Buffer Overflow Video

ghancock

This is not a video to explain every last detail, as I'm still lost on the primary purpose of this section. I hope to upload a better video once all this sinks into my head. However, I did figure out some of the stuff that some of you may be interested in seeing, so I figured I'd upload a video to show what I've learned so far. If anyone can help me with the last part or primary purpose of this section, I'll upload a final video that others can watch.

I'm very interested in this stuff and it's a bit frustrating for me at the moment. I hope to get it through my thick skull soon though. Cool stuff.

Hope you enjoy and feel free to correct me where I goofed as this is all a learning process.

http://www.nizex.com/videos/Elearn/Stack1.mov

Glenn

ghancock

I have to tell you, while this topic is among my favorite for wanting to learn it, your material lacks a lot to be desired. You seem to just skim the surface yet expect me to understand the internals. When I figure out what you're talking about I'll create a video to go through it for others, but right now I have to tell you, I'm very very frustrated going through this course material. I'm learning very little at the moment.

Do you have anything put together that actually covers this stuff in a reasonable manner, or can someone recommend somewhere else to go to learn what is meant to be taught in this section?

Thanks,

glenn

Destron

Hello Glenn

Here are 2 sites/links that teach the basics and beginnings for those who have an interest in learning about stack overflows and exploitation in general:

1- http://grey-corner.blogspot.com/2010/01/beginning-stack-based-buffer-overflow.html

2- http://www.corelan.be:8800/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/

I find these two sites to be great for those beginning exploit development and can probably shed some insight in regards to the issues you're having with the buffer overflow module(s).

I hope this helps and good luck with everything.

Destron

ghancock

Thanks Destron, those were exactly what I was looking for. Let me be more specific about my confusions with the course so far. I understand what we're doing, as I've been programming a very long time and understand buffer overflows. What I've not done is a lot of reverse engineering of applications in order to find the vulnerable parts. The site you sent was perfect for helping me to see the exact steps and to actually write my own exploit against his exe in this case. However, back to the slides. They continuously mention drawing the stack. So far, out of a book I'm reading and 3 different website tutorials, not a single mention of drawing any stacks has been brought up. In fact, none of the exploits and processes I've followed have even mentioned looking at anything in the bottom right side of Olly. So I still fail to see its significance or purpose.

I want very much to understand everything I can about the subject, but so far it eludes me. In the future I'd suggest the course be outlined more like the website link you sent so that we can actually follow through from one step to the next until we've actually exploited our program ourselves. The way this section has been approached just leaves me very very frustrated.

Thanks again for the awesome links though.

Glenn

Armando

If you don't know how to draw a stack frame you will probably never write your own exploit. This is a sad truth.

I understand that you may not like drawing stacks or understanding them, but teaching someone from the basics involves teaching how the stack works before any security issue.

ghancock

Armando,

Could you please provide a better example then of what you're talking about when you're talking about drawing a stack frame? I've not been able to find a single thing that discusses even the concept of drawing a stack frame so I do not understand what your course is talking about when it discusses it. The course material that I've gone through does a terrible job of making any sense of it to me. If I ever get it figured out I'll write you up something to explain it better. Maybe if I already knew how to do it I would understand what is being discussed but the current material jumps across things and at the end of the day served nothing but to confuse the heck out of me.

Thanks,

Glenn

ghancock

I have a question about one of the links listed above, the first one specifically. About half way down he's talking about finding a place to put our exploit code, and he has us open a dll and search for jmp esp. He then makes a statement that basically says: "and we can see there are no nulls or other characters that will mess us up, so we are good to use this spot".

My question is, once he searches for the jmp, where is he looking to determine what is in that area and how large it is for our exploit? That is the only part of this whole process that I'm not 100% clear on. If anyone can help me out there I'd appreciate it.

Glenn

Armando

Drawing the stack means picturing the memory locations, the registers pointing to them and the content they hold.

The pieces of the stack we are interested in are the ones created by function calls.

This means that whenever a new function is created, a new frame is pushed on the stack with a specific scheme and a specific position for each kind of content (e.g. the return address that a stack overflow would overwrite, the local variables, the parameters, the EBP...).

Drawing a stack frame means understanding where each item is located on the stack when a new function is called.

Understanding where these items are (specifically the return address of the function) will let you deeply understand what's going on.

I am OK with explaining things over and over, I'm paid for this, but I have dozens of people who found that module enlightening and well done.

So while it can be improved, I wouldn't say it's this terrible.

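To make "drawing the stack frame" concrete, here is an added example (not code from the thread or from the course material) that models the 32-bit x86 frame a standard prologue builds and prints it the way you would draw it on paper, with the return address slot that an overflow reaches. Everything in it is an assumption: 4-byte pointers, locals placed below the saved EBP in declaration order, no stack protector and no padding. Real compilers reorder and pad locals, so the drawing for an actual binary comes from the debugger, not from this model; the function and variable names are my own.

```python
# Added example, not from the thread: a paper-style drawing of a 32-bit x86
# frame as built by "push ebp / mov ebp, esp / sub esp, N".
# Assumptions: 4-byte pointers, locals placed below EBP in declaration order,
# no stack protector, no padding. Real compilers reorder and pad locals.

PTR = 4  # pointer/register width on 32-bit x86


def draw_frame(local_vars, params):
    """Lay out one frame. local_vars and params are (name, size) pairs in
    declaration order. Returns rows of (offset_from_ebp, size, label),
    highest address first, i.e. the order you would draw them top to bottom."""
    rows = []
    off = 2 * PTR                       # first parameter lives at [ebp+8]
    for name, size in params:
        rows.append((off, size, "param  " + name))
        off += size
    rows.reverse()                      # last parameter is highest in memory
    rows.append((PTR, PTR, "return address (saved EIP)"))  # [ebp+4]
    rows.append((0, PTR, "saved EBP"))                      # [ebp]
    off = 0
    for name, size in local_vars:       # locals grow downward from EBP
        off -= size
        rows.append((off, size, "local  " + name))
    return rows


def bytes_to_return_address(frame, local_name):
    """Distance from the first byte of a local to the first byte of the saved
    return address: the number that a pattern_offset lookup finds empirically."""
    start = next(o for o, _, l in frame if l == "local  " + local_name)
    ret = next(o for o, _, l in frame if l.startswith("return address"))
    return ret - start


def render(frame):
    """Text drawing of the frame, one row per item, high addresses at the top."""
    lines = ["  ebp offset  size  contents", "  ----------  ----  --------"]
    for off, size, label in frame:
        lines.append("  ebp%+#-7x  %4d  %s" % (off, size, label))
    lines.append("  (lower addresses at the bottom; ESP after the prologue is ebp%+#x)"
                 % min(o for o, _, _ in frame))
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed example: void f(char *src) { char buf[64]; int n; ... }
    frame = draw_frame([("buf", 64), ("n", 4)], [("src", 4)])
    print(render(frame))
    print("bytes from buf to saved EIP:", bytes_to_return_address(frame, "buf"))
```

For the constructed function, the drawing shows `buf` at ebp-0x40, `n` below it at ebp-0x44, the saved EBP at ebp+0, the return address at ebp+4 and the parameter at ebp+8; writing 68 bytes from the start of `buf` reaches the first byte of the return address, which is exactly the figure you would expect a unique-pattern crash to report for this layout.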
matugm

I wish my English was better; I would walk you through making an exploit over Skype. If you want to know the available space for the shellcode, what you have to do, once you crash the program with a placeholder shellcode of, let's say, 1000 A's, is check the memory at ESP and then find the last A of your fake shellcode. Look at the memory position you are at and do (last shellcode byte - ESP position), then translate that to decimal and you get the number of bytes of space you have available. Here is a screenshot; please notice how our buffer gets mangled at this point, so it's our last usable byte.

Screenshot

hope this helps!

matugm

I would appreciate an answer :)

ghancock

Sorry, it was Saturday here and I was out messing around last night.. :-) Anyway, thanks for your replies. I'm going to take the information and go back today and retrace what I was doing and see if I can get my head wrapped around it all. I'm very close to understanding; it's just that in the tutorial listed above it was talking about searching inside one of the loaded dll's for a space to put the code. That was the part I was confused about, because he made a comment about seeing there were no nulls but didn't really point out where in Olly he was looking to discover this.

I'll go back and try again and let you know,

Thanks,

glenn

Destron

Hello Glenn,

What he's doing in order to determine where exactly the correct memory placement would be for the exploit to be successful is the following:

1- He sends his buffer to overwrite EIP (Extended Instruction Pointer) with a junk buffer such as "A"s or whatever.

2- He gets a crash and now he needs to determine precisely where EIP gets overwritten.

3- In order to do this, he's using a script called pattern_create. Let's say, for example, he used 2500 bytes of "A"s to crash the application. Now he can send the same buffer amount but using 2500 bytes of "unique characters".

4- Once he sends this buffer, he'll get a crash; however, it won't just be a generic amount of "A"s but a unique sequence of alphanumeric characters that helps to determine (using the pattern that pattern_create generated) exactly where EIP gets overwritten.

5- He works this out using the same tool, but with the pattern_offset command along with the 8 unique characters that were shown in the EIP register (in this case 36684335), as well as taking the first 4 bytes seen in the ESP register (in this case Ch7C) and putting these into the pattern_create script to learn the 4-byte placement that would be needed to overwrite EIP.

6- Now that we know this, we need to find a place in memory that will provide the following:

6A- Contain a usable memory address that holds either a "JMP ESP" or a "CALL ESP", as this will redirect us to our malicious buffer and give us control of execution.

6B- Also note that the memory address containing the opcode instruction we need must not contain any "00", better known as null bytes, or any other bad characters (0a, 0d, 20, etc.), because these can potentially break our exploit, which we don't want.

6C- Key DLLs such as kernel32.dll are likely to get "re-based" or "randomized" due to defense mechanisms like ASLR, so choosing from a DLL that's less likely to get re-based (or from the application itself, but since those memory addresses contain nulls, we can't use them) would make the exploit more portable, so to speak.

7- He chose User32.dll in this example and needed to know where within this DLL a "JMP ESP" function pointer was located. In this case, he found one at memory address 7CA58265 (please note: due to the 32-bit architecture we need to input the memory address in "little endian" format, which would be like this: "\x65\x82\xA5\x7C").

***Also note that the memory addresses might be different on your testing system, so don't follow the tutorial blindly.

8- He revises his exploit script to include this information and, if everything is calculated correctly, he should overwrite EIP with the "JMP ESP" memory address ("\x65\x82\xA5\x7C") that was used from User32.dll. However, he still needs a proper way to get to our payload (which in this case was a TCP reverse shell that will spawn a shell back to the attacker).

9- One way to do this is to use a series of "\x90" or "NOPs", which is the opcode instruction for "no operation". A common practice with stack EIP overwrite exploits is to place a series of NOPs after our chosen "JMP ESP" address because it creates more reliability to "slide" into our payload, which in this case is our reverse shellcode. In this case, he used 16 NOPs, or, to put it more formally, a 16-byte NOP sled.

10- From this point, he sends the exploit and the buffer should overwrite memory; EIP should then get overwritten and should now contain the memory address 7CA58265, which contains our "JMP ESP" instruction. Once this is hit, we will hit our NOP sled and it will slide us into our shellcode, which should spawn a reverse shell back to the attacker (in this case, IP address 192.168.20.11, port 443).

I hope this helps to generally sum up what the tutorial is trying to teach and get you closer to understanding this stuff.

good luck

Destron

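The crash-triage arithmetic behind steps 3 to 7 (unique pattern, offset lookup, little-endian address, bad-character check), as an added example that is not code from the thread, from the linked tutorial or from Metasploit: it rebuilds the Upper-lower-digit pattern that pattern_create emits and performs the lookups that pattern_offset performs, fed with the register values Destron quotes. Assumptions: the pattern is the standard 3-byte cycle, the bad characters are the four named in step 6B, and the function names are my own.

```python
# Added example, not from the thread or from Metasploit: the pattern_create /
# pattern_offset arithmetic behind steps 3-7, reimplemented for crash triage.
# Assumes the standard 3-byte Upper+lower+digit cycle and the bad characters
# named in step 6B (00, 0a, 0d, 20). Function names are my own.
import string
import struct

BAD_CHARS = bytes([0x00, 0x0A, 0x0D, 0x20])   # from step 6B of the thread


def cyclic_pattern(length):
    """Non-repeating pattern: chunks of Upper+lower+digit, digit cycling
    fastest, e.g. Aa0Aa1Aa2 ... The cycle is built so that a 4-byte window
    occurs at one offset only, which is what makes the lookup meaningful."""
    out = bytearray()
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out += (upper + lower + digit).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    raise ValueError("pattern is limited to %d bytes" % len(out))


def _find(pattern, needle):
    pos = pattern.find(needle)
    if pos < 0:
        raise ValueError("%r is not in the pattern; the crash did not come from it" % needle)
    return pos


def offset_of_register(value, length):
    """Offset in the pattern of the 4 bytes a register held at the crash.
    The debugger shows them as a number (EIP = 0x36684335), so convert back to
    little-endian bytes before searching, which is what pattern_offset does."""
    return _find(cyclic_pattern(length), struct.pack("<I", value))


def offset_of_fragment(text, length):
    """Same lookup for bytes read as text from a memory dump (ESP -> 'Ch7C')."""
    return _find(cyclic_pattern(length), text.encode())


def pack_address(address):
    """The 4 bytes that represent a 32-bit address in memory (little endian)."""
    return struct.pack("<I", address)


def bad_chars_in_address(address, bad=BAD_CHARS):
    """Bytes of the address that are bad characters; an empty list means the
    address can be written into the buffer as-is by the thread's criteria."""
    return [b for b in pack_address(address) if b in bad]


if __name__ == "__main__":
    eip = offset_of_register(0x36684335, 2500)
    esp = offset_of_fragment("Ch7C", 2500)
    print("EIP overwritten at offset", eip, "; ESP data starts at offset", esp)
    print("7CA58265 in memory:", pack_address(0x7CA58265).hex(),
          "bad chars:", bad_chars_in_address(0x7CA58265))
```

Run with the values from the thread, EIP 0x36684335 resolves to offset 1787 and the ESP fragment "Ch7C" to offset 1791, so the data ESP points at begins 4 bytes after the overwritten return address; that is the relationship a JMP ESP relies on and it is also the reason the two lookups in step 5 should agree with each other. The address 7CA58265 packs to 65 82 A5 7C with none of the four bad characters, whereas a constructed address like 0x0040200A fails the check on three of its four bytes.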