Time
14 hours 43 minutes
Difficulty
Advanced
CEU/CPE
15

Video Transcription

00:00
Hello, everybody, and welcome to episode number 28. We'll be starting a new module, which is buffer overflow.
00:08
And we'll see in this video the basic concepts.
00:12
My name is Alejandro Guinea and I'll be your instructor for today's session.
00:16
The learning objectives are to understand the concepts behind the buffer overflow attack and to apply techniques to implement a buffer overflow attack. So let's get down to business, shall we?
00:30
First of all, let me give you some basics about the buffer overflow, which is also known as buffer overrun. By the way, in this problem, a program or a tool or, you know, whatever it is that you created programmatically, ah,
00:50
while the data is being written to the buffer, overruns, and you know, the data overruns the buffer boundaries and overwrites other memory locations.
01:03
Buffers, in this case, are areas of memory set aside to hold the data, often while moving it from one section of a program to another, or between programs.
01:19
Buffer overflows can often be triggered by, you know,
01:23
malformed inputs. For example, if one assumes all inputs will be smaller than a certain size and the buffer is created to be that size, then, you know, a transaction with an anomalous, you know,
01:42
malformed input can produce more data and, you know, can cause it to write past the end of the buffer. So it overwrites any, you know, data or executable code,
02:00
um, and, you know, overwrites the buffer, and this may result in,
02:06
I mean, you know, denial of service, because the application will stop. Um, in the worst case, it could give us remote control of the machine. You know, it can actually execute a reverse shell code
02:23
and send a shell back, you know, to us, to the attacking machine.
02:28
Ah, you know,
02:30
programming languages
02:32
which are commonly associated with this buffer overflow problem are C or C++.
02:40
Ah, C#, you know, at this point, I believe that in the future they will actually implement a security control. But let's just leave it with plain C. And why is that? Because they provide no built-in protection
02:59
against accessing or overwriting
03:01
the data in any part of the program. You know, they don't sanitize any buffer variable, and, you know, that can lead to a buffer overflow attack. Now, the problem is that, yeah, I can hear you scream. In truth, you're screaming at the screen.
03:20
That's not
03:23
something that the programming language should do. I mean, that's up to the programmer; the programmer should do that. And I agree with you. I mean, when you're programming or you're creating some code, you have to be sure that you sanitize your variables. You check all the, uh,
03:42
input variables and also any field that will receive data, to check all of this. You know, check if you're actually receiving a password. Remember that when we exploited the vulnerability in SQL injection, what? They had a problem with the password,
03:59
and that is because when they were creating the code,
04:02
they didn't actually check the boundaries of the password. I mean, nobody is going to actually have a password, I don't know, more than,
04:13
even a passphrase, more than 50 characters. So why am I, what am I doing at, you know, sending 2,000 characters? That doesn't make sense.
04:25
Bounds checking can prevent buffer overflows but requires additional code, you know, and processing time. That's,
04:32
that's expected, right? Some operating systems nowadays use some techniques to actually, you know, protect the operating system against, um, you know, buffer overflows. For example, randomizing
04:48
the memory. We'll see that later in more detail. But, you know, randomizing the memory layout
04:55
can actually help you with that. Or, you know, leaving space between buffers and looking for actions that write into those areas. For example, these are well known as canaries, and, you know, once a canary is reached, or you can actually reach
05:14
ah, memory, rather the address where the canaries
05:16
are, it will alert, and it will terminate the program. I mean, I know this could cause
05:24
a denial of service, but, you know, it is better than actually getting, um,
05:30
you know, remote control, or giving remote control to an attacker. So, short story, let me give you a really, really basic introduction to buffer overflow here. Basically, the buffer has several pointers,
05:48
but for this module we'll be interested in three main pointers.
05:54
Ah, the ESP, EIP and EBP.
05:59
The ESP is basically the pointer to the top of the stack. This is, you know, if we start, depending on how the stack was built, you know, like first in first out or last in first out,
06:13
um,
06:15
depending on the stack, how the stack was built, it could start sending data or saving data from the bottom to the top, or from the top to the bottom. But in this case, let's assume that it's from the bottom to the top and we'll start filling data
06:31
and we could reach this pointer. Now,
06:35
you know, it's obvious that the EBP is the bottom of the stack pointer, the ESP is the top of the stack pointer. But the EIP is a pointer that points to the next instruction to be executed. It is not the,
06:53
it is not the next instruction to be executed.
06:56
It points to the next instruction to be executed. So if we can actually control this, I mean, I know that if something is vulnerable to buffer overflow, you know, a variable is actually vulnerable
07:12
to buffer overflow, you can just fill up all of this. And, you know, once you reach this point,
07:17
um,
07:18
it will, you know, the application will crash because you will not have any more memory space to do, it cannot function properly. But, you know, the point is, you can actually just, if you're not interested in gaining a reverse shell,
07:34
yeah, you can, or performing other tasks, you can just fill up the stack and that's it.
07:40
But if you actually want to do something a little bit more malicious or, you know, go a little bit further in your penetration testing, you actually control the EIP. And you know, that's the tricky part: it
07:55
is not exactly in the middle. It could be right here. It could be right here. It could be right here.
08:01
Um,
08:01
we cannot know the location. We cannot say, OK, the stack, right, the EIP is right in the middle of the stack. It doesn't work that way. So the tricky part is finding where this guy is
08:18
and finding if in any position of this stack we have something called jmp ESP, so we can actually tell it, OK, you know what? From this location, I don't want you to continue here. I just want you to jump to another ESP
08:35
from a different stack, so we can have all this space to execute our program or execute our payload. And that's, you know, the basic concepts of what we'll be using in these sessions for the buffer overflow attack.
08:54
So, uh,
08:54
let me give you some example. Remember that we said that C doesn't have
09:01
built-in protection against these attacks. So let me just write out a piece of code here.
09:07
Um, I don't know. What can I call it? C program?
09:13
That's C
09:15
right
09:18
in. Ah,
09:20
let me use
09:20
all right, a piece of code here. Include
09:24
the library.
09:28
And we will tell it to
09:33
copy, the function string copy, to copy
09:39
whatever we enter, ah,
09:43
to another string, which obviously doesn't have enough space, so I can give you something so you can understand how these buffer overflows actually work.
09:54
What? Let me see, it's created the code.
10:03
You know what? Let me use copy-paste.
10:09
I didn't want to do that because C is kind of a picky programming language. Because at the end, if I miss something, all right, if I don't see a carriage return at the end of some line, it will fail. But let me just see if this works. So basically, we're creating a buffer of 32 bytes.
10:28
Ah, you know, if it prints an error, you have to enter one more value, because we're not entering anything, return zero. Otherwise, it will use the function string copy, and, uh, well, whatever we entered, remember,
10:46
here, it will copy to buffer, and buffer is 32 bytes long. So if we enter something like 33, you can see that there is no boundary checking here, so just save it
11:01
and we compile it.
11:09
Okay? Does it matter?
11:11
Well, it's telling me that this string copy may have some problems, but I don't care about it.
11:20
Let me just see if it was generated.
11:22
Yeah, there you go. So I would just run the C program and put in, I don't know,
11:31
like
11:31
that, and no problem, because at the end it was less than 32. But what happens when I put in more than 32?
11:41
Segmentation fault, you know? Ah, because at the end, I'm overwriting, um,
11:48
this
11:50
string copy. I mean, I'm copying, I don't know, maybe 35 characters into this buffer, which is 32 characters long, or bytes long. So whenever I did this, uh, it obviously overruns this. I'm passing the 32-character size of the string
12:09
of the buffer, and, you know, it gives me a segmentation fault.
12:13
So this is why,
12:16
so far, this C program doesn't have any built-in protection for that. But I am assuming that other programming languages will do the exact same thing. I mean, at the end, you can, you know, have something like the garbage collector or some built-in security features or, you know, performance features.
12:35
But at the end, uh,
12:37
you cannot depend on that. You have to create programs, actually, you know, when you create programs, you have to actually think in security and not just, you know, uh, go, uh, and pretend,
12:52
I don't know, that the program or the operating system will take care of that without any other additional security programming techniques. So there's that.
13:07
What is the difference between EBP and ESP?
13:11
Okay. EBP points to the bottom of the stack and ESP points to the top of the stack. Those are the two pointers we saw. Remember, guys, this stack has several pointers. But we're interested in these three main pointers, which are the EBP, the ESP and the EIP,
13:31
and talking about the, where does EIP point to?
13:35
Well, it points to the next instruction to be executed. Again, I like to clarify this because this could be confusing. I'm sorry,
13:46
EIP is not the next instruction to be executed. It's not like, okay, it contains,
13:56
I don't know, execute something, or a terminal instruction or command or instruction. It's not. It points to the address that contains that instruction. So overwriting that
14:11
is one of the main goals or one of the main milestones while creating your buffer overflow exploit.
14:16
Because at the end, if you can control that, you can actually leave that stack, or leave that execution path, and go to a different path where you can actually control and put whatever instructions you want.
14:33
Uh, in this video we learned some concepts behind the buffer overflow attack, and we planned something next to execute the buffer overflow attack. Remember, in the C program, you have to be very careful when you're actually creating a program, and when you are actually, you know,
14:52
checking the input variables. Remember that we already saw the previous script in the SQL injection, so you can start to realize that good programming, or a good development life cycle, or, you know, introducing security from the first moment of where you start programming
15:11
or where you start the
15:13
software development life cycle, is key. If you don't have security in mind from moment zero, or when you start, you know, even thinking about creating a program or software or a tool, um,
15:28
if you don't think in security from that point, if you try to introduce security at the end of the software development life cycle, you'll have a headache. You'll have a lot of nights without sleeping, because at the end, security needs to be included from moment zero, where you start planning
15:48
on creating a program.
15:52
Supplemental materials have the playbook. So, always remember, this playbook contains several techniques or several attacks, and it also contains the buffer overflow attack. And I'd like to allow you to check the buffer overflow attack
16:11
from these guys on YouTube.
16:14
They contain a really cool basic explanation of what, or how to,
16:19
maybe not how to implement it, but how it works, what it is and so much more than that. And you know, that's a good reference if you want to find out more about this attack.
16:33
Looking forward to the next video, remember, we'll stay in the buffer overflow module. We'll see how to use Immunity Debugger and apply fuzzing to find a buffer overflow vulnerability.
16:48
Okay, that's it for today, folks. I hope you enjoyed the video, and talk to you soon.

Instructed By

Alejandro Guinea
CERT Regional Director
Instructor