal; int bytesRecv; u_short LocalPort = 1200; SOCKET clientSocket; SOCKADDR_IN sin; SOCKET serverSocket;//Loading Library File HINSTANCE hDLL = LoadLibrary(_T(“C:\\ConsoleApplication4\\Debug\\dll.dll”)); char message[100] = “”; if (argv[1] == ‘\0’) { //wsock32 initialized for usage sockVersion = MAKEWORD(1, 1); WSAStartup(sockVersion, &wsaData);//create server socket serverSocket = socket(AF_INET, SOCK_STREAM, 0);if (serverSocket == INVALID_SOCKET) { sError(“Failed socket()”); return SS_ERROR; } sin.sin_family = AF_INET; sin.sin_port = htons(LocalPort); sin.sin_addr.s_addr = htonl(INADDR_ANY); //bind the socket rVal = bind(serverSocket, (LPSOCKADDR)&sin, sizeof(sin)); if (rVal == SOCKET_ERROR) { sError(“Failed bind()”); WSACleanup(); return SS_ERROR; } //get socket to listen rVal = listen(serverSocket, 10); if (rVal == SOCKET_ERROR) { sError(“Failed listen()”); WSACleanup(); return SS_ERROR; } else { printf(“Listening”); } //wait for a client to connect clientSocket = accept(serverSocket, NULL, NULL); if (clientSocket == INVALID_SOCKET) { sError(“Failed accept()”); WSACleanup(); return SS_ERROR; } else { printf(“\nConnected”); } bytesRecv = SOCKET_ERROR; printf(“%d”, bytesRecv); while (bytesRecv == SOCKET_ERROR) { //receive the data that is being sent by the client max limit to 5000 bytes. bytesRecv = recv(clientSocket, str, 5000, 0); printf(str); strcpy(message, str); if (bytesRecv == 0 || bytesRecv == WSAECONNRESET) { printf(“\nConnection Closed.\n”); break; } } //close client socket closesocket(clientSocket); //close server socket closesocket(serverSocket); WSACleanup(); return SS_OK; } else { printf(“argument :%s”, argv[1]); strcpy(message, argv[1]); } WSACleanup(); }

The above program will open a port (i.e. 1200) and start listening. The buffer size is 100 and the use of strcpy () function is made. In the above code, a dll file is loaded. The reason for why we need to load the dll file is explained in Buffer Overflow - part 1. The dll file is stored in the same address as the Server (i.e. C:/VulnerableServer/Debug/dll.dll). You can also download the dll file by clicking here. Compile the code and run it in Visual Studio 2017. The given Figure is the output when the code is compiled and running. 

Figure 1. Output of the Vulnerable server

Attaching Server with Immunity debugger

We will need to attach the server in an immunity debugger to see how the memory looks when running the server. When you run the server code in Visual Studio, it automatically generates an exe file that is stored in C:/VulnerableServer/Debug/VulnerableServer.exe. To attach the server in the immunity debugger, Open Immunity debugger and go to File → Open→ Select the VulnerableServer.exe file → Open as shown in figure.

Figure 2.  Opening the executable file in debugger

An alert may be displayed, you need to allow access and click on the run button to get the port listening. The output of this is the same as shown in figure 1.

Verifying Port is Listening

To check whether it is actually listening to the port number we provided open command prompt and type the following command:

netstat -an |find /i "listening" or netstat -an |find /i "1200"

The output of the command will give the result as Listening as shown in the below diagram.

Figure 3.  Verifying if the port 1200 is listening

Now we know the server is listening to the port number that we provided. Now the next step is to create a client/attacker which will send the data to the server through that port number.

Creating Attacker’s Script

Till now we just created a vulnerable Server that opens a port 1200 and listens to it. Now we need to create an attacker’s script that will connect to the port number 1200 and send a message. So we are going to use Kali Linux as an attacker’s machine. For this tutorial both the attacker and server are in the same network.

Before proceeding forward make sure you install python 2.7 in Kali Linux. Copy the following code written in Python and run it.

import socket host = 192.168.x.x            # Target Machine’s IP Address port = 1200                   # The same port as used by the server s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((host, port))       # Connects to the Port in Target machine s.sendall(b'Hello, world')    # Sends msg(Hello World) to the server s.close()                     # Connection is closed print("The message has been sent.")

To run you need to open the terminal in the same folder where the above python script is saved. And type the following-

Python ./script.py

When you press enter, it will send message (i.e. Hello World) to the server. The following figure shows you the output on the server side when the message is sent. Whereas from the attacker’s side you will see the text as “The message has been sent”. If you don’t get this output, you may not be in the same network. Make sure in the script you change the ip address with the server’s ip.

Figure 4. Message sent from attacker to server