About Mike Saunders - Red Siege (slide transcript, 2020/10/13; posted 24-Jan-2021)

Transcript
  • About Mike Saunders

    Principal Consultant – Red Siege
    Started in IT in 1998
    Security since 2007
    Fishing / hiking / cooking / baking / cigars / getoffmylawn

    https://redsiege.com/

  • Motivation

  • Assumptions

    - 32-bit x86 architecture
    - Dealing with stack-based overflows & overwriting the return address only
    - No stack canaries
    - No DEP or ASLR protections

  • WHAT IS BUFFER OVERFLOW? (image slide)

  • NOT A BUFFER OVERFLOW (image slide)

  • What is a Buffer Overflow?

    A program incorrectly allows writing more data into a buffer than it previously allocated, causing adjacent memory to be overwritten.
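Added example (not from the slides or the deck's source repo) modelling the adjacent-memory overwrite described above: a 16-byte local buffer sits directly below the saved EBP and return address, so an unbounded copy of 24 'A' bytes leaves 0x41414141 in the slot RET pops into EIP, while a length-checked copy refuses the input. `frame_t`, both copy functions and the placeholder addresses are constructed for this illustration.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Model of one x86 frame (constructed for this example): the local buffer
 * sits directly below saved EBP and the return address RET pops into EIP. */
typedef struct {
    char     buf[16];
    uint32_t saved_ebp;
    uint32_t ret_addr;
} frame_t;

/* Vulnerable pattern: copies as many bytes as the caller supplies into a
 * 16-byte buffer, so bytes 17-24 land in saved_ebp and ret_addr. Writing via
 * the frame pointer keeps the model defined; the real bug is an unbounded copy. */
void copy_unchecked(frame_t *f, const char *input, size_t len)
{
    memcpy((unsigned char *)f, input, len);
}

/* Hardened form: reject input that does not fit and leave the frame alone. */
int copy_checked(frame_t *f, const char *input, size_t len)
{
    if (len > sizeof f->buf) return -1;
    memcpy(f->buf, input, len);
    return 0;
}

/* Copy `input_len` bytes of 'A' with one routine; return what RET would load. */
uint32_t eip_after_copy(int use_checked, size_t input_len)
{
    frame_t f;
    char input[sizeof f];
    if (input_len > sizeof f) return 0;    /* the model holds 24 bytes */
    memset(input, 'A', sizeof input);      /* constructed input        */
    memset(&f, 0, sizeof f);
    f.saved_ebp = 0xBFFFF000u;             /* placeholder values       */
    f.ret_addr  = 0x08048ABCu;
    if (use_checked)
        copy_checked(&f, input, input_len);
    else
        copy_unchecked(&f, input, input_len);
    return f.ret_addr;
}
int main(void)
{
    printf("unchecked 24-byte copy: EIP <- 0x%08X\n", (unsigned)eip_after_copy(0, 24));
    printf("checked   24-byte copy: EIP <- 0x%08X\n", (unsigned)eip_after_copy(1, 24));
    return 0;
}
```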

  • Background – The Stack

    - Data structure – stores data in contiguous blocks
    - Temporary storage in RAM
    - Typical usage is to store local data, parameter values, and the return address
    - LIFO – Last in, first out

  • The Stack Visualized (figure, adapted from https://en.wikipedia.org/wiki/Stack_buffer_overflow)

  • ESP Register

    - Stores the location of the top of the stack
    - Address moves lower as the stack grows
    - Address moves higher as the stack shrinks

  • General Purpose Registers

    - EAX – Accumulator
    - EBX – Base
    - ECX – Counter
    - EDX – Data
    - ESI – Source Index
    - EDI – Destination Index
    - EBP – Stack Base Pointer
    - ESP – Stack Pointer

  • Special Purpose Registers

    - EIP – Extended Instruction Pointer
    - Stores the address of the next instruction to be executed
    - Control of EIP allows control of execution flow
    - Can only be modified through specific instructions or indirectly through the kernel

  • Stack Buffer Overflow Visualized (figure sequence, adapted from https://en.wikipedia.org/wiki/Stack_buffer_overflow)

  • Demo Time (screenshots)

  • Input Length – Key Points

    - Program broke between 1900 - 2100 bytes of input
    - EIP is 41414141 → AAAA

  • PATTERN_CREATE.RB – A Better Way

    /usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 2500

    Generates a non-repeating character pattern 2500 bytes in length

  • PATTERN_CREATE Input – Key Points

    - ESP starts with Cp0C
    - EIP is 396F4338
    - Hmm... What is that?
      – Hex representation of the ASCII character codes of 8Co9
      – 8 → 38
      – C → 43
      – o → 6F
      – 9 → 39
    - x86 is little-endian, so the values are reversed

  • pattern_offset.rb

    Finding Offset

    2006 bytes of input needed to trigger the overflow and control EIP

  • Verifying Our Offset

    Confirming that our offset is correct:
    - 2006 bytes of A
    - 4 bytes of B
    - 50 bytes of C

    If we’re correct, EIP should be 42424242
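Added example (a re-implementation for illustration, not Metasploit's pattern_create.rb or pattern_offset.rb) covering the pattern, offset and verification slides above: it generates the same Upper-lower-digit pattern, reverses the little-endian EIP 396F4338 back into "8Co9" to recover offset 2006, and builds the 2006 A / 4 B / 50 C confirmation input to show 42424242 landing in the return-address slot. `pattern_create`, `pattern_offset` and `verify_offset` are this example's own functions.

```c
#include <stdint.h>
#include <string.h>

#define PATTERN_MAX 20280   /* 26*26*10 triplets of 3 bytes before it repeats */

/* Re-implementation (for this example) of the pattern_create scheme:
 * UPPER-lower-digit triplets with the digit cycling fastest, so no 4-byte
 * window repeats within PATTERN_MAX bytes. Returns a NUL-terminated buffer. */
const char *pattern_create(size_t len)
{
    static char out[PATTERN_MAX + 1];
    size_t n = 0;
    if (len > PATTERN_MAX) len = PATTERN_MAX;
    for (char u = 'A'; u <= 'Z'; u++)
        for (char l = 'a'; l <= 'z'; l++)
            for (char d = '0'; d <= '9'; d++) {
                char t[3] = { u, l, d };
                for (int i = 0; i < 3; i++)
                    if (n < len) out[n++] = t[i];
            }
    out[n] = '\0';
    return out;
}

/* pattern_offset equivalent: EIP holds 4 pattern bytes little-endian, so
 * 0x396F4338 is "8Co9" in input order. Returns the byte offset, or -1. */
long pattern_offset(uint32_t eip, size_t len)
{
    const char *pat = pattern_create(len);
    char needle[5] = { 0 };
    for (int i = 0; i < 4; i++)
        needle[i] = (char)((eip >> (8 * i)) & 0xFF);
    if (memchr(needle, 0, 4)) return -1;     /* NUL can't be a pattern byte */
    const char *hit = strstr(pat, needle);
    return hit ? (long)(hit - pat) : -1;
}

/* Confirmation step from the deck: `off` bytes of A, then 4 B, then 50 C.
 * Returns the 32-bit value now sitting in the return-address slot. */
uint32_t verify_offset(long off)
{
    static char buf[4096];                   /* constructed input buffer */
    uint32_t v = 0;
    if (off < 0 || (size_t)off + 54 > sizeof buf) return v;
    memset(buf, 'A', (size_t)off);           /* filler up to the slot     */
    memset(buf + off, 'B', 4);               /* the bytes RET would pop   */
    memset(buf + off + 4, 'C', 50);          /* what ESP then points at   */
    memcpy(&v, buf + off, 4);
    return v;
}
```

On the deck's numbers the four bytes right after the slot are Cp0C, which is exactly what the ESP observation on the previous slide reports.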

  • From Controlling EIP to Code Execution

    - ESP is pointing to the start of CCCC... in our previous example
    - If we could tell the processor to start executing here, could we control execution?

  • Introducing JMP ESP

    - JMP ESP – tells the processor that the next instructions are at the memory address pointed to by ESP
    - We can’t just put JMP ESP into our code
      – We can’t write directly to EIP
      – We can’t load opcodes into EIP
      – EIP must contain the memory location of the next code to execute
    - We need to find a reliable location in memory containing JMP ESP

  • Locating a JMP ESP

    JMP ESP = FFE4 (opcode bytes)

  • Locating a JMP ESP

    Using mona.py with Immunity Debugger, we can search the modules in memory for one containing a JMP ESP opcode

  • Encoding Shellcode

    - x86/shikata_ga_nai used to ensure our shellcode doesn’t include “bad” characters: \x00 \x0A \x0D
      – CR/LF are used to signal end of input
      – \x00 – null terminator for strings in C/C++
      – These would result in our shellcode being truncated

  • Injecting Shellcode – Key Points

    - Return address is reversed (little endian)
    - 8 NOPs (\x90) – needed to provide space for the shikata_ga_nai encoder to decode the shellcode
      – Without this, the shikata_ga_nai decoder overwrites our shellcode
    - We used EXITFUNC=THREAD to allow the parent program to continue operating when our exploit finishes execution
      – If we don’t, the exploited program will crash

  • More Learning Opportunities

  • Credits

    - Stephen Bradshaw
    - Peter Van Eeckhoutte – @corelanc0d3r
      https://www.corelan.be/
    - Ron Bowes – @iagox86
      https://wiki.skullsecurity.org/indexs.php?title=Fundamentals

  • Special Thanks

    @c0mmiebstrd
    @bigendiansmalls
    @jaredbird

  • Resources For This Talk

    - vulnserver: http://www.thegreycorner.com/p/vulnserver.html
    - Mona.py: https://github.com/corelan/mona

  • Learning Resources

    - http://www.thegreycorner.com/2010/01/beginning-stack-based-buffer-overflow.html
    - https://www.corelan.be/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/
    - http://www.securitysift.com/windows-exploit-development-part-1-basics/

  • Learning Resources

    - https://en.wikipedia.org/wiki/Stack_buffer_overflow
    - https://en.wikibooks.org/wiki/X86_Disassembly/The_Stack
    - https://wiki.skullsecurity.org/index.php?title=Fundamentals

  • Practice Resources

    - http://overthewire.org/wargames/
    - https://www.vulnhub.com/
    - https://www.hackthebox.eu/

  • Questions?

    [email protected]
    @hardwaterhacker @RedSiege
    https://www.redsiege.com/blog/
    Slides available at https://redsiege.com/buffer101
    Source available at: https://github.com/hardwaterhacker/eip
