Date posted: 18-Jan-2017
Category: Technology
Uploaded by: mohammed-a-imran
Hello!
I'm Imran.
Senior Security Engineer at Autodesk
Null Singapore Founder and Leader
OSCP/SCJP
MI
Warning! Please note that this workshop is intended for educational purposes only, and you should NOT use the acquired skills to attack any system. It's illegal to hack a system without permission and is a punishable offense in most countries including Singapore.
You agree to abide by the above statement by staying in this workshop after this slide.
Agenda
Let's tickle security buds …
#include <stdio.h>

int main() {
    int cookie;
    char buf[80];
    /* leak both addresses so the distance from buf to cookie is visible */
    printf("b: %p c: %p\n", (void *)buf, (void *)&cookie);
    gets(buf);   /* no bounds check: input longer than the buffer runs into cookie */
    if (cookie == 0x41424344)
        printf("you win!\n");
    return 0;
}
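As an added example (not from the workshop slides), the cookie program's frame is modelled below as a struct so the overflow can be run safely next to its bounded fix: the gets()-style copy lets 80 filler bytes plus four trailing bytes rewrite the cookie to the slide's 0x41424344, while the fgets()-style copy leaves it untouched. The struct, the COOKIE_INIT value and the helper names are my own constructions.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
/* Model of the frame in the cookie program: buf[80] sits directly below
 * the cookie, so every byte written past buf[79] lands on the cookie. */
struct frame {
    char buf[80];
    uint32_t cookie;
};

#define COOKIE_INIT 0xCAFEBABEu   /* constructed starting value for the cookie */
/* Emulates gets(buf): no bound at all. Capped at the frame size here only so the
 * demo stays inside the object; the real gets() keeps writing up the stack. */
static void fill_unbounded(struct frame *f, const unsigned char *in, size_t n) {
    if (n > sizeof *f) n = sizeof *f;
    memcpy((unsigned char *)f, in, n);
}

/* Hardened form, fgets(buf, sizeof buf, stdin) style: bounded by the buffer
 * size and always NUL-terminated, so nothing can reach the cookie. */
static void fill_bounded(struct frame *f, const unsigned char *in, size_t n) {
    size_t limit = sizeof f->buf - 1;
    if (n > limit) n = limit;
    memcpy(f->buf, in, n);
    f->buf[n] = '\0';
}

/* Runs one variant on the input and returns the cookie value afterwards. */
uint32_t cookie_after(int hardened, const unsigned char *in, size_t n) {
    struct frame f;
    memset(&f, 0, sizeof f);
    f.cookie = COOKIE_INIT;
    if (hardened) fill_bounded(&f, in, n); else fill_unbounded(&f, in, n);
    return f.cookie;
}
/* Constructed input: 80 filler bytes followed by the byte image of the
 * slide's winning value in host byte order (no little-endian assumption). */
uint32_t demo(int hardened) {
    unsigned char in[84];
    uint32_t tail = 0x41424344u;
    memset(in, 'A', 80);
    memcpy(in + 80, &tail, sizeof tail);
    return cookie_after(hardened, in, sizeof in);
}

int main(void) {
    printf("gets-style : cookie = 0x%08x\n", (unsigned)demo(0));   /* 0x41424344, "you win" */
    printf("fgets-style: cookie = 0x%08x\n", (unsigned)demo(1));   /* 0xcafebabe, unchanged */
    return 0;
}
```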
20-30 instructions are enough for most of your needs.
14 assembly instructions account for 90% of assembly code! http://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Bilar.pdf
Let’s learn Assembly Language
Slides: http://www.slideshare.net/secfigo/assembly-language-21656919
Assembly Language Trivia
AT&T syntax: mov source, destination
    mov $61, %eax
    objdump -d /bin/cat
Intel syntax: mov destination, source
    mov al, 61
    objdump -M intel -d /bin/cat
Stdcall vs cdecl
Common to both: function parameters are pushed onto the stack right to left, and the callee saves the old stack frame pointer and sets up a new stack frame.
cdecl: the caller is responsible for stack cleanup.
Stdcall: the callee is responsible for stack cleanup.
From the amazing Corelan tutorial: https://www.corelan.be/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/
Memory layout in win32
Stack overflow example
#include <stdio.h>

int add(int a, int b)
{
    int var1 = a;   /* locals live below the saved EBP in add()'s frame */
    int var2 = b;
    return var1 + var2;
}

int main()
{
    printf("enter two numbers");
    /* .... */
    int sum = add(3, 5);   /* when this function is invoked: b, a, then the return address are pushed */
    printf("sum is %d", sum);
    return 0;
}
Buffer overflow: stack frame layout (three slides show the same frame, first with generic "Argument 1/2" labels and then with a and b for the add() call)

High memory (0x0012F000)
.......
Argument 2 (b)
Argument 1 (a)
RETURN ADDRESS
Old value of EBP (old frame)
.
. locals of add() (var1, var2) and any buffer
.
Low memory (0x0012D000)
Immunity Debugger and Mona
“Immunity Debugger is a powerful new way to write exploits, analyze malware, and reverse engineer binary files. It builds on a solid user interface with function graphing, the industry's first heap analysis tool built specifically for heap creation, and a large and well supported Python API for easy extensibility.”
- https://www.immunityinc.com/products/debugger
“Mona.py is a very powerful PyCommand for Immunity Debugger. Mona makes exploit development a breeze and has tons of helper methods to automate mundane tasks in exploit development.”
- https://www.corelan.be/index.php/2011/07/14/mona-py-the-manual/
Exercises
We will repeat the following steps for every exploit:
1. Fuzzing the target
2. Find the crash offset
3. Analyze if the crash is exploitable
4. Control EIP and jump to shellcode
5. Game over
Vanilla Stack Overflow
Name: ASX to MP3 Converter
Exploit Type: Vanilla Stack Overflow
URL: https://www.exploit-db.com/exploits/11930/
Exploit steps: https://github.com/secfigo/exploit-dev-series
SEH Exploit
Name: Konica Minolta FTP Utility 1.0
Exploit Type: SEH Overflow
URL: https://www.exploit-db.com/exploits/38252/
Exploit steps: https://github.com/secfigo/exploit-dev-series
References
• http://opensecuritytraining.info/
• https://www.corelan.be/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/
• https://github.com/RPISEC/MBE
• Hacking: The Art of Exploitation
Null Singapore