1
00:00:06,591 --> 00:00:07,566
- [Instructor] So this is the strategy

2
00:00:07,566 --> 00:00:09,233
for exploiting buffer overflows.

3
00:00:09,233 --> 00:00:12,362
Your first goal is to
control the execution flow.

4
00:00:12,362 --> 00:00:13,937
The best thing that you
could ever see is that

5
00:00:13,937 --> 00:00:15,978
when you run a fuzz test case

6
00:00:15,978 --> 00:00:19,644
and you see that the program
crashes, and it crashes at

7
00:00:19,644 --> 00:00:23,570
0X41414141 ... and for
those of you who may know

8
00:00:23,570 --> 00:00:27,699
or may not know, that is
the ASCII value for all A's.

9
00:00:27,699 --> 00:00:30,873
So if you're putting a
bunch of A's into a buffer,

10
00:00:30,873 --> 00:00:33,495
then 41 is the A and you
can actually see that

11
00:00:33,495 --> 00:00:38,325
it tries to execute code that
is located at 4141 and so on.

12
00:00:38,325 --> 00:00:40,671
So what you have to do first
is when you've done a crash,

13
00:00:40,671 --> 00:00:42,749
now you need to figure
out where in that buffer

14
00:00:42,749 --> 00:00:45,718
the instruction pointer actually is.

15
00:00:45,718 --> 00:00:47,663
You know, where is it in memory?

16
00:00:47,663 --> 00:00:49,763
Because I'm gonna override a buffer

17
00:00:49,763 --> 00:00:51,998
that I may not know the length of.

18
00:00:51,998 --> 00:00:54,242
You may not know what else is in memory,

19
00:00:54,242 --> 00:00:55,811
maybe after that buffer.

20
00:00:55,811 --> 00:00:58,107
So you might have to overflow more

21
00:00:58,107 --> 00:00:59,961
to get to that instruction pointer,

22
00:00:59,961 --> 00:01:02,763
and a tool that is provided by Metasploit

23
00:01:02,763 --> 00:01:06,465
is called Pattern Generate,
and Pattern Offset.

24
00:01:06,465 --> 00:01:08,963
And that will create a pattern for you

25
00:01:08,963 --> 00:01:12,469
that you can put into
your code, your payload,

26
00:01:12,469 --> 00:01:15,507
that will show you where in that offset

27
00:01:15,507 --> 00:01:18,122
the instruction pointer actually is.

28
00:01:18,122 --> 00:01:19,031
And then once you have that,

29
00:01:19,031 --> 00:01:20,903
then you can place
favorable address in there

30
00:01:20,903 --> 00:01:22,778
to be restored in the instruction pointer

31
00:01:22,778 --> 00:01:24,922
when the function returns.

32
00:01:24,922 --> 00:01:27,354
And then, in that case,
you could actually jump

33
00:01:27,354 --> 00:01:32,177
into code that you control,
like the buffer itself.

34
00:01:32,177 --> 00:01:35,595
And also, your goal is is you
don't wanna crash the program.

35
00:01:35,595 --> 00:01:37,763
So maybe after you're doing your exploit,

36
00:01:37,763 --> 00:01:41,887
and you're doing your work,
you wanna return back to

37
00:01:41,887 --> 00:01:44,512
the code that was legitimately
supposed to be running.

38
00:01:44,512 --> 00:01:46,767
So in this case we're running main,

39
00:01:46,767 --> 00:01:48,384
and so of course when main exists,

40
00:01:48,384 --> 00:01:50,782
then we're just exiting program.

41
00:01:50,782 --> 00:01:53,753
But, in other cases, you
may be several functions

42
00:01:53,753 --> 00:01:56,934
into the stack, and you wanna return back

43
00:01:56,934 --> 00:02:00,311
to the legitimate place
you're supposed to leave off.

44
00:02:00,311 --> 00:02:04,247
And so you may need to do
some fix-ups on the stack

45
00:02:04,247 --> 00:02:08,563
to fix the problems that you
made when you exploited things,

46
00:02:08,563 --> 00:02:09,642
so that you can return to

47
00:02:09,642 --> 00:02:11,938
the legitimate function and keep going.

48
00:02:11,938 --> 00:02:13,849
And uh, an example of this is,

49
00:02:13,849 --> 00:02:16,868
let's say you have a web server.

50
00:02:16,868 --> 00:02:18,533
Let's say you're running Apache,

51
00:02:18,533 --> 00:02:20,123
and you found a buffer overflow

52
00:02:20,123 --> 00:02:21,497
and some part of a patch here,

53
00:02:21,497 --> 00:02:23,922
some program that Apache runs,

54
00:02:23,922 --> 00:02:26,606
and then you wanted to keep that up

55
00:02:26,606 --> 00:02:28,929
because you don't want the administrator

56
00:02:28,929 --> 00:02:31,207
to notice that something
was broken and went down,

57
00:02:31,207 --> 00:02:33,034
so you would want to clean that up

58
00:02:33,034 --> 00:02:35,754
and make sure that you can continue on.

59
00:02:35,754 --> 00:02:37,064
So we've talked a little bit about buffers

60
00:02:37,064 --> 00:02:38,923
and the information that
you can put in before.

61
00:02:38,923 --> 00:02:41,432
We talked about maybe using all A's

62
00:02:41,432 --> 00:02:44,238
and having that show up in
your saved instruction pointer.

63
00:02:44,238 --> 00:02:46,353
Or you want to use very
well-defined payloads

64
00:02:46,353 --> 00:02:48,206
that are called "shellcode".

65
00:02:48,206 --> 00:02:50,705
And shellcode does what it says.

66
00:02:50,705 --> 00:02:52,559
It's something that if you run,

67
00:02:52,559 --> 00:02:55,134
it gives you a shell, and it helps you

68
00:02:55,134 --> 00:02:57,226
with exploiting these vulnerabilities.

69
00:02:57,226 --> 00:03:00,490
And it's all very
platform and OS specific.

70
00:03:00,490 --> 00:03:04,437
So, if you're running Linux
on x86, you're going to

71
00:03:04,437 --> 00:03:05,976
have to know that you're going

72
00:03:05,976 --> 00:03:07,701
to be running against that kind of system.

73
00:03:07,701 --> 00:03:10,668
If you're trying to execute
something against Windows,

74
00:03:10,668 --> 00:03:12,776
and you try to use shellcode for Linux,

75
00:03:12,776 --> 00:03:14,594
you're probably gonna have a bad time

76
00:03:14,594 --> 00:03:15,759
and it's not gonna work,

77
00:03:15,759 --> 00:03:18,197
and you probably will crash the program.

78
00:03:18,197 --> 00:03:20,630
And in the case of shellcode for Windows,

79
00:03:20,630 --> 00:03:24,803
Windows is very picky about
the shellcode that you can use,

80
00:03:24,803 --> 00:03:27,532
and typically you won't
haul the system directly.

81
00:03:27,532 --> 00:03:30,193
You'll use libraries that are in memory.

82
00:03:30,193 --> 00:03:34,059
And so there are shellcode
patterns, so to speak,

83
00:03:34,059 --> 00:03:36,381
that you can use from Metasploit,

84
00:03:36,381 --> 00:03:38,641
and there is a command called "msfvenom"

85
00:03:38,641 --> 00:03:40,128
which we'll go into, which allows you

86
00:03:40,128 --> 00:03:43,188
to generate these payloads
to do certain things.

87
00:03:43,188 --> 00:03:46,681
And normally what happens
is, you don't know really

88
00:03:46,681 --> 00:03:49,249
ahead of time what you wanna exploit.

89
00:03:49,249 --> 00:03:51,993
Maybe you don't know
what data is on a server,

90
00:03:51,993 --> 00:03:54,095
so what you want, is you
really want a connection

91
00:03:54,095 --> 00:03:56,244
that gives you a shell,
that gives you like,

92
00:03:56,244 --> 00:03:57,733
if you're running bin/bash,

93
00:03:57,733 --> 00:04:01,038
or if you're running cm.exe
on a Windows machine,

94
00:04:01,038 --> 00:04:04,141
you wanna have that
run and then connect it

95
00:04:04,141 --> 00:04:07,559
to a socket that will
connect back either to you,

96
00:04:07,559 --> 00:04:09,123
or just open a port.

97
00:04:09,123 --> 00:04:12,140
And in the case of where
you open a TCP port

98
00:04:12,140 --> 00:04:15,497
on the victim's side, that's
a bind TCP shell code,

99
00:04:15,497 --> 00:04:19,713
you need to listen on a
port and then connect to it.

100
00:04:19,713 --> 00:04:21,608
And that's not very useful if

101
00:04:21,608 --> 00:04:23,743
the machine is behind a firewall,

102
00:04:23,743 --> 00:04:26,266
because the firewall could
block that connection attempt.

103
00:04:26,266 --> 00:04:29,131
So, to turn it around,
we can actually make

104
00:04:29,131 --> 00:04:32,481
a system called "home"
back to the attacker.

105
00:04:32,481 --> 00:04:34,061
And so you've got a victim process,

106
00:04:34,061 --> 00:04:36,477
the process actually connects out

107
00:04:36,477 --> 00:04:39,882
to the attacker through firewall,

108
00:04:39,882 --> 00:04:43,435
and that is just a reverse TCP connection.

109
00:04:43,435 --> 00:04:45,815
And then in some cases where
you have smarter firewalls,

110
00:04:45,815 --> 00:04:46,946
you actually have to tunnel

111
00:04:46,946 --> 00:04:49,190
that connection over certain protocol.

112
00:04:49,190 --> 00:04:51,303
It could be http or https,

113
00:04:51,303 --> 00:04:53,755
and there's even some dns shellcode.

114
00:04:53,755 --> 00:04:55,678
And then once you have that connection,

115
00:04:55,678 --> 00:04:56,943
then you perform the command.

116
00:04:56,943 --> 00:05:01,404
It could just be to run a program
like a shell, or a cm.exe.

117
00:05:01,404 --> 00:05:05,025
And then if you want some
flexibility to that shellcode,

118
00:05:05,025 --> 00:05:06,539
you can use "Meterpreter".

119
00:05:06,539 --> 00:05:10,499
And Meterpreter is a
whole suite of shellcode

120
00:05:10,499 --> 00:05:12,786
that you could stage that allows you

121
00:05:12,786 --> 00:05:15,877
to do things like capturing the desktop,

122
00:05:15,877 --> 00:05:18,437
you can capture camera information ...

123
00:05:18,437 --> 00:05:20,772
So if you wanna see
what's going on in a room,

124
00:05:20,772 --> 00:05:23,161
or if you wanted to even send uh ...

125
00:05:23,161 --> 00:05:25,201
You can even play sounds
and do things like that,

126
00:05:25,201 --> 00:05:26,935
find out what processes are running.

127
00:05:26,935 --> 00:05:30,200
So it's almost like a little
mini operating system in itself

128
00:05:30,200 --> 00:05:32,392
that all happens within a process.

129
00:05:32,392 --> 00:05:34,593
So here's how to generate shellcode.

130
00:05:34,593 --> 00:05:39,133
This is an example using a
utility called "msfvenom".

131
00:05:39,133 --> 00:05:42,296
I'm running msfvenom on my kali machine,

132
00:05:42,296 --> 00:05:47,124
and I'm using the
payload "linux/x86/exec".

133
00:05:47,124 --> 00:05:49,052
So I'm actually going to ...

134
00:05:49,052 --> 00:05:51,559
This is the code that
if it runs by the CPU,

135
00:05:51,559 --> 00:05:55,928
the CPU will actually
invoke the command /bin/sh

136
00:05:55,928 --> 00:05:57,611
which is the orange shell.

137
00:05:57,611 --> 00:05:59,806
There are certain characters
that I may need to avoid.

138
00:05:59,806 --> 00:06:01,997
In this case, I'm doing
a stored copy, right?

139
00:06:01,997 --> 00:06:05,363
So I would want to avoid a
character return or a space,

140
00:06:05,363 --> 00:06:07,023
and then I would encode that using

141
00:06:07,023 --> 00:06:09,341
an encoder called "Shikata Ga Nai"

142
00:06:09,341 --> 00:06:10,491
which is fairly popular.

143
00:06:10,491 --> 00:06:14,420
The only thing is, it's 32
bit the last time I checked.

144
00:06:14,420 --> 00:06:16,104
Maybe at the time of publishing

145
00:06:16,104 --> 00:06:18,236
it'll be different, but it is 32 bit.

146
00:06:18,236 --> 00:06:20,538
And then we're just showing this payload.

147
00:06:20,538 --> 00:06:22,539
So that actually is the shellcode

148
00:06:22,539 --> 00:06:24,279
that you would put into the buffer,

149
00:06:24,279 --> 00:06:27,144
and then when you jump with
your saved VIP into this,

150
00:06:27,144 --> 00:06:29,727
you'll actually run this code.