Nibin - Reverse Engineering for exploit writers - ClubHack2008

Nibin Varghese iViZ Security, Kolkata Reverse Engineering for Exploit Writers

Agenda ,[object Object],[object Object],[object Object]

Exploitation Overview ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]

Reverse Engineering Tools ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]

MS08-067 ,[object Object],[object Object],[object Object],[object Object]

Structure of X86 stack frame Stack grows towards lower addresses Local Variables Saved EBP Saved IP Arguments

Classical Overflow Return address overwritten with address of shellcode Local Variables Saved EBP Saved IP Arguments

Reverse engineering the patch ,[object Object]

The Bug ,[object Object],[object Object]

The Bug(contd..) ptr_path computername....AAAAAAAAAAAAAAAAAAAAAAAAA ptr_previous_slash ptr_current_slash ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],..AAAAAAAAAAAAAAAAAAAAAAAAA Lower Address Higher Address

path Return Address of vulnerable_function Saved EBP Netapi32!NetpwPathCanonicalize vulnerable_function( wchar *path ) wcscpy(dst,src) Return Address of wcscpy Saved EBP ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],..AAAAAA ..AAAAAAAAAAA (ptr1 – 1) ptr2 ptr1 ptr_path c.... AAAAAAAAAAA AAAA AAAA AAAA Shell Code

The Bug (contd..) ,[object Object],[object Object],[object Object]

Ready for PoC ,[object Object],[object Object],[object Object],[object Object],[object Object]

Mass Exploitation ,[object Object],[object Object],[object Object],[object Object]

Thank You ,[object Object],[object Object],[object Object]

Nibin - Reverse Engineering for exploit writers - ClubHack2008

Recommandé

Recommandé

Contenu connexe

En vedette

En vedette (20)

Similaire à Nibin - Reverse Engineering for exploit writers - ClubHack2008

Similaire à Nibin - Reverse Engineering for exploit writers - ClubHack2008 (20)

Plus de ClubHack

Plus de ClubHack (20)

Dernier

Dernier (20)

Nibin - Reverse Engineering for exploit writers - ClubHack2008