Hacking | Information Security Analysis
Hacking
Security Analysis
-- Build security with creativity
Danang Heriyadi (danang@hatsecure.com)
Hello World
Today
• Hacking Incidents
• Assets
• Vulnerability Analysis
Top 3 - Hacking in action
• Cyber Spying
• Fraud or Forgery
• Illegal Access
How do they do that?
• Sensitive information disclosure
– Search engines (Google, Bing, Yahoo)
– Magazines
– etc.
• Social engineering attacks
– The knowledge and attitude that members of an organization have regarding the protection of its information assets.
• Vulnerabilities in your system
– Attackers exploit a vulnerability to gain access.
Google Hacking
What are you trying to protect?
• Sensitive personal data
• Your network infrastructure
• Your assets
Common Vulnerabilities
• Web
– XSS
– Database injection
– OS command injection
– Local file disclosure
– File inclusion
– Path disclosure
– CSRF
– Directory traversal
• Low-level vulnerabilities
– Stack overflow
– Heap overflow
– Integer overflow
– Memory corruption
– etc.
Buffer Overflow
• Low-level vulnerabilities (difficulty to find and exploit)
– Stack overflow (very easy)
– Integer overflow (easy)
– Heap overflow (medium)
– Memory corruption (easy - medium)
– ...
Impact of a buffer overflow
• Application
– Crash and termination
– Arbitrary code execution
• Operating system
– Crash, hang, or reboot
– Arbitrary code execution
– Privilege escalation
Basic Knowledge
• CPU registers (x86)
– EAX, EBX, ECX, EDX
– ESI, EDI
– EBP (frame base pointer), ESP (stack pointer)
– EIP (instruction pointer: address of the next instruction to execute)
Basic Knowledge
• Assembly language
– mov
– push
– pop
– shr
– jmp
– ret
Windows Memory Allocation (32-bit user address space, low addresses first)
    0x00000000
    0x00400000   Program Image
                 • PE Header
                 • .text, .rdata, .data, ...
                 Heap, Stack, DLLs (regions above the image can be allocated as heap or stack for other threads)
    0x7FFDF000   PEB
    0x7FFE0000   Shared User Page
    0x7FFE1000   No Access
    0xFFFFFFFF
C++ from beginner

    #include <stdio.h>
    #include <string.h>   /* declares strcpy() */

    void vulnerable(char *Buffer) {
        char stack_data[128];
        strcpy(stack_data, Buffer);   /* no length check: copies until the first NUL of Buffer */
        printf(" Isi variabel stack_data : %s ", stack_data);
    }

    int main(int argc, char **argv) {
        vulnerable(argv[1]);
        return 0;
    }
Run it!!
Stack Allocation (the same program, traced step by step)

    #include <stdio.h>
    #include <string.h>

    void vulnerable(char *Buffer) {
        char stack_data[128];
        strcpy(stack_data, Buffer);
        printf(" Isi variabel stack_data : %s ", stack_data);
    }

    int main(int argc, char **argv) {
        vulnerable(argv[1]);
        return 0;
    }

CPU Register (Example)
• EIP = 0x01234567 => address of main()
Stack (low addresses at top; 0x00000000 = top of stack): no frame for vulnerable() yet
Stack Allocation
CPU Register (Example)
• EIP = 0x01234571 => address of vulnerable()
Stack: the frame for vulnerable() is about to be set up
Stack Allocation
CPU Register (Example)
• EIP = 0x01234585 => stack_data[128] (space for the local buffer is reserved)
Stack Allocation
CPU Register (Example)
• EIP = 0x01234544 => address of strcpy()
Stack (low addresses at top; 0x00000000 = top of stack):
    ESP -> <space for stack_data>   128 bytes, not yet written
           Saved EBP  0x00112233
           Saved EIP  0x00112237    return address into main()
           <ptr to argv[1]>         argument passed to vulnerable()
Stack Allocation
CPU Register (Example)
• EIP = 0x01234548 => address of printf()
Stack:
    ESP -> stack_data = "ABCD"      strcpy() copied the 4-byte argument and its NUL terminator
           Saved EBP  0x00112233    untouched
           Saved EIP  0x00112237    untouched
           <ptr to argv[1]>
Stack Allocation
CPU Register (Example)
• EIP = 0x01234552 => restore saved EIP -> EIP (return from vulnerable())
Stack:
    ESP -> Saved EBP  0x00112233    stack_data released; saved EBP is restored
           Saved EIP  0x00112237    ret loads this value into EIP
           <ptr to argv[1]>
Stack Allocation
CPU Register (Example)
• EIP = 0x01234599 => exit(0)
Stack:
    ESP -> <ptr to argv[1]>         back in main(); the frame of vulnerable() is gone
Stack Allocation
Stack: empty, the program has finished normally
Stack Allocation (Stack Overflow)
Stack Allocation (Stack Overflow)
The same program, now called with an argument longer than 128 bytes.
CPU Register (Example)
• EIP = 0x012345 => address of strcpy()
Stack (low addresses at top; 0x00000000 = top of stack):
    ESP -> <space for stack_data>   128 bytes
           Saved EBP  0x00112233
           Saved EIP  0x00112237
           <ptr to argv[1]>
Stack Allocation (Stack Overflow)
CPU Register (Example)
• EIP = 0x01234548 => address of printf()
Stack after strcpy():
    ESP -> stack_data  41 41 41 41 ... 41   all 128 bytes filled with 'A' (0x41)
           Saved EBP  0x41414141            was 0x00112233
           Saved EIP  0x41414141            was 0x00112237
Stack Allocation (Stack Overflow)
CPU Register (Example)
• EIP = 0x41414141 => restore saved EIP -> EIP (ret pops the overwritten return address)
Stack:
    ESP -> stack_data  41 41 41 41 ... 41
           Saved EBP  0x41414141            was 0x00112233
           Saved EIP  0x41414141            was 0x00112237
Stack Allocation (Stack Overflow)
CPU Register (Example)
• EIP = 0x41414141
Access violation when executing at 0x41414141 (no mapped, executable code lives there)
Stack:
    ESP -> stack_data  41 41 41 41 ... 41
           (original saved EBP 0x00112233 and saved EIP 0x00112237 overwritten)
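As an added example (not code from the slides), here is the traced program beside a hardened version of the same function. The only behavioural change is that the copy is bounded by sizeof stack_data, so an argument that does not fit (128 bytes or more, the case that overwrote saved EBP and saved EIP above) is rejected instead of running past the buffer. run_with_filler() is a constructed harness that feeds the hardened function 'A' (0x41) filler of a chosen length, the same filler the slides use.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define STACK_DATA_LEN 128

/* The pattern from the slides: strcpy() copies until the first NUL byte of
   Buffer and ignores the 128 bytes reserved for stack_data. Anything longer
   runs over the saved EBP and saved EIP that sit just above the buffer.
   Kept only for contrast; it is never called with untrusted input here. */
void vulnerable(char *Buffer) {
    char stack_data[STACK_DATA_LEN];
    strcpy(stack_data, Buffer);
    printf(" Isi variabel stack_data : %s ", stack_data);
}

/* Length of src, looking at no more than 'limit' bytes, so an unterminated
   source cannot make the check itself read out of bounds. */
static size_t bounded_len(const char *src, size_t limit) {
    size_t n = 0;
    while (n < limit && src[n] != '\0')
        n++;
    return n;
}

/* Copies src into dst[cap] only when it fits together with its NUL terminator.
   Returns 0 on success; returns -1 and leaves dst as "" when src is too long.
   memcpy plus an explicit terminator is used instead of strncpy(), which does
   not terminate dst when src is cap bytes or longer. */
int bounded_copy(char *dst, size_t cap, const char *src) {
    if (cap == 0)
        return -1;
    size_t n = bounded_len(src, cap);
    if (n >= cap) {              /* n == cap leaves no room for the terminator */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 0;
}

/* Hardened vulnerable(): same buffer, same output, bounded copy. */
int hardened(const char *Buffer) {
    char stack_data[STACK_DATA_LEN];
    if (bounded_copy(stack_data, sizeof stack_data, Buffer) != 0) {
        fprintf(stderr, "input rejected: longer than %zu bytes\n",
                sizeof stack_data - 1);
        return -1;
    }
    printf(" Isi variabel stack_data : %s \n", stack_data);
    return 0;
}

/* Copies src into a fresh 128-byte buffer; 1 when the copy equals src,
   0 when the input was rejected. */
int copy_round_trips(const char *src) {
    char stack_data[STACK_DATA_LEN];
    if (bounded_copy(stack_data, sizeof stack_data, src) != 0)
        return 0;
    return strcmp(stack_data, src) == 0;
}

/* Constructed harness: an argument of 'len' bytes of 'A' (0x41). */
int run_with_filler(size_t len) {
    char input[512];
    if (len >= sizeof input)
        return -1;
    memset(input, 'A', len);
    input[len] = '\0';
    return hardened(input);
}

int main(int argc, char **argv) {
    if (argc > 1)                       /* same usage as the slide program */
        return hardened(argv[1]) == 0 ? 0 : 1;
    /* No argument: show the boundary. 127 'A's fit (128 with the NUL);
       128 or more would have reached saved EBP/EIP under strcpy(). */
    run_with_filler(4);
    run_with_filler(127);
    run_with_filler(128);
    run_with_filler(160);
    return 0;
}
```

Run it with an argument to mirror the slide program, or without one to see the 127/128 boundary: the 160-byte input that produced the 0x41414141 crash in the trace is refused before any byte is written to the stack.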
Stack Exploitation
Stack Exploitation (Stack Overflow)
Crash state (previous slides) beside the controlled state:
    stack_data  41 41 41 ... 41          stack_data  41 41 41 ... 41
    Saved EBP   0x41414141               Saved EBP   0x41414141
    Saved EIP   0x41414141               Saved EIP   0x80221122   <- address for JMP ESP
    (original 0x00112233 / 0x00112237 overwritten in both cases)
    ESP -> 41 41 41 ...                  ESP -> shellcode (hex bytes from the slide):
                                                31c031db31c931d2eb16bfea07457e50535150ffd7595068
                                                4141414189e3ebeae8f0ffffff48656c6c6f776f726c64
When vulnerable() returns, EIP becomes 0x80221122; the JMP ESP there transfers execution to the bytes ESP points at, which are the shellcode.
Shellcode
• A small piece of code used as the payload in the exploitation of a software vulnerability
• Why is our shellcode not working?
– Bad characters (bytes the vulnerable copy does not carry through intact)
– Too large for the available space
Stack Exploitation (Stack Overflow)
• Fuzzing technique
– Detecting the buffer overflow
– Finding the offset at which EBP and EIP are overwritten
• Find a JMP ESP (opcode bytes ff e4)
windbg command > lm m user32
windbg command > s -b 7xxxxx 7xxxxx ff e4
• Generate shellcode
– msfvenom
– manual :-P
• Finishing the exploit
Mitigation and Technique (mitigation -> technique used to get around it)
• Windows XP
– Hardware DEP -> ROP shellcode
• Windows Vista
– ASLR -> static addresses in shared data memory
– DEP -> ROP shellcode
• Windows 7
– ASLR + DEP -> ROP / JIT ROP / JIT ROP spraying
• Windows 8
– ASLR + DEP (new) -> ROP / JIT ROP
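DEP and ASLR on these versions are opt-ins recorded per binary in the PE optional header's DllCharacteristics field (the winnt.h bits IMAGE_DLLCHARACTERISTICS_NX_COMPAT and IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE), so the first check a defender makes on a build is whether those bits are set. The following is an added example, not code from the slides: a bounds-checked parser that reads that field from a raw image and reports the opt-ins. The image bytes are constructed in build_sample_pe() (an assumption: a minimal PE32 header with no sections), so it runs without a real executable.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* DllCharacteristics bits from the PE optional header (winnt.h names). */
#define IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA 0x0020
#define IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE    0x0040   /* ASLR opt-in */
#define IMAGE_DLLCHARACTERISTICS_NX_COMPAT       0x0100   /* DEP opt-in */

#define PE_DLLCHARS_OFFSET 70   /* same offset in PE32 and PE32+ optional headers */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Follows e_lfanew to the optional header and reads DllCharacteristics.
   Every offset is checked against len first, so a truncated or malformed
   image yields -1 instead of an out-of-bounds read. Returns 0 on success. */
int pe_dll_characteristics(const uint8_t *img, size_t len, uint16_t *out) {
    if (img == NULL || len < 0x40 || img[0] != 'M' || img[1] != 'Z')
        return -1;
    uint32_t pe_off = rd32(img + 0x3C);                      /* e_lfanew */
    /* signature (4) + COFF header (20) + optional header up to and including DllCharacteristics */
    if (pe_off > len || len - pe_off < 4 + 20 + PE_DLLCHARS_OFFSET + 2)
        return -1;
    if (memcmp(img + pe_off, "PE\0\0", 4) != 0)
        return -1;
    uint16_t opt_size = rd16(img + pe_off + 4 + 16);         /* SizeOfOptionalHeader */
    if (opt_size < PE_DLLCHARS_OFFSET + 2)
        return -1;
    const uint8_t *opt = img + pe_off + 4 + 20;
    uint16_t magic = rd16(opt);
    if (magic != 0x10b && magic != 0x20b)                    /* PE32 / PE32+ */
        return -1;
    *out = rd16(opt + PE_DLLCHARS_OFFSET);
    return 0;
}

/* Bit 0 = ASLR (DYNAMIC_BASE), bit 1 = DEP (NX_COMPAT), bit 2 = high-entropy
   64-bit ASLR; -1 if the header could not be parsed. */
int pe_mitigation_flags(const uint8_t *img, size_t len) {
    uint16_t dc;
    if (pe_dll_characteristics(img, len, &dc) != 0)
        return -1;
    int flags = 0;
    if (dc & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)    flags |= 1;
    if (dc & IMAGE_DLLCHARACTERISTICS_NX_COMPAT)       flags |= 2;
    if (dc & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA) flags |= 4;
    return flags;
}

/* Constructed sample: a minimal PE32 header (no sections, no code) carrying
   the given DllCharacteristics. Returns bytes written, 0 if buf is too small. */
size_t build_sample_pe(uint8_t *buf, size_t cap, uint16_t dllchars) {
    const uint32_t pe_off = 0x40;
    const size_t total = pe_off + 4 + 20 + 0xE0;             /* 0xE0 = PE32 optional header size */
    if (cap < total)
        return 0;
    memset(buf, 0, total);
    buf[0] = 'M'; buf[1] = 'Z';
    buf[0x3C] = (uint8_t)pe_off;                             /* e_lfanew, little-endian */
    memcpy(buf + pe_off, "PE\0\0", 4);
    uint8_t *coff = buf + pe_off + 4;
    coff[0] = 0x4C; coff[1] = 0x01;                          /* Machine = IMAGE_FILE_MACHINE_I386 */
    coff[16] = 0xE0; coff[17] = 0x00;                        /* SizeOfOptionalHeader */
    uint8_t *opt = coff + 20;
    opt[0] = 0x0B; opt[1] = 0x01;                            /* Magic = 0x10B (PE32) */
    opt[PE_DLLCHARS_OFFSET]     = (uint8_t)(dllchars & 0xFF);
    opt[PE_DLLCHARS_OFFSET + 1] = (uint8_t)(dllchars >> 8);
    return total;
}

/* Builds a sample with the given DllCharacteristics and returns its flags. */
int sample_flags(uint16_t dllchars) {
    uint8_t img[512];
    size_t n = build_sample_pe(img, sizeof img, dllchars);
    return n == 0 ? -1 : pe_mitigation_flags(img, n);
}

/* Cuts a valid sample down to 'keep' bytes and returns the parser's result. */
int truncated_sample_result(size_t keep) {
    uint8_t img[512];
    size_t n = build_sample_pe(img, sizeof img, 0x0140);
    if (n == 0 || keep > n)
        return -2;
    return pe_mitigation_flags(img, keep);
}

int main(void) {
    int f = sample_flags(IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE | IMAGE_DLLCHARACTERISTICS_NX_COMPAT);
    printf("ASLR: %s  DEP: %s\n", (f & 1) ? "yes" : "no", (f & 2) ? "yes" : "no");
    printf("truncated header -> %d\n", truncated_sample_result(0x80));
    return 0;
}
```

To run the same check on a real file, read it into memory and pass the bytes and length to pe_mitigation_flags(); a binary that reports no DYNAMIC_BASE or no NX_COMPAT is the one the bypass techniques on these slides still apply to, whatever the operating system version.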

Seminar Hacking & Security Analysis
