Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Exploit development 101 - Part 1 - Null Singapore


Published on

This is the part 1 of the series on exploit research and development given as part of the null humla at Singapore. More details at

Published in: Technology
  • Be the first to comment

Exploit development 101 - Part 1 - Null Singapore

  1. 1. hugojcardoso
  2. 2. I’m Imran. Senior Security Engineer at Autodesk Null Singapore Founder and Leader OSCP/SCJP MI Hello !
  3. 3. Warning! Please note that this workshop is intended for educational purposes only, and you should NOT use the acquired skills to attack any system. It's illegal to hack a system without permission and is a punishable offense in most countries including Singapore. You agree to abide by above statement by staying in this workshop after this slide.
  4. 4. Agenda
  5. 5. Lets tickle security buds … int main() { int cookie; char buf[80]; printf("b: %x c: %xn", &buf, &cookie); gets(buf); if (cookie == 0x41424344) printf("you win!n"); }
  6. 6. 20-30 Instructions 14 assembly instructions account for 90% of assembly code! are enough for most of your needs
  7. 7. Let’s learn Assembly Language Slides:
  8. 8. Assembly Language Trivia AT&T MOVE source, destination MOVE $61, %eax objdump -d /bin/cat Intel MOVE destination, source MOVE AL,61 objdump -M intel -d /bin/cat
  9. 9. Stdcall vs cdecl Function parameters pushed onto stack right to left. Saves the old stack frame pointer and sets up a new stack frame. cdecl Caller responsible for stack cleanup Stdcall Callee responsible for stack cleanup
  10. 10. From amazing corelan Memory layout in win32
  11. 11. Stack overflow example Int add (int a, int b) { Int var1 =a; Int var2 =b; } Int main() { printf(“enter two numbers”); …. Int sum = add(3+5); //  when this function is invoked Printf(“sume is %d” &sum); }
  12. 12. Buffer overflow High Memory Low memory ……. Argument 2 Argument 1 RETURN ADDRESS Old value of EBP . . . . . . . 0x0012F000 0x0012D000
  13. 13. Buffer overflow Low Memory High memory 0x0012F000 0x0012D000 ……. Old EBP – old Frame Return address Argument 1 Argument 2 . . . . . . .
  14. 14. Buffer overflow Low Memory High memory 0x0012F000 0x0012D000 ……. Old EBP – old Frame Return address a b . . . . . . .
  15. 15. Immunity Debugger and Mona Immunity Debugger is a powerful new way to write exploits, analyze malware, and reverse engineer binary files. It builds on a solid user interface with function graphing, the industry's first heap analysis tool built specifically for heap creation, and a large and well supported Python API for easy extensibility. “ ” - “ ” - is a very powerful PyCommand for Immunity Debugger . Mona makes exploit development a breeze and has tons of helper methods to automate mundane tasks in exploit development.
  16. 16. Exercises We will repeat the following steps for every exploit 1. Fuzzing the target 2. Find the crash offset 3. Analyze if the crash is exploitable 4. Control EIP and jump to shellcode 5. Game over 
  17. 17. Vanilla Stack Overflow Name: ASX to MP3 Converter Exploit Type: Vanilla Stack Overflow URL: Exploit steps: series
  18. 18. SEH Exploit Name: Konica Minolta FTP Utility 1.0 Exploit Type: SEH Overflow URL: Exploit steps: series
  19. 19. References • • -writing-tutorial-part-1-stack-based-overflows/ • • Hacking: The Art of Exploitation: The Art of Exploitation
  20. 20. Null Singapore