Since I am still getting deeper into penetration tests in AppSec, it helps quite a lot to write about things to get new ideas and thoughts – so I decided to write a little tutorial on how a buffer overflow basically works, using a real world example.

There has been posted a local buffer overflow over at Exploit-DB which I will recreate in a slightly different way: “Free MP3 CD Ripper 1.1 Local Buffer Overflow” ( ). I will improve my exploit in further articles, so do not panic about the unreliable way at the moment ;-). This vulnerability is quite easy to understand and therefore a nice target to learn how things work. I am not yet familiar with shellcoding at all, so I decided to use and inject a shellcode made by the Metasploit Framework Team for now. By the way, I assume you have some basic knowledge of the x86 architecture, of debugging with your favorite debugger (I like IDA), and at least some knowledge of Python, which is not strictly needed as you can write your scripts in any other language too, but it’s a nice and quick scripting language.

The application is vulnerable to a local buffer overflow, which means that malformed local input could lead to an exploitation and therefore misbehavior of the application, and could also lead to a system compromise when the right shellcode is used and the application is run by an administrator.

Let’s fire up the application and see how it behaves if you input a random .wav file, using a small Python script which simply creates a .wav file containing 2500 A’s (by the way, this method of penetration testing in AppSec is also called “fuzzing”):

file="fuzzing.wav"

Open the file using the Convert-Wizard and see what happens… Surprise? Nothing?! Uhm!! That’s crazy, why does nothing happen even if we do not have a correct .wav header and only a bunch of A’s (“\x41” – have a look at )? Easy to say: the buffer of the application is big enough to handle 2500 A’s! OK, next logical step: let’s create a bigger .wav. Use the script above and increment the value of the A’s to 5000. Open up the target again and use the wizard to convert our bad .wav. The application dies silently and without an error message. Looks like we have crashed the application using 5000 A’s.

Now let’s have a deeper look at this bug. Start the application again, launch your favorite debugger, in my example the powerful IDA, and attach it to the running process of the application: It crashes again, but now the debugger jumps in: The interesting thing you recognize here is the error message saying that the instruction at “0x41414141” referenced memory which cannot be read. And if you have a look at our small Python script again, you see that it looks like the application tries to execute something within our malicious .wav file, which only consists of “\x41” bytes. (You can try this using other chars too of course; try to put some “\x42” in and have a look at how this message changes.)

Have a look at the registers during the crash: What you can see here is that some of our registers have been overwritten by our malicious .wav file, including the most important one – the EIP aka the instruction pointer. So if you have the possibility to put in your own piece of junk or code to overwrite the EIP, it crashes here, because “41414141” is not a valid address. That’s the reason why the application is being interrupted by the debugger. If you have a look down at the Stack view, you see that enormous parts of the stack, including some registers like the EBX and the EIP, have been overwritten. Having control over parts of the registers, especially the EIP, is an enormous benefit, because you can simply point the EIP to somewhere else! Good for us, bad for the application and the security of the user running the malicious .wav.

The next step is to find out at which position exactly we have overwritten the EIP. The most unreliable way: you can try to overwrite the whole memory space using your desired EIP, but you cannot say if you exactly “hit” the address of the EIP, and besides this it looks bad. The other, more practicable way is to use a nice Ruby script in the Metasploit Framework called “pattern_create.rb”, which creates unique patterns to use for such kinds of attacks.
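The fuzzing script referenced above and the pattern_create.rb step are shown here as one added Python example; it is not the post's own script (which is not reproduced on the page) and not Metasploit code. It builds the header-less .wav filled with “\x41” bytes, generates a Metasploit-style cyclic pattern, and maps a dword read from EIP in the debugger back to its offset in the file; the function names and the sample EIP value 0x41316141 are my own.

```python
import struct

FILE = "fuzzing.wav"  # hypothetical output name, matching the post's file="fuzzing.wav"

def fuzz_file_bytes(length: int, filler: bytes = b"\x41") -> bytes:
    """Contents of the 'bad' .wav from the post: no RIFF header, just `length` filler bytes."""
    return filler * length

def write_fuzz_file(path: str, length: int) -> int:
    """Write the fuzz file to disk and return the number of bytes written."""
    data = fuzz_file_bytes(length)
    with open(path, "wb") as f:
        f.write(data)
    return len(data)

def cyclic_pattern(length: int) -> bytes:
    """Same scheme as Metasploit's pattern_create.rb: Aa0Aa1Aa2...Aa9Ab0...
    Every 4-byte window of the pattern is unique (up to 20280 bytes), so the
    dword that lands in EIP identifies its own offset in the input."""
    out = bytearray()
    for upper in b"ABCDEFGHIJKLMNOPQRSTUVWXYZ":
        for lower in b"abcdefghijklmnopqrstuvwxyz":
            for digit in b"0123456789":
                out += bytes((upper, lower, digit))
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out)  # pattern space exhausted: at most 20280 bytes

def pattern_offset(pattern: bytes, eip_value: int) -> int:
    """Like pattern_offset.rb: given the dword the debugger shows in EIP, return the
    offset of those bytes in the pattern (-1 if not found). x86 is little-endian,
    so a displayed value of 0x41316141 corresponds to the bytes b"Aa1A" in the file."""
    needle = struct.pack("<I", eip_value)
    return pattern.find(needle)

if __name__ == "__main__":
    # Step 1 of the post: 2500 A's (no crash), then 5000 A's (silent crash).
    for n in (2500, 5000):
        print(f"wrote {write_fuzz_file(FILE, n)} bytes of \\x41 to {FILE}")
    # Step 2: replace the A's with a cyclic pattern and read EIP from the debugger.
    pattern = cyclic_pattern(5000)
    with open(FILE, "wb") as f:
        f.write(pattern)
    # 0x41316141 is a constructed sample value, not a real crash value from the target.
    print("EIP 0x41316141 sits at offset", pattern_offset(pattern, 0x41316141))
```

With the pattern-filled file, the value shown in EIP at the crash is all you need: feeding it to pattern_offset tells you at which byte of the input the return address starts, which is what the post's "at which position exactly" question asks.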