Last updated at Wed, 27 Sep 2017 00:09:13 GMT
Summary: Video demonstration of discovering a buffer overflow vulnerability in a SUID-root program, determining attributes of the bof, and writing a custom exploit for local privilege escalation on Ubuntu 12.04 by webpwnized (@webpwnized).
While modern operating systems have long been patched against exploits which use direct addressing to exploit buffer overflows, it can be interesting to look at the creation of a custom exploit in order to better understand the basics of buffer overflow vulnerabilities. Additionally, even with up-to-date operating systems available, it is still possible some of these vulnerabiltities are still exposed to static addressing exploits due to weaknesses in third-party software and out of date systems which "can't" be updated because of an older business critical software system relying on last-generation O/S support.
In any case, this video is entirely acedemic in that a sample program was written to purposely contain a buffer overflow and all operating system protections were removed for simplicity. Also the program has the suid bit set and the owner changed to root. In order to ensure the demonstration is repeatable, it is important to note that the program was compiled with both stack-canaries disabled and non-executable stack protection turned off. Additionally, address space layout randomization (ASLR) was disabled at run time. While it is possible to circumvent these controls under certain conditions (i.e. patch levels, compiler options, rop-friendly environments, etc.), it is best to practice at first without these controls to aid in understanding. The operating system is Ubuntu 12.04 running as a Virtual Machine in Oracle VirtualBox. Helpful notes are below. These are used at various points in the video.
Links:
Ubuntu
Oracle VM VirtualBox
Basic checkpoints in the demonstration are:
- Explain the environment (Ubuntu 12.04)
- Compile the sample program with protections disabled
- Disable ASLR
- Examine process assembly in debugger
- Locate overflow
- Determine buffer size, location, and layout
- Find reliable method to overwrite return pointer
- Inject shellcode and set return pointer to land inside
Practice Checklist
1. Disable address space layout randomization (ASLR)
echo 0 > /proc/sys/kernel/randomize_va_space
2. Compile program without stack canary protection and non-executable stack protection
gcc -fno-stack-protector -z execstack -o <name of output file> <name of source code>
3. Run GDB as a regular user since the exploit will be run as a regular user. Running as root can change the memory layout.
How to Check ASLR
cat /proc/sys/kernel/randomize_va_space`
Values:
0 - Off
1 - On
2 - On (Max Randomization)
How to Check Non-Executable Stack for a Program
objdump -p authenticate_user | grep -i -A1 stack (check rwx flags)
readelf -l authenticate_user | grep -i stack (check RWE flags)
scanelf -e authenticate_user (check RWX flags)
gdb helpful hints
Run program with input
run < $(python -c 'print "A" * 512 "B" * 4')
show next 10 instructions
x/10i $eip
show registers
info registers
show stack pointer
info reg $esp
print $esp
show function address
print <function>
Showing modules loaded for a program, the load address, and whether the addresses are static
ldd <program>
Source code used in demo
#include <stdio.h>
#include <stdlib.h>
#define correct_password "op3ns3s3m3"
authenticate_user (){
char password[512];
printf("Please enter the password: ");
gets (password);
if (strcmp(correct_password, password) == 0)
password_correct();
else
printf("Access Denied!\n");
return 0;
}
password_correct(){
printf("Access Granted\n");
return 0;
}
int main(int argc, char *argv[]){
if(argc > 1){
printf("Usage: password <password>\n");
exit(1);
}
authenticate_user();
return 0;
}
