Wrong confirmation ID

Email
Favorite
Favorited ×
Download
Embed
Private Content
Copy and paste this code into your blog or website Copy Customize… Close
We have emailed the verification/download link to "".
Login to your email and click the link to download the file directly.

To request the link at a different email address, update it here. Close
Validation messages. Success message. Fail message.

Check your bulk/spam folders if you can't find our mail.

Loading…

Flash Player 9 (or above) is needed to view presentations.
We have detected that you do not have it on your computer. To install it, go here.

+ Follow

Software Exploitation Techniques by Amit Malik

by n|u - The Open Security Community on Jul 19, 2010

1,101 views

Software Exploitation Techniques by Amit Malik @ null Pune Meet, July, 2010

More…

Software Exploitation Techniques by Amit Malik @ null Pune Meet, July, 2010

Less

3 Embeds 55

http://null.co.in	44
http://nullpresentations.blogspot.com	10
http://www.nullpresentations.blogspot.com	1

Statistics

Favorites: 0
Downloads: 43
Comments: 0
Embed Views: 55
Views on SlideShare: 1,046
Total Views: 1,101

The first three instructions (123,124,125) are known as prologue. And last three instructions(127,128,129) are know as epologue. When main call the the sum it push the address of next instruction on stack..means 127 on stack and then create its stack. See next slides.
Here main is preparing its stack. EBP (base pointer) register is used to track the variables. So we need to push parent function ebp on the stack so that when function return to parent function it can start normally.
The instruction mov ebp,esp setting the stack for main(or setting the ebp for main to track variables). And sub esp, val is creating the space for local variables of main function. Although in e.g. we have no local variable but this is for illustrative purpose. NOTE: As we can see in the above pic that stack grows downward (from higher memory address to lower memory address) means something [ebp+val] point to parameters for function (can be pass by value or pass by reference) and everything [ebp-val] point to the local variable for that function. *val- can be any value in hex..like 3,4,a,b etc. etc. Note: ret (startup) address is the address of next instruction in startup function. Explanation of startup function is beyond the scope of this presentation. But main function return 0 or 1 to startup function. Means process successfully completed or error.
Now main is calling sum. The first task is to push the address of next instruction means address 127 on stack. So that when function sum return it returns to 127 so that program execution continue in a normal way. Please note that no (another) instruction is required to push ret(127) on stack because call sum will do it for us.. Similar to like main, sum will creates its stack with similar instructions and also destroy stack its stack with similar instructions (127,128,129). Note: The instructions to create stack and destroy stack.. may vary with compiler to complier and are the issues of compiler optimization..for eg. Some compilers user push reg. instead of sub esp,val for integers.
I think it should be clear now. Note that I am showing you jmp esp (this can be call esp, push esp,ret – all have same meaning). this should be the address because EIP only understand addresses. Visit previous slides for better clarification.
Note that [eba+8] and [ebp+c] are the parameter for this function. (visit previous slides for more clarification). Rep movs instruction cause problem because it copy the data from [esi] to [edi] with ecx as a counter. During analysis I found that value of ecx can be maximum 41. multiply it with 4 and then we have 104 bytes..(260 bytes in dec.) and that is enough to overwrite saved EIP. Do some debugging you can easily understand it.
Calculate offset for EIP means after how many bytes saved EIP overwrite takes place. We can calculate it with metasploit pattern create and pattern offset scripts. but we have very limited space on the stack. So check other registers.. And ecx is pointing to our buffer but not directaly.
Ok what we do.. We first use stack limited space to increase ecx and to jump to ecx. But first we need to jump to esp. because EIP only accept address so we can’t use instruction like jmp esp. we need to have to find out the address. We search the address in dll.
And on stack add instructions that will increase the ecx. And jump to ecx.
The 152 etc is in Hex. In decimal it is 152  338. ok.

Software Exploitation Techniques by Amit Malik — Presentation Transcript

- Presented By:
- Amit Malik
- a.k.a DouBle_Zer0
- [email_address]
- Application overview
- Debuggers
- Stack based buffer overflow
- Demo
- Filecopa FTP (File Transfer Protocol) server
- Port 21
- Vulnerable to buffer overflow
- All time favorite ollydbg
- Why debuggers ?
- Breakpoints
- Immunity Debugger
- Others
- Discovered in 1972. Computer Security Planning Study.
- Exploited in 1988. Morris Worm.
- Published in Phrack in 1994. Aleph One.
- “ Smashing the stack for fun and profit.”
- Each function creates its own stack.
- Caller function stack: known as parent stack.
- Called function stack: known as child stack.
- For e.g.
- main(){ ASM Pseudo:
- sum(); _main:
- } 123: push ebp
- 124: mov ebp,esp
- 125: sub esp,val
- 126: call _sum
- 127: mov esp,ebp
- 128: pop ebp
- 129: ret
- 123: push ebp
- 124: mov ebp,esp
- 125: sub esp,val
- 126: call _sum
- 127: mov esp,ebp
- 128: pop ebp
- 129: ret
Ret startup() ebp Locals main() Ret(127) ebp Locals sum() Unallocated space Stack Growth
- 123: push ebp
- 124: mov ebp,esp
- 125: sub esp,val
- 126: call _sum
- 127: mov esp,ebp
- 128: pop ebp
- 129: ret
Ret startup() ebp Locals main() Ret(127) ebp Locals sum() Unallocated space Stack Growth
- 123: push ebp
- 124: mov ebp,esp
- 125: sub esp,val
- 126: call _sum
- 127: mov esp,ebp
- 128: pop ebp
- 129: ret
Ret startup() ebp Locals main() Ret(127) ebp Locals sum() Unallocated space Stack Growth
- if the input for local
- variables is greater than the
- space allocated to
- them..Then……….
Ret startup() ebp Locals main() Ret(127) ebp Locals sum() Unallocated space Stack Growth
- it will overwrite ret(saved EIP)
Ret startup() ebp Locals main() AAAA AAAA AAAAAAAAAAAA… Unallocated space Stack Growth Ret startup() ebp Locals main() jmp esp AAAA AAAAAAAAAAAA… Unallocated space Before After
- Vulnerable to Buffer Overflow (LIST command)
- But how we know that server is vulnerable ?
- Three methods to find out security bugs.
- Fuzzing
- Reverse Engineering
- Source Code Auditing
- Fuzzing - Send invalid, unexpected, or random data to the inputs of a program. If the program fails/crash, the defects can be noted.
- Ok lets send invalid input to our server.
- Still listening ? Umm no..gud.
- But we don’t know which function is causing this problem.
- Reverse engineering – is the process of analyzing a subject system to create representations of the system at a higher level of abstraction.
- Generally used after Fuzzing.
- Provide in-depth information about target. Sometimes more than source code.
- Calculate offset for EIP.
- ESP is pointing to our buffer.
- Aahhh.. problem we don’t have much space on stack (only 13-14 bytes approx.).
- Now what ?? Check other registers.
- ECX is pointing but not directly.
- But we have some bytes on stack. Use these bytes to adjust ecx and then jump to ecx.
- We need a jmp esp (address) first.
- Note: hard coding the stack address is not a good practice. Contains null bytes, address may change.
- Search the address in DLLs. Because DLLs are static at least for same service packs.
- ECX is at 00652984 but our data is at 006529cc (on my system).
- Increase ECX, but a little problem that data is used to overwrite EIP.
- So increasing ECX to that address gives little space (only 234 bytes approx.)
- So increase ECX, that will jump over saved EIP.
- So add ecx,152 bytes. Does it work ??
- Nop.. It generate null bytes, can’t use.
- Ok add cx,152 bytes.. Should work. Else increase bytes. 
- Now jump to ecx. (instruction).
- And we have our hellcode ready.

Software Exploitation Techniques by Amit Malik

by n|u - The Open Security Community on Jul 19, 2010

Accessibility

Categories

Tags

Upload Details

Usage Rights

3 Embeds 55

Statistics

Software Exploitation Techniques by Amit Malik — Presentation Transcript