I'm not really sure if this belongs in the newbie section, but relative to most on these forums I still consider myself a newb. Anyways, I'm currently trying to understand buffer overflows the best that I possibly can. I've read through "Smashing the Stack for Fun and for Profit" by Aleph One, another paper "STACK OVERFLOW EXPLOiTS ON LiNUX/BSDOS/FREEBSD/SUNOS/SOLARiS/HP-UX" over at Thc.org, and even attempted the cDc #351: The Tao of Windows Buffer Overflows. Other things I have enjoyed were Anti-online: Shellcode Thread and Antionline: How buffer overflows work.
Using this 'knowledge' *still would like to read over everything again* I have attempted to try and use a proof of concept exploit using the old AIM goaway: protocol overflow. I've compiled this proof of concept with an introductory edition of Visual C++ 6.0 and created a specially crafted HTML page that would automatically use the vulnerable AIM client to establish a connection back to my 192.168.0.13 internal network address. I'm using VMWare with bridged networking (192.168.0.14) and a vulnerable AIM client v. 5.53595 and accessing the HTML page to hopefully connect back to my actual address (.13) with netcat listening on the port specified (5194 in this case). I've tried having the proof of concept code connect back through my external IP 24.xxx.xxx.xxx and port forwarding 5194 to address 192.168.0.13, and then tried directly connecting from .14 (VMware vuln. address) to .13. On BOTH occasions netcat was left static with nothing happening apparently. :confused:
I don't know what to expect from the community here regarding this particular problem, but if anyone has anything that I might be able to try just to get a feel for a proof of concept actually working.
Also, if there is any other material that I could possibly tackle to understand how I would actually catch these buffer overflows in the wild, then that would be very helpful. If I remember correctly, whenever I used to attempt to overflow the goaim: protocol it would give me a Dr. Watson box with a lot of details regarding the current EIP and other registers. Would there be any way of attaining this knowledge by other means? Sorry for the length and if it was in any way confusing.
WigHtOloRE <--- pay attention to the capitalization.. jk :)
Also, I've created a .bmp that illustrates some of the key points on the stack. Take a look if you want and feel free to correct me if I've made any mistakes.
--- ONE MORE THING---
I am NOT a script kiddie. If this was an attempt to gain access to anyone's computer I would have chosen a newer exploit. I'm simply trying to further my knowledge with hands-on 'real world' examples. Thank you.
June 5th, 2005, 09:13 PM
Seems to me that if you were getting the Dr. Watson indicating the pointer issues you probably adjusted the overflow. Now, it seems, your adjustment is almost working insofar as the system isn't recognizing there is an issue but you aren't quite close enough to leave a functional netcat running. Are you running any memory mapping software on the exploitable machine so you can watch the effect?
June 5th, 2005, 10:11 PM
memory mapping software
Memory mapping software? * And this would be why I posted in the newbie section :) *
I did a quick Google search for both: memory mapping software and then "memory mapping software" without any eye-catching results that would lead me into a frenzy of coffee-filled nights in order to further my understanding. However, I am familiar with a few programs that I could/should be running while attempting this code. Would programs like TCPView (to view outgoing connections to port 5194), Ethereal (to view possible packets being sent), and even Filemon (not extremely familiar with it exactly, but I plan to research it) have any use at all? Just a suggestion.
What are some good memory mapping programs? Thanks again for the quick reply.
*** Btw... the program (AIM.exe) does crash, I just never get to see the Dr. Watson window. Would I just barely have to overwrite the EIP with arbitrary input like all "A"s for it to complain and not be occupied with some random shellcode?
June 5th, 2005, 10:36 PM
You are leaving my level of interest and knowledge right now so I can't recommend a memory mapping app.
You might want to look for things regarding NOP sledding so that the exploit will find the correct entry point in memory pretty much on its own. Your "A"s are a "sled" but only if the exploit code is correctly written, IIRC.
June 6th, 2005, 05:26 PM
Well, I would just like to thank you again Tiger Shark for the quick replies and the push in the right direction for a search in memory mapping software. Before this thread dies I just wanted to ask anyone else if they had any recommendations for memory mapping software or (because I visited Barnes and Noble yesterday) if the Shellcoder's Handbook was a good read or not? I hope so, because I just ordered it last night :D . Looked excellent with a brief flip through.
June 6th, 2005, 06:26 PM
You might find this of use as a more general way of monitoring what's going on... It just won't go far enough to show the exploit at the level you need. It might give you a clue as to the problem area though.