Ethical Hacking Workshop

Explore a practical approach to learning and applying ethical hacking techniques for effective cybersecurity

Product type: Paperback
Published: Oct 2023
Publisher: Packt
ISBN-13: 9781804612590
Length: 220 pages
Edition: 1st Edition
Authors (2): Rishalin Pillay, Mohammed Abutheraa

Code-based attacks

Code-based attacks exploit vulnerabilities or weak/insecure coding practices that lead to exploitable applications. These exploits can allow attackers to modify or run executables or commands, which results in gaining access to the system, reading data, modifying data, and more. In this section, we will discuss two very common types of attacks: buffer overflow and format string attacks.

Buffer overflow

Buffer overflow is one of the most common code-based attacks. It simply sends more data than expected into applications that don’t parse inputs. It works because the data is moved into memory when the application has no proper limit checking and parsing of its input. A simple example of a buffer overflow attack is a login page that is expecting an input of 8 bytes. If you send more than 8 bytes of data, the additional data will be written to an overflow buffer. This overflow buffer would be a piece of memory that is allocated to a different program, thereby allowing the attacker to influence how the program works.
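The limit check that the 8-byte login example lacks can look like the following. This is an added example, not code from the book; the struct layout, the adjacent is_admin field (standing in for the memory the extra bytes would land in) and the set_user name are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define FIELD_SIZE 8            /* the 8-byte input from the text */

struct login {
    char user[FIELD_SIZE];      /* fixed-size input field */
    int  is_admin;              /* neighbouring data an overflow would reach */
};

/* Unsafe pattern (shown only as a comment, not compiled):
 *     strcpy(l->user, input);
 * It copies until the NUL terminator, regardless of FIELD_SIZE. */

/* Returns 0 on success, -1 if the input does not fit.
 * Oversized input is rejected rather than silently truncated. */
static int set_user(struct login *l, const char *input)
{
    /* Look for the terminator within the first FIELD_SIZE bytes only. */
    const char *end = memchr(input, '\0', FIELD_SIZE);
    if (end == NULL)
        return -1;              /* 8 or more characters: no room for NUL */
    memcpy(l->user, input, (size_t)(end - input) + 1);
    return 0;
}

int main(void)
{
    struct login l = { "", 0 };
    /* Constructed sample inputs: one that fits, one that does not. */
    printf("alice    -> %d\n", set_user(&l, "alice"));
    printf("12345678 -> %d (rejected)\n", set_user(&l, "12345678"));
    printf("user=%s is_admin=%d\n", l.user, l.is_admin);
    return 0;
}
```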

Note

If you are interested in doing a deeper dive into shellcode and memory attacks, please read Offensive Shellcode from Scratch, by Rishalin Pillay.

These types of attacks are popular in both Linux and Windows-based environments.

Buffer overflow allows you to perform a few escalation techniques within the network:

  • Escalate privileges: This involves gaining elevated access to resources on the target system
  • Execute arbitrary commands: This allows you to run any commands or code of your choice on the target system

Usually, you have two options when using buffer overflow for exploitation:

  • Use already developed tools such as Bed, a tool that we will discuss later in this chapter, or other tools that include payloads for buffer overflow, such as Metasploit
  • Develop a new exploit for a vulnerability

The process of using buffer overflow is as follows:

  1. Find a potential buffer overflow.
  2. Push the right executable code into memory so that it can be executed.
  3. Place the return pointer so that it points to the stack and the code can be run.

Buffer overflow is one of the most commonly used code-based techniques. Here, we have provided a high-level overview of it and the process involved. We won’t cover this in more detail in this book, but having a general understanding of this technique and any relevant tools is useful in the gaining access phase of any ethical hacking exercise.

Format string attacks

Format string is the second most common code-based attack. These attacks are based on the misuse of printf and related functions. They use these functions to change information anywhere in memory to take control. This allows you to do the following:

  • Read data from memory
  • Change data anywhere in memory

Now that you have an understanding of code-based attacks, let’s add to your knowledge with additional methods of attack.

printf example

printf is one of the functions that’s commonly used in format string attacks. The right way to use printf is printf("%s", buffer), where "%s" is the format string. Programmers may mistakenly use printf(buffer), which is the wrong method even though it will compile without errors and run successfully. With printf(buffer), if we submit a value of %d, which means decimal, the program will search the memory looking for an integer. In the same way, you can use this to input hexadecimal information and read the memory stack.
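The difference between the two call forms can be observed safely with an input that only contains "%%", which printf interprets without fetching any argument. This is an added example, not code from the book; render_unsafe, render_safe, count_conversions and the sample string are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample input standing in for user-supplied text. */
static const char SAMPLE[] = "100%% done";

/* Silenced only so the deliberately wrong call compiles cleanly; in real
   builds keep -Wformat -Wformat-security enabled, because they flag it. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
/* WRONG: user data is the format string, the same bug as printf(buffer). */
static int render_unsafe(char *out, size_t n, const char *user)
{
    return snprintf(out, n, user);
}
#pragma GCC diagnostic pop

/* RIGHT: fixed format string, user data is only ever an argument. */
static int render_safe(char *out, size_t n, const char *user)
{
    return snprintf(out, n, "%s", user);
}

/* Simplified check: counts conversions ("%" not followed by "%"), each of
   which would make printf fetch an argument the caller never passed. */
static int count_conversions(const char *s)
{
    int count = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') { s++; continue; }   /* "%%" is a literal percent */
        count++;
    }
    return count;
}

int main(void)
{
    char a[64], b[64];
    /* "%d" is not passed to render_unsafe: that is undefined behaviour. */
    render_unsafe(a, sizeof a, SAMPLE);   /* input is interpreted */
    render_safe(b, sizeof b, SAMPLE);     /* input is copied verbatim */
    printf("unsafe: %s\nsafe:   %s\n", a, b);
    printf("conversions in \"%%d %%x\": %d\n", count_conversions("%d %x"));
    return 0;
}
```

The unsafe form alters the text ("100% done") because the input was parsed as a format, while the safe form returns it unchanged; any input for which count_conversions is non-zero would make the unsafe form read arguments that do not exist.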

Bed

Bed is an open source tool that is used to scan applications for potential buffer overflows and format string issues. By default, the tool is not installed in Kali Linux. To install the Bed tool, you must run the following command:

$ sudo apt install bed

To list the options available for Bed, as well as a high-level description, all you need to do is run the bed -h command, as shown in the following screenshot:

Figure 6.3 – Bed command-line options

The following command shows an example of using the HTTP plugin to fuzz the Metasploitable 2 virtual machine:

$ bed -s HTTP -t 192.168.1.102

Here’s the output:

Figure 6.4 – Bed command-line example

In this section, we provided a high-level overview of code-based attacks. Usually, these types of attacks are not covered during ethical hacking attacks, but knowing about them and some of the available tools can prove useful. Next, we will focus on exploiting services using different techniques and tools.
