Introduction to Exploit Development - Buffer Overflows - Part 1


Hello everyone. This two part series intends to lay a foundation on what Exploit Development is and why learning it is extremely valuable for a Security Enthusiast.

I myself am just starting on this journey and I'll try to explain the concepts to my best. As my knowledge on the subject grows, I'll upload new blogs on the topic and add changes in this blog if necessary.


What is Exploit Development?

We all hear about new exploits being found on a day to day basis everywhere. How do you think those exploits are being found?

Security researches test softwares and find vulnerabilities. Then, they try to take advantage of the vulnerability in order to cause unintended or unanticipated behavior to occur, aka, exploits. These exploits can be a sequence of commands or a piece of code or a chunk of data.

The process of getting from finding a vulnerability to writing an actual exploit for it is called Exploit Development. 


Why should anyone learn Exploit Dev. ?

As security researchers, we love the idea of breaking into things. That is on of the main goals in the domain. Learning to find new vulnerabilities and developing exploits for it is the definition of breaking into stuff. Being the first one to break something gives immense pleasure and if the exploit is big, a huge amount of respect and possibly money too.

There are millions of new code uploaded to the internet daily and new exploits for them are being uploaded to websites like exploit.db by both individual researchers and companies alike. So there is a huge opportunity for you to learn a new and valuable skill and contribute to the wider internet. 


Demonstration

Exploits development is a skill that can't be taught. It must be learned practically. Let's see one example.

Disclaimer: The software I'm about to test is very old and intentionally vulnerable. In the real world, it would more difficult and different methods might be needed to find the vulnerabilities. 

Required Installations:

1)    Vulnserver - It is a vulnerable TCP server. We will be exploiting one of the vulnerabilities in it. It usually runs on port 9999.

2)    Immunity Debugger - It is a debugging tool used for malware analysis, exploit writing and reverse engineering binary files. In this example, we will use it to see how a buffer overflow (There is an excellent blog written by Hemang Ahuja on buffer overflow here. Check it out if you want to know more about it) occurs by analyzing the registers, hex values, memory addresses, etc.

3)    A Windows machine (Windows 7 or newer) - The above mentioned softwares are all Windows based. You can try to run them on Linux using Wine, but it would be much easier to just use a Windows machine. It can a Virtual Machine (recommended, since you are going to run a vulnerable software) or a real machine.    

4)    Any programming language to write code. I'm using Python3 here.

Setup:

First open Vulnserver in your Windows machine and let it run in the background.


Then open Immunity Debugger and go to "File" -> "Attach" and attach the Vulnserver running in the background.

You should get a screen something like this:

This is the current process going on the Vulnserver. It is paused for now and we can resume it by pressing the "Play" button at the top. 

But first let us understand what these different blocks are.

1) Disassembly: This block contains memory addresses, instruction operation code and the assembly code which is being executed. 

2) Registers: This block shows all the CPU's registers and the values stored in them. Registers are one of the most important part/concept in any CPU. It also displays the flags (an indicator when something important has happened) used. 

3) Dump: This block displays the hex view of the entire program, i.e, hex dump.

4) Stack: This block displays the location of ESP (stack pointer register) at the top and the addresses, data stored in the addresses and any comments in the subsequent rows.

OK. What now? 

Now get to your attacker machine and connect to Vulnserver. To do that, you should have the victim machine's IP address. You can find it by typing "ipconfig" in the victim machine's CMD or by doing an ARP scan on your attacker machine.

Now connect to Vulnserver using the netcat command.

How to find the vulnerability?

Virtually all the time, a vulnerability arises because of any kind of user interaction with the software. In this case, the Vulnserver accepts user inputs as commands and the list of valid commands are listed when you type "HELP". We are now going to check if we can find a buffer overflow vulnerability in any of these commands. 

A buffer overflow vulnerability happens when the size of input data is bigger than the buffer it has been provided or allocated, allowing it to "overflow" to other parts of the memory which may or may not have been properly secured.

To find which command is vulnerable to buffer overflow, we have to SPIKE them.


The next part of this series will be on SPIKEing and how to find and develop the exploit for the buffer overflow vulnerability. Stay tuned for it. 


Connect with me on Linkedin!

0 Comments