Part 3 Classic BufferOverflow Demo
Video Activity
In this lesson, participants receive a demonstration of a classic buffer overflow attack. The goal of a buffer overview attack is for an attacker to deploy arbitrary code onto a users machine and take it over, accessing the person's information. In this demo, Kali Linux is the attacker machine and the victim's machine is a Windows XP. Using the vul...
Join over 3 million cybersecurity professionals advancing their career
Sign up with
Required fields are marked with an *
or
Already have an account? Sign In »
Video Description
In this lesson, participants receive a demonstration of a classic buffer overflow attack. The goal of a buffer overview attack is for an attacker to deploy arbitrary code onto a users machine and take it over, accessing the person's information. In this demo, Kali Linux is the attacker machine and the victim's machine is a Windows XP. Using the vuln function, bytes are copied and a buffer overflow is created and a root shell on the box is the final goal. Participants learn how to create this using pre-staged code in the Python programming language.
Video Transcription
00:04
Hello and welcome to the cyber very secure coding course. My name is Sonny Wear, and this is the Buffer Overflows Demo Classic Buffer Overflow Attack. Before I start the demo, I wanted to give a little bit of background so that
00:20
the viewer can better understand what's happening in the demo. So first,
00:25
the buggers are often used to show buffer overflow attacks. The reason being that you can
00:33
see the contents of memory you can seethe stack. You can see the program an assembly code as it's being executed. And so you're going to see me in the demo. Actually use a command line to bugger called G D B. Now G D B is generally standard on
00:52
all UNIX type platforms,
00:55
and so it's because it's commonly available. It's it's widely used.
01:02
In addition, you're gonna hear me refer to PETA.
01:04
Now PETA is an extension to G D. B, and what that does is just provides a more user friendly stack viewing, and you'll see that in the demo
01:17
a quick reminder that I'm referring to the i p e b p in E. S. P. We had spoken about these in the explanations portion of the module.
01:29
E I p, of course, is our instruction Pointer. This is what's pointing to the next line of instruction in our program
01:37
based Pointer is where we have our function in our local variables, inside of that function declared and then the E S p, of course, is always gonna point to the top of the stack
01:49
realize that everything in the demo is showing in an Intel architecture of 32 bit.
01:57
There are two machines shown in the demo. There's a Kelly Lennox machine, which is basically the attacker machine, so that runs on a Lennox platform,
02:07
and then windows X p is thieve victim machine.
02:13
The goal, of course, of this buffer overflow attack is that as an attacker on the Kelly Lennox machine,
02:21
we want to deploy our arbitrary code. Of course, in this case, it's shell codes. Specifically, it's just a TCP bind.
02:30
And we want to deploy that show code onto our victim's machine via this buffer, overflow attack and, of course, take over the machine.
02:38
The moment I know I've taken over the machine is when, of course, I have a root prompt. I basically
02:45
I am actually literally on the UNIX machine. But I can get a prompt to the Windows X P machine on my Kelly Lennox machine and you'll see that in the demo as well.
02:59
So let's start with our source code. Here we have a C program. Very, very simple.
03:06
Basically, we have a function here called Bones,
03:10
and we are going to copy 200 bytes into an 80 bite array to create our buffer overflow.
03:21
Now, the purpose of this is to actually get a root show on the box and so that will be the final goal.
03:30
Then we have our main function here.
03:34
It's going thio try to execute, been show
03:38
call. The function returns zero So not much there.
03:43
And so we compile that
03:46
and then what we can do is take a look at how that looks inside of our GDP. PETA.
03:53
So you're going to type execute file
03:57
classic. So
04:00
okay. And so now I know that it is available in PETA,
04:04
and in order to actually see something done, we're going to have to send in some
04:13
some arguments, right? So we want to create our arguments
04:17
in a python script.
04:20
Now I do have some staged python scripts that I can share with you.
04:26
But I want to go through each one and
04:29
look at what the changes are. So we start off with just the exploit that p Y
04:35
here were just going to send in 200 bytes into our buffer.
04:42
Actually, what we're doing is creating 200 bytes that air the letter A and then we're just creating a file called in one dot t x t.
04:51
And then what we're gonna do is feed that in to the binary inside of GDP. PETA.
05:00
So for this, we just execute
05:04
and it creates
05:08
the file
05:10
in that T X t, which, as I mentioned, is all the aids.
05:15
Okay,
05:15
so then we just come over here and I'm going to read that file.
05:25
So PETA gives us a lot of really good information. First of all, it shows that, you know, we've got a segmentation fault. That's fine.
05:34
Now
05:35
we're we're reading inthe e 200 bytes. This is our buffer that the file that we created, right,
05:42
we don't We're not getting a show yet. That's true because, you know, we're not controlling, um e i p at this point.
05:50
So all I'm trying to show here is that I was able to
05:57
to overwrite e i p with some A's,
06:00
and I can see my ayes are repeated. So that basically tells me that
06:05
this program is susceptible to a buffer overflow attack. Okay, great.
06:11
But the program crashed. You know, I don't have control of it, so how can I gain control of it?
06:17
So now we can do is we can actually put our show code
06:23
in an environment variable
06:26
and run it through this program called getti n v a d d. Are. Now what this is going to do is basically tell us the return address that we can use for E i p. In order to point to our shell code,
06:41
we're just going to creating an environment variable that we're then going to plug into the sea program.
06:47
But basically, it will spit out,
06:49
um, that memory location that we need
06:53
in order to feed to e i P. So let's go ahead and
07:00
take a look at that. First, I want to show you the shell code. I'm running a 32 bit instance of Cali Lennox here.
07:09
And because of that, the shell code that I'm using is meant for 32 bit.
07:15
So what we're gonna do is we're actually going to create an environment variable called upon,
07:19
and we're going to export that into out of environment,
07:25
and we're gonna use python to help us.
07:30
So now it's exported in our environment
07:32
and we are going to
07:36
go ahead and execute our get e n v a d d are. By the way,
07:42
the source code that I showed you is is dot c So you need to go ahead and compile that. So now I'm going to pass in my pawn environment, variable. And, of course, my binary classic.
07:57
All right, so what that does is it gives me a memory location for where I can return from the function and place my shell code. Okay, great.
08:09
So want to grab this value here
08:15
and I want to actually go into the next generation of my exploits group exploit three dot p y
08:22
and I want a place that value instead of having the bees,
08:28
I'm going to place
08:31
that new value there.
08:35
So now we're going to go ahead and run our exploit
08:41
script,
08:43
and so what we can do is just go ahead and
08:48
passed into our binary classic
08:52
the the end three dot t x t that we just produced
08:56
and in private pipe it into the binary and just do a cat on that.
09:03
So what that means is we are actually able to execute our shell code. Now it says no show for you.
09:11
But if I do a who am I?
09:15
You can see that I'm route. So I'm I'm actually at a shiny shell, and I could execute a cat on Say,
09:26
it's your password.
09:28
Right?
09:30
Uh,
09:31
I could basically do any command that I like. And of course, I can exit out of the
09:37
out of the shell, so this concludes wth e exploit for buffer overflow attack.
Up Next
Instructed By
Similar Content
