Forums: On-line Demo Windows Buffer Overflow - Forums


On-line Demo Windows Buffer Overflow How about an online BOF walk through?

#1 User is offline   krackatoa 

  • Corporal
  • Group: Members
  • Posts: 194
  • Joined: 29-July 03

Posted 10 April 2004 - 12:26 PM

There are a couple of threads running about Linux-based buffer overflows. There are also papers out there that explain Windows-based BOFs. Some of the papers are OK and I understand the basics of how a BOF works. I can do the long strings and overwrite EIP. But I think I and others could benefit from an online demo that we work through together from start to finish using the same free tools.

I'm thinking along the lines of using OllyDbg for a debugger.
A free C compiler.
A simple program that is vulnerable to BOF and doesn't need to be installed (I have one that I can upload).

The program that I can upload is vulnerable to a long filename put or get. It can be overflowed by using the built-in windows tftp client (tftp.exe).

Run the tftp server; now, from a Windows client, run tftp.exe -i 127.0.0.1 get AAAA..AAA.exe

After a specific amount of AAAAA's the buffer is overflowed.

Any experts out there that are willing to take this one on for the benefit of all of us?
0

#2 User is offline   TheOther 

  • Private First Class
  • Group: Members
  • Posts: 98
  • Joined: 01-December 03

Posted 10 April 2004 - 03:37 PM

Nice plan!

Sorry but I can't help you out. I only can learn from it.
0

#3 User is offline   Blackknight 

  • Private First Class
  • Group: Members
  • Posts: 129
  • Joined: 22-September 03

Posted 10 April 2004 - 04:02 PM

:ph34r:
I could make an example program to exploit; it wouldn't be very realistic, but hey, you would learn how to do all the gay MS exploit concepts.
Only problem is I'm on a 56k and walking people through is always a hassle...
The tutorials out there are very comprehensive; you could easily learn how it's done... you obviously don't try hard enough or you just lack the ability <_<
0

#4 User is offline   krackatoa 

  • Corporal
  • Group: Members
  • Posts: 194
  • Joined: 29-July 03

Posted 10 April 2004 - 05:14 PM

It's all about learning on this board.

Any help from anyone with the right skills would be appreciated by many.
0

#5 User is offline   krackatoa 

  • Corporal
  • Group: Members
  • Posts: 194
  • Joined: 29-July 03

Posted 10 April 2004 - 08:58 PM

Ok, so far no takers besides the post by blackknight, so I'll get it started.

I posted the vulnerable program here: http://www.governmentsecurity.org/forum/index.php?showtopic=7735

Download OllyDbg and lcc-win.


Program preparation:

Unzip OllyDbg to your desktop and run it.
-Select "Options" from the toolbar, then "Just-in-time debugging"
-Click the command button "Make OllyDbg just-in-time debugger"
-Click "Attach without confirmation"
-Click "Done" and close Olly

Unzip the tftp server files to your desktop.

Let's start:

Run the tftp server "tftp.exe" from your desktop folder. You'll see the GUI interface.

Now we are going to pass a long string to the tftp server to trigger the vulnerability.

Start up a cmd prompt (Start, Run, cmd)
-Type in your cmd window "tftp -i 127.0.0.1 get AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.exe"
-Then press Enter.

Olly will break in when you get enough AAAAAAA's

If it doesn't break, then you don't have enough AAAAA's or the just-in-time options aren't set right on Olly.

Once Olly breaks, look at the "Registers (FPU)" frame/window on the upper right half. If you see "EIP" at 41414141 then you've successfully overwritten EIP.

The next thing we'll do is find exactly how many AAAAA's it takes to overwrite EIP.
-Repeat the above process slowly removing blocks of AAAAAAA's until you see the EIP register change to something other than 41414141. You'll need to restart the tftp server each time because it will die when you close Olly.

Continue experimenting until you find out the exact amount to overflow EIP, then change the last four AAAA to BBBB. You'll know you have it right when EIP is 42424242.

Post it here when you get it then we'll go from there.
0

#6 User is offline   z0mbi3 

  • Corporal
  • Group: Members
  • Posts: 173
  • Joined: 12-August 03

Posted 11 April 2004 - 02:09 AM

Thanks man, might help people like me understand how to work on buffer overflows..

I think the number of A it can handle for the EIP to go 41414141 is 268
so if i put
"A"x264+"B"x4 =EIP 42424242

I think that's it but dunno how that happened... kept on trying till I got it..
When using just-in-time (I don't think I set it right) it did break and EIP did go to 41414141 but I couldn't see the 41 on the bottom.. so I looked around and found attach, tried that and it seemed to work =)

Maybe you guys could explain it.. theoretically..

[Q] I attached the tftp.exe to Olly and ran it to see the EIP as 7FFE0304.. so I ran
tftp -i blah blah "A"x264+"B"x4 .exe and the EIP turned to 42424242

where is that 7FFE0304??

This post has been edited by yamaraj: 11 April 2004 - 03:20 AM

0

#7 Guest_Paul_*

  • Group: Guests

Posted 11 April 2004 - 04:32 AM

tftpd32.exe hangs sometimes, it also showed this

Quote

Error : RecvFrom returns 10040: <A message sent on a datagram socket was larger than the internal message buffer or some other network limit, or the buffer used to receive a datagram into was smaller than the datagram itself.>

0

#8 Guest_BlaStA_*

  • Group: Guests

Posted 11 April 2004 - 05:16 AM

Also did this. For me it took the same amount of A's and B's as yamaraj (264xA + 4xB). But what EIP should we put there?
0

#9 User is offline   linuxwolf 

  • Corporal
  • Group: Members
  • Posts: 173
  • Joined: 28-July 03

Posted 11 April 2004 - 05:34 AM

Nice work here, I know a lot of people are learning about this. :)
0

#10 Guest_T3cHn0b0y_*

  • Group: Guests

Posted 11 April 2004 - 06:29 AM

OK I'm there too ;)

The size of the buffer inside tftp.exe for the filename is 246 bytes. Any filename specified over 246 characters in length will cause a segmentation fault. It takes another 18 bytes to overwrite up to the EIP (264 characters total), so would I be right in saying that anything after 246 bytes would be overwriting the function's/program's arguments, which have been allocated 18 bytes? If not, then what is the purpose of these 18 bytes between the end of the stack & heap and the IP extended register?

I think I generally understand what's going on but could you explain what these 18 bytes are for (if I'm right with the calculations) and maybe write what we can do by modifying the EIP?

Thanks,
T3cHn0b0y.

/edit

OK I just read up on something and found that these 18 bytes are used for other registers right? I found this on a paper I was reading:

------------------------------------------------------

Accumulator Reg. AX
Base Reg. BX
Counter Reg. CX
Data Reg. DX

Stack Pointer SP
Base Pointer BP

Source Index SI
Destination Index DI

Instruction Pointer IP

Flags FR

Code Segment CS
Data Segment DS
Stack Segment SS
Extra Segment ES

------------------------------------------------------

So I take it that each one of the registers above is stored after the stack? So... how big is each of these registers and which ones are extended on an Intel?
0
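As an added example (not code from the thread or from the tftpd being poked at), here is a C parser for the RRQ/WRQ datagram the posts are sending, with the unbounded copy pattern that produces the crash shown next to a bounded version that rejects oversized or unterminated names. FNAME_MAX = 246, the function names and the octet-mode builder are assumptions taken from the 246-byte figure above, not facts about the real server.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define FNAME_MAX 246   /* assumed filename buffer size, mirroring the thread's figure */

enum { TFTP_RRQ = 1, TFTP_WRQ = 2 };

/* Outcome of parsing the filename field of an RRQ/WRQ. */
enum parse_result { REQ_OK = 0, REQ_BAD_OPCODE, REQ_UNTERMINATED, REQ_NAME_TOO_LONG };

/* Pattern to avoid: copy until NUL with no bound. A name longer than the
 * buffer runs past it into the saved registers and return address, which is
 * the 41414141 in EIP the thread observes. Kept for contrast; never called
 * with attacker-controlled input. */
void copy_name_unbounded(char fname[FNAME_MAX], const char *pkt_name)
{
    strcpy(fname, pkt_name);   /* no length check */
}

/* Hardened parser: stays inside 'len', refuses names without a terminator
 * and names that would not fit in fname together with their NUL. */
enum parse_result parse_tftp_request(const uint8_t *pkt, size_t len,
                                     char fname[FNAME_MAX], size_t *name_len)
{
    if (len < 4) return REQ_BAD_OPCODE;   /* opcode + "\0" + mode "\0" at least */
    uint16_t opcode = (uint16_t)((pkt[0] << 8) | pkt[1]);
    if (opcode != TFTP_RRQ && opcode != TFTP_WRQ) return REQ_BAD_OPCODE;

    const uint8_t *start = pkt + 2;
    const uint8_t *end = memchr(start, 0, len - 2);   /* NUL within the datagram? */
    if (end == NULL) return REQ_UNTERMINATED;

    size_t n = (size_t)(end - start);
    if (n >= FNAME_MAX) return REQ_NAME_TOO_LONG;      /* leave room for the NUL */

    memcpy(fname, start, n);
    fname[n] = '\0';
    *name_len = n;
    return REQ_OK;
}

/* Builds a constructed RRQ datagram (opcode 1, name, NUL, "octet", NUL) for
 * testing the parser offline. Returns its length, or 0 if 'out' is too small. */
size_t build_rrq(uint8_t *out, size_t cap, const char *name)
{
    size_t n = strlen(name);
    size_t total = 2 + n + 1 + 6;      /* "octet" plus its NUL is 6 bytes */
    if (total > cap) return 0;
    out[0] = 0; out[1] = TFTP_RRQ;
    memcpy(out + 2, name, n + 1);
    memcpy(out + 2 + n + 1, "octet", 6);
    return total;
}
```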

#11 User is offline   shaun2k2 

  • Sergeant First Class
  • Group: Specialist
  • Posts: 348
  • Joined: 14-August 03

Posted 11 April 2004 - 09:36 AM

A Windows demonstration would be infeasible if anybody wanted me to do it, as I currently don't have any access to Windows operating systems.

Although the concept of buffer overflows can seem either complex or quite easy, the only way to learn the principles and ultimately how they can be exploited in theory and in practice is to read about them as much as you can - demos probably won't help you, because you'll just be doing what the lecturer says, and everybody might be shouting about their difficulties. Demos aren't even feasible because everybody uses different architectures, and therefore everybody's system is different.

Help yourself - read some papers :)

http://www.elitehave...WideChapter.txt - Exploitation of Buffer Overflow Vulnerabilities Under Windows XP
http://www.elitehaven.net/buf.zip - Buffer Overflows on NT Based Platforms REALLY Explained!
http://www.phrack.org/phrack/49/P49-14 - Smashing the stack for fun and profit
http://www.phrack.org/phrack/55/P55-15

There's other good articles by teleh0r - he demonstrates buffer overflow exploitation in two articles; one for perl and one for C. Ask Dr. Google.


-Shaun.
0

#12 User is offline   linuxwolf 

  • Corporal
  • Group: Members
  • Posts: 173
  • Joined: 28-July 03

Posted 11 April 2004 - 11:37 AM

cheers for that shaun.

I've got a sweet buffer overflow paper and one on stacking somewhere, I'll root them out and put them up here. Share the knowledge, you lot.

-ben
0

#13 User is offline   krackatoa 

  • Corporal
  • Group: Members
  • Posts: 194
  • Joined: 29-July 03

Posted 11 April 2004 - 04:07 PM

Ok, let's move on; Yamaraj wrote:

I think the number of A it can handle for the EIP to go 41414141 is 268
so if i put
"A"x264+"B"x4 =EIP 42424242


This is the same number that I get as well as others.

Shaun2k2 posted the widechapter tutorial. The method I wanted to try was the jmp esp. It is talked about in this tutorial. He also posted http://www.elitehaven.net/buf.zip - Buffer Overflows on NT Based Platforms REALLY Explained! This one is very good.

So far we know it takes 268 bytes to completely overwrite EIP; now we need to know how much space beyond 268 we have available. As I understand it, we want to place our shellcode into this space AFTER EIP. So we continue to add AAAA...s until the program no longer crashes. Then we count the amount of AAA's it took after EIP and this is our available space to work with.

When we eventually jmp esp (We'll have to find a spot that's the same across Windows versions), we'll get to our code.


Paul: You hit that when you go too far past EIP.

T3cHn0b0y: I'm learning this as well and I'm hoping someone will volunteer hard information on some of the questions asked.

Yamaraj: 7FFE0304 can be anywhere in memory, exe, dll, etc. that execution will jump to next.

I'm still waiting on an expert to take the reins and lead us through. But in case there is none, I'm hoping we can do it together. We are going to have problems with nulls and buffer size, I think.

So let's find our available size and go from there.

If you're totally lost, read the wide chapter tutorial posted.
0

#14 User is offline   z0mbi3 

  • Corporal
  • Group: Members
  • Posts: 173
  • Joined: 12-August 03

Posted 12 April 2004 - 12:05 AM

Do we have to put the code before the EIP or after??

For example, I put A*264+B*4+A*8 => this will keep the EIP as 42424242.. so now do we just keep on putting A's and find a point where it doesn't crash anymore...
(I dunno.. I'm a n00b) :)
0

#15 Guest_scrasher_*

  • Group: Guests

Posted 12 April 2004 - 12:53 AM

I think this lesson is useful to see a simple example of a buffer overflow. It's clear that everybody has to read lectures about this, but practical know-how isn't wrong :)


If you add 243 'A's to the string, the tftp tool gives a fault, but doesn't get killed.

But I think the EIP points somewhere. Mustn't the shellcode start WITH the EIP, and not beyond it?

(sorry 4 my bad english ^^)
0
