Linux stack buffer overflow

Stack-Based Buffer Overflows on Linux x86

Buffer overflows are common vulnerabilities in software applications that can be exploited to achieve remote code execution (RCE) or perform a Denial-of-Service (DoS) attack. These vulnerabilities are caused by insecure coding, resulting in an attacker being able to overrun a program’s buffer and overwrite adjacent memory locations, changing the program’s execution path and resulting in unintended actions.

Summary

This module introduces buffer overflow attacks, principles such as CPU architecture and CPU registers, and walks through the basics of exploit development and shellcode generation. We will also walk through a public exploit proof of concept and cover techniques for preventing these types of attacks.

In this module, we will cover:

• An introduction to buffer overflows
• The basics of exploit development
• Dealing with shellcode length and bad characters
• Public exploit modification
• Buffer overflow prevention

This module is broken down into sections with accompanying hands-on exercises to practice each of the tactics and techniques we cover. The module ends with a practical hands-on skills assessment to gauge your understanding of the various topic areas.

As you work through the module, you will see example commands and command output for the various topics introduced. It is worth reproducing as many of these examples as possible to reinforce further the concepts introduced in each section. You can do this in the Pwnbox provided in the interactive sections or your own virtual machine.

You can start and stop the module at any time and pick up where you left off. There is no time limit or «grading,» but you must complete all of the exercises and the skills assessment to receive the maximum number of cubes and have this module marked as complete in any paths you have chosen.

The module is classified as «Medium» but assumes a working knowledge of the Linux command line and an understanding of information security fundamentals.

A firm grasp of the following modules can be considered prerequisites for successful completion of this module:

Buffer Overflows Overview

Buffer overflows have become less common in todays world as modern compilers have built in memory-protections that make it difficult for memory corruption bugs to occur accidentally. That being said languages like C are not going to go away anytime soon and they are predominate in embedded software and IOT (Internet of Things). One of my favorite somewhat recent Buffer Overflows was CVE-2021-3156, which was a Heap-Based Buffer Overflow in sudo.

These attacks aren’t limited to binaries, a large number of buffer overflows occur in web applications, especially embedded devices which utilize custom webservers. A good example is CVE-2017-12542 with HP iLO (Integrated Lights Out) Management devices. Just sending 29 characters in an HTTP Header parameter caused a buffer overflow which bypassed login. I like this example because there is no need for an actual payload that you’ll read more about later since the system «failed open» upon reaching an error.

In short, buffer overflows are caused by incorrect program code, which cannot process too large amounts of data correctly by the CPU and can, therefore, manipulate the CPU’s processing. Suppose too much data is written to a reserved memory buffer or stack that is not limited, for example. In that case, specific registers will be overwritten, which may allow code to be executed.

A buffer overflow can cause the program to crash, corrupt data, or harm data structures in the program’s runtime. The last of these can overwrite the specific program’s return address with arbitrary data, allowing an attacker to execute commands with the privileges of the process vulnerable to the buffer overflow by passing arbitrary machine code. This code is usually intended to give us more convenient access to the system to use it for our own purposes. Such buffer overflows in common servers, and Internet worms also exploit client software.

A particularly popular target on Unix systems is root access, which gives us all permissions to access the system. However, as is often misunderstood, this does not mean that a buffer overflow that «only» leads to the privileges of a standard user is harmless. Getting the coveted root access is often much easier if you already have user privileges.

Buffer overflows, in addition to programming carelessness, are mainly made possible by computer systems based on the Von-Neumann architecture.

The most significant cause of buffer overflows is the use of programming languages that do not automatically monitor limits of memory buffer or stack to prevent (stack-based) buffer overflow. These include the C and C++ languages, which emphasize performance and do not require monitoring.

For this reason, developers are forced to define such areas in the programming code themselves, which increases vulnerability many times over. These areas are often left undefined for testing purposes or due to carelessness. Even if they were used for testing purposes, they might have been overlooked at the end of the development process.

However, not every application environment will likely exhibit a buffer overflow condition. For example, a stand-alone Java application is least likely compared to others because of how Java handles memory management. Java uses a «garbage collection» technique to manage memory, which helps prevent buffer overflow conditions.

Sign Up / Log In to Unlock the Module

Sections

• Buffer Overflows Overview PREVIEW
• Exploit Development Introduction
• CPU Architecture
• Stack-Based Buffer Overflow
• CPU Registers
• Take Control of EIP
• Determine the Length for Shellcode
• Identification of Bad Characters
• Generating Shellcode
• Identification of the Return Address
• Public Exploit Modification
• Prevention Techniques and Mechanisms
• Skills Assessment — Buffer Overflow

Источник

Saved searches

Use saved searches to filter your results more quickly

You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session. You switched accounts on another tab or window. Reload to refresh your session.

Stack Based buffer overflow attack

License

B1rby/Stack-Based-Buffer-Overflows

This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

Sign In Required

Please sign in to use Codespaces.

Launching GitHub Desktop

If nothing happens, download GitHub Desktop and try again.

Launching GitHub Desktop

If nothing happens, download GitHub Desktop and try again.

Launching Xcode

If nothing happens, download Xcode and try again.

Launching Visual Studio Code

Your codespace will open once ready.

There was a problem preparing your codespace, please try again.

Latest commit

Git stats

Files

Failed to load latest commit information.

README.md

Available on gitbook with an Introduction to Binary Exploitation module. There will be 3 big sections:

• Introduction to Assembly Language (Netwide Assembler)
• Simple stack-based buffer overflows
• Return Oriented Programming

Stack overflow is a type of buffer overflow vulnerability. When we pour water in a glass more than its capacity the water spills or overflow, similarly when we enter data in a buffer more than its capacity the data overflows to adjacent memory location causing program to crash. This is know as buffer overflow 1 .

The stack has a Last-in, First-out (LIFO) design which means that we can only pop the last argument we push ed on the stack.

Imagine someone want to put 20 bytes of data into a buffer that had only been allocated 8 bytes of space, that type of action is allowed, even though it will most likely cause the program to crash. We can see that the 20 bytes that we sent overwrited the other existing values. The program will crash because the fucntion will try to return to the address of eip which is 0x1234565 . But this value no longer existed. This is known as a buffer overrun or buffer overflow, since the extra 12 bytes of data will overflow and spill out of the allocated memory, overwriting whatever happens to come next. If a critical piece of data is overwritten, the program will crash. If we determine exactly the number of bytes we have to send before reaching eip / rip we will be able to put after this string a shellcode for our program to execute. Or If we calculate our input precisely, we can place a valid address in the location of eip . So after that the program is overwritted it will return to the adress that we have put.

The Buffer Overflow attack is defined by 6 steps:

1. Crash the binary
2. Take control of eip / rip
3. Determine the lenght of our shellcode
4. Identify the bad characters
5. Generating the shellcode
6. Identification of the return adress

All these steps are explained here.

This vulnerability can be more or less difficult to exploit depending on the security put on the binary. The securities can be:

Writeup about the Stack-Based Buffer Overflows on Linux x86 module of HackThebox Academy. The module was made by Cry0l1t3. In this writeup you will learn how I exploit a binary with a simple stack-based buffer overflow without any bypassing to do etc. And may be learn new things about stack-based buffer overflow.

A couple of images in the writeup that you have seen are providing from the HTB Academy website and the buffer images were modified by me for illustrate what I were doing

Academy, H. T. B. (n.d.). HTB Academy : Cyber security training. Cyber Security Training : HTB Academy. Retrieved December 14, 2021, from https://academy.hackthebox.com/module/details/318

Footnotes

1. Thakur, A. S. (2019, December 4). Stack overflow vulnerability. Hacker Noon. Retrieved December 14, 2021, from https://hackernoon.com/stack-overflow-vulnerability-xou2bbm↩

Источник