The following C code lacks appropriate bound checking to enforce variable size restrictions on a copy. This is a rudimentary example of poor programming, but it is the basis for many exploits that are part of the Metasploit framework.
#include <string.h>
#include <stdio.h>
int main (int argc, char *argv[])
{
if (argc!=2) return 1;
char copyto[12];
strcpy(copyto, argv[1]); // failure to enforce size restrictions
printf("The username you provided is %s", copyto);
return 0;
}We take this code and place it into a file called username_test.cpp, and then compile it with MinGW, as shown following:
We can then run newly compiled program to see it returns whatever text we provide it.
Now, start Immunity and open the username_test.exe binary with the argument test, as seen below. This does functionally the same thing as both the Python script and running it from the command line, which means that you can monitor the output from the debugger.
Now, we need to provide more data than expected and attempt to trigger an overflow. This could easily be done here as we know the limits for this particular binary, but if we did not know this, we would have to take a relative guess. To do that, we should generate some data, such as a bunch of capital As, and see what happens.
We could either repeatedly hold down the Shift key plus the letter A each time we wanted to generate the arguments, or we can create a generator to do a similar activity. We can, again, use Python to help us out here. See the simple code, which will create files of data as needed, which can be copied and pasted into the debugger.
data = "A"*150
open('output.txt', 'w').close()
with open("output.txt", "w") as text_file:
text_file.write(data)The output of which can be seen in the following figure:
Now, copy and paste the data into the Immunity debugger arguments and step through the program as it runs with the F7 key. After holding the key down for a period of time, you will start to see your binary run with the arguments provided as it is processed in the Registers Pane, and as it is processed, 41414141 will be picked up in the EAX register. Each of the 41 represents the American Standard Code for Information Interchange (ASCII) letter A. Once you finish running the program, you should see the EIP overflowed with the letter A.
So, we know that we have provided enough As to overwrite the EIP. This means that we have found that we can overwrite the EIP, but we have not provided it with anything useful to do, and we do not know where it actually is in the stack. Basically, this means that this activity crashed our program instead of doing what we wanted to - get a shell.
This brings up another point about crafting exploits; often exploits that are not well designed, or cannot be designed to work in the memory constraints in particular vulnerabilities, will produce a Denial of Service (DoS) condition. Our goal instead is to get a shell on the box, and to do that, we need to manipulate what is being pushed into the program. Keep in mind that when you consider services, there have been reports of Remote Code Execution (RCE) attacks available, and the only public exploits available result in DoS attacks. This means that the environment is very difficult to achieve shell access, or the researcher's capabilities to create an exploit in that environment may be limited.
Now that you understand the basics of injecting data into the buffer and overflowing it, we can target a real vulnerable solution. We are going to use the Free MP3 CD Ripper program for this example. This program provides very little tangible value in developing an exploit, but developing it is a relatively simple exercise.