Cybermoransđ€
DevelopingđŸ your own zero-day exploitsâ ïž is hard. In this post I introduced you to buffer overflows, the source of some of the most lethal exploitsđ, particularly RCE(remote code execution) thus we are focusing our exploit development on a simple buffer overflowđ
In this simpo simpo illustration, we will build a simple buffer overflow to show how a buffer overflow can work. We build a short, simple program in C, compile it, run it successfully, and then attempt to overflow its buffer and get our own code to run. BAM!đđ
Lets learn some illegal shit....đȘ For educational purposes ONLY!!đ€Ą
đ Launch a text editor
Fire up Kali and open a text editor for our code. In my case, I'll be using Nano, but you can use any text editor you want đ....Vim users mkaskie vibaya naukođđ
sudo nano bufferoverflow.c 
đ The Code
A small bit of code that will enable us to overflow a memory buffer and run our own commands on the system. It is not meant to be used as an exploitđ©, but rather to simply demonstrate the principle of buffer overflows that we will be building into our zero-day exploitđ
Now, enter the following codeđ .....Relaaax...I'll explainđ
đ In the screenshot , our two variables we will be using in this code;
char *place
char *systemcommand
We have declared them below both "char" or character type variables.
đ Next, we have allocated memory for each variable using the malloc (memory allocation) command.
đ After the memory allocation, we have two "printf" statements that print the memory locations of the two variables. The third printf then calculates the number of bytes between the two memory locations of our variables.
đ The fourth printf then asks the user "Where are your secrets?" followed by the "gets" function that puts the users response into the variable "place."
đ This is then followed by another printf function that prints the statement "My darkest secrets are: " followed by the user's response, the user will respond with "Church"...
đ Finally, the last line executes whatever is in the "systemcommand" variable. If the variable is empty, then no command is executed.
đFinally, save this file as bufferoverflow.c. ---- ctrl+x, Y, Enter -- In nano
đ Compile
The next step is to compile our new program. đ§ Coz C, into machine code is required whenever we write code in a compiled language, unlike say, Python, that is an interpreted languageđ€ (interpreted languages are converted to machine language on the fly at run-time, line by line, and are thereby slower).
We need to use the GNU C Compiler (gcc) on the file bufferoverflow.c and output (-o) the compiled to a new file named "bufferoverflow" ...đ
kali> gcc bufferoverflow.c -o bufferoverflow
This may produce a few errors, ignore all of themđ€
đ Run the Program
Now, let's run our smol "bufferoverflow" programđ
kali > ./bufferoverflow
Notice that it first responded with the memory location of our variable "place," and then the memory location of our variable "systemcommand," and third it calculates the bytes between these two memory locations. It then prompts the user for "where are your darkest secrets?"đ€Ș and, of course, the user responds "Church." Finally, the program responds with the obvious truth "My darkest secrets are in church."đđ
đ Overflow the Buffer...Like literally
Now, let's run this program and try to overflow the memory area for the variable "place" into the memory area for "systemcommand." If we can overflow that memory area into the variable "systemcommand," we should be able to execute any system command on the systemđ±
For instance, we might be able to execute a command shell or display the contents of the /etc/shadow fileđ
We know from the third printf statement, the space between the "place" variable and the "systemcommand" variable in bytesđ. This means that if we enter more (than the bytes in space) ASCII characters (each ASCII character is one byte) when prompted, It will fill up the 'space', and then whatever we input after that will move into the next variable, in this case, "systemcommand."đ.......umeget?
đ€ Its like filling a bucket to the brim alafu the water overflows to another karae....the bucket in this case ni 'place' variableđȘŁ na karae ni 'systemcommand' variableđȘŁ....comprende?đ
Let's now enter the following when promptedđ
kali> nnnnnnnnnnnnnnnnnnnnnnnnnncat /etc/shadow
When you do thisđ, the first characters should go into the "place" variable and then consequent characters and everything after (The code at the end of the command) will overflow into the "systemcommand" variable. The final line of our code will then execute the system command variable......Buuut MINE FAILED multiple times!!!đ€đ€
So I lit up an old kali version 2016 and tried it and ....Voila!đ
Notice đ that that we have been able to overflow the "place" variable into the "systemcommand" variable and have been able to "cat" the contents of the /etc/shadow file thus showing us all the users and their hashed passwords. Congratulations!đ„ł You have successfully overflowed the buffer and run your own codeđ„ł
đConclusion đ€
Subscribe to receive notifications of similar posts đ where we will be reverse engineering malware, vulnerabilities as well as hacking tools, vectors, stories, tutorials and other Infosec stuff...đ
Follow me on twitter for daily Infosec Memes and shenanigansđ
Morans,
Thank you for taking time and hope you learned something new, Like/Share and leave a comment/review and as always, stay awesome! đđ đȘ