SlideShare a Scribd company logo

Exploit Development with Python

Download as PPTX, PDF
Thomas Gregory
Thomas Gregory

A small example of how python can be used during exploit development. This was an event prepared by Indonesia Python Community.

Technology
1 of 25
EXPLOIT DEVELOPMENT WITH PYTHON Tom Gregory id:python Gathering 27 April 2013
AGENDA  Memory  Stack/Buffer Overflow  Structured Exception Handler (SEH)  Escape from small space  Egghunter  Demo
Args./Environment Stack Unused Memory Heap (dynamic data) Static Data .data Program Code .text PROCESS MEMORY LAYOUT High addresses Top of memory 0xFFFFFFFF Low addresses 0x00000000 Stack grows down by procedures call Heap grows up e.g. by malloc and new
STACK BUFFER OVERFLOW #include <string.h> void foo (char *bar) { char c[12]; strcpy(c, bar); // no bounds checking... } int main (int argc, char **argv) { foo(argv[1]); }
STACK BUFFER OVERFLOW Unallocated stack char c[12] char *bar Saved frame pointer (EBP) Return Address (EIP) Parent routine’s stack Memory addressStack growth
STACK BUFFER OVERFLOW Unallocated stack char c[12] char *bar Saved frame pointer (EBP) Return Address (EIP) Parent routine’s stack Memory addressStack growth h e l l 0o
STACK BUFFER OVERFLOW Unallocated stack Memory addressStack growth A A A A A A A A A A A A A A A A A A A A A A A A A A A A x08 x35 xc0 x80 Fill the stack with ‘A’ Overwritten return address at 0x80c03508 Parent routine’s stack Little Endian 0x80c03508
WHAT IS SEH? This structure ( also called a SEH record) is 8 bytes and has 2 (4 bytes each) elements :  a pointer to the next exception_registration structure (in essence, to the next SEH record, in case the current handler is unable the handle the exception)  a pointer, the address of the actual code of the exception handler. (SE Handler)
WHAT IS SEH? Image was taken without permission from http://images.google.com
LOOK AT THE SEH STRUCTURE Beginning of SEH chain  SEH chain will be placed at the top of the main data block  It also called FS:[0] chain as well (on intel: mov [reg], dword ptr fs:[0]) End of seh chain  Is indicated by 0xFFFFFFFF  Will trigger improper termination to the program
HOW SEH WORKS? Stack TEB FS[0]: 0012FF40 0012FF40 0012FF44 0012FFB0 : next SEH record 7C839AD8 : SE Handler 0012FFB0 0012FFB4 0012FFE0 : next SEH record 0040109A : SE Handler 0012FFE0 0012FFE4 FFFFFFFF : next SEH record 7C839AD8 : SE Handler
PROTECTIONS AGAINST SEH XOR  before the exception handler is called, all registers are XORed with each other, so it will make them all point to 0x00000000 DEP & Stack Cookies  Stack Cookies or Canary is setup via C++ compiler options  DEP will mark the memory stack to no execute.  It was introduced since Windows XP SP2 and Windows 2003, enabled by default on Windows Vista and 7  Those two protections can make it harder to build exploits.
PROTECTIONS AGAINST SEH SafeSEH  additional protection was added to compilers, helping to stop the abuse of SEH overwrites.  It will check the original value of SEH, if it overwritten, SafeSEH will try to bring it back to the original value.
ABUSING SEH On direct RET technique:  Simply find an instruction to jump to the stack, done. While on SEH Based:  You cannot simply jump to the stack, because the registers are XORed.  We can take advantage this exception handling condition by overwrite the SE Handler address.  The OS will know the exception handling routine, and pass it to next SEH record.  Pointer to next SEH will bring us to the shellcode.  Game over!
ABUSING SEH In other words, the payload must do the following things:  Cause an exception. Without an exception, the SEH handler (the one you have overwritten/control) won’t kick in.  Overwrite the pointer to the next SEH record with some jumpcode (so it can jump to the shellcode)  Overwrite the SE handler with a pointer to an instruction that will bring you back to next SEH and execute the jumpcode.  The shellcode should be directly after the overwritten SE Handler. Some small jumpcode contained in the overwritten “pointer to next SEH record” will jump to it).
ABUSING SEH  When the exception occurred, the position on the stack will going like this:  Possible value to overwrite SE Handler are POP something, POP something and RETN to the stack.  It will POP address that sit at the top of the stack, POP it again to take the second address, and RETN to execute the third address (which is now at the top of the stack) Top of stack Our pointer to next SEH address
ABUSING SEH Image was taken from http://corelan.be with permission from Peter van Eeckhoutte (Corelan)
ESCAPE FROM SMALL SPACE  Use Egghunter  “Staged shellcode”  Use small amount of custom shellcode to find the actual “bigger” shellcode (the egg), by searching entire memory for the final shellcode
EGGHUNTER  There are 3 conditions that are important in order for this technique to work  We must be able to jump to (jmp, call, push/ret) & execute “some” shellcode, the egghunter.  The final shellcode must be available somewhere in memory (stack/heap/…).  You must “tag” or prepend the final shellcode with a unique string/marker/tag. This means that we will have to define the marker in the egg hunter code, and also write it just in front of the actual shellcode.
ENOUGH TALKING!
1ST SKELETON EXPLOIT: CRASH IT! #!/usr/bin/python from socket import * junk = "x41" * 10000 s = socket(AF_INET, SOCK_STREAM) s.connect((‘x.x.x.x’,8000)) print "[+] Launching attack..” s.send ("GET /" + payload + "HTTP/1.0rnrnrn") s.close()
2ND SKELETON EXPLOIT: EIP OVERWRITE #!/usr/bin/python from socket import * junk = [random data generated from msf] s = socket(AF_INET, SOCK_STREAM) s.connect((‘x.x.x.x’,8000)) print "[+] Launching attack..” s.send ("GET /" + payload + "HTTP/1.0rnrnrn") s.close()
3RD SKELETON EXPLOIT: SMALL SPACE  Egghunter x66x81xcaxffx0fx42x52x6a x02x58xcdx2ex3cx05x5ax74 xefxb8x77x30x30x74x8bxfa xafx75xeaxafx75xe7xffxe7
4TH FINAL EXPLOIT  Exploit DB  http://www.exploit-db.com/exploits/19266/  Metasploit  http://www.exploit-db.com/exploits/19291/  http://www.metasploit.com/modules/exploit/windows/http/ezserver_http
EOF tom@spentera.com

Recommended

Data Storage in DNA
Data Storage in DNAData Storage in DNA
Data Storage in DNASourabh Chalotra
 
Smart homes presentation
Smart homes presentation Smart homes presentation
Smart homes presentation shadenalsh
 
Home automation - SMART HOME
Home automation - SMART HOME Home automation - SMART HOME
Home automation - SMART HOME Ankur Mehra
 
Artificial intelligence and IoT
Artificial intelligence and IoTArtificial intelligence and IoT
Artificial intelligence and IoTVeselin Pizurica
 
IoT Security
IoT SecurityIoT Security
IoT SecurityPeter Waher
 
IoT on Azure
IoT on AzureIoT on Azure
IoT on AzureVinoth Rajagopalan
 
Cuda tutorial
Cuda tutorialCuda tutorial
Cuda tutorialMahesh Khadatare
 
Smart Networks for the Industrial Internet of Things
Smart Networks for the Industrial Internet of ThingsSmart Networks for the Industrial Internet of Things
Smart Networks for the Industrial Internet of ThingsCreekside Marketing Group, LLC
 

Recommended

Data Storage in DNA
Data Storage in DNAData Storage in DNA
Data Storage in DNASourabh Chalotra
 
Smart homes presentation
Smart homes presentation Smart homes presentation
Smart homes presentation shadenalsh
 
Home automation - SMART HOME
Home automation - SMART HOME Home automation - SMART HOME
Home automation - SMART HOME Ankur Mehra
 
Artificial intelligence and IoT
Artificial intelligence and IoTArtificial intelligence and IoT
Artificial intelligence and IoTVeselin Pizurica
 
IoT Security
IoT SecurityIoT Security
IoT SecurityPeter Waher
 
IoT on Azure
IoT on AzureIoT on Azure
IoT on AzureVinoth Rajagopalan
 
Cuda tutorial
Cuda tutorialCuda tutorial
Cuda tutorialMahesh Khadatare
 
Smart Networks for the Industrial Internet of Things
Smart Networks for the Industrial Internet of ThingsSmart Networks for the Industrial Internet of Things
Smart Networks for the Industrial Internet of ThingsCreekside Marketing Group, LLC
 
IoT Security Challenges and Solutions
IoT Security Challenges and SolutionsIoT Security Challenges and Solutions
IoT Security Challenges and SolutionsIntel® Software
 
Border security-using-wireless-integrated-network-sensors-1
Border security-using-wireless-integrated-network-sensors-1Border security-using-wireless-integrated-network-sensors-1
Border security-using-wireless-integrated-network-sensors-1Sayeed Shawon
 
Fog computing technology
Fog computing technologyFog computing technology
Fog computing technologyNikhil Sabu
 
Green internet of things for smart world(2)
Green internet of things for smart world(2)Green internet of things for smart world(2)
Green internet of things for smart world(2)Divas K Das
 
Fog computing
Fog computingFog computing
Fog computingParmeshwar Wahatule
 
Fog Computing Projects
Fog Computing ProjectsFog Computing Projects
Fog Computing ProjectsPhdtopiccom
 
Application Layer Protocols for the IoT
Application Layer Protocols for the IoTApplication Layer Protocols for the IoT
Application Layer Protocols for the IoTDamien Magoni
 
Cuda
CudaCuda
CudaMannu Malhotra
 
Smart homes
Smart homesSmart homes
Smart homesBrad Fitzpatrick
 
Fog computing
Fog computingFog computing
Fog computingAyush Chaurasia
 
Digital jewellery ppt
Digital jewellery pptDigital jewellery ppt
Digital jewellery pptRithu Pudiyaveedu
 
SMART HEALTH AND Internet of Things (IoT) - RESEARCH Opportunities
SMART HEALTH AND Internet of Things (IoT) - RESEARCH Opportunities SMART HEALTH AND Internet of Things (IoT) - RESEARCH Opportunities
SMART HEALTH AND Internet of Things (IoT) - RESEARCH Opportunities Tauseef Naquishbandi
 
Blue eye technology ppt
Blue eye technology pptBlue eye technology ppt
Blue eye technology ppt-jyothish kumar sirigidi
 
CDH on Board Cubesat.pptx
CDH on Board Cubesat.pptxCDH on Board Cubesat.pptx
CDH on Board Cubesat.pptxssuser035685
 
Neuromorphic computing
Neuromorphic computingNeuromorphic computing
Neuromorphic computingSreekuttanJayakumar
 
fog computing ppt
fog computing ppt fog computing ppt
fog computing ppt sravya raju
 
Skinput Technology
Skinput TechnologySkinput Technology
Skinput Technologyvivek sagar
 
Utility fog ppt
Utility fog pptUtility fog ppt
Utility fog pptParvathy Dileep
 
IoT Arduino UNO, RaspberryPi with Python, RaspberryPi Programming using Pytho...
IoT Arduino UNO, RaspberryPi with Python, RaspberryPi Programming using Pytho...IoT Arduino UNO, RaspberryPi with Python, RaspberryPi Programming using Pytho...
IoT Arduino UNO, RaspberryPi with Python, RaspberryPi Programming using Pytho...Jayanthi Kannan MK
 
Security issues and solutions : IoT
Security issues and solutions : IoTSecurity issues and solutions : IoT
Security issues and solutions : IoTJinia Bhowmik
 
CyberLink LabelPrint 2.5 Exploitation Process
CyberLink LabelPrint 2.5 Exploitation ProcessCyberLink LabelPrint 2.5 Exploitation Process
CyberLink LabelPrint 2.5 Exploitation ProcessThomas Gregory
 
Writing Metasploit Plugins
Writing Metasploit PluginsWriting Metasploit Plugins
Writing Metasploit Pluginsamiable_indian
 

More Related Content

What's hot

IoT Security Challenges and Solutions
IoT Security Challenges and SolutionsIoT Security Challenges and Solutions
IoT Security Challenges and SolutionsIntel® Software
 
Border security-using-wireless-integrated-network-sensors-1
Border security-using-wireless-integrated-network-sensors-1Border security-using-wireless-integrated-network-sensors-1
Border security-using-wireless-integrated-network-sensors-1Sayeed Shawon
 
Fog computing technology
Fog computing technologyFog computing technology
Fog computing technologyNikhil Sabu
 
Green internet of things for smart world(2)
Green internet of things for smart world(2)Green internet of things for smart world(2)
Green internet of things for smart world(2)Divas K Das
 
Fog Computing Projects
Fog Computing ProjectsFog Computing Projects
Fog Computing ProjectsPhdtopiccom
 
Application Layer Protocols for the IoT
Application Layer Protocols for the IoTApplication Layer Protocols for the IoT
Application Layer Protocols for the IoTDamien Magoni
 
SMART HEALTH AND Internet of Things (IoT) - RESEARCH Opportunities
SMART HEALTH AND Internet of Things (IoT) - RESEARCH Opportunities SMART HEALTH AND Internet of Things (IoT) - RESEARCH Opportunities
SMART HEALTH AND Internet of Things (IoT) - RESEARCH Opportunities Tauseef Naquishbandi
 
CDH on Board Cubesat.pptx
CDH on Board Cubesat.pptxCDH on Board Cubesat.pptx
CDH on Board Cubesat.pptxssuser035685
 
fog computing ppt
fog computing ppt fog computing ppt
fog computing ppt sravya raju
 
Skinput Technology
Skinput TechnologySkinput Technology
Skinput Technologyvivek sagar
 
IoT Arduino UNO, RaspberryPi with Python, RaspberryPi Programming using Pytho...
IoT Arduino UNO, RaspberryPi with Python, RaspberryPi Programming using Pytho...IoT Arduino UNO, RaspberryPi with Python, RaspberryPi Programming using Pytho...
IoT Arduino UNO, RaspberryPi with Python, RaspberryPi Programming using Pytho...Jayanthi Kannan MK
 
Security issues and solutions : IoT
Security issues and solutions : IoTSecurity issues and solutions : IoT
Security issues and solutions : IoTJinia Bhowmik
 

What's hot (20)

IoT Security Challenges and Solutions
IoT Security Challenges and SolutionsIoT Security Challenges and Solutions
IoT Security Challenges and Solutions
 
Border security-using-wireless-integrated-network-sensors-1
Border security-using-wireless-integrated-network-sensors-1Border security-using-wireless-integrated-network-sensors-1
Border security-using-wireless-integrated-network-sensors-1
 
Fog computing technology
Fog computing technologyFog computing technology
Fog computing technology
 
Green internet of things for smart world(2)
Green internet of things for smart world(2)Green internet of things for smart world(2)
Green internet of things for smart world(2)
 
Fog computing
Fog computingFog computing
Fog computing
 
Fog Computing Projects
Fog Computing ProjectsFog Computing Projects
Fog Computing Projects
 
Application Layer Protocols for the IoT
Application Layer Protocols for the IoTApplication Layer Protocols for the IoT
Application Layer Protocols for the IoT
 
Cuda
CudaCuda
Cuda
 
Smart homes
Smart homesSmart homes
Smart homes
 
Fog computing
Fog computingFog computing
Fog computing
 
Digital jewellery ppt
Digital jewellery pptDigital jewellery ppt
Digital jewellery ppt
 
SMART HEALTH AND Internet of Things (IoT) - RESEARCH Opportunities
SMART HEALTH AND Internet of Things (IoT) - RESEARCH Opportunities SMART HEALTH AND Internet of Things (IoT) - RESEARCH Opportunities
SMART HEALTH AND Internet of Things (IoT) - RESEARCH Opportunities
 
Blue eye technology ppt
Blue eye technology pptBlue eye technology ppt
Blue eye technology ppt
 
CDH on Board Cubesat.pptx
CDH on Board Cubesat.pptxCDH on Board Cubesat.pptx
CDH on Board Cubesat.pptx
 
Neuromorphic computing
Neuromorphic computingNeuromorphic computing
Neuromorphic computing
 
fog computing ppt
fog computing ppt fog computing ppt
fog computing ppt
 
Skinput Technology
Skinput TechnologySkinput Technology
Skinput Technology
 
Utility fog ppt
Utility fog pptUtility fog ppt
Utility fog ppt
 
IoT Arduino UNO, RaspberryPi with Python, RaspberryPi Programming using Pytho...
IoT Arduino UNO, RaspberryPi with Python, RaspberryPi Programming using Pytho...IoT Arduino UNO, RaspberryPi with Python, RaspberryPi Programming using Pytho...
IoT Arduino UNO, RaspberryPi with Python, RaspberryPi Programming using Pytho...
 
Security issues and solutions : IoT
Security issues and solutions : IoTSecurity issues and solutions : IoT
Security issues and solutions : IoT
 

Similar to Exploit Development with Python

CyberLink LabelPrint 2.5 Exploitation Process
CyberLink LabelPrint 2.5 Exploitation ProcessCyberLink LabelPrint 2.5 Exploitation Process
CyberLink LabelPrint 2.5 Exploitation ProcessThomas Gregory
 
Writing Metasploit Plugins
Writing Metasploit PluginsWriting Metasploit Plugins
Writing Metasploit Pluginsamiable_indian
 
Low Level Exploits
Low Level ExploitsLow Level Exploits
Low Level Exploitshughpearse
 
Linux Shellcode disassembling
Linux Shellcode disassemblingLinux Shellcode disassembling
Linux Shellcode disassemblingHarsh Daftary
 
NDC TechTown 2023_ Return Oriented Programming an introduction.pdf
NDC TechTown 2023_ Return Oriented Programming an introduction.pdfNDC TechTown 2023_ Return Oriented Programming an introduction.pdf
NDC TechTown 2023_ Return Oriented Programming an introduction.pdfPatricia Aas
 
Buffer Overflows
Buffer OverflowsBuffer Overflows
Buffer OverflowsSumit Kumar
 
Exploit Research and Development Megaprimer: DEP Bypassing with ROP Chains
Exploit Research and Development Megaprimer: DEP Bypassing with ROP ChainsExploit Research and Development Megaprimer: DEP Bypassing with ROP Chains
Exploit Research and Development Megaprimer: DEP Bypassing with ROP ChainsAjin Abraham
 
Buffer Overflows 101: Some Assembly Required
Buffer Overflows 101: Some Assembly RequiredBuffer Overflows 101: Some Assembly Required
Buffer Overflows 101: Some Assembly RequiredKory Kyzar
 
Return Oriented Programming, an introduction
Return Oriented Programming, an introductionReturn Oriented Programming, an introduction
Return Oriented Programming, an introductionPatricia Aas
 
Shellcode Disassembling - Reverse Engineering
Shellcode Disassembling - Reverse EngineeringShellcode Disassembling - Reverse Engineering
Shellcode Disassembling - Reverse EngineeringSumutiu Marius
 
various tricks for remote linux exploits  by Seok-Ha Lee (wh1ant)
various tricks for remote linux exploits  by Seok-Ha Lee (wh1ant)various tricks for remote linux exploits  by Seok-Ha Lee (wh1ant)
various tricks for remote linux exploits  by Seok-Ha Lee (wh1ant)CODE BLUE
 
Shellcoding in linux
Shellcoding in linuxShellcoding in linux
Shellcoding in linuxAjin Abraham
 
Reversing & Malware Analysis Training Part 4 - Assembly Programming Basics
Reversing & Malware Analysis Training Part 4 - Assembly Programming BasicsReversing & Malware Analysis Training Part 4 - Assembly Programming Basics
Reversing & Malware Analysis Training Part 4 - Assembly Programming Basicssecurityxploded
 
Heap overflows for humans – 101
Heap overflows for humans – 101Heap overflows for humans – 101
Heap overflows for humans – 101Craft Symbol
 

Similar to Exploit Development with Python (20)

CyberLink LabelPrint 2.5 Exploitation Process
CyberLink LabelPrint 2.5 Exploitation ProcessCyberLink LabelPrint 2.5 Exploitation Process
CyberLink LabelPrint 2.5 Exploitation Process
 
Writing Metasploit Plugins
Writing Metasploit PluginsWriting Metasploit Plugins
Writing Metasploit Plugins
 
Exploiting stack overflow 101
Exploiting stack overflow 101Exploiting stack overflow 101
Exploiting stack overflow 101
 
Abusing SEH For Fun
Abusing SEH For FunAbusing SEH For Fun
Abusing SEH For Fun
 
Low Level Exploits
Low Level ExploitsLow Level Exploits
Low Level Exploits
 
Return Oriented Programming (ROP) Based Exploits - Part I
Return Oriented Programming (ROP) Based Exploits - Part IReturn Oriented Programming (ROP) Based Exploits - Part I
Return Oriented Programming (ROP) Based Exploits - Part I
 
Linux Shellcode disassembling
Linux Shellcode disassemblingLinux Shellcode disassembling
Linux Shellcode disassembling
 
Unix executable buffer overflow
Unix executable buffer overflowUnix executable buffer overflow
Unix executable buffer overflow
 
NDC TechTown 2023_ Return Oriented Programming an introduction.pdf
NDC TechTown 2023_ Return Oriented Programming an introduction.pdfNDC TechTown 2023_ Return Oriented Programming an introduction.pdf
NDC TechTown 2023_ Return Oriented Programming an introduction.pdf
 
Buffer Overflows
Buffer OverflowsBuffer Overflows
Buffer Overflows
 
Exploit Research and Development Megaprimer: DEP Bypassing with ROP Chains
Exploit Research and Development Megaprimer: DEP Bypassing with ROP ChainsExploit Research and Development Megaprimer: DEP Bypassing with ROP Chains
Exploit Research and Development Megaprimer: DEP Bypassing with ROP Chains
 
Buffer Overflows 101: Some Assembly Required
Buffer Overflows 101: Some Assembly RequiredBuffer Overflows 101: Some Assembly Required
Buffer Overflows 101: Some Assembly Required
 
null Pune meet - Application Security: Code injection
null Pune meet - Application Security: Code injectionnull Pune meet - Application Security: Code injection
null Pune meet - Application Security: Code injection
 
Return Oriented Programming, an introduction
Return Oriented Programming, an introductionReturn Oriented Programming, an introduction
Return Oriented Programming, an introduction
 
Shellcode Disassembling - Reverse Engineering
Shellcode Disassembling - Reverse EngineeringShellcode Disassembling - Reverse Engineering
Shellcode Disassembling - Reverse Engineering
 
various tricks for remote linux exploits  by Seok-Ha Lee (wh1ant)
various tricks for remote linux exploits  by Seok-Ha Lee (wh1ant)various tricks for remote linux exploits  by Seok-Ha Lee (wh1ant)
various tricks for remote linux exploits  by Seok-Ha Lee (wh1ant)
 
Shellcoding in linux
Shellcoding in linuxShellcoding in linux
Shellcoding in linux
 
Reversing & Malware Analysis Training Part 4 - Assembly Programming Basics
Reversing & Malware Analysis Training Part 4 - Assembly Programming BasicsReversing & Malware Analysis Training Part 4 - Assembly Programming Basics
Reversing & Malware Analysis Training Part 4 - Assembly Programming Basics
 
Exploitation Crash Course
Exploitation Crash CourseExploitation Crash Course
Exploitation Crash Course
 
Heap overflows for humans – 101
Heap overflows for humans – 101Heap overflows for humans – 101
Heap overflows for humans – 101
 

Recently uploaded

Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Unlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsUnlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsPrecisely
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsHyundai Motor Group
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGAPIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGMarianaLemus7
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Science&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfScience&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfjimielynbastida
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 

Recently uploaded (20)

Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Unlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsUnlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power Systems
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGAPIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDG
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptxVulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
 
Science&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfScience&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdf
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 

Exploit Development with Python

  • 2. AGENDA  Memory  Stack/Buffer Overflow  Structured Exception Handler (SEH)  Escape from small space  Egghunter  Demo
  • 3. Args./Environment Stack Unused Memory Heap (dynamic data) Static Data .data Program Code .text PROCESS MEMORY LAYOUT High addresses Top of memory 0xFFFFFFFF Low addresses 0x00000000 Stack grows down by procedures call Heap grows up e.g. by malloc and new
  • 4. STACK BUFFER OVERFLOW #include <string.h> void foo (char *bar) { char c[12]; strcpy(c, bar); // no bounds checking... } int main (int argc, char **argv) { foo(argv[1]); }
  • 5. STACK BUFFER OVERFLOW Unallocated stack char c[12] char *bar Saved frame pointer (EBP) Return Address (EIP) Parent routine’s stack Memory addressStack growth
  • 6. STACK BUFFER OVERFLOW Unallocated stack char c[12] char *bar Saved frame pointer (EBP) Return Address (EIP) Parent routine’s stack Memory addressStack growth h e l l 0o
  • 7. STACK BUFFER OVERFLOW Unallocated stack Memory addressStack growth A A A A A A A A A A A A A A A A A A A A A A A A A A A A x08 x35 xc0 x80 Fill the stack with ‘A’ Overwritten return address at 0x80c03508 Parent routine’s stack Little Endian 0x80c03508
  • 8. WHAT IS SEH? This structure ( also called a SEH record) is 8 bytes and has 2 (4 bytes each) elements :  a pointer to the next exception_registration structure (in essence, to the next SEH record, in case the current handler is unable the handle the exception)  a pointer, the address of the actual code of the exception handler. (SE Handler)
  • 9. WHAT IS SEH? Image was taken without permission from http://images.google.com
  • 10. LOOK AT THE SEH STRUCTURE Beginning of SEH chain  SEH chain will be placed at the top of the main data block  It also called FS:[0] chain as well (on intel: mov [reg], dword ptr fs:[0]) End of seh chain  Is indicated by 0xFFFFFFFF  Will trigger improper termination to the program
  • 11. HOW SEH WORKS? Stack TEB FS[0]: 0012FF40 0012FF40 0012FF44 0012FFB0 : next SEH record 7C839AD8 : SE Handler 0012FFB0 0012FFB4 0012FFE0 : next SEH record 0040109A : SE Handler 0012FFE0 0012FFE4 FFFFFFFF : next SEH record 7C839AD8 : SE Handler
  • 12. PROTECTIONS AGAINST SEH XOR  before the exception handler is called, all registers are XORed with each other, so it will make them all point to 0x00000000 DEP & Stack Cookies  Stack Cookies or Canary is setup via C++ compiler options  DEP will mark the memory stack to no execute.  It was introduced since Windows XP SP2 and Windows 2003, enabled by default on Windows Vista and 7  Those two protections can make it harder to build exploits.
  • 13. PROTECTIONS AGAINST SEH SafeSEH  additional protection was added to compilers, helping to stop the abuse of SEH overwrites.  It will check the original value of SEH, if it overwritten, SafeSEH will try to bring it back to the original value.
  • 14. ABUSING SEH On direct RET technique:  Simply find an instruction to jump to the stack, done. While on SEH Based:  You cannot simply jump to the stack, because the registers are XORed.  We can take advantage this exception handling condition by overwrite the SE Handler address.  The OS will know the exception handling routine, and pass it to next SEH record.  Pointer to next SEH will bring us to the shellcode.  Game over!
  • 15. ABUSING SEH In other words, the payload must do the following things:  Cause an exception. Without an exception, the SEH handler (the one you have overwritten/control) won’t kick in.  Overwrite the pointer to the next SEH record with some jumpcode (so it can jump to the shellcode)  Overwrite the SE handler with a pointer to an instruction that will bring you back to next SEH and execute the jumpcode.  The shellcode should be directly after the overwritten SE Handler. Some small jumpcode contained in the overwritten “pointer to next SEH record” will jump to it).
  • 16. ABUSING SEH  When the exception occurred, the position on the stack will going like this:  Possible value to overwrite SE Handler are POP something, POP something and RETN to the stack.  It will POP address that sit at the top of the stack, POP it again to take the second address, and RETN to execute the third address (which is now at the top of the stack) Top of stack Our pointer to next SEH address
  • 17. ABUSING SEH Image was taken from http://corelan.be with permission from Peter van Eeckhoutte (Corelan)
  • 18. ESCAPE FROM SMALL SPACE  Use Egghunter  “Staged shellcode”  Use small amount of custom shellcode to find the actual “bigger” shellcode (the egg), by searching entire memory for the final shellcode
  • 19. EGGHUNTER  There are 3 conditions that are important in order for this technique to work  We must be able to jump to (jmp, call, push/ret) & execute “some” shellcode, the egghunter.  The final shellcode must be available somewhere in memory (stack/heap/…).  You must “tag” or prepend the final shellcode with a unique string/marker/tag. This means that we will have to define the marker in the egg hunter code, and also write it just in front of the actual shellcode.
  • 21. 1ST SKELETON EXPLOIT: CRASH IT! #!/usr/bin/python from socket import * junk = "x41" * 10000 s = socket(AF_INET, SOCK_STREAM) s.connect((‘x.x.x.x’,8000)) print "[+] Launching attack..” s.send ("GET /" + payload + "HTTP/1.0rnrnrn") s.close()
  • 22. 2ND SKELETON EXPLOIT: EIP OVERWRITE #!/usr/bin/python from socket import * junk = [random data generated from msf] s = socket(AF_INET, SOCK_STREAM) s.connect((‘x.x.x.x’,8000)) print "[+] Launching attack..” s.send ("GET /" + payload + "HTTP/1.0rnrnrn") s.close()
  • 23. 3RD SKELETON EXPLOIT: SMALL SPACE  Egghunter x66x81xcaxffx0fx42x52x6a x02x58xcdx2ex3cx05x5ax74 xefxb8x77x30x30x74x8bxfa xafx75xeaxafx75xe7xffxe7
  • 24. 4TH FINAL EXPLOIT  Exploit DB  http://www.exploit-db.com/exploits/19266/  Metasploit  http://www.exploit-db.com/exploits/19291/  http://www.metasploit.com/modules/exploit/windows/http/ezserver_http

Editor's Notes

  1. Stack is used for function calls There are 2 Registers on the CPU associated with stack, EBP and ESP. ESP points to the top of the stack, whereas EBP points to the beginning of the current frame When a function is called, arguments, EIP and EBP pushed onto stack EBP is set to ESP, and ESP is decremented to make space for the functions local variable