
17 September 2018

Windows Buffer Overflow Example



These days I’m learning how to exploit Buffer Overflow vulnerabilities and how to find this kind of vulnerability. I think the best way to learn about Buffer Overflow is exploiting these vulnerabilities in a laboratory by ourselves. Therefore, I’ve installed a vulnerable server on a Windows machine along with the Immunity Debugger and Mona tools. I’ve also installed a Kali Linux machine, which has been the attacker machine. This is the laboratory I’ve deployed to test a simple buffer overflow vulnerability, which you can check in the next video.


Firstly, I’ve scanned the vulnerable server with the Nmap tool to know whether the POP3 service is open. I’ve also tested a simple script that sends 3000 ‘A’s to the vulnerable server. We can see the program crashes and the ESP register contains many ‘A’s, or ‘41’ in hex. However, we have to find the specific EIP memory location, thus I’ve created a unique string which is sent to the vulnerable server through the malicious script. Once I’ve controlled the EIP register, we have to know which bytes cause problems within the vulnerable server, such as truncation with the bad characters \x00\x0a\x0d. The next challenge is to locate a JMP ESP instruction in memory to insert its address into the EIP register. Finally, I’ve created a payload with the msfvenom tool to add it into the script, which gives us a Windows reverse shell.

Regards my friends. This has been an amazing demo to know how Buffer Overflow works. I recommend you do it by yourself.

10 September 2018

Buffer Overflow Attack



I remember when I was at university and I studied the “Computer Introduction” and “Operating Systems” subjects. I learnt about registers and how computers use them. I learnt about assembly language. I learnt about Little-Endian and Big-Endian. When I was studying these subjects, I just wanted to pass my exams. However, I now realise this knowledge is useful to discover vulnerabilities. It’s also useful to understand attacks such as Buffer Overflow attacks. This knowledge, which I learnt 14 years ago, is still useful and it’s the basis of new vulnerabilities and attacks.

If we want to understand how Buffer Overflow attacks work, firstly, we have to understand how memory is segmented and organised; secondly, why registers are used and what they are used for; lastly, how attackers take advantage of Buffer Overflow vulnerabilities to take control of computers. If we have this knowledge, we will be ready to discover this kind of vulnerability and we will also be ready to develop exploits. However, this is not easy because there are different CPU architectures to take into account and there are more and more security protections such as ASLR or DEP.


The memory model for an x86 processor is segmented and organised from the higher addresses to the lower addresses, where the stack is at the top of memory and the program code is at the bottom of memory. On the x86 32-bit architecture there are 8 general purpose registers that are used to store data and addresses that point to other positions in memory. The most important registers for Buffer Overflow attacks are ESP, EBP and EIP. The first one, ESP, tells us where on the stack we are; thus, the ESP register always marks the top of the stack. The second one, EBP, points to the base address of the current stack frame. Finally, the EIP register contains the address of the next instruction to execute in the program; thus, it always points into the “Program Code” memory segment.


When we are developing applications, we can use functions like strcpy, gets, scanf, and others. If we call these functions without previously limiting the input to the size of the buffer, we allow the program to write outside the buffer. For instance, if the parameter value is longer than the memory buffer, the saved return address that will be loaded into the EIP register can be overwritten by the parameter value. Obviously, the program will crash and stop, because the CPU doesn’t know where the next instruction of the program is.
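The unbounded copy described above, beside its bounded form, as an added example (this is not code from the original post or from the vulnerable server it describes; the buffer size of 64 bytes and the function names are assumptions):

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 64   /* fixed-size stack buffer; size chosen for this example */

/* Vulnerable pattern from the text: strcpy copies until the NUL terminator and
 * never looks at the size of the destination. An input longer than BUF_SIZE
 * keeps writing past buf, over the saved EBP and the saved return address
 * (the value loaded into EIP on return), which is the crash described above.
 * Defined only to show the pattern; never called with oversized input here. */
void handle_unbounded(const char *input) {
    char buf[BUF_SIZE];
    strcpy(buf, input);            /* no bound on the destination */
    printf("copied %zu bytes\n", strlen(buf));
}

/* Hardened form: validate the length against the buffer before copying.
 * Returns 0 when the input fits and was copied, -1 when it was rejected. */
int handle_bounded(const char *input) {
    char buf[BUF_SIZE];
    size_t len = strlen(input);
    if (len >= BUF_SIZE) {         /* leave one byte for the terminating NUL */
        return -1;
    }
    memcpy(buf, input, len + 1);   /* length already validated, NUL included */
    printf("copied %zu bytes\n", strlen(buf));
    return 0;
}

/* Builds a constructed input of n 'A' characters (at most cap - 1 of them)
 * into dst and returns the number of characters written. */
size_t fill_with_a(char *dst, size_t cap, size_t n) {
    if (n >= cap) n = cap - 1;
    memset(dst, 'A', n);
    dst[n] = '\0';
    return n;
}

/* Feeds the 3000 'A's used in the post to the bounded handler. */
int bounded_rejects_3000_a(void) {
    char big[3001];
    fill_with_a(big, sizeof big, 3000);
    return handle_bounded(big);
}

int main(void) {
    printf("3000 'A's -> %d\n", bounded_rejects_3000_a()); /* -1: rejected */
    printf("\"hello\"  -> %d\n", handle_bounded("hello"));    /* 0: accepted */
    return 0;
}
```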


What does an attacker do to exploit a Buffer Overflow vulnerability? Actually, the attacker writes the address of malicious code into the EIP position. In other words, the attacker overflows the buffer to write, into the position that will be loaded into EIP, an address which points to the exploit code.

 
However, a Buffer Overflow attack is not so simple. There are some problems. First, we don’t really know at which offset of the input the value loaded into the EIP register is located. Second, we have to capture the ESP value when the buffer overflow exception occurs. Third, there are some byte values that cause a problem if the input or the address of ESP contains one of these bad characters. Of course, these problems can be resolved. The first one can be resolved by sending a unique pattern of characters to find the offset position in the original string. The second one can be resolved using any disassembler/debugger. The last problem can be resolved by sending all the characters (from 0x00 to 0xFF) and monitoring manually with a disassembler/debugger: when a bad character is sent, the string received is truncated just before it, revealing one of the bad characters.

Regards my friends. Maybe this is a very technical post. I’ve skipped many things. I’ll try making a video.

3 September 2018

I’ve been reading ...



I got back from holiday. This is my first post of this new season. I want to start by writing about reading books. Six years ago, I opened this blog, where I write weekly, and I think writing is important to organise ideas and improve writing skills. However, today I want to write about reading books. I think it’s the best way to learn new techniques, concepts and ideas. It’s the best way to get knowledge from others. Therefore, I’m going to tell you what books I’ve been reading this summer. I’m sorry, none of them are tech books.

At the beginning of the summer, I read “Aprendiendo de los mejores” by Francisco Alcaide. It’s a book where Francisco has collected sentences and comments from important people such as Steve Jobs, Bill Gates or Amancio Ortega, among others. We can read about their lifestyles and their thoughts to discover that patience, persistence and discipline have been the qualities that made them successful. I think this is an excellent book for getting motivation, because you can easily realise that success is built step by step and that happiness is a feeling that should accompany the whole process.


I’ve also read “Thinking, Fast and Slow” by Daniel Kahneman this summer. This is a book to understand how the mind works. He explains that human beings have two types of mind. One mind is fast, intuitive and emotional. It is called System 1. This system helps us to make decisions faster, based on intuition, which sometimes could be helpful and beneficial, but it could also be harmful because there are some things which should be thought through slowly. We use System 1 while we are walking, driving the car or even speaking. System 1 is used for routine activities. On the other hand, we also have a mind which is slower, more deliberative and more logical. It is called System 2. This system helps us to make logical decisions based on arguments, which is often useful to make the right decision. However, this system is slower because it requires a lot of mental effort, and human beings by nature don’t like to make efforts; thus we prefer to use System 1 instead of System 2 most of the time. I’m using System 2 right now to write in English, and it’s also used for maths calculations or learning new skills.


The last book, which I hope to finish this week, is “Factfulness” by Hans Rosling. This is a book where we can see the progress of the world. We can see that most countries are getting better. Most people around the world live better than before. Hans Rosling shows lots of data sets from the United Nations (UN) where we can see that, although there are still countries living in poverty, most countries are making progress in health, democracy and human rights.


These are the books I’ve been reading this summer. I recommend these books to you. The first one to get motivated. The second one to understand how the mind works when we make decisions. The last one to know that things are better than we think.

I really love reading. Quietly. Reading in my room. Nobody disturbs me. I think it’s the best way to get knowledge from others. I hope to keep reading for a long time.

Regards my friends. I hope these books are interesting for you. Keep reading.