Exploiting stack overflow 101

Published on: Chennai November 2011 meet



1. Exploiting Stack Overflow 101
   By Sebas Sujeen (_masteR)
2. #whoami
   - Student @ CEG, currently in my fourth year
   - Interested in exploit development / systems security
   - Active member of g4h, an online community for hackers
   - Attitude: learn what you don't know, share what you learn
   - Blog @ http://phr33dom.wordpress.com
3. Agenda
   - We will be exploiting a simple stack overflow found in the EasyRmtoMp3 player
   - Nothing new: the reason for choosing this software is that a reference for exploiting it is available online @ http://corelan.be
   - So nothing stops you from trying it out yourselves!
4. Setting up the Environment
   - Immunity Debugger
   - Windows XP SP3
   - Metasploit Framework
5. The theory... Before the fun part
   - A typical function call looks like this in assembly:
         push args
         call function
6. The theory... Before the fun part
   - A typical function prologue:
         push ebp          ; save the caller's frame pointer (the saved frame pointer, sfp)
         mov ebp, esp      ; ebp now points to the base of the current stack frame
         sub esp, <offset> ; reserve space for local variables
7. The theory... Before the fun part
   - A typical function epilogue looks like this:
         leave             ; equivalent to mov esp, ebp / pop ebp
         ret               ; pop the dword at esp and put it in eip
8. Visualize the stack (figure after Breno de Medeiros, Florida State University, Fall 2005)
   - Function (sub-routine) calls result in an activation frame being pushed onto a memory area called the stack.
   - Frame layout as drawn on the slide, top to bottom (the stack grows toward the bottom, i.e. toward lower addresses):
         <previous stack frame>
         function arguments
         return address
         previous frame pointer
         local variables
         local buffer variables
9. Time to visualize the exploit
   - The vulnerable program from the slide (gets() is kept on purpose: it is the bug being discussed):
         #include <stdio.h>

         void get_input(void) {
             char buf[1024];   /* local buffer on the stack */
             gets(buf);        /* no length limit: reads until newline */
         }

         int main(int argc, char *argv[]) {
             get_input();
             return 0;
         }
   - This is vulnerable to a buffer overflow because gets() does not check the size of the buffer, so longer input overflows it. According to the previous slide, if we give 1024 + 8 bytes (1024 bytes of buffer, 4 bytes of saved frame pointer and 4 bytes of return address on 32-bit x86) we overwrite the saved return address; that address can be the address of our shellcode in memory, altering the execution path of the program.
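Added example, not from the slides: the bounded counterpart of slide 9's get_input(), so the 1024 + 8 byte input that overwrote the return address is instead reported as truncated. The names get_input_bounded, demo_input_of_length and last_len are mine; it assumes a POSIX libc that provides fmemopen().

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen() (assumption: POSIX libc) */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define BUF_SIZE 1024             /* same local buffer size as slide 9 */
size_t last_len;                  /* bytes kept by the most recent read */

/* Bounded replacement for the gets(buf) call in slide 9. Reads one line
 * into a BUF_SIZE-byte local buffer and never writes past it, so an
 * over-long line cannot reach the saved frame pointer or return address
 * above the buffer. Returns 1 if the whole line fit, 0 if it was
 * truncated (the excess is drained and discarded), -1 on EOF/error. */
int get_input_bounded(FILE *in)
{
    char buf[BUF_SIZE];
    if (fgets(buf, sizeof buf, in) == NULL)
        return -1;
    size_t len = strlen(buf);
    int fit = 1;
    if (len > 0 && buf[len - 1] == '\n') {
        buf[--len] = '\0';        /* newline present: the line fit */
    } else {
        /* No newline: fgets stopped at BUF_SIZE-1 bytes. Drain the rest of
         * the line so leftover bytes do not feed the next read. */
        int c, dropped = 0;
        while ((c = fgetc(in)) != EOF && c != '\n')
            dropped++;
        fit = (dropped == 0);     /* exactly BUF_SIZE-1 bytes still fits */
    }
    last_len = len;
    return fit;
}

/* Constructed input: a line of n 'A' bytes plus newline, fed through an
 * in-memory FILE so the check runs without a terminal. */
int demo_input_of_length(size_t n)
{
    char *line = malloc(n + 2);
    if (line == NULL)
        return -1;
    memset(line, 'A', n);
    line[n] = '\n';
    line[n + 1] = '\0';
    FILE *in = fmemopen(line, n + 1, "r");
    int status = in ? get_input_bounded(in) : -1;
    if (in) fclose(in);
    free(line);
    return status;
}
```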
10. References
    - http://phrack.org
    - http://corelan.be
    - http://metasploit.com
11. Exploit Demo
12. Questions!!!
