Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Ceh v8 Labs - Module18: Buffer Overflow.

3,348 views

Published on

Cehv8 labs
Module18: Buffer Overflow

Download here:
CCNAv5: ccna5vn.wordpress.com
CEHv8: cehv8vn.blogspot.com

Published in: Education
  • Be the first to comment

Ceh v8 Labs - Module18: Buffer Overflow.

  1. 1. CEH Lab Manual Buffer Overflow Module 18
  2. 2. ICON KEY E7 Valuable information 3*’. Test your knowledge U V'eb exercise @ Workbook review CEH Lab Manual Page 902 Modu| o1B—Bul'loI'OvBlIlow Buffer Overflow Attack I /1 ll b/ fir/ ' 0L'? {fl0ll; u/9/'/ e 1) 7‘/ ‘ii/ lg r/ /Ifa f0 (I b/ fie/ ; I/ Je b/ fir/ '3 be/ /// I/11/)’ [Ir 0l'PI‘l‘/ /ll (I/ Id flqyflffllf Ill? )/100) lit’ 01/PI? ) ‘I'll/ T?/ I. Lab Scenario www. ic. unicam . br ~stolti urna buffer-oflow Hackers continuously look for vulnerabilities in software or a computer to break into the system by exploiting these vulnerabilities. The most common vulnerability often exploited is the buffer overflow attack, where a program failure occurs either in allocating sufficient memory for an input string or in testing the length of string if it lies within its valid range. A hacker can exploit such a weakness by submitting an extra—long input to the program, designed to overflow its allocated input buffer (temporary storage area) and modify the values of nearby variables, cause the program to iuinp to imintended places, or even replace the program's instructions by arbitrary code. If the buffer overflow bugs lie in a network service daemon, the attack can be done by directly feeding the poisonous input string to the daemon. If the bug lies in an ordinary system tool or application, with no direct access, the hacker attaches the poisonous string with a document or an email which, once opened, will launch a passive buffer overflow attack. Such attacks are equivalent to a hacker logging into the system with the same user ID and privileges as the compromised program. Buffer overflow bugs are especially common in C programs, since that language does not provides built—in array bound checking, and uses a final null byte to mark the end of a string, instead of keeping its length in a separate field. To make things worse, C provides many library functions, such as street and getline, which copy strings without any bo1u1ds—checking. As an expert ethical hacker and penetration teeter, you must have sound knowledge of when and how buffer overflow occurs. You must Iuiderstand stacks- based and heap-based buffer overflows, perform penetration tests for detecting buffer overflows in programs, and take precautions to prevent programs from buffer overflow attacks. Lab Objectives The objective of this lab is to help students to learn and perform buffer overflow attacks to execute passwords. In this lab, you need to: ' Prepare a script to overflow buffer ' Run the script against an application Ethical Hacking and Countenneasures Copyright © EC—Cou. ncil All Rights Reserved. Reproduction is Strictly Prohibited
  3. 3. Modu| e18—Buller0vevI| ow ' Perform penetration testing for the application ' Enumerate a password list E “‘i’ ""’°“" Lab Environment be demonstrated "'5i"9 Backhack ' A computer running with Windows Sewer 2012 as Host machine Virtual Machine _ _ _ _ ' A Virtual lIachine running with Back Track 5 R3 ' A web browser with Internet access ' Administrative privileges to run tools Lab Duration Time: 20 Minutes Overview of Buffer Overflow Buffer overflow is an anomaly where a program, while writing data to a buffer. overrtuis the buffer's boundary and overwrites adjacent memory. This is a special case of violation of memory safety. Buffer overflows can be triggered by inputs that are designed to execute code, or alter the way the program operates. This may result in erratic program behavior, including memory access errors, incorrect results. a crash, or a breach of system security. Thus, they are the basis of many software vulnerabilities and can be maliciously exploited. Lab Tasks overview Recommended labs to assist you in butter overflow: I] _ TASK 1 ' Enumerating Passwords in “Default Password List” V'iite a Code Compile the Code Exealte the Code Perform Buffer Overflow Attack Obtain Command Shell Lab Analysis Analyze and document the results related to the lab exercise. Give your opinion on your target’s security posture and exposure. OOOOO I'I. F.ASF. TALK TO YOUR INSTRIICTOR IF YOI' HAVE QUESTIONS RI-ZI. A'l'}-II) 'l'() THIS LAB. CEH Lab Matlual Page 903 Ethical Hacking and Countermeasures Copyright © EC—Cou. ncil All Rights Reserved. Reproduction is Strictly Prohibited
  4. 4. ICON KEY E Valuable information Test your knowledge E V'eb exercise EQ Workbook review CEH Lab Manual Page 904 Module17—ButlerOverl| ow Buffer Overflow Example I / I (1 b/ gfl/ ' are/ flan; M/ J/'/ e 11'/ ‘iii/ /pg (fair: to (I b/ gfe/ ; f/ Jr b/ gfl? /‘fr b0/I/ ll/ III)’ / Zr om‘/7//1 (I/ Id nrfirlre/ /I / //e/ /10/y ix 01/ml‘/ '/"fie/ /. Lab Scenario In computer security ai1d programming, a b11ffer overflow, or buffer overrun, vulnerability appears where an application needs to read external information such as a character string, the receiving buffer is relatively small compared to the possible size of the input string, and the application doesn't check the size. The buffer allocated at run-time is placed on a stack, which keeps the information for executing functions, such as local variables, argument variables, and the return address. The overflowing string can alter such information. This also means that an attacker can change the information as he or she wants to. For example, the attacker can inject a series of machine language commands as a string that also leads to the execution of the attack code by changing the return address to the address of the attack code. The ultimate goal is usually to get control of a privileged shell by such methods. Programming languages commonly associated with buffer overflows include C and C++, which provide no built—in protection against accessing or overwriting data in any part of memory and do not automatically check that data written to an array (the built—in buffer type) is within the boundaries of that array. Bounds checking can prevent buffer overflows. As a penetration tester, you should be able to implement protection against stack- smashing attacks. You must be aware of all the defensive measures for buffer overflow attacks. You can prevent buffer overflow attacks by implementing run- time checks, address obfuscation, randomizing location of functions in libc, analyzing static source code, marking stack as non—execute, using type safe languages such as Java, I[I_. , etc. Lab Objectives The objective of this lab is to help students to learn and perform buffer overflow to execute passwords. In this lab, you need to: Ethical Hacking and Countenneasures Copyright © EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
  5. 5. IE7 Th lab can be demonstrated using Backtrack Virtual Machine «E TASK 1 Writeacode Modle17—DuI'ler0verl| ew ' Prepare a script to overflow buffer ' Run the script against an application ' Perform penetration testing for the application ' Enumerate a password list Lab Environment ' A comp11ter rmming with Vfindowe Server 2012 as Host machine ' A Virtual Machine running with Back Track 5 R3 ' A web browser with Internet access ' Administrative privileges to run tools Lab Duration Time: 20 Minutes Overview of Buffer Overflow Buffer overflow takes place when data written to a butler because of insufticient bounds checking corrupts the data values in memory addresses, which are adjacent to the allocated buffer. Most often this occurs when copying strings of characters from one buffer to another. ‘(/ hen the following program is compiled and fun, it will assign a block of memory 11 bytes long to hold the attacker string. strcpv function will copy the string “DDDDDDDDDDDDDD” into an attacker string, which will exceed the buffer size of 11 b_vtes, resulting in buffer overflow. . .., ,.. .,. .u. .,. . . .,, ,,, flflflflflflflflflflflflfl Sm MUUUUIBUOW M-'I"I ai1a4ss1ovio ; Iinc| ude«Inio. n> ; int main ( ml avgr . that "avgvl : ( , rharBuffer[‘l1]—'AAAAAM'AAA'; : strcvv(B<mer, 'l)DDowI)DDI)w'): ; pvinrf1'9£ n", Ruflu]; ; lflullim DDDDDDDDDDD :1 A Overflow This type of vulnerabllity is prevalent in UNIX- and NT-based systems Lab Tasks 1. Launch your Back Track 5 R3 Virtual Machine. 2. For btlogin, type root and press Enter. Type the password as toor, and press Enter to log in to BackTrack virtual machine. CEH Lab Manual Page 905 Ethical Hzicking and Counlenneasures Copyright © by EC—Cou. ncil All Rights Reserved. Reproduction is Strictly Prohibited
  6. 6. Module 17- Buffer Overflow r. :.Lu' wnunw. -. uzsw . tll")tH" 11 0.’ ll H >4 ms: 01!; Iqme pr-nlncnl run; 17 ME“ I-ll: HT Vlfillld 303 Z Ifl| |MI. fll' I-In ant»- lanl um. not I: Much! ml we-rlc no rm -any : an H I “in -ellfi u. larval roll--Ilu In 3 . ~ . arnrsi In: curl run-Itur Juan and mi: gum: /n-n. -ll FIGURE 1.1: BackTr'ack Login Buffet ovexflowoccms 3. Type startx to launch the GUI. “'IlC1l 3 program OI PIOCCSS I mks to Sm“ more data in a lhikkimtl ur wt» g: —:u: s4. J. . bufier. 1.1:) uAi; it: i“ii‘un. “ much: In! uelurll: up ll): tun IE nus : .unmI~IIup«-cu u-In in-I-uni u’ 11 Lznnzu huh‘ n-I1-uni mu -1 mas: nu -nu-ml. »-my an . . lrllnlux tn unu m In In new '1 nu-u ll: ennui: -u‘ mtfimtn mam: IE1». FIGURE 1.2: BackTiack GUI Login-Startx Command 4. BackTI'ack 5 R3 GUI desktop opens, as shown in the following screensl1ot. / -~t Code which is entered in kcdit is case-sensitive. CEH Lab . VL1nual Page 906 Ethical Hacking and Countenneasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
  7. 7. Module 17- Butler Overllow FIGURE 1.3: BackTrack 5 R3 Desktop 5. Select the BackTrack Applications menu, and then select Accessories -) gedit Text Editor. << back | track § Q Pr languages commonly assomted with bufler overflows include C mmc++ FIGURE 1.4; Launching gedit Text Editor 6. Enter the following code in gedit Text Editor (Note: the code is case- sensitive). #include<stdio. h> void main ( ) { char *name; char ‘command; name= (char *)mallo<: (lO); command: (char *)malloc (128) ; printf ("address of name is : %dn", name); printf ("address of command is: %dn", command); printf ("Difference between address is : %dn", command- CEH Lab Nlanual Page 907 Ethical Hacking and Counternieasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
  8. 8. J“ . - 2. Code is compiled using the following commend: git b/ gferx brfiv. r x . z;: :«. No tool can solve completely the problem of butfer overflow, but they surely can decrease the probability of stack attacks Q TASK 2 Compile the Code Module 11—Bu1‘l'er0ved| ow name) ; printf ("Enter your name: "); gets (name) ; printf ("Hello %sn", name); system (command); 52'. 52'}: ""‘ . 0;» Saw 1.)’ iv lr kg *. ,‘K ‘l/ "’~aver1 Docwmmt 1 )1 art it e<sM1o. h> . O1fl ‘= i1'7l ( that 'v a >: , that ‘to ’1nd; '1: e= (<*mv ‘)"ill0(il0l; (C ix'H'l= l(Vh‘lI’ ')rmllO(lI28); pv1wtH‘.1ddvess of ll<1"l€ 15 : ’. dn“, n.r»: J, prntft ‘address of towand 1s: ‘.dn“, co rardi; pr147tfI‘D1i‘ference between address 15 “mm , rc arz1~v*a'e): prmtfl ‘Enter your na~ve: "); getsim 2): print? ! ‘Hello ’. sn“, na'e); syste'Icc"'awd); Pl1llTL‘Il V VI‘ '1" 3 V L! 15 C’‘‘ 3 INS FIGURE 1.5: Wlititig code for execution 7. Now save the program by selecting File 9 Save A39 root or simply click Save as shown in the following screenshot screenshot as huffer. c. v 'U"saved Document 1 it : :r(lur1e<std1o. h> void " nv-M Sri. t- r ic‘r1m root v . BvD. ‘.‘. »c (or ulhuv (older-, Cr 1l)f'l‘l Fnronng Cuvw-it LO(“ii‘ (UTF RI v I in-E'ir1rg Umx [mm v ‘V D I . u . gt. ’ '1 l Crmce Plum Tuxl V lnll '. ‘. 9')‘ 5 V L" 15 Co‘ 2 INS FIGURE 1.6: Saving the program 8. Now launch the command terminal and compile the code by running: gcc buffer. c -o buffer CEH Lab Manual Page 908 Ethical Hacking and Countermeasures Copyright © by EC—Couucil All Rights Reserved. Reproduction is Strictly Prohibited.
  9. 9. Module 17- Bufleroverllow rootgbt: ~ r le; i:: _ The program executes using following command: . / izrfir FIGURE 1.7: BackT1ack compiling the code 9. If there are any errors, ignore them. roottgabtz - FIGURE L8: BackTrack Error Message Yindov Q T A 3 K 3 10. To execute the program type . /buffer Execute the Code CEH Lab lIaunal Page 909 Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Suictly Prohibited.
  10. 10. Module 17- Buffer Overflow 113- 1-iv Uh wt-1 3l<: l." 1-A An executable program on a disk contains a set of binary instxuctious to be executed the processor. FIGURE 1.9: BackTrack Executing Program 11. Type any name in the Input field and press Enter, here, using Jason as an example. £1 Bufier overflows work stored addresses). FIGURE 1.10: Input Field 12. Hello Jason should be printed. Ethical Hacking and Countermeasures Copyright © by EC—Couur_il CEH Lab Manual Page 910 All Rights Reserved. Reproduction is Strictly Prohibited.
  11. 11. TASK 4 NH Perfonn Buffer Overflow Attack . _ Buffer overflow 'u. l.ne1b1]ilties typically occur in code that a programmer cannot accrarely predict butler overflow behvior. Q TASK 5 Obtain Command Shell Module 17- Bufleroverllow - roottgbt: ~ FIGURE 1.1]: I-Iellojason 13. Now. overflow the buffer a11d execute the listed system commands. 14. Run the program agai11 by typing Jbuffer. Type 12345678912345678912345678912345cat / etc/ passwd ill the Input field. 16. You can ’IE’‘ a printout of the password tile. FIGURE 1.12: E'ecuI: ing Password 17. Now, obtain a Command Shell. 18. Run the program agai11 Jbuffer a11d type 12345678912345678912345678912345/bin/ sh iii the Input field. CEH Lab lIannal Page 911 Ethical Hacking and Corltrtenneasrlres Copyright © by EC-Council All Rights Reserved. Reproduction is Suictly Prohibited.
  12. 12. Code scrutiny (writing secure code) is the best possible solution to buflcrflaw attacks. Module 17- Buffer Overllow l234567891234567B9123456739R345 Inn 5 r _ , ‘,'§' ', -5' ' ! I_| ,/ *l—" FIGURE 1.13: Executing 1B4567891W56789154567891345/bin/ sh 19. Type Exit in Shell Konsole or close the program. . , , o . c ). ‘f; ";’ "S 3 Analize and document the results related to the lab exercise. Give your opinion on your target’s security posture and exposure. ' Address of name is: 24616976 ' Address of command is: 24617008 ' Difference between address is: 32 ' Enter your name: 12345678912345678912345678912345/bin/ sh Bufier Overflow ' Hello 12345678912345678912345678912345/bin/ sh ' sh—4.1# ' sh—4.1# ' sh—4.1# I’l. l | I 1,l l() ()1’R l'. l R1 (II()1{ 11 ()l l1'l. Q1 1 l1() Rl'. l.‘'1lZI) 10 I111‘ l. H. CEH Lab Manual Page 912
  13. 13. Mofi. h17-Buflor0vIlflUw Questions 1. Evaluate various methods to prevent buffer overflow. 2. Analyze how to detect rLu1-time buffer overflow. 3. Evaluate and list the common causes of buffer—overfloW errors under . NET language. Internet Connection Required Cl Yes Platform Supported Classroom CEH Lab Manual Page 91.‘! Ethical Hacking and Coumenneasures Copyright C by EC-Council All Reserved. Reproduction is Stn'cdy Prohibimd.

×