In the previous articles, we have understood the basics of the buffer overflow. In this article, we will be looking at a client server program which is written in C and try to write a working exploit for that.

NOTE:

The entire series of articles about this topic is purely intended for educational purposes. We do not want anyone to use this information to actually hack into the computers or do other illegal things. We will not be held responsible for the acts of people who use any tools from this article for their own purposes.

So, let’s look at the program and try to understand what it does.

About the TCP Echo Server Program

The TCP Echo Server program is basically a client-server based program in which a program is running on a Windows XP 3 machine, which actually opens port 9000 on the machine and sets it to listening mode. The client program could be anything (Example: Telnet, NetCut etc., for this article we will use NetCut) that will connect to the server program, and whatever the client types on the screen the server program will return the same message to the client. You can download the server program here:

In this article, we are not using any kind of source code of the program to analyze the things as we did in previous articles.

Machine and Network Setup for this article

In our scenario the victim machine’s IP address is 192.168.1.173 in which a server program is running on Windows XP Service Pack 3 machine. (Throughout the article we will use Machine A for victim machine.) The attacker machine’s IP address is 192.168.1.67 which is a Kali Linux machine. (We will use Machine B for attacker machine throughout the article.)

NOTE: The victim and attacker IP addresses could be changed according to the network configuration.

Now, by running the TCP echo server program on Windows XP machine, we will see the following type of screen.

As can be seen in the above screenshot, our server program is running perfectly on port 9000 and waiting for the incoming connection. As we have already mentioned, the IP address of the machine is 192.168.1.173. So let’s connect with it through Machine B. We will use NetCut tool to connect.

As can be seen in the above screenshot, first we run the ipconfig command to get the IP address which can be seen in No 2, and then we run NetCut command in machine B which can be seen in No 3. After that we got a message on machine A in TCP Echo Server that the server got a connection which is visible in No 1.

This shows that machine B (Client Program) is successfully connected to machine A (Server Program). If we type anything on machine B, the server program which is running on A will send the same message back to the machine B. We can see the same in the screenshot given below.

In the above screenshot, we see that whatever we are typing on machine B is getting reflected back to the screen and the same can be seen on the server program, which is running on machine A.

Crashing the Server Program by the User input (Verifying the Buffer Overflow)

Now, first of all our target is to enter a large amount of input data in the program so that the server program which is running on machine A would crash. So, let’s enter the 500 A’s as input and hit the enter key on machine B.

As we can see, the TCP Echo server program which is running on machine A doesn’t crash, so we will have to input larger data into the program than what we had entered.

It is not possible to enter a large amount of input data in the program every time, so we will use a Python script which will input the data in the server program. The screen shot of the Python script which we will use is given below. We can download the Python script by clicking here (if you haven’t already):

So, this is our simple Python script in which we have created a Socket that will connect by taking the Machine A’s IP address as an input by the command line and connect with port 9000. After that, we have defined a variable ‘input’ which has the 1500 A’s then we send these A’s to the server program by using the sock.send command.

It is the same thing we have done above in the article by manually entering data. But this time we just used a simple Python program to get things done in a faster way.

So, when we run this little program on machine B, we see that the server program crashed on machine A.

If we click on click here on machine A we could see that offset is over written by “41414141” which is actually the Hexadecimal representation of A’s. So, that is great news for us.

With the understanding of previous articles, we know that the program has crashed, as the return address in the memory is over written by the user input data, which is A’s.

Identifying the Return Address Position

Now, we will have to identify the exact part of the user input which has overwritten the return address into the memory out of the 1500 characters long input data that was entered into the server program. We can do it by entering pattern instead of A’s, but it is not possible to write a large pattern manually like we had done in the previous article. So, we will use Metasploit tools to generate the pattern of 1500 characters. Using this pattern, we can see the length of the buffer which is required to write exactly into EIP.

Following is the command to generate the pattern.

/usr/share/metasploit-framework/tools/pattern_create.rb 1500

As can be seen in the above screenshot, after hitting the enter key the pattern has been generated. Now, replace this pattern in the Python program with input data which we have created above in this article. We can see the same in the screenshot given below.

After saving this Python file, open the Echo Server Exe Program with the Debugger and make it run by hitting the F9 key on machine A.

As can be seen in the above screenshot, our echo server program is running on machine A and waiting for the incoming connection on port 9000.

Now, we run the Python script on machine B and we can see the following screen.

As can be seen in the screenshot, we have run the Python script on machine B and the server program crashed on machine A, but when we closely look into the debugger we can see EIP register is overwritten by the user input value and pointing the value “69423569” and the Top of the Stack is also overwritten holding the value “37694236”. These values are actually the Hexadecimal values of the pattern of our input which we had generated by Metasploit and sent it to the program by the Python script.

Now, we will use another Metasploit tool which will give us the exact position where the EIP register was overwritten by the user input. By identifying the overwritten position we can control the program execution.

We can do this by using another tool called pattern_offset. Let’s run the pattern_offset tool, and give the EIP value. The command for this is following.

First of all, we will have to go the Metasploit tools directory. We can do this by typing:

cd /usr/share/metasploit-framework/tools

After that run the pattern offset tool.

./pattern_offset <address>

We can see the actual running command in the following screenshot.

As we can see in the above screenshot, when we enter the EIP value with the pattern_offset tool we got the match position at the 1036 position. It means 1036 is the exact position in the memory where the return address is overwritten by the user input value.

When we entered the Top of the Stack Value in the pattern_offset tool we got the position 1040. So, if we subtract 1040-1036 we get 8. In simple words we can say, in the user input value after the 1036 A’s, the next 8 bytes of data in the user input is actually the return address. So, let’s verify the same by inputting the “BBBB” after the 1036 A. Now, according to this theory, when the program will crash the EIP should hold the value 42424242 (42 is the Hexadecimal presentation of B), after the 4 B’s let’s enter another 400 C’s so that we see the difference in the memory when the program crashes.

Now, let’s do the same changes in the Python script.

As we can see in the above screenshot, we have done the changes in the Python script. First of all we have added 1036 A’s in the input variable then we have added 4 B’s and after that we have added 400 C’s in the user input.

Now, restart the Echo Server Program in machine A. We can do the same by pressing Ctrl+F2, then run the Python script on machine B.

As we can see in the above screenshot, now the server program is again crashed but this time EIP is actually pointing the value “42424242” (42 is B in Hexadecimal) and the Top of the Stack is holding the value “43434343”. (43 is C in Hexadecimal).

So, if we input an address instead of four B’s, then we can actually change the way of the program execution. We will do it in the next part of the article series.

So now we understand…

  • Crashing a program remotely.
  • Writing Python script for the input value.
  • Creating random patterns with Metasploit tools.
  • Identifying the overwritten position in the memory.

References