Hey guys, Sec solutions Back again with another Blog,
Today we will be learning about Buffer Over flow Exploit, the most critical Exploit currently in Industry.
What is BufferOverflow?
Buffer Overflow Happens when we try to write a piece of string or some other variables in the memory which is only certain length, so Attacker can Use those kind of scenario to upload their payload to exploit the system or network
When a program runs it will call the main function of the program to execute the code and the process will be holding the memory in a specific way, and its consistent between different processes. Here memory points out the RAM.
Lets look at RAM structure, RAM Memory sizes may differ but we use Virutal Memory Address Translation to save everything which uses addresses from 0x0000… to 0xfffff…. it go untill it becomes 0x111111…. and all the way upto 32 or 64 bits.
This is how RAM structure looks like to handle the processes from the programs start from text to up to kernel level.
TEXT is the container which contains our actual code of our program, the machine instructions we need to be compiled.
DATA is the container which holds uninitialized and initialized variables.
HEAP is allocated to store large things, you can store large amount of data, code or anything you want, it depends on your code or program.
STACK stores the local variables to call upon, if you are adding an new function like scanf or printf it will be added to the end of the stack.
So, Stack grows downwards cause of adding functions to it and Heap Grows upwards because of storing things in that.
Now we will be focusing on Stack only, because Buffer over Flow Happens mostly in STACK part.
What is STACK?
Stack follows a particular order in which the operations are performed, Most of the computer science relies on stack. Ok let’s get back what stack is doing here in BOF.
In Every Block of Code, we will be having functions, to call other variables to work, then it will come back to its Original position.
Functions will be needing Variables to perform its function so lets add two Variables a & b in the stack for example.
Return will give the instruction to return after the completion of Block of Code.
So, Let assume we have an application which have access that anyone can access with a buffer size of 500.
If we pass more information larger than buffer size it will go up to RETURN block which it should not it will return an segmentation error (i.e there is no such thing that it can proceed). If it is not accessing the Return Block, nothing could happen, if our Instruction Pointer Moves into there, so anyone can Include Malicious payload(To get the SU shell) into buffer to execute it.
In the Below image You can see that if you pass some extra string into the buffer with the help of Debugger, it goes upto RETURN pointer where it will instruct the instruction pointer to address where it is assigned to return, but an attacker can put his return address of his Malicious Code.
The determining of the size of buffer values, Stack pointer Registries, Instruction pointer addresses are necessary to check for the flow of Program that we are passing into it. This can be Done by with the help of Debuggers like GDB(Linux).
Here we can use Simple Garbage Values of characters in Multiples, to check for the pointer addresses, but while attacking you cannot go with the garbage values of Characters, it might not work all the time, so we can add a NoP sled(/x90) instead of Garbage characters we used check. by calculating the buffer size, Payload size and Return address.
So the compiler will check NoP sled and will skip that part and it will end up with our Malicious Payload, then it will Go for the Return address where it is meant to be. So Obviously it’s our shell code there to get the SU shell.
Assume Buffer is 500 here, we found it is reaching the RETURN address at 510 by giving garbage characters, now we are adding Payload and padding so we need to calculate things before we use it in debugger as input.
Finall Input [510] = {[NoP sled() + Payload Size(Your payload size) + Return Address (4)* padding(10)}
NoP sled size = 510 – payload size – (10*4)
We need padding between our shell code and stack that is moving around.
So if give this input it will go up to return address then it will return to NOP then skips it and Obviously it will execute our Payload.
We can get a SU shell if an application is Vulnerable to BOF with any user access.
Practical Thing of BOF is little Tricky, I will be posting the Practical Blog of BOF in the upcoming days.
Stay with us, Learn More.
Be safe, Be cool.
Thanks Guys, Bye Bye!
