This is the part 1 of the series on exploit research and development given as part of the null humla at Singapore. More details at www.meetup.com/Null-Singapore-The-Open-Security-Community/events/230268953/

1. https://www.flickr.com/photos/68759973@N00/26497568431/ hugojcardoso

2. I’m Imran.
Senior Security Engineer at Autodesk
Null Singapore Founder and Leader
OSCP/SCJP
MI
Hello !

3. Warning!
Please note that this workshop is intended for educational
purposes only, and you should NOT use the acquired skills to attack
any system. It's illegal to hack a system without permission and is a
punishable offense in most countries including Singapore.
You agree to abide by above statement by
staying in this workshop after this slide.

4. Agenda

5. Lets tickle security buds …
int main() {
int cookie;
char buf[80];
printf("b: %x c: %xn", &buf, &cookie);
gets(buf);
if (cookie == 0x41424344)
printf("you win!n");
}

6. 20-30 Instructions
14 assembly instructions account for 90% of assembly code!
http://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Bilar.pdf
are enough for most of your needs

7. Let’s learn Assembly Language
Slides: http://www.slideshare.net/secfigo/assembly-language-21656919

8. Assembly Language Trivia
AT&T
MOVE source, destination
MOVE $61, %eax
objdump -d /bin/cat
Intel
MOVE destination, source
MOVE AL,61
objdump -M intel -d /bin/cat

9. Stdcall vs cdecl
Function parameters pushed onto stack right to
left.
Saves the old stack frame pointer and sets up a
new stack frame.
cdecl
Caller responsible for stack cleanup
Stdcall
Callee responsible for stack cleanup

10. From amazing corelan https://www.corelan.be/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/
Memory layout in win32

11. Stack overflow example
Int add (int a, int b)
{
Int var1 =a;
Int var2 =b;
}
Int main()
{
printf(“enter two numbers”);
….
Int sum = add(3+5); //  when this function is invoked
Printf(“sume is %d” &sum);
}

12. Buffer overflow
High Memory
Low memory
…….
Argument 2
Argument 1
RETURN ADDRESS
Old value of EBP
.
.
.
.
.
.
.
0x0012F000
0x0012D000

13. Buffer overflow
Low Memory
High memory
0x0012F000
0x0012D000 …….
Old EBP – old Frame
Return address
Argument 1
Argument 2
.
.
.
.
.
.
.

14. Buffer overflow
Low Memory
High memory
0x0012F000
0x0012D000 …….
Old EBP – old Frame
Return address
a
b
.
.
.
.
.
.
.

15. Immunity Debugger and Mona
Immunity Debugger is a powerful new way to write exploits, analyze malware, and reverse
engineer binary files. It builds on a solid user interface with function graphing, the industry's first
heap analysis tool built specifically for heap creation, and a large and well supported Python API
for easy extensibility.
“
”
- https://www.immunityinc.com/products/debugger
“
”
- https://www.corelan.be/index.php/2011/07/14/mona-py-the-manual/
Mona.py is a very powerful PyCommand for Immunity Debugger . Mona makes exploit
development a breeze and has tons of helper methods to automate mundane tasks in exploit
development.

17. Exercises
We will repeat the following steps for
every exploit
1. Fuzzing the target
2. Find the crash offset
3. Analyze if the crash is exploitable
4. Control EIP and jump to shellcode
5. Game over 

18. Vanilla Stack Overflow
Name: ASX to MP3 Converter
Exploit Type: Vanilla Stack Overflow
URL: https://www.exploit-db.com/exploits/11930/
Exploit steps: https://github.com/secfigo/exploit-dev-
series

19. SEH Exploit
Name: Konica Minolta FTP Utility 1.0
Exploit Type: SEH Overflow
URL: https://www.exploit-db.com/exploits/38252/
Exploit steps: https://github.com/secfigo/exploit-dev-
series

20. References
• http://opensecuritytraining.info/
• https://www.corelan.be/index.php/2009/07/19/exploit
-writing-tutorial-part-1-stack-based-overflows/
• https://github.com/RPISEC/MBE
• Hacking: The Art of Exploitation: The Art of
Exploitation

21. Null Singapore