WindowsNT Buffer Overflow's From Start to Finish
I've read most of the articles on BO's(Buffer Overflows) on the net. I have found that
they either for *NIX systems, or they are not detailed enough. The author's usually take
some known vulnerable software and show you step by step how to exploit it. I am going
to take a different approach. I am going to write an app that has a buffer overflow when
reading data from a file. Then I will write an app that will create the file, that when
read, will cause the exploit. I will also include an opcode finding tool.
Tools Needed:
Visual C++ 6.0
Windows NT
*The code and addresses I use are for Windows NT Workstation
4.0 SP6 .First lets write the app that will contain the buffer
overflow. We also want the app to be able to read in some
type of file so we can actually exploit this from some type
of script. So in Visual C++ create a new console application,
select "An Application that supports MFC" and click Finish.
This does not necessarily have to be a MFC app, but I
prefer to use some of the MFC classes. Obviously, I am a
windows programmer. So let's add some exploitable code
here. This is what it will look like:
CWinApp theApp;
using namespace std;
void overflow(char* buff);
int _tmain(int argc, TCHAR* argv[], TCHAR* envp[])
{
int nRetCode = 0;
// initialize MFC and print and error on failure
if (!AfxWinInit(::GetModuleHandle(NULL), NULL, ::GetCommandLine(), 0))
{
// TODO: change error code to suit your needs
cerr << _T("Fatal Error: MFC initialization failed") << endl;
nRetCode = 1;
}
else
{
char buff[10];
overflow(buff);
}
return nRetCode;
}
void overflow(char* buff)
{
CFile file;
CFileException er;
if(!file.Open(_T("overflow.txt"),CFile::modeRead,&er))
{
er.ReportError();
return;
}
int x = file.GetLength();
file.Read(buff,x);
}
Let's analyze the code a bit now and find where the problem actually is. Since this
is an MFC console app, the "main" routine may look a little
different, but it works the same. Let's skip to the else
section inside main. You see the first line, char buff[10].
We have allocated a local variable, buff which is an array
of 10 chars. We all know local variables are allocated on
the stack right? So now we call the function overflow and
pass it our buff. Now lets look inside the overflow function.
First we instantiate a CFile object, then a CFileException
object. Now we will attempt to open a file named "overflow.
txt" from the current directory, with read access. If we
open the file successfully we will get the files length,
then we will read the entire contents of the file into our
buff. Do you see the problem here? buff is only 10 chars.
What happens if the file we read is 100? BUFFER OVERFLOW.
But, the big problem is that we are overflowing a buffer
which exists on the stack. When we can write to the stack
we can do some strange things. As you will soon see. So now
lets create a text file called overflow.txt and place it into
the project directory of the first application.
Let's step to the side for a second, a little explanation
of WindowsNT memory architecture is in order here. In NT every
process (executable) is given 4GB (0xFFFFFFFF) of virtual memory
when it is started. Some of this memory is actually shared among
all processes, like kernel and device driver areas. But those
areas are mapped to each processes virtual address space.
No process actually gets 4GB of phyiscal memory, only the
memory necessary is actually allocated from physical. So
every process has full 4GB of virtual memory, which ranges
from 0x00000000 to 0xFFFFFFFF. These areas are divided.
0x00000000 to 0x0000FFFF is reserved for NULL pointer assignments.
Attempting to access memory in this area will cause an access
violation. 0x00010000 to 0x7FFEFFFF is the processes user space.
This is where the exe image is loaded (starting at 0x00400000)
and DLL's are loaded. If code (a DLL or EXE) is loaded at a certain
address in this range it can be executed. Accessing an address which
does not have code loaded in it will cause an access violation.
0x7FFF0000 to 0x7FFFFFFF is reserved bad pointer assignments and you
will get an access violation with any attempt to access it. 0x80000000
to 0xFFFFFFFF is for operating system use only. Things like Device
Drivers and other Kernel level code is stored here. Attempting to
access this area from a user level application (ring 3) will cause
an access violation.
Now back to the overflow.txt file. We are going to keep
putting characters into our text file until we see the
dialog popup informing us of an application error and what
memory we attempted to access. Which character you chose to
fill this text file with is important, as you will see in
minute. Let's start by filling the text file with a's.
Lower case a's. We know the buffer will hold ten so lets
start with 11(make sure your application being built in
debug mode or your results will be different). 11 doesn't
work so we keep increasing it. 18 finally causes a crash.
This crash isn't anything special yet. We've just totally
screwed up the stack and it shows. Lets add six more a's,
for a total of 24. Run the program and watch the dialog
popup explaining to us that instruction at 0x61616161 had
referenced memory at 0x61616161. You do know that the hex
value for the ascii character a is 0x61 right? If you have
Visual C++ installed you will be able to hit cancel now,
and it will debug the application. Once visual studio is
open, open you registers window. To do that go to the view
menu, then debug window, and select registers. If you don't
know anything about assembly, you should, get a book and
READ IT. We see that EAX has been taken, and so has EBP and
EIP. The most important thing is EIP. By being able to fill
in the EIP with whatever we want we are able to jump to any
code in memory. And what makes this even easier is that our
ESP is not destroyed. It seems to point near the area on
the stack that we control. We need to test this to find out.
Now let's get into this. Set a breakpoint on the last bracket
of the main routine, we only care about what happens here.
Now start the debugger and it will make it to this breakpoint
with no errors. Now we need to switch into disassembly view.
If you have the standard keyboard setup for Visual C++ press
alt+8, if not go to the view menu, debug windows, and select
disassembly Also open your memory and registers windows if
you haven't already. You should see something similiar to
this:
004011DB 5F pop edi
004011DC 5E pop esi
004011DD 5B pop ebx
004011DE 83 C4 50 add esp,50h
004011E1 3B EC cmp ebp,esp
004011E3 E8 28 04 00 00 call _chkesp (00401610)
004011E8 8B E5 mov esp,ebp
004011EA 5D pop ebp
004011EB C3 ret
So what is that junk? It's assembly code. You do know
assembly right? Even if you don't, I'll try to make this
easy to understand. Starting at the top we have pop edi.
The pop instruction will remove one item from the top of
the stack and place it into whatever register. In this case
edi. Also important here is the ESP. The ESP is the 32 bit
stack pointer. A pop will mov(e) the top element from the
stack, in this case a DWORD (4 bytes), put it in whatever
register, and increment the stack pointer by 4 (because of
the 4 bytes). So before making another step, look at ESP.
In the memory window enter ESP. You will now see exactly
where esp is pointing to and what is there. Look at the four
bytes pointed to by ESP and watch edi. Now step over this
instruction and notice that edi is now filled with
whatever esp pointed to, and esp has been incremented by
four. Now the next two instructions are the same, but
different registers, step over them and see that they work
the same way. The next three lines are not very important
to us. To understand them you will need to follow the
assembly from the beginning of the routine, and we aren't
doing that. Just step over them, they do nothing special.
Now onto the line, mov esp,ebp. You read this line, right
to left. This will mov(e) whatever is in EBP into ESP.
This also does nothing special for us. Now onto pop ebp.
Here is where this gets interesting. Remember what a pop
does, it removes the top element from the stack. Now lets
take a look at where we our ESP is pointing to, cause
whatever four bytes are there are about to go into EBP.
So again type esp into your memory window. We have a bunch
of 0x61's there (hex value of 'a'). So 0x61616161 is about
to be popped into ebp. Step over the instruction and verify
that it does. Sure enough, that is what happens. But that doesn't
really get us anywhere. Now the next line, ret. Ret is the assembly
return instruction. But there is more to it than just returning. How
does it know where to return to? By the address that is supposed to
be sitting on the stack right now. The return would be the equivalent
of pop eip (which you can't do). It takes the four bytes that ESP points
to and moves them into EIP. And EIP is our 32 bit instruction pointer.
This mean, whatever address EIP points to, is the next instruction to get
executed. So once again, type esp into the memory window and see what we
are about to put into EIP. Well what do you know, another four bytes of
0x61. So step over the ret instruction and watch what happens. EIP will
become 0x61616161 and you will be about to execute the instruction at
0x61616161. Which in my case is nothing ???, invalid memory. So step over
again and you get an access violation. Now look at ESP. It correctly points
to the next area on the stack. For some reason, if you run the program
independant of the debugger and let it crash so you get the ok\cancel dialog,
and then press cancel. When you land on 0x61616161 your ESP will be wrong.
I'm not sure why that is, but it works as expected when you step through
it line by line like we just did. So now we got the program to execute, or
attempt to execute code at 0x61616161, which means we can take over the EIP.
So lets see if we can overflow the stack some more, so that when we get to
0x61616161 our ESP points to the rest of our overflow. So lets add another
4 a's to our text file and debug again. We now have 28 a's in our text file.
So we view the disassembly again, make sure to have your memory window and
register windows open. Step through and over the ret instruction. You are
now at 0x61616161 again. Now type esp into the memory window and look what
is there. Just as we suspected, there are 4 0x61's there. Now we are in business.
Let me go back to a point I made earlier. We used a's (0x61) to fill our text
file to determine if there was an overflow. So since EIP became 0x61616161 we
attempted to access instructions at that address. In my case there was invalid
memory there so it was an access violation. But what if there had been code there?
Maybe a DLL loaded or something. Well, it would have executed that code and probably
done something totally different. The same thing could have happened if we would have
used, A's instead of a's. A's hex value is 0x41. So we would have jumped to 0x41414141
instead of 0x61616161. There could be code there and it would have executed it. So keep
those things in mind.
So we can control the EIP, the ESP points to the rest of the stack, and we can
fill the stack with whatever we like. So now what? Would it be nice if we could
could just jump to ESP and start executing? Well we can, hopefully. Jmp ESP is
in fact a legal instruction. This instruction would mov(e) whatever is in ESP
into EIP and begin executing instructions there. So we need to somehow call jmp
esp. Hmm, how can we do that? Well, lets think. We do have control of EIP, so we
can jump to where ever we want in our process space. If we can fill EIP with the
address of a jmp esp instruction somewhere in memory we are in business. So how
do we find out if there is a jmp esp instruction somewhere in our process space?
It's easier than you think. The first thing we need to do is figure out what the
opcodes for jmp esp are. The opcodes are the machine instructions that programs
are compiled into so they can be executed. So let's create a new app in Visual
C++. Again a console app, and again with MFC. Enter the following code:
CWinApp theApp;
using namespace std;
int _tmain(int argc, TCHAR* argv[], TCHAR* envp[])
{
int nRetCode = 0;
// initialize MFC and print and error on failure
if (!AfxWinInit(::GetModuleHandle(NULL), NULL, ::GetCommandLine(), 0))
{
// TODO: change error code to suit your needs
cerr << _T("Fatal Error: MFC initialization failed") << endl;
nRetCode = 1;
}
else
{
return 0;
__asm jmp esp
}
return nRetCode;
}
Now set a breakpoint on the return 0; statement, because the inline assembly line
will not get executed. Start the debugger and let it run to the breakpoint. Now
open up the disassembly debug window. Right click on the window to turn on source
annotation and code bytes. Now look at the line which contains jmp esp. To the
left of jmp esp and to the right of its address, you will see its code bytes
or opcodes. The opcodes for jmp esp are FF E4. So now that we know that, how
do we find that in oour process space? Let's add a bit more code to this app.
Change it to the following:
CWinApp theApp;
using namespace std;
int _tmain(int argc, TCHAR* argv[], TCHAR* envp[])
{
int nRetCode = 0;
// initialize MFC and print and error on failure
if (!AfxWinInit(::GetModuleHandle(NULL), NULL, ::GetCommandLine(), 0))
{
// TODO: change error code to suit your needs
cerr << _T("Fatal Error: MFC initialization failed") << endl;
nRetCode = 1;
}
else
{
#if 0
return 0;
__asm jmp esp
#else
bool we_loaded_it = false;
HINSTANCE h;
TCHAR dllname[] = _T("Kernel32");
h = GetModuleHandle(dllname);
if(h == NULL)
{
h = LoadLibrary(dllname);
if(h == NULL)
{
cout<<"ERROR LOADING DLL: "<
