mesvak

Buffer Overflow Exploitation + Guide


Buffer Overflow

A buffer overflow occurs when a program reserves a region of memory (a buffer) to hold data and, because the size of the data being copied into it is not properly checked, more is written than was reserved. The excess spills past the end of the buffer and overwrites whatever sits next to it in memory: other variables, function arguments and pointers.

The simplest kind is the stack-based buffer overflow, where the overflowed buffer lives on the stack. That is the one I will show how to exploit here.

Let’s go

First, let's see what we have in the executable, so we run it.

[image: https://0x00sec.s3.amazonaws.com/original/2X/a/a1f2ce83c8e8052fcdd6dd2387dc8e88d4aa9d66.png]

We can see that it asks us to enter a number. I typed 1337 and the program closed. Since we still do not know what it does, let's analyze it with IDA.

 

[image entrypoint.png: https://0x00sec.s3.amazonaws.com/original/2X/d/dc312da6dc2915e19995164ecf949f84b6f9ec41.png]

 

IDA leaves us at the entry point, but when we ran the executable we saw the string "Please Enter Your Number of Choice:". So we look for it: View > Open subviews > Strings. There we see many strings, so Ctrl+F and search for ours.

[image: https://0x00sec.s3.amazonaws.com/original/2X/2/269ccf68d03979e0cf5e79eb45e4b60661067488.png]

 

[image stringreferend.png: https://0x00sec.s3.amazonaws.com/original/2X/2/255d34e1252222040e6053999798ec138506a190.png]

 

We double-click on it to jump to the string, then see where it is referenced by clicking on it, pressing the X key (cross-references) and OK.

[image: https://0x00sec.s3.amazonaws.com/original/2X/b/bed3cd8881491b7be3e50b6be0a0afa141f9f849.png]

If we follow the calls to "sub_4011B0" and "sub_4011F0" we realize they are printf and scanf respectively, so we can rename them. Here we also see something that is probably a structure: an address is passed as an argument, then retrieved, and everywhere it is used an offset is added to it to reach a field. That pattern usually means the address of a structure. Let's look at the references to this function.

 

[image ref1.png: https://0x00sec.s3.amazonaws.com/optimized/2X/e/e7d2e4d4cf06c0ed630ba365ac772921a8f16954_2_690x123.png]

 

I see there is a call, so I go there.

[image: https://0x00sec.s3.amazonaws.com/original/2X/b/b521be1363198c89fc4e2503ef1eab9b51fb0df6.png]

I see that the argument is an address, which fits the idea of a structure, so we create one. Without knowing its size or its fields, we will reverse them little by little.

The largest offset I have found so far is 0x14, so I will create a structure of that length; if it turns out to be bigger I will enlarge it. View > Subviews > Structures, then Edit > Add struct type.

[image: https://0x00sec.s3.amazonaws.com/original/2X/7/74bdfe83ae6c7742f5b507ad9c647eea730f4d84.png]

It is created with the name "MyStruct" and size 0. Now I will use a trick for when I do not yet know the fields and just want to give the structure a size: first press D on the word "ends" to add a single field.

[image: https://0x00sec.s3.amazonaws.com/original/2X/3/38d49314d1457a12011b35d094e8f32fd083abc3.png]

[image: https://0x00sec.s3.amazonaws.com/original/2X/4/4944b8c71aeba46d665c1fa7b8b779f84f740843.png]

That adds a 1-byte field (db); pressing D again cycles it to a word (dw) and then to a dword (dd).

But since we do not know the fields yet, we leave it like that and right-click on the structure to expand it. I have seen a field at 0x14, and to hold a dword there it needs 4 more bytes, so I will extend the structure up to 0x18 by adding 0x17 bytes to the single byte it had.

[image: https://0x00sec.s3.amazonaws.com/original/2X/e/e7babfd1d531c9ff834ee066d45e32c1b4276533.png]

I see that its size is now 0x18. We leave it like this for now and enlarge it if we need more. Since we saw that arg_0 is the argument that corresponds to the structure, we can rename it to _struct.

If we decompile the function with F5 we see that it is not right:

[image: https://0x00sec.s3.amazonaws.com/original/2X/a/ae45df55f5ca476aec05ec38a57f996b0965f314.png]

I see that the type of the variable is int, not the structure it appears to be, so let's change that: right-click on the argument, Convert to struct *, and choose the one we created.

[image: https://0x00sec.s3.amazonaws.com/original/2X/8/8be774c88789657669671828d24e19c6a9dfd92f.png]

Obviously Buf is the structure: its address is taken and passed as the argument, so let's look at Buf in the stack view. The structure does not need to be created because it already exists; I just have to say that Buf is of type MyStruct, so Alt+Q on Buf.

[image: https://0x00sec.s3.amazonaws.com/original/2X/f/f342d32b13356bb20b13ad8ac98e3c81fbe1abfa.png]

Rename Buf to Struct and return to the function.

[image: https://0x00sec.s3.amazonaws.com/original/2X/8/8abc0bb858ce72d0823151ed468ce3ab7831a575.png]

We see that the field at 0x10 is a dword that receives the value read by scanf, so we go to MyStruct and at 0x10 press D until it is of type dword (dd), then rename it to number.

 

[image numero_10.png: https://0x00sec.s3.amazonaws.com/original/2X/d/d6c9565d321890f2086af29b2b009fe46958799d.png]

 

[image: https://0x00sec.s3.amazonaws.com/original/2X/7/7c906bd3c9eb1a3f0d4d06780fa229876fef2718.png]

The other field is the one at 0x14, which is used in the loop that strips the 0x0A (newline). I will name it c.

[image: https://0x00sec.s3.amazonaws.com/original/2X/e/ebd850a945a928749fde080f56e83eb94feae802.png]

[image: https://0x00sec.s3.amazonaws.com/original/2X/0/04a400c14c0b45709f3c9780464f0cff5dda941a.png]

We press T on the operand and choose the corresponding field of the structure.

 

[image otherfunction.png: https://0x00sec.s3.amazonaws.com/original/2X/8/8695d329d8f4b0927f4c19d20cca26533de03d67.png]

 

Rename the function to "enter" and continue reversing the next function.

[image: https://0x00sec.s3.amazonaws.com/original/2X/1/13282a02e70eb0fd829a2028c278b2a0f18f8e96.png]

It is also passed the structure (buf) as its argument, but since it is shown with a char type we change it: F5, Convert to struct *, and with T we change the offsets to the corresponding field names.

 

[image cmp_10.png: https://0x00sec.s3.amazonaws.com/original/2X/4/44c279ec4a3748cc6954a6922eadb180a39f1641.png]

 

In the function we see a comparison between the number we entered and 0x10, followed by a jle: if the number is less than or equal (a signed comparison) it jumps to "loc_401024", otherwise the function returns. That explains why the program exited when I typed 1337.

[image: https://0x00sec.s3.amazonaws.com/original/2X/f/f2551d5594736cefdb7734110f663857c610e65d.png]

It then uses the number we entered as the size argument of gets_s, and the other argument must be a buffer at the beginning of the structure, because it passes the structure's start address. So I go to MyStruct and at 0x0 press D once to create a single-byte field.

[image: https://0x00sec.s3.amazonaws.com/original/2X/0/04111e37347d7a43083d7a433471c1e2ea7f3f29.png]

Then right-click on it, Array, accept the proposed length of 16 for the buffer, and rename it to buffer.

The problem is that with gets_s the buffer can be overflowed: the check lets negative values through, and when one of them is used as the size it is treated as unsigned and becomes huge. For example, if we pass 0xffffffff, the comparison sees it as -1 (signed), which is less than 0x10 and passes, but as the size parameter of gets_s it is the positive value 0xffffffff. That lets us send as many characters as we want into the buffer and overflow it.
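To make that signed/unsigned mismatch concrete, here is an added C model of the check (my own reconstruction for this write-up, not the binary's source). `read_line_upto` stands in for gets_s, `vulnerable_enter` does what the reversed function does (signed compare against 0x10, then the same bits handed over as an unsigned size), and `fixed_enter` is the check that would have closed the hole. The function names, the 64-byte landing region and the 40-byte line of 'A's are assumptions made for the demonstration; the 32-bit integer widths match the x86 target.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for gets_s(dst, size): copies at most size-1 bytes of the line,
 * stops at '\n', NUL-terminates and returns how many bytes were stored.
 * With size == 0xFFFFFFFF it copies the whole line, however long it is. */
size_t read_line_upto(char *dst, uint32_t size, const char *line)
{
    size_t n = 0;
    if (size == 0)
        return 0;
    while (line[n] != '\0' && line[n] != '\n' && n < (size_t)size - 1) {
        dst[n] = line[n];
        n++;
    }
    dst[n] = '\0';
    return n;
}

/* What the reversed function does: "cmp number, 10h / jle" is a SIGNED test,
 * so -1 passes, but gets_s then receives those same bits as an UNSIGNED size. */
int vulnerable_enter(char *dst, int32_t number, const char *line)
{
    if (number > 0x10)
        return -1;                          /* 1337 exits here, -1 does not */
    return (int)read_line_upto(dst, (uint32_t)number, line);
}

/* Fixed check: reject anything outside 1..16 before the value is ever cast. */
int fixed_enter(char *dst, int32_t number, const char *line)
{
    if (number <= 0 || number > 16)
        return -1;
    return (int)read_line_upto(dst, (uint32_t)number, line);
}

/* The size gets_s actually sees for a given user-supplied number. */
uint32_t size_gets_s_sees(int32_t number)
{
    return (uint32_t)number;
}

int main(void)
{
    char region[64];                 /* assumed: big enough to absorb the overflow safely */
    char line[48];
    memset(line, 'A', 40);           /* constructed input: 40 'A's and a newline */
    line[40] = '\n';
    line[41] = '\0';

    printf("number=1337 -> %d (rejected by jle)\n", vulnerable_enter(region, 1337, line));
    printf("number=8    -> %d bytes stored\n", vulnerable_enter(region, 8, line));
    printf("number=-1   -> gets_s size 0x%08x, %d bytes stored (overflow)\n",
           size_gets_s_sees(-1), vulnerable_enter(region, -1, line));
    printf("fixed, -1   -> %d (rejected)\n", fixed_enter(region, -1, line));
    return 0;
}
```

The fixed version checks the range on the signed value first; casting to an unsigned size only after the range check is what keeps -1 from turning into 0xFFFFFFFF.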

So we can rename the function to check, get, or whatever represents what it does. Let's look at the next function.

[image: https://0x00sec.s3.amazonaws.com/original/2X/7/73a34b58d5369db37b9025b5a2d347f3063e232a.png]

[image: https://0x00sec.s3.amazonaws.com/original/2X/5/5f1a0ca0ee2d5cae4c06e7dee389ab2b7e31e675.png]

The argument is the same, so I repeat the procedure: press F5 and change the argument type. Then we see there is one more field, since it compares [EAX + 0x18], which we have not defined because the last field of MyStruct is at 0x14. So we add it, and I rename it to key.

[image: https://0x00sec.s3.amazonaws.com/original/2X/e/ea48909956f2690609238e3687c1d924a2990e76.png]

Let’s go back to the function

 

[image key.png: https://0x00sec.s3.amazonaws.com/optimized/2X/6/6bfc12b620dec24e86013c75785b5c83014985c0_2_690x287.png]

 

At this point we know that to get the message "You are a winner man", MyStruct.key must equal 0x45934215, so we now know what we have to overwrite.

Let's look at the layout of main's stack.

[image: https://0x00sec.s3.amazonaws.com/original/2X/9/9ba64e73aafe7dd477b5f5a5487709569ba02f1e.png]

Obviously everything is inside Struct, the buffer as well as the key, so let's go to Structures to see the size of each field.

[image: https://0x00sec.s3.amazonaws.com/original/2X/e/ea48909956f2690609238e3687c1d924a2990e76.png]

So we have to fill the buffer with 16 'A's, then the two dwords that follow it (number and c), and then the key.

A script to exploit it might look like this:

from subprocess import Popen, PIPE, STDOUT
import struct

# 32-bit target reversed above; struct layout: buffer[16] at 0x00,
# number at 0x10, c at 0x14, key at 0x18
p = Popen([r'ConsoleApplication4.exe', 'f'], stdout=PIPE, stdin=PIPE, stderr=STDOUT)

# -1 passes the signed "cmp ..., 10h / jle" check but is 0xFFFFFFFF as the gets_s size
enter = b"-1\n"
p.stdin.write(enter)

numero = struct.pack("<I", 0x34333231)  # number field: overwritten by the overflow anyway
c = struct.pack("<I", 0)                # c field: any value works
key = struct.pack("<I", 0x45934215)     # key field: the value the last function checks
payload = b"A" * 16 + numero + c + key + b"\n"
p.stdin.write(payload)

testresult = p.communicate()[0]
print(testresult)

 

[image: https://0x00sec.s3.amazonaws.com/original/2X/2/24bcdc4d09368a7b028dcc385a606ebcb68d161b.png]

We pass -1 as the number so that it passes the signed comparison against 0x10; then 16 bytes to fill the buffer; then the number field, to which I give the value 0x34333231 because the overflow overwrites it anyway; then c, which can be any value; and finally the key, 0x45934215.
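As an added example that is not part of the original post, here is the same layout written as a C structure with the offsets reversed above, plus the payload built the way the script builds it. `overflow_into` models what gets_s does once its size is 0xFFFFFFFF: the line is copied from buffer[0] straight across number, c and key. The helper names are mine; the field offsets, the 0x34333231 number value and the 0x45934215 key are the ones from the post, and the layout assumes the 32-bit MSVC binary with no padding between fields.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Layout reversed in IDA (32-bit MSVC binary, no padding between fields). */
struct MyStruct {
    char     buffer[16];  /* 0x00: target of gets_s */
    int32_t  number;      /* 0x10: value read by scanf, checked with a signed jle */
    int32_t  c;           /* 0x14: scratch used while stripping the 0x0A */
    uint32_t key;         /* 0x18: must equal 0x45934215 to win */
};

#define WIN_KEY 0x45934215u

/* Little-endian encoding, equivalent to struct.pack("<I", v) in the script. */
static void put_le32(unsigned char *p, uint32_t v)
{
    p[0] = (unsigned char)(v & 0xff);
    p[1] = (unsigned char)((v >> 8) & 0xff);
    p[2] = (unsigned char)((v >> 16) & 0xff);
    p[3] = (unsigned char)((v >> 24) & 0xff);
}

/* Builds the second line the script sends: 16 'A's, number, c, key.
 * Returns the payload length (28), or 0 if the output buffer is too small. */
size_t build_payload(unsigned char *out, size_t cap)
{
    if (cap < 28)
        return 0;
    memset(out, 'A', 16);             /* fills buffer[16] exactly */
    put_le32(out + 16, 0x34333231u);  /* lands on number */
    put_le32(out + 20, 0);            /* lands on c (any value) */
    put_le32(out + 24, WIN_KEY);      /* lands on key */
    return 28;
}

/* Models gets_s(s->buffer, 0xFFFFFFFF): with an unbounded size the whole
 * line is copied starting at buffer[0], straight across number, c and key.
 * The real target has no such cap; it is only here to keep the model in bounds. */
void overflow_into(struct MyStruct *s, const unsigned char *line, size_t len)
{
    if (len > sizeof *s)
        len = sizeof *s;
    memcpy(s, line, len);
}

/* The comparison the last reversed function performs. */
int is_winner(const struct MyStruct *s)
{
    return s->key == WIN_KEY;
}

int main(void)
{
    unsigned char payload[32];
    struct MyStruct s;
    size_t len = build_payload(payload, sizeof payload);

    memset(&s, 0, sizeof s);
    s.number = -1;                    /* what scanf stored after the first line */
    printf("offsets: number=0x%zx c=0x%zx key=0x%zx size=0x%zx\n",
           offsetof(struct MyStruct, number), offsetof(struct MyStruct, c),
           offsetof(struct MyStruct, key), sizeof s);
    overflow_into(&s, payload, len);
    printf("after overflow: number=0x%08x key=0x%08x winner=%d\n",
           (uint32_t)s.number, s.key, is_winner(&s));
    return 0;
}
```

The offsetof checks are the useful part: if the compiler laid the fields out differently from what IDA showed (padding, a different field order), the 28-byte line would land in the wrong place and the key comparison would fail.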

 

 



I don't know how to use this because I'm using a mobile phone, but thanks mesvak and keep sharing information.
