Download
buffer overflow walk through n.
Skip this Video
Loading SlideShow in 5 Seconds..
Buffer Overflow Walk-Through PowerPoint Presentation
Download Presentation
Buffer Overflow Walk-Through

Buffer Overflow Walk-Through

269 Views Download Presentation
Download Presentation

Buffer Overflow Walk-Through

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

  1. Buffer Overflow Walk-Through

  2. TheCode

  3. Change name of notesearch program in our exploit code to match course naming convention strcpy(command, “./bettersearchnote.exe\’”); bettersearchnote.exe 16

  4. Change name of notesearch program in our exploit code to match course name in convention

  5. Normally, Jose runs bettersearchnote program to search for notes with keywords of his choosing jose@EC310-VM $ ./ bettersearchnote.exe “Life” Life is Beautiful

  6. The exploit program is crafted to run the program on his behalf, using the function “system()” jose@EC310-VM $ ls unix_basicsbooksrc work desktop ec310code For example system(“ls”) would list the content of the current directory as though it was run from the command line • } like this except no one ever enters this at the command prompt

  7. The exploit program is crafted to run the program on his behalf, using the function “system()” jose@EC310-VM $ ./system_example.exe unix_basicsbooksrc work desktop ec310code system_example.c #include… int main() { system(“ls”); }

  8. Now, lets look at what the exploit program does… Standard inclusion of C libraries

  9. The goal of our exploit program is to open a root shell This is machine language that opens a shell prompt for the user running the program

  10. First, the set-up… This is the standard way to start a program and take in command line arguments… But you already knew that

  11. Building the stack… These lines declare the variables to be used in the program Address buffer Address command Integer Variables are placed on the stack for the main function offset270 Integer ret Address ptr Integer i

  12. Allocating memory on the heap for our string command, which will be called by the function system() . Allocates 200 bytes on the heap for the string command 0x__ 200 Bytes The address of this location on the heap becomes the value of the pointer command buffer command&command offset 270 This string will eventually be run with the function system() ret ptr i

  13. Allocating memory on the heap for our string command, which will be called by the function system(). The bzero function places 200 0x00’s starting at the location to which command points 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 200 Bytes buffer command&command offset270 ret ptr i

  14. Building the String command This copies the string “./bettersearchnote.exe ‘“ into the location pointed to by the pointer command 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 . / b e t t e r s e a r c h n o t e . e x e ‘ 00 00 00 00 00 00 00 00 buffer command&command offset 270 ret ptr i

  15. This string will eventually overflow the bettersearchnote buffer, have the program execute our malicious code, and open a shell Next we need to find the address where the command line arguments for bettersearchnotewill start! Take the number of bytes in the current string command, until the null terminator (24 bytes). Add this to the address pointed to by the variable command and store that address in the pointer buffer. . / b e t t e r s e a r c h n o t e . e x e ‘ 00 00 00 00 00 00 00 00 24 Bytes + buffer &command command &command offset 270 ret ptr i

  16. Specifying our custom return address . / b e t t e r s e a r c h n o t e . e x e ‘ 00 00 00 00 00 00 00 00 This takes the command line argument to create our own custom offset value, but it is not used. buffer &command+24 command &command offset 270 ret ptr i

  17. Specifying our custom return address This takes the address of i and subtracts the value of offset. This value is placed in the variable ret . / b e t t e r s e a r c h n o t e . e x e ‘ 00 00 00 00 00 00 00 00 , this value represents the address of our desired shell code execution entry point. buffer &command+24 - 270 command &command offset 270 ret ptr &i i

  18. And place enough copies of our custom return address in the buffer to overwrite the original return address. . / b e t te r s e a r c h n o t e . e x e . ‘ 00 00 00 00 00 00 00 00 00 00 00 00 Takes the address contained in ret and places it in the address pointed to by the buffer. This repeats every 4 bytes for 40 iterations. buffer &command+24 command &command offset 270 &i - 270 &i - 270 &i - 270 ret &i-270 ptr i

  19. Now the entire heap looks like this

  20. Next create a buffer of filler commands, called NOPs, to help find the shell code . / b e t te r s e a r c h n o t e . e x e . ‘ &I - 270 &I - 270 &i - 270 ret 0x I – addr - 270 &i- 270 &i - 270 &i- 270 &i - 270 &i- 270 memset() sets a byte in memory to the value specified. In this case it puts the value 0x90 in the address pointed to by the buffer and into the next 59 addresses as well. 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 buffer &command+24 command &command 0x90 is machine code for “No Operation,” Which literally means do nothing. offset 270 ret &i-270 ptr i

  21. Now the entire heap looks like this NOP sled

  22. Then place our shell code into the buffer immediately following the NOPs . / b e t te r s e a r c h n o t e . e x e . ‘ 0x90 0x900x900x90 0x90 0x900x900x90 0x90 0x900x900x90 ret 0x I – addr - 270 ret 0x I – addr - 270 ret 0x I – addr - 270 ret 0x I – addr - 270 ret 0x I – addr - 270 ret 0x I – addr - 270 buffer &command+24 command &command Copies the shell code into memory after the NOP sled offset 270 ret &i-270 ptr i

  23. Now the entire heap looks like this With the newly inserted shell code here

  24. Close the string command with a quote so it is ready to be run by the function system() Concatenates a single quote at the end of the string command ‘

  25. Now the string command is finished and ready for execution. jose@EC310-VM $ ./bettersearchnote.exe ‘\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x31\xc0\x31\xc9\x99\xb0\xa4\xcd\x80\x6a\x0b\x58\x51\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe2\x53\x89\xe2\x53\x89\xe1\xcd\x80\x80\x&i-270\x&i-270 \x&i-270\ x&i-270\ x&i-270\ x&i-270 \ x&i-270 \ x&i-270 \x&i-270 \x&i-270 \x&i-270 \x&i-270 \x&i-270 \x&i-270 \x&i-270 \x&i-270 \x&i-270 ’

  26. exploit_notesearch bettersearchnote.exe searchstring 100 characters allotted to searchstring by bettersearchnote.exe fd exploit_notesearchcommand buffer contains 184 bytes, so it writes 84 bytes beyond the end of searchstring’s allotted space. printing user id sfp return address Ensuring one of our custom return addresses replaces the original return address