This presentation deals with different scenarios for attacking applications vulnerable to buffer overflows by exploiting the default SEH chain through an SEH overwrite.
A short introduction on how functions work. Functions are the building blocks of any modern programming language. This tutorial shows you how functions are implemented and how the process stack plays an important role in supporting functions.
This presentation was presented at IT Audit & IT Security Meetup #4 at Indonesian Cloud, Jakarta.
The exploit development process was quite challenging and we think that it's worth sharing.
For educational purposes only.
Exploit Development: EzServer Buffer Overflow by Tom Gregory (zakiakhmad)
EzServer is a video server that can stream in full HD quality to various machines. A buffer overflow was found in the EzServer application running on port 8000. An attacker can send malicious code to port 8000 and gain access equivalent to the privileges of the EzServer application. On this occasion, the author will describe the process of developing an exploit for the EzServer application using Python.
Tom Gregory: Security consultant at Spentera, Metasploit exploit developer/contributor.
http://www.python.or.id/2013/04/kopi-darat-komunitas-python-indonesia.html
Finding Xori: Malware Analysis Triage with Automated Disassembly (Priyanka Aash)
In a world of high volume malware and limited researchers, we need a dramatic improvement in our ability to process and analyze new and old malware at scale. Unfortunately, what is currently available to the community is incredibly cost prohibitive or does not rise to the challenge. As malware authors and distributors share code and prepackaged tool kits, the white hat community is dominated by solutions aimed at profit as opposed to augmenting capabilities available to the broader community. With that in mind, we are introducing our library for malware disassembly called Xori as an open source project. Xori is focused on helping reverse engineers analyze binaries, optimizing for time and effort spent per sample.
Xori is an automation-ready disassembly and static analysis library that consumes shellcode or PE binaries and provides triage analysis data. This Rust library emulates the stack, register states, and reference tables to identify suspicious functionality for manual analysis. Xori extracts structured data from binaries to use in machine learning and data science pipelines.
We will go over the pain-points of conventional open source disassemblers that Xori solves, examples of identifying suspicious functionality, and some of the interesting things we've done with the library. We invite everyone in the community to use it, help contribute and make it an increasingly valuable tool in this arms race.
XPDDS17: Using American Fuzzy Lop on the x86 Instruction Emulator - George Du... (The Linux Foundation)
American Fuzzy Lop (AFL) is a fuzzer that uses code coverage and genetic algorithms to automatically find "interesting" inputs: in particular, inputs which will crash your code. Andrew Cooper hooked Xen's x86 instruction decoder up to AFL and within an hour it found a bug which had been introduced in the 4.8 development window. I extended that work to test the full emulator, and with a few days of tweaking and iterating, AFL had produced over 6,000 unique test cases which gave us nearly 97% code coverage.
This talk will give an overview of our experience with AFL, to help give you a better understanding of the usefulness of this new tool.
This talk will shed some light on the intermediate language used inside the Hex-Rays Decompiler. The microcode is simple yet powerful enough to represent real-world programs. We publish it and give programmatic access to it from C++.
This presentation goes over basic exploitation techniques. Topics include:
- Introduction to the x86 paradigms exploited by these techniques
- Stack overflows including the classic stack smashing attack
- Ret2libc
- Format string exploits
- Heap overflows and metadata corruption attacks
Nadav Markus goes over the path from a simple crash POC provided by Google Project Zero (for CVE-2015-7547), to a fully weaponized exploit.
He explores how an attacker can utilize the behavior of the Linux kernel in order to bypass ASLR, allowing an attacker to remotely execute code on vulnerable targets.
Slides for a college course at City College San Francisco. Based on "The Shellcoder's Handbook: Discovering and Exploiting Security Holes ", by Chris Anley, John Heasman, Felix Lindner, Gerardo Richarte; ASIN: B004P5O38Q.
Instructor: Sam Bowne
Class website: https://samsclass.info/127/127_F19.shtml
Smash the Stack: Writing a Buffer Overflow Exploit (Win32) (Elvin Gentiles)
Slides from my ROOTCON12 training. This material contains an introduction to stack-based buffer overflow. This is also helpful for those who are doing OSCP and wanted to learn exploit development.
SEMAPHORE MANAGEMENT AND TYPES OF SEMAPHORE .pptx (SaiDhanushM)
Semaphores are just normal variables used to coordinate the activities of multiple processes in a computer system. They are used to enforce mutual exclusion, avoid race conditions, and implement synchronization between processes.
Using semaphores involves two operations: wait (P) and signal (V). The wait operation decrements the value of the semaphore, and the signal operation increments it. When the value of the semaphore is zero, any process that performs a wait operation will be blocked until another process performs a signal operation.
Semaphores are used to implement critical sections, which are regions of code that must be executed by only one process at a time. By using semaphores, processes can coordinate access to shared resources, such as shared memory or I/O devices.
A semaphore is a special kind of synchronization data that can be used only through specific synchronization primitives. When a process performs a wait operation on a semaphore, the operation checks whether the value of the semaphore is > 0. If so, it decrements the value of the semaphore and lets the process continue its execution; otherwise, it blocks the process on the semaphore. A signal operation on a semaphore activates a process blocked on the semaphore, if any, or otherwise increments the value of the semaphore by 1. Because of these semantics, semaphores are also called counting semaphores. The initial value of a semaphore determines how many processes can get past the wait operation.
Semaphores are of two types:
Binary Semaphore: also known as a mutex lock. It can have only two values, 0 and 1. Its value is initialized to 1. It is used to implement the solution of critical section problems with multiple processes.
Counting Semaphore: its value can range over an unrestricted domain. It is used to control access to a resource that has multiple instances.
Now let us see how it does so.
First, look at the two operations that can be used to access and change the value of the semaphore variable.
Some points regarding the P and V operations:
The P operation is also called the wait, sleep, or down operation, and the V operation is also called the signal, wake-up, or up operation.
Both operations are atomic, and the semaphore is always initialized to one. Here atomic means that the read, modify and update of the variable happen at the same moment with no pre-emption, i.e. in between the read, modify and update no other operation is performed that may change the variable.
A critical section is surrounded by both operations to implement process synchronization. See the image below: the critical section of process P is between the P and V operations.
Now, let us see how it implements m
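The wait (P) and signal (V) semantics described above, as an added example that is not part of this deck's description: a counting semaphore implemented in Python on top of a lock and a condition variable, used as a binary semaphore to protect a critical section shared by several threads, plus a check that P really blocks on a zero-valued semaphore until another thread performs V. The worker function, the shared counter and the thread counts are constructed for the demonstration.

```python
"""
Counting semaphore with the wait (P) and signal (V) operations, built from a
lock plus condition variable. Added example for this page, not the deck's code;
the worker, the shared counter and the thread counts are constructed here.
"""
import threading


class Semaphore:
    """Integer-valued semaphore: P blocks while the value is zero, V wakes one waiter."""

    def __init__(self, initial: int):
        if initial < 0:
            raise ValueError("semaphore value must be non-negative")
        self.value = initial
        self._cond = threading.Condition()   # lock + wait queue: makes P and V atomic

    def P(self):
        """wait / down: sleep until value > 0, then decrement it in one atomic step."""
        with self._cond:
            while self.value == 0:
                self._cond.wait()
            self.value -= 1

    def V(self):
        """signal / up: increment the value and wake one blocked thread, if any."""
        with self._cond:
            self.value += 1
            self._cond.notify()


def run_critical_sections(workers: int = 8, iterations: int = 1000, slots: int = 1):
    """Let `workers` threads increment a shared counter inside a critical section
    guarded by a semaphore initialised to `slots` (1 = binary semaphore / mutex).
    Returns (final counter, peak number of threads seen inside the section)."""
    sem = Semaphore(slots)
    shared = {"counter": 0, "inside": 0, "peak": 0}
    peak_lock = threading.Lock()              # only for the peak bookkeeping

    def worker():
        for _ in range(iterations):
            sem.P()                           # enter the critical section
            with peak_lock:
                shared["inside"] += 1
                shared["peak"] = max(shared["peak"], shared["inside"])
            shared["counter"] += 1            # the protected read-modify-write
            with peak_lock:
                shared["inside"] -= 1
            sem.V()                           # leave the critical section

    threads = [threading.Thread(target=worker) for _ in range(workers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return shared["counter"], shared["peak"]


def p_blocks_until_v(timeout: float = 1.0) -> bool:
    """Blocking rule: P on a zero-valued semaphore returns only after another
    thread performs V. True when the waiter was blocked first and then released."""
    sem = Semaphore(0)
    passed = threading.Event()

    def waiter():
        sem.P()
        passed.set()

    threading.Thread(target=waiter, daemon=True).start()
    blocked_first = not passed.wait(0.1)     # still blocked after 100 ms
    sem.V()
    return blocked_first and passed.wait(timeout)


if __name__ == "__main__":
    print("binary semaphore:", run_critical_sections())
    print("counting semaphore (2 slots):", run_critical_sections(slots=2))
    print("P blocks until V:", p_blocks_until_v())
```

With one slot the peak is always 1 and no increment is lost; with two slots the peak may reach 2, which is why a plain counter would then need its own protection.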
This was the slide representation for my training session at OWASP Seasides 2020. This entails all the workflow for the session, but please understand that this is not a lab manual and won't entail the details on Step-by-step execution of the attack. You can find my youtube video pertaining to this session here
https://www.youtube.com/watch?v=ZhZAKWpykTo
This is the most basic presentation introducing the concepts of Kubernetes; it only serves the mundane purpose of a visual aid to the session.
This encompasses different techniques employed by leveraging PowerShell and attacking the systems in different ways. It is an interesting agglomeration of combined methods in plundering a Windows box.
This, along with the binaries to be found at my GitHub profile @ github.com/shahenshah99, is used to present and conduct a hands-on session on securely deploying containers in Docker at the time of production.
This is in regard to the session that I have been holding at Null Bangalore. This session aims at providing a basic understanding of buffer overflows to attendees preparing for OSCP.
This presentation is in regard to the talk that I gave at the null monthly meet. It covers various grounds of cryptography. There are numerous ways to attack the methodology of any cryptographic content; the uploaded slides serve the same.
This presentation was for my talk at Null on Steganography using Python. It only serves as an on-screen ppt for the talk. In order to understand this in detail, please follow my page to find the code.
This is the slide deck that I prepared for the Null Pulliya session. I prepared this presentation with the usage and depth of coverage of GDB that any typical reverse engineer should have in his/her arsenal.
UiPath Test Automation using UiPath Test Suite series, part 4 (DianaGray10)
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do... (UiPathCommunity)
💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™:
See how to accelerate model training and optimize model performance with active learning
Learn about the latest enhancements to out-of-the-box document processing – with little to no training required
Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
👨🏫 Andras Palfi, Senior Product Manager, UiPath
👩🏫 Lenka Dulovicova, Product Program Manager, UiPath
DevOps and Testing slides at DASA Connect (Kari Kakkonen)
Slides by me and Rik Marselis at the DASA Connect conference on 30.5.2024. We discuss what testing is, then what agile testing is and finally what testing in DevOps is. Finally we had a lovely workshop with the participants, trying to find different ways to think about quality and testing in different parts of the DevOps infinity loop.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo... (James Anderson)
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024 (Tobias Schneck)
As AI technology pushes into IT, I was wondering, as an “infrastructure container kubernetes guy”, how this fancy AI technology gets managed from an infrastructure operational view. Is it possible to apply our lovely cloud native principles as well? What benefits could both technologies bring to each other?
Let me take these questions and provide you a short journey through existing deployment models and use cases for AI software. On practical examples, we discuss what cloud/on-premise strategy we may need for applying it to our own infrastructure to get it to work from an enterprise perspective. I want to give an overview of infrastructure requirements and technologies, and of what could be beneficial or limiting for your AI use cases in an enterprise environment. An interactive demo will give you some insights into the approaches I already got working for real.
Essentials of Automations: Optimizing FME Workflows with Parameters (Safe Software)
Are you looking to streamline your workflows and boost your projects’ efficiency? Do you find yourself searching for ways to add flexibility and control over your FME workflows? If so, you’re in the right place.
Join us for an insightful dive into the world of FME parameters, a critical element in optimizing workflow efficiency. This webinar marks the beginning of our three-part “Essentials of Automation” series. This first webinar is designed to equip you with the knowledge and skills to utilize parameters effectively: enhancing the flexibility, maintainability, and user control of your FME projects.
Here’s what you’ll gain:
- Essentials of FME Parameters: Understand the pivotal role of parameters, including Reader/Writer, Transformer, User, and FME Flow categories. Discover how they are the key to unlocking automation and optimization within your workflows.
- Practical Applications in FME Form: Delve into key user parameter types including choice, connections, and file URLs. Allow users to control how a workflow runs, making your workflows more reusable. Learn to import values and deliver the best user experience for your workflows while enhancing accuracy.
- Optimization Strategies in FME Flow: Explore the creation and strategic deployment of parameters in FME Flow, including the use of deployment and geometry parameters, to maximize workflow efficiency.
- Pro Tips for Success: Gain insights on parameterizing connections and leveraging new features like Conditional Visibility for clarity and simplicity.
We’ll wrap up with a glimpse into future webinars, followed by a Q&A session to address your specific questions surrounding this topic.
Don’t miss this opportunity to elevate your FME expertise and drive your projects to new heights of efficiency.
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf (91mobiles)
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
JMeter webinar - integration with InfluxDB and Grafana (RTTS)
Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application.
In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics.
Length: 30 minutes
Session Overview
-------------------------------------------
During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana:
- What out-of-the-box solutions are available for real-time monitoring JMeter tests?
- What are the benefits of integrating InfluxDB and Grafana into the load testing stack?
- Which features are provided by Grafana?
- Demonstration of InfluxDB and Grafana using a practice web application
To view the webinar recording, go to:
https://www.rttsweb.com/jmeter-integration-webinar
Securing your Kubernetes cluster_ a step-by-step guide to success ! (KatiaHIMEUR1)
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
The Art of the Pitch: WordPress Relationships and Sales (Laura Byrne)
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if something changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
Elevating Tactical DDD Patterns Through Object Calisthenics (Dorra BARTAGUIZ)
After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!
Key Trends Shaping the Future of Infrastructure.pdf (Cheryl Hung)
Keynote at DIGIT West Expo, Glasgow on 29 May 2024.
Cheryl Hung, ochery.com
Sr Director, Infrastructure Ecosystem, Arm.
The key trends across hardware, cloud and open-source; exploring how these areas are likely to mature and develop over the short and long-term, and then considering how organisations can position themselves to adapt and thrive.
6. How does the OS locate the handlers
(diagram: the process's Thread Information Block holds FS:[0], which points to an 8-byte Exception Registration Record made of a pointer to the next record and a pointer to the handler)
10. Exception Registration Linked List
(diagram: FS:[0] in the Thread Information Block -> Record 1 (Function A's handler, Ptr to R2) -> Record 2 (FFFFFFFF, OS handler))
12. Exception Registration Linked List
(diagram: FS:[0] -> Record 1 (Function B's handler, Ptr to R2) -> Record 2 (Function A's handler, Ptr to R3) -> Record 3 (FFFFFFFF, OS handler))
14. Exception Registration Linked List
(diagram: FS:[0] -> Record 1 (Function C's handler, Ptr to R2) -> Record 2 (Function B's handler, Ptr to R3) -> Record 3 (Function A's handler, Ptr to R4) -> Record 4 (FFFFFFFF, OS handler))
18. Program Stack with SEH
(diagram: the stack runs from its bottom at high memory addresses down to unused stack at lower addresses, with ESP and EBP marking the current frame; funcA's, funcB's and funcC's stack frames each hold, from low to high addresses, the function's local variables, its Exception Registration Record (Next Exception_Registration_Record and the function's exception handler), the caller's saved EBP, the return address into the caller and the function's two arguments; the three registration records are thereby chained up the stack)
19. Quick Recap of Concepts
• SEH consists of a chain of Exception Registration Records
• These records are dynamically added to and removed from a linked list based on where we are in the code
• FS:[0] points to the start of the SEH chain
• When an exception happens, the OS walks the SEH chain to check who can handle the exception
• If a handler is found, it handles the exception; else the default OS handler kicks in
20. Who walks the SEH chain? The Exception Dispatcher
KiUserExceptionDispatcher()
RtlDispatchException()
RtlExecuteHandlerForException()
ExecuteHandler()
_except_handler()
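The chain walk that slides 19 and 20 describe, modelled in Python as an added example (not code from the presentation): FS:[0], 8-byte registration records, the 0xFFFFFFFF terminator and a dispatcher that calls the handlers in chain order using the EXCEPTION_DISPOSITION values from excpt.h. The walker also applies the integrity checks a dispatcher can make before following a record (record inside the stack, 4-byte aligned, chain moving toward higher addresses), which is how a record clobbered by an overflow is rejected rather than followed. The stack addresses, handler addresses and handler behaviours are constructed; 0xC0000005 is the Windows access-violation status code.

```python
"""
Model of the SEH chain and the dispatcher's walk over it. Added example written
for this page, not the presentation's code. A thread's stack is a little-endian
byte buffer; FS:[0] holds the address of the newest registration record; each
record is 8 bytes (next record, handler) and the chain ends at 0xFFFFFFFF.
"""
import struct

CHAIN_END = 0xFFFFFFFF          # "next" value of the last record: default OS handler
RECORD_SIZE = 8                 # two 32-bit pointers

# EXCEPTION_DISPOSITION values a handler returns (excpt.h)
ExceptionContinueExecution = 0  # handled: resume at the faulting context
ExceptionContinueSearch = 1     # not mine: keep walking the chain


class Stack:
    """Fake 32-bit stack occupying [base, base + size)."""

    def __init__(self, base, size):
        self.base, self.mem = base, bytearray(size)

    def contains(self, addr, n=RECORD_SIZE):
        return self.base <= addr and addr + n <= self.base + len(self.mem)

    def write_record(self, addr, next_rec, handler):
        struct.pack_into("<II", self.mem, addr - self.base, next_rec, handler)

    def read_record(self, addr):
        return struct.unpack_from("<II", self.mem, addr - self.base)


def walk_seh_chain(stack, fs0):
    """Walk from FS:[0] to the terminator and return (record address, handler)
    pairs in search order. Before trusting a record, apply the sanity checks a
    dispatcher can make: the record lies inside the stack, is 4-byte aligned and
    the chain only moves toward higher (older) addresses. A record whose 'next'
    field was clobbered by an overflow fails these checks instead of being followed."""
    records, cur, prev = [], fs0, None
    while cur != CHAIN_END:
        if cur % 4 or not stack.contains(cur):
            raise ValueError(f"registration record {cur:#010x} lies outside the stack")
        if prev is not None and cur <= prev:
            raise ValueError(f"chain does not ascend: {prev:#010x} -> {cur:#010x}")
        next_rec, handler = stack.read_record(cur)
        records.append((cur, handler))
        prev, cur = cur, next_rec
    return records


def dispatch(stack, fs0, handler_code, exception_code):
    """Call handlers in chain order until one reports the exception handled.
    handler_code maps a handler address to a callable(exception_code, establisher_frame)
    returning an EXCEPTION_DISPOSITION; the establisher frame is the address of the
    registration record the handler was reached through. Returns the address of the
    handler that took the exception, or None when the OS default handler would."""
    for establisher_frame, handler_addr in walk_seh_chain(stack, fs0):
        if handler_code[handler_addr](exception_code, establisher_frame) == ExceptionContinueExecution:
            return handler_addr
    return None


def build_sample_stack():
    """Constructed sample: funcA called funcB called funcC, each registering a record."""
    st = Stack(base=0x0012F000, size=0x1000)
    st.write_record(0x0012F500, CHAIN_END,  0x00401200)   # funcA's record (oldest)
    st.write_record(0x0012F300, 0x0012F500, 0x00401100)   # funcB's record
    st.write_record(0x0012F100, 0x0012F300, 0x00401000)   # funcC's record (newest)
    return st, 0x0012F100                                 # FS:[0] -> newest record


if __name__ == "__main__":
    st, fs0 = build_sample_stack()
    print("search order:", [f"{h:#x}" for _, h in walk_seh_chain(st, fs0)])
    # funcC's handler declines, funcB's handles the access violation
    code = {0x00401000: lambda c, f: ExceptionContinueSearch,
            0x00401100: lambda c, f: ExceptionContinueExecution,
            0x00401200: lambda c, f: ExceptionContinueSearch}
    print("handled by:", hex(dispatch(st, fs0, code, 0xC0000005)))
    st.mem[0x100:0x108] = b"A" * 8          # funcC's record overwritten by an overflow
    try:
        walk_seh_chain(st, fs0)
    except ValueError as e:
        print("corrupt chain rejected:", e)
```

Run as a script it prints the search order (newest record first), the handler that takes the exception, and the rejection of the record once its next pointer reads 0x41414141, an address that is neither aligned nor inside the stack.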
22. Handler Prototype
• The prototype for the exception handler is as follows (excpt.h):
EXCEPTION_DISPOSITION __cdecl _except_handler(
    struct _EXCEPTION_RECORD *ExceptionRecord,
    void *EstablisherFrame,
    struct _CONTEXT *ContextRecord,
    void *DispatcherContext
);
23. Analyzing the 2 Stack Frames
(diagram: Program Stack, low memory at the top, FS:[0] pointing at funcC's record: Local Variable, Next ERR, ExceptionHandler(), Func-B EBP, RET of Func-B, Func-C Arg 1, Func-C Arg 2; beside it the Exception Dispatcher Stack while EIP is inside ExceptionHandler(): ESP, ESP+4, ESP+8 = Establisher Frame)
24. What if?
(same diagram, with the body of ExceptionHandler() replaced by pop eax / pop ebx / retn)
25. Pop EAX
26. Pop EBX
27. RETN
28. RETN
(slides 25 to 28 step the dispatcher stack through that sequence: pop eax consumes the value at ESP, pop ebx the value at ESP+4, and retn loads EIP from ESP+8, the Establisher Frame, which is the address of the Next ERR field in the program stack)
29. Demo of overwrite with AAAAA….
• Verify that the POP/POP/RET instruction sequence sends control to the next ERR location
• Cause a buffer overflow in the Easy Chat program by sending a large number of AAA
30. How do we exploit this condition?
(diagram: Program Stack before the overwrite: Local Variable, Next ERR, ExceptionHandler(), Func-B EBP, RET of Func-B, Func-C Arg 1, Func-C Arg 2; Program Stack after the overwrite: every field from FS:[0] onward filled with AAAA)
31. How do we exploit this condition?
(diagram: after the overwrite, Next ERR holds a short JMP of 6 bytes and ExceptionHandler() holds the address of a pop eax / pop ebx / retn sequence)
32. How do we exploit this condition?
(diagram: after the overwrite, Next ERR = short JMP 6 bytes, ExceptionHandler() = address of pop eax / pop ebx / retn, followed by a NOP sled and the payload; retn loads EIP with the Establisher Frame, i.e. the address of the short JMP)
Layout of the overwritten region, from low memory:
Short JMP 6 Bytes | 2 NOP   | Ptr to EH | NOP Sled        | Payload
2 bytes           | 2 bytes | 4 bytes   | Variable Length | Variable Length
33. Let's exploit Easy Chat server
• Steps:
Find the exact offset of the next ERR and ExceptionHandler() on the stack
Find a POP/POP/RET sequence in a module without SAFESEH
Overwrite ExceptionHandler() with the address of POP/POP/RET
Overwrite ERR with a short JMP of 6 bytes => “\xEB\x06\x90\x90”
Add the payload 6 bytes below, after the ExceptionHandler()
34. SEH Exploitation Protection
• Modules linked with /SAFESEH cannot be used
• The linker creates a list of “safe” exception handlers
• The OS will match the exception handler address against this list before executing it
• Only if there is a match in this list will execution happen
• This was made by Microsoft to protect SEH from exploitation and applied from Windows XP SP1 onwards
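The “safe handler list” described above is something a defender can audit directly: /SAFESEH makes the linker write the list into the PE Load Configuration directory (the SEHandlerTable and SEHandlerCount fields), and the dispatcher only accepts handler addresses found there. The following Python reads that directory from a 32-bit PE and reports whether a module carries the table and which handler addresses it permits. This is an added example written for this page, not code from the presentation or from Microsoft; the two images it inspects are minimal PE32 files constructed inline as synthetic samples, with a made-up image base and handler RVAs, and the field offsets follow the PE file format.

```python
"""
SafeSEH audit of a 32-bit PE module. Added example for this page, not the
presentation's code. Reads the Load Config directory (SEHandlerTable at offset
0x40, SEHandlerCount at 0x44) that /SAFESEH produces. The sample images are
constructed below and are not real binaries.
"""
import struct

IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG = 10
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def _u16(b, off):
    return struct.unpack_from("<H", b, off)[0]


def _u32(b, off):
    return struct.unpack_from("<I", b, off)[0]


def _rva_to_offset(sections, rva):
    """Translate an RVA to a file offset via the section table."""
    for vaddr, vsize, raw_ptr, raw_size in sections:
        if vaddr <= rva < vaddr + max(vsize, raw_size):
            return raw_ptr + (rva - vaddr)
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def safeseh_status(image: bytes) -> dict:
    """Report whether a PE image was linked with /SAFESEH and list its registered handlers."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image (missing MZ)")
    pe = _u32(image, 0x3C)
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image (missing PE signature)")
    coff = pe + 4
    nsections, opt_size = _u16(image, coff + 2), _u16(image, coff + 16)
    opt = coff + 20
    magic = _u16(image, opt)
    if magic == PE32PLUS_MAGIC:
        return {"arch": "x64", "safeseh": None, "reason": "x64 keeps no SEH chain on the stack"}
    if magic != PE32_MAGIC:
        raise ValueError(f"unexpected optional header magic {magic:#x}")
    image_base, n_dirs = _u32(image, opt + 28), _u32(image, opt + 92)
    data_dirs = opt + 96                       # PE32: data directories start at offset 96
    sections = []                              # 40-byte section headers follow the optional header
    for i in range(nsections):
        s = opt + opt_size + 40 * i
        sections.append((_u32(image, s + 12), _u32(image, s + 8), _u32(image, s + 20), _u32(image, s + 16)))
    result = {"arch": "x86", "safeseh": False, "handlers": [], "reason": ""}
    lc_rva = _u32(image, data_dirs + 8 * IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG) if n_dirs > IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG else 0
    if lc_rva == 0:
        result["reason"] = "no Load Config directory: any address in the module is accepted as a handler"
        return result
    lc = _rva_to_offset(sections, lc_rva)
    if _u32(image, lc) < 0x48:                 # Size field must cover SEHandlerTable/Count
        result["reason"] = "Load Config too short to carry SEHandlerTable"
        return result
    table_va, count = _u32(image, lc + 0x40), _u32(image, lc + 0x44)
    if table_va == 0:
        result["reason"] = "SEHandlerTable is NULL (not linked with /SAFESEH)"
        return result
    table = _rva_to_offset(sections, table_va - image_base)   # table is a VA; entries are RVAs
    result.update(safeseh=True, reason="SEHandlerTable present",
                  handlers=[image_base + _u32(image, table + 4 * i) for i in range(count)])
    return result


def handler_allowed(status: dict, handler_va: int) -> bool:
    """The check slide 34 describes: with a table present, only listed addresses may run."""
    return handler_va in status["handlers"] if status["safeseh"] else True


def build_sample_pe(with_safeseh: bool, image_base=0x00400000) -> bytes:
    """Constructed minimal PE32: one .rdata section at RVA 0x1000 backed by file offset 0x200."""
    pe_off, opt_size, raw_ptr, sec_rva = 0x80, 224, 0x200, 0x1000
    image = bytearray(0x400)
    image[0:2] = b"MZ"
    struct.pack_into("<I", image, 0x3C, pe_off)
    image[pe_off:pe_off + 4] = b"PE\0\0"
    coff = pe_off + 4
    struct.pack_into("<HH", image, coff, 0x14C, 1)             # IMAGE_FILE_MACHINE_I386, 1 section
    struct.pack_into("<H", image, coff + 16, opt_size)
    opt = coff + 20
    struct.pack_into("<H", image, opt, PE32_MAGIC)
    struct.pack_into("<I", image, opt + 28, image_base)
    struct.pack_into("<I", image, opt + 92, 16)                # NumberOfRvaAndSizes
    struct.pack_into("<8sIIII", image, opt + opt_size, b".rdata", 0x200, sec_rva, 0x200, raw_ptr)
    if with_safeseh:
        table_rva = sec_rva + 0x100
        struct.pack_into("<II", image, opt + 96 + 8 * IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG, sec_rva, 0x48)
        struct.pack_into("<I", image, raw_ptr, 0x48)                                 # Load Config Size
        struct.pack_into("<II", image, raw_ptr + 0x40, image_base + table_rva, 2)    # SEHandlerTable, Count
        struct.pack_into("<II", image, raw_ptr + 0x100, 0x1234, 0x1300)             # two handler RVAs
    return bytes(image)


if __name__ == "__main__":
    for name, img in (("safe.dll", build_sample_pe(True)), ("legacy.dll", build_sample_pe(False))):
        st = safeseh_status(img)
        print(name, "-", st["reason"], [hex(h) for h in st["handlers"]])
```

To audit a real process, feed `safeseh_status` the file bytes of each loaded 32-bit module; a module reporting `safeseh` False is a candidate for relinking with /SAFESEH, since every address inside it is otherwise acceptable to the dispatcher as a handler.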
35. ABUSING SEH
(diagram: stack holding the Pointer to Next SEH record, the Current SE Handler, pop,pop,ret and the Shellcode)
An access violation / exception is triggered:
(1) The exception handler kicks in
(2) The Current SE Handler was overwritten and points to pop,pop,ret
(3) pop,pop,ret: during the prologue of the exception handler, the address of the pointer to next SEH was put on the stack at ESP+8; pop pop ret puts this address in EIP and allows execution of the code at the address of “pointer to next SEH”
(4) The pointer to next SEH was overwritten with a jmp to the shellcode