Buffer overflows of the web security and the software

Anatomy of memory:

Its content of Kernel at top and text at the bottom, the kernel is the command line having the pleas of it in the memory is bunch of ones because it is at the top of it. The text is read only code, the pleas of it in the memory is bunch of zeros because it at the bottom of it. The buffer overflow attack happens in the stack of the memory.

Anatomy of stack

Zoom is the stack from the memory, it divides into 4 parts ESP (Extended stack pointer), Buffer space, EBP (Extended Base pointer), and EIP (Extended instruction pointer)/ Return address.

So, the ESP in the top of the stack and the EBP in the bottom; in normal use for buffer the buffer space fills up with characters, so the buffer space is going to go downward, and the characters should stop when it reaches the EBP. However, if their buffer overflow attacks the overflow, the buffer space reaches over EBP and EIP. The EIP is the pointer address or return address. The attacker uses this address to point to directions that instruct. These directions are going to be the malicious code that give a reverse shell, which will lead to root.

Steps to conduct a buffer overflow:

Spiking: is a method that is used to find a vulnerable part of program once fined the vulnerable of the program will move to next step.

Fuzzing: is kind of similar to spiking. Fuzzy sends a bunch of characters at a program and see if can be break, if broken, it will move to next step.

Finding the offset: this step is finding in what point it has been broken and get the offset before moving to next step.

Overwriting the EIP: in the offset that found overwrite the EIP pointer address, it allowed to control the EIP.

Finding bad characters and right module: clean up things and then move to next step.

Generating Shell code: after doing the step 5, shell code is generated (malicious shell code) that allow to get the reversed shell. Use that to point EIP to malicious shell code then move to next step.

Root.

Tool for doing the buffer overflow

Victim machine: Windows 10

Vulnerable software Vulnserver.

Attacker machine: Kali Linux.

Debugger: immunity debugger.

Buffer overflow walk through

Staring with Spiking, after install and setup the windows 10, appendix (1) install in it the Vulnserver and immunity debugger appendix (2). So, after that in windows 10 disable Real-time protection, do that because the Vulnserver will be blocked by windows defender. Note (run all the program as administrator).

For installing Kali Linux, see appendix (3) form Kali command prompt connect to Vulnserver and see if it possible, note (by default Vulnserver runs on port 9999, change the IP address for both machines to 209.165.201.18 for windows and 209.165.201.18 for Kali and make the virtual box internal network by name internet see appendix (4), figure 1 shows the Vulnerable server connected after second try.

Moving on, writing help in caps to see if command can be used in the Vulnerable server the command shown in figure 2

To do spiking, all commands will be tried above one at time to do the attack. For example, stats by send bunch of characters and see if can overflow the buffer. If the command does the work the program will crash, then will know the stats is vulnerable, if not will move to next one.

The tool used for spiked called (generic TCP) this tool is show in figure 3

To use the generic TCP, one needs to know IP address, the port number, spike script, and the skip variables.

For the IP address, the is pre-set 209.165.201.18

For the port number, it by default 9999

For the spike script, it per write the file called stats.spk show in figure 4

For the skip variables it is zero.

So, will start to use the stats command in first try, this shown in figure 5

After hitting enter, it is starting to run but nothing happing, getting that from the immunity debugger, as figure 6. In figure 6 the right side is Kali run the spike with stats command in the left side the immunity debugger taking the command, and nothing happened. Killing the TCP by control +C to stop the attack so it is clear the stats are not vulnerable.

After some research about what command will be vulnerable to do spiking, I found the TRUN.

So, Trun need to change the script the deferent will be shows in figure 7 saved as trun.spk

Then, run the Trun same as the stats but the name of the file of the script will be different.

After running the Trun command found the immunity debugger start blinking and give paused sign shown in figure 8

That means their access violation when executing the Trun script. There is a need to stop the attack by killing the script by control +C. the Vulnserver it crashed that mean the attacks happened, and the immunity debugger write in the registers the overflow also can get information from it as shown in figure 9 some of this information is in the first line show that the Trun command sent this command sending hundreds of A’s that fill up the buffer space and it is over the buffer to the EBP and EIP. This is clear because 41414141 in Hex means AAAA because it 4 bytes. So, the overflow happened.

The next step is Fuzzing, python code will be created that do the overflow and stop when the Vulnserver is crashed, as the first step shows the Trun command is the working one will be used the code shown in figure 10. The first line is identifying the type of language used which is python, the second line is identifying sys and socket and then the sleep method. Moreover, the buffer = A multiply by 100 that means in each time the program run, it will write 100 A’s, then the while loop with try, the try to try connect and do the buffer overflow the first line inside the loop is for connect to the Vulnserver and the AF_INET it means the IPV4 and the SOCK_STREAM for the port number. Then, send over the Trun command + the buffer which is 100 A’s, then close and sleep for one second. If it still is connected, keep sending buffers. If the buffer is flowed, then print (Fuzzing crashed and print the number of buffers been sent.

So, run that script and the result is shown in figure 11 so it crashed on 2300 the script does not stop when the flow happened need to be stopped when overflow happened because of that the first try was give 5500 bytes, in this time of overflow the flow doesn’t retch to the EBP and EIP. The step will demonstrate three crashes happened. 

Now need to find the offset, to find offset that means to look at where the overwrite the EIP because that’s what need to be controlled, the tool using for finding the offset, this tool is provided by Metasploit framework it is called pattern create, this in the Kali machine.

To set the tool from the terminal that shown un figure 12 the tool has switch L that for length and switch for L is 3000, the 3000 because the Vulnserver is crashed in 2300 bytes. Therefore, the 3000 to be sure the buffer will flow.

After typing this in Kali terminal and hitting enter, it will give the result as figure 12 shows, by copying this code generated by pattern, write python code similar to the fuzzing one, to send this to Vulnserver.

The python code is in figure 13, which has the code generated by pattern, with value of 3000 to be sent to the Vulnserver, after sending this to the Vulnserver will get the value on the EIP, so this code will crash the Vulnserver and give back by the EIP value, then by use the tool of Metasploit and can get the offset, by use the pattern tool but this time in different way.

After running the python code, the Vulnserver is crashed and from the debagger, see the TRUN command with cyclical value generated it come cross the ESP, and the target is the EIP to control this value. The EIP is 386F4337.

To use the pattern, offset kali terminal is shown in figure 15.

This time, by using the pattern offset with length switch of 3000 and Q for finding and the finding is 386F4337. So, after hit enter that gives the pattern offset, that means inside the 3000 bytes, it found pattern and it relayed back to it. The result is getting the exact offset match at 2003 bytes, sure that is critical because that at 2003 bytes EIP can be controlled.

Now will overwriting the EIP, from pattern offset discovered that the offset is 2003 bytes, that means there is 2003 bytes before getting to EIP, the EIP is fore bytes long. Will try to overwrite the four bytes.

To do that, modified python code is required. Other than this the second option is to rewrite it to write 2003 A’s and write 4 B’s in EIP. The code shown in figure 16.

After running this code from kali to Vulnserver, as shown in figure 17 in the EAX, the TRUN is write A’s and EBP with A’s as well and finally the EIP it has 42 42 42 42 that means B’s but in hex, so result of that it is controlling the EIB.

Now, there is need to find bad characters, finding bad characters in relation to generate shellcode, when generating shellcode, there is need to know what characters are good for the shellcode and what characters are bad for the shellcode, that can be done by running all the hex characters through the program and seeing if any of them act up by default the null byte x00 acts up.

To that need to find in google the bad charts and from bulbsecurity.com copy all the lists and will use it for python code that shown in figure 18. Deleting x00 is of this list.

After running that code, check out debugger the ESP and right click it before following in dump, so from the Hex dump window look at the hex and see if anything out of place, that show in figure 19 after finding the missing characters.

Now, right module is required which means looking for a dll or something similar inside of a program that has no memory protections, which means no depth no ASLR no safe SEH etc.

For doing that, there is a tool called Mona modules that can be used with immunity debugger to do this this tool will be installing from github.com and then add it to the immunity debugger in the path following C:/Program File (x86)/ immunity lnc/ immunity debugger/pyCommands then go back to immunity debugger and add in the down bar (!mona modules) will open new window shown in figure 20

The mona modules shows the protection settings in the table, so looking for something attached to the Vulnserver, which is in the second line, this line it also is all false.

So, there is another way to do it as finds the opcode equivalent of a jump. That from kali and from terminal and locate NASM shell, and run it, so try to convert assembly language into hex code that shown in figure 21.

Going to use this as a pointer, the pointer going to jump the malicious shellcode. The hex code of the JMP ESP is FFE4.

Then go back to immunity debugger and type this in the down bar (!mona find -s “\ xff \ xe4” -m essfunc.dll) and the result shown in figure 22

The first line that the address is looking for, so, going back to kali and modifying the python code, the code is shown in figure 23.

In this code, add the return address that is found in MONA, that replaces the B’s by the pointer, will have the EIP by the jump code and then the jump code is going to go to malicious code. Adding the pointer in reverse, this reverse is for a special reason that is when talking with x86 architecture do something called Indian format, x86 architecture stores the low order byte at the lowest address and high order byte at the highest address. This code should throw the same code, but it is going to hit a jump point.

Need to edit some setting in to immunity debugger first before running the code to catch it. Expression is required to follow the pointer, and then set the breakpoint, when buffer overflow if hit this pint will not go to next instruction will break the program and pause into the breakpoint because we need to know that this pint it been hit.

Now back to kali and execute the script, after executing it the result is shown in the figure 25, see the breakpoint at essfunc.625011AF happened at the program is paused because it hits the breakpoint that means controlling EIP.

So, generate shellcode point directly to that shellcode and it can use the root.

To gain shell, use tool called MSF venom, that tool help to generate shellcode, the command shown in figure 26. This is MSF venom by Metasploit and set switch P for payload, the payload for Windows because the target is Windows machine and shell revers TCP, and assume x86 will declare that later, so the reverse shell do get the victim connect back, so need to provide the information of the connect back, that is kali machine IP address, this is LHOST and the port listening on that is LPORT, and set the exit func equal thread all that make the exploit more stable, then the -F for file type that will export in C, then -A architecture x86 and then -B for bad characters and the bad characters fund.

Then, hit enter and the code will be generated, so copy this code highlighted in figure 27 and add them to the python code. Can see in figure 27 the payload size is 351 bytes.

Modifying the python code by adding a new variable called overflow and paste the generated shellcode, also edit the shellcode variable by add the new variable and

This code is working by executing the shellcode variable and 2003 bytes that get to the EIP then hit the pointer address as known the pointer address is the jump address, so will jump to the set of instruction that provide, which is overflow variable, but before submitting that, there is need to add knops, knops is padding that means no operation, that little pad space between jump command and the overflow shellcode, so 32 bytes is the best fit of padding.

Open a new terminal window in kali to set netcat to listen which is shown in figure 29.

Before launching the attack, there is need to make sure the Vuln server is running and execute the python code.

As shown in figure 30, it can control the Vuln server from kali that’s mean having the root of it