top of page
Writer's picturealvin gitonga

Buffer Overflow☠️: C 😜how to build🛠️ a zero-day😈

Cybermorans🤗

Developing👾 your own zero-day exploits☠️ is hard. In this post I introduced you to buffer overflows, the source of some of the most lethal exploits💀, particularly RCE(remote code execution) thus we are focusing our exploit development on a simple buffer overflow😈

In this simpo simpo illustration, we will build a simple buffer overflow to show how a buffer overflow can work. We build a short, simple program in C, compile it, run it successfully, and then attempt to overflow its buffer and get our own code to run. BAM!🙀🙊


Lets learn some illegal shit....💪 For educational purposes ONLY!!🤡


 

🚀 Launch a text editor

Fire up Kali and open a text editor for our code. In my case, I'll be using Nano, but you can use any text editor you want 👇....Vim users mkaskie vibaya nauko😂😂

sudo nano bufferoverflow.c  

🚀 The Code

A small bit of code that will enable us to overflow a memory buffer and run our own commands on the system. It is not meant to be used as an exploit💩, but rather to simply demonstrate the principle of buffer overflows that we will be building into our zero-day exploit😈


Now, enter the following code👇 .....Relaaax...I'll explain😋

👉 In the screenshot , our two variables we will be using in this code;

  • char *place

  • char *systemcommand

We have declared them below both "char" or character type variables.


👉 Next, we have allocated memory for each variable using the malloc (memory allocation) command.


👉 After the memory allocation, we have two "printf" statements that print the memory locations of the two variables. The third printf then calculates the number of bytes between the two memory locations of our variables.

👉 The fourth printf then asks the user "Where are your secrets?" followed by the "gets" function that puts the users response into the variable "place."

👉 This is then followed by another printf function that prints the statement "My darkest secrets are: " followed by the user's response, the user will respond with "Church"...

👉 Finally, the last line executes whatever is in the "systemcommand" variable. If the variable is empty, then no command is executed.

👉Finally, save this file as bufferoverflow.c. ---- ctrl+x, Y, Enter -- In nano


 

🚀 Compile

The next step is to compile our new program. 🧐 Coz C, into machine code is required whenever we write code in a compiled language, unlike say, Python, that is an interpreted language🤓 (interpreted languages are converted to machine language on the fly at run-time, line by line, and are thereby slower).


We need to use the GNU C Compiler (gcc) on the file bufferoverflow.c and output (-o) the compiled to a new file named "bufferoverflow" ...👇

kali> gcc bufferoverflow.c -o bufferoverflow

This may produce a few errors, ignore all of them😤

 

🚀 Run the Program

Now, let's run our smol "bufferoverflow" program👇


kali > ./bufferoverflow

Notice that it first responded with the memory location of our variable "place," and then the memory location of our variable "systemcommand," and third it calculates the bytes between these two memory locations. It then prompts the user for "where are your darkest secrets?"🤪 and, of course, the user responds "Church." Finally, the program responds with the obvious truth "My darkest secrets are in church."😝😝

 

🚀 Overflow the Buffer...Like literally

Now, let's run this program and try to overflow the memory area for the variable "place" into the memory area for "systemcommand." If we can overflow that memory area into the variable "systemcommand," we should be able to execute any system command on the system😱


For instance, we might be able to execute a command shell or display the contents of the /etc/shadow file😋

We know from the third printf statement, the space between the "place" variable and the "systemcommand" variable in bytes😊. This means that if we enter more (than the bytes in space) ASCII characters (each ASCII character is one byte) when prompted, It will fill up the 'space', and then whatever we input after that will move into the next variable, in this case, "systemcommand."😎.......umeget?

🤔 Its like filling a bucket to the brim alafu the water overflows to another karae....the bucket in this case ni 'place' variable🪣 na karae ni 'systemcommand' variable🪣....comprende?😋

Let's now enter the following when prompted👇

kali> nnnnnnnnnnnnnnnnnnnnnnnnnncat /etc/shadow

When you do this👆, the first characters should go into the "place" variable and then consequent characters and everything after (The code at the end of the command) will overflow into the "systemcommand" variable. The final line of our code will then execute the system command variable......Buuut MINE FAILED multiple times!!!😤😤


So I lit up an old kali version 2016 and tried it and ....Voila!👇

Notice 👆 that that we have been able to overflow the "place" variable into the "systemcommand" variable and have been able to "cat" the contents of the /etc/shadow file thus showing us all the users and their hashed passwords. Congratulations!🥳 You have successfully overflowed the buffer and run your own code🥳


 

🚀Conclusion 🤖

Subscribe to receive notifications of similar posts 😜 where we will be reverse engineering malware, vulnerabilities as well as hacking tools, vectors, stories, tutorials and other Infosec stuff...😋


Follow me on twitter for daily Infosec Memes and shenanigans😝


Morans,


Thank you for taking time and hope you learned something new, Like/Share and leave a comment/review and as always, stay awesome! 😋👊 💪

37 views0 comments

Recent Posts

See All

Comments


Post: Blog2_Post
bottom of page