Buffer Overflows : An Introduction

On the Agenda
 Definition
 Vulnerability Detection
 Skeleton Exploit
 Controlling EIP
 Relative jump
 Shell-code
(Importing from Metasploit ) (! Development)
 An Owned territory!

Buffer Overflow

Vulnerability Detection
 Code Review
Applied in open –source application analysis where the entire code is
checked for unchecked buffer at the language definition level.
 Reverse Engineering
Applied in both open and closed source applications .. Where an exe
is analyzed on the basis of memory interaction and the source code
is presented at machine level interaction
 Fuzz-ing the application
The applications’ communication standards are analyzed using
protocol reader and test data confirming standards are prepared and
send to the application – the crash is analysed.

Protocol Analysis

A simple protocol Fuzzer
Usage :
fuz <ipadress> <portnumber> <username> <password> <command> <number of bytes to start
with>
 while((sizeof(super_buffer)- buff_size)>25)
{ char *rec_buf_1;
rec_buf_1 = (char*)malloc(buff_size);
memcpy(buff,super_buffer,buff_size);
sprintf(buff1,"%s %srn",command,buff);
printf("Sending buffer of %d length n",buff_size);
send(shesh_in, buff1,strlen(buff1),0);
recv(shesh_in,rec_buf_1,buff_size,0);
buff_size = buff_size +300; sleep(1);} free(buff);
//close(shesh_in);

* Bang >> Crrrrrrrrrash !!!

Crash Analysis

Creating Smart Buffer

Calculating Size of Payload

jmp esp >The Golden Jump
Location

jmp> esp in user32.dll

Where not to jump ;)
bt ftp # grep badchar*

Automated shellcode development
 Lets do it live :
http://www.metasploit.com/shellcode/
Why encoder ??

Doing nothing is so so important

 Use of nop-sledge to increase reliability

Elementary ,My dear Watson!!!