This is part 1 of the series on exploit research and development, given as part of the null humla in Singapore. More details at www.meetup.com/Null-Singapore-The-Open-Security-Community/events/230268953/
3. Warning!
Please note that this workshop is intended for educational purposes only, and you should NOT use the acquired skills to attack any system. It's illegal to hack a system without permission and is a punishable offense in most countries including Singapore.
You agree to abide by the above statement by staying in this workshop after this slide.
5. Let's tickle security buds …
#include <stdio.h>

int main() {
    int cookie;      /* in the layout the slides assume, cookie sits just above buf */
    char buf[80];
    printf("b: %p c: %p\n", (void *)buf, (void *)&cookie);
    gets(buf);       /* no length limit: this is the bug the exercise is about */
    if (cookie == 0x41424344)
        printf("you win!\n");
    return 0;
}
6. 20-30 instructions are enough for most of your needs
14 assembly instructions account for 90% of assembly code!
http://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Bilar.pdf
7. Let’s learn Assembly Language
Slides: http://www.slideshare.net/secfigo/assembly-language-21656919
9. Stdcall vs cdecl
Common to both: function parameters are pushed onto the stack right to left, and the old stack frame pointer is saved before a new stack frame is set up.
cdecl: caller responsible for stack cleanup
Stdcall: callee responsible for stack cleanup
10. Memory layout in win32
From amazing corelan: https://www.corelan.be/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/
11. Stack overflow example
#include <stdio.h>

int add(int a, int b)
{
    int var1 = a;   /* locals live in add()'s own frame, below its saved EBP and return address */
    int var2 = b;
    return var1 + var2;
}

int main()
{
    printf("enter two numbers\n");
    /* .... */
    int sum = add(3, 5);   /* when this function is invoked, a new frame is pushed on the stack */
    printf("sum is %d\n", sum);
    return 0;
}
12. Buffer overflow
Stack diagram on the slide, top = high memory (0x0012F000), bottom = low memory (0x0012D000):
  .......
  Argument 2
  Argument 1
  RETURN ADDRESS
  Old value of EBP
  .......
13. Buffer overflow
The same diagram drawn the other way up, top = low memory (0x0012D000), bottom = high memory (0x0012F000):
  .......
  Old EBP – old frame
  Return address
  Argument 1
  Argument 2
  .......
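Added example, not from the slides or the workshop repo: a toy model of the frame on slide 12 kept in a byte array, used to replay the slide 5 cookie check and to show which frame slots a line of input reaches through gets() and why fgets(buf, sizeof buf, stdin) never gets past buf. The layout (cookie directly above buf, no stack protector, no reordering of locals) and the 80-byte filler input are assumptions of the model, not measurements of a real compiler.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Toy model of the 32-bit frame on slide 12, lowest address first:
 *   buf[80] | cookie (4) | saved EBP (4) | return address (4) | arguments
 * Assumed: no stack protector, no reordering of locals (real compilers may differ). */
enum { BUF_SIZE = 80, WORD = 4, OFF_COOKIE = BUF_SIZE, OFF_EBP = OFF_COOKIE + WORD,
       OFF_RET = OFF_EBP + WORD, OFF_ARGS = OFF_RET + WORD, FRAME_BYTES = OFF_ARGS + 2 * WORD };
enum slot { SLOT_NONE, SLOT_COOKIE, SLOT_SAVED_EBP, SLOT_RETURN_ADDRESS, SLOT_ARGUMENTS };

/* Highest slot reached by input_len bytes written at buf: gets() stores every byte plus a
 * NUL with no limit, fgets(buf, sizeof buf, ...) never writes past BUF_SIZE bytes. */
enum slot highest_slot_reached(size_t input_len, int use_fgets)
{
    size_t end = use_fgets ? (input_len < BUF_SIZE ? input_len : BUF_SIZE) : input_len + 1;
    if (end > OFF_ARGS)   return SLOT_ARGUMENTS;
    if (end > OFF_RET)    return SLOT_RETURN_ADDRESS;
    if (end > OFF_EBP)    return SLOT_SAVED_EBP;
    if (end > OFF_COOKIE) return SLOT_COOKIE;
    return SLOT_NONE;
}

/* Replay the slide-5 check in a byte array: copy input the way gets() or fgets() would and
 * return the cookie as the little-endian word an x86 would read. The cookie starts at zero. */
uint32_t cookie_after_input(const char *input, int use_fgets)
{
    uint8_t frame[FRAME_BYTES] = {0};
    size_t len = strlen(input), limit = use_fgets ? BUF_SIZE - 1 : FRAME_BYTES - 1;
    size_t n = len < limit ? len : limit;   /* fgets keeps room for the NUL; gets is capped only by the model */
    memcpy(frame, input, n);
    frame[n] = '\0';
    return (uint32_t)frame[OFF_COOKIE] | (uint32_t)frame[OFF_COOKIE + 1] << 8 |
           (uint32_t)frame[OFF_COOKIE + 2] << 16 | (uint32_t)frame[OFF_COOKIE + 3] << 24;
}

/* Constructed input for the slide-5 program: 80 filler bytes followed by the four cookie bytes. */
uint32_t replay_slide_five(int use_fgets)
{
    char line[BUF_SIZE + 5];
    memset(line, 'A', BUF_SIZE);
    memcpy(line + BUF_SIZE, "DCBA", 5);   /* "DCBA" in memory reads back as 0x41424344 */
    return cookie_after_input(line, use_fgets);
}

int main(void)
{
    printf("gets : cookie = 0x%08x\n", (unsigned)replay_slide_five(0));  /* 0x41424344 */
    printf("fgets: cookie = 0x%08x\n", (unsigned)replay_slide_five(1));  /* 0x00000000 */
    return 0;
}
```

With gets() the same line also reaches the saved EBP at 84 bytes and the return address at 88 bytes in this model, which is the picture behind exercise step 2 (find the crash offset) and the reason a bounded read is the fix.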
15. Immunity Debugger and Mona
“Immunity Debugger is a powerful new way to write exploits, analyze malware, and reverse engineer binary files. It builds on a solid user interface with function graphing, the industry's first heap analysis tool built specifically for heap creation, and a large and well supported Python API for easy extensibility.” - https://www.immunityinc.com/products/debugger
“Mona.py is a very powerful PyCommand for Immunity Debugger. Mona makes exploit development a breeze and has tons of helper methods to automate mundane tasks in exploit development.” - https://www.corelan.be/index.php/2011/07/14/mona-py-the-manual/
17. Exercises
We will repeat the following steps for every exploit:
1. Fuzzing the target
2. Find the crash offset
3. Analyze if the crash is exploitable
4. Control EIP and jump to shellcode
5. Game over
18. Vanilla Stack Overflow
Name: ASX to MP3 Converter
Exploit Type: Vanilla Stack Overflow
URL: https://www.exploit-db.com/exploits/11930/
Exploit steps: https://github.com/secfigo/exploit-dev-series