
Buffer Overflow for beginners

Hello aspiring hackers. In this article, you will learn about buffer overflow for beginners. Do you remember the directory named “C” we created in our previous article to demonstrate the GNU Debugger? Go back into that directory and write another C program as shown below. You can aptly name it second.c.

Bof1

After you finish coding it, compile the second.c program as shown below.

Bof2

The compilation should pop up many warnings. But as the saying goes, programmers worry about errors, not warnings, so for now just ignore them. Now let me explain what this program does. It is one of the popular programs used to demonstrate buffer overflow, with some modifications of our own. On the surface, it is a simple program that asks users which superhero they want to be and prints the answer back, as shown below.

Bof3

Now let me explain the internal code of this program line by line. Let’s jump directly to the 4th and 5th lines, in which we declare two char pointers, ‘sh_name’ and ‘command’. The asterisk signifies a pointer to a char variable; we use this when we have no idea in advance how long the string is going to be. In the 6th and 7th lines of the program, we have the C function “malloc”, which allocates memory at runtime. As you can see, it allocates 10 bytes to ‘sh_name’ and 128 bytes to ‘command’. To put it simply, I have created two buffers here, one of 10 bytes and the other of 128 bytes.


Seeing where we are getting to? In the 8th line, the program prints the prompt asking who your superhero is and collects user input using the “gets” function, which reads input from the standard input and stores it as a C string. In the 9th line, it is printed back prefixed with “Hello”, as we have already seen in the image above. The last line of the C program calls the ‘system’ function, which passes commands to the command processor to be executed. I hope you understood what this program does.
Now suppose a user ran the program and, when prompted for his favorite superhero, answered as shown below. Maybe he was a diehard (to the power of 7) fan of Captain America like me, or he was an English language perfectionist who hated giving minimal answers. Whatever the user was, the program responded as shown below. It printed out the answer, but it also printed something else: “he not found”, prefixed with ‘sh’.

Bof3a

“sh” is a command language interpreter that executes commands from the standard input. This is a BUG. Say it once again loudly: “a BUG”. The program is sent to the testers to find out what the bug can do. The testers load the program in the GNU Debugger, which our readers learnt about in our previous article.

Bof4

Now, you are the tester. Check the assembly code of the program.

Bof5
Bof6

In the assembly code, you can see that there’s a call to “gets” that collects data from standard input. Introduce a breakpoint at the point shown below and run the program. With the breakpoint, the program stops exactly at the point where you give input to the program. After giving input, you can continue the program as shown below.

Bof7

If you have observed the above image, I have given 16 C’s as input. This process is known as fuzzing. Fuzzing is a process where we provide strings of varying length as input to find out where the buffer overflow occurs.
These strings of different lengths can be created in various ways. Here’s a method to create runs of C’s of varied lengths using Python.

Bof8

We can also pipe this generated text directly into the program, as shown below, instead of copying and pasting it.

Bof8s

Here is the program running in the debugger.

buffer overflow

When an input of 35 characters is provided, an overflow occurs. Three C’s overflowed past their buffer into the next buffer.

Bof10

So the size of the first buffer is 35-3 = 32 characters. Anything beyond these 32 characters spills into the next buffer and is executed as a command, because of the “system” call there. So next, give 32 C’s and append the command “ls” to them, as shown below.
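The page shows second.c, the fuzzing strings and the 32-character boundary only as screenshots, so here is an added C example (not the page's own code) that puts the defender's side of the same material in one place: a bounded replacement for gets(), the fuzzing loop from the page with a guard byte after the name buffer so an overflow is visible without a debugger, and a measurement of the gap between the two malloc'd buffers. The NAME_LEN and CMD_LEN sizes come from the page; the function names and the glibc-specific observation that a malloc(10) chunk occupies 32 bytes including its header (which is why the page's fuzzing found 32 rather than 10) are assumptions of this example.

```c
#define _GNU_SOURCE            /* fmemopen() on glibc */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Buffer sizes from the page's second.c: malloc(10) for the name, malloc(128) for the command. */
#define NAME_LEN 10
#define CMD_LEN  128

/* Bytes between two consecutive small heap allocations made the way second.c makes them.
 * On glibc/x86-64 the malloc(10) chunk is rounded up to 32 bytes including its header,
 * which is why 32 characters, not 10, reach the start of the second buffer. Other
 * allocators round differently, so the value is measured rather than hard-coded. */
long heap_gap(void) {
    char *sh_name = malloc(NAME_LEN);
    char *command = malloc(CMD_LEN);
    long gap = (sh_name && command) ? (long)((uintptr_t)command - (uintptr_t)sh_name) : 0;
    free(command);
    free(sh_name);
    return gap;
}

/* Bounded replacement for gets(): reads one line from `in` into buf (capacity n), drops the
 * newline and discards the rest of an over-long line so it cannot leak into the next read.
 * Returns 0 if the line fit, 1 if it was truncated, -1 on EOF or error. Never writes past buf[n-1]. */
int read_line_bounded(FILE *in, char *buf, size_t n) {
    if (n == 0) return -1;
    if (!fgets(buf, (int)n, in)) { buf[0] = '\0'; return -1; }
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') { buf[len - 1] = '\0'; return 0; }
    int c, truncated = 0;
    while ((c = fgetc(in)) != EOF && c != '\n') truncated = 1;
    return truncated;
}

/* Runs the bounded reader over a constructed input string (stand-in for stdin). */
static int read_from_string(const char *input, char *out, size_t n) {
    FILE *in = fmemopen((void *)input, strlen(input), "r");
    if (!in) return -1;
    int rc = read_line_bounded(in, out, n);
    fclose(in);
    return rc;
}

/* Return code of the bounded reader for one input line (0 fit, 1 truncated). */
int truncated_for(const char *input) {
    char out[NAME_LEN];
    return read_from_string(input, out, sizeof out);
}

/* 1 if the name stored from `input` equals `expected` (shows where truncation cuts). */
int name_reads_as(const char *input, const char *expected) {
    char out[NAME_LEN];
    read_from_string(input, out, sizeof out);
    return strcmp(out, expected) == 0;
}

/* The page's fuzzing loop with a canary: feeds runs of 'C' of every length 1..max_len into a
 * NAME_LEN buffer that has a guard byte right after it; returns how many lengths left the
 * guard untouched. With gets() the guard would die at length 10; with the bounded reader, never. */
int fuzz_lengths(int max_len) {
    int survived = 0;
    char *line = malloc((size_t)max_len + 2);
    if (!line) return 0;
    for (int n = 1; n <= max_len; n++) {
        memset(line, 'C', (size_t)n);
        line[n] = '\n';
        line[n + 1] = '\0';
        unsigned char block[NAME_LEN + 1];
        block[NAME_LEN] = 0xAA;                     /* guard byte after the buffer */
        read_from_string(line, (char *)block, NAME_LEN);
        survived += (block[NAME_LEN] == 0xAA);
    }
    free(line);
    return survived;
}

/* Hardened shape of second.c: fixed-size buffers, a bounded read, and no system() call
 * on memory that sits next to user-controlled data. */
int main(void) {
    char sh_name[NAME_LEN];
    printf("Which superhero do you want to be? ");
    int rc = read_line_bounded(stdin, sh_name, sizeof sh_name);
    if (rc < 0) return 1;
    printf("Hello %s%s\n", sh_name, rc ? " (name truncated)" : "");
    printf("heap gap between the two original buffers here: %ld bytes\n", heap_gap());
    return 0;
}
```

Compile with the same `gcc -g` the page uses; the program answers the prompt exactly like second.c but cannot be pushed past its buffer, and the printed heap gap shows why the page's count landed on 32 on a glibc system.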

Bof11

As you can see, the “ls” command got executed. If the appended text is not a command, the program says “not found”.

Bof12

Try some other commands as shown below.

Bof13

You can even pop a raw shell to another machine as shown below.

Bof15
Bof14
Bof16

That’s all for now. To add more fun, go to your “second.c” program and add the additional lines highlighted below. These are print statements.

Bof17

Compile again and run the program. You should see something like the image below. Did you observe the difference?

Bof19
Bof8a

That’s all in buffer overflow for beginners. Want to learn Ethical Hacking in Real World Scenarios? Subscribe to our monthly magazine now.


GNU Debugger : Step By step Guide

Hello aspiring ethical hackers. In this howto, you will learn about the GNU Debugger, step by step. A debugger is a computer program used to test and debug other programs. Debugging means stepping through a program to see if it has any bugs or glitches. These bugs can also be vulnerabilities, although most of the time they are random or unexpected behavior of the program (like crashing).

A debugger does this by running the target program under controlled conditions. The GNU Debugger, better known as GDB, is one such debugger. It can do four main things for us: start the program we want to test, stop the program at certain points, examine what has happened when the program has stopped, and change things in the target program so we can experiment. It is a portable debugger and runs on Windows, UNIX and Mac OS X. It can be used to debug programs written in the languages listed below.


  1. Ada
  2. Assembly
  3. C
  4. C++
  5. D
  6. Fortran
  7. Go
  8. Objective-C
  9. OpenCL
  10. Modula-2
  11. Pascal
  12. Rust

Now let’s learn about this tool practically. We are doing this on Kali Linux (any version), as the GNU Debugger is installed by default there. We create a new directory named “C” and move into it.

Gdb1

In that folder, use your favorite text editor to create a file named “first.c” and code a C program as shown below (type it, don’t copy; you will thank us later).

Gdb2

As can be seen, it is a simple C program that adds two numbers given to it. Once the program is finished, save the file and compile it using the GCC compiler as shown below. Compiling is the process of turning the program into machine language. This can be done using the command gcc first.c -g -o first.

The “-g” option includes debugging information in the binary. Once it is in machine code, we can execute it and see if it is working. In Linux this is done with ./first. As we coded it, the program first asks the user to enter the first number. Then it asks the user to enter the second number. When both numbers are entered, it adds them and prints the result.

Gdb6a

The program is running smoothly as intended. Now, let’s load this in the gdb debugger as shown below.

How to use GNU Debugger

Now let’s run the program once again, inside the debugger. This can be done using either the command r or run.

Gdb7
Gdb11

Now, in case you forgot the code of the program and can’t remember what it does, you have no need to leave the debugger. The “l” or “list” command shows the first 10 lines of the code, as shown below.

Gdb9
Gdb10

Now let’s add a breakpoint at a certain line of the program. Breakpoints allow us to stop the program at a point we choose. A breakpoint can be added using the command “break” or “b”. Run the program again to see if it stops at the intended point.

Gdb12

It stops exactly at line 9. The “disable” command disables the latest breakpoint.

Gdb13

Now we set a breakpoint at line 10 and want to inspect something. Since the program stops at line 10, we have entered only one value so far, that of variable “a”. We can use the “print” command to see the values of the variables we have assigned.

Gdb14

While the value of “a” is something we set and it is displayed correctly, we have not yet set the value of variable “b”, but it still shows some random value. We can change the values we already set using the “set” command, as shown below.

Gdb15

We set another breakpoint. All the breakpoints set on the program can be listed using the command “info b”.

Gdb16

Although there are three breakpoints, note that only two of them are active, as we disabled one already. Let’s run the program again.

Gdb17

It stops at the breakpoint at line 10. To completely remove a breakpoint, use the command “clear”.

Gdb18

Now there are only two breakpoints. To continue running the program from this point, use the command “continue”. This resumes the program from the exact point where it stopped. The program exited normally. The “clear” command can also delete breakpoints by their line number, as shown below.

Gdb20

Let’s run the program again after removing all the breakpoints.

Gdb21

Now, let’s set three new breakpoints on lines 9, 11 and 16. We will assign the values as the program executes.

Gdb22

At the first breakpoint, I set the value of variable “a” to 19.5 and continue the program. I use the “print” command to see the value of variable “a”.

Gdb23

As you can see, it is printed as 19 and not 19.5. Our first bug. Similarly, the “b” variable is 17, whereas we gave it the value 17.6.

Gdb24

When we continue the program as it is, the answer we get is 32786, which is definitely wrong. Here we detected that the program behaves abnormally when decimal numbers are given as input.

Gdb25

Here’s another example.

Gdb26

Seeing this, we can conclude that this program is only suitable for non-decimal numbers, and the result goes wrong even if only one of them is a decimal number. Using gdb, we found our first bug in a program. We can even see the assembly code of this program using the “disass” command.
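The page shows first.c only as a screenshot, so the following is an added C example, not the article's code, that reproduces the decimal-input bug found above with gdb and shows the fix. It assumes first.c reads its two numbers with scanf("%d"): on "19.5" the first %d stops at the '.', the second %d then fails on ".5", and b keeps whatever was in it, which is where a value like 32786 comes from. The function names, the strtol-based strict parser and the constructed input strings are all assumptions of this example.

```c
#define _GNU_SOURCE            /* fmemopen() on glibc */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <limits.h>

/* Constructed stand-in for what a user would type at the two prompts. */
static FILE *open_input(const char *text) {
    return fmemopen((void *)text, strlen(text), "r");
}

/* Assumed shape of the page's first.c: two scanf("%d") reads and an addition.
 * b is initialised to a sentinel here only to keep the demo deterministic; in a
 * program that leaves it uninitialised, the failed second read leaves garbage in b.
 * Returns a + b; *parsed_out (if given) receives how many of the two reads succeeded. */
int naive_add(const char *text, int *parsed_out) {
    int a = 0, b = -1, parsed = 0;
    FILE *in = open_input(text);
    if (!in) return 0;
    parsed += fscanf(in, "%d", &a) == 1;
    parsed += fscanf(in, "%d", &b) == 1;   /* fails on ".5" left behind by the first read */
    fclose(in);
    if (parsed_out) *parsed_out = parsed;
    return a + b;
}

/* How many of the two values the naive reader actually parsed (2 means both). */
int naive_parsed(const char *text) {
    int parsed = 0;
    naive_add(text, &parsed);
    return parsed;
}

/* Strict whole-number parse of one line: strtol, then insist that nothing but whitespace
 * follows, so "19.5" is rejected instead of silently becoming 19. Returns 1 on success. */
int parse_int_line(const char *line, int *out) {
    char *end;
    errno = 0;
    long v = strtol(line, &end, 10);
    if (end == line || errno == ERANGE || v < INT_MIN || v > INT_MAX) return 0;
    while (*end == ' ' || *end == '\t' || *end == '\n' || *end == '\r') end++;
    if (*end != '\0') return 0;          /* trailing junk such as ".5" */
    *out = (int)v;
    return 1;
}

/* Fixed version: read each answer as a whole line and validate it before adding.
 * Returns 1 and sets *sum on success, 0 if either input is not a whole number. */
int strict_add(const char *text, int *sum) {
    char line[64];
    int a, b;
    FILE *in = open_input(text);
    if (!in) return 0;
    int ok = fgets(line, sizeof line, in) && parse_int_line(line, &a)
          && fgets(line, sizeof line, in) && parse_int_line(line, &b);
    fclose(in);
    if (!ok) return 0;
    *sum = a + b;   /* overflow of a + b left aside; add a range check for untrusted input */
    return 1;
}

/* Sum from the strict reader, or `fallback` when the input was rejected. */
int strict_sum_or(const char *text, int fallback) {
    int s;
    return strict_add(text, &s) ? s : fallback;
}

int main(void) {
    const char *inputs[] = { "19\n17\n", "19.5\n17.6\n" };   /* constructed sample input */
    for (size_t i = 0; i < 2; i++) {
        int parsed = 0, sum = naive_add(inputs[i], &parsed);
        printf("naive : parsed %d of 2 values, sum %d\n", parsed, sum);
        if (strict_add(inputs[i], &sum)) printf("strict: sum %d\n", sum);
        else printf("strict: rejected, both answers must be whole numbers\n");
    }
    return 0;
}
```

The point to take from this is the one gdb exposed above: a half-consumed input line is not an error as far as scanf is concerned, so the program carries on with a variable it never set. Validating each line in full turns that silent misbehavior into an explicit rejection.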

Gdb28

But more about this in our future articles. That was all about the GNU Debugger.


Shellcode Injection with Metasploit

The Shellcode Injection Module is a Metasploit module which, as its name suggests, injects shellcode into a target Windows system on which we already have access. In our previous article, we learnt what shellcode is and how it is created. Shellcode is a small piece of assembly code or machine language, and it plays a very important role in cyber security. Typically, shellcode is used in offensive penetration testing.

Let’s see how this module works. Get a meterpreter session on a Windows system. Background the current session and load the post windows shellcode inject module as shown below.

Shellcodeinject2

We will use the Donut tool to create shellcode from the mimikatz program. Mimikatz is a tool used to experiment with Windows security. It is known for extracting plaintext passwords and Kerberos tickets from memory. It can also perform pass-the-hash and pass-the-ticket, or build Golden Tickets.

Shellcodeinject6

Set the SESSION ID and other options given below.

Shellcodeinject7

Set the interactive option to TRUE. We need to do this so that we are not taken directly to the mimikatz shell. We also need to set the correct target architecture.

Shellcodeinject9

After all the options are set, we need to just execute the module as shown below.

shellcode injection with Metasploit
Shellcodeinject10

That’s all about the Metasploit Shellcode Injection Module.

If you liked this article you can Learn advanced ethical hacking tutorials in our Monthly Magazine. Enjoy Free for 3 months.


Donut shellcode generator

Donut shellcode generator is a tool that generates shellcode from VBScript, JScript, EXE and DLL files and .NET assemblies. Although there are many tools that can do this, Donut does it with position-independent code that enables in-memory execution of the compiled assemblies. This compiled shellcode can either be staged from an HTTP server or embedded directly in a file. After the compiled shellcode is loaded and executed in memory, the original reference is erased immediately to avoid memory scanners.

The features supported by the Donut generator are:

  1. Compression of the generated files with aPLib and LZNT1, Xpress, Xpress Huffman.
  2. Using entropy for generation of strings and 128-bit symmetric encryption of files.
  3. Patching Antimalware Scan Interface (AMSI) and Windows Lockdown Policy (WLDP).
  4. Patching command line for EXE files.
  5. Patching exit-related API to avoid termination of host process.
  6. Multiple output formats: C, Ruby, Python, PowerShell, Base64, C#, Hexadecimal.

What exactly is shellcode? Shellcode is a small piece of assembly code or machine language. Shellcode plays a very important role in cyber security. Typically, shellcode is used in offensive penetration testing. In this article, let us learn about this awesome tool. This tool can be installed in Kali Linux by cloning it from GitHub as shown below. This will create a new directory named “Donut”.

donut1

Navigating into the Donut shellcode generator directory, let’s create the shellcode of mimikatz.exe as shown.

How to use donut shellcode generator

Mimikatz.exe is a simple tool that is used to play with Windows security. If you take this Mimikatz executable onto a Windows system, any antivirus or Windows Defender will detect it as malware. Just try it on your machine first before turning it into shellcode. It is available in Kali Linux; here we copied it into the Donut folder.
When we run the above command, the shellcode is created as a file named “loader.bin” in the Donut directory.

Donut4

By default, Donut creates shellcode for both x86 (32-bit) and amd64 (64-bit). To create x86 shellcode only, the command is as shown below.

Donut3

The “-b” option sets the shellcode’s behavior when it encounters AMSI/WLDP. The Antimalware Scan Interface and Windows Lockdown Policy are security features; both help in defending against malware.

Donut5

By default, Donut sets the shellcode to bypass AMSI/WLDP. By setting the “-b” option to “2”, as shown in the above image, it can be set to ABORT once it encounters AMSI/WLDP. Setting “1” does nothing.
Entropy, in general terms, means the degree of randomness. It is used in malware to make detection of its code harder for anti-malware software. This is called obfuscation. The higher the entropy, the lower the chance of the malware being detected. By default, Donut sets random names and also encrypts the shellcode to obfuscate it from anti-malware software. This can be changed using the “-e” option. Setting it to “2” only sets random names for the payload, and setting it to “1” does nothing.

Donut6

Not just binaries: we can create different output formats with Donut, although by default it creates a binary payload. The “-f” option sets the output format. For example, setting “-f” to “2” gives Base64 output; 3 creates C, 4 creates Ruby, 5 creates Python, 6 creates PowerShell, 7 creates C# and 8 creates hexadecimal shellcode, respectively.

Donut7
Donut8
Donut9

The “-z” option sets the packing and compression engine. Donut doesn’t use any compression by default; however, it supports four compression engines: 2=aPLib, 3=LZNT1, 4=Xpress, 5=Xpress Huffman. Only the aPLib compressor works on Linux; the rest of them work on Windows. Compression reduces the size of the payload, whereas packing is used to avoid detection by anti-malware software.

Donut11

We have seen that by default, Donut saves the payloads it creates in its own directory. The location where the payload is saved can be changed with the “-o” option.

Donut12

That’s all about the Donut shellcode generator, readers. We will learn more about this tool and how it is used in real-world ethical hacking.

Liked this article? Learn advanced ethical hacking tutorials in our Monthly Magazine. Enjoy Free for 3 months.


Parrot OS VirtualBox installation using ISO File

Hello aspiring ethical hackers. In this article, you will see how to install Parrot Security OS in VirtualBox from an ISO file. In our previous article, readers have seen how to install Parrot Security OS in VirtualBox using an OVA file (VirtualBox image file). Download the Parrot Security ISO file from here. Once the ISO file has finished downloading, open VirtualBox and go to Machine > New or hit CTRL+N, as shown below.

Parrot Security Iso 1 1024x546

A new window will open as shown below.

Parrot Security Iso 1a

Click on “Expert mode”.

How to install parrot os virtualbox

Fill in the details. Configure the machine folder, type of OS, version etc. and allocate the RAM (a minimum of 2 GB). Once everything is configured, click on “Create”.

Parrot Security Iso 3

Allocate the hard-disk size (16 GB is the minimum requirement, but keep it at least 20 GB). Set the other options as shown below. Click on “Create”.

Parrot Security Iso 4

The virtual machine is created. Start the newly created virtual machine. It should start as shown below.

Parrot Security Iso 5

Browse to the ISO file we downloaded earlier and attach it as shown below. Then, click on “Start”.

Parrot Security Iso 6
Parrot Security Iso 7

The interface changes as shown below. Click on “Install”.

Parrot Security Iso 8
Parrot Security Iso 9
Parrot Security Iso 10 1024x507

Once you are at the OS interface, click on “Install Parrot”. The Calamares installer opens.

Parrot Security Iso 11 2 1024x507

Click on “Next”. Select your location and click on “Next”.

Parrot Security Iso 12 1024x548

Select the keyboard layout and click on “Next”.

Parrot Security Iso 13 1024x551

Set up the partition. Select “Erase disk” and click on “Next”.

Parrot Security Iso 14 1024x555

Create a user and set credentials for the newly created user.

Parrot Security Iso 15

Review all the settings and click on “Install”.

Parrot Security Iso 16 1024x601

Click on “Install Now.”

Parrot Security Iso 17 1024x601

The system starts installing as shown below.

Parrot Security Iso 18

Once the system has finished installing, as shown below, click on “Done”.

Parrot Security Iso 19 1024x602

This will restart the system and take you to the login screen. Log in using the credentials of the newly created user and you are good to go. Happy hacking.