Exploit development 101 - Part 1 - Null Singapore

Post on 18-Jan-2017


https://www.flickr.com/photos/68759973@N00/26497568431/ hugojcardoso

I’m Imran.

Senior Security Engineer at Autodesk

Null Singapore Founder and Leader

OSCP/SCJP


Hello !

Warning! Please note that this workshop is intended for educational purposes only, and you should NOT use the acquired skills to attack any system. It's illegal to hack a system without permission and is a punishable offense in most countries including Singapore.

You agree to abide by above statement by staying in this workshop after this slide.

Agenda

Let's tickle security buds …

#include <stdio.h>

int main() {
    int cookie;
    char buf[80];

    /* print where the buffer and the cookie live on the stack */
    printf("b: %x c: %x\n", &buf, &cookie);

    /* gets() has no length limit: input longer than 80 bytes overwrites
       whatever sits above buf on the stack, including cookie */
    gets(buf);

    if (cookie == 0x41424344)
        printf("you win!\n");

    return 0;
}
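As an added example (not from the slides), here is the same program with gets() replaced by a bounded fgets() read that also detects and discards over-long input so it cannot reach cookie; the read_line, run_hardened and check_input helpers are names introduced for this illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
enum read_status { READ_OK = 0, READ_TRUNCATED = 1, READ_EOF = 2 };

/* Bounded replacement for gets(): reads at most n-1 bytes into buf, strips the
 * newline and reports whether the line was longer than the buffer. The rest of
 * an over-long line is drained so a later read does not see it as new input. */
static enum read_status read_line(char *buf, size_t n, FILE *in)
{
    if (fgets(buf, (int)n, in) == NULL) {
        buf[0] = '\0';
        return READ_EOF;
    }
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';
        return READ_OK;
    }
    int c = fgetc(in);                  /* no newline: full buffer or EOF */
    if (c == EOF)
        return READ_OK;                 /* last line simply lacked a newline */
    while (c != '\n' && c != EOF)       /* discard the remainder of the line */
        c = fgetc(in);
    return READ_TRUNCATED;
}

/* Hardened version of the slide's program: cookie is initialised and the write
 * into buf is bounded by sizeof buf, so no input length can reach it. */
static int run_hardened(FILE *in)
{
    int cookie = 0;
    char buf[80];
    if (read_line(buf, sizeof buf, in) == READ_TRUNCATED)
        fprintf(stderr, "input beyond %zu bytes was discarded\n", sizeof buf - 1);
    return cookie == 0x41424344;        /* always 0: cookie is never written */
}

/* Check hook: feeds constructed input through fmemopen and performs two reads
 * so the drain behaviour is observable; returns the status of the first read. */
int check_input(const char *input, char *first, char *second, size_t n)
{
    FILE *in = fmemopen((void *)input, strlen(input), "r");
    if (in == NULL) return -1;
    int st = (int)read_line(first, n, in);
    read_line(second, n, in);
    fclose(in);
    return st;
}
int main(void) { return run_hardened(stdin) ? 0 : 1; }
```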

Assembly Language Trivia

AT&T syntax: MOV source, destination

    mov $61, %eax

    objdump -d /bin/cat

Intel syntax: MOV destination, source

    mov al, 61

    objdump -M intel -d /bin/cat

Stdcall vs cdecl

Common to both conventions:

• Function parameters are pushed onto the stack right to left.

• The callee saves the old stack frame pointer (EBP) and sets up a new stack frame.

cdecl: caller responsible for stack cleanup.

Stdcall: callee responsible for stack cleanup.

From amazing corelan https://www.corelan.be/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/

Memory layout in win32

Stack overflow example

#include <stdio.h>

int add(int a, int b)
{
    int var1 = a;          /* locals of add() live below its saved EBP */
    int var2 = b;
    return var1 + var2;
}

int main()
{
    printf("enter two numbers\n");
    /* .... */
    int sum = add(3, 5);   /* when this function is invoked (see the stack frames below) */
    printf("sum is %d\n", sum);
    return 0;
}

Buffer overflow: stack frame of add() when it is invoked, high memory at the top

    High memory   0x0012F000
    +-----------------------+
    | .......               |
    | Argument 2            |
    | Argument 1            |
    | RETURN ADDRESS        |
    | Old value of EBP      |
    | .                     |  (local variables of add)
    | .                     |
    +-----------------------+
    Low memory    0x0012D000

Buffer overflow: the same frame drawn with low memory at the top, arguments labelled a and b

    Low memory    0x0012D000
    +-----------------------+
    | .                     |  (local variables var1, var2)
    | .                     |
    | Old EBP – old frame   |
    | Return address        |
    | a  (Argument 1)       |
    | b  (Argument 2)       |
    | .......               |
    +-----------------------+
    High memory   0x0012F000

Immunity Debugger and Mona

“Immunity Debugger is a powerful new way to write exploits, analyze malware, and reverse engineer binary files. It builds on a solid user interface with function graphing, the industry's first heap analysis tool built specifically for heap creation, and a large and well supported Python API for easy extensibility.”

- https://www.immunityinc.com/products/debugger

“Mona.py is a very powerful PyCommand for Immunity Debugger. Mona makes exploit development a breeze and has tons of helper methods to automate mundane tasks in exploit development.”

- https://www.corelan.be/index.php/2011/07/14/mona-py-the-manual/

Exercises

We will repeat the following steps for every exploit:

1. Fuzzing the target

2. Find the crash offset

3. Analyze if the crash is exploitable

4. Control EIP and jump to shellcode

5. Game over

References

• http://opensecuritytraining.info/

• https://www.corelan.be/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/

• https://github.com/RPISEC/MBE

• Hacking: The Art of Exploitation (Jon Erickson)

Null Singapore