Downloaded 68 times
![Presented By: Amit Malik a.k.a DouBle_Zer0 [email_address]](https://image.slidesharecdn.com/softwareexploitationtechniques2-100719125618-phpapp02/85/Software-Exploitation-Techniques-by-Amit-Malik-1-320.jpg)
![Presented By: Amit Malik a.k.a DouBle_Zer0 [email_address]](https://image.slidesharecdn.com/softwareexploitationtechniques2-100719125618-phpapp02/75/Software-Exploitation-Techniques-by-Amit-Malik-1-2048.jpg)
Uploaded byn|u - The Open Security Community
Software Exploitation Techniques by Amit Malik
The document discusses stack-based buffer overflow vulnerabilities. It begins with an overview of buffer overflows and demonstrates one using the Filecopa FTP server. It explains the stack structure when functions call each other and how a buffer overflow can overwrite the return address on the stack. The document then discusses three methods for finding security bugs: fuzzing, reverse engineering, and source code auditing. It walks through fuzzing the FTP server, determining the vulnerable function through reverse engineering, calculating the offset needed for the instruction pointer, addressing issues of limited space on the stack, and constructing an exploit to gain remote code execution by manipulating the ECX register and jumping to it.
More Related Content
Similar to Software Exploitation Techniques by Amit Malik
![[ENG] Hacktivity 2013 - Alice in eXploitland](https://cdn.slidesharecdn.com/ss_thumbnails/exploitland-131019060054-phpapp02-thumbnail.jpg?width=640&height=640&fit=bounds)
More from n|u - The Open Security Community
Software Exploitation Techniques by Amit Malik
- 1. Presented By: AmitMalik a.k.a DouBle_Zer0 [email_address]
- 2. Application overview DebuggersStack based buffer overflow Demo
- 3. Filecopa FTP (FileTransfer Protocol) server Port 21 Vulnerable to buffer overflow
- 4. All time favoriteollydbg Why debuggers ? Breakpoints Immunity Debugger Others
- 5.
- 6. Discovered in 1972.Computer Security Planning Study. Exploited in 1988. Morris Worm. Published in Phrack in 1994. Aleph One. “ Smashing the stack for fun and profit.”
- 7. Each function createsits own stack. Caller function stack: known as parent stack. Called function stack: known as child stack. For e.g. main(){ ASM Pseudo: sum(); _main: } 123: push ebp 124: mov ebp,esp 125: sub esp,val 126: call _sum 127: mov esp,ebp 128: pop ebp 129: ret
- 8. 123: pushebp 124: mov ebp,esp 125: sub esp,val 126: call _sum 127: mov esp,ebp 128: pop ebp 129: ret Ret startup() ebp Locals main() Ret(127) ebp Locals sum() Unallocated space Stack Growth
- 9. 123: pushebp 124: mov ebp,esp 125: sub esp,val 126: call _sum 127: mov esp,ebp 128: pop ebp 129: ret Ret startup() ebp Locals main() Ret(127) ebp Locals sum() Unallocated space Stack Growth
- 10. 123: pushebp 124: mov ebp,esp 125: sub esp,val 126: call _sum 127: mov esp,ebp 128: pop ebp 129: ret Ret startup() ebp Locals main() Ret(127) ebp Locals sum() Unallocated space Stack Growth
- 11. if the inputfor local variables is greater than the space allocated to them..Then………. Ret startup() ebp Locals main() Ret(127) ebp Locals sum() Unallocated space Stack Growth
- 12. it will overwrite ret(saved EIP) Ret startup() ebp Locals main() AAAA AAAA AAAAAAAAAAAA… Unallocated space Stack Growth Ret startup() ebp Locals main() jmp esp AAAA AAAAAAAAAAAA… Unallocated space Before After
- 13. Vulnerable to BufferOverflow (LIST command) But how we know that server is vulnerable ? Three methods to find out security bugs. Fuzzing Reverse Engineering Source Code Auditing
- 14. Fuzzing - Sendinvalid, unexpected, or random data to the inputs of a program. If the program fails/crash, the defects can be noted. Ok lets send invalid input to our server. Still listening ? Umm no..gud. But we don’t know which function is causing this problem.
- 15. Reverse engineering –is the process of analyzing a subject system to create representations of the system at a higher level of abstraction. Generally used after Fuzzing. Provide in-depth information about target. Sometimes more than source code.
- 16.
- 17. Calculate offset forEIP. ESP is pointing to our buffer. Aahhh.. problem we don’t have much space on stack (only 13-14 bytes approx.). Now what ?? Check other registers. ECX is pointing but not directly.
- 18. But we havesome bytes on stack. Use these bytes to adjust ecx and then jump to ecx. We need a jmp esp (address) first. Note: hard coding the stack address is not a good practice. Contains null bytes, address may change. Search the address in DLLs. Because DLLs are static at least for same service packs.
- 19. ECX is at00652984 but our data is at 006529cc (on my system). Increase ECX, but a little problem that data is used to overwrite EIP. So increasing ECX to that address gives little space (only 234 bytes approx.) So increase ECX, that will jump over saved EIP.
- 20. So add ecx,152bytes. Does it work ?? Nop.. It generate null bytes, can’t use. Ok add cx,152 bytes.. Should work. Else increase bytes.
- 21. Now jump toecx. (instruction). And we have our hellcode ready.
- 22.
- 23.
Editor's Notes
- #8 The first three instructions (123,124,125) are known as prologue. And last three instructions(127,128,129) are know as epologue. When main call the the sum it push the address of next instruction on stack..means 127 on stack and then create its stack. See next slides.
- #9 Here main is preparing its stack. EBP (base pointer) register is used to track the variables. So we need to push parent function ebp on the stack so that when function return to parent function it can start normally.
- #10 The instruction mov ebp,esp setting the stack for main(or setting the ebp for main to track variables). And sub esp, val is creating the space for local variables of main function. Although in e.g. we have no local variable but this is for illustrative purpose. NOTE: As we can see in the above pic that stack grows downward (from higher memory address to lower memory address) means something [ebp+val] point to parameters for function (can be pass by value or pass by reference) and everything [ebp-val] point to the local variable for that function. *val- can be any value in hex..like 3,4,a,b etc. etc. Note: ret (startup) address is the address of next instruction in startup function. Explanation of startup function is beyond the scope of this presentation. But main function return 0 or 1 to startup function. Means process successfully completed or error.
- #11 Now main is calling sum. The first task is to push the address of next instruction means address 127 on stack. So that when function sum return it returns to 127 so that program execution continue in a normal way. Please note that no (another) instruction is required to push ret(127) on stack because call sum will do it for us.. Similar to like main, sum will creates its stack with similar instructions and also destroy stack its stack with similar instructions (127,128,129). Note: The instructions to create stack and destroy stack.. may vary with compiler to complier and are the issues of compiler optimization..for eg. Some compilers user push reg. instead of sub esp,val for integers.
- #13 I think it should be clear now. Note that I am showing you jmp esp (this can be call esp, push esp,ret – all have same meaning). this should be the address because EIP only understand addresses. Visit previous slides for better clarification.
- #17 Note that [eba+8] and [ebp+c] are the parameter for this function. (visit previous slides for more clarification). Rep movs instruction cause problem because it copy the data from [esi] to [edi] with ecx as a counter. During analysis I found that value of ecx can be maximum 41. multiply it with 4 and then we have 104 bytes..(260 bytes in dec.) and that is enough to overwrite saved EIP. Do some debugging you can easily understand it.
- #18 Calculate offset for EIP means after how many bytes saved EIP overwrite takes place. We can calculate it with metasploit pattern create and pattern offset scripts. but we have very limited space on the stack. So check other registers.. And ecx is pointing to our buffer but not directaly.
- #19 Ok what we do.. We first use stack limited space to increase ecx and to jump to ecx. But first we need to jump to esp. because EIP only accept address so we can’t use instruction like jmp esp. we need to have to find out the address. We search the address in dll.
- #20 And on stack add instructions that will increase the ecx. And jump to ecx.
- #21 The 152 etc is in Hex. In decimal it is 152 338. ok.