Your SlideShare is downloading. ×
Software Exploitation Techniques by Amit Malik
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×

Introducing the official SlideShare app

Stunning, full-screen experience for iPhone and Android

Text the download link to your phone

Standard text messaging rates apply

Software Exploitation Techniques by Amit Malik

1,788
views

Published on

Software Exploitation Techniques by Amit Malik @ null Pune Meet, July, 2010

Software Exploitation Techniques by Amit Malik @ null Pune Meet, July, 2010

Published in: Technology

0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
1,788
On Slideshare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
59
Comments
0
Likes
0
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide
  • The first three instructions (123,124,125) are known as prologue. And last three instructions(127,128,129) are know as epologue. When main call the the sum it push the address of next instruction on stack..means 127 on stack and then create its stack. See next slides.
  • Here main is preparing its stack. EBP (base pointer) register is used to track the variables. So we need to push parent function ebp on the stack so that when function return to parent function it can start normally.
  • The instruction mov ebp,esp setting the stack for main(or setting the ebp for main to track variables). And sub esp, val is creating the space for local variables of main function. Although in e.g. we have no local variable but this is for illustrative purpose. NOTE: As we can see in the above pic that stack grows downward (from higher memory address to lower memory address) means something [ebp+val] point to parameters for function (can be pass by value or pass by reference) and everything [ebp-val] point to the local variable for that function. *val- can be any value in hex..like 3,4,a,b etc. etc. Note: ret (startup) address is the address of next instruction in startup function. Explanation of startup function is beyond the scope of this presentation. But main function return 0 or 1 to startup function. Means process successfully completed or error.
  • Now main is calling sum. The first task is to push the address of next instruction means address 127 on stack. So that when function sum return it returns to 127 so that program execution continue in a normal way. Please note that no (another) instruction is required to push ret(127) on stack because call sum will do it for us.. Similar to like main, sum will creates its stack with similar instructions and also destroy stack its stack with similar instructions (127,128,129). Note: The instructions to create stack and destroy stack.. may vary with compiler to complier and are the issues of compiler optimization..for eg. Some compilers user push reg. instead of sub esp,val for integers.
  • I think it should be clear now. Note that I am showing you jmp esp (this can be call esp, push esp,ret – all have same meaning). this should be the address because EIP only understand addresses. Visit previous slides for better clarification.
  • Note that [eba+8] and [ebp+c] are the parameter for this function. (visit previous slides for more clarification). Rep movs instruction cause problem because it copy the data from [esi] to [edi] with ecx as a counter. During analysis I found that value of ecx can be maximum 41. multiply it with 4 and then we have 104 bytes..(260 bytes in dec.) and that is enough to overwrite saved EIP. Do some debugging you can easily understand it.
  • Calculate offset for EIP means after how many bytes saved EIP overwrite takes place. We can calculate it with metasploit pattern create and pattern offset scripts. but we have very limited space on the stack. So check other registers.. And ecx is pointing to our buffer but not directaly.
  • Ok what we do.. We first use stack limited space to increase ecx and to jump to ecx. But first we need to jump to esp. because EIP only accept address so we can’t use instruction like jmp esp. we need to have to find out the address. We search the address in dll.
  • And on stack add instructions that will increase the ecx. And jump to ecx.
  • The 152 etc is in Hex. In decimal it is 152  338. ok.
  • Transcript

    • 1.
      • Presented By:
      • Amit Malik
      • a.k.a DouBle_Zer0
      • [email_address]
    • 2.
      • Application overview
      • Debuggers
      • Stack based buffer overflow
      • Demo
    • 3.
      • Filecopa FTP (File Transfer Protocol) server
      • Port 21
      • Vulnerable to buffer overflow
    • 4.
      • All time favorite ollydbg
      • Why debuggers ?
      • Breakpoints
      • Immunity Debugger
      • Others
    • 5.  
    • 6.
      • Discovered in 1972. Computer Security Planning Study.
      • Exploited in 1988. Morris Worm.
      • Published in Phrack in 1994. Aleph One.
      • “ Smashing the stack for fun and profit.”
    • 7.
      • Each function creates its own stack.
      • Caller function stack: known as parent stack.
      • Called function stack: known as child stack.
      • For e.g.
      • main(){ ASM Pseudo:
      • sum(); _main:
      • } 123: push ebp
      • 124: mov ebp,esp
      • 125: sub esp,val
      • 126: call _sum
      • 127: mov esp,ebp
      • 128: pop ebp
      • 129: ret
    • 8.
      • 123: push ebp
      • 124: mov ebp,esp
      • 125: sub esp,val
      • 126: call _sum
      • 127: mov esp,ebp
      • 128: pop ebp
      • 129: ret
      Ret startup() ebp Locals main() Ret(127) ebp Locals sum() Unallocated space Stack Growth
    • 9.
      • 123: push ebp
      • 124: mov ebp,esp
      • 125: sub esp,val
      • 126: call _sum
      • 127: mov esp,ebp
      • 128: pop ebp
      • 129: ret
      Ret startup() ebp Locals main() Ret(127) ebp Locals sum() Unallocated space Stack Growth
    • 10.
      • 123: push ebp
      • 124: mov ebp,esp
      • 125: sub esp,val
      • 126: call _sum
      • 127: mov esp,ebp
      • 128: pop ebp
      • 129: ret
      Ret startup() ebp Locals main() Ret(127) ebp Locals sum() Unallocated space Stack Growth
    • 11.
      • if the input for local
      • variables is greater than the
      • space allocated to
      • them..Then……….
      Ret startup() ebp Locals main() Ret(127) ebp Locals sum() Unallocated space Stack Growth
    • 12.
      • it will overwrite ret(saved EIP)
      Ret startup() ebp Locals main() AAAA AAAA AAAAAAAAAAAA… Unallocated space Stack Growth Ret startup() ebp Locals main() jmp esp AAAA AAAAAAAAAAAA… Unallocated space Before After
    • 13.
      • Vulnerable to Buffer Overflow (LIST command)
      • But how we know that server is vulnerable ?
      • Three methods to find out security bugs.
      • Fuzzing
      • Reverse Engineering
      • Source Code Auditing
    • 14.
      • Fuzzing - Send invalid, unexpected, or random data to the inputs of a program. If the program fails/crash, the defects can be noted.
      • Ok lets send invalid input to our server.
      • Still listening ? Umm no..gud.
      • But we don’t know which function is causing this problem.
    • 15.
      • Reverse engineering – is the process of analyzing a subject system to create representations of the system at a higher level of abstraction.
      • Generally used after Fuzzing.
      • Provide in-depth information about target. Sometimes more than source code.
    • 16.  
    • 17.
      • Calculate offset for EIP.
      • ESP is pointing to our buffer.
      • Aahhh.. problem we don’t have much space on stack (only 13-14 bytes approx.).
      • Now what ?? Check other registers.
      • ECX is pointing but not directly.
    • 18.
      • But we have some bytes on stack. Use these bytes to adjust ecx and then jump to ecx.
      • We need a jmp esp (address) first.
      • Note: hard coding the stack address is not a good practice. Contains null bytes, address may change.
      • Search the address in DLLs. Because DLLs are static at least for same service packs.
    • 19.
      • ECX is at 00652984 but our data is at 006529cc (on my system).
      • Increase ECX, but a little problem that data is used to overwrite EIP.
      • So increasing ECX to that address gives little space (only 234 bytes approx.)
      • So increase ECX, that will jump over saved EIP.
    • 20.
      • So add ecx,152 bytes. Does it work ??
      • Nop.. It generate null bytes, can’t use.
      • Ok add cx,152 bytes.. Should work. Else increase bytes. 
    • 21.
      • Now jump to ecx. (instruction).
      • And we have our hellcode ready.
    • 22.  
    • 23.