Analyzing Buffer Remotely 2023
In this article we will learn about Analyzing Buffer Remotely.
Introduction to Analyzing Buffer Remotely:
The entire series of articles on this topic is intended purely for educational purposes. We don’t want anyone to use this information to actually hack into computers or do other illegal things. We are not responsible for the actions of people who use any tools from this article for their own purposes.
So let’s take a look at the program and try to understand what it does.
About TCP Echo Server
The TCP Echo Server program is basically a client-server based program where you run a program on a computer running Windows XP 3 that actually opens port 9000 on the computer and puts it into listening mode. The client program can be anything (Example: Telnet, NetCut, etc., for this article we will use NetCut) that connects to the server program, and whatever type the client types on the screen, the server program returns the same message to the client. . You can download the server program here:
[download]
In this article we are not using any kind of program source code to analyze things as we have done in previous articles.
Computer and network settings for this article
In our scenario, the victim computer’s IP address is 192.168.1.173, which is running a server program on a Windows XP Service Pack 3 computer. is a Kali Linux computer. (Throughout the article, we will use Machine B for the attacker’s machine.)
NOTE: Victim and attacker IP addresses can be changed depending on network configuration.
Now, by running the TCP echo server program on a Windows XP computer, we will see the following type of screen.
As seen in the screenshot above, our server program is running perfectly on port 9000 and waiting for incoming connections. As we have already mentioned, the IP address of the machine is 192.168.1.173. So let’s connect to it via machine B. We’ll use the NetCut tool to connect.
As seen in the screenshot above, we first run the ipconfig command to get the IP address, which can be seen in #2, and then run the NetCut command on machine B, which can be seen in #3. Then we got the message on the computer And in TCP Echo Server, that server got a connection which is visible in #1.
This shows that machine B (the client program) is successfully connected to machine A (the server program). If we write anything on machine B, the server program running on A will send the same message back to machine B. We can see the same in the screenshot below.
In the above screenshot, we see that whatever we are typing on machine B is getting reflected back to the screen and the same can be seen on the server program, which is running on machine A.
Crashing the Server Program by the User input (Verifying the Buffer Overflow)
Now, first of all our target is to enter a large amount of input data in the program so that the server program which is running on machine A would crash. So, let’s enter the 500 A’s as input and hit the enter key on machine B.
As we can see, the TCP Echo server program which is running on machine A doesn’t crash, so we will have to input larger data into the program than what we had entered.
It is not possible to enter a large amount of input data in the program every time, so we will use a Python script which will input the data in the server program. The screen shot of the Python script which we will use is given below. We can download the Python script by clicking here (if you haven’t already):
So, this is our simple Python script in which we have created a Socket that will connect by taking the Machine A’s IP address as an input by the command line and connect with port 9000. After that, we have defined a variable ‘input’ which has the 1500 A’s then we send these A’s to the server program by using the sock.send command.
It is the same thing we have done above in the article by manually entering data. But this time we just used a simple Python program to get things done in a faster way.
So, when we run this little program on machine B, we see that the server program crashed on machine A.
If we click on click here on machine A we could see that offset is over written by “41414141” which is actually the Hexadecimal representation of A’s. So, that is great news for us.
With the understanding of the previous articles, we know that the program crashed because the return address in memory is overwritten by the user input data, which is A.
Identifying the location of the return address
Now we will need to identify the exact part of the user input that overwrote the return address into memory from the 1500 character input data that was entered into the server program. We can do this by entering a pattern instead of A, but it is not possible to write a large pattern manually as we did in the previous article. So we’ll use the Metasploit tools to generate a 1500 character pattern. Using this pattern, we can see the length of the buffer that is needed to accurately write to the EIP.
Following is the command to generate the pattern.
[simple]
/usr/share/metasploit-framework/tools/pattern_create.rb 1500
[/simple]
As can be seen in the above screenshot, after hitting the enter key the pattern has been generated. Now, replace this pattern in the Python program with input data which we have created above in this article. We can see the same in the screenshot given below.
After saving this Python file, open the Echo Server Exe Program with the Debugger and make it run by hitting the F9 key on machine A.
As can be seen in the above screenshot, our echo server program is running on machine A and waiting for the incoming connection on port 9000.
Now, we run the Python script on machine B and we can see the following screen.
As seen in the screenshot, we ran the Python script on computer B and the server program crashed on computer A, but if we look closely in the debugger, we can see that the EIP register is overwritten by the user input value and shows the value “69423569” and the upper stack is also overwritten with the value “37694236”. These values are actually the hexadecimal values of our input pattern that we generated with Metasploit and sent to the program using a Python script.
Now we’ll use another tool, Metasploit, which will give us the exact position where the EIP registry was overwritten by user input. By identifying the overwritten position, we can control the execution of the program.
We can do this using another tool called pattern_offset. Run the pattern_offset utility and enter the EIP value. The command to do this is as follows.
First we will need to go to the Metasploit tools directory. We can do this by typing:
[bash]
cd /usr/share/metasploit-framework/tools
[/bash]
Then run the pattern offset tool.
[bash]
./pattern_offset
We can see the actual running command in the following screenshot.
As we can see in the screenshot above, when we enter the EIP value using the pattern_offset tool, we got a match at position 1036. This means that 1036 is the exact memory position where the return address is overwritten by the user input value.
Related article:GIFT CARDS CARDING METHOD
When we specified Top of the Stack in pattern_offset we got position 1040. So if we subtract 1040-1036 we get 8. Simply put, we can say that in the user value entered after 1036 AND there will be another 8 bytes of data in the user input is actually the return address. So verify the same by typing “BBBB” after 1036 A. Now according to this theory when the program crashes the EIP should be 42424242 (42 is the hexadecimal representation of B), after 4 B we type another 400 C to see the difference in memoirs.
Now make the same changes in the Python script.
As we can see in the above screenshot, we have done the changes in the Python script. First of all we have added 1036 A’s in the input variable then we have added 4 B’s and after that we have added 400 C’s in the user input.
Now, restart the Echo Server Program in machine A. We can do the same by pressing Ctrl+F2, then run the Python script on machine B.
As we can see in the above screenshot, now the server program is again crashed but this time EIP is actually pointing the value “42424242” (42 is B in Hexadecimal) and the Top of the Stack is holding the value “43434343”. (43 is C in Hexadecimal).
So, if we input an address instead of four B’s, then we can actually change the way of the program execution. We will do it in the next part of the article series.
