airomon Lab

This lab demonstrates the basic process of a buffer overflow from start to impact, including the testing and evaluation of the buffer overflow in a simple C Program. [toggle_content title="Transcript"] Hi Leo Dregier here. I want to talk to you guys about buffer overflows and how you can one learn about the basic processes of buffer overflows. I want to take you pass some of the theory and show you some of the hands on testing and evaluating buffer overflows. So basically what we are going to do is look at a stack based buffer over flow that I have written in c programming. So I open up the document here and I just want to explain this to you that way. You can follow along and try to reproduce this on your own. This is definitely going to be a monkey see, monkey do type of lab. Give me one second here and I am trying to resize the text here. Let us do – it starts with talk about the basics first. You basically have the first section here and then the second section down here. So the first section is in main closed parentheses in arguments c, character Asterix argument value and whatever that is and parenthesis and then bracket. So if the argument that can't be less than two characters basically print a statement. You need a value and then exit out otherwise if we do - it is going to basically copy that and then basically print the statement. The value is whatever which is actually listed down here. So we are basically supplying that value and then printing that value and then you can see that there is a string copy of the buffer overflow and then the arguments from the previous value up here. We set the buffer here to ten characters and so we are going to prove here is that what we are going through here. Just because we choose something beyond ten characters - doesn't realistically mean that the program is going to crash or bad stuff is going to happen and in many cases programs buffer overflow all the time and they work just fine. So it is only in certain instances where you get a lot of buffer overflow that the program actually crashes. So when we compile this and execute it. You are going to through a series of commands we are going to use the GDB. We are going to go through and we are going to look at the compiling this in GDB and you can see actually how this works and I will show you some of the variables that you can use to actually see this run. So nonetheless it is a very, very basic program clearly these could be pages long but that is okay. Let us go ahead and open up a terminal and the first thing we are going to do here is basically compile this number. Compile I will show you the syntax any way - you want to follow all - so what I am going to do is do a gcc. The name of our source code which in this case minus stack.c and we are going to do this with the dggb compiler switch and what that does is that allows us to kind of set some of the break points inside of the program as opposed to actually putting them in the source code which is actually helpful and then you can set your output file to whatever you want to call this and since I have already have this card stack.c you could do it whatever output name you want. Whatever you want to execute or refer to this file as so. Stack.c is what I did before just to share that this works. I am going to do stack one - so if we get an error here. Then you can basically see start trouble shooting, so in this case if you look at the working directory I am not actually in the right directory. So let us go ahead and change directories to - in this case I am working in desktop. We just want to run the command again because that should be where the name it is - and it compiles and it gives us information and in function main, morning. Implicit declaration of built in functions string copies. Enabled by the full however it is just a warning - so it should still be and execute just fine. But nonetheless you will realistically be looking for error messages here. If you get an error message then things went bad for example if I take out my end bracket here and this piece here. You will see that it will basically be error or if I put too many brackets in or something like that. Let us go ahead and save the set as stack two and then I will show basically what an error message looks like. So in this case same exact thing - stack two and let us call this stack two and boom there you go. Now we have got the error message expected declaration or statement of value. Now most of the time when you are compiling c code or writing c code. Then it acts at at time it is going to be a syntax error somewhere in extra declaration too many, too little. Go ahead and look at syntax and trouble shoot that first because if doesn't work don't freak out. It is all part of my learning experience think of it as hide and seek for errors and that is the way you want to approach this. Don't get frustrated - don't want to give up - continue through because this is very much a problem solver. I did that once without an error just a couple of warning and then I created an error just so you can see what syntax look like if happen to this wrong the first time itself. So let us next us go ahead and another way we have actually got this ran and we got it compiled. Let us go into gdb and you are going to want to run this basically like you would any other program. So I am going to run stack which is the name of my program and you can see copyright information here at the top. This gdb was configured as i46 linux. Now what one thing to do here is make things easier for your eyes and to illustrate to basically to put this in easy syntax. So you can actually read it like a human is going to go ahead and set the dis-assembly flavor to intel and you basically do that by declaring, set disassembly-f and then you can tab your way through for flavor and set it to intel and if you come back no problems should be there and then go ahead and you can type list and list is a hopeful command to know when we are using this because it starts showing you what you are source code look like and you can use that especially when you start getting into break points and deleting breakpoints and things like that. Because you can test this out by declaring this - now again I want to back up to what I did in the beginning when I actually compiled this I compiled this with the -ggdb switch that allows me to set the break points now that I am actually inside this program as opposed to having it in the compiled code. So we set the disability flavor then we listed out the contents of the source code which we can see here but let us go ahead and run this. Now to run this we basically can - basically do a false statement and you can do this by basically typing run the program. $ sign [perm.execute single tick print a which is the value that we want to print into the product copy into our buffers. Time this ten send me coal and single tick and the parenthesis and see what it looks like and you can see starting the program the location which we ran the program. $pearl print a ten times and if count that up there should be ten and you can say that the program accepted that and fine. Great - let us basically buffer overflow this - let us use the value of eleven. You can see the range is fine I am not going to increment this by once. So let us do twenty - so let us put twenty a's in there. You can see the program still work fine. If we do 25 we get a fault and I am just going to auto program some values in here. So if I do like 50 start it from the beginning you can still get a whole bunch of 50 a's in this point and you can also see that it is actually stating the memory register here and we are going to come to this in a second but 401 401 401 this is all a - you can actually prove that. If you were to change it to for example b's start to program from the beginning 401 401 and 402 402 a b you want to get creative here and this is how you learn. This is how you learn the stuff - start off from the beginning again and you can see that it is 403. If I wanted to see what the value of ten is - it starts from the beginning there you go. That is 30, 31 or 1010 so we are going to back to a's just for the simplicity and again there it works. So now what we are going is we are basically supplying value to the executable it is copying it to the buffers and it is basically buffer overflow. Now there is not a convenient way to l look at what is actually happening to your buffers at this time. So in order to do that we basically have to look at the buffers. So let us do an x/ 20xw and let us look at the extended stack pointer. So basically simply doing or reacting to print where it is in the stack. Now this is going to be helpful and I can change this. If I want to change from 20 to 40 or 400 or whatever I want. I can print as much or as little of the buffer as I want. Twenty is fine - but basically we would be looking directly right in here. Right in the section here because you can see all the 401 401 401 all the way through here. So if I change this - if I go back to print 500 a's to the buffer start to program from the beginning have it air up and then go look at the buffers and let us look at the first 500 characters. You can see that now my buffer is all 401 401 401 401 so I am actually proving that the buffer is doing in fact get over written at the different memory locations as here on the left. So it is nothing but overflowed buffers at this point and I hit enter a few times and you can actually see where that ends and then it picks up other values at the end of that and so what I am proving here is that the buffers are in fact getting overflowed. Let us go ahead and listen things out here. I want to show you guys a couple of more things here before you wrap it up. I want to show you how to set break points in here. So we go back to our program you can see that we have got and you could do this with a list command earlier but basically it is right in here. So if you want to look at this right before the buffer gets copied and check the buffers and check the stack foyers and then let the buffer overflow happen and then check the buffers again and kind of look at that just one line at a time and you can do that. A couple of different ways you could do that - you could actually count the lines down like this or 1,2,3,4,5,6,7,8,9,10 so it is right around nine and ten is where we want to set break points again and this is the value of actually compiling this with doing a -ggdb because I can set the break point to nine and it says break point to nine and it says break point ten set and I would set another one. Now if I run the code it will execute it 0:14:24and I am going to change this back to ten but it will basically break right at the nine and allow you to basically look. So it has ran the program copied the ten a's and then break here for me to see and then I can look at the first 40 of the extended stack pointer. So if I look at that here you can see basically the buffers look fine. I mean I get all sorts of stuff in here. So nothing really to see and then if I change this again and let us go back to 500 and start from the beginning and then look at the values in here and we will just look at the first 40. If I look at the first break point before the buffer happens - I am proving that the buffers look absolutely fine. Just a bunch of random stuff I don't see - no operators. I don't see your repeated values from the string that I copied which is why I wanted to do like all a's or 1 & 0's just to make it completely obvious - no operator 0x90 just look at that pattern all the way through. You want to make this obvious when you want to learn this - you can actually distinguish what normal buffers look like versus complex buffers and then you can go through and actually see more of what it looks like and if you want to delete the break points and remove them completely. You can actually just put a delete and then delete all the break points, yes. That will get those to go away and then run the command again from the beginning and then check your registers now buffers are overflowed. So that is the absolute basics to doing a buffer overflow. Now we haven't looked at exactly how this gets exploited. What is being disclosed - what code is being arbitrarily executed. How they are crashing the system - what memory is it taking? What is task manager or top look like. So if I just give you an example here - if I am going to look at the top - you know what does that look like. These are all things that you could at in the grand scheme of things to really understand what your buffers are doing on your system. So that is a summary, just to give you one summary real quick we basically took some buffers copied them, printed them, we compiled the program using the -ggdb we ran the program gdb ./ then the name of your program. We set the disassembly flavor to intel, we listed the code, we looked the code we ran a basic pearl statement to basically just supply input to the program. We looked at the different stacks pointers showed you how to change the stack pointers with x/20xw or 500 if you want to look at the first 500 and things like that. Very, very basic - very, very easy way. Now that you have seen this the key to actually making this makes sense is it go ahead and reproduce this make your own errors and work through these and get through these on your own and then you will start having a better understanding of how buffer overflow works and then hey at the end of the day. If you want to tell your friends and family. I created the buffer overflow and then you can say I actually do it but if you cannot do this and you don't know how to do this. There are lots of hackers out there that do not know how to write a buffer overflow and I have just clearly proven that it is not that hard. So I want you guys to practice and I want you guys to understand this and if you have any problems with the video. Why don't you send me a link on the contact me section and answer any questions you have about buffer overflows. My name is Leo Dregier thanks for watching - don't forget to check me out on Facebook LinkedIn YouTube and twitter. Also by now you should be well familiar with the website be sure that you are sharing, connecting because that is how you move up in the application. Use it, learn from it share it and take it for all it is worth because that is why it is here. [/toggle_content]
Recommended Study Material
Learn on the go.
The app designed for the modern cyber security professional.
Get it on Google Play Get it on the App Store

Our Revolution

We believe Cyber Security training should be free, for everyone, FOREVER. Everyone, everywhere, deserves the OPPORTUNITY to learn, begin and grow a career in this fascinating field. Therefore, Cybrary is a free community where people, companies and training come together to give everyone the ability to collaborate in an open source way that is revolutionizing the cyber security educational experience.

Cybrary On The Go

Get the Cybrary app for Android for online and offline viewing of our lessons.

Get it on Google Play

Support Cybrary

Donate Here to Get This Month's Donor Badge

Skip to toolbar

We recommend always using caution when following any link

Are you sure you want to continue?