Time
14 hours 26 minutes
Difficulty
Advanced
CEU/CPE
15

Video Description

This lesson covers creating GNU compilers to perform overflow testing and discovering vulnerabilities that can be exploited. Participants learn the cdb command along with step by step directions to debug programs and build exploits.

Video Transcription

00:04
get If you're using my VM don't have to worry about doing this. There's already a compiled version
00:11
of this program,
00:13
but if you are not, for some reason, we do need to compile it.
00:18
So we want to do G C C G a new compiler,
00:22
and we can put debug symbols in there with Dez G.
00:27
And let's see, we need to put a flag in there. F no dash deck stack dash protector.
00:37
What that's going to do is turn off
00:40
stack protector or canary. As it's called. We're not going to cover the canary in this class. If you continue with exploit development, do on exploit development class. Prefer instance. You probably will work with canaries, but we're going to start with the basics here, so we just want to turn it off
00:58
and dash over the output. I'll just call my overflow test, just going to overwrite the one that 30 there, and the input file is over for the test. Ought see.
01:11
The main thing we need to do is just ethno stack protector, the debugging symbols we don't really need, but
01:19
on If you change the output of something else, it will
01:23
give it that name. And if you don't put the dad Joe it, we'll call it a day. Out, out, out, out, out. It's fine. You don't really care what it's called.
01:30
It does through a warning.
01:33
Basically, it says that mean is not an energy. I made it a void.
01:38
Whatever still compiled.
01:41
That's not the source of our buffer overflow. That's just it, complaining about things it doesn't really need to complain about. All right, so now that it has compiled, But you go ahead and run it
01:51
overflow test from our current directory. And remember, it does want user input on. Since we know the source code, we know that it wants basically
02:00
four characters.
02:01
Yes,
02:04
string ends with the knoll bites. Someone pointed out to me in a class a few years ago, so it could be five characters and you'll see that it can be. But technically we will have actually overflowed the buffer. I say that with air quotes that you can't see. It doesn't actually call the cries or anything. It doesn't
02:21
particularly matter, but technically it would give it five characters we have
02:24
overflowed are variable, at least by one character that no light at the end, we'll actually make us right to adjacent memory. So let's stick with four characters to be precise.
02:37
So overflow test with four uppercase age
02:40
and it prints out executed normally as expected from the source code.
02:46
But what happens if we say overflow tests in the additional Be heavy handed about? It doesn't particularly matter how many we put in at this point is held down the big A for a while,
02:58
would you not get executed? Normally we get something called a segmentation fault. So we have made the program crash,
03:06
so it clearly has some sort of. It is not exploitable vulnerability that, at least you know, it's not very good at dealing with unexpected input, which is generally a good place to start looking for vulnerabilities that could be exploited
03:22
so naturally has exploit researchers. We would want to know more information about what exactly is going on here.
03:30
So what, We're going to use it a debunker. We move over, Windows will use more graphical de bugger
03:37
called immunity bugger here and Lennox, we're going to use the man line tool called the Nudie Bugger or P T. B,
03:46
we GTB and hell it open, overflow test.
03:53
Get some stuff written out to the screen. Says this is gonna be bugger, eh?
04:00
All right, So if you don't know anything about the community Bugger, don't worry. You can read manuals about it. I've never found the minerals to be very beginner friendly,
04:10
but
04:12
there's a good tutorial series security to that. I would recommend or, you know, just playing with it. But for this class,
04:18
we don't really need much community. Bugger, information, Anything we are gonna do, I'll show you.
04:26
We're certainly not gonna cover all the things that I can do is look a basically example here the voters aren't made specifically for exploit research. They are
04:34
primarily made so developers can be, but their programs see what's going on. But they are widely used by excellent developers
04:44
to try and build exploits as we will do.
04:48
All right, let's go ahead and take a look at the source code. Since the source code is time holder, we can do that. Who actually list out
04:58
our source code. That's going to make life a little bit easier for us. Naturally, since he's compiled, Lee will not always have our source codes. We may have to work a little bit harder willing to our Windows examples. We won't have a source.
05:12
We'll have to work entirely with memory.
05:15
But here we do have our thirst codes. We do list
05:18
and say, one common 16. There are 16 lines, so that's going to list out one through 16. As we see here,
05:26
what we really want to do is actually get some break points, which are break points, as the name might employ is they're going to
05:34
called the program to polls or break when we hit them. We don't have to set them on a line like we are here. We're just and put in line numbers,
05:43
but you can also have them set on a function or a memory address all the different ways to set them again. We'll start with something simple here,
05:51
and I want to get three break points. Gonna start here in Maine. I want to take a look at the state of memory
06:00
right before we call function. Remember, function is where the bad stuff is gonna happen. We have that string copy function that since we have the source code, we can probably tell that that is the source of our problems. Why we're getting that segmentation fault.
06:15
Let's go ahead and set a break point here right before they call the functions. If we set a break point online 14 that will pause execution right before function is called right before that line is executed.
06:29
So break
06:30
14 to tell it to break online. 14.
06:34
It's break 0.1 at the memory address of Line 14
06:42
and then if we do a break in function, so then we will be in function
06:47
and I want to do a break point right before string Gabi executing in string copies the source of our troubles. So we're really interested in what happens there for reference will basically get a snapshot of memory right before the strength coffee happens for their break 10
07:05
and then right after we'll just break it. Line 11. Right before function returns, we'll see what happens
07:14
during string copy so we'll see the state of memory after the street copy has occurred. Finally, our third break point will be break at Line 11.
07:25
The three break points again break 14 Break 10 and break 11 break in Maine right before function is called for reference. Break right before the string copy again for reference to see what memory looks like before the vulnerable function. And then finally, right after the vulnerable function
07:44
that line 11.
07:46
All right now I've got a break point
07:50
and let's go ahead and run this.
07:53
So do that. Would you say Run
07:56
and we give it any input that we need to begin? Let's start with forays.
08:01
You have four bites here
08:05
and hit Enter that will have it start little either run the program until it finishes or the break point.
08:13
We had our first break point, which is the break 0.0.1 that line 14 right before the called a function.
08:20
Another word out of break point. We can examine our memory
08:24
so there's lots of different ways you can do examine like it has lots of different ways. You conform at the output and say how much data you want
08:33
so we can say help.
08:37
Thanks.
08:39
So that's one way of getting data. Like most programs, we could say health, and it'll give us some help information. So he tells us more details about examined.
08:52
Yeah, basically, we say explosion, the format we want And then the address
08:58
we want, which we can give it, like a registered name or a memory address.
09:01
And so what, we're gonna D'oh! It's certainly not the only way to do this. But this was just
09:07
the way I was taught. I guess what has been useful for me. So I'm going to examine Flash.
09:16
So it's explosion, and then we tell it the format we want, which I want Hexi Decimal because he lost of Hexi Decimal and exploit development. So they'll have to get used to reading some hex of that school. You continue and exploit development,
09:31
and I'm gonna tell it. I want
09:33
words W.
09:39
And I'm gonna tell it.
09:41
I want How about 16 words, but probably more than we need.
09:48
We'll see how many we need to get to the bottom of main stack brain. But I'm just gonna tell it. I want to examine 16 Hexi decimal words from dollar sign E S P so that remember, E S P is the top or Louis memory address of our current staff frame. We're currently in Maine, so Paul is right before we called function.
10:11
So this should show us main stack frame and probably a little more depending on how big mane is. We did ask it for 16 words. Probably more than we need.
10:20
All right, So how we can read this is these are the memory dresses over here, and here's the data in them. So this is in Hexi Decimal. So it is going to be
10:30
based 16 before right here,
10:33
8 12 16 And then we wrap back around. So
10:37
we go up to nine and an A B C D.
10:43
On loop back around to zero.
10:46
All right, so this will be the memory location of E. S. P s, the top of Maine, and this would be
10:54
rivers in there. So to get a reference of where main ends, we would need to examine you just need one
11:03
has the deaths of more word here from E v P, which again is the bottom or highest memory address to notice that
11:09
we do go to hire memory dresses, we get on the stacks of c d. E f going higher there.
11:16
So it says
11:18
U P is at sea eight. So indeed, 16 Hexi decimal words is way more than we need. It looks like
11:26
this is main stack frames, and not much to it at all. In fact, only 12 bytes.
11:31
Then again, Main doesn't do very much, so that's not entirely surprising.
11:37
All right, so, again, it's just a reference. Nothing really interesting happens in Maine, at least from an exploit developments perspective. So to move on and let the program continue, we say continue. So that will again either go to the end of the program
11:54
or the next break point.
11:56
So we hit great 0.2. We're now inside a function right before the string copy.
12:05
So we can again we can have the out barrow to get our
12:09
old instructions back. So I just go up to my examined 16. Hector doesn't words from SP now that we're in function as P will now be pointing at the top of functions that crane, which should have been
12:20
put on top of
12:22
main stack frame. So we should have,
12:26
um, lower memory addresses to the stack moves up towards lower memory dresses. So we should see the zero. A zero
12:37
over here
12:39
doesn't did exactly what we see. So here's a zero at the end here,
12:45
and we can again get EVP, which again should be pointing at now the bottom of function stack frame.
12:52
Who says that? That be eight.
12:56
So this is part of function stack frame as well as this here
13:01
a little bit bigger. Stack for him here.
13:03
Five of those bites are going to be for a buffer. We don't know which five lives are yet, but we will see that presumably after the string copy. We should see our A's show up and we should be able to tell when we hit our next break point.
13:18
So remember, we look up here, so starting at r C zero
13:22
where main is.
13:24
So this is Maine
13:26
stack frame,
13:28
Mrs Function.
13:31
So what's this?
13:33
So we remember our picture. I showed you the slides. One of the prettiest it is We have main stack frame on top of main stock crane, which have the return address to the memory address. But the next instruction to be executed when function returns and we get back to Maine, then we should have functions sack train.
13:52
So this should probably be In fact, my theory is correct. This should be our safe return address. 08048443 should be a memory address in Maine. That should be our next instruction to be executed.
14:09
We can disassemble functions of I say disassemble
14:13
and then main Tell it to disassemble, man.
14:16
Here's some assembly
14:20
may not be too familiar with assembly. And I, particularly this is in
14:24
80 and tea for at and I put for intel format. So even though I do know a fair amount of this and lay it rather hard for me to read these because the formatting is a bit different than what I'm used to we can change that if we want to do set
14:39
disassembly
14:41
flavor. You don't need to do this
14:45
if you don't want to.
14:48
I can't spell disassembly. Apparently, no, I can't. All right, to sit one s here.
14:56
Um,
14:58
just awesome
15:01
flavor.
15:03
My spelling is getting worse by the minute until,
15:11
uh, almost. But again, there's a either they're finally no error. So set disassembly die flavor to intel and you don't have to do that. I just prefer intel. Four months of this format is once a year for me to read, but luckily it doesn't particularly matter
15:26
if we know assembly because we're interested in what is
15:31
you call the function. You can't read assembly,
15:35
Cole and function.
15:37
But even if we can't reduce and believe that pretty much jumps out of it out us that that is indeed to call the function. So our next instruction to be executed is probably this one. I mean, that would make logical sense of 08048443 run off the page because I can't spell this assembly.
15:56
So I go back and examine again
16:00
from E S P. So we have 08048443 is our safe return address. So that's where the memory address of the next instruction to be executed. Sure enough, that's exactly what the next assembly instruction in May after the call. The function is so it looks like everything is exactly like the picture said it would be.
16:21
How interesting.
16:22
All right, so let's go ahead and continue again. Let's let that string copy execute so we can see what happens in memory. So we have this as a reference
16:32
who this again is function stock room. Now we'll see what changes who we let's drink coffee run,
16:40
so we'll continue we had our third break point
16:42
Right before function
16:45
exits line 11. So after the string copy.
16:48
Let's examine our memory.
16:55
So, you know, quick reference here.
16:57
Looks like a few things have changed. But in particular
17:03
41 is Hexi decimal for
17:07
on upper case A. You can look at a man page for asking and it will actually show you all of this. Or you could go to, like, asking table dot com if you need to reference what is what I mean, certainly I can't expect anyone
17:22
since I don't even
17:22
to know all of
17:25
the asking table, but a CZ You spend more time with it like 41. You'll probably remember for whatever reason, typically people to start overflowing buffers with Bunches of large aids. So you see lots of 40 ones and memory. But, you know, if you need to check what
17:41
it correlates to, you can always look Att A nasty table again ish man asking or I like asking table the outcome. You like something a little bit more graphical. They have 41 here.
17:56
That's the first character here we have 41 41 41 then a novel which again terminates a string but looks like that's where our four A's showed up. So that should be
18:07
where that buffer variable is. And it did indeed fit nicely inside
18:14
over
18:15
stack frames again, the return addresses all the way over here. You kind of start to see an idea of what we're gonna try and do, since we want to
18:22
get control of that safe return and drastically instead of putting Foray. Then we just kept putting a then and that string copy would allow us to overwrite adjacent memory would eventually
18:34
could overwrite as much as we liked. Really.
18:38
But for now, I did all fit nicely. Are only question is, why is this went off by itself? And why is it, like, turned around? It's like the knoll That's the end. Seems to be a fight. Number two. This is but one and two. It looks like things are a bit backwards, which, when I was first starting, exploit development.
18:56
It's really baffled me and they'd be waste a lot of time,
19:00
so we will see exactly what's going on here. And if I teach you one thing about exploit development, you will never make the same mistakes I did. So we'll see that in our next video.
19:10
But for now, let's just go ahead and continue.
19:12
I'm not the program finish. It does turn out executed normally,
19:18
and the program exits. So since we only used four characters, is their input here, Everything work flying again? Naturally, the next thing we're gonna do is try and overflow it.

Up Next

Advanced Penetration Testing

The Advanced Penetration Testing course teaches the cyber attack lifecycle from the perspective of an adversary. Become more familiar with the most widely used penetration-testing tools, manipulate network traffic, and perform web application attacks such as cross-site scripting and SQL injection.

Instructed By

Instructor Profile Image
Georgia Weidman
Founder and CTO at Shevirah and Bulb Security
Instructor