Buffer Overflows (BOF)

Languages:

The most vulnerable languages are those that give the programmer pointers and raw memory access. Interpreted languages are typically safe from BOF because their runtime functions are patched centrally and users cannot easily introduce such bugs in their own code unknowingly.

White Boxing Tools

If you have code access, hunting for BOFs becomes quite easy.

Fuzzing tools:

- sulley
- peach fuzzing platform
- sfuzz
- filefuzz

Vulnerable Functions:

- strcpy (the newer, non-exploitable version is strncpy)
- strcat
- gets
- fgets
- scanf
- fscanf
- vsprintf
- printf
- memcpy
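Added example (not from the original notes): the classic unbounded `strcpy` from the list above beside a bounded copy, plus the `strncpy` trap that is easy to miss when swapping one for the other. `copy_unsafe`, `copy_strncpy` and `copy_safe` are names chosen here for illustration.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 8

/* Vulnerable pattern: strcpy trusts the source length, so anything longer
 * than NAME_LEN-1 characters overwrites whatever follows the buffer on the
 * stack (saved registers, return address). Shown for reference only; never
 * call it with untrusted input. */
void copy_unsafe(char *dst, const char *src) {
    strcpy(dst, src);                 /* no bound on src: overflow */
}

/* strncpy is bounded but has its own trap: when src fills the buffer it
 * writes no terminating NUL, so a later strlen/printf runs off the end.
 * Returns 1 if dst ended up NUL-terminated, 0 if not. */
int copy_strncpy(char *dst, size_t dstlen, const char *src) {
    memset(dst, 'X', dstlen);         /* pre-fill so a missing NUL is visible */
    strncpy(dst, src, dstlen);
    return memchr(dst, '\0', dstlen) != NULL;
}

/* Hardened form: check the length explicitly, refuse oversized input, and
 * always terminate. Returns 0 on success, -1 if src does not fit. */
int copy_safe(char *dst, size_t dstlen, const char *src) {
    size_t n = strlen(src);
    if (dstlen == 0 || n >= dstlen)   /* need room for the NUL as well */
        return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

int main(void) {
    char name[NAME_LEN];
    printf("copy_safe(\"alice\")     -> %d\n", copy_safe(name, sizeof name, "alice"));
    printf("copy_safe(\"alexander\") -> %d (rejected)\n", copy_safe(name, sizeof name, "alexander"));
    printf("strncpy of 8 chars into 8 bytes terminated? %d\n",
           copy_strncpy(name, sizeof name, "12345678"));
    return 0;
}
```

The point of `copy_strncpy` is that "replace strcpy with strncpy" on its own only moves the bug: the copy no longer overflows, but the buffer may no longer be a C string. An explicit length check followed by `memcpy` of `n + 1` bytes avoids both problems.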

General bof tools:

- splint
- Shellter (payload injections)
- cppcheck

BOF Shells:

- Rshell - the victim sets up a connection to the remote box, then provides a shell as a process/service.
- Bind - binds a shell to a port for anyone to connect to.
- Socket reuse - grabbing a socket that was being used by a program that is now closing, but we keep it open. Not common because of its difficulty.

Staged Payloads:

- Egg-hunt - used where we are really limited on space and we find a code cave somewhere else in the program. We may not know where the address of this code cave will be, so we stage with a small searcher (the egg-hunter) that then finds our payload (the egg).
- Omelet - similar to the egg-hunter, but rather than pointing to one large egg we have several smaller bits of shellcode spread out that then get combined together. This is also good for not raising alarms in BOF detection.

BlackBox BOF Recon:

Reverse Engineering and Fuzzing are your friend here.

Fuzzing

Fuzzing involves sending malformed data into application inputs and watching for unexpected crashes. An unexpected crash indicates that the application might not filter that input correctly.
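Added example, not part of the original notes: a small deterministic mutational fuzzer run in-process against a toy length-prefixed record parser, first the version that trusts the length byte and then the version that checks it. The record format, the `Input` guarded reader and the function names are all constructed for this illustration; the guarded reader records a fault instead of reading out of bounds, standing in for the crash or sanitizer report a real run would produce.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Guarded read: rather than touching memory past the input, it records a
 * fault. This is the stand-in for "the application crashed". */
typedef struct { const uint8_t *data; size_t size; int fault; } Input;

static uint8_t rd(Input *in, size_t i) {
    if (i >= in->size) { in->fault = 1; return 0; }
    return in->data[i];
}

/* Toy record format (constructed): byte 0 is a length L, followed by L
 * payload bytes; the parser returns the sum of the payload bytes. */

/* Buggy parser: trusts L and never compares it with the real input size. */
int parse_trusting(Input *in) {
    uint8_t len = rd(in, 0);
    int sum = 0;
    for (size_t i = 0; i < len; i++) sum += rd(in, 1 + i);
    return sum;
}

/* Fixed parser: rejects a record whose claimed length exceeds the input. */
int parse_checked(Input *in) {
    if (in->size < 1) return -1;
    uint8_t len = rd(in, 0);
    if ((size_t)len + 1 > in->size) return -1;
    int sum = 0;
    for (size_t i = 0; i < len; i++) sum += rd(in, 1 + i);
    return sum;
}

/* Deterministic mutational fuzzer: derives `rounds` mutants from a seed
 * (bit flip, byte set to 0xff, truncation) and counts how many make the
 * parser fault. A fixed LCG state makes every run reproduce the same mutants. */
int fuzz(int (*parser)(Input *), const uint8_t *seed, size_t seedlen, int rounds) {
    uint8_t buf[64];
    uint32_t rng = 0x1234567u;
    int faults = 0;
    for (int r = 0; r < rounds; r++) {
        size_t len = seedlen;
        memcpy(buf, seed, seedlen);
        rng = rng * 1664525u + 1013904223u;
        size_t pos = rng % len;
        switch ((rng >> 8) % 3) {
            case 0: buf[pos] ^= (uint8_t)(1u << ((rng >> 16) % 8)); break; /* bit flip */
            case 1: buf[pos] = 0xff; break;                                 /* max value */
            case 2: len = pos + 1; break;                                   /* truncate */
        }
        Input in = { buf, len, 0 };
        parser(&in);
        if (in.fault) faults++;
    }
    return faults;
}

/* Valid seed record: length 4, payload "abcd" (constructed). */
const uint8_t seed_record[] = { 4, 'a', 'b', 'c', 'd' };

int main(void) {
    printf("trusting parser faults: %d / 200\n",
           fuzz(parse_trusting, seed_record, sizeof seed_record, 200));
    printf("checked parser faults:  %d / 200\n",
           fuzz(parse_checked, seed_record, sizeof seed_record, 200));
    return 0;
}
```

The seed is well-formed and both parsers handle it without a fault; it is the truncated and length-corrupted mutants that expose the missing check, which is exactly the signal the paragraph above describes. Real fuzzers (the tools listed earlier on this page) do the same thing against a live process and watch for signals instead of a flag.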

Protections

Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR). DEP is a set of hardware and software technologies that perform additional checks on memory to help prevent malicious code from running on a system. The primary benefit of DEP is to help prevent code execution from data pages by raising an exception when execution occurs. ASLR randomizes the base addresses of loaded applications and DLLs every time the operating system is booted.

Recon note: if the protocol/port is unknown, we would either need to look up the RFC for the protocol format or learn it ourselves using a tool like Wireshark.

EMET: Enhanced Mitigation Experience Toolkit. Made to enable security, it can also be used to disable it. Download: https://www.microsoft.com/en-us/download/details.aspx?id=50802 This utility offers mitigation tools and vulnerability management patches for things like DEP, ASLR, SEHOP and more.

ASLR: address space layout randomization. Creates randomness in load locations to prevent hooking of fixed addresses and to make programmatic modification more difficult. Loads the program's base address into different locations, but the offset will always be the same for the same state machine route ;) . ASLR is not always used, though, for things like side-loaded DLLs, which can be used to bypass the mechanism.

- Process Explorer can show us what has ASLR enabled.

DEP: Data Execution Prevention.

- Won't let pages in memory execute code unless they are marked as executable.
- Bypass with ROP (return oriented programming); works best if ASLR has already been turned off.

Stack Canaries: the stack cookie prologue places a value right before the return address, and the function epilogue then checks that it is still intact on function exit.

SafeSEH: used to prevent attacks like David Litchfield's stack cookie / exception handler bypass.
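Added example, not from the original notes: the stack-canary idea from the paragraph above modelled in plain C. A `Frame` struct stands in for a stack frame, with a guard word sitting right after the buffer where the compiler places its cookie; `frame_enter` plays the prologue, `frame_leave` the epilogue check. The struct, the fixed `GUARD_VALUE` and the function names are constructed for this illustration (a real cookie is random per process and the failing check aborts instead of returning).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified stack frame: a fixed buffer followed by the guard value, which
 * is where a compiler puts the cookie between locals and the saved return
 * address. The low byte of the guard is zero on purpose: a string-copy
 * overflow stops at NUL, so it cannot rewrite the guard with its own value. */
typedef struct {
    uint8_t  buf[16];
    uint32_t guard;
} Frame;

#define GUARD_VALUE 0x5a3cb700u   /* fixed here; random per process in practice */

/* "Prologue": clear the buffer and install the guard. */
void frame_enter(Frame *f) {
    memset(f->buf, 0, sizeof f->buf);
    f->guard = GUARD_VALUE;
}

/* The vulnerable copy: writes n bytes starting at buf with no check against
 * sizeof buf. Writes are clamped to the Frame object so the demonstration is
 * well defined, but anything past 16 bytes lands on the guard, exactly as a
 * real overflow lands on the cookie before reaching the return address. */
void frame_copy_unchecked(Frame *f, const uint8_t *src, size_t n) {
    if (n > sizeof *f) n = sizeof *f;
    memcpy(f, src, n);
}

/* "Epilogue": 1 if the guard is intact, 0 if the frame was smashed.
 * The compiler's __stack_chk_fail aborts the process at this point. */
int frame_leave(const Frame *f) {
    return f->guard == GUARD_VALUE;
}

/* Push one input through a frame and report whether the canary survived. */
int canary_survives(const uint8_t *input, size_t n) {
    Frame f;
    frame_enter(&f);
    frame_copy_unchecked(&f, input, n);
    return frame_leave(&f);
}

int main(void) {
    uint8_t data[20];
    memset(data, 'A', sizeof data);
    printf("8-byte input:  canary intact = %d\n", canary_survives(data, 8));
    printf("16-byte input: canary intact = %d\n", canary_survives(data, 16));
    printf("17-byte input: canary intact = %d\n", canary_survives(data, 17));
    printf("20-byte input: canary intact = %d\n", canary_survives(data, 20));
    return 0;
}
```

Note what the check does and does not give you: it catches a linear overwrite that runs through the cookie, which is why the bypass techniques this page mentions (exception-handler abuse, hence SafeSEH) aim at things that get used before the epilogue ever runs.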

Reverse Engineering

Turn any program into asm (Intel syntax):

```
objdump -d -M intel goodpwd.exe > goodpwd_disassembled.txt
```

Launching the vuln app with OllyDbg and passing it arguments on start:

BOF Tips:

OllyDbg windows:

- TL (top left): code
- TR (top right): registers
- BL (bottom left): hex dumps
- BR (bottom right): stack

HotKeys:

- Click a memory address and hit F2 to set a breakpoint, so we can place a BP on the main function and run until then.
- F7 steps into
- F8 steps over

Mona: (OllyDbg module)

!mona bytearray

```python
badchars = (
    "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10"
    "\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20"
    "\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30"
    "\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40"
    "\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50"
    "\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60"
    "\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70"
    "\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80"
    "\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90"
    "\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0"
    "\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0"
    "\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0"
    "\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0"
    "\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0"
    "\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0"
    "\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"
)
# bad: \x00 (the NUL byte is left out of the array from the start)
```

Check for Bad Chars

```
!mona compare -f bytearray.bin -a esp
```

or, with an explicit address:

```
!mona compare -f bytearray.bin -a 002af534
```

Payload gen example

```shell
msfvenom -p linux/x86/shell_bind_tcp LPORT=4444 -f c -b "\x00\x0a\x0b\x20" --platform linux -a x86 -e x86/shikata_ga_nai
```

Template Scripts:

Scripts
