In this lab, you will gain insight into the buffer overflow vulnerability. You will analyze a vulnerable program using a debugger and exploit the vulnerability.
Buffer overflow is the root cause of many vulnerabilities in software products; in this regard, it is a significant security problem today.
There are many different types of buffer overflow. They have been categorized under 9 CWEs in https://cwe.mitre.org/data/definitions/1218.html.
Poor coding practices cause buffer overflow vulnerabilities. Strongly typed programming languages, such as Java and C++, have automatic bounds checks and memory management. The real problem comes with low-level programming languages, for instance C and Python. They are not strongly typed languages; however, they are used for their advantages: flexibility, no performance issues, and freedom for the coder. Programmers who use low-level programming languages should always check the inputs in their programs and use functions that do bounds checking.
The topology of the Lab-2 is quite simple. You will be using both computers. It is recommended to undock both virtual machines to prevent going back and forth between the computers.
Windows 7 Target has an executable program named vulnserver. It is written in C. This network program listens on port 9999 once executed, meaning that Windows 7 Target will start listening on TCP 9999.
There are three Python scripts on Kali Linux. All of them open a TCP connection to port 9999 on Windows 7 Target. The first script sends some bytes to the vulnserver service (nocrash.py). The second script crashes vulnserver by overflowing the buffer of the service (crash.py); this script is also called the proof of concept. The third script gets a remote shell from Windows 7 Target by exploiting the buffer overflow vulnerability (remote_shell.py). The exploitation script (remote_shell.py) is developed by debugging the vulnserver program and changing the proof-of-concept script as needed.
Section-1: Explore the Vulnerable Network Service
In this section, you will explore the remote service you will start on Windows 7 Target computer.
1. Log in to the Netlab environment.
2. Open Windows 7 Target from the list of computers on the top menu bar.
Click on Windows 7 Target on the top menu bar, and click undock.
3. At Windows 7 Target, open a command window by clicking the cmd icon on the taskbar.
4. Type this command in the command window and hit enter: netstat -a -n -p TCP
This command shows the list of open TCP ports on the Windows 7 Target computer. The first option (-a) shows all established connections and listening ports. The second option (-n) makes netstat display IP addresses and port numbers instead of hostnames and service names; people usually use this for faster command results. The third option (-p TCP) shows only TCP ports. Have a look at the list of open ports.
5. In the command window, type cd Desktop to change the directory to the Desktop folder.
6. Type cd Vulnerable_Service to change the directory to the Vulnerable_Service folder.
After typing cd, pressing space, and the "v" character, you can press Tab on your keyboard to auto-complete the directory name.
7. Type dir inside the Vulnerable_Service folder to see the list of files.
You should see an executable file named vulnserver.exe. You will not use the other files in the folder. vulnserver.exe is a tiny program developed in C for educational purposes. It has a buffer overflow vulnerability that was placed knowingly by security researchers. When you run vulnserver.exe, it will open TCP port 9999 on the server.
8. Type vulnserver and hit enter in the command window.
Once you run this program, you will see a short security warning and a prompt "Waiting for client connections..."
9. Open another command window in Windows 7 Target machine.
10. Type netstat -a -n -p TCP once again.
Can you see the difference compared to the previous netstat command?
11. Type netstat -a -n -p TCP -b now.
The "-b" switch shows the executable involved in opening each port. Confirm that you see vulnserver.exe in the list.
12. Now it is time to legitimately use the vulnserver service provided by Windows 7 Target computer.
13. Select Kali Linux from the list of computers in the Netlab environment.
Click on Kali Linux on the top menu bar, and click undock. Place the undocked Windows 7 Target window next to the Kali Linux window.
14. Type the password "toor" for the root user.
15. Open a terminal window by clicking the terminal icon on the menu bar at the bottom.
16. Type nc 192.168.2.13 9999 in the terminal window.
You should see this message "Welcome to Vulnerable Server! Enter HELP for help." in the Kali Linux terminal window.
Note: If you don't see this message, wait for 10 seconds. If you still don't see it, hit Enter several times. If that does not help, press CTRL-C to exit and retype nc 192.168.2.13 9999
You should also see this message "Received a client connection from 192.168.2.10:XXXXX" in the Windows 7 cmd window where you ran vulnserver.exe
nc is the abbreviation of netcat. Netcat is a versatile utility used for various purposes, including connecting to a remote service, as in our case, or opening a listening port on the local system. Netcat can do much more than connecting to remote services and opening local ports. You can refer to the Linux man page or Internet forums for a more comprehensive feature set.
In this step, you opened a TCP connection to port 9999 of the Windows 7 Target machine.
17. In Kali Linux, type HELP in the vulnserver service prompt and press enter.
The vulnserver service is case-sensitive and accepts commands in capital letters only; therefore, "help" will not work. Type "HELP" using the Shift key, not CAPS LOCK.
You will see a list of commands that the vulnserver accepts. Among these commands, the TRUN command is used to get a string from the user.
18. In the vulnserver service prompt, type TRUN some_text and hit enter.
You will see the TRUN COMPLETE message.
19. Type EXIT in the vulnserver service prompt to return to the terminal window of Kali Linux.
20. Type cd fuzzer in the terminal window to change directory to the fuzzer folder. (After this command, you will be in the /root/fuzzer/ folder.)
21. There is a file named nocrash.py in this folder. Type python nocrash.py in the terminal window.
nocrash.py opens a connection to TCP port 9999 at 192.168.2.13, which is the service created by vulnserver, sends a certain amount of string data to the vulnserver service, and closes the connection. This small piece of code does not crash the vulnserver application.
Take a screen capture of the Kali Linux terminal window where you ran the nocrash.py file.
In the next section, you will run another Python script to crash the vulnserver service remotely.
Section-2: Crash the Network Service by Exploiting the Buffer Overflow Vulnerability
Think about this scenario: A company is using a network service (vulnserver.exe) for its contractors. Contractors remotely connect to this service and provide some data to the company. You saw how this is done in Section-1.
A cyber attacker discovers a buffer overflow vulnerability, remotely exploits it, and crashes the service.
Now, it is time to realize this scenario.
1. If you created a new reservation before Section-2, then select Kali Linux and undock it. Type in "toor" as the root password. Open a terminal window. Type cd fuzzer to change to the fuzzer folder.
Place the undocked Windows 7 Target window next to the undocked Kali Linux window.
If you didn't create a new reservation, skip this step and continue with the next step.
2. In the Kali Linux terminal window, type python crash.py and hit Enter.
After this command, notice the crash message shown on the Windows 7 Target computer.
3. On the Windows 7 Target computer, click "View problem details" in the message box.
Check that the Fault Module Name is StackHash_xxxx, which indicates that the crash is associated with the stack (the stack is a kind of buffer).
Take a screen capture of the Windows 7 Target desktop showing the crash message window.
4. On the Windows 7 Target computer, click "Close the program".
The program will be terminated. You will observe this in the cmd window where vulnserver.exe was running: the program stops, and the Windows command prompt reappears. Type netstat -a -n -p TCP and ensure that TCP port 9999 is no longer open.
5. Switch to Kali Linux and review both the nocrash.py and crash.py scripts using the nano editor.
In the terminal window, type nano filename to open the desired file. To exit the nano editor, press CTRL-X.
Please explain what crash.py does by using the template below.
host = "192.168.2.13" #explanation:
port = 9999 #explanation:
junk = "A"*5000 #explanation:
buffer = "TRUN ." + junk #explanation:
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) #explanation:
Why does crash.py cause a crash in the vulnserver network service? Which line of the code overflows the buffer?
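To see the defect from the server's side, here is an added C example (not vulnserver's own source; the buffer size and handler names are assumed) that shows the unchecked copy a TRUN-style handler makes beside a hardened version that checks the length before copying, and feeds both the kind of input nocrash.py and crash.py send.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical fixed-size stack buffer, standing in for the one a
 * TRUN handler copies its argument into (the real size is assumed). */
#define BUF_SIZE 2000

/* Vulnerable pattern: strcpy() never checks how long the source is, so an
 * argument longer than BUF_SIZE-1 bytes runs past the end of buf and
 * overwrites what follows it on the stack. This is the defect crash.py
 * triggers with its 5000 "A" bytes; never call this with untrusted input. */
void handle_trun_unsafe(const char *arg) {
    char buf[BUF_SIZE];
    strcpy(buf, arg);                     /* no bounds check */
    printf("TRUN COMPLETE (%zu bytes)\n", strlen(buf));
}

/* Hardened pattern: measure first, copy only if it fits, and use a bounded
 * copy. Returns 0 on success, -1 when the argument is rejected as too long. */
int handle_trun_safe(const char *arg) {
    char buf[BUF_SIZE];
    size_t len = strlen(arg);
    if (len >= sizeof buf)
        return -1;                        /* refuse instead of overflowing */
    memcpy(buf, arg, len + 1);            /* len + 1 <= sizeof buf */
    printf("TRUN COMPLETE (%zu bytes)\n", len);
    return 0;
}

/* Splits a raw command line such as "TRUN .AAAA" into verb and argument,
 * returning the argument or NULL if the verb is not TRUN. Like vulnserver,
 * the verb match is case-sensitive, so "trun ." is not accepted. */
const char *trun_argument(const char *line) {
    if (strncmp(line, "TRUN ", 5) != 0)
        return NULL;
    return line + 5;
}

/* Builds a constructed argument of n 'A' bytes (the shape crash.py sends)
 * and reports 1 if the hardened handler rejects it, 0 if it accepts it. */
int safe_handler_rejects(size_t n) {
    char *arg = malloc(n + 1);
    if (arg == NULL) return -1;
    memset(arg, 'A', n);
    arg[n] = '\0';
    int rc = handle_trun_safe(arg);
    free(arg);
    return rc == -1;
}

int main(void) {
    handle_trun_safe(trun_argument("TRUN some_text"));        /* accepted */
    printf("5000-byte request rejected: %d\n", safe_handler_rejects(5000));
    return 0;
}
```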
Section-3: Get a Remote Shell from the Server by Exploiting the Buffer Overflow Vulnerability of the Network Service
1. If you created a new reservation before Section-3, then select Kali Linux and undock it. Type in "toor" as the root password. Open a terminal window. Type cd fuzzer to change to the fuzzer folder.
Select Windows 7 Target and undock it. Place the undocked Windows 7 Target window next to the undocked Kali Linux window. Open a cmd window on Windows 7 Target, type cd Desktop, then cd Vulnerable_Service to change the directory to the Vulnerable_Service folder.
If you didn't create a new reservation, skip this step and continue with the next step.
2. On the Windows 7 Target machine, type vulnserver in the cmd prompt to run the service once again. (The service crashed in Section-2.)
3. In Kali Linux, open a new terminal window by right-clicking on the terminal window on the taskbar and clicking “Open a New Tab”.
4. In the new tab, type nc -lvp 443 and press enter to create a listener.
You will see the "listening on [any] 443 ..." message on the screen.
In this case, you are using the netcat utility in listen mode. The "-l" switch puts nc into listening mode. The "-v" switch means verbose; netcat shows detailed messages about the connection status. The "-p" switch sets the local port number to listen on. The above command opens port 443 on Kali Linux, and Kali Linux starts listening on this port.
5. Switch to the previous tab where you are in the fuzzer folder.
6. Type python remote_shell.py and press enter.