Buffer Overflows

If an attacker can find a way of getting arbitrary code to the target system and getting that system to execute it, the attacker can gain access to the system and its resources. Contiguous blocks of memory are used to store data, and when data copied into a buffer exceeds the size of the buffer, a buffer overflow occurs. Vulnerabilities occur through human error such as programming errors by developers, programming languages that contain errors, and when good programming practices are not followed. Many programs are designed to allow input. The input fields can be used to send arbitrary code to the system.

Stack Buffer Overflow

A stack buffer overflow is caused when a program writes more data to a buffer located on the stack than was expected. This results in the corruption of data. For additional information, visit Stack Buffer Overflow (https://blog.rapid7.com/2019/02/19/stack-based-buffer-overflow-attacks-what-you-need-to-know/).

Heap-Based Buffer Overflow

Memory on the heap is dynamically allocated by an application. A lot of times the program data is contained on the heap. If an attacker can corrupt this data, the attacker can cause the application to overwrite internal structures . For more information, visit Heap-Based Buffer Overflow (https://cwe.mitre.org/data/definitions/122.html).

Detecting Buffer Overflow Vulnerabilities

Programs written in C are more susceptible to buffer overflows. The standard C library offers many functions that do not perform any boundary checks.

An attacker looks for strings declared as local variables in functions and verifies the presence of a boundary check or the use of safe C functions in the source code. To detect buffer overflow vulnerabilities, you can examine source code for strings declared as local variables in functions or methods, check for improper use of standard functions, and force a large volume of data on an application and check for abnormal behavior. See Figure 14-1.

Defense Against Buffer Overflows

There are several things an application developer can do to eliminate buffer overflows including performing a manual audit of the code, disabling stack execution, using compiler techniques, and developing safer C library support.

Nmap

Nmap is free and operates on various platforms, like Microsoft Windows, Mac OS X, and Linux. It can be used to evaluate which hosts are on the network and then to identify the ports a remote system is running for the Transmission Control Protocol (TCP) and User Datagram Protocol (UDP). To determine what operating system the remote machine is operating, you can also execute an operating system scan. The results of the OS scan given by nmap may often be inconclusive, requiring the attacker to use other techniques to determine the remote OS accurately.

The Ping Scan results show that five hosts are up on the 192.168.100.0/24 network. However, there might be other hosts that have their firewalls activated or are not responding to requests from the Internet Control Message Protocol (ICMP). See Figure 14-2.

TCP Scan

These ports are rarely available on machines that are connected to the Internet, but are usually open on LAN-connected Windows machines. In the particular case in Figure 14-3, these ports are available because the Windows 2008 server administrator shared a single folder called share on the C: drive. Generally, these ports are open on Windows systems and are related to file and print sharing for Microsoft Windows .

Fingerprint of the OS

The scan with nmap provides inconclusive results (Figure 14-4). It says that the OS could be

• Microsoft Windows 7 Professional

• Microsoft Windows Vista SP0 or SP1

• Windows Server 2008 SP1

• Windows 7

• Microsoft Windows Vista SP2

• Windows Server 2008

Using Metasploit to Fingerprint

You need to have a more accurate indication of what OS the target computer is running. If you use one of the Metasploit auxiliary scanning modules, you could get a better result. See Figure 14-5.

Use the show options command to view the options for the auxiliary scanning module’s options. See Figure 14-6.

After setting the RHOSTS , run the scan to determine the remote machine’s operating system. See Figure 14-7.

The OS is identified as Windows 2008 Standard without Hyper-V Service Pack 1 . See Figure 14-8.

Searching for Exploits

The exploits are mentioned last, as we review the results of the search. The exploit’s name is within Metasploit and also the release date, the exploit’s effectiveness, and the overview of what vulnerability that the exploit impacts. Since Server 2008 came out in 2008, we will look for an exploit that came out in 2008 or later. See Figure 14-9.

Meterpreter

Meterpreter is an advanced Metasploit payload that enables an attacker to dump the hashes, download data, and perform specific tasks after exploitation. See Figure 10-10. A tool such as John the Ripper could be used to crack passwords once the hashes are dumped.

Summary

In this chapter, you learned about buffer overflows and how hackers can take advantage of weaknesses in computer systems due to vulnerabilities that may exist. You became familiar with intrusion detection techniques and various types of intrusion detection systems and firewalls. In addition, you learned what to look for in order to identify an attack on an internal network.

Resources