Exploit Development
Transcript of Exploit Development

Exploit Development: Win32 Buffer Overflow Exploitation
By Kyaw Thiha
Whoami?
• Info-sec analyst
• Currently working at Kernellix
• Ex-team member of mmCERT
• Participates in some bug bounty programs

Prerequisite Knowledge
• Memory stack
• CPU registers
• Knowledge of assembly language
• Buffer overflow attacks
• Understanding shellcode
CPU Registers
General Purpose Registers:      EAX EBX ECX EDX
Segment Registers:              CS DS SS ES FS GS
Index and Pointer Registers:    EDI ESI EBP ESP EIP
EFLAGS Register:                EFLAGS

General Purpose Registers
EAX  Accumulator register. Used for I/O port access, arithmetic, interrupt calls, etc.
EBX  Base register. Used as a base pointer for memory access; gets some interrupt return values.
ECX  Counter register. Used as a loop counter and for shifts; gets some interrupt values.
EDX  Data register. Used for I/O port access, arithmetic, some interrupt calls.
Segment Registers
CS          Holds the code segment in which your program runs. Changing its value might make the computer hang.
DS          Holds the data segment that your program accesses. Changing its value might give erroneous data.
SS          Holds the stack segment your program uses. Sometimes has the same value as DS. Changing its value can give unpredictable results, mostly data related.
ES FS GS    Extra segment registers available for far-pointer addressing, such as video memory.
Index and Pointer Registers
EDI  Data pointer register for memory operations
ESI  Data pointer register for memory operations
ESP  Stack pointer register
EBP  Stack data pointer register
EIP  Next instruction
EFLAGS Register
Bit     Label  Description
---------------------------
0       CF     Carry flag
2       PF     Parity flag
4       AF     Auxiliary carry flag
6       ZF     Zero flag
7       SF     Sign flag
8       TF     Trap flag
9       IF     Interrupt enable flag
10      DF     Direction flag
11      OF     Overflow flag
12-13   IOPL   I/O privilege level
14      NT     Nested task flag
16      RF     Resume flag
17      VM     Virtual 8086 mode flag
18      AC     Alignment check flag (486+)
19      VIF    Virtual interrupt flag
20      VIP    Virtual interrupt pending flag
21      ID     ID flag
Bits not listed are reserved by Intel.
General Purpose Register: EAX and its sub-registers
EAX  bits 31..0   (full 32-bit register)
AX   bits 15..0   (low 16 bits of EAX)
AH   bits 15..8   (high byte of AX)
AL   bits 7..0    (low byte of AX)
Program Memory Layout
0xffffffff  (high addresses)
  Stack           Used for storing function call data
  Unused memory
  Heap            Dynamic memory
  .bss            Uninitialized data
  .data           Initialized data
  .text           Program code
0x80961025  (low addresses)
What is a Buffer Overflow?
A buffer overflow condition exists when a program attempts to put more data in a buffer than it can hold, or when a program attempts to put data in a memory area past a buffer.

Environments Affected
Almost all known web servers, application servers, and web application environments are susceptible to buffer overflows, the notable exception being environments written in interpreted languages like Java or Python, which are immune to these attacks (except for overflows in the interpreter itself).
Stack Layout
High memory
  EIP
  EBP
  EBX
  EAX
  Data
  Data
  Instruction
Low memory

Sample Stack Overflow (input of repeated "A" bytes overrunning the buffer)
High memory
  AAAA   (was EIP)
  AAAA   (was EBP)
  AAAA   (was EBX)
  AAAA   (was EAX)
  Data
  Data
  Instruction
Low memory
Vulnerable Code Sample
Arrays:          int a[20]; int b[20][5]; int c[20][5][3];
Format strings:  printf(), fprintf(), sprintf()
Overflows:       strcpy(), strcat(), sprintf(), vsprintf(), scanf()
Sample Program

    #include <stdio.h>
    /* gets() performs no bounds check: any input longer than 7 characters overflows buffer */
    void GetInput(void) {
        char buffer[8];
        gets(buffer);
        puts(buffer);
    }
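As an added illustration that is not part of the original slides, the following C code places the deck's GetInput() pattern beside a hardened form: a bounded copy that refuses to write past the 8-byte buffer, and a reader that uses fgets() with the buffer size so the saved EBP and EIP above the buffer can never be overwritten. The names copy_bounded, get_input_safe and demo_input are chosen here and are not from the deck; the 20-byte "A" input mirrors the overflow shown on the Sample Stack Overflow slide and is a constructed test value.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_SZ 8   /* same 8-byte buffer as the slide's GetInput() */

/* Bounded copy (hypothetical helper): writes at most dstsz-1 bytes of src into
 * dst and always NUL-terminates. Returns 1 if src did not fit, which is exactly
 * the case where strcpy() would have overrun the buffer, and 0 otherwise. */
int copy_bounded(char *dst, size_t dstsz, const char *src)
{
    size_t n = strlen(src);
    if (dstsz == 0)
        return 1;
    if (n >= dstsz) {
        memcpy(dst, src, dstsz - 1);
        dst[dstsz - 1] = '\0';
        return 1;
    }
    memcpy(dst, src, n + 1);
    return 0;
}

/* Hardened GetInput(): fgets() never writes more than sizeof buffer bytes, so
 * nothing above buffer on the stack (saved EBP, return address) can be touched.
 * If the line was longer than the buffer, the remainder is drained so it is not
 * consumed as the next input. Returns 1 if truncated, 0 if not, -1 on EOF. */
int get_input_safe(FILE *in)
{
    char buffer[BUF_SZ];
    int truncated = 0;

    if (fgets(buffer, sizeof buffer, in) == NULL)
        return -1;

    size_t len = strlen(buffer);
    if (len > 0 && buffer[len - 1] == '\n') {
        buffer[len - 1] = '\0';          /* whole line fit: strip the newline */
    } else {
        int c;
        while ((c = fgetc(in)) != EOF && c != '\n')
            truncated = 1;               /* discard the tail that would have overflowed */
    }
    puts(buffer);
    return truncated;
}

/* Helper for testing: feeds a constructed line through get_input_safe() via a
 * temporary file, so the behaviour can be checked without a terminal. */
int demo_input(const char *line)
{
    FILE *f = tmpfile();
    if (f == NULL)
        return -2;
    fputs(line, f);
    rewind(f);
    int r = get_input_safe(f);
    fclose(f);
    return r;
}

int main(void)
{
    char dst[BUF_SZ];
    /* 20 'A's: the slide's overflow input, now truncated instead of smashing the stack */
    int t = copy_bounded(dst, sizeof dst, "AAAAAAAAAAAAAAAAAAAA");
    printf("copy_bounded: truncated=%d dst=\"%s\"\n", t, dst);
    printf("get_input_safe: truncated=%d\n", demo_input("AAAAAAAAAAAAAAAAAAAA\n"));
    printf("get_input_safe: truncated=%d\n", demo_input("hello\n"));
    return 0;
}
```

The truncation flag is the defender's signal: an input that would have overflowed the original GetInput() now shows up as a logged truncation rather than a corrupted return address. GCC also warns when gets() is linked, and building with -fstack-protector adds a canary between the local buffer and the saved EBP/EIP so that an overflow of the unpatched version aborts the process instead of redirecting EIP.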
Demo
Prerequisites
• Freefloat FTP
• Debugger
• Python
• Metasploit

Fuzzing – the very first step
• Need to know the crash point
• Need to know the vulnerable command

Fuzzing Frameworks
• Spike
• Sulley
• Peach

Overwrite EIP

Know the Crash Point

Program Stack
  Buffer | EIP | Shellcode | NOPs
  ESP: jmp esp

Control EIP

Shellcode Generation

Final Payload

Thanks!
Questions??