Kali Linux 2016.1 - Buffer Overflow Tutorial

Video Statistics and Information

Video

Captions Word Cloud

Reddit Comments

Captions

today I'm going to show you how to do a buffer overflow attack it's the basis for a disturbingly large number of security vulnerabilities we find nowadays the buffer overflow attack basically takes advantage of the fact that variables for a given function are stored in memory and sometimes copied so as many vulnerable functions in C and Java programming that can be used to overflow the buffer which by itself would just cause the program to crash but when used in a very special manner can be used to run whatever arbitrary code you choose now this video is actually a response and a outgrowth of the computer file buffer overflow video which was originally created by dr. Michael pound so I definitely suggest checking out that video first and then coming back to this one so in a nutshell what is a buffer overflow well if you ever done C programming or Java programming or really program of any kind variables for a function call or stored memory that's pretty obvious what's interesting is the order in which they are stored in memory so for this video I'm going to show you to do this with Kali Linux which is based on Debian now the details of how memory is stored mostly how variable the storage memory will change a bit between the platform operating system as well as how the program was compiled but for this video for argument's sake we're going to assume this now in this image here which is from split fun WordPress com really good website this is upper memory this is the highest memory address so if you have 4 gigs of RAM this is the top 4 so at the high memory which is up here on the top versus the low memory we can see the stack layout so first few don't worry we have arrgh fee which is the arguments being passed in the function rxc which is the count int value of the number of arguments the return address in other words where the function should go next after it's done running the callers EBP also known as the frame pointer which is basically saying you know now that we returned we're to go back to a little bit of alignment space because again we're dealing with a 32-bit processor or a 64-bit processor and things generally run faster when things are aligned to the memory address which is a power of 2 4 and 8 respectively and then our buffer this buffer right here is what we're going to be exploiting and then way at the bottom we have the value ESP which is the stack pointer which is made to point to the quote unquote top of the stack which is actually the lower memory address so we have the top address and the bottom address now EBP stands for the extended buffer pointer ESP stands for the extended stack pointer these are actually register values in the processor itself so this extends to things like Intel processors AMD arm and a bit of the motorola processors and it's a general way of kind of managing how the stack itself is used and referenced on the assembly level so and we have a lot going hopen up kali linux open terminal type in you name - space - a now you'll notice i'm actually using the 32-bit version of kali linux the reason i'm doing this is because I want to make this tutorial as quick and easy as possible so if you want to follow along make sure that you're using Kali Linux 2016 point 1 32-bit you can verify this by seeing the kernel I'm running here Linux Kali 4.3 0.0 kali 1 - 6 8 6 - PA as long as using this version of Kali you can follow along very quickly and easily so next up is if you go to my github page and look for the buffer overflow tutorial in Kali these are the commands I'll be using throughout this video so you can see here I tell you to use the specific version of Kali and where to grab the torrent file now buffer overflows have been known about for a very long time since the 60s 70s etc so there's actually been a bit of security features built into the operating system as well as the processor itself to help prevent these things so we're going to disable a few of these to get this example to work again the example we showing to you is a quote unquote best-case scenario assuming everything is set up perfectly but again this is just for teaching when you do a real exploit you're going to actually have to work around these but for now let's just turn these off so the first time we turn off is memory address randomization so you can see here when you do cat /proc sis kernel randomized VA space usually this will be set to live to the value of 2 so the way you disable that is typing sudo bash space - C space single quote echo quotation mark kernel randomized be a space equal to 0 and you append that into the Etsy system control.com file and reload that you type sudo systole space /p alright that's all set and then you run the command cat praxis kernel read minds be a space one more time and as long as this says the value of 0 you're good to go with that next up we need to enable debugging and core dumps so by default this will usually be set to negative 1 or 0 so we've set that to unlimited which means unlimited size verify that all right cool so we've prepped the OS itself to make it easier for us to do buffer overflows now one thing that's a little bit annoying is every time you run a program by default it'll actually be in a different location in memory and that actually depends on the environmental variables so if you ever use bash if you type print env and press Enter this will show you all the environmental variables are running around don't worry too much what the particulars of this just know that they're constantly changing so when you run your program your memory address will change a little bit too so let's close that out type Nano now I've already copied this from the browser's when you're press control shift V to paste ctrl o call this env exec dot Sh there we go env exec Sh write that out type control X to exit we're going to CH mo d space plus sine X this will make this script executable okay an v exec Sh all right go type LS and there we go this should appear as a color of neon green for being executable all right next up is our vulnerable program so we're going to copy this control C type nano control ship of E and we're going to press ctrl o recall this vuln dot C press Enter alright so if you different program super force is actually a very simple program we're going to do include the standard i/o input/output header which allows us to read and write from the standard library and they're also going to import the library for string that's it quick and easy by default C programs call the int main function and the default values pass to that are int Arg e which is the count of arguments being passed on as well as a character pointer to our V which is a character array of values basically a string so next line we create a character buffer with 500 bytes and we run the very vulnerable and very insecure e function string copy this says copy the Arg V value in the first position in other words the first value we pass to our V and copy that into buffer now the problem with this function call is that if Arg V is more than 500 bytes it will quote-unquote overflow the buffer now you can see in this diagram here we start writing in the lower memory addresses so when the function is first created it writes from the high values down to the low values and the assembly code I'll show you a little bit later actually tells it to give itself around 530 bytes so we start at the lower value here and we actually write up so ends up happening is we actually end up over writing things like the caller's EBP value as well as the aterna s this is where the danger comes this is a very insecure function there's another version of this called string and copy for C which will tell you to only copy 500 bytes string copy by default will continue copying values until it hits a null pointer I was like a null character which is usually indicating the end of a string so that's basically we're going to be doing with this let's go ahead and control X exit out type ls' so you can see here we're in our home folder we have en be exact on SH and our vuln now we're going to pile this using the gnu compiler to create an executable file so again control control should be to paste it now this is interesting value because we're using the new c compiler and we're telling it z exec stack function no stack protector in other words we're actually turning off again more of the security features and we're saying m first act boundary is equal to 2 in other words try to align things to a 2-byte value and include the whereas i compile the file volm dot c include the disassembly comments and create the file vault which is actually going to be an e LF Linux executable so go ahead and run that type ls' and there we go we have the vuln executable so that's all well and good in order to properly debug this and make the vulnerabilities work what we're going to do is call env exec dot sh send it the command dash D vuln what this will do is clean up our bash environment and strip it of every setting possible and except the ones that are required and then run the canoe debugger gdb loading up the file ball and this will make it a lot easier for us to run the exploit all right now we're inside gdb so we'll go over a quick overview of some of the common commands to run gdb so you can type quit you're done press up back in you can type ctrl L and that will clear the screen for you nice and easy can type list and this shows you some of the debug symbols so this case we have the debug symbols for C code and there we go we can do it based on function calls we have one of one function and we can actually disassemble this or you dis ass space main and this will convert the C code remembers like this will show you the seek this will show you the assembly code that's powering the function known as main so if you look through here you'll notice a very interesting value this right here 0 x1 f4 so I'm going to do is go ahead and control shift C to copy this we're going to do a hex converter go ahead and paste it convert and there we go that's our buffer right there use those 500 characters so that's the assembly code defining the buffer and I won't really go over the specifics of what's actually happening here you can look it up yourself sometimes you'd really like to but just know that our string code here car buffer is being allocated right there with that assembly call all right we can little you can fill in the operating system info os you can get more details you know info os CPUs now if you find it interesting it's nice to help debugging sometimes more interesting ones are info functions these are all the various functions so you can see even though we only to find one main function is after you lot of other sub functions that are floating around their info variables these are all the global variables that are created by C automatically so let's go ahead and run and pass with a value hello this will run the vuln program there we go ran the program and exited normally nothing too interesting instead let's try overloading it and actually causing a crash so we type in run space dollar sign open parenthesis Python space forward slash where's like minus sign C space single quote print space double quote forward slash X 41 double quote and this was times 408 single quote close parenthesis what this is actually doing is the dollar sign parenthesis is creating a bash sub shell and calling the Python program and dash C is the command so past Python the command print X 41 508 x x 41 is the hexadecimal for the a character so because the buffer was defined as being 500 characters we're going to pass with 508 and overflow it and this should crash the program so I'll go ahead and press Enter run the program and there we go program received signal sig seg V in other words a segmentation fault all right so we just crash the program which is a good thing if you're trying to do pen testing and explore viruses the most interesting thing you can possibly do is cause a program to crash because if you cause that crash there's probably something interesting in there that you can exploit so let's go ahead and look at the registers so info registers enter and again we're looking back at some of our es P and our EBP values here which is very interesting so again we pass this thing the value of 41 and you'll notice the EIP in other words the extended index pointer and the EBP the extended base pointer have been overwritten with the values for one for 141 so that's all well and good but what can we actually do with that well let's look at the memory addresses here we can see X forward slash 2o X in other words show 200 X characters parentheses dollar sign ESP in other words take the address of the extended stack pointer go back not only 500 characters let's go back 550 so a little bit before that run that command and here we go we can actually scroll through the memory itself so if you look here at this address you'll notice it's the very beginning of the for 14141 values you press down or return you can start seeing where the buffer itself exists in memory and where it was being overwritten so that's all well and good in order to actually make this exploit work we're going to need to take control of the extended base pointer the way we do that is we're going to say instead of typing 41 which is the ASCII character a we're going to type the character 90 the reason that's interesting is that in assembly the hexadecimal character 90 is a no op in other words a no operation in common usage the no off command is used purely for padding purposes doesn't actually do anything it literally is the effect of saying go to next go to next go to next that's it so because we know that we can crash the program with 508 bytes we're going to say print ninety four hundred twenty six times and then we're going to pass it this is the hexadecimal version of running bin - zsh which is another shell type synonymous with bash so in other words we have the given vulnerable other program and then we're going to Pat it out with the values five one five one 10 times what this will do is we'll fill up the buffer will overwrite the alignment space and our goal here is to overwrite the callers EBP and the return address with the values five one five one and if we do this correctly we should see the registers EBP be overwritten and an EIP overwritten with the values 51 copy that control shift V type Y so again we say folded with this time the return value was 5 1 instead of 41 that's useful that means we were able to successfully overwrite the return address and the caller zbp select site info registers one more time and there we go a IP and EBP have been overwritten now this is good because we know how large the buffer is and how many bytes we have to overwrite afterward to change and control the EVP value maybe ask yourself why is this actually matter it's because the return address and the caller's EBP we can tell the program is running in memory to actually go to another memory address and that's cool is by default this will go back to the function that called the int main function but instead we're doing instead of going back to the parent function we're going to redirect it somewhere else we're going to redirect it back into the buffer and within the buffer we're going to be using what's called an op sled a no op sled and we're going to pass the value 90 and we're to keep sliding it sliding and sliding it along until it finally hits our shell code to run another shell bin zsh so one of the things we have to do first is we're going to double check memory to make sure we see things correctly so copy and paste that press Enter here we can see the value 90 so our now it does exist and we're going to have to choose a value we're going to choose someplace in the middle of an OP sled here to run so let's go ahead and pick this value right here 0xb F F F F a BA right in the middle of our knobs lid so what will happen is if we can redirect the execution of the program to look at and start reading this value memory it'll continue sliding until it gets our exploit so that looks pretty good now one of the things we have to do with first is convert this memory address value here into big-endian so we make you have to reverse the order of the bytes so here we can see B F F F F a B a B comes at the very end B F F F F a B a so it's not exactly reversing it but it's similar to reversing it but anyways so here we have our exploit from before so we have the padding for the knob sled which includes 500 425 bytes our payload and then way at the end instead of using the value five one five one we're using the very specific memory address ba B F F F F a BA let's go ahead and copy that press Q to quit out of this ctrl L ctrl shift V to paste it and if we run this successfully we stood should see a new shell come out type why ah-ha-ho so that's pretty interesting now it says kali pound sign so we can type in things like Who am I I'm route PWD where's my present working directory LS and there you go we just created a buffer overflow so again by default a buffer overflow will just crash the program but if you're crafty and malicious and a little creative you can actually redirect the program to do whatever you want for good or bad so I hope this video helped you a little bit understanding that buffer overflows are created what they're capable of and generally how they operate if you have any questions leave them in the comments thank you

Info

Channel: Apollo Clark

Views: 55,259

Rating: undefined out of 5

Keywords: software security, swsec, appsec, kali linux, exploits, tutorial

Id: eYrfWpkvMxA

Channel Id: undefined

Length: 22min 45sec (1365 seconds)

Published: Mon Apr 11 2016