Buffer Overflow Exploitation by Vivek Ramachandran [azazredhat]

seeders: 2
leechers: 2
Added on February 25, 2013 by RedhatHacker in Other > Unsorted
Torrent verified.



Buffer Overflow Exploitation by Vivek Ramachandran [azazredhat] (Size: 97.76 MB)
 Buffer Overflow Primer Part 1 (Smashing the Stack) Tutorial.mp4 28.44 MB
 Buffer Overflow Primer Part 4 (Disassembling Execve) Tutorial.mp4 19.21 MB
 Buffer Overflow Primer Part 5 (Shellcode for Execve) Tutorial.mp4 16.41 MB
 Buffer Overflow Primer Part 2 (Writing Exit Shellcode).mp4 13.98 MB
 Buffer Overflow Primer Part 3 (Executing Shellcode) Tutorial.mp4 12.52 MB
 Buffer Overflow Primer Part 6 (Exploiting a Program) Tutorial.mp4 7.2 MB

Description


In this video series we will learn the basics of Buffer Overflow attacks and demonstrate how one can exploit Buffer Overflows in programs for fun and profit. The pre-requisite for this video series is that you are familiar with Assembly language. If you are not familiar with Assembly language, no worries, Vivek Ramachandran has created detailed video tutorials for Assembly language here - Assembly Language Primer for Hackers.

In Part 1 of the Buffer Overflow series we will look at why buffer overflow attacks happen. We will discuss how the program stack is laid out when a function call happens, then how a buffer can be overwritten if proper bounds checking does not happen and finally how a hacker could take control of the program by overwriting the return address stored on the stack to an arbitrary value. We will use a sample program - Demo.c to demonstrate how it is possible to change the Return address by overwriting the stack using user supplied input.

Welcome to Part 2 of the Buffer Overflow Primer. The Buffer Overflow Primer requires that you know at least some basic Assembly Language. Vivek Ramachandran has created a series of Assembly Language video tutorials for Hackers here, for those not familiar with the language. In this video we will look at how to create Shellcode which we can use as payload while exploiting a buffer overflow vulnerability. Shellcode is nothing but machine code which the CPU can execute directly without requiring any further assembling, compilation or linking. Thus instructions in the Shellcode will be executed as-is. We will look at the exit() syscall and see how we can convert the assembly language code for invoking it into shellcode. In the process, we will be using the Objdump utility which ships with the Binary utils package. After you have gone through this video, you will be able to convert almost any assembly code into its shellcode equivalent.

Welcome to Part 3 of the Buffer Overflow Primer. The Buffer Overflow Primer requires that you know at least some basic Assembly Language. Vivek Ramachandran has created a series of Assembly Language video tutorials for Hackers here, for those not familiar with the language. In the last video we saw how to create shellcode from assembly language code; this video will concentrate on how to execute the shellcode from within a C program to check that it is working properly. In order to do this, we will use the exit() shellcode which we created in the last video. We then use ShellCode.c to launch the shellcode. During this demo we will discuss how the main() function is actually invoked by the __libc_start_main routine, which sets up the environment for the program and also cleans up after main() returns. We will see how it is possible to change the return address on the stack (RET) to point to our shellcode and have it execute.

In the Part 4 video we will look at how to create shellcode for the Execve() syscall. We will first create a C program to spawn a shell using Execve(), then we will disassemble the program to understand how the syscall works and the kind of inputs it expects. We will cover this part in-depth and trace through individual instructions and recreate the program stack before execve() is called. Once the disassembled code has been understood, we will create our own program in assembly to spawn a shell using Execve(). This video is very important for those who want to learn how to convert a complex syscall() into its working assembly language equivalent.

Welcome to Part 5 of the Buffer Overflow Primer. The Buffer Overflow Primer requires that you know at least some basic Assembly Language. Vivek Ramachandran has created a series of Assembly Language video tutorials for Hackers here, for those not familiar with the language. In this video we will learn how to convert the shellcode created in the previous video to a more usable format. It is important to note that the shellcode in the previous video cannot be used as-is because it contains NULLs and hardcoded addresses. Thus we need to convert it into something which can be injected into a buffer - i.e. we need to remove the NULLs and set up relative addressing. This video will show how we can replace the NULLs in the shellcode with instructions which result in non-NULL shellcode. Also, we discuss in detail how we can set up relative addressing within the shellcode and modify it at runtime to make it work. This is probably the most important video in the series, if one wants to understand the shellcode generation process completely. Please download ExecveShellCode.s and ShellCode.c before you view this video.

Welcome to Part 6 of the Buffer Overflow Primer. The Buffer Overflow Primer requires that you know at least some basic Assembly Language. Vivek Ramachandran has created a series of Assembly Language video tutorials for Hackers here, for those not familiar with the language.

In this video we will understand how to use the shellcode created in the previous video to exploit an actual program. We will first take an example program ExploitMe.c and look at how its stack is organized. Then, we will create an environment variable "EGG" which will be custom made to smash ExploitMe.c's stack and overwrite it with the shellcode and replace the original RET address with a new one pointing to our shellcode. Once this is done, we have full control of the EIP and once main() returns, our shellcode will be executed. Though this video is entirely in presentation mode, it is probably the most important video of this entire series. If you understand the stack overwriting logic explained here, you are done learning buffer overflows :) The next video will consist of the actual demo of the exploitation process.













All Comments

good ul, thx