Exploit Research and Development Megaprimer: Eliminating the Bad Characters in Shellcode

•Download as PPTX, PDF•

5 likes•1,391 views

Exploit Research and Development Megaprimer http://opensecurity.in/exploit-research-and-development-megaprimer/ http://www.youtube.com/playlist?list=PLX3EwmWe0cS_5oy86fnqFRfHpxJHjtuyf

Education

EXPLOIT RESEARCH
ELIMINATING BAD CHARACTERS
KERALA CYBER FORCE
WWW.KERALACYBERFORCE.IN
AJIN ABRAHAM
@ajinabraham

@ajinabraham
ELIMINATING BAD CHARACTERS
• Bad characters are those unwanted characters that can break your shellcode.
• We can use !mona bytearray to generate bytes from 0x00 – 0xFF.
• Insert the pattern into the buffer and find out which one is breaking the shellcode
• Mark it as a bad character and re-insert pattern excluding that bad character till all
the bad characters are eliminated.
• Create your shellcode excluding the bad characters.
• That’s It.

@ajinabraham
SOME COMMON BAD CHARACTERS
• 00 – NULL
• 0A – Line feed n
• 0D –Carriage return r
• FF – Form Feed f
Thanks
@ajinabraham

Viewers also liked

Inter-protocol Exploitation removes browser-based attacks from being dependent upon browser vulnerabilities. It increases the number of potential exploits to include many service vulnerabilities throughout the internal corporate network. This includes whatever service can be contacted via a browser request. Multiple protocols like IMAP, SMTP, POP, SIP, IRC and others are "tolerant" to errors, and they don't reset the connection with the client if they receive data that is not compliant with the protocol grammar. This leads to the possibility of interacting with such protocols with HTTP requests, even without the need of a SOP bypass. During the talk, we will see a demonstration on how to compromise an IMAP server that sits in the victim's internal network through its browser hooked in BeEF. This will include disabling the browser's PortBanning, identifying the victim's internal network IP and the live hosts in the subnet, followed by a port scan and finally sending the custom BeEF Bind shellcode after the IMAP service has been localized.

Rooting Your Internals: Inter-Protocol Exploitation, custom shellcode and BeEF

Michele Orru

Exploit Research and Development Megaprimer: Unicode Based Exploit Development

Ajin Abraham

Anton Dorfman. Shellcode Mastering.

Positive Hack Days

Talking about exploit writing

sbha0909

Shellcode Analysis - Basic and Concept

Julia Yu-Chin Cheng

Patching Windows Executables with the Backdoor Factory | DerbyCon 2013

midnite_runr

Hacking school computers for fun profit and better grades short

Vincent Ohprecio

Exploit Research and Development Megaprimer: Win32 Egghunter

Ajin Abraham

As the internet of things becomes less a buzzword, and more a reality, we're noticing that it's growing increasingly common to see embedded software which runs across different architectures -whether that's the same router firmware running across different models, or the operating system for a smart TV being used by different manufacturers. In a world where even your toaster might have internet access, we suspect that the ability to write cross-platform shellcode is going transition from being a merely neat trick, to a viable tool for attackers. Writing cross-platform shellcode is tough, but there's a few techniques you can use to simplify the problem. We discuss one such method, which we used to great success during the DEFCON CTF qualifiers this year. Presented by Tinfoil Security founder Michael Borohovski and engineer Shane Wilton at Secuinside 2014, in Seoul. https://www.tinfoilsecurity.com/blog/cross-platform-exploitation

One Shellcode to Rule Them All: Cross-Platform Exploitation

Quinn Wilton

Software Exploits

KevinCSmallwood

Shellcode injection

Dhaval Kapil

Writing Metasploit Plugins

amiable_indian

Browser exploits are a primary attack vector to compromise a victims internal network, but they have major restrictions including; limited current browser exploits; the huge price for 0-day browser exploits; and exploit complexity due to sandboxing. So, instead of exploiting the victims browser, what if the victims browser exploited internal systems for you? The new "BeEF Bind Exploit Proxy" module does this! This BeEF (Browser Exploitation Framework) module will allow penetration testers to proxy exploits through a victims web browser to compromise internal services. Not only this, but the new "BeEF Bind" shellcode also enables the communication channel to the attacker to pass back through the existing browser session. This attack technique (Inter-protocol Exploitation) removes browser-based attacks from being dependent upon browser vulnerabilities. It increases the number of potential exploits to include many service vulnerabilities throughout the internal corporate network. This includes whatever service can be contacted via a browser request. This increases the success rate of client-side exploitation attempts by dramatically increasing the number of vulnerabilities accessible to the attacker. So how does the new BeEF Bind Exploit Proxy work? BeEF is configured to use the BeEF Bind Exploit Proxy, and is set as the payload for XSS exploits or Phishing attacks. Once the victim visits the malicious site, their web browser becomes hooked and performs JavaScript port scanning across the internal corporate network looking for chosen open ports. Once a server has been identified, the BeEF server is notified and begins to send exploits through the hooked web browser to the service on the internal server. Each of these exploits are configured to use the new BeEF Bind shellcode. Once an exploit has successfully triggered a vulnerability within the internal service, the BeEF Bind shellcode is executed. This shellcode is designed to setup a web-listener that proxies commands through to a shell on the compromised server. This allows the attacker to send commands through the hooked web browser to the BeEF Bind payload. The command is executed on the compromised server and returned to the web browser in HTTP responses. The hooked web browser is then able to receive the command output and proxy it back to the attacker at the BeEF server. Penetration testers can now inject steroids into their XSS exploits by replacing simple alert boxes with demonstrations of actual compromised internal machines. They can also now increase the scope and success rate of their Phishing attacks to compromise internal servers. This new approach also minimizes the likelihood of IDS/IPS detection, and does not require an additional socket open back to the attacker via the firewall.

Rooting your internals - Exploiting Internal Network Vulns via the Browser Us...

Michele Orru

Cisco network equipment has always been an attractive attack target due to its prevalence and the key role that it plays in network structure and security. This equipment is based on a wide variety of OS (firmware) architectures, types, and versions, so it is much harder to develop a universal shellcode. Publicly available Cisco IOS shellcodes are tailored to specific equipment, have narrow functionality, and are not exactly useful for penetration testing. This talk is the presentation of a research initiated by our research center to create a shellcode which is as easily portable between different IOS firmwares as possible and which provides a lot of pentesting features because it can dynamically change the shellcode destination at the stage of post-exploitation. We will also consider the possibility of creating a worm which could spread across the infrastructure, from firewall to router, from router to switch, etc.

Cisco IOS shellcode: All-in-one

DefconRussia

Low Level Exploits

hughpearse

Fuzzing | Null OWASP Mumbai | 2016 June

nullowaspmumbai

Hat Secure Training By Danang Heriyadi. [SHARE] Courses Linux Exploit Research 2012 - Purpose of the Course - Introducing Vulnerability Software - Register Processor - Intruksi Assembly - Buffer Overflows - Shellcode - Exploit - Stack & Heap - Basic Buffer Overflow - Basic Stack Overflows with Linux - Smashing stack for fun and profit - Basic shellcode development - DTORS Exploitation - Heap corruption and exploitation Register : http://hatsecure.com/exploit

Advanced exploit development

Dan H

The State of the Veil Framework

VeilFramework

CNIT 127 Ch 3: Shellcode

Sam Bowne

Higher Level Malware

CTruncer

Viewers also liked (20)

Rooting Your Internals: Inter-Protocol Exploitation, custom shellcode and BeEF

Exploit Research and Development Megaprimer: Unicode Based Exploit Development

Anton Dorfman. Shellcode Mastering.

Talking about exploit writing

Shellcode Analysis - Basic and Concept

Patching Windows Executables with the Backdoor Factory | DerbyCon 2013

Hacking school computers for fun profit and better grades short

Exploit Research and Development Megaprimer: Win32 Egghunter

One Shellcode to Rule Them All: Cross-Platform Exploitation

Software Exploits

Shellcode injection

Writing Metasploit Plugins

Rooting your internals - Exploiting Internal Network Vulns via the Browser Us...

Cisco IOS shellcode: All-in-one

Low Level Exploits

Fuzzing | Null OWASP Mumbai | 2016 June

Advanced exploit development

The State of the Veil Framework

CNIT 127 Ch 3: Shellcode

Higher Level Malware

More from Ajin Abraham

This paper discusses the research outcomes on implementing a runtime application patching algorithm on an insecurely-coded application to protect it against code injection vulnerabilities and other logical issues related to web applications, and will introduce the next generation web application defending technology dubbed as Runtime Application Self-Protection (RASP) that defends against web attacks by working inside your web application. RASP relies on runtime patching to inject security into web apps implicitly without introducing additional code changes. The talk concludes with the challenges in this new technology and gives you an insight on future of runtime protection.

Injecting Security into Web apps at Runtime Whitepaper

Ajin Abraham

Web Application Security is not hard, but it’s easy to get it wrong as writing secure code is not easy as preaching. So to overcome incidents happening from such unforeseen events, organisations tend to rely on Web Application Firewalls or WAFs. Web Application Firewalls have been in the industry for a long time. Every one of them either work outside or around the web applications and act by intercepting the HTTP request coming to the web server, then take a decision to allow or block the request based on traditional signature checks. They are never aware of what is happening inside the application like how the user input is getting interpreted, Is the application/server under heavy load?, Is the attacker exfiltrating data by exploiting an SQLi that WAF couldn’t detect? etc. The strength of traditional WAF depends on manual or predefined rules/signature. As a result, they have the limitation that they will get bypassed if a payload is not present in their signature list. In the occurrence of a zero day, a WAF in most cases won’t be able to prevent an attack as they don’t know the signature of the exploit yet. In this talk I will share my research outcomes on implementing a runtime application patching algorithm on an insecurely coded application to make it secure against code injection vulnerabilities and other logical issues related to web applications. I will introduce the next generation web application defending technology dubbed as Runtime Application Self Protection (RASP) that works by understanding your application to defend against web attacks by working inside the web application. RASP relies on Runtime Patching to inject security into web apps implicitly without introducing additional code changes. The root cause of all the code injection vulnerabilities is that the language interpreter cannot distinguish between data and code. The proposed solution will detect code context breakout to effectively detect and prevent code injections with the help of runtime hooking and patching at framework api or language api level. The research focuses mainly on detecting and preventing vulnerabilities like SQL Injection, Cross Site Scripting, Remote Command Execution, HTTP Verb Tampering, Header Injection, File Upload Bypass, Path Traversal etc and other application security challenges like Session Hijacking, Credential Stuffing and Layer 7 DDoS etc. This research is carried out by implementing a RASP module to a vulnerable web application written in python using tornado framework with sqlite backend.

Injecting Security into vulnerable web apps at Runtime

Ajin Abraham

Mobile Application market is growing like anything and so is the Mobile Security industry. With lots of frequent application releases and updates happening, conducting the complete security analysis of mobile applications becomes time consuming and cumbersome. In this talk I will introduce an extendable, and scalable web framework called Mobile Security Framework (https://github.com/ajinabraham/YSO-Mobile-Security-Framework) for Security analysis of Mobile Applications. Mobile Security Framework is an intelligent and automated open source mobile application (Android/iOS) pentesting and binary/code analysis framework capable of performing static and dynamic analysis. It supports Android and iOS binaries as well as zipped source code. During the presentation, I will demonstrates some of the issues identified by the tool in real world android applications. The latest Dynamic Analyzer module will be released at OWASP AppSec. Attendees Benefits * An Open Source framework for Automated Mobile Security Assessment. * One Click Report Generation and Security Assessment. * Framework can be deployed at your own environment so that you have complete control of the data. The data/report stays within the organisation and nothing is stored in the cloud. * Supports both Android and iOS Applications. * Semi Automatic Dynamic Analyzer for intelligent application logic based (whitebox) security assessment.

AppSec EU 2016: Automated Mobile Application Security Assessment with MobSF

Ajin Abraham

Mobile Security Framework (MobSF) is an intelligent, all-in-one open source mobile application (Android/iOS) automated pen-testing framework capable of performing static and dynamic analysis. It can be used for effective and fast security analysis of Android and iOS Applications and supports both binaries (APK & IPA) and zipped source code. MobSF can also perform Web API Security testing with it's API Fuzzer that can do Information Gathering, analyze Security Headers, identify Mobile API specific vulnerabilities like XXE, SSRF, Path Traversal, IDOR, and other logical issues related to Session and API Rate Limiting.

Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...

Ajin Abraham

Automated Security Analysis of Android & iOS Applications with Mobile Securit...

Ajin Abraham

G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...

Ajin Abraham

Samsung’s first Tizen-based devices are set to launch in the middle of 2015. This paper presents the research outcome on the security analysis of Tizen OS and it’s underlying security architecture. The paper begins with a quick introduction to Tizen architecture and explains the various components of Tizen OS. This will be followed by Tizen’s security model where application sandboxing and resource access control will be explained. Moving on, an overview of Tizen’s Content Security Framework which acts as an in-built malware detection API will be covered. Various vulnerabilities in Tizen will be discussed including issues like Tizen WebKit2 address spoofing and content injection, Tizen WebKit CSP bypass and issues in Tizen’s memory protection (ASLR and DEP).

Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015

Ajin Abraham

Hacking Tizen: The OS of everything - Whitepaper

Ajin Abraham

Tizen is an operating system which is built to run on various kinds of devices. Tizen OS defines following profiles based on the devices types supported. Tizen IVI (in-vehicle infotainment) Tizen Mobile Tizen TV, and Tizen Wearable Samsung's first Tizen-based devices are set to be launched in India in Nov 2014. This paper presents the research outcome on the security analysis of Tizen OS. The paper begins with a quick introduction to Tizen architecture which explains the various components of Tizen OS. This will be followed by Tizen's security model, where Application Sandboxing and Resource Access Control powered by Smack will be explained. The vulnerabilities in Tizen identified during the research and responsibly disclosed to Tizen community will be discussed. This includes issues like Tizen WebKit2 Address spoofing and content injection, Buffer Overflows, Issues in Memory Protection like ASLR and DEP, Injecting SSL Certificate into Trusted Zone, (Shellshock) CVE-2014-6271 etc. Applications in Tizen can be written in HTML5/JS/CSS or natively using C/C++. Overview of pentesting Tizen application will be presented along with some of the issues impacting the security of Tizen application. There will be comparisons made to Android application, and how these security issues differ with Tizen. For eg: Security issues with inter application communication with custom URL schemes or intent broadcasting in Android as opposed to using MessagePort API in Tizen. Issues with Webview & JavaScript Bridge in Android compared to how the web to native communication is handled with Tizen etc. Tizen is late to enter into the market as compared to Android or iOS, which gives it the benefit of learning from the mistakes impacting the security of mobile OS, and fixing these issues right in the Security Architecture. To conclude, a verdict would be provided by the speaker on how much Tizen has achieved with regard to making this mobile OS a secure one.

Hacking Tizen : The OS of Everything - Nullcon Goa 2015

Ajin Abraham

Abusing Exploiting and Pwning with Firefox Addons

Ajin Abraham

Exploit Research and Development Megaprimer: DEP Bypassing with ROP Chains

Ajin Abraham

Abusing Google Apps and Data API: Google is My Command and Control Center

Ajin Abraham

Exploit Research and Development Megaprimer: mona.py, Exploit Writer's Swiss ...

Ajin Abraham

Exploit Research and Development Megaprimer: Buffer overflow for beginners

Ajin Abraham

OWASP Xenotix XSS Exploit Framework v3 : Nullcon Goa 2013

Ajin Abraham

Pwning with XSS: from alert() to reverse shell: Defcon Banglore 2013

Ajin Abraham

Abusing, Exploiting and Pwning with Firefox Add-ons: OWASP Appsec 2013 Presen...

Ajin Abraham

The paper is about abusing and exploiting Firefox add-on Security model and explains how JavaScript functions, XPCOM and XPConnect interfaces, technologies like CORS and WebSocket, Session storing and full privilege execution can be abused by a hacker for malicious purposes. The widely popular browser add-ons can be targeted by hackers to implement new malicious attack vectors resulting in confidential data theft and full system compromise. This paper is supported by proof of concept add-ons which abuse and exploits the add-on coding in Firefox 17, the release which Mozilla boasts to have a more secure architecture against malicious plugins and add-ons. The proof of concept includes the implementation of a Local keylogger, a Remote keylogger, stealing Linux password files, spawning a Reverse Shell, stealing the authenticated Firefox session data, and Remote DDoS attack. All of these attack vectors are fully undetectable against anti-virus solutions and can bypass protection mechanisms.

Abusing, Exploiting and Pwning with Firefox Add-ons

Ajin Abraham

Xenotix XSS Exploit Framework: Clubhack 2012

Ajin Abraham

Wi-Fi Security with Wi-Fi P+

Ajin Abraham

More from Ajin Abraham (20)

Injecting Security into Web apps at Runtime Whitepaper

Injecting Security into vulnerable web apps at Runtime

AppSec EU 2016: Automated Mobile Application Security Assessment with MobSF

Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...

Automated Security Analysis of Android & iOS Applications with Mobile Securit...

G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...

Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015

Hacking Tizen: The OS of everything - Whitepaper

Hacking Tizen : The OS of Everything - Nullcon Goa 2015

Abusing Exploiting and Pwning with Firefox Addons

Exploit Research and Development Megaprimer: DEP Bypassing with ROP Chains

Abusing Google Apps and Data API: Google is My Command and Control Center

Exploit Research and Development Megaprimer: mona.py, Exploit Writer's Swiss ...

Exploit Research and Development Megaprimer: Buffer overflow for beginners

OWASP Xenotix XSS Exploit Framework v3 : Nullcon Goa 2013

Pwning with XSS: from alert() to reverse shell: Defcon Banglore 2013

Abusing, Exploiting and Pwning with Firefox Add-ons: OWASP Appsec 2013 Presen...

Abusing, Exploiting and Pwning with Firefox Add-ons

Xenotix XSS Exploit Framework: Clubhack 2012

Wi-Fi Security with Wi-Fi P+

Recently uploaded

COMMUNICATING NEGATIVE NEWS - APPROACHES .pptx

annathomasp01

TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...

Nguyen Thanh Tu Collection

latest AZ-104 Exam Questions and Answers

dalebeck957

𝐋𝐞𝐬𝐬𝐨𝐧 𝐎𝐮𝐭𝐜𝐨𝐦𝐞𝐬: -Discern accommodations and modifications within inclusive classroom environments, distinguishing between their respective roles and applications. -Through critical analysis of hypothetical scenarios, learners will adeptly select appropriate accommodations and modifications, honing their ability to foster an inclusive learning environment for students with disabilities or unique challenges.

Understanding Accommodations and Modifications

MJDuyan

Single or Multiple melodic lines structure

dhanjurrannsibayan2

80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...

Nguyen Thanh Tu Collection

Unit 3 Emotional Intelligence and Spiritual Intelligence.pdf

Dr Vijay Vishwakarma

General Principles of Intellectual Property: Concepts of Intellectual Proper...

Poonam Aher Patil

Accessible Digital Futures project (20/03/2024)

Jisc

Jamworks pilot and AI at Jisc (20/03/2024)

Jisc

Towards a code of practice for AI in AT.pptx

Jisc

This presentation covers the essential parameters of Unit 2 Operations Processes of the subject Operations & Supply Chain Management. Topics Covered: Volume Variety and Flow. Types of Processes and Operations Systems - Continuous Flow system and intermittent flow systems.Job Production, Batch Production, Assembly line and Continuous Flow, Process and Product Layout. Design of Service Systems, Service Blueprinting.

OSCM Unit 2_Operations Processes & Systems

Sandeep D Chaudhary

How to Add New Custom Addons Path in Odoo 17

Celine George

Basic Intentional Injuries Health Education

NeilDeclaro1

How to Manage Global Discount in Odoo 17 POS

Celine George

Salient Features of India constitution especially power and functions

KarakKing

HMCS Max Bernays Pre-Deployment Brief (May 2024).pptx

Esquimalt MFRC

Fostering Friendships - Enhancing Social Bonds in the Classroom

Pooky Knightsmith

Graduate Outcomes Presentation Slides - English

neillewis46

Google Gemini An AI Revolution in Education.pptx

Dr. Sarita Anand

Recently uploaded (20)

COMMUNICATING NEGATIVE NEWS - APPROACHES .pptx

TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...

latest AZ-104 Exam Questions and Answers

Understanding Accommodations and Modifications

Single or Multiple melodic lines structure

80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...

Unit 3 Emotional Intelligence and Spiritual Intelligence.pdf

General Principles of Intellectual Property: Concepts of Intellectual Proper...

Accessible Digital Futures project (20/03/2024)

Jamworks pilot and AI at Jisc (20/03/2024)

Towards a code of practice for AI in AT.pptx

OSCM Unit 2_Operations Processes & Systems

How to Add New Custom Addons Path in Odoo 17

Basic Intentional Injuries Health Education

How to Manage Global Discount in Odoo 17 POS

Salient Features of India constitution especially power and functions

HMCS Max Bernays Pre-Deployment Brief (May 2024).pptx

Fostering Friendships - Enhancing Social Bonds in the Classroom

Graduate Outcomes Presentation Slides - English

Google Gemini An AI Revolution in Education.pptx

Exploit Research and Development Megaprimer: Eliminating the Bad Characters in Shellcode

1. EXPLOIT RESEARCH ELIMINATING BAD CHARACTERS KERALA CYBER FORCE WWW.KERALACYBERFORCE.IN AJIN ABRAHAM @ajinabraham

2. @ajinabraham ELIMINATING BAD CHARACTERS • Bad characters are those unwanted characters that can break your shellcode. • We can use !mona bytearray to generate bytes from 0x00 – 0xFF. • Insert the pattern into the buffer and find out which one is breaking the shellcode • Mark it as a bad character and re-insert pattern excluding that bad character till all the bad characters are eliminated. • Create your shellcode excluding the bad characters. • That’s It.

3. @ajinabraham SOME COMMON BAD CHARACTERS • 00 – NULL • 0A – Line feed n • 0D –Carriage return r • FF – Form Feed f Thanks @ajinabraham

Exploit Research and Development Megaprimer: Eliminating the Bad Characters in Shellcode

Recommended

Recommended

More Related Content

Viewers also liked

Viewers also liked (20)

More from Ajin Abraham

More from Ajin Abraham (20)

Recently uploaded

Recently uploaded (20)

Exploit Research and Development Megaprimer: Eliminating the Bad Characters in Shellcode