100 - Overflow Buffers
Buffer overflow vulnerabilities are commonly targeted by exploiting buffer sizes. For example, if a buffer is set to allow 8 bytes however 10 are pushed to the buffer, the bytes can overflow into the next buffer. Below is a simple example depicting two buffers with a size of 8 bytes each. The second step depicts the push of 10 bytes to buffer 1, followed by the resulting buffer overflow of the extra two bytes that are ultimately pushed into buffer 2. Although the example depicts only 10 bytes being pushed to the buffer, this number can be increased and cause an overflow to multiple areas of memory that are located after the buffer. Buffer overflow will often result in an application crashing as integral data is overwritten by the overflow data.
Buffer Overflows can be controlled to allow shellcode execution and the ability for an attacker to gain root/system access on a host or have the targeted application perform contradictory operations such as allowing authentication in some instances.
Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an adversary. As a consequence, an adversary is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the adversaries' choice.
Techniques
Explore
Identify target application: The adversary identifies a target application or program to perform the buffer overflow on. Adversaries often look for applications that accept user input and that perform manual memory management.
Experiment
Find injection vector: The adversary identifies an injection vector to deliver the excessive content to the targeted application's buffer.
Provide large input to a program or application and observe the behavior. If there is a crash, this means that a buffer overflow attack is possible.
Craft overflow content: The adversary crafts the content to be injected. If the intent is to simply cause the software to crash, the content need only consist of an excessive quantity of random data. If the intent is to leverage the overflow for execution of arbitrary code, the adversary crafts the payload in such a way that the overwritten return address is replaced with one of the adversary's choosing.
Create malicious shellcode that will execute when the program execution is returned to it.
Use a NOP-sled in the overflow content to more easily "slide" into the malicious code. This is done so that the exact return address need not be correct, only in the range of all of the NOPs
Exploit
Overflow the buffer: Using the injection vector, the adversary injects the crafted overflow content into the buffer.
Steps to Conduct a Buffer Overflow
Vulnserver and Immunity Debugger must be run as administrator during the testing. {: .prompt-info }
To setup the environment, two hosts are required: a Kali Linux host and a Windows 10 host. Install both Vulnserver and Immunity on the Windows 10 host.
Explore
Identify target application: Vulnserver is being used for this example.
Experiment
Find injection vector: Kali Linux has a built-in tool called
generic_send_tcp
that is used to generate TCP connections with the Vulnserver application and send data to the various inputs. The following is a sample of some of the inputs that are present on the Vulnserver application. This method of finding the injection vector is also referred to as spiking.
Using the
generic_send_tcp
, each buffer can be sent a large input in an attempt to identify buffer overflow vulnerabilities. The tool requires aspike_script
to be compiled before running against an application. The generic command parameter to run the tool isgeneric_send_tcp host port spike_script SKIPVAR SKIPSTR
. The spike_script should contain the following information, the%INPUT%
field should be replaced with the application input being tested.
Craft overflow content:
Once the script has completed, the byte count will be printed to the terminal. In this example, the application crashed at 3300 bytes and did not overwrite another registers apart from the
EAX
.The next phase once the byte count has been determined is to identify the memory offset for the
EIP
register as it is the one in which requires to be overwritten with attacking code. Metasploit contains a module to create a pattern that will be used for the offset. Running the Metasploit module can be achieved via the below command with the switch-l
indicating the byte count.Copy the output of the command, and either create a new Python script or alter the previous one used for the byte count discovery as per the example snippet below. Paste the copied offset string into
%OFFSET%
and enter the%IP%
and%PORT%
details.Run the python script and it should again cause the application to crash and identify the
EIP
register address within the Immunity Debugger output, which can be seen in the below image. Of particular note is the memory address of theEIP
which in this example is386F4337
.With the memory address of the
EIP
register obtained, another metasploit similar to that run to create the offset pattern can be executed to find the exact point in which theEIP
is located in the offset code. The Metasploit command is as follows with the switch-l
indicating the byte count and-q
representing theEIP
memory location. Executing the tool will print the offset byte in which theEIP
begins, in this example that is after byte 2003.With the previously identified module
essFunc.dll
, there are two other mona.py functions that can be run to identify pointers within the application that reference the module. First, the opcode forJMP ESP
must be identified using!mona assemble -s "JMP ESP"
which will output the opcode\xff\xe4
. Using this opcode, the pointers can be printed for the module using!mona find -s "\xff\xe4" -m essfunc.dll
. Ultimately, in this example, 9 pointers were identified that can be leveraged along with their attributed return memory addresses as per the image below. Any of the return addresses can be used, however0x625011d3
is selected for this example.The
-b
switch is used to list bad characters, if there are any additional they should be added. The example above depicts the NULL byte character. {: .prompt-info }Executing the Msfvenom command will output an unsigned char buf string, copy this code and add it to the python script as shown above within the
overflow
variable.
Exploit - The
shellcode
variable is now structured to complete the exploit. With an open a netcat listener (nc -nvlp &PORT%
) on the port chosen, the exploit can be executed with the result being a root shell via the buffer overflow.
Sources
Last updated