Software Exploitation Techniques by Amit Malik

Presented By: Amit Malik a.k.a DouBle_Zer0 [email protected]

Software Exploitation Techniques by Amit Malik @ null Pune Meet, July 2010

Page 2

Application overview

Debuggers

Stack based buffer overflow

Demo

Page 3

Filecopa FTP (File Transfer Protocol) server

Port 21

Vulnerable to buffer overflow

Page 4

All-time favorite: OllyDbg

Why debuggers?

Breakpoints

Immunity Debugger

Others

Page 5 (image only)

Page 6

Discovered in 1972: Computer Security Technology Planning Study.

Exploited in 1988: Morris Worm.

Published in Phrack in 1994: Aleph One, "Smashing the stack for fun and profit."

Page 7

Each function creates its own stack frame. The caller's frame is known as the parent frame; the called function's frame is known as the child frame. For example:

    main(){
        sum();
    }

ASM pseudo:

    _main:
    123: push ebp
    124: mov ebp,esp
    125: sub esp,val
    126: call _sum
    127: mov esp,ebp
    128: pop ebp
    129: ret

Page 8

    123: push ebp
    124: mov ebp,esp
    125: sub esp,val
    126: call _sum
    127: mov esp,ebp
    128: pop ebp
    129: ret

Stack layout while inside sum() (higher addresses at the top, stack grows downward):

    Ret startup()        <- main()'s return address
    ebp                  <- saved ebp of main()'s caller
    Locals main()
    Ret(127)             <- sum()'s return address, back into main()
    ebp                  <- saved ebp of main()
    Locals sum()
    Unallocated space
    Stack growth: downward

Page 9 and Page 10 (same stack diagram as Page 8)

Page 11

If the input for the local variables is greater than the space allocated to them... then... (same stack diagram as Page 8)

Page 12

It will overwrite ret (the saved EIP).

Before:

    Ret startup()
    ebp
    Locals main()
    AAAAAAAA             <- Ret(127) overwritten
    AAAAAAAA             <- saved ebp overwritten
    AAAAAAAAAAAA...      <- Locals sum() filled with input
    Unallocated space
    Stack growth: downward

After:

    Ret startup()
    ebp
    Locals main()
    jmp esp              <- Ret(127) replaced with the address of a jmp esp
    AAAAAAAA
    AAAAAAAAAAAA...
    Unallocated space

Page 13

Vulnerable to buffer overflow (LIST command).

But how do we know that the server is vulnerable?

Three methods to find security bugs:

1. Fuzzing

2. Reverse Engineering

3. Source Code Auditing

Page 14

Fuzzing: send invalid, unexpected, or random data to the inputs of a program. If the program fails or crashes, the defect can be noted.

OK, let's send invalid input to our server.

Still listening? Umm, no... good.

But we don't know which function is causing this problem.
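As an added illustration of the overflow described on Pages 11 to 14 (example code, not from the original deck or the FTP server), a C model of the child frame: a LIST-style handler with the unchecked copy, its bounded counterpart, and an in-process length sweep that does what the fuzzing step does, growing the input until the saved return address changes. The struct layout, BUF_SIZE and RET_IN_MAIN are constructed for this example; a real compiler decides the actual frame.

```c
#include <stdint.h>
#include <string.h>

/* Model of the child frame drawn on the slides: the local buffer sits
 * below the saved ebp and the return address "Ret(127)". The layout is
 * constructed for this demo; a real compiler decides the frame. */
#define BUF_SIZE 16u
#define RET_IN_MAIN 127u

struct frame {
    char     locals[BUF_SIZE];  /* Locals sum() */
    uint32_t saved_ebp;         /* ebp */
    uint32_t saved_ret;         /* Ret(127): return address into main() */
};

/* Vulnerable pattern: the argument is copied into the local buffer with
 * no length check. The copy is clamped to the model frame so this demo
 * cannot corrupt real memory; the missing check is the bug. */
uint32_t handle_list_vuln(const char *arg, size_t len)
{
    struct frame f = { {0}, 0, RET_IN_MAIN };
    if (len > sizeof f) len = sizeof f;    /* demo-only clamp */
    memcpy(&f, arg, len);                  /* runs past locals into ebp, ret */
    return f.saved_ret;                    /* what 'ret' would jump to */
}

/* Hardened pattern: the length is checked against the buffer before any
 * byte is written; oversized input is rejected. Returns 0 on success. */
int handle_list_safe(const char *arg, size_t len, uint32_t *ret_out)
{
    struct frame f = { {0}, 0, RET_IN_MAIN };
    *ret_out = f.saved_ret;
    if (len >= BUF_SIZE) return -1;        /* no room for data plus NUL */
    memcpy(f.locals, arg, len);
    f.locals[len] = '\0';
    return 0;
}

/* Length sweep, i.e. the fuzzing step from the slides done in-process:
 * feed 'A' strings of growing length and report the smallest length at
 * which the vulnerable handler's saved return address changes (0 = never). */
size_t first_len_that_clobbers_ret(void)
{
    char input[2 * sizeof(struct frame)];
    memset(input, 'A', sizeof input);
    for (size_t n = 1; n <= sizeof input; n++)
        if (handle_list_vuln(input, n) != RET_IN_MAIN) return n;
    return 0;
}
```

With this layout the return slot changes once the input exceeds the 16-byte buffer plus the 4-byte saved ebp, which is exactly the offset calculation the later slides perform in the debugger; the bounded handler returns an error instead and the slot is never touched.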

Page 15

Reverse engineering is the process of analyzing a subject system to create representations of the system at a higher level of abstraction.

Generally used after fuzzing.

Provides in-depth information about the target. Sometimes more than the source code.

Page 16 (image only)

Page 17

Calculate the offset for EIP.

ESP is pointing to our buffer.

Aahhh... problem: we don't have much space on the stack (only 13-14 bytes approx.).

Now what?? Check other registers.

ECX is pointing to it, but not directly.

Page 18

But we have some bytes on the stack. Use these bytes to adjust ECX and then jump to ECX.

We need a jmp esp (address) first.

Note: hard-coding the stack address is not good practice. It contains null bytes, and the address may change.

Search for the address in DLLs, because DLLs are static, at least for the same service pack.

Page 19

ECX is at 00652984 but our data is at 006529cc (on my system).

Increase ECX, but there is a little problem: that data is used to overwrite EIP.

So increasing ECX to that address gives little space (only 234 bytes approx.).

So increase ECX so that it jumps over the saved EIP.

Page 20

So add ecx,152 bytes. Does it work??

Nope... it generates null bytes, can't use.

OK, add cx,152 bytes... should work. Else increase the bytes.

Page 21

Now jump to ECX (instruction). And we have our shellcode ready.

Page 22 and Page 23 (demo)