Buffer overflow Exploitation tutorial - Simple Stack Based Exploit - part 5

Namaste Hackers,




Introduction


Friends, This is my fifth part of buffer overflow exploitation and in this post, I am going to show you how we can play with the stack to buffer overflow program and then, we will also manipulate Stack Pointer to execute our favorite function from the same program.


So, Let's Start Our Tutorial With a quick revision of previous important point that going to help us to understand what actually happing under the hood.

If you already aware of this concept, Skip Part 1 and Part 2.
CPU Memory Management Device - Part 1
CPU Memory Management System - Part 2 

Pay Attention here,
CPU Memory Organization/Registers - Part 3
CPU Virtual Memory Model/Stack/heap - Part 4



Pre-Requested Skill

1. Basic Knowledge of Computer memory organization/registers/stack/head etc. (If you don't know, read above-provided posts carefully)
2. Intermediate Knowledge Of C.
3. Basic Knowledge Of x86 assembly
4. Little familiar with Linux commands, gcc, gdb and objdump.


Machine Requirement.

Actually, For This Tutorial, here I am using Virtual Box and Live Image Of Linux 32-bit. (Note: Here, I am going to demonstrate 32-bit system overflow vulnerability. So, your compile file should be 32-bit binary.)



1. Vulnerable Sample Code (Save As SimpleBufferOverflow.c ):

// include header file
#include <stdio.h>

// third function
void third()
{
 printf("Third Function Activated.\n");
}

//second function
void second()
{
 // char buffer
 char buffer[5]; // define variable
 printf("Second Function Activated \n");
 printf("Enter Your First Name : ");
 scanf("%s", buffer);
 printf("Hey!, %s Nice to Meet you\n", buffer);
}

// main
int main()
{
 second(); // call second function
 return ;

}

My Virtual Box ScreenShot


2. Now, We need to compile this script into binary. Open your Terminal And Type

gcc -ggdb -mpreferred-stack-boundary=2 -o BufferVuln SimpleBufferOverflow.c


Here, My Screen Shot



Now, our binary file is ready to execute.

3. Turn Off Random Virtual Space Security Feature.

I know, exactly now, a new question rise in your mind that what is random virtual space security. basically, New Linux kernels, come with security features which change allocated virtual space address every time during execution of the program. Hence, this feature makes buffer overflow exploitation more difficult to implement.


Actually, To Turn off this features, we just need to replace 2 with 0  in

/proc/sys/kernel/randomize_va_space file.


Just Open Terminal And Type Below Command :

echo 0 > /proc/sys/kernel/randomize_va_space



4. Run Compiled Program And try to smash it stack.

Now, Our Vulnerable environment and a 32-bit vulnerable binary program are ready to use. Before trying to exploitation, let's test this program normally.

Basically, to run this binary file you just need to type below Commands:

./BufferVuln





So, As you can see now our program is working fine. but friends, I hope you noticed that during execution of this program, this program waits for user input in "Enter Your First Name:" line where we have to provide input. so, friends, there is one more useful way available in Linux to provide user input in advance to prevent the program from waiting. well, for this we just need to provide input as I given below in command preview


:~# printf "0123456789" | ./BufferVuln


In this command preview, basically, printf is for printing output in terminal, "|" means piping argument from one program to another program and at the end ./BufferVuln is for executing the program.  So, basically, we just piping printf function output into another binary file.


5. Disassemble File With Objdump.


Now, Our Next setup is to create and enter a special type of hex code input that will help us to play with stack memory. basically, here in our compiled binary program, there is not any legal way left to execute the third function because, In our compiled program, the main function only calls the second function and then exit. so, our goal is to execute the third function with the help of stack memory overflow execution.

As I already explained in my previous tutorials about stack memory, we just need to overwrite the return instruction into stack memory located after the empty memory blocks, allocated for buffer char character from the second function.

Well, To overwrite return instruction of the second function from the third function starting memory block address into the stack, we need to find the exact starting memory block address of the third function and for this purpose, here we are going to use objdump program. this program provides us the facility to extract program functions and instruction with there memory block addresses and machine codes.

To run the objdump program, just open your terminal and type :


:~$ objdump -d BufferVuln 





As you can see in above image, In my virtual box our third function memory address is 0804849c.
(Note: Memory Address In your System will be different).

6. Design Payload

After finding exact memory block address of the third function, now our goal is to insert that third function address in place of second function return address stored in stack memory.


Simplest Format Of Stack Memory Layout to represent our plaining.


----------------------------------------------------------------|
| <other> | <char (8 bit)> | <return-secondfunc> | <Other>
----------------------------------------------------------------|

As you can see in above format, char has an 8-bit limited size, empty memory blocks but because of scanf function disability (scanf don't check input data size before storing it into the stack). so, we are going to insert data (size of 12-bit).


  <InjectableCode(12-bit)> = <Char(8-bit)> + <ThirdReturn(4-bit)> 

Method Of Inserting Memory Address Through input function.


Basically, For this, we just need to insert memory address in the form of hexadecimal in reverse.

For example:


|----------------------------------------------------------------|
|                    Method Of Conversion                        |
|----------------------------------------------------------------|
| 1 | Actual Third Function Address     |  0804849c              |
|----------------------------------------------------------------|
| 2 | Arrange In Hexadecimal format     | \x08 \x04 \x84 \x9c    |
|----------------------------------------------------------------|
| 3 | In Reverse Order                  |  \x9c \x84 \x04 \x08   |
|----------------------------------------------------------------|



So, Now Our Hexadecimal is ready to inject in the program.



|------------------------------------------------------------------|
|  <InjectableCode(12-bit)> = <Char(8-bit)> + <ThirdReturn(4-bit)> |
|------------------------------------------------------------------|
                               |
                               |
                               V
|------------------------------------------------------------------| 
|   Our Injectable Data     =      01234567 +  \x9c\x84\x04\x08    |
|------------------------------------------------------------------|




So, As You can see in above image, the Third Function executed successfully.



This tutorial ends here. I hope you all enjoyed it.

For any further Question Or Suggestion Comment Below.

In next tutorial, we will do more advanced exploitation.

Have A Nice Day







Share this

Related Posts

Previous
Next Post »