Linux Buffer Overflow

Computer Network Security

Ahmed Hamed 22011938

Abdelrahman Ihab 2206183 DR. Maged Abdelaty

 Buffer Overflow Concept
.

What is a Buffer Overflow ? Types of Buffer Overflows

 buffer overflow occurs when data written to a buffer  Stack-Based Overflows: These occur in temporary,
exceeds its allocated memory limit, causing adjacent function-specific memory on the stack, such as local
memory to be overwritten. variables. Attackers can overwrite the return address and
redirect execution flow
 This overflow can lead to unintended behavior, crashes,
or security vulnerabilities by corrupting memory  Heap-Based Overflows: Occur in dynamically allocated
structures. memory (the heap) and can lead to manipulation of
memory management structures, affecting program
stability and security

Causes of Buffer Overflows Consequences

 Lack of Bounds Checking: Functions like strcpy and  Security Vulnerabilities: Attackers may exploit overflows
strcat in C/C++ do not verify input size, potentially leading to inject and execute arbitrary code, potentially gaining
to overflows if the input is larger than the buffer. control over the application or system.
 Insecure Coding Practices: Using functions like gets  Application Instability: Overwritten memory may cause
without validating input length or improperly handling user the program to crash, leading to downtime and potential data
input allows data to exceed buffer limits. loss.
 Exploiting Simple Buggy C Programs
Common Vulnerabilities : Steps to Exploit a Buffer Overflow :
Stack-Based Buffer Overflows:
• Occur in local variables on the stack when excessive data is written, potentially Identify the Buffer Size:
overwriting the return address. Tools like gdb or static analysis can
• Exploitation can allow attackers to redirect execution to injected shellcode or assist in identifying buffer limits
malicious payloads.

Heap-Based Overflows:
• Arise in dynamically allocated memory (malloc, calloc) where input can exceed
allocated space.
• Attackers can corrupt adjacent heap metadata, leading to arbitrary code execution or Crafting the Exploit Payload
manipulation of application behavior. Shellcode: Construct a payload that
executes desired commands (e.g.,
spawning a shell or escalating
privileges)..
Format String Vulnerabilities:
• Arise when user input is unsafely used in functions like printf, allowing attackers to
read memory and potentially write to arbitrary memory locations.
• This can lead to data leakage, arbitrary code execution, or control of the program's
flow
Overwriting the Return Address:
Overflow the buffer to overwrite the
Format String Vulnerabilities: saved return address on the stack,
redirecting execution to the shellcode or
• Arise when user input is unsafely used in functions like printf, allowing attackers to
a specific memory address.
read memory and potentially write to arbitrary memory locations.
• This can lead to data leakage, arbitrary code execution, or control of the program's
flow.
 Basic Knowledge of gdb

The GNU Debugger (gdb) helps analyze and

debug C/C++ programs, especially for
identifying vulnerabilities.

Key Commands:
• run: Starts the program under gdb.
• break [function/line]: Sets breakpoints to pause execution.
• backtrace: Displays the call stack to see the flow of execution.
• info proc mappings: Shows memory layout for understanding buffer locations.
• print: Inspects variable values and memory addresses.

Key Features :
• Breakpoints: Pause execution at lines/functions to inspect variables and control flow.
• Stepping: Execute code line by line (step or next) to monitor behavior.
• Inspecting: Use print for variable values and x for memory examination.
• Backtrace: Use backtrace (or bt) to see function calls leading to the current point.
• Memory Mapping: Use info proc mappings to view memory layout and buffer
locations.
 Buffer Overflow Vulnerability
Fuzzer loop with integrated G :

• First, we turn off ASLR

(Address Space Layout
Randomization) to make
memory addresses predictable,
facilitating the development and
testing of buffer overflow
exploits.

• We implemented a fuzzer loop

integrated with GDB to
automate input testing while
enabling immediate analysis of
crashes, helping us quickly
identify vulnerabilities in the
target

• The fuzzer output shows that

the program begins to crash at
input 1005, but the actual crash
from the buffer overflow flaw is
characterized by the fact that the
hex address of the EIP
(Extended Instruction Pointer)
remains unchanged.
Locating the EIP
.

EIP is (Extended Instruction Pointer) is a CPU

register that holds the address of the next
instruction to execute.
 To pinpoint the exact bytes that overwrite EIP, we use a nonrepeating
pattern in the final 20 bytes of our exploit  This helps us identify which
part of our input reaches EIP

We Start with 1000 "A" characters to fill up space up to where we expect the overflow to
occur..

We Add a 20-byte unique pattern (BBBBCCCCDDDDEEEEFFFF) at the end to

identify the exact overwrite point in EIP. And We use 4 of each letter in the pattern
because EIP is a 4-byte (32-bit) register

The output showed a segmentation fault with EIP set to 0x45454545, which
corresponds to EEEE in ASCII. This confirms our overflow successfully reached and
overwrote EIP, pinpointing where we control program execution.
Reverse shellcode

Enables an attacker to gain remote access  by having the

compromised system connect back to the attacker's server,
often bypassing firewalls by using outgoing traffic..

 It typically involves exploiting a vulnerability to execute the shellcode, which

opens a network socket and connects to a predefined IP address and port,
enabling command execution on the compromised system.
 We use Metasploit's **msfvenom** tool to generate reverse shellcode, which
streamlines the creation of payloads for remote access..

Bind

shellcode Reverse shellcode

•Opens a listening socket •Connects back to the attacker's
on the target machine. machine

•Requires the attacker to •Allows remote access initiated

initiate the connection. by the victim
 Constructing the Exploit
Before we start constructing the exploit, we need to familiarize ourselves
with some key terms:

 ESP Register
The ESP (Extended Stack Pointer) register points to the top of the stack in x86
architecture (32-bit systems), tracking the current stack location where temporary
data, such as local variables and return addresses, are stored. In buffer overflow
attacks, excess data can overwrite critical information, allowing attackers to control
program flow. NOP sleds help ensure that ESP lands on the malicious code.

 EBP Register
The EBP (Base Pointer) register manages the stack frame of a function, keeping
track of local variables and function arguments. Buffer overflows can overwrite
EBP, enabling attackers to manipulate the stack frame and redirect execution flow
to an arbitrary memory address.

NOP Sled.
NOP sled is a sequence of NOP (No Operation) instructions in
memory, used in buffer overflow exploits to enhance the
chances of redirecting program execution to a target payload,
such as shellcode. The NOP instruction allows the CPU to skip
over it, making the sled a useful "landing zo
Why Use a NOP Sled?
• Margin of Error: In buffer overflows, targeting the exact
memory address of the payload can be difficult due to
variations in the environment (e.g., stack alignment, buffer
sizes).
• Landing Zone for EIP: Instead of aiming for the payload's
start, the EIP register is directed to the NOP sled. If EIP lands
within the sled, the CPU will execute NOPs until it reaches the
Finding the NOP sled in RAM

Finding the NOP sled in RAM after constructing a buffer

overflow exploit is an important step in the exploitation
process for several reasons
•Address Verification: Confirming the actual memory addresses ensures that the exploit
points to the correct location, especially in environments with ASLR.

•Debugging and Testing: Locating the NOP sled aids in debugging, allowing attackers to
assess and refine the exploit's effectiveness.

•Increasing Success Rate: Knowing the sled's address increases the likelihood that the
EIP will land within it, facilitating successful payload execution.

 We use the identified address of the NOP sled to adjust the exploit code, ensuring
that the EIP register points to this address. This increases the likelihood of landing in
the NOP sled during the exploit.

 After obtaining the address of the NOP sled, we set a breakpoint at that location and
execute the shellcode. Subsequently, we use GDB to examine the register values with the
info registers command to verify the state of the registers during execution
 Completing The Exploit Code & Reverse Shell
Connection on Other VM

 After examining the stack frame with x/410x $esp, we

selected the address 0xffffc880
 which is positioned in the middle of the NOP sled (the \x90
bytes). We must avoid any addresses that contain 00, 10, or 20
bytes, as these will act as delimiters and prematurely terminate
the string.
.

Finally, we used Netcat on the attacker machine to exploit the vulnerability in

the target program on another VM via a reverse shell connection.

In our exploitation process, we utilized Netcat to create a reverse shell

connection. On the attacker machine, we set up a listener on port 31337 using
the command nc -lvp 31337. Then, on the target machine, we executed a
payload that connected back to the attacker's IP address on the same port,
allowing us to gain remote command execution.

We successfully connected using port 31337, a commonly used port for

reverse shells, as it is often less monitored by security systems, making it a
favorable choice for such exploits.
 CLOSING

Thank You