SlideShare a Scribd company logo

Lab-2 Buffer Overflow In this lab, you will gain insight

Download as DOCX, PDF
S
simisterchristen

This document describes a lab focused on exploiting buffer overflow vulnerabilities in a network service running on Windows 7. Participants will learn to exploit these vulnerabilities using Python scripts to crash a vulnerable program and obtain a remote shell. The lab emphasizes the importance of secure coding practices, especially in lower-level programming languages, to prevent such security vulnerabilities.

Education
1 of 13
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
Lab-2: Buffer Overflow In this lab, you will gain insights into the buffer overflow vulnerability. You will analyze a vulnerable program by using a debugger to exploit the vulnerability. Buffer overflow vulnerability is the root cause of the many vulnerabilities in software products; in this regard, it is a significant security problem today. There are many different types of buffer overflow. They have been categorized under 9 CWEs in https://cwe.mitre.org/data/definitions/1218.html. Poor coding practices cause buffer overflow vulnerability. It is the fact that strongly typed programming languages, such as Java, C++, have automatic bound checks and memory management. The real problem comes with low-level programming languages. For instance, C and Python are such programming languages. They are not strongly typed languages; however, they are used for their advantages, flexibility, no performance issues, coders are free to code. Programmers should always check the inputs in their programs and use functions that do bounds checking if they are using low-level programming languages. The topology of the Lab-2 is quite simple. You will be using both computers. It is recommended to undock both virtual machines to prevent going back and forth between the computers. Windows 7 Target has an executable program named vulnserver. It is written in C. This network program listens on port 9999 once executed, meaning that Windows 7 Target will start listening on TCP 9999. There are three Python codes on Kali Linux. All of the codes
create a TCP 9999 connection on Windows 7 Target. The first code sends some bytes to the vulnserver service (nocrash.py). The second code crashes the vulnserver by overflowing the buffer of the service (crash.py). This code is also named proof of concept. The third code gets a remote shell from the Windows 7 Target by exploiting the buffer overflow vulnerability (remote_shell.py). The exploitation code (remote_shell.py) is developed by debugging the vulnserver program and by changing the proof of concept code as needed. Section-1: Explore the Vulnerable Network Service In this section, you will explore the remote service you will start on Windows 7 Target computer. 1. Log in to the Netlab environment. 2. Open Windows 7 Target from the list of computers on the top menu bar. Click on Windows 7 Target on the top menu bar, and click undock. 3. At Windows 7 Target, open a command window by clicking the cmd icon on the taskbar. 4. Type this command in the command window and hit enter: netstat -a -n -p TCP This command shows the list of open TCP ports on Windows 7 Target computer. The first option (a) shows all established connections and listening ports. The second option (n) makes netstat display IP addresses and port numbers instead of hostnames and service names; people usually use this for faster command results. The third option shows only open TCP ports. Have a look at the list of the open ports on the list.
5. In the command window, type cd Desktop to change the directory to the Desktop folder. 6. Type cd Vulnerable_Service to change the directory to the Vulnerable_Service folder. After typing cd, pressing space, and “v” character, you can press Tab on your keyboard to auto-type the directory name. 7. Type dir inside the Vulnerable_Service folder and to see the list of files. You should see an executable file named vulnserver.exe. You will not use the other files in the folder. vulnserver.exe is a tiny program developed in C for educational purposes. It has buffer overflow vulnerability, which is placed knowingly by security researchers. When you run vulnserver.exe, it will open TCP 9999 port the server. 8. Type vulnserver and hit enter in the command window. Once you run this program, you will see a short security warning and a prompt “Waiting for client connections …” 9. Open another command window in Windows 7 Target machine. 10. Type netstat -a -n -p TCP once again. Can you see the difference compared to the previous netstat
command? 11. Type netstat -a -n -p TCP -b now. “b” switch shows the executable name involved in opening the port. Confirm that you saw the vulnserver.exe 12. Now it is time to legitimately use the vulnserver service provided by Windows 7 Target computer. 13. Select Kali Linux from the list of computers in the Netlab environment. Click on Kali Linux on the top menu bar, and click undock. Place the undocked Windows 7 Target window next to the Kali Linux window. 14. Type the password “toor” for the root user. 15. Open a terminal window by clicking the terminal icon on the menu bar at the bottom. 16. Type nc 192.168.2.13 9999 in the terminal window. You should see this message “Welcome to Vulnerable Server! Enter HELP for help.” in the Kali Linux terminal window. Note: If you don’t see this message, try these: wait for 10 seconds. If you don’t see the message above, hit Enter several times. If it still does not help, press CTRL-C to exit and retype nc 192.168.2.13 9999 You should also see this message “Received a client connection from 192.168.2.10:XXXXX” in the Windows 7 cmd window where you run vulnserver.exe nc is the abbreviation of netcat. Netcat is a versatile utility used for various purposes, including connecting to a remote service as with our case or opening a port on the local system. Netcat is more than connecting to the remote services and opening ports
on the local systems. You can refer to the Linux man page or Internet forums for a more comprehensive feature set. In this step, you opened a TCP connection to the 9999 port of the Windows 7 Target machine. 17. In Kali Linux, type HELP in the vulnserver service prompt and press enter. vulnserver service is case-sensitive and accepts command with capital letters only; therefore, "help" will not work. You should type "HELP" by pressing the Shift button, not the CAPS lock. You will see a list of commands that the vulnserver accepts. Among these commands, the TRUN command is used to get a string from the user. 18. In the vulnserver service prompt, type TRUN some_text and hit enter. You will see TRUN COMPLETE message. 19. Type EXIT in the vulnserver service prompt to return to the terminal window of Kali Linux. 20. Type cd fuzzer in the terminal windows to change directory to the fuzzer folder. (After this command, you will be in /root/fuzzer/ folder) 21. There is a file named nocrash.py in this folder—type python nocrash.py in the terminal window. nocrash.py opens a connection to TCP 9999 port at 192.168.2.13 , which is the service created by vulnserver, sends a certain amount of string to the vulnserver service and closes the connection. This small piece of code does not cause the vulnserver application crash.
Take a screen capture of the Kali Linux terminal window where you run the nocrash.py file. In the next section, you will run another Python script to crash the vulnserver service remotely.Section-2: Crash the Network Service by Exploiting the Buffer Overflow Vulnerability Think about this scenario: A company is using a network service (vulnserver.exe) for the contractors. Contractors remotely connect to this service and provide some data to the company. You saw how this is done in the Section-1. A cyber attacker discovers a buffer overflow vulnerability and remotely exploit this vulnerability, and crashes the service. Now, it is time to realize this scenario. 1. If you created a new reservation before Section-2, then select Kali Linux and undock it. Type in “toor” as the password of the root. Open a terminal window. Type cd fuzzer to change the folder to the fuzzer. Place the undocked Windows 7 Target window next to the undocked Kali Linux window. If you didn’t create a new reservation, skip this step and continue with the next step. 2. In the Kali Linux terminal window, type python crash.py and hit Enter. After this command, notice the crash message shown in Windows 7 Target computer. 3. In Windows 7 Target computer, click the “View problem details” at the message box. Check the Fault Module Name is StackHash_xxxx, which indicates that the crash is associated with the Stack (Stack is a kind of buffer) Take a screen capture of the Windows 7 Target desktop showing the crash message window.
4. In Windows 7 Target computer, click “Close the program”. The program will be terminated. You will observe this in the cmd window where vulnserver.exe was running. The program will stop working, and the windows command prompt will appear. Type netstat -a -n -p TCP and ensure that TCP port 9999 is not open anymore. 5. Switch to Kali Linux, review both nocrash.py and crash.py codes by using nano editor. In the terminal window, type nano filename to open the desired file. To exit from the nano editor, press CTRL-X. Please explain what crash.py does by using the template below. host = "192.168.2.13" #explanation: port = 9999 #explanation: junk = "A"*5000 #explanation: buffer = "TRUN ." + junk #explanation: s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) #explanation: s.connect((host,port)) #explanation: print(s.recv(1024)) #explanation: s.send(buffer) #explanation: s.close() #explanation:
Why crash.py causes a crash in the vulnserver network service? Which line of the code overflows the buffer?Section-3: Get a Remote Shell from the Server by Exploiting the Buffer Overflow Vulnerability of the Network Service 1. If you created a new reservation before Section-3, then select Kali Linux and undock it. Type in “toor” as the password of the root. Open a terminal window. Type cd fuzzer to change the folder to the fuzzer. Select Windows 7 Target and undock it. Place the undocked Windows 7 Target window next to the undocked Kali Linux window. Open a cmd window in Windows 7 Target, type cd Desktop, and cd Vulnerable_Service to change the directory to the Vulnerable_Service folder. If you didn’t create a new reservation, skip this step and continue with the next step. 2. In Windows 7 Target machine, type vulnserver in the cmd prompt to run the service once again. (The service was crashed in Section-2) 3. In Kali Linux, open a new terminal window by right-clicking on the terminal window on the taskbar and clicking "Open a New Tab". 4. In the new tab, type nc -lvp 443 and press enter to create a listener. You will see the "listening on [any] 443 …" message on the screen. In this case, you are using netcat utility in listen mode. “l” switch indicates that nc will be in listening mode. "v" switch means verbose; netcat shows detailed message related to the
connection status. "p" switch indicates which local port number will be used in listen mode. The above command opens the port 443 on Kali Linux, and Kali Linux starts to listen on this port. 5. Switch to the previous tab where you are in the fuzzer folder. 6. Type python remote_shell.py and press enter. This python code has a long payload contrary to the other python codes you run in Section-1 and Section-2. Python code connects to TCP 9999 port on Windows 7 Target machine like the other codes; however, it exploits the buffer overflow vulnerability to gain a remote shell from Windows 7 Target computer. 7. Switch to netcat terminal windows in Kali Linux to see the remote shell. 8. Type whoami and press enter. You should be able to see win7-targetms user, who is currently logged on user on Windows 7 Target. Take a screen capture of the Kali Linux terminal window where you can see the remote shell and the name of the currently logged on user in it. Review the remote_shell.py by typing nano remote_shell.py in Kali Linux (within the fuzzer folder). Alternatively, you can also open the remote_shell.py file on the desktop of the Windows 7 Target. There are two differences between
crash.py and remote_shell.py: The first difference is the buf variable; this is a new variable that did not exist in crash.py. The second difference is the updated junk variable. Let’s start with the buf variable: The buf variable contains a specially crafted, 351-byte long payload. This payload contains: 1) A reverse TCP shell 2) The IP address of the Kali Linux 3) The port number (443) to connect to the Kali Linux All this information is encoded, and you should have seen the encoded string once you opened the remote_shell.py. After python code runs on Kali Linux, it opens a connection to Windows 7 Target; the same code sends this payload to the vulnserver service over this connection. Buffer overflow vulnerability causes vulnserver to accept all of the inputs from the code and let the operating system (Windows 7 Target) run the code in the payload. As shown above, the code in payload runs a TCP shellcode, and this shellcode connects to 443 port on Kali Linux. Let’s talk about the updated junk variable. junk = "A"*2006 + "xAFx11x50x62" + "x90"*16 + buf +
"C"*(5000-2006-4-16-351) In the crash.py (this is also called proof of concept code), code was sending the “A” character 5000 times (5000 bytes). In remote_shell.py, the code is sending a specially crafted package that causes gaining a remote shell. There are five sections of the crafted junk variable. The following list of data should be sent in the specified order: 1) "A"*2006 >>> 2006 times A character: 2006 is not a random number. This is the crash point. The vulnserver crashes if it gets an input -via TRUN parameter- that is more than or equal to 2006 characters. This has been determined after examining the behavior of the vulnserver by using a debugger. 2) xAFx11x50x62: Identifying the crash point is very important. Because the operating system has the EIP register right after this crash point, EIP stands for Extended Instruction Pointer. This register contains the address of the next instruction to be executed. Your goal is to write the address of the instruction that will run the payload (shellcode). xAFx11x50x62 is the address of the instruction that will run the payload in our case. More specifically, this address has a special instruction; “jmp esp". This instruction is critical in exploiting the buffer overflow vulnerability to get a shell because jmp esp points to the address where the payload is stored in the memory. To summarize, at the crash point, the EIP register is given xAFx11x50x62; so that the instruction jmp esp will run next to execute shellcode. 3) "x90"*16 >>> 16 times x90: x90 means no operation (NOP). You place a sequence of 16 no operation instructions here. You can also change the numbers to 20 instead of 16, which will not change the python code's behavior. This is done to ensure that jump esp finds the whole payload (nothing is missing with
payload). Because we don’t know for certain at which address the payload will start in the buffer due to random changes in the memory. The NOP is a way to deal with this uncertainty. jmp esp will jump to the beginning part of NOP instructions; it will do nothing 16 times and find the payload and run it. If you don't place x90"*16, jmp esp will go to a place where some parts of payload might be missing. 4) buf: This is the payload; already talked about this. 5) "C"*(5000-2006-4-16-351) >>> 2623 times C character: Specially crafted package for the remote shell has been created starting with the crash script in which 5000 times A characters had been sent; therefore, we add 2623 times C character to send a total number 5000 characters to the remote service. It does not matter whether C, A, or any other character; the critical point is that it should end up with 5000 characters. You found 2623 by subtracting the number of bytes of the previous sections from 5000. Remember that 2006 bytes to reach out to the crash point, 4 bytes for the next instruction address, 16 bytes for NOP, 351 bytes for the payload size. Weekly Learning and Reflection In two to three paragraphs (i.e., sentences, not bullet lists) using APA style citations if needed, summarize, and interact with the content covered in this lab. Summarize what you did as an attacker, what kind of vulnerabilities did you exploit, what might have prevented these attacks. List the attackers and all of the targets in your summary. You can provide topologies, sketches, graphics if you want. In particular, highlight what surprised, enlightened, or otherwise engaged you. You should think and write critically, not just about what was presented but also what you have learned through the session. You can ask questions for the things you're confused about. Questions asked here will be summarized and answered anonymously in the next class.
image1.png

More Related Content

PDF
Vulnserver bufferoverflow
Eric alleshouse
 
PDF
Buffer Overflow - English.pdf
Okan YILDIZ
 
PPT
Linux Operating System Vulnerabilities
Information Technology
 
PPT
Linux Vulnerabilities
SecurityTube.Net
 
PPTX
Linux binary analysis and exploitation
Dharmalingam Ganesan
 
PPTX
Ethical hacking Chapter 9 - Linux Vulnerabilities - Eric Vanderburg
Eric Vanderburg
 
PPTX
Anatomy of a Buffer Overflow Attack
Rob Gillen
 
PPTX
ETCSS: Into the Mind of a Hacker
Rob Gillen
 
Vulnserver bufferoverflow
Eric alleshouse
 
Buffer Overflow - English.pdf
Okan YILDIZ
 
Linux Operating System Vulnerabilities
Information Technology
 
Linux Vulnerabilities
SecurityTube.Net
 
Linux binary analysis and exploitation
Dharmalingam Ganesan
 
Ethical hacking Chapter 9 - Linux Vulnerabilities - Eric Vanderburg
Eric Vanderburg
 
Anatomy of a Buffer Overflow Attack
Rob Gillen
 
ETCSS: Into the Mind of a Hacker
Rob Gillen
 

Similar to Lab-2 Buffer Overflow In this lab, you will gain insight (20)

PDF
Remote file path traversal attacks for fun and profit
Dharmalingam Ganesan
 
PDF
Unix executable buffer overflow
Ammarit Thongthua ,CISSP CISM GXPN CSSLP CCNP
 
PDF
What is Remote Buffer Overflow Attack.pdf
uzair
 
PDF
BRISK_Network_Pentest_
BriskInfosec Solutions
 
PDF
OSCP Preparation Guide @ Infosectrain
InfosecTrain
 
PPTX
BSides Ottawa 2019 - HTB Blue
DianaWhitney4
 
PPTX
Metasploit for Web Workshop
Dennis Maldonado
 
PPTX
Buffer overflow attacks
Kapil Nagrale
 
PPTX
Client side exploits
nickyt8
 
PDF
Figure 3 TCP Session Hijacking Attack victims to execute the mali.pdf
orderfabfirki
 
PPT
Finding Diversity In Remote Code Injection Exploits
amiable_indian
 
PDF
Slmail Buffer Overflow
Eric alleshouse
 
PPTX
Lifnaaaaaa e
henelpj
 
DOCX
Lab-10 Malware Creation and Denial of Service (DoS) In t.docx
pauline234567
 
PDF
Privileges Escalation by Exploiting Client-Side Vulnerabilities Using Metasploit
Vishal Kumar
 
DOCX
Backtrack Manual Part7
Nutan Kumar Panda
 
PDF
Filip palian mateuszkocielski. simplest ownage human observed… routers
Yury Chemerkin
 
PDF
Simplest-Ownage-Human-Observed… - Routers
Logicaltrust pl
 
PDF
Metasploitable
Sri Manakula Vinayagar Engineering College
 
PPTX
Intimacy with MSF - Metasploit Framework
Animesh Roy
 
Remote file path traversal attacks for fun and profit
Dharmalingam Ganesan
 
Unix executable buffer overflow
Ammarit Thongthua ,CISSP CISM GXPN CSSLP CCNP
 
What is Remote Buffer Overflow Attack.pdf
uzair
 
BRISK_Network_Pentest_
BriskInfosec Solutions
 
OSCP Preparation Guide @ Infosectrain
InfosecTrain
 
BSides Ottawa 2019 - HTB Blue
DianaWhitney4
 
Metasploit for Web Workshop
Dennis Maldonado
 
Buffer overflow attacks
Kapil Nagrale
 
Client side exploits
nickyt8
 
Figure 3 TCP Session Hijacking Attack victims to execute the mali.pdf
orderfabfirki
 
Finding Diversity In Remote Code Injection Exploits
amiable_indian
 
Slmail Buffer Overflow
Eric alleshouse
 
Lifnaaaaaa e
henelpj
 
Lab-10 Malware Creation and Denial of Service (DoS) In t.docx
pauline234567
 
Privileges Escalation by Exploiting Client-Side Vulnerabilities Using Metasploit
Vishal Kumar
 
Backtrack Manual Part7
Nutan Kumar Panda
 
Filip palian mateuszkocielski. simplest ownage human observed… routers
Yury Chemerkin
 
Simplest-Ownage-Human-Observed… - Routers
Logicaltrust pl
 
Metasploitable
Sri Manakula Vinayagar Engineering College
 
Intimacy with MSF - Metasploit Framework
Animesh Roy
 
Ad

More from simisterchristen (20)

DOCX
Reflection essay should be at least 350-400 words.Student resp.docx
simisterchristen
 
DOCX
Reflection is no less than one page, but no more than two pages. (2..docx
simisterchristen
 
DOCX
Reflecting on Personal Identity and Global CitizenshipReview the .docx
simisterchristen
 
DOCX
Reflecting on Personal Identity and Global CitizenshipReview the.docx
simisterchristen
 
DOCX
Reflecting on the movie we watched in class, 12 Angry Men, please ad.docx
simisterchristen
 
DOCX
Reflect on your understanding of the relationship between thinking a.docx
simisterchristen
 
DOCX
Reflect on your experiences during research processes and MLA style.docx
simisterchristen
 
DOCX
Reflect on what you learned in regards to mission statements.1) Di.docx
simisterchristen
 
DOCX
Reflect on the following for your 1-page journal reflection. As a ma.docx
simisterchristen
 
DOCX
Reflect on what you have learned in this course.What future concer.docx
simisterchristen
 
DOCX
Reflect on this semester as it is coming to an end.  Please summariz.docx
simisterchristen
 
DOCX
Reflect on the University Personal Development. What impediments.docx
simisterchristen
 
DOCX
Reflect on an experience when you interacted with someone from anoth.docx
simisterchristen
 
DOCX
ReferencesAssignment Submit a reference list showing your r.docx
simisterchristen
 
DOCX
Referenced from American Literature Since the Civil War. Create.docx
simisterchristen
 
DOCX
Refer to the project from your local community or state that you des.docx
simisterchristen
 
DOCX
Recruitment Methods  Please respond to the followingDevelop a b.docx
simisterchristen
 
DOCX
Recommended Pages 5Style MLACitations Have a works cited page.docx
simisterchristen
 
DOCX
Reducing Communication BarriersIdentify what techniques you can im.docx
simisterchristen
 
DOCX
Red-green color blindness in humans is an example of __________..docx
simisterchristen
 
Reflection essay should be at least 350-400 words.Student resp.docx
simisterchristen
 
Reflection is no less than one page, but no more than two pages. (2..docx
simisterchristen
 
Reflecting on Personal Identity and Global CitizenshipReview the .docx
simisterchristen
 
Reflecting on Personal Identity and Global CitizenshipReview the.docx
simisterchristen
 
Reflecting on the movie we watched in class, 12 Angry Men, please ad.docx
simisterchristen
 
Reflect on your understanding of the relationship between thinking a.docx
simisterchristen
 
Reflect on your experiences during research processes and MLA style.docx
simisterchristen
 
Reflect on what you learned in regards to mission statements.1) Di.docx
simisterchristen
 
Reflect on the following for your 1-page journal reflection. As a ma.docx
simisterchristen
 
Reflect on what you have learned in this course.What future concer.docx
simisterchristen
 
Reflect on this semester as it is coming to an end.  Please summariz.docx
simisterchristen
 
Reflect on the University Personal Development. What impediments.docx
simisterchristen
 
Reflect on an experience when you interacted with someone from anoth.docx
simisterchristen
 
ReferencesAssignment Submit a reference list showing your r.docx
simisterchristen
 
Referenced from American Literature Since the Civil War. Create.docx
simisterchristen
 
Refer to the project from your local community or state that you des.docx
simisterchristen
 
Recruitment Methods  Please respond to the followingDevelop a b.docx
simisterchristen
 
Recommended Pages 5Style MLACitations Have a works cited page.docx
simisterchristen
 
Reducing Communication BarriersIdentify what techniques you can im.docx
simisterchristen
 
Red-green color blindness in humans is an example of __________..docx
simisterchristen
 
Ad

Recently uploaded (20)

PDF
102 student loan defaulters named and shamed – Is someone you know on the list?
Kweku Zurek
 
PPTX
IMMUNITY IMMUNITY refers to protection against infection, and the immune syst...
shilpa939953
 
PPTX
202450812 BayCHI UCSC-SV 20250812 v17.pptx
home
 
PDF
Classroom Observation Tools for Teachers
Nicaramirez
 
PDF
Chapter 2 Heredity, Prenatal Development, and Birth.pdf
MarjorieLopezTiu
 
PDF
ANTIBIOTICS.pptx.pdf………………… xxxxxxxxxxxxx
HakHe
 
PPTX
1st Inaugural Professorial Lecture held on 19th February 2020 (Governance and...
kawisojames10
 
PDF
2.FourierTransform-ShortQuestionswithAnswers.pdf
Raji Murugan
 
PPTX
Cell Types and Its function , kingdom of life
ClaireMangundayao1
 
PDF
The Lost Whites of Pakistan by Jahanzaib Mughal.pdf
jahanzaibmughal6
 
PDF
Abdominal Access Techniques with Prof. Dr. R K Mishra
mohitsuren827
 
PDF
Module 4: Burden of Disease Tutorial Slides S2 2025
Jonathan Hallett
 
PDF
Microbial disease of the cardiovascular and lymphatic systems
KeyaSharma
 
PPTX
school management -TNTEU- B.Ed., Semester II Unit 1.pptx
NihumathunnisaH
 
PDF
Computing-Curriculum for Schools in Ghana
abigailanane203
 
PPTX
PPT- ENG7_QUARTER1_LESSON1_WEEK1. IMAGERY -DESCRIPTIONS pptx.pptx
KMDee
 
PDF
grade 11-chemistry_fetena_net_5883.pdf teacher guide for all student
banteamlakmebratu738
 
PPTX
Final Presentation General Medicine 03-08-2024.pptx
ZaheerAhmad228692
 
PPTX
Lesson notes of climatology university.
sgladness67
 
PPTX
Presentation on HIE in infants and its manifestations
joghikamal786
 
102 student loan defaulters named and shamed – Is someone you know on the list?
Kweku Zurek
 
IMMUNITY IMMUNITY refers to protection against infection, and the immune syst...
shilpa939953
 
202450812 BayCHI UCSC-SV 20250812 v17.pptx
home
 
Classroom Observation Tools for Teachers
Nicaramirez
 
Chapter 2 Heredity, Prenatal Development, and Birth.pdf
MarjorieLopezTiu
 
ANTIBIOTICS.pptx.pdf………………… xxxxxxxxxxxxx
HakHe
 
1st Inaugural Professorial Lecture held on 19th February 2020 (Governance and...
kawisojames10
 
2.FourierTransform-ShortQuestionswithAnswers.pdf
Raji Murugan
 
Cell Types and Its function , kingdom of life
ClaireMangundayao1
 
The Lost Whites of Pakistan by Jahanzaib Mughal.pdf
jahanzaibmughal6
 
Abdominal Access Techniques with Prof. Dr. R K Mishra
mohitsuren827
 
Module 4: Burden of Disease Tutorial Slides S2 2025
Jonathan Hallett
 
Microbial disease of the cardiovascular and lymphatic systems
KeyaSharma
 
school management -TNTEU- B.Ed., Semester II Unit 1.pptx
NihumathunnisaH
 
Computing-Curriculum for Schools in Ghana
abigailanane203
 
PPT- ENG7_QUARTER1_LESSON1_WEEK1. IMAGERY -DESCRIPTIONS pptx.pptx
KMDee
 
grade 11-chemistry_fetena_net_5883.pdf teacher guide for all student
banteamlakmebratu738
 
Final Presentation General Medicine 03-08-2024.pptx
ZaheerAhmad228692
 
Lesson notes of climatology university.
sgladness67
 
Presentation on HIE in infants and its manifestations
joghikamal786
 

Lab-2 Buffer Overflow In this lab, you will gain insight

  • 1. Lab-2: Buffer Overflow In this lab, you will gain insights into the buffer overflow vulnerability. You will analyze a vulnerable program by using a debugger to exploit the vulnerability. Buffer overflow vulnerability is the root cause of the many vulnerabilities in software products; in this regard, it is a significant security problem today. There are many different types of buffer overflow. They have been categorized under 9 CWEs in https://cwe.mitre.org/data/definitions/1218.html. Poor coding practices cause buffer overflow vulnerability. It is the fact that strongly typed programming languages, such as Java, C++, have automatic bound checks and memory management. The real problem comes with low-level programming languages. For instance, C and Python are such programming languages. They are not strongly typed languages; however, they are used for their advantages, flexibility, no performance issues, coders are free to code. Programmers should always check the inputs in their programs and use functions that do bounds checking if they are using low-level programming languages. The topology of the Lab-2 is quite simple. You will be using both computers. It is recommended to undock both virtual machines to prevent going back and forth between the computers. Windows 7 Target has an executable program named vulnserver. It is written in C. This network program listens on port 9999 once executed, meaning that Windows 7 Target will start listening on TCP 9999. There are three Python codes on Kali Linux. All of the codes
  • 2. create a TCP 9999 connection on Windows 7 Target. The first code sends some bytes to the vulnserver service (nocrash.py). The second code crashes the vulnserver by overflowing the buffer of the service (crash.py). This code is also named proof of concept. The third code gets a remote shell from the Windows 7 Target by exploiting the buffer overflow vulnerability (remote_shell.py). The exploitation code (remote_shell.py) is developed by debugging the vulnserver program and by changing the proof of concept code as needed. Section-1: Explore the Vulnerable Network Service In this section, you will explore the remote service you will start on Windows 7 Target computer. 1. Log in to the Netlab environment. 2. Open Windows 7 Target from the list of computers on the top menu bar. Click on Windows 7 Target on the top menu bar, and click undock. 3. At Windows 7 Target, open a command window by clicking the cmd icon on the taskbar. 4. Type this command in the command window and hit enter: netstat -a -n -p TCP This command shows the list of open TCP ports on Windows 7 Target computer. The first option (a) shows all established connections and listening ports. The second option (n) makes netstat display IP addresses and port numbers instead of hostnames and service names; people usually use this for faster command results. The third option shows only open TCP ports. Have a look at the list of the open ports on the list.
  • 3. 5. In the command window, type cd Desktop to change the directory to the Desktop folder. 6. Type cd Vulnerable_Service to change the directory to the Vulnerable_Service folder. After typing cd, pressing space, and “v” character, you can press Tab on your keyboard to auto-type the directory name. 7. Type dir inside the Vulnerable_Service folder and to see the list of files. You should see an executable file named vulnserver.exe. You will not use the other files in the folder. vulnserver.exe is a tiny program developed in C for educational purposes. It has buffer overflow vulnerability, which is placed knowingly by security researchers. When you run vulnserver.exe, it will open TCP 9999 port the server. 8. Type vulnserver and hit enter in the command window. Once you run this program, you will see a short security warning and a prompt “Waiting for client connections …” 9. Open another command window in Windows 7 Target machine. 10. Type netstat -a -n -p TCP once again. Can you see the difference compared to the previous netstat
  • 4. command? 11. Type netstat -a -n -p TCP -b now. “b” switch shows the executable name involved in opening the port. Confirm that you saw the vulnserver.exe 12. Now it is time to legitimately use the vulnserver service provided by Windows 7 Target computer. 13. Select Kali Linux from the list of computers in the Netlab environment. Click on Kali Linux on the top menu bar, and click undock. Place the undocked Windows 7 Target window next to the Kali Linux window. 14. Type the password “toor” for the root user. 15. Open a terminal window by clicking the terminal icon on the menu bar at the bottom. 16. Type nc 192.168.2.13 9999 in the terminal window. You should see this message “Welcome to Vulnerable Server! Enter HELP for help.” in the Kali Linux terminal window. Note: If you don’t see this message, try these: wait for 10 seconds. If you don’t see the message above, hit Enter several times. If it still does not help, press CTRL-C to exit and retype nc 192.168.2.13 9999 You should also see this message “Received a client connection from 192.168.2.10:XXXXX” in the Windows 7 cmd window where you run vulnserver.exe nc is the abbreviation of netcat. Netcat is a versatile utility used for various purposes, including connecting to a remote service as with our case or opening a port on the local system. Netcat is more than connecting to the remote services and opening ports
  • 5. on the local systems. You can refer to the Linux man page or Internet forums for a more comprehensive feature set. In this step, you opened a TCP connection to the 9999 port of the Windows 7 Target machine. 17. In Kali Linux, type HELP in the vulnserver service prompt and press enter. vulnserver service is case-sensitive and accepts command with capital letters only; therefore, "help" will not work. You should type "HELP" by pressing the Shift button, not the CAPS lock. You will see a list of commands that the vulnserver accepts. Among these commands, the TRUN command is used to get a string from the user. 18. In the vulnserver service prompt, type TRUN some_text and hit enter. You will see TRUN COMPLETE message. 19. Type EXIT in the vulnserver service prompt to return to the terminal window of Kali Linux. 20. Type cd fuzzer in the terminal windows to change directory to the fuzzer folder. (After this command, you will be in /root/fuzzer/ folder) 21. There is a file named nocrash.py in this folder—type python nocrash.py in the terminal window. nocrash.py opens a connection to TCP 9999 port at 192.168.2.13 , which is the service created by vulnserver, sends a certain amount of string to the vulnserver service and closes the connection. This small piece of code does not cause the vulnserver application crash.
  • 6. Take a screen capture of the Kali Linux terminal window where you run the nocrash.py file. In the next section, you will run another Python script to crash the vulnserver service remotely.Section-2: Crash the Network Service by Exploiting the Buffer Overflow Vulnerability Think about this scenario: A company is using a network service (vulnserver.exe) for the contractors. Contractors remotely connect to this service and provide some data to the company. You saw how this is done in the Section-1. A cyber attacker discovers a buffer overflow vulnerability and remotely exploit this vulnerability, and crashes the service. Now, it is time to realize this scenario. 1. If you created a new reservation before Section-2, then select Kali Linux and undock it. Type in “toor” as the password of the root. Open a terminal window. Type cd fuzzer to change the folder to the fuzzer. Place the undocked Windows 7 Target window next to the undocked Kali Linux window. If you didn’t create a new reservation, skip this step and continue with the next step. 2. In the Kali Linux terminal window, type python crash.py and hit Enter. After this command, notice the crash message shown in Windows 7 Target computer. 3. In Windows 7 Target computer, click the “View problem details” at the message box. Check the Fault Module Name is StackHash_xxxx, which indicates that the crash is associated with the Stack (Stack is a kind of buffer) Take a screen capture of the Windows 7 Target desktop showing the crash message window.
  • 7. 4. In Windows 7 Target computer, click “Close the program”. The program will be terminated. You will observe this in the cmd window where vulnserver.exe was running. The program will stop working, and the windows command prompt will appear. Type netstat -a -n -p TCP and ensure that TCP port 9999 is not open anymore. 5. Switch to Kali Linux, review both nocrash.py and crash.py codes by using nano editor. In the terminal window, type nano filename to open the desired file. To exit from the nano editor, press CTRL-X. Please explain what crash.py does by using the template below. host = "192.168.2.13" #explanation: port = 9999 #explanation: junk = "A"*5000 #explanation: buffer = "TRUN ." + junk #explanation: s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) #explanation: s.connect((host,port)) #explanation: print(s.recv(1024)) #explanation: s.send(buffer) #explanation: s.close() #explanation:
  • 8. Why crash.py causes a crash in the vulnserver network service? Which line of the code overflows the buffer?Section-3: Get a Remote Shell from the Server by Exploiting the Buffer Overflow Vulnerability of the Network Service 1. If you created a new reservation before Section-3, then select Kali Linux and undock it. Type in “toor” as the password of the root. Open a terminal window. Type cd fuzzer to change the folder to the fuzzer. Select Windows 7 Target and undock it. Place the undocked Windows 7 Target window next to the undocked Kali Linux window. Open a cmd window in Windows 7 Target, type cd Desktop, and cd Vulnerable_Service to change the directory to the Vulnerable_Service folder. If you didn’t create a new reservation, skip this step and continue with the next step. 2. In Windows 7 Target machine, type vulnserver in the cmd prompt to run the service once again. (The service was crashed in Section-2) 3. In Kali Linux, open a new terminal window by right-clicking on the terminal window on the taskbar and clicking "Open a New Tab". 4. In the new tab, type nc -lvp 443 and press enter to create a listener. You will see the "listening on [any] 443 …" message on the screen. In this case, you are using netcat utility in listen mode. “l” switch indicates that nc will be in listening mode. "v" switch means verbose; netcat shows detailed message related to the
  • 9. connection status. "p" switch indicates which local port number will be used in listen mode. The above command opens the port 443 on Kali Linux, and Kali Linux starts to listen on this port. 5. Switch to the previous tab where you are in the fuzzer folder. 6. Type python remote_shell.py and press enter. This python code has a long payload contrary to the other python codes you run in Section-1 and Section-2. Python code connects to TCP 9999 port on Windows 7 Target machine like the other codes; however, it exploits the buffer overflow vulnerability to gain a remote shell from Windows 7 Target computer. 7. Switch to netcat terminal windows in Kali Linux to see the remote shell. 8. Type whoami and press enter. You should be able to see win7-targetms user, who is currently logged on user on Windows 7 Target. Take a screen capture of the Kali Linux terminal window where you can see the remote shell and the name of the currently logged on user in it. Review the remote_shell.py by typing nano remote_shell.py in Kali Linux (within the fuzzer folder). Alternatively, you can also open the remote_shell.py file on the desktop of the Windows 7 Target. There are two differences between
  • 10. crash.py and remote_shell.py: The first difference is the buf variable; this is a new variable that did not exist in crash.py. The second difference is the updated junk variable. Let’s start with the buf variable: The buf variable contains a specially crafted, 351-byte long payload. This payload contains: 1) A reverse TCP shell 2) The IP address of the Kali Linux 3) The port number (443) to connect to the Kali Linux All this information is encoded, and you should have seen the encoded string once you opened the remote_shell.py. After python code runs on Kali Linux, it opens a connection to Windows 7 Target; the same code sends this payload to the vulnserver service over this connection. Buffer overflow vulnerability causes vulnserver to accept all of the inputs from the code and let the operating system (Windows 7 Target) run the code in the payload. As shown above, the code in payload runs a TCP shellcode, and this shellcode connects to 443 port on Kali Linux. Let’s talk about the updated junk variable. junk = "A"*2006 + "xAFx11x50x62" + "x90"*16 + buf +
  • 11. "C"*(5000-2006-4-16-351) In the crash.py (this is also called proof of concept code), code was sending the “A” character 5000 times (5000 bytes). In remote_shell.py, the code is sending a specially crafted package that causes gaining a remote shell. There are five sections of the crafted junk variable. The following list of data should be sent in the specified order: 1) "A"*2006 >>> 2006 times A character: 2006 is not a random number. This is the crash point. The vulnserver crashes if it gets an input -via TRUN parameter- that is more than or equal to 2006 characters. This has been determined after examining the behavior of the vulnserver by using a debugger. 2) xAFx11x50x62: Identifying the crash point is very important. Because the operating system has the EIP register right after this crash point, EIP stands for Extended Instruction Pointer. This register contains the address of the next instruction to be executed. Your goal is to write the address of the instruction that will run the payload (shellcode). xAFx11x50x62 is the address of the instruction that will run the payload in our case. More specifically, this address has a special instruction; “jmp esp". This instruction is critical in exploiting the buffer overflow vulnerability to get a shell because jmp esp points to the address where the payload is stored in the memory. To summarize, at the crash point, the EIP register is given xAFx11x50x62; so that the instruction jmp esp will run next to execute shellcode. 3) "x90"*16 >>> 16 times x90: x90 means no operation (NOP). You place a sequence of 16 no operation instructions here. You can also change the numbers to 20 instead of 16, which will not change the python code's behavior. This is done to ensure that jump esp finds the whole payload (nothing is missing with
  • 12. payload). Because we don’t know for certain at which address the payload will start in the buffer due to random changes in the memory. The NOP is a way to deal with this uncertainty. jmp esp will jump to the beginning part of NOP instructions; it will do nothing 16 times and find the payload and run it. If you don't place x90"*16, jmp esp will go to a place where some parts of payload might be missing. 4) buf: This is the payload; already talked about this. 5) "C"*(5000-2006-4-16-351) >>> 2623 times C character: Specially crafted package for the remote shell has been created starting with the crash script in which 5000 times A characters had been sent; therefore, we add 2623 times C character to send a total number 5000 characters to the remote service. It does not matter whether C, A, or any other character; the critical point is that it should end up with 5000 characters. You found 2623 by subtracting the number of bytes of the previous sections from 5000. Remember that 2006 bytes to reach out to the crash point, 4 bytes for the next instruction address, 16 bytes for NOP, 351 bytes for the payload size. Weekly Learning and Reflection In two to three paragraphs (i.e., sentences, not bullet lists) using APA style citations if needed, summarize, and interact with the content covered in this lab. Summarize what you did as an attacker, what kind of vulnerabilities did you exploit, what might have prevented these attacks. List the attackers and all of the targets in your summary. You can provide topologies, sketches, graphics if you want. In particular, highlight what surprised, enlightened, or otherwise engaged you. You should think and write critically, not just about what was presented but also what you have learned through the session. You can ask questions for the things you're confused about. Questions asked here will be summarized and answered anonymously in the next class.