Buffer Overflow Question

Email
Comment *
Verification *
File	Select/drop/paste files here
Password	(Randomized for file and post deletion; you may also set your own.)
* = required field	[▶ Show post options & limits] Confused? See the FAQ.

Flag
Oekaki	Show oekaki applet (replaces files and can be used instead)
Options	Do not bump (you can also write sage in the email field) Spoiler images (this replaces the thumbnails of your images with question marks)
Allowed file types:jpg, jpeg, gif, png, webm, mp4, pdf Max filesize is 16 MB. Max image dimensions are 15000 x 15000. You may upload 3 per post.

File (hide): cd745cf89cd9b55⋯.jpeg (28.98 KB, 580x403, 580:403, BufferOverflow.jpeg) (h) (u)

File (hide): 0c66e2e6bff7c5d⋯.png (42.94 KB, 500x427, 500:427, KaliLinux.png) (h) (u)

▶Buffer Overflow Question Anonymous 05/05/19 (Sun) 14:21:13 No.1061712>>1061715 [Watch Thread][Show All Posts]

So about buffer overflow attacks, I have a question.

So from my understanding they work through providing oversized inputs to a program, allowing access to registers outside of those within the program, and what you hope to do is take advantage of this space outside the registers to insert your machine code which exploits the targeted system.

From there you can gain root access and things like that.

When I see most people doing this attack, they're taking advantage of a compiled program already on the computer.

My question is, is it possible that once you've managed to connected to your targets computer, but still haven't gained root access, that you just upload your own program onto the computer which is designed to take an input, and then you insert your oversized input onto that program instead of just hoping that a program with this sort of vulnerability is on the target computer?

Is there something I'm missing which makes this not possible (which is probably the case to be honest)? Thanks

▶Anonymous 05/05/19 (Sun) 14:31:54 No.1061715

>>1061712 (OP)

Your are missing permissions. If you can run a program to gain root then you can just gain root anyway.

▶Anonymous 05/05/19 (Sun) 20:49:27 No.1061823>>1061829

You've just misunderstood what it is you're doing.

It's easier if we work backwards, so what exactly is it that you want to do?

>I want to execute my own code on a system on which I do not have permissions to do so

How are you going to go about that?

>Find a process running on said system that will let me talk to it and make it do my bidding

How are you going to make it do what you want?

This is where it gets a bit complicated.

One thing you could do is find a buffer overflow bug in the process that lets you write data arbitrarily into its address space. However you can't write text (code) there because all the text pages are not writeable, only data, and the kernel will refuse to execute anything that isn't marked as executable text. So now we need to get creative.

What if we knew beforehand or could find out the text of the entire compiled binary and where it is in memory? This might be really hard or trivial depending on the target. Say we use this information to create a list of gadgets. Gadgets are one instruction followed by a return instruction. How does this help us? On an x86 compatible RET will pop an address from the stack and jump to it, and we can write shit to the stack! So now we can recreate our own code by piecing together instructions that are already in the program, writing their addresses out in one long line on the stack, and they'll get executed in the order we define. We can now execute arbitrary code inside the exploitable process.

This is return-oriented-programming. Repeat ad nauseum.

Note all the protections in place here making us jump through a heap of hoops. Memory is not linear. It appears so because of virtual trickery. Memory is mapped from physical addresses to virtual addresses and each process gets its own address space, which is like a private view of the world. Whenever you want to access a page of memory the MMU on the CPU will ask the hypervisor (kernel) what physical page to map to this virtual page address. If the kernel tells it nothing then it traps and produces a fault that will probably result in the process being terminated. All processes, including the kernel, are separated this way. They cannot see the contents of each others address space unless the information is given voluntarily.

Whenever you want to escalate your privileges you need to attack a process that already have the privileges you want (be it code execution on a remote system or root access on a local one). It's designed this way precisely to ensure that you do NOT need to trust all software on your system to be perfect for it to be safe.

▶Anonymous 05/05/19 (Sun) 22:15:38 No.1061829>>1061990

>>1061823

>On an x86 compatible RET will pop an address from the stack and jump to it

>Whenever you want to access a page of memory the MMU on the CPU will ask the hypervisor (kernel) what physical page to map to this virtual page address

So what do if your target is a MMU less system?

▶Anonymous 05/05/19 (Sun) 22:34:55 No.1061835

Man, you are retarded. You need to exploit the kernel (or a program running as root) to elevate your permissions.

▶Anonymous 05/06/19 (Mon) 20:06:11 No.1061990

>>1061829

No MMU means no memory protections means any code execution on the system and it's yours.

/tech/ - Technology★

General

WebM

Theme

User JS

Do not paste code here unless you absolutely trust the source or have read it yourself!

Favorites

Customize Formatting

Filters