Exploitable Buffer Overflow in a Server
Objective
Identify the buffer overflow vulnerability in a server process. Verify the existence of the vulnerability by fuzzing the running server process. Outline an attack that would provide remote access to a shell running on the server hardware; if possible, implement the attack. Finally, describe how to fix the bug in the server software.
Scenario
The "Bad Server" package implements a simple server program that includes an exploitable buffer overflow. Your objective is to identify the vulnerability, verify the vulnerability through fuzzing, design an attack, and, if possible, implement the attack.
The server code, sample shell code, and any other documents are available from my Box directory.
Procedure
You may choose to begin by analyzing the server code, or you can go directly to running the server and attacking it remotely. The following steps outline how to install and interact with the running server.

- Build and install the server code on a vulnerable server VM (for example, the SEEDUbuntu12.04 VM, since it already has stack protections turned off). If you use a different VM, you will have to build without stack canaries and with an executable stack, and disable ASLR, or the overflow will be caught before the attack can succeed. Run the server as root and specify the port number on which it should listen for connections:

      sudo ./bad_server 50000

- From your host computer (or a second VM) connect to the remote server using netcat (nc). Here is an example from my installation; the nc command line and the "help" entered at the > prompt are my input, everything else is the server's output:

      nc 192.168.1.23 50000
      Welcome to TB Server 1000
      > help
      Available commands: help login passphrase quit

  Try each of the commands; note any messages that are returned.

- Write a Python program that uses Pexpect to remotely "fuzz" the server; determine which command, and how long an argument, causes the connection to terminate. Note that quit closes the connection by design, so confirm that a termination is really a crash (for example, by watching the server's terminal for a segmentation fault, or by running the server under gdb) before treating it as the bug. If you analyzed the source code first, are your fuzzing results consistent with your analysis?

- Examine the provided connect-back shellcode (connectback_shell_v1.asm) and explain what this shellcode is doing, including which address and port it connects back to and what the attacker must have listening there. Outline an attack on the server using this shellcode; your description must include how the attacker would interact with the compromised server.

- Advanced: Implement the full attack on the vulnerable server.