Downloaded 16 times
![Vul code sample
Array
int [20];
int [20][5];
int [20][5][3];
Format Strings;
printf(), fprint(),sprint(),sprintf()
Overflow
strcpy()
strcat()
sprintf()
vsprint()
scanf()](https://image.slidesharecdn.com/c56bb387-7f58-4855-a321-efd8f4919174-170130103649/85/Exploit-Development-16-320.jpg)
![Sample Program
GetInput()
{
char buffer[8];
gets(buffer);
puts(buffer);
}](https://image.slidesharecdn.com/c56bb387-7f58-4855-a321-efd8f4919174-170130103649/85/Exploit-Development-17-320.jpg)
Uploaded bykyaw thiha
Exploit Development
The document discusses Win32 buffer overflow exploitation, including prerequisites like understanding memory stacks, CPU registers, and assembly language. It explains various CPU registers like general purpose, segment, index/pointer, and EFLAGS registers. The document also covers stack layout, what a buffer overflow is, sample vulnerable code, and the steps to develop an exploit including fuzzing to find the crash point, overwriting EIP to control execution flow, generating shellcode, and creating a final payload.
Exploit Development
- 1. Exploit Development Win32 BufferOverflow Exploitation By Kyaw Thiha
- 2. Whoami? • Info-sec analyst •Currently working at Kernellix • Ex-team member of mmCERT • Participate some bug bounty programs
- 3. Prerequisties Knowledge • Memorystack • CPU Register • Knowledge on assembly language • Buffer overflow attack • Understanding Shellcode
- 4. CPU Register General PurposeRegisters EAX EBX ECX EDX Segment Registers CS DS SS ES FS GS
- 5. CPU Register Index andPointer Register EFLAGS Registers EDIESI EBP ESP EIP EFLAGS
- 6. General Purpose Registers Baseregister It is used as a base pointer for memory access Gets some interrupt return values EAX EBX ECX EDX Counter register It is used as a loop counter and for shifts Gets some interrupt values Accumulator register.It is used for I/O port access, arithmetic, interrupt calls, etc... Data register It is used for I/O port access, arithmetic, some interruptcalls.
- 7. Segment Registers Holds theData segment that your program accesses. Changing its value might give erronous data. CS DS SS ES FS GP These are extra segment registers available for far pointer addressing like video memory and such. Holds the Stack segment your program uses. Sometimes has the same value as DS.Changing its value can give unpredictable results, mostly data related. Holds the Code segment in which your program runs. Changing its value might make the computer hang.
- 8. Index and pointerRegisters EDI ESI ESP EBP Data Pointer Register for memory operations Stack Pointer Register Stack Data Pointer Register EIP Next Instruction
- 9. EFLAGSRegisters Bit Label Desciption --------------------------- 0CF Carry flag 2 PF Parity flag 4 AF Auxiliary carry flag 6 ZF Zero flag 7 SF Sign flag 8 TF Trap flag 9 IF Interrupt enable flag 10 DF Direction flag 11 11 OF Overflow flag 12-13 IOPL I/O Priviledge level 14 NT Nested task flag 16 RF Resume flag 17 VM Virtual 8086 mode flag 18 AC Alignment check flag (486+) 19 VIF Virutal interrupt flag 20 VIP Virtual interrupt pending flag 21 ID ID flag Those that are not listed are reserved by Intel.
- 10. General Purpose Register EAX AX 310 31 01516 AH AL 07815
- 11. Program Memory Layout Stack Unused Memory Heap .bss .data .text Usedfor stroing function Dynamic Memory Unintialize Data Intialize Data Program Code 0xffffffff 0x80961025
- 12. What is BufferOverflow? A buffer overflow condition exists when a program attempts to put more data in a buffer than it can hold or when a program attempts to put data in a memory area past a buffer
- 13. What is BufferOverflow? Environments Affected Almost all known web servers, application servers, and web application environments are susceptible to buffer overflows, the notable exception being environments written in interpreted languages like Java or Python, which are immune to these attacks (except for overflows in the Interpretor itself).
- 14. Stack Layout EIP EBP EBX EAX High Memory LowMemory Data Data Instruction
- 15. Sample Stack Overflow AAAA AAAA AAAA AAAA HighMemory Low Memory Data Data Instruction
- 16. Vul code sample Array int [20]; int [20][5]; int [20][5][3]; Format Strings; printf(), fprint(),sprint(),sprintf() Overflow strcpy() strcat() sprintf() vsprint() scanf()
- 17.
- 18.
- 19. Demo • Prerequisites • FreefloatFTP • Debugger • Python • Metasploit
- 20. Fuzzing – thevery first step • Need to know crash point • Need to know vul command
- 21. Fuzzing Framework • Spike •Sulley • Peach
- 22.
- 23.
- 24.
- 25. Program stack Buffer EIPShellcode NOPs Esp Jmp esp
- 26.
- 27.
- 28.
- 29.
- 30.