Hi guys, if you are here it means you are stuck somewhere doing buffer overflow or want to perform it. I decided to write a simple tutorial on buffer overflow for beginners or people who are interested in the field.
What will this tutorial cover?
This tutorial will teach you the basics of buffer overflow. Well there are different parts of it. Overall at the end of this tutorial you will understand how the Stack Based and SHE based buffer overflow attack are performed. We will be performing a buffer overflow attack over windows 10 by creating a server in C language and write a python script for attacking from kali Linux. For a simple attack I have both the server and the attacker in same network. If you want to perform the attack successfully I recommend you go through each and everything.
What is Buffer Overflow?
Buffer overflow is also known as stack smashing and is a very common attacks performed by the attacker. When more data is inserted into a fixed-length buffer the data overflows thus known as buffer overflow or buffer overrun. Let me give you a simple example to understand it more clearly. You have a small room that can fit 50 people in there. If you try to adjust 100 people in the same room it won’t be possible thus it will overflow the room and people will be standing in the gate overflowing. In more simple words you have a glass full of water and you are trying to put more water in it overflowing it.
History
The following Table.3.1 gives the overview of all the Buffer Overflow Attacks since the beginning with the Morris Internet Worm.
Table 1. Overview of Buffer Overflow Attacks
Requirement:
Table 2. H/W Configuration
Table 3. S/W Configuration
Windows Memory Structure
The Memory Structure of Windows Operating System have multiple sections that can be broken down in different components. To understand the depth of writing exploits and taking advantage of poor coding, we first need to understand all these components. So let us understand all the components in detail. The following figure shows a basic representation of the Memory Structure / Memory Map of Windows Operating System.
Stack-Based Buffer Overflow-The stack is a continuous space in memory used to organize data associated with function calls, including function parameters, function local variables and management information, such as frame and instruction pointers.
Heap Based Buffer Overflow-The heap is a memory structure used to manage dynamic memory.
Program Image- The Program Image portion of memory is where the executable resides.
Dynamic Link Library- DLLs are similar to executables, but they cannot be called directly, and instead they have to be called by an executable. of DLLs is to provide a method for the capabilities to upgrade without requiring the entire program to be recompiled when OS is updated.
Process Environment Block (PEB)- It is where non kernel components of a running process are stored. Information that is needed by systems that should not have access to kernel components is stored in memory.
Thread Environment Block (TEB)- It is spawned for each thread that a process has established. The first thread is known as the primary thread and each thread after that has its own TEB. Each TEB share the memory allocations of the process that initiated them, but they can execute instructions in a manner that makes task completion more efficient.
Kernel- The most critical component of the OS. All communication is brokered as necessary through OS features. The attacks we are highlighting here do not depend on a deep understanding of the kernel.
We need to understand the difference between Stack and heap. The following diagram explains the Stack and heap structure.
Figure 2. Stack and Heap
Immunity Debugger
Immunity Debugger is a powerful new way to write exploits, analyse malware, and reverse engineer binary files. It builds on a solid user interface with function graphing, the industry's first heap analysis tool built specifically for heap creation, and a large and well supported Python API for easy extensibility. We need to first start with the way Immunity is setup. Immunity debugger is based on Python. Many of the plugins to include Mona are written in Python, which means if you need to change something, you just modify the scripts.
Figure 3. Interface of Immunity Debugger
As you can see, the CPU window is broken up into four panes depicting the following information:
The CPU Instructions – displays the memory address, opcode and assembly instructions, additional comments, function names and other information related to the CPU instructions
The Registers – displays the contents of the general purpose registers, instruction pointer, and flags associated with the current state of the application.
EAX – The Accumulator Register.
EBX – The Base Register.
ECX – The Counter Register
EDX – The Data Register
ESI – The Source Index
EDI – The Destination Index
EBP – The Base Pointer
ESP – The Stack Pointer
EIP - The Instruction Pointer
The Stack – shows the contents of the current stack
The Memory Dump – shows the contents of the application’s memory
How will we perform Stack Based Buffer Overflow?
The following is a pictorial diagram that will explain how the stack overflow works.
Figure 4. Pictorial View of working of Buffer overflow in memory
In brief, the buffer size given is 100. We send the junk file i.e. A’s more than 100 to overwrite EBP and EIP. Then we find the offset of EIP and replace it with BBBB to confirm it overwrites in exact position. Then we will overwrite the EIP address with the JMP ESP address which will point towards the ESP and then the Shellcode. We will understand all these in detail in other parts.
How will we perform SEH Based Buffer Overflow?
The following is the pictorial view of the working of SHE Based buffer overflow.
Figure 5. SEH Based Buffer Overflow
The buffer is set to 100.We send more than 100 A’s to overwrite the EBP and then the Next SEH Record and then the SEH Handler. We overwrite the SHE Handler with BBBB to ensure and replace it with POP+POP+RET address which would jump to Next SEH where we enter the address of SHORT JMP which points to the Nops and then the Shellcode. We will talk about it in detail in the further parts.
Loading a DLL
A DLL is a piece of code which, when used, is made apparent into the address space of the application, as code which can be executed. Loading a DLL is an important part for the EIP to point to our Shellcode. Thus here is the DLL file you could use.
There are multiple methods of forcing the execution of Shellcode:
jump (or call) a register that points to the Shellcode. With this technique, we basically use a register that contains the address where the Shellcode resides and put that address in EIP. We try to find the opcode of a “jump” or “call” to that register in one of the DLL’s that is loaded when the application runs. When crafting the payload, instead of overwriting EIP with an address in memory, you need to overwrite EIP with the address of the “jump to the register”. This only works if one of the available registers contains an address that points to the Shellcode. This is how we are going to exploit the Server.
pop return : If none of the registers point directly to the Shellcode, but you can see an address on the stack (first, second, … address on the stack) that points to the Shellcode, then we can load that value into EIP by first putting a pointer to pop ret, or pop pop ret, or pop pop pop ret (all depending on the location of where the address is found on the stack) into EIP.
push return : This method is only slightly different than the “call register” technique.If we cannot find a or opcode anywhere, we could simply put the address on the stack and then do a ret. So we basically try to find a push , followed by a ret. Find the opcode for this sequence, find an address that performs this sequence, and overwrite EIP with this address.
jmp [reg + offset] : If there is a register that points to the buffer containing the Shellcode, but it does not point at the beginning of the Shellcode, we can also try to find an instruction in one of the OS or application DLL’s, which will add the required bytes to the register and then jumps to the register. We can refer to this method as jmp [reg]+[offset].
blind return : A RET instruction will ‘pop’ the last value (4 bytes) from the stack and will put that address in ESP. So if you overwrite EIP with the address that will perform a RET instruction, we will load the value stored at ESP into EIP. If we are faced with the fact that the available space in the buffer (after the EIP overwrite) is limited, but we have plenty of space before overwriting EIP, then you could use jump code in the smaller buffer to jump to the main Shellcode in the first part of the buffer.
SEH : Every application has a default exception handler which is provided for by the OS. So even if the application itself does not use exception handling, you can try to overwrite the SEH handler with your own address and make it jump to your Shellcode. Using SEH can make an exploit more reliable on various windows platforms, but it requires some more explanation before you can start abusing the SEH to write exploits. The idea behind this is that if we build an exploit that does not work on a given OS, then the payload might just crash the application (and trigger an exception). So if we can combine a “regular” exploit with a SEH based exploit, then we have build a more reliable exploit. Note that a typical stack based overflow, where you overwrite EIP, could potentially be subject to a SEH based exploit technique as well, giving you more stability, a larger buffer size (and overwriting EIP would trigger SEH).
We will be adding a dll file in the Server machine. So download the DLL file and keep it in the same folder as the server. You will need it further.
Shell
Shell is a piece of code or program which can be used to gain command execution on a device. There are two types of Shell which is explained below:
Bind Shell
Bind shell is a type of shell in which the target machine opens up a communication port or a listener on the victim machine and waits for an incoming connection. The attacker then connects to the victim machine’s listener which then leads to code or command execution on the server.
Figure 6. Bind Shell
Reverse Shell
A reverse shell is a type of shell in which the target machine communicates back to the attacking machine. The attacking machine has a listener port on which it receives the connection, which by using, code or command execution is achieved.
Figure 7. Reverse Shell
The above details are the basic thing that you should know to perform the attack. The Part 2 of Buffer overflow Attack will contain a much detailed view of a vulnerable server and Stack Based Buffer Overflow.
No comments:
Post a Comment