Exploitation Of Windows Buffer Overflows

What is a Buffer Overflow A buffer overflow is when memory is copied to a location that is outside of its allocated space This is bad because it will override data that has been stored to control the flow of the data and other stored values Exploitation could (and does) lead to the process giving a cracker access to your system remotely

What is Shellcode Shellcode in the strictest definition is a program that will bring up a shell terminal from a remote location In the more practical since shell code is any program which is injected into another program for some malicious purpose

How a Buffer Overflow Works While windows is running it protects the code portion of the executable file from being written to So to get a buffer overflow a cracker must write to the stack where all of the temporary data is stored

Example of Buffer Overflow (part 1) #include using std::cin; using std::cout; using std::endl; void function() { char buffer1[10]; char buffer2[10]; cin >> buffer1; strcpy(buffer2, buffer1); cout << buffer2 << endl; } int main() { function(); cout << "if you see this then you didn't overflow the buffer“ << endl; return 0; }

Example of Buffer Overflow (part 2) Return Address 123\0 ABCDEFGHIJ Return Address Buffer1 Buffer2 With this code the stack would normally look like this But if we enter the string ABCDEF GHIJ123

Example of Buffer Overflow (part 3) If a long enough string was inserted into the buffer it could override the Return Address which could jump to the beginning of a program and overrun the process

How to Locate Functions in the Kernel32.dll Download a program to disassemble the dll file. (I used disasm.exe from Take the disassembled file and do a search for the file that you are looking for You will find the address in a line that looks like this Addr:7C80BC69 Ord: 830 (033Eh) Name: SizeofResource Addr:7C Ord: 831 (033Fh) Name: Sleep Addr:7C80239C Ord: 832 (0340h) Name: SleepEx

Basics of x86 Assembly (Part 1) Because of the simplicity of most shellcode the simplest and most useful assembly code will be discussed in this section One thing that should be noted is that because Shellcode is injected as a string it CANNOT HAVE ANY NULL CHARACTERS IN IT!!!!

Basics of x86 Assembly (Part 2) Registers EAX – EDX are 32-bit general purpose registers AX – DX access the lower 16-bit of the general purpose registers AL – DLaccess the lower 8-bit of the general purpose registers Assembler Code STRING_LABLE db ‘string$’ - declares a string and assigns it to STRING_LABLE. In c++ this would look like STRING_LABLE = ‘string$’. The string needs to end with a $ or any other symbol because a NULL character will have to be placed into it later. jmp short LABLE – jump a short distance to the section of code designated by LABLE: push/pop REGISTER – place what is in REGISTER onto the top of the stack / remove what is on the top of the stack and place it into REGISTER

Basics of x86 Assembly (Part 3) call LABLE db ‘string$’ – jumps to location LABLE and places string$ onto the stack call REGISTER – calls whatever function address is sitting in the register Because some functions have arguments that need to be passed to them you will need to place then onto the stack in reverse order. Ex.) foo(int x, int y, int z) push edx;place z push ecx;place y push ebx;place x call eax;eax has the address of foo which pulls x, ;y and z off of the stack mov Dest, Source – place what is in the register Source into the register Dest xor REG, REG – A good way to clear out a register is to xor the register with itself

Example of a way to place a NULL at the end of a string jmp short START ADD_NULL: pop ecx;move the address of the string ;‘Hey Man$’ into ecx xor edx, edx;clear edx mov [ecx + 8], dl;ecx now has the ;address of the string ‘Hey Man\0’ START: call ADD_NULL db ‘Hey Man$’

Example of how to exit the process without alerting the parent process xor eax, eax push eax mov eax 0xFFFFFFFF;address of ExitProcess function – note ;FFFFFFFFF is not its address call eax

Turning Assembly to Shellcode Create an assembly file on a *nix machine which contains the whole shellcode (it should not be to long) Run the on a *nix box command: nasm –f elf SHCODE.asm; ld –o SHCODE SHCODE.o; objdump –d SHCODE What will pop up on your screen is the hex interpretation of your assembly code Take out all of the hex numbers and add a \x before each pair of them You should end up with something like this - \xe5\xf4\x04\x22 – if not longer. This is your shellcode. If any part of it equals \x00 you screwed up!

Testing the Shellcode This c file was written by Steve Hanna who wrote Shellcoding for Linux and Windows Tutorial /*shellcodetest.c*/ char code[] = "bytecode will go here!"; Int main(int argc, char **argv) { int (*func)(); func = (int (*)()) code; (int)(*func)(); }

Source Steve Hanna - Shellcoding for Linux and Windows Tutorial - hellcode.html hellcode.html Honestly this is the best place to begin trying to learn. His examples are fast and simple.