© The Author(s), under exclusive license to APress Media, LLC, part of Springer Nature 2021
A. SheikhCertified Ethical Hacker (CEH) Preparation Guidehttps://doi.org/10.1007/978-1-4842-7258-9_14

14. Buffer Overflow

Ahmed Sheikh1  
(1)
Miami, FL, USA
 

When vulnerabilities exist, hackers can exploit flaws in computer networks. A person responsible for an organization’s network protection will have to patch vulnerable systems. It is also a good practice to shut down non-essential services running on systems. If systems are not properly managed or protected, they can be exploited by hackers. After cracking into a remote system, an attacker can take steps to entrench by setting up accounts and capturing and exfiltering information from the network. In this chapter, you will take a close look at buffer overflow and buffer overflow countermeasures.

By the end of this chapter, you will be able to
  1. 1.

    Define a buffer overflow.

     
  2. 2.

    Identify a buffer overflow.

     
  3. 3.

    Identify buffer overflow countermeasures.

     

Buffer Overflows

If an attacker can find a way of getting arbitrary code to the target system and getting that system to execute it, the attacker can gain access to the system and its resources. Contiguous blocks of memory are used to store data, and when data copied into a buffer exceeds the size of the buffer, a buffer overflow occurs. Vulnerabilities occur through human error such as programming errors by developers, programming languages that contain errors, and when good programming practices are not followed. Many programs are designed to allow input. The input fields can be used to send arbitrary code to the system.

Stack Buffer Overflow

A stack buffer overflow is caused when a program writes more data to a buffer located on the stack than was expected. This results in the corruption of data. For additional information, visit Stack Buffer Overflow (https://blog.rapid7.com/2019/02/19/stack-based-buffer-overflow-attacks-what-you-need-to-know/).

Heap-Based Buffer Overflow

Memory on the heap is dynamically allocated by an application. A lot of times the program data is contained on the heap. If an attacker can corrupt this data, the attacker can cause the application to overwrite internal structures . For more information, visit Heap-Based Buffer Overflow (https://cwe.mitre.org/data/definitions/122.html).

Detecting Buffer Overflow Vulnerabilities

Programs written in C are more susceptible to buffer overflows. The standard C library offers many functions that do not perform any boundary checks.

An attacker looks for strings declared as local variables in functions and verifies the presence of a boundary check or the use of safe C functions in the source code. To detect buffer overflow vulnerabilities, you can examine source code for strings declared as local variables in functions or methods, check for improper use of standard functions, and force a large volume of data on an application and check for abnormal behavior. See Figure 14-1.
../images/505537_1_En_14_Chapter/505537_1_En_14_Fig1_HTML.jpg
Figure 14-1

Detecting buffer overflow vulnerabilities

Defense Against Buffer Overflows

There are several things an application developer can do to eliminate buffer overflows including performing a manual audit of the code, disabling stack execution, using compiler techniques, and developing safer C library support.

Nmap

Nmap is free and operates on various platforms, like Microsoft Windows, Mac OS X, and Linux. It can be used to evaluate which hosts are on the network and then to identify the ports a remote system is running for the Transmission Control Protocol (TCP) and User Datagram Protocol (UDP). To determine what operating system the remote machine is operating, you can also execute an operating system scan. The results of the OS scan given by nmap may often be inconclusive, requiring the attacker to use other techniques to determine the remote OS accurately.

The Ping Scan results show that five hosts are up on the 192.168.100.0/24 network. However, there might be other hosts that have their firewalls activated or are not responding to requests from the Internet Control Message Protocol (ICMP). See Figure 14-2.
../images/505537_1_En_14_Chapter/505537_1_En_14_Fig2_HTML.jpg
Figure 14-2

Nmap

TCP Scan

These ports are rarely available on machines that are connected to the Internet, but are usually open on LAN-connected Windows machines. In the particular case in Figure 14-3, these ports are available because the Windows 2008 server administrator shared a single folder called share on the C: drive. Generally, these ports are open on Windows systems and are related to file and print sharing for Microsoft Windows .
../images/505537_1_En_14_Chapter/505537_1_En_14_Fig3_HTML.jpg
Figure 14-3

TCP scan

Fingerprint of the OS

The scan with nmap provides inconclusive results (Figure 14-4). It says that the OS could be
  • Microsoft Windows 7 Professional

  • Microsoft Windows Vista SP0 or SP1

  • Windows Server 2008 SP1

  • Windows 7

  • Microsoft Windows Vista SP2

  • Windows Server 2008

../images/505537_1_En_14_Chapter/505537_1_En_14_Fig4_HTML.jpg
Figure 14-4

OS fingerprint

Using Metasploit to Fingerprint

You need to have a more accurate indication of what OS the target computer is running. If you use one of the Metasploit auxiliary scanning modules, you could get a better result. See Figure 14-5.
../images/505537_1_En_14_Chapter/505537_1_En_14_Fig5_HTML.jpg
Figure 14-5

Metasploit auxiliary scan

Use the show options command to view the options for the auxiliary scanning module’s options. See Figure 14-6.
../images/505537_1_En_14_Chapter/505537_1_En_14_Fig6_HTML.jpg
Figure 14-6

Showing options

After setting the RHOSTS , run the scan to determine the remote machine’s operating system. See Figure 14-7.
../images/505537_1_En_14_Chapter/505537_1_En_14_Fig7_HTML.jpg
Figure 14-7

RHOSTS

The OS is identified as Windows 2008 Standard without Hyper-V Service Pack 1 . See Figure 14-8.
../images/505537_1_En_14_Chapter/505537_1_En_14_Fig8_HTML.jpg
Figure 14-8

Windows 2008 Standard without Hyper-V Service Pack 1

Searching for Exploits

The exploits are mentioned last, as we review the results of the search. The exploit’s name is within Metasploit and also the release date, the exploit’s effectiveness, and the overview of what vulnerability that the exploit impacts. Since Server 2008 came out in 2008, we will look for an exploit that came out in 2008 or later. See Figure 14-9.
../images/505537_1_En_14_Chapter/505537_1_En_14_Fig9_HTML.jpg
Figure 14-9

Search using Metasploit

Meterpreter

Meterpreter is an advanced Metasploit payload that enables an attacker to dump the hashes, download data, and perform specific tasks after exploitation. See Figure 10-10. A tool such as John the Ripper could be used to crack passwords once the hashes are dumped.
../images/505537_1_En_14_Chapter/505537_1_En_14_Fig10_HTML.jpg
Figure 14-10

Meterpreter

Summary

In this chapter, you learned about buffer overflows and how hackers can take advantage of weaknesses in computer systems due to vulnerabilities that may exist. You became familiar with intrusion detection techniques and various types of intrusion detection systems and firewalls. In addition, you learned what to look for in order to identify an attack on an internal network.

Resources

..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.
Reset