Slides from my talk at CodeStock 2012 describing the process of exploiting a buffer overflow vulnerability.

1. Anatomy of a Buffer
Overflow Attack
Rob Gillen
@argodev

2. CodeStock is proudly partnered with:
RecruitWise and Staff with Excellence - www.recruitwise.jobs
Send instant feedback on this session via Twitter:
Send a direct message with the room number to @CodeStock
d codestock 413a This session is great!
For more information on sending feedback using Twitter while at
CodeStock, please see the “CodeStock README” in your CodeStock guide.

4. Don’t Be Stupid
The following presentation describes
real attacks on real systems. Please
note that most of the attacks
described would be considered ILLEGAL
if attempted on machines that you do
not have explicit permission to test
and attack. I assume no responsibility
for any actions you perform based on
the content of this presentation or
subsequent conversations. Please
remember this basic guideline: With
knowledge comes responsibility.

5. Disclaimer
The content of this presentation
represents my personal views and
thoughts at the present time. This
content is not endorsed by, or
representative in any way of my
employer nor is it intended to be a
view into my work or a reflection on
the type of work that I or my group
performs. It is simply a hobby and
personal interest and should be
considered as such.

6. Credits
The vulnerability that we’ll be discussing
was initially discovered by C4SS!0 G0M3S
(louredo_@hotmail.com) and was published
on June 17, 2011.
http://www.exploit-db.com/exploits/17539/
James Fitts created a MetaSploit module
that I also reviewed while building this
module
http://www.exploit-db.com/exploits/17540/

7. Example Overview
• Scenario
– Machine 1: BackTrack 5 SR1
– Machine 2:
• Windows 7 Professional x64, SP1,
fully patched
• Freefloat FTP Server v1.0
• Tasks
– Discover a vulnerability exists
– Craft & test an exploit
• Goal: Obtain reverse shell

8. Attack Process
• Identify target of interest
• Identify software/versions being
used
• Setup local Instance
• Fuzz to identify vulnerability
• Design/Develop Exploit
• Test
• Package/Weaponize

9. Terminology
• CPU Registers
• Assembler Debugger
• Buffer Overflows
• Fuzzing
• Shellcode
• Encoding
• Bind Shell/Reverse Shell

10. CPU Registers (8086)
• EAX – Accumulator Register
• EBX – Base Register
• ECX – Counter Register
• EDX – Data Register
• ESI – Source Index
• EDI – Destination Index
• EBP – Base Pointer
• ESP – Stack Pointer
Content from: http://www.swansontec.com/sregisters.html

11. CPU Registers (8086)
• EIP – program counter or commonly
“instruction pointer” – a processor
register that indicates where a
computer is in its program sequence.
• Holds the memory address of (“points
to”) the next instruction that would
be executed.
• Any thoughts on why this specific
register is particularly
interesting?
Content from: http://en.wikipedia.org/wiki/Instruction_pointer

12. Assembler Debugger

13. Buffer Overflow
• Software accepts input, but doesn’t ensure
that it is only as long as supported.
• In this case, software accepts a value into
the variable A, but the user sends an
overly-long string (“excessive”) and
overflows the space allocated to A and
overwrites the integer previously stored in
B
Content from: http://en.wikipedia.org/wiki/Buffer_overflow

14. Fuzzing
• Identify points where application
or service accepts data
• Send varying lengths/types of data
until we crash the service and/or
overwrite key buffers.
• Increase buffer length until no
longer successful (identify upper
bounds of memory space available
for exploit)

15. Shellcode
• Small piece of code used as the
payload in the exploitation of a
software vulnerability
• Name comes from the purpose –
usually spawns a shell and
performs some action
• Often written in assembly code
• Types:
– “normal”, Staged, Egg-hunt, Omelette
Content from: http://en.wikipedia.org/wiki/Shellcode

16. Shellcode Example
[BITS 32]
mov ebx, 0x00424F52
push ebx
mov esi, esp
xor eax, eax
push eax
push esi
push esi
push eax
mov eax, 0x7E45058A
call eax

17. [BITS 32]
mov ebx, 0x00424F52 ; Loads a null-terminated string “ROB” to
ebx
push ebx ; pushes ebx to the stack
mov esi, esp ; saves null-terminated string “ROB” in esi
xor eax, eax ; Zero our eax (eax=0)
push eax ; Push the fourth parameter (uType) to the
stack (value 0)
push esi ; Push the third parameter (lpCaption) to
the stack (value ROB00)
push esi ; Push the second parameter (lpText) to the
stack (value ROB00)
push eax ; Push the first parameter (hWnd) to the
stack (value 0)
mov eax, 0x7E45058A ; Move the MessageBoxA address in to eax
call eax ; Call the MessageBoxA function with all
parameters supplied.

18. Shellcode Example
BB 52 4F 42 00 53 89 E6
31 C0 50 56 56 50 B8 8A
05 45 7E FF D0

19. Encoding
• There are often restrictions as to
what data can be sent via the
exploit (NULLs, etc.)
• Self-extracting (smaller
shellcode)
• Self-decrypting (avoid IDS
signatures)
• Tools such as msfencode offer many
options.

20. Encoded Shellcode
xbex13xafx49x81xdaxc7
xd9x74x24xf4x58x31xc9
xb1x06x83xe8xfcx31x70
x0fx03x70x1cx4dxbcx3a
x70xdex7dx3dx27x69x67
x0cx07x39x3ex39xd7x02
x34xc0x92x0cxb6x1b

21. Bind Shell/Reverse Shell
• Bind Shell
– Target exposes a shell on a given port
– Attacker connects to that port and
executes commands
– Remote Administration
• Reverse Shell
– Attacker listens for connections on a
given port
– Shell code on target connects to
attacker and sends a shell
– NAT-safe

22. Bind Shell
Code executes on
target and exposes
a listener on a Attacker connects
specific port (Binds) to client
(i.e. 4444) ip:4444
Attacker
Target sends shell
to attacker
Target

23. Reverse Shell
Attacker exposes
a listener on a
specific port
(i.e. 4444)
Code executes on
target and
connects to the
attacker ip:4444
Attacker
Target sends shell
Target to attacker

24. Fuzzing Pseudo-Code
• Build array of increasing length
strings (“A”)
• Build array of valid commands
• For each command in arrayOfCommands
– For each string in arrayOfStrings
• Establish FTP connection
• Submit command + string
• Watch for application hang/crash
• Inspect register values/pointers

25. Demonstration
FUZZING THE SERVICE

26. Design The Exploit
• Iterate with various malicious
buffer sizes to see how much space
is available
• Locate where within the evil
buffer we actually overwrite EIP
• Locate where within the evil
buffer we can locate our shellcode
(pointed to by other register)

27. Design The Exploit
• Select / configure / encode
shellcode
• Integrate into exploit script (NOP
slide, breakpoints, etc)
• Identify reusable jump address to
consistently move to shellcode
• Test with breakpoints
• Test in “real world” scenario

28. Demonstration
DESIGNING THE EXPLOIT

29. Solutions?
• Bounds checking is critical!
• Fuzz your own applications
• Address Space Layout Randomization
(ASLR)
• Operating System Support
– Data Execution Prevention

30. Questions/Contact
Rob Gillen
rob@gillenfamily.net
http://rob.gillenfamily.net
@argodev