In the previous part of Buffer overflow exploit we went through the basic overview of buffer overflow. In this tutorial we will create a server that is vulnerable to buffer overflow attack and create a simple client or attacker that connects to the server and sends a simple message.
Creating a Server
We need to create a server where we can perform the attack. We are using Windows 10 as a target for an attack. Below is the server code that is written in C programming language that is vulnerable to buffer overflow attack stored in C:/VulnerableServer. Copy and paste the code in Visual Studio 2017 and compile it.
| //VulnerableServer.c #include “stdafx.h” #include “winsock.h” #include “windows.h” //load windows socket #pragma comment(lib, “wsock32.lib”) //Define Return Messages #define SS_ERROR 1 #define SS_OK 0void sError(char * str) { printf(“Error %s”, str); WSACleanup(); } char str[5000]; int main(int argc, char * argv[]) { WORD sockVersion; WSADATA wsaData; int rVal; int bytesRecv; u_short LocalPort = 1200; SOCKET clientSocket; SOCKADDR_IN sin; SOCKET serverSocket; //Loading Library File //create server socket if (serverSocket == INVALID_SOCKET) //bind the socket //get socket to listen //wait for a client to connect printf(“%d”, bytesRecv); while (bytesRecv == SOCKET_ERROR) //close client socket |
The above program will open a port (i.e. 1200) and start listening. The buffer size is 100 and the use of strcpy () function is made. In the above code, a dll file is loaded. The reason for why we need to load dll file is explained in Buffer Overflow – part 1. The dll file is stored in the same address as the Server (i.e. C:/VulnerableServer/Debug/dll.dll). You can also download dll file by clicking here. Compile the code and run it in Visual Studio 2017. The given Figure is the output when the code is compiled and running.
Figure 1. Output of the Vulnerable server
Attaching Server with Immunity debugger
We will need to attach the server in immunity debugger to see how the memory looks like when running the server. When you run the server code in Visual Studio, it automatically generates a exe file that is stored in C:/VulnerableServer/Debug/VulnerableServer.exe. To attach the server in immunity debugger, Open Immunity debugger and go to File → Open→ Select the VulnerableServer.exe file → Open as shown in figure.
Figure 2. Opening the executable file in debugger
An alert may be displayed, you need to allow access and click on run button to get the port listening. The output of this is the same as shown in figure 1.
Verifying Port is Listening
To check whether it is actually listening to the port number we provided open command prompt and type the following command:
| netstat -an |find /i “listening” or netstat -an |find /i “1200” |
The output of the command will give the result as Listening as shown in the below diagram.
Figure 3. Verifying if the port 1200 is listening
Now we know the server is listening to the port number that we provided. Now the next step is to create a client/attacker which will send the data to the server through that port number.
Creating Attacker’s Script
Till now we just created a vulnerable Server that open a port 1200 and listens to it. Now we need to create an attacker’s script that will connect to the port number 1200 and send message. So we are going to use Kali Linux as an attacker’s machine. For this tutorial both the attacker and server are in same network.
Before proceeding forward make sure you install python 2.7 in Kali Linux. Copy the following code written in Python and run it.
| import socket host = 192.168.x.x # Target Machine’s IP Address port = 1200 # The same port as used by the server s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((host, port)) # Connects to the Port in Target machine s.sendall(b’Hello, world’) # Sends msg(Hello World) to the server s.close() # Connection is closed print(“The message has been sent.”) |
To run you need to open terminal in the same folder where the above python script is saved. And type the following-
| Python ./script.py |
When you press enter, it will send message (i.e. Hello World) to the server. The following figure shows you the output in the server side when the message is sent. Whereas from the attacker’s side you will see the text as “The message has been sent”. If you don’t get this output, you may not be in same network. Make sure in the script you change the ip address with the server’s ip.
Figure 4. Message sent from attacker to server
I hope everything is clear till here. In this tutorial we simply sent a message to the server. Now in the next tutorial we will perform a Stack-Based Buffer overflow.
If you got any questions you can leave a comment below or mail me. The id is given at the end of this page.
Radiojitter