Software Exploitation Techniques by Amit Malik

Software Exploitation Techniques by Amit Malik @ null Pune Meet, July, 2010

  1. <ul><li>Presented by: Amit Malik, a.k.a. DouBle_Zer0</li><li>[email_address]</li></ul>
  2. <ul><li>Application overview</li><li>Debuggers</li><li>Stack-based buffer overflow</li><li>Demo</li></ul>
  3. <ul><li>Filecopa FTP (File Transfer Protocol) server</li><li>Port 21</li><li>Vulnerable to buffer overflow</li></ul>
  4. <ul><li>All-time favorite: OllyDbg</li><li>Why debuggers?</li><li>Breakpoints</li><li>Immunity Debugger</li><li>Others</li></ul>
  6. <ul><li>Discovered in 1972: Computer Security Planning Study.</li><li>Exploited in 1988: Morris Worm.</li><li>Published in Phrack in 1994 by Aleph One: “Smashing the Stack for Fun and Profit.”</li></ul>
  7. <ul><li>Each function creates its own stack (frame).</li><li>Caller function's stack: known as the parent stack.</li><li>Called function's stack: known as the child stack.</li><li>For example:</li></ul>
     <pre>
main(){        ASM Pseudo:
  sum();       _main:
}              123: push ebp
               124: mov ebp,esp
               125: sub esp,val
               126: call _sum
               127: mov esp,ebp
               128: pop ebp
               129: ret
     </pre>
  8-10. (three slides with the same code, stepping through the frame set-up)
     <pre>
123: push ebp
124: mov ebp,esp
125: sub esp,val
126: call _sum
127: mov esp,ebp
128: pop ebp
129: ret
     </pre>
     Stack diagram (top to bottom, with a Stack Growth arrow): Ret startup() | ebp | Locals main() | Ret(127) | ebp | Locals sum() | Unallocated space.
  11. <ul><li>If the input for the local variables is larger than the space allocated to them... then...</li></ul>
     Stack diagram (as before): Ret startup() | ebp | Locals main() | Ret(127) | ebp | Locals sum() | Unallocated space.
  12. <ul><li>It will overwrite ret (the saved EIP).</li></ul>
     Stack diagram, Before: Ret startup() | ebp | Locals main() | AAAA | AAAA | AAAAAAAAAAAA… | Unallocated space. After: Ret startup() | ebp | Locals main() | jmp esp | AAAA | AAAAAAAAAAAA… | Unallocated space.
  13. <ul><li>Vulnerable to buffer overflow (LIST command).</li><li>But how do we know that the server is vulnerable?</li><li>Three methods to find security bugs:</li><li>Fuzzing</li><li>Reverse engineering</li><li>Source code auditing</li></ul>
  14. <ul><li>Fuzzing: send invalid, unexpected, or random data to the inputs of a program. If the program fails or crashes, the defects can be noted.</li><li>OK, let's send invalid input to our server.</li><li>Still listening? Umm, no.. good.</li><li>But we don't know which function is causing this problem.</li></ul>
  15. <ul><li>Reverse engineering: the process of analyzing a subject system to create representations of the system at a higher level of abstraction.</li><li>Generally used after fuzzing.</li><li>Provides in-depth information about the target, sometimes more than source code does.</li></ul>
  17. <ul><li>Calculate the offset for EIP.</li><li>ESP is pointing to our buffer.</li><li>Aahhh.. problem: we don't have much space on the stack (only 13-14 bytes approx.).</li><li>Now what?? Check the other registers.</li><li>ECX is pointing to it, but not directly.</li></ul>
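As an added example (not code from the deck or from the Filecopa server), this C program models the frame drawn on slides 7-12 and the bug class behind slide 13's LIST command: an unbounded copy beside its bounded form, plus a probe that measures the distance from a local buffer to the saved return address without overwriting it, the quantity slide 17 calls the offset for EIP. `ARG_MAX`, the handler names and the use of the GCC/Clang frame-address builtin are assumptions; the real server's buffer size is not on the page.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#define ARG_MAX 64   /* constructed size of the command-argument buffer */

/* Vulnerable pattern (the deck's bug class): the argument of a command such
 * as LIST is copied into a fixed-size local with no bound, so a long argument
 * runs past the locals into saved EBP and the saved return address. Shown
 * for contrast only; never feed it untrusted input. */
int handle_list_unbounded(const char *arg) {
    char buf[ARG_MAX];
    strcpy(buf, arg);               /* no length check */
    return (int)strlen(buf);
}

/* Hardened form: refuse anything that does not fit, always NUL-terminate. */
int handle_list_bounded(const char *arg) {
    char buf[ARG_MAX];
    size_t n = strlen(arg);
    if (n >= sizeof buf)            /* keep room for the terminator */
        return -1;                  /* caller treats this as a protocol error */
    memcpy(buf, arg, n + 1);
    return (int)n;
}

/* Feeds an argument of n 'A' bytes (n < 256) to the bounded handler. */
int probe_bounded(size_t n) {
    char arg[256];
    if (n >= sizeof arg) return -2;
    memset(arg, 'A', n);
    arg[n] = '\0';
    return handle_list_bounded(arg);
}

/* Distance from a local buffer's first byte to this frame's saved return
 * address, measured without overwriting anything (the "offset for EIP" the
 * deck finds by crashing the server). Assumes GCC/Clang builtins. */
long frame_offset_to_ret(void) {
    volatile char local[ARG_MAX];
    uintptr_t ret_slot = (uintptr_t)__builtin_frame_address(0) + sizeof(void *);
    local[0] = 0;
    return (long)(ret_slot - (uintptr_t)local);
}

int main(void) {
    printf("63 bytes: %d, 64 bytes: %d\n", probe_bounded(63), probe_bounded(64));
    printf("buffer to saved return address: %ld bytes\n", frame_offset_to_ret());
    return 0;
}
```

The measured distance is at least the buffer size plus the saved frame pointer, and grows further when the compiler inserts a stack canary between the locals and the saved EBP.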
  18. <ul><li>But we have some bytes on the stack. Use these bytes to adjust ECX and then jump to ECX.</li><li>We need a jmp esp (address) first.</li><li>Note: hard-coding the stack address is not good practice: it contains null bytes, and the address may change.</li><li>Search for the address in DLLs, because DLLs are static, at least for the same service pack.</li></ul>
  19. <ul><li>ECX is at 00652984 but our data is at 006529cc (on my system).</li><li>Increase ECX, but there is a little problem: that data is used to overwrite EIP.</li><li>So increasing ECX to that address gives little space (only 234 bytes approx.).</li><li>So increase ECX so that it jumps over the saved EIP.</li></ul>
  20. <ul><li>So add ecx,152 bytes. Does it work??</li><li>Nope.. it generates null bytes, can't use.</li><li>OK, add cx,152 bytes.. should work. Else increase the bytes.</li></ul>
  21. <ul><li>Now jump to ECX (instruction).</li><li>And we have our shellcode ready.</li></ul>