5. Basic Types of Buffer Overflows And Demo 01
Is as we’re coming back here, here’s several instructions, okay? This happens to be an if instruction in a symbol. It tells us to jump if zero to this particular memory address. We need to keep in mind that there are three main programming constructs and I may have talked about this a little bit before, but basically there are three main programs programming constructs and those constructs are processing. Which means the instruction pointer is going to point to this one, to this one, to this one, to this one until it gets to the end of the program. That’s what’s known as processing. The next one is called Decision. And Decision basically says, I’m going to point to this instruction, this instruction, and if this value is greater than some other value, and this is jump down to here and start executing these instructions.
This is very similar to an if then statement or a case statement. And then we also have execute all of these instructions and then start over again executing them. This is a do while loop or a for next loop. Okay? So every program that’s ever been written and ever will be written, I would venture to say, will follow one or more of those three programming constructs. So back to our machine here. We’re back here. We jumped zero to this address. And I want you to notice, after we’ve gone to the subroutine, we’re going to now pop things back off. This is what the explanation that I gave you in a previous lecture where we talked about somebody coming up to the table and just a second, let me replace the things on my desk in these various locations.
I e push them on the stack. So because I was interrupted, quote unquote interrupted by this student, I answer their question and then I repopulate my desk exactly the way it was before it I was interrupted after the student has gone back to their chair. This is exactly what’s going on right here. Now, here’s the rub. This is what we need to understand. Let’s say that we were down here in the subroutine. Let’s say the subroutine started here, all right? While we were down in the subroutine, we asked for data. Now, the data would be placed right here in this data segment, okay? Now let’s say, for example, that we asked for information, but when we put this into the data segment, it didn’t stop right there.
What actually happened right here was we took an area of memory. This is our array. And rather than putting in 25 characters, we put in 2500 characters. It’s going to write all the way through the data segment overriding what we pushed in on the Stack segment. And if craftily done, when we pop things back off of this, when we come back out, we can get that instruction pointer to land anywhere in the series of memory addresses we have access to. Now, I always use the example of if you’re hunting for birds and you’re a hunter, you’re more than likely going to use a shotgun rather than a rifle. Let’s assume for just a moment, using our imagination here, that from the start of this machine, code instruction to this one is what we pushed in.
But we’re going to need to get it to land right here on number three to start executing these instructions. Well, if we just simply pad that frontal portion with a field of no ops, we could get it to land anywhere in this field of no ops before it executes its first lethal instruction. All right, this is what I was referring to as a no op sled or a no op slide. Okay, great. Now we’re going to go ahead and do a little demonstration here of how we use this buffer overflow. All right? So I’m going to just tell it to fit my guest. I’m going to kind of get out of this right now, and I’m going to demonstrate a buffer overflow for you guys to this particular machine, to this Windows 2000 machine should look for.
All right, great. Now I’m going to actually use an older version of Metasploit to do this with. Now, guys, I know there’s a newer version and we’re going to cover this probably in a bonus section, but there is not really any metasploit information on the test. So I’m going to use this to make it very simple for everyone to understand. I’m going to use this little Metasploit web utility right here, and it tells me to open up a browser and run it from this particular IP address. I’m going to type in http forward slash 1270-1555. All right, if I press Enter on here, if everything goes correctly, it should come up with a Metasploit console. All right. Now, Metasploit consists of ways of being able to utilize an exploit that’s knocking the wall down, if you will.
Then it’s going to take and shove in a payload. Now, the payload is going to be what we’re going to try and get it to run by shoving that in and overriding that buffer. So the payload has to fit into whatever the application’s buffer size was and stack size was. That needs to be understood. You may or may not be able to shove in these applications unless they’ll fit into this buffer. Okay? And then finally, a session is the result of running that payload. Now, what I’m going to do is I’m going to use a very lame old utility called Microsoft RPC Decom. And the reason I’m using it is because you could fly a 747 or an A 300 through its stack area. I mean, it’s huge. You’re going to see. The targets are Windows Nt Service Pack six, two K XP and Windows 2003.
All versions. So I’m going to click on this default. And you know what I should have done was find out what the IP address of this was hang on. Okay, so its IP address was 1010 1109. So I’m going to go ahead and just tell this right here to log off as administrator, as I talked about before. And I’m going to pick one of these payloads. Now I could pick a payload for it to add a user. I could click what’s called a bind connection. And a Bind connection means that I can reach out and directly touch that machine so I don’t have any firewall in my way or anything. I could push in what’s called a meterpreter, which is its interpreter, very similar to a command show but a lot more powerful. And then various other ones that I could do, which is a staged exploit.
And then what I’m going to actually use is called this Vnc inject. Now if you’ve noticed right here, vnc for Virtual Network Connection is how I can produce a Gui for this machine. It’s very unusual to be able to hack into a machine and get a Gui. The reason I’m able to do this is because all the stack area RPC decom had, again, we could fly a 747 through its Stackery. It’s huge. All right, so if I did have a firewall, I’m going to have to coerce someone on the inside to open up that firewall and do these things. That’s what the reverse connection is for. All right, so I’m going to go ahead and click on Bind Vnc inject here and it’s asking for that IP address. Now notice this no op generator right here? That’s for our no op sled, okay? So I’m going to click on Ten 109.
All right. Now I can check it or just throw caution to the wind. And it’s what I’m going to do on this because I know that it should work. So I’m going to go ahead and click on Exploit right here and if all goes well, it should start a session showing me that on that machine. Now the common question I typically get, well, does that pop up on their machine? Yes, it does in this particular instance. But if we had just a command shell, it typically doesn’t. But let’s go ahead and take a look at what I’ve got. I’m just going to type in Whoami and press iter and look what kind of permissions I have. I own this box. I own this thing completely. And so what I could do if I wanted to is I could basically add another user. And that’s what I’m going to do.
But I want you to understand what’s going on right now. At this point in time, I typically ask the question in my classes, is anything that Windows gives us to audit itself if you will be able to detect what actually is going on. All right? And somebody might say, well, it started a new process. Did it start a new process? No, it didn’t. It actually took over the RPC decomp process injecting all of that code to create this Bnc shell inside of the RPC decomp. So if you ran your task Manager on Windows 2000, you would see what looks perfectly normal. I’m going to now create a usernet user Timid. And at this point in time is command completed successfully? Yes, it would detect this if you’re auditing creating new users.
What I’ve done right here is I basically created a user called Tim and added Tim to the local administrators group. In reality, I really don’t even need this anymore. So I’ll just go ahead and get rid of this guy. Close this window right here, and I’ll go ahead and open up a tool right here and send a control all delete to this. All right, so I’m going to basically take out administrator right here, and I’m going to put in Tim. Now, I did not add a password to it. So when I press Enter, if all goes well, if I’m administrator, the first thing that’s going to come up is configure your server. And let’s see if that happens here. Well, there we go. So I have basically done a buffer overflow, went in using a Gui, created a new user, and made that user administrator of this box.
6. Basic Types of Buffer Overflows And Demo 02
Okay guys, basically what we’ve done up to this point is we’ve seen a demonstration of what a buffer overflow looks like and that type of thing. And I’m going to now go into the more technical jargon of a buffer overflow. The first thing we want to understand is what we’ve been talking about up to this point is the most popular kind which is called a stack based buffer overflow. We’re going to look at that one first and then we’re going to go ahead and look at another type of buff overflow in just a few minutes here. So basically the technical aspects of what’s going on is the use of special prologues and epilogues. In other words, beginning sections and ending sections around functions can easily detect now and rely on stack overflows.
This is a term known as stack smashing and it’s actually performed and how it’s detected. Even today after buffer overflows are a threat to computer system security. Over the last few years, vendors of operating systems have set up their products with different strategies to prevent buffer overflows. For example, when Vista came out, they came out with something Vista and I should say Vista and above came out with something called address based layout randomization. Now what this does is it basically scrambles, if you will, and I’m taking a little bit of political license here, I guess, or a creative license you might call it, because that’s not absolutely correct, but it scrambles it in a way where the same exploit can’t be used on the same class of machines.
In other words, they’d have to create an exploit for every kind of machine and once it’s rebooted, it could randomize itself. So it makes it very difficult for individuals to create a standard type stack based buffer overflow because they don’t know exactly where all of the memory addresses are. And then we have something called non executable stacks and I’m going to talk a lot about that and that’s where we’re looking at things like data execution, prevention and the no execute and execute disable registers that are in our modern day processors. We’ll talk about that on the Prevention slide. Okay, so we also have compiler vendors which added techniques against buffer overflows, especially stack overflows their problems to their products.
For example, all major vendors of C and C plus plus compilers have added detectors to their compilers that can sense stack smashing. They’re using something called a canary word or some people refer to it as a stack cookie. And basically it’s the willful use of the stack overflows to gain control of the system before any harm can be done. They cannot prevent the stack itself from being smashed, but they can detect the smashing and avoid executing that malware payload. For example, buffer overflow protectors include things like stack smashing protector or SSP for Gano’s C compiler, pro Police for IBM’s XLc, and buffer overflow security check for Microsoft’s Visual compilers.
In other words the forward slash GS option. Before understanding the solution, you have to understand the problem. And I think we’ve got a pretty good idea, but let’s go ahead and walk through it. Technically, what happens in the case of a stack overflow whenever a program calls a subroutine, like we did in example by a CPU instruction or a call branch, it saves the current instruction porter onto the stack. It marks its position before it branches, so it knows where to return after the termination of the routine. This saved address on the stack is called a return address. Upon termination of the routine, high level languages first clean up the stack by removing local variables, and after that the stack pointer and again points to the return saved address.
Add an RET or return instruction, the processor reads the return address of the stack and jumps back to the former instruction pointer position and continues the original flow. Now, the flexible layout allows theoretically infinite levels of recursion. And recursion in computer science simply means calling a function from within itself. But several problems are also inherent. If a program does not check the boundaries of local variables at writing, it could write beyond the intended space of these variables. In the best case, from an operating system perspective, that is, this will overwrite other variables. In worst case, it will override the return address. Why? Well, in most systems, including state of the art systems, the stack and heap of the program are growing towards the same point in memory.
Where the heap grows from the lower to higher addresses, the stack grows from higher to lower addresses. Since the stack grows from higher to lower addresses, the local variables on the stack work the normal way they grow from lower to higher addresses. Any string in any array store their values of lower indexes at lower addresses and higher addresses. So let’s assume for just a moment that a program writes data to a local string by the use of the strip. About this more on the Prevention slide. STR doesn’t check for any boundary. In other words, it’s not going to check to see how long the string is just going to keep on flowing in. It copies data to the destination variable until it reads a null byte for the source variable.
That the null happens when we press the entered key. So you’re never going to find a null, which is so you’re not going to ever see that in any kind of a payload because it would stop right there if that happened. Thus it’s able to write more bytes onto the stack. Then there is space dedicated to provide the string variable. So as a result, it could override the other data in higher and lower addresses on the stack. So if the process is not stopped, sooner or later the program will override the return address too. The return address will be destroyed, or more precisely, given a new value at termination of the subroutine. When the program retrieves the return address, that address has changed.
Under normal circumstances, the program flow jumps to an unpredictable address. Chances are very good the jump leads to a segment outside the program’s own memory. The system detects a segmentation violation and then kills the process with a signal number. Now, that’s if they didn’t do it right. Now, remember we talked about in the demonstration, if it’s craftily done, then we’re going to jump within our own memory, all right? But so far, so good. What happens at the target of the changed return address is not outside the program’s own memory. In this case, the jump might succeed and execution will go on. If there is valid machine code, it will be executed. If not, the process will create an illegal instruction exception.
Now, attackers change the return address via a buffer overflow, not a predictable location. So they basically create that sled of no ops that they’re going to before they get to the payload. All right, so let’s take a look at this. Right here on this, you can see the character buffer has 200 in it. And here is its return address it’s going to jump back to. But if we smash the stack after the overflow, we overwrite that return address with whatever we pushed in it and it’s going to return to whatever that that we put into it is pointing to. Now, let’s talk real quickly about a heap based buffer overflow. This is more difficult, but it can be done. And there’s a lot of heat based buffer overflows.
Now, the heap of memory itself when it’s allocated to the program, but it basically is a linked list. For those of you who’ve taken computer science, it’s control data which controls this is at the beginning of the memory segment. Now, the way that I like to think of this is kind of like the Tetris game. Now, here’s a real good example of what I’m talking about. I’m sure most of you guys have probably played this where the little pieces will come in. You got to try and fit them in where they are. And sometimes it makes up where you got these holes in here. Well, think about that as being memory that’s being allocated and de allocated. And sometimes we have these holes in there and then the memory ends up filling up because we don’t have enough room and the Tetris game starts over.
But in our case, this is when the program crashes due to what’s called a quote unquote memory leak. That’s what we typically have happen when things aren’t put away and allocated and de allocated properly. Let’s go back over here to our buffer overflow portion and let’s then take a look at the memory section. Now, we said the control data itself is at the memory. Let’s say we had a buffer overflow that overwrote whatever is in the memory contents. And here it’s going to overwrite the control data of this portion of memory, getting it to point perhaps to another area of memory because we overwrote it, maybe allocating it, and pointing over here and executing this, that’s what’s considered to be a heap based buffer overflow.
