Buffer Overflows (BOF)
The most vulnerable languages are those that give the programmer pointers and raw memory access. Interpreted languages are typically safe from BOFs because their built-in functions are patched and users cannot easily code in such vulnerabilities unknowingly.
If you have access to the code, hunting for BOFs becomes quite easy.
- sulley
- peach fuzzing platform
- sfuzz
- filefuzz

Vulnerable functions: strcpy (safer bounded version: strncpy), strcat, gets, fgets, scanf, fscanf, vsprintf, printf, memcpy.
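As an added example (not from the original notes): the unbounded strcpy pattern listed above beside a bounded replacement. The function names and the 16-byte buffer are assumptions for the demo; note that strncpy by itself does not NUL-terminate on truncation, which is why the check and the explicit terminator are there.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16

/* Vulnerable form: strcpy copies until the NUL in src, so any input of
 * 16 bytes or more runs past 'name' into the saved frame data (the
 * classic stack BOF).  Defined here only to show the pattern; main()
 * never calls it. */
void greet_unsafe(const char *src) {
    char name[NAME_LEN];
    strcpy(name, src);                   /* unbounded copy */
    printf("hello %s\n", name);
}

/* Hardened copy: refuse input that does not fit, then copy with a
 * bound.  Returns 0 on success, -1 if rejected.  strncpy alone is not
 * enough: it leaves dst unterminated when src is truncated, so the
 * terminator is written explicitly. */
int copy_bounded(char *dst, size_t dst_len, const char *src) {
    if (dst_len == 0 || strlen(src) >= dst_len)
        return -1;                       /* would overflow or lose NUL */
    strncpy(dst, src, dst_len - 1);
    dst[dst_len - 1] = '\0';
    return 0;
}

int greet_safe(const char *src) {
    char name[NAME_LEN];
    if (copy_bounded(name, sizeof name, src) != 0)
        return -1;                       /* oversized input rejected */
    printf("hello %s\n", name);
    return 0;
}

/* Self-check helper: copy into an 8-byte buffer; 0 = fits and matches
 * exactly, -1 = rejected by the length check. */
int check_fits(const char *src) {
    char buf[8];
    if (copy_bounded(buf, sizeof buf, src) != 0)
        return -1;
    return strcmp(buf, src) == 0 ? 0 : 1;
}

int main(int argc, char **argv) {
    /* constructed sample input: one name that fits, one that would overflow */
    return greet_safe(argc > 1 ? argv[1] : "bob") == 0 &&
           greet_safe("AAAAAAAAAAAAAAAAAAAAAAAA") == -1 ? 0 : 1;
}
```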
Static analysis:
- splint
- (payload injections)
- cppcheck

BOF shells:
- Rshell (reverse shell): the victim sets up a connection to the remote box, then provides a shell as a process/service.
- Bind: binds a shell to a port for anyone to connect to.
- Socket reuse: grabbing a socket that was being used by a program that is now closing, but we keep it open. Not common because of its difficulty.

Staged payloads:
- Egg-hunt: used when we are really limited on space and find a code cave somewhere else in the program. We may not know the address of that code cave, so we stage with a small egg-hunter that then searches memory for our egg.
- Omelet: similar to the egg-hunter, but rather than pointing to one large egg we have several smaller bits of shellcode spread out that then get combined together. This is also good for not raising alarms from BOF detection.
Reverse Engineering and Fuzzing are your friend here.
Fuzzing involves sending malformed data into application input and watching for unexpected crashes. An unexpected crash indicates that the application might not filter certain input correctly.
Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR)

DEP is a set of hardware and software technologies that perform additional checks on memory to help prevent malicious code from running on a system. The primary benefit of DEP is to help prevent code execution from data pages by raising an exception when execution occurs. ASLR randomizes the base addresses of loaded applications and DLLs every time the operating system is booted.

If the protocol/port is unknown, then we would either need to look up the RFC for the protocol format, or learn it ourselves using a tool like Wireshark.
DEP (Data Execution Prevention):
- Won't let pages in memory that are not marked executable execute code.
- Bypassed with ROP (return-oriented programming); works best if ASLR has already been turned off.

Stack canaries (stack cookies):
- The function prologue places a value right before the return address, and the function epilogue checks that it is still intact on function exit.

SafeSEH:
- Used to prevent attacks like David Litchfield's stack cookie / exception handler bypass.
Turn any program into asm (Intel syntax):

```shell
objdump -d -M intel goodpwd.exe > goodpwd_disassembled.txt
```
Launching vuln app with ollydbg and passing it arguments on start:
Use the opcode sub eax,0x10 rather than NOPs (\x90) if memory space is an issue. This matters when there is precious little buffer space: it subtracts 16 bytes from the address in EAX in a single short instruction, whereas a full shift of NOPs costs one byte per position.
OllyDbg window layout: top-left = code (disassembly), top-right = registers, bottom-left = hex dump, bottom-right = stack.
Click a memory address and hit F2 to set a breakpoint, so we can place a BP on the main function and run until then. F7 steps into, F8 steps over.
```
!mona bytearray
```

```python
badchars = (
    "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10"
    "\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20"
    "\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30"
    "\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40"
    "\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50"
    "\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60"
    "\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70"
    "\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80"
    "\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90"
    "\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0"
    "\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0"
    "\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0"
    "\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0"
    "\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0"
    "\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0"
    "\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"
)
# bad: \x00
```

```
!mona compare -f bytearray.bin -a esp
```

or

```
!mona compare -f bytearray.bin -a 002af534
```
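An added example, not part of the original notes or of mona: the bad-character check above written out in plain C, with a constructed stand-in target that strips 0x0a so the comparison has something to find. Function names and the stand-in target are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Build the 0x01..0xff probe sequence, skipping every byte listed in
 * 'skip' (the sequence "!mona bytearray -b" writes).  Returns bytes written. */
size_t gen_bytearray(uint8_t *out, const uint8_t *skip, size_t nskip) {
    size_t n = 0;
    for (unsigned b = 0x01; b <= 0xff; b++) {
        if (nskip && memchr(skip, (int)b, nskip)) continue;
        out[n++] = (uint8_t)b;
    }
    return n;
}

/* The check "!mona compare" performs: return the first expected byte that
 * no longer matches memory, or -1 if the whole sequence survived.  Only the
 * first mismatch matters: once a byte is dropped or translated everything
 * after it shifts, so remove that byte from the array and run again. */
int first_badchar(const uint8_t *expected, const uint8_t *actual, size_t len) {
    for (size_t i = 0; i < len; i++)
        if (expected[i] != actual[i]) return expected[i];
    return -1;
}

/* Constructed stand-in for a target whose input parser strips 0x0a (LF):
 * later bytes shift left and the tail reads back as 0x00. */
void sample_capture(const uint8_t *in, size_t len, uint8_t *out) {
    size_t n = 0;
    for (size_t i = 0; i < len; i++)
        if (in[i] != 0x0a) out[n++] = in[i];
    while (n < len) out[n++] = 0x00;
}

/* One round against the sample target: generate the array without the
 * already-known bad bytes, "send" it, compare what came back. */
int next_badchar(const uint8_t *known, size_t nknown) {
    uint8_t expect[255], got[255];
    size_t n = gen_bytearray(expect, known, nknown);
    sample_capture(expect, n, got);
    return first_badchar(expect, got, n);
}

const uint8_t KNOWN_NULL[]    = { 0x00 };        /* round 1: only \x00 known */
const uint8_t KNOWN_NULL_LF[] = { 0x00, 0x0a };  /* round 2: \x0a added */
```

Round one reports 0x0a as the first byte that did not survive; once it is added to the known list, round two reports nothing more, which is the point at which the array in the exploit script and bytearray.bin agree.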
```shell
msfvenom -p linux/x86/shell_bind_tcp LPORT=4444 -f c -b "\x00\x0a\x0b\x20" --platform linux -a x86 -e x86/shikata_ga_nai
```
EMET (Enhanced Mitigation Experience Toolkit): made to enable security, it can also be used to disable it. Download: This utility offers mitigation tools and vulnerability management patches for things like DEP, ASLR, SEHOP and more.

ASLR (Address Space Layout Randomization): creates randomness in load locations to prevent hooking fixed addresses and make programmatic modification more difficult. It loads a program's base address at different locations, but the offsets within a module will always be the same for the same state machine route ;) . ASLR is not always used, though, for things like side-loaded DLLs, which can be used to bypass the mechanism.
- Process Explorer can show us which processes have ASLR enabled.