Buffer overflows, or dissecting the exploit.

So we talked about, in Gaining Access, that there's lots of different ways to gain access and one of the most common is a buffer overflow. Now, what exactly is a buffer overflow? That's what we're gonna cover in this lecture.

So, first, let's talk about what a buffer is. A buffer is just a temporary storage area that a program uses to store its data. So, for instance, we might have something like a phone number we wanna remember, 555-1234. Now, if I'm a computer program, I have to constantly be remembering that, or I need to put it someplace to store it, and that's where a buffer comes in.

So let's take an example of a Buffer A. It's an 8-bit buffer, it's got eight blocks for us to put information in. Can I put the number 555-1234 in an 8-bit buffer? Well, sure I can, because I can put 555, dash, 1234 and it fits perfectly inside an 8-bit buffer. What happens, though, with a buffer overflow is a program puts more data into the buffer than the buffer can hold.
In our example, instead of using a regular seven-digit phone number, what if I end up using the area code as well? Well, now, instead of being able to put the entire number in A, the buffer I was looking at, it's gonna overflow into B. And so you'll see it goes 210, dash, 555, dash, 1234. So when I read from Buffer A, I'm actually getting 210, dash, 555, dash. And now when I go for my second program to run Buffer B, I'm actually getting 1234 and I don't understand what that information is from. And that's all a buffer overflow does is it actually goes beyond what is allowed to be stored in a single area.

So how does the exploit work? Well, the stack is a reserved area of memory where the program saves the return address when a call instruction is received. So as you can see here, we have Buffer 2 with a Local Variable 2, and then we have our shell code that we've put in there. And then we put a new pointer to the shell code and that might be where the information used to be.
So when the computer goes back there, it's gonna now see the return pointer that was overwritten and point to my shell code. So as we walk through this, this'll make a little bit more sense. The stack is organized in a first in, last out structure. The first thing that's placed in the stack is the last thing that comes out of the stack. So what happens is the attacker places too much information on the stack, and they can change the value of the return pointer to carry out their attack. So when you go to the new pointer, it's actually gonna point to my shell code and not to the internet browser or to Microsoft Word. So the attacker's code is placed inside the buffer and the code that's used to run the commands or execute a series of instructions, again, that shell code, is then gonna be used.

Buffer overflows are a complex topic.
We don't need to understand the nitty gritties of how to actually develop them, but the fact is that many of the techniques that we use inside Metasploit and Metasploit Framework are buffer overflow exploits, and so you're gonna be using them a lot. This is just to give you an idea of how they work, and the idea is that as you put additional information into the memory, when the computer hits that part, it's gonna slide into it, go to that new pointer, and run that shell code.

So again, where do buffer overflows fall in this grand scheme of things? Usually, we're gonna use them in our Gaining Access phase. This is an exploit, so we're gonna exploit a vulnerability using a buffer overflow. Buffer overflows are able to be done because of poorly-written software.

So let's take an example of how this works and see if it makes it a little bit clearer. So there's a wonderful website out there called Over the Wire and it's got a lot of different hacking challenges.
It's a live environment where you can connect via an SSH connection, a secure shell connection, to attempt various binary exploitation challenges, including buffer overflows. Now, this is beyond the scope of this class, it's pretty challenging, but as you start working through and developing your skill set, you'll wanna go back to this site and play with it because there's a lot of great challenges there that can really help bring your technical ability up. Now, one of the ones we're gonna use here to show the buffer overflow is one in the Narnia series of exercises at Over the Wire.

So here's a copy of what the code looks like. This is the actual software code. It's a very short code, less than 20 lines. Now, this is a C program they're writing. So I'm gonna walk through it with you, so if you don't understand C, that's just fine. You'll be able to follow along, I promise. So don't worry too much about the first two, the includes. That's just saying here's how I can talk to the computer and receive information, input, output.
So inside the main program, we have long value, that's a variable. And they're setting that variable initially to 0x41414141, which is a hexadecimal value. It's just giving us an initial value to start with. Our goal in this program is we wanna be able to change the value from x41414141 to xdeadbeef. We're gonna set up a buffer of 20 characters. Now, the next thing we're gonna look at is print to the screen, correct value from 41414141 to deadbeef. They're gonna print Here's your chance, and then they're gonna scanf. Scanf just means input, so it's waiting for an input. And it's gonna allow us to input from the keyboard and it's gonna input that into the buffer. Now, how big's that buffer again? That's right, we said it was only 20. So if we overflow that buffer, we can actually get it to do things that we want. So the next thing we're gonna do is print out what the buffer is. So whatever we typed and hit Enter, it's gonna print back to us and give us the value inside hex.
And so you'll see that there. So if the value that we set was deadbeef, then we're gonna get back system bin/sh, which is a shell. So that's gonna be our payload. Our payload is we're gonna receive the command prompt from Linux. Otherwise, we're gonna get an answer of WAY OFF, you messed up, you didn't do it right, and the program's gonna terminate. It's a pretty simple program. So let's see how that works in the real world.

So if you thought this was an interesting topic and you wanna learn more about it, I recommend looking at The Shellcoder's Handbook, Hacking: The Art of Exploitation, or The Hacker's Playbook 2. All three of these books are great resources. They'll really help you hone the skills that you'll need to work on binary exploitation. Again, it's way beyond the scope of this class to teach you how to really dig in deep into this. This is just to give you a quick overview so you understand what a buffer overflow is and just see what that example looks like.
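The Narnia-style program in the lecture fails because scanf is allowed to write past its 20-character buffer into the neighbouring long. The defensive fix is to make the read itself enforce the bound, which the block below shows with fgets. This is an added example, not code from the lecture or from Over the Wire; frame_t, read_line_bounded and check_input are names chosen here for illustration, and the input lines are constructed.

```c
#define _POSIX_C_SOURCE 200809L   /* exposes fmemopen on glibc */
#include <stdio.h>
#include <string.h>

#define BUF_CAP 20   /* the 20-character buffer from the lecture's program */

/* Hypothetical frame (added example): the input buffer sits next to the
 * long the program later compares, as in the lecture's walkthrough. */
typedef struct { long val; char buf[BUF_CAP]; } frame_t;

/* Hardened replacement for an unbounded scanf("%s", buf): fgets writes at
 * most cap-1 characters plus the terminator, so the bound is enforced by
 * the read itself. Returns 1 if the whole line fit, 0 if it was truncated
 * (the excess is drained so it cannot spill into the next read). */
int read_line_bounded(FILE *in, char *buf, size_t cap)
{
    if (cap == 0 || !fgets(buf, (int)cap, in))
        return 0;
    size_t len = strlen(buf);
    if (len && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';
        return 1;
    }
    int c = fgetc(in);               /* no newline seen: was the line longer? */
    if (c == EOF || c == '\n')
        return 1;                    /* line was exactly cap-1 characters */
    while ((c = fgetc(in)) != EOF && c != '\n')
        ;                            /* discard the part that did not fit */
    return 0;
}

/* Feed one constructed input line through the frame; *fit reports whether
 * the line fit, the return value is 1 if val still holds 0x41414141. */
int check_input(const char *line, int *fit)
{
    frame_t f = { .val = 0x41414141L, .buf = {0} };
    FILE *in = fmemopen((void *)line, strlen(line), "r");
    if (!in) { *fit = 0; return 0; }
    *fit = read_line_bounded(in, f.buf, sizeof f.buf);
    fclose(in);
    return f.val == 0x41414141L;
}

int main(void)
{
    int fit;   /* 24 A's: longer than the buffer, constructed input */
    int intact = check_input("AAAAAAAAAAAAAAAAAAAAAAAA\n", &fit);
    printf("fit=%d val_intact=%d\n", fit, intact);
    return 0;
}
```

With the bounded read, an over-long line is reported as truncated and the long next to the buffer keeps its initial value instead of being overwritten.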