Anatomy of a Buffer
Overflow Attack
Rob Gillen
@argodev
2. Don’t Be Stupid
The following presentation describes real attacks on real systems. Please note that most of the attacks described would be considered ILLEGAL if attempted on machines that you do not have explicit permission to test and attack. I assume no responsibility for any actions you perform based on the content of this presentation or subsequent conversations. Please remember this basic guideline: With knowledge comes responsibility.

3. Disclaimer
The content of this presentation represents my personal views and thoughts at the present time. This content is not endorsed by, or representative in any way of, my employer, nor is it intended to be a view into my work or a reflection on the type of work that I or my group performs. It is simply a hobby and personal interest and should be considered as such.
4. Credits
The vulnerability that we’ll be discussing was initially discovered by C4SS!0 G0M3S (louredo_@hotmail.com) and was published on June 17, 2011: http://www.exploit-db.com/exploits/17539/
James Fitts created a Metasploit module that I also reviewed while building this module: http://www.exploit-db.com/exploits/17540/
5. Overview
• Scenario
– Machine 1: Kali Linux (BackTrack)
– Machine 2:
• Windows 7 Professional x64, SP1
• Freefloat FTP Server v1.0
• Tasks
– Discover that a vulnerability exists
– Craft & test an exploit
• Goal: Obtain a reverse shell

6. Attack Process
• Identify target of interest
• Identify software/versions being used
• Set up a local instance
• Fuzz to identify the vulnerability
• Design/develop the exploit
• Test
• Package/weaponize
7. Terminology
• CPU Registers
• Debugger
• Buffer Overflows
• Fuzzing
• Shellcode
• Encoding
• Bind Shell/Reverse Shell

8. CPU Registers (8086)
• EAX – Accumulator Register
• EBX – Base Register
• ECX – Counter Register
• EDX – Data Register
• ESI – Source Index
• EDI – Destination Index
• EBP – Base Pointer
• ESP – Stack Pointer
Content from: http://www.swansontec.com/sregisters.html

9. CPU Registers (8086)
• EIP – program counter, or commonly “instruction pointer” – a processor register that indicates where a computer is in its program sequence.
• Holds the memory address of (“points to”) the next instruction that would be executed.
• Any thoughts on why this specific register is particularly interesting?
Content from: http://en.wikipedia.org/wiki/Instruction_pointer
10. Debugger

11. Buffer Overflow
Content from: http://en.wikipedia.org/wiki/Buffer_overflow

12. Fuzzing
• Identify points where the application or service accepts data
• Send varying lengths/types of data until we crash the service and/or overwrite key buffers
• Increase buffer length until no longer successful (identify the upper bound of memory space available for the exploit)

13. Shellcode
• Small piece of code used as the payload in the exploitation of a software vulnerability
• Name comes from the purpose – usually spawns a shell and performs some action
• Often written in assembly code
• Types:
– “normal”, Staged, Egg-hunt, Omelette
Content from: http://en.wikipedia.org/wiki/Shellcode
14. Shellcode Example
[BITS 32]
mov ebx, 0x00424F52
push ebx
mov esi, esp
xor eax, eax
push eax
push esi
push esi
push eax
mov eax, 0x7E45058A
call eax

15. Shellcode Example (commented)
[BITS 32]
mov ebx, 0x00424F52 ; load the null-terminated string “ROB” into ebx
push ebx            ; push ebx onto the stack
mov esi, esp        ; save the address of the null-terminated string “ROB” in esi
xor eax, eax        ; zero eax (eax = 0)
push eax            ; push the fourth parameter (uType) onto the stack (value 0)
push esi            ; push the third parameter (lpCaption) onto the stack (pointer to “ROB\0”)
push esi            ; push the second parameter (lpText) onto the stack (pointer to “ROB\0”)
push eax            ; push the first parameter (hWnd) onto the stack (value 0)
mov eax, 0x7E45058A ; move the MessageBoxA address into eax
call eax            ; call MessageBoxA with all parameters supplied

16. Shellcode Example (assembled bytes)
BB 52 4F 42 00 53 89 E6
31 C0 50 56 56 50 B8 8A
05 45 7E FF D0
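An added example (not code from the talk) that takes the 21 assembled bytes above as constructed input and checks them for the bytes a text protocol such as FTP cannot carry; the NUL at offset 4 (the terminator of “ROB”) is the kind of byte that forces the encoding step on the next slide. The helper names are my own.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Sample input: the MessageBoxA shellcode bytes from the slide above. */
static const unsigned char kShellcode[] = {
    0xBB, 0x52, 0x4F, 0x42, 0x00, 0x53, 0x89, 0xE6,
    0x31, 0xC0, 0x50, 0x56, 0x56, 0x50, 0xB8, 0x8A,
    0x05, 0x45, 0x7E, 0xFF, 0xD0
};

/* Returns 1 if the 32-bit immediate, laid out little-endian as x86 stores
 * it, equals the four bytes at s. This is why 0x00424F52 pushed to the
 * stack reads as "ROB" followed by a NUL terminator. */
int imm32_equals(uint32_t imm, const char *s) {
    unsigned char le[4];
    for (int i = 0; i < 4; i++)
        le[i] = (unsigned char)((imm >> (8 * i)) & 0xFF);
    return memcmp(le, s, 4) == 0;
}

/* Returns the offset of the first byte an FTP command line cannot carry
 * (NUL ends a C string; CR and LF end the command), or -1 if none.
 * A hit means the payload must be encoded before it can be delivered. */
int first_bad_byte(const unsigned char *code, size_t len) {
    for (size_t i = 0; i < len; i++)
        if (code[i] == 0x00 || code[i] == 0x0A || code[i] == 0x0D)
            return (int)i;
    return -1;
}

size_t shellcode_len(void) { return sizeof kShellcode; }

int shellcode_first_bad_byte(void) {
    return first_bad_byte(kShellcode, sizeof kShellcode);
}
```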
17. Encoding
• There are often restrictions as to what data can be sent via the exploit (NULLs, etc.)
• Self-extracting (smaller shellcode)
• Self-decrypting (avoid IDS signatures)
• Tools such as msfencode offer many options.

18. Encoded Shellcode
\xbe\x13\xaf\x49\x81\xda\xc7
\xd9\x74\x24\xf4\x58\x31\xc9
\xb1\x06\x83\xe8\xfc\x31\x70
\x0f\x03\x70\x1c\x4d\xbc\x3a
\x70\xde\x7d\x3d\x27\x69\x67
\x0c\x07\x39\x3e\x39\xd7\x02
\x34\xc0\x92\x0c\xb6\x1b
19. Bind Shell/Reverse Shell
• Bind Shell
– Target exposes a shell on a given port
– Attacker connects to that port and executes commands
– Remote administration
• Reverse Shell
– Attacker listens for connections on a given port
– Shellcode on the target connects to the attacker and sends a shell
– NAT-safe!

20. Bind Shell
Code executes on the target and exposes a listener on a specific port (e.g. 4444)
Attacker connects (binds) to client ip:4444
Target sends shell to attacker
(Diagram: Attacker and Target)

21. Reverse Shell
Code executes on the target and connects to the attacker ip:4444
Attacker exposes a listener on a specific port (e.g. 4444)
Target sends shell to attacker
(Diagram: Attacker and Target)
22. Fuzzing Pseudo-Code
• Build array of increasing-length strings (“A”)
• Build array of valid commands
• For each command in arrayOfCommands
– For each string in arrayOfStrings
• Establish FTP connection
• Submit command + string
• Watch for application hang/crash
• Inspect register values/pointers

23. Demonstration
FUZZING THE SERVICE

24. Design The Exploit
• Iterate with various malicious buffer sizes to see how much space is available
• Locate where within the evil buffer we actually overwrite EIP
• Locate where within the evil buffer we can place our shellcode (pointed to by another register)

25. Design The Exploit
• Select / configure / encode shellcode
• Integrate into exploit script (NOP slide, breakpoints, etc.)
• Identify a reusable jump address to consistently move to the shellcode
• Test with breakpoints
• Test in “real world” scenario

26. Demonstration
DESIGNING THE EXPLOIT
27. Solutions?
• This was an “easy” scenario
• Bounds checking is critical!
• Fuzz your own applications
• Address Space Layout Randomization (ASLR) makes life harder
• Operating System Support
– Data Execution Prevention

28. Questions/Contact
Rob Gillen
rob@gillenfamily.net
http://rob.gillenfamily.net
@argodev
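An added example (not the talk’s code and not Freefloat FTP’s) that ties the Fuzzing Pseudo-Code slide to the “bounds checking” and “fuzz your own applications” points here: a hypothetical FTP-style command parser with a fixed-size argument buffer and an explicit length check, driven in-process by the talk’s loop (each command × increasing-length “A” strings) to find the smallest input the parser refuses instead of overflowing. The function names and the 64-byte buffer size are my own choices.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ARG_MAX 64   /* fixed-size argument buffer, as a naive server might have */

/* Copies the argument after "CMD " into arg. Returns 0 on success and -1 when
 * the argument does not fit: this check is exactly what a server vulnerable
 * to the overflow on the previous slides is missing. */
int parse_ftp_line(const char *line, char *arg, size_t arg_size) {
    const char *sp = strchr(line, ' ');
    if (sp == NULL) { arg[0] = '\0'; return 0; }  /* command without argument */
    size_t len = strlen(sp + 1);
    if (len >= arg_size) return -1;               /* bounds check: refuse, never truncate silently */
    memcpy(arg, sp + 1, len + 1);                 /* len + 1 copies the terminator too */
    return 0;
}

/* The talk's fuzzing loop against our own parser: for each command, submit
 * "CMD " followed by n 'A's for n = 1..max_len and return the smallest n the
 * parser rejects (a crash in an unchecked parser would appear here as the
 * point where the copy overruns arg). Returns -1 if nothing was rejected. */
int fuzz_min_rejected_len(const char *const *commands, size_t ncmds, size_t max_len) {
    char arg[ARG_MAX];
    for (size_t c = 0; c < ncmds; c++) {
        size_t prefix = strlen(commands[c]) + 1;          /* "CMD" plus the space */
        char *line = malloc(prefix + max_len + 1);
        if (line == NULL) return -1;
        for (size_t n = 1; n <= max_len; n++) {
            memcpy(line, commands[c], prefix - 1);
            line[prefix - 1] = ' ';
            memset(line + prefix, 'A', n);
            line[prefix + n] = '\0';
            if (parse_ftp_line(line, arg, sizeof arg) != 0) { free(line); return (int)n; }
        }
        free(line);
    }
    return -1;
}

int main(void) {
    static const char *const cmds[] = { "USER", "PASS", "MKD" };
    printf("first rejected argument length: %d\n",
           fuzz_min_rejected_len(cmds, 3, 200));        /* prints 64 */
    return 0;
}
```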