What is Stack-based Buffer Overflow? How does it work?
How does BOF occur?
It occurs when an attacker overflows the application’s memory. This allows the program to use the system without its authorization by pointing to the code it wants by changing the program’s execution path.
BUFFER OVERFLOW TYPES
Stack Based Buffer Over Flow Easier to fill the memory. It works Only filling one applications stacks.
Heap Based Buffer Over Flow Harder to make it. Because heap is not limited like a stack.
WHY DOES BOF OCCUR? WHY WE DO NOT HAVE A PERMANENT SOLUTİON?
The main reason why there are still BOF vulnerabilities is the developed languages. The languages most prone to BOF are C and C++. This is because these languages are not protected against overwriting or accessing data in their memory. Mac OSX, Windows, and Linux are written with C and C++. Low-level languages process programs faster, while High-Level languages are more user and developer-friendly. This is basically why we are still using low-level languages.
STACK IN A NUTSHELL
•Easy to use.
•Created variables are automatically destroyed when they leaked the stack limit.
•Memory allocation and de-allocation are faster as compared to Heap-memory allocation.
•Created variables can be used without pointers.
•It is created at compile time.
- If you know the exact size of the place you will use it, it will be convenient for you to use the Stack.
ANATOMY OF A STACK
ESP: Stack pointer. Based on the LIFO (Last In First Out) rule it shows the last in element. It is a kind of upper limit.
EBP: It shows the first in. It is a kind of lower limit.
EIP: CPU’nun an itibariyle code segment’i içerisindeki hangi instruction’i çalıştıracağını gösterir.It is referred to as an instruction pointer. It shows which instruction on the the code segment will be run by CPU.
Our goal is to change the EIP and lead to run an exploit that we want. We will change EIP for point our exploit instead of normal code segment.
Step By Step BOF
Spiking = At this stage, we make the program crash by filling the program stack.
Fuzzing = At this stage, we find exactly where we broke the program. It’s not random. How many bytes did we have to send to break the program?
Finding offset = The stage where we find the exact byte when the program crashed.
EIP overwrite exploitation
-Finding the bad char = Characters that should not be used in the shellcode we will write.
-Finding the right module = Finding the module where the EIP will point to the ESP
Creating shell code.
Programs used in the POC.
- Immunity Debugger
- Kali Linux Kullanılmıştır.
- PCMan FTP Server 2.0.7 (Win xp de çalışıyor)
By opening PCMan with the Immunity debugger, we examine the effect of the operations we have made on the program.
The piece of code sends 5000 A characters to the USER parameter of the application.
PACMan crashes when the operation occurs. Based on this, we look for a possible vulnerability.
we have succeeded to write EIP (a= 41 İN Hex)
But when we write to EIP?
In order to find the answer to this question, we send the pattern we created with “pattern_create.rb” so that we can find out which part of the pattern is in eip. It’s like measuring the depth of water, by sticking a stick.
What is EIP now?
We see that value is 6F43376F
We find the number of characters with pattern_offset.
We write in 2002.
EIP Control and Writing the Desired Value
We prove that. EIP İS DEADBEEF. We sent EFBEADDE. Please note that First in first out. This is why we sent it in reverse.
The next step is to determine the maximum values of the size of the sheel code to be created (the code that will allow us to do the reverse sheel ).
For this, as seen in the screenshot above, we fill the EIP with the “A” character and then fill the ESP field with the “C” character.
When we find and subtract the start and end addresses where the “C” VALUE is written, the maximum byte value that can be written to the ESP field can be found.
The maximum value that can be written to the ESP field is 4104 bytes. While developing the exploit code, the shellcode written should not exceed this value.
JMP ESP (FFE4)
In the program, we need to find the address to pass the value written to the JMP ESP, that is, the EIP address, to the ESP. (We should assign a value to EIP that should point to ESP)
The shellcode which we will prepare will work in the ESP area. ( Size max 4104 bytes )
How to find JMP ESP (FFE4)?
We should find the correct module for this. The correct module should be one without memory write protection so that we can write. In the image below, we are looking for a module that does not use protections such as SafeSEH Rebase ASLR.
Searching for jmp esp after selecting the correct module FINDS THE ADDRESS 7E429353
Alternatively !mona find -s “\xff\xe4” -m ‘MODULE NAME’ can be used.
By typing this address into the EIP value, the program will be able to switch to the ESP area.
The characters that we do not want to be included in the shellcode, the characters that are blocked by the program should be detected and these characters should not be used while preparing the shellcode.
Finally, our beloved FF, the last hex character, is here.
In short, our characters that should not be used are x00, x0a ve x0d
Beloved Shell code
Latest Version of Exploit
In our code, the code buff+=”\x90″*40 just below the JMP ESP is referred to as NOPs.Nop is the abbreviation of No Operation. It is the assembly command that can make it easier for us to write wait routines.
Since we are working on x86 processor architecture, x90 was used. The peculiarity of this command is that it does nothing and most of the time it only takes up a single byte. The CPU will go over the instruction. Shellcode reliability can be increased by pre-filling it with NOPs before the shellcode is processed. Added 40 NOPs to the beginning of our final code to increase reliability. Of course, we were able to do this where the payload size is much smaller than the esp size (4104 bytes).
The reverse shell has been successfully executed. This application is made with an old and easy-to-exploit operating system and application for instructive purposes. Most of the screenshots I use here are taken from the information articles I have mentioned in the sources.