SlideShare a Scribd company logo

Buffer overflow – Smashing The Stack

Download as pptx, pdf
Tomer Zait
Tomer Zait

My Stack Overflow Presentation To Ort Singalovsky Software Engineering Students In ironSource Office.

1 of 33
Download to read offline
Buffer Overflow – Smashing The Stack Tomer Zait - Application Security Engineer
root@kali:~# whoami ironSourceTomer Zait • Application Security Engineer at • Practical Software Engineer (Ort Singalovsky) • Offensive Security Certified Professional (OSCP) • OpenSource Projects: o PyMultitor o HackMe Credit o AutoBrowser o SubDomain Analyzer o Proxist • 1st Place at The Israel Cyber Challenge, 2014
Today we will focus on: • Past Events • What Is Stack • Assembly – Registers • Stack Overflow • Shell Code • Exploit Development
Past Events
• Exploits a buffer overflow vulnerability in Microsoft DCOM RPC interface. • Worm downloads a copy of mblast.exe to compromised host from infecting host via TFTP and runs commands to execute it. • mblast.exe attempts to carry out SYN flood attack on windowsupdate.com as well as scanning/infecting other hosts. BLASTER WORM Hex dump of the Blaster worm
• DOS attack on windowsupdate.com failed - the regular domain name is windowsupdate.microsoft.com. • Windowsupdate.com was just a pointer to the windowsupdate.microsoft.com - so Microsoft just decomissioned it. BLASTER WORM - EFFECTS
• August 11, 2003: Original version of the worm appears on the internet. • August 12, 2003: The number of infected systems is reported at 30,000. • August 15, 2003:The number of infected systems is reported at 423,000. • August 16, 2003: DDoS attack against windowsupdate.com starts. (Largely unsuccessful because that url is merely a redirect to the real site, windowsupdate.microsoft.com) • January 28, 2005: The creator of the "B" variant of MSBlaster is sentenced to 18 months in jail. BLASTER WORM - TIMELINE
• Exploits a buffer overflow vulnerability in Microsoft NET BIOS interface (MS08-067). • Dictionary attack on ADMIN$ shares. • Creates DLL-based AutoRun trojan on attached removable drives. • Downloads daily from any of 250 pseudorandom domains over 5 TLDs (Top-level domains). • Updates self to Conficker B, C or D. CONFICKER WORM
• Account lockout policies being reset automatically. • Certain Microsoft Windows services such as Automatic Updates, Background Intelligent Transfer Service (BITS), Windows Defender and Windows Error Reporting disabled. • Domain controllers responding slowly to client requests. • Congestion on local area networks (ARP flood as consequence of network scan). • Web sites related to antivirus software or the Windows Update service becoming inaccessible CONFICKER WORM - EFFECTS
• Discovered in early November 2008. • The French Navy computer network, was infected with Conficker on 15 January 2009. • An infection of Manchester City Council's IT system caused an estimated £1.5m worth of disruption in February 2009. • The estimated number of infected computers ranged from almost 9 million to 15 million. • Microsoft has reported the total number of infected computers detected by its antimalware products has remained steady at around 1.7 million from mid-2010 to mid- 2011. CONFICKER WORM - TIMELINE
What Is Stack
It's a special region of your computer's memory that stores temporary variables created by each function (including the main() function), The stack is a “LIFO” (last in , first out) data structure. Principal operations: • push adds an element to the collection. • pop removes the last element that was added. • Stack Real Life example is weapon's magazine STACK - EXPLANATION
Assembly – Registers
On today’s average WinTel CPU you have 9 32bit registers (w/o flag registers). Their names are: EAX: Extended Accumulator Register EBX: Extended Base Register ECX: Extended Counter Register EDX: Extended Data Register ESI: Extended Source Index EDI: Extended Destination Index EBP: Extended Base Pointer ESP: Extended Stack Pointer EIP: Extended Instruction Pointer CPU REGISTERS
The ESP register serves as an indirect memory operand pointing to the top of the stack at any time. WORD takes 2 bytes In memory. • When a word value is pushed onto the stack, the assembler decreases the ESP (Stack Pointer) register by 2. • When a word value is popped off the stack, the assembler increases the ESP register by 2. ESP REGISTER
The instruction pointer register points to the memory addresswhich the processor will next attempt to execute. it cannot be directly accessed in 16-bit or 32-bit mode, but a sequence like the following can be written to put the address of next_line into eax: call next_line next_line: pop eax This sequence of instructions generates position-independent code because call takes an instruction-pointer-relative immediate operand describing the offset in bytes of the target instruction from the next instruction (in this case 0). EIP REGISTER
Stack Overflow
A stack overflow is an undesirable condition in which a particular computer program tries to use more memory space than the call stack has available. In programming, the call stack is a buffer that stores requests that need to be handled. The size of a call stack depends on various factors. It is usually defined at the start of a program. Its size can depend on the architecture of the computer on which the program runs, the language in which the program is written, and the total amount of available memory in the system. When a stack overflow occurs as a result of a program's excessive demand for memory space, that program (and sometimes the entire computer) may crash. STACK OVERFLOW - EXPLANATION
Shell Code
# Metasploit generated – write.exe – x86 – Windows XP Pro SP2 shellcode="x68x97x4Cx80x7CxB8x4Dx11x86x7CxFFxD0”; Let’s disassemble these bytes into instructions : You don’t need to run this code to figure out what it will do. SHELLCODE - WINDOWS XP PRO SP2 32BIT (1) C:shellcode>"c:program filesnasmndisasm.exe" -b 32 c:tmpshellcode.bin 00000000 68974C807C push dword 0x7c804c97 00000005 B84D11867C mov eax,0x7c86114d 0000000A FFD0 call eax
If the exploit is indeed written for Windows XP Pro SP2 then this will happen: at 0x7c804c97 on XP SP2, we find (windbg output) : So push dword 0x7c804c97 will push “Write” onto the stack. SHELLCODE - WINDOWS XP PRO SP2 32BIT (2) 0:001> d 0x7c804c97 7c804c97 57 72 69 74 65 00 42 61-73 65 43 68 65 63 6b 41 Write.BaseCheckA 7c804ca7 70 70 63 6f 6d 70 61 74-43 61 63 68 65 00 42 61 ppcompatCache.Ba 7c804cb7 73 65 43 6c 65 61 6e 75-70 41 70 70 63 6f 6d 70 seCleanupAppcomp 7c804cc7 61 74 43 61 63 68 65 00-42 61 73 65 43 6c 65 61 atCache.BaseClea 7c804cd7 6e 75 70 41 70 70 63 6f-6d 70 61 74 43 61 63 68 nupAppcompatCach 7c804ce7 65 53 75 70 70 6f 72 74-00 42 61 73 65 44 75 6d eSupport.BaseDum 7c804cf7 70 41 70 70 63 6f 6d 70-61 74 43 61 63 68 65 00 pAppcompatCache. 7c804d07 42 61 73 65 46 6c 75 73-68 41 70 70 63 6f 6d 70 BaseFlushAppcomp
Next, 0x7c86114d is moved into eax and a call eax is made. At 0x7c86114d, we find : Conclusion : this code will execute “write” (=wordpad). SHELLCODE - WINDOWS XP PRO SP2 32BIT (3) 0:001> ln 0x7c86114d (7c86114d) kernel32!WinExec | (7c86123c) kernel32!`string' Exact matches: kernel32!WinExec =
SHELLCODE TEST - WINDOWS XP PRO SP2 32BIT char code[] = "x68x97x4Cx80x7CxB8x4Dx11x86x7CxFFxD0"; int main(int argc, char **argv) { int (*func)(); func = (int (*)()) code; (int)(*func)(); }
Exploit Development
VULNERABLE CODE - EXAMPLE #include <string.h> void foo (char *bar) { char c[12]; strcpy(c, bar); // no bounds checking } int main (int argc, char **argv) { foo(argv[1]); }
Buffer overflow – Smashing The Stack
VULNERABLE CODE - EXPLOTION This code takes an argument from the command line and copies it to a local stack variable c. This works fine for command line arguments smaller than 12 characters (as you can see in figure B below). Any arguments larger than 11 characters long will result in corruption of the stack. (The maximum number of characters that is safe is one less than the size of the buffer here because in the C programming language strings are terminated by a zero byte character. A twelve-character input thus requires thirteen bytes to store, the input followed by the sentinel zero byte. The zero byte then ends up overwriting a memory location that's one byte beyond the end of the buffer.)
THE PROGRAM STACK IN foo() WITH VARIOUS INPUTS (1) A. - Before data is copied.
THE PROGRAM STACK IN foo() WITH VARIOUS INPUTS (2) B. - "hello" is the first command line argument.
THE PROGRAM STACK IN foo() WITH VARIOUS INPUTS (3) A. - Before data is copied.
VULNERABLE CODE - SUMMARY Notice in figure C above, when an argument larger than 11 bytes is supplied on the command line foo() overwrites local stack data, the saved frame pointer, and most importantly, the return address. When foo() returns it pops the return address off the stack and jumps to that address (i.e. starts executing instructions from that address). Thus, the attacker has overwritten the return address with a pointer to the stack buffer char c[12], which now contains attacker-supplied data. In an actual stack buffer overflow exploit the string of "A"'s would instead be shellcode suitable to the platform and desired function. If this program had special privileges (e.g. the SUID bit set to run as the superuser), then the attacker could use this vulnerability to gain superuser privileges on the affected machine.
{ THANK YOU
1. Wikipedia - http://www.wikipedia.org/ 2. Corelan Team- https://www.corelan.be/ 3. Natashenka - http://natashenka.ca/ BIBLIOGRAPHY
Ad

Recommended

Sebastián Guerrero - Ke ase Android? [Rooted CON 2013]
Sebastián Guerrero - Ke ase Android? [Rooted CON 2013]Sebastián Guerrero - Ke ase Android? [Rooted CON 2013]
Sebastián Guerrero - Ke ase Android? [Rooted CON 2013]
RootedCON
 
Driver Debugging Basics
Driver Debugging BasicsDriver Debugging Basics
Driver Debugging Basics
Bala Subra
 
Debug tutorial
Debug tutorialDebug tutorial
Debug tutorial
Defri N
 
CSW2017 Peng qiu+shefang-zhong win32k -dark_composition_finnal_finnal_rm_mark
CSW2017 Peng qiu+shefang-zhong win32k -dark_composition_finnal_finnal_rm_markCSW2017 Peng qiu+shefang-zhong win32k -dark_composition_finnal_finnal_rm_mark
CSW2017 Peng qiu+shefang-zhong win32k -dark_composition_finnal_finnal_rm_mark
CanSecWest
 
Exploits
ExploitsExploits
Exploits
Ken Sai
 
Awesome_fuzzing_for _pentester_red-pill_2017
Awesome_fuzzing_for _pentester_red-pill_2017Awesome_fuzzing_for _pentester_red-pill_2017
Awesome_fuzzing_for _pentester_red-pill_2017
Manich Koomsusi
 
Debugging linux kernel tools and techniques
Debugging linux kernel tools and techniquesDebugging linux kernel tools and techniques
Debugging linux kernel tools and techniques
Satpal Parmar
 
Possibility of arbitrary code execution by Step-Oriented Programming
Possibility of arbitrary code execution by Step-Oriented ProgrammingPossibility of arbitrary code execution by Step-Oriented Programming
Possibility of arbitrary code execution by Step-Oriented Programming
kozossakai
 
Select and poll functions
Select and poll functionsSelect and poll functions
Select and poll functions
Manju Srinivasan
 
Davide Berardi - Linux hardening and security measures against Memory corruption
Davide Berardi - Linux hardening and security measures against Memory corruptionDavide Berardi - Linux hardening and security measures against Memory corruption
Davide Berardi - Linux hardening and security measures against Memory corruption
linuxlab_conf
 
Windows persistence presentation
Windows persistence presentationWindows persistence presentation
Windows persistence presentation
OlehLevytskyi1
 
Reverse engineering Swisscom's Centro Grande Modem
Reverse engineering Swisscom's Centro Grande ModemReverse engineering Swisscom's Centro Grande Modem
Reverse engineering Swisscom's Centro Grande Modem
Cyber Security Alliance
 
ebpf and IO Visor: The What, how, and what next!
ebpf and IO Visor: The What, how, and what next!ebpf and IO Visor: The What, how, and what next!
ebpf and IO Visor: The What, how, and what next!
Affan Syed
 
Dc 12 Chiueh
Dc 12 ChiuehDc 12 Chiueh
Dc 12 Chiueh
wollard
 
Np unit iv i
Np unit iv iNp unit iv i
Np unit iv i
vamsitricks
 
Penetration Testing and Intrusion Detection System
Penetration Testing and Intrusion Detection SystemPenetration Testing and Intrusion Detection System
Penetration Testing and Intrusion Detection System
Bikrant Gautam
 
Track c-High speed transaction-based hw-sw coverification -eve
Track c-High speed transaction-based hw-sw coverification -eveTrack c-High speed transaction-based hw-sw coverification -eve
Track c-High speed transaction-based hw-sw coverification -eve
chiportal
 
Embedding Linux On The Encore Simputer
Embedding Linux On The Encore SimputerEmbedding Linux On The Encore Simputer
Embedding Linux On The Encore Simputer
Satpal Parmar
 
TRENDnet IP Camera Multiple Vulnerabilities
TRENDnet IP Camera Multiple VulnerabilitiesTRENDnet IP Camera Multiple Vulnerabilities
TRENDnet IP Camera Multiple Vulnerabilities
insight-labs
 
Building
BuildingBuilding
Building
Satpal Parmar
 
LCU14 302- How to port OP-TEE to another platform
LCU14 302- How to port OP-TEE to another platformLCU14 302- How to port OP-TEE to another platform
LCU14 302- How to port OP-TEE to another platform
Linaro
 
CSW2017 Henry li how to find the vulnerability to bypass the control flow gua...
CSW2017 Henry li how to find the vulnerability to bypass the control flow gua...CSW2017 Henry li how to find the vulnerability to bypass the control flow gua...
CSW2017 Henry li how to find the vulnerability to bypass the control flow gua...
CanSecWest
 
Readme
ReadmeReadme
Readme
usupsamsudin
 
Dsd lab Practical File
Dsd lab Practical FileDsd lab Practical File
Dsd lab Practical File
Soumya Behera
 
Take a Jailbreak -Stunning Guards for iOS Jailbreak- by Kaoru Otsuka
Take a Jailbreak -Stunning Guards for iOS Jailbreak- by Kaoru OtsukaTake a Jailbreak -Stunning Guards for iOS Jailbreak- by Kaoru Otsuka
Take a Jailbreak -Stunning Guards for iOS Jailbreak- by Kaoru Otsuka
CODE BLUE
 
Buffer overflow attacks
Buffer overflow attacksBuffer overflow attacks
Buffer overflow attacks
Japneet Singh
 
Andrea Righi - Spying on the Linux kernel for fun and profit
Andrea Righi - Spying on the Linux kernel for fun and profitAndrea Righi - Spying on the Linux kernel for fun and profit
Andrea Righi - Spying on the Linux kernel for fun and profit
linuxlab_conf
 
Anatomy of a Buffer Overflow Attack
Anatomy of a Buffer Overflow AttackAnatomy of a Buffer Overflow Attack
Anatomy of a Buffer Overflow Attack
Rob Gillen
 
Buffer Overflow - Smashing the Stack
Buffer Overflow - Smashing the StackBuffer Overflow - Smashing the Stack
Buffer Overflow - Smashing the Stack
ironSource
 
Shellcoding in linux
Shellcoding in linuxShellcoding in linux
Shellcoding in linux
Ajin Abraham
 
Ad

More Related Content

What's hot (20)

Select and poll functions
Select and poll functionsSelect and poll functions
Select and poll functions
Manju Srinivasan
 
Davide Berardi - Linux hardening and security measures against Memory corruption
Davide Berardi - Linux hardening and security measures against Memory corruptionDavide Berardi - Linux hardening and security measures against Memory corruption
Davide Berardi - Linux hardening and security measures against Memory corruption
linuxlab_conf
 
Windows persistence presentation
Windows persistence presentationWindows persistence presentation
Windows persistence presentation
OlehLevytskyi1
 
Reverse engineering Swisscom's Centro Grande Modem
Reverse engineering Swisscom's Centro Grande ModemReverse engineering Swisscom's Centro Grande Modem
Reverse engineering Swisscom's Centro Grande Modem
Cyber Security Alliance
 
ebpf and IO Visor: The What, how, and what next!
ebpf and IO Visor: The What, how, and what next!ebpf and IO Visor: The What, how, and what next!
ebpf and IO Visor: The What, how, and what next!
Affan Syed
 
Dc 12 Chiueh
Dc 12 ChiuehDc 12 Chiueh
Dc 12 Chiueh
wollard
 
Np unit iv i
Np unit iv iNp unit iv i
Np unit iv i
vamsitricks
 
Penetration Testing and Intrusion Detection System
Penetration Testing and Intrusion Detection SystemPenetration Testing and Intrusion Detection System
Penetration Testing and Intrusion Detection System
Bikrant Gautam
 
Track c-High speed transaction-based hw-sw coverification -eve
Track c-High speed transaction-based hw-sw coverification -eveTrack c-High speed transaction-based hw-sw coverification -eve
Track c-High speed transaction-based hw-sw coverification -eve
chiportal
 
Embedding Linux On The Encore Simputer
Embedding Linux On The Encore SimputerEmbedding Linux On The Encore Simputer
Embedding Linux On The Encore Simputer
Satpal Parmar
 
TRENDnet IP Camera Multiple Vulnerabilities
TRENDnet IP Camera Multiple VulnerabilitiesTRENDnet IP Camera Multiple Vulnerabilities
TRENDnet IP Camera Multiple Vulnerabilities
insight-labs
 
Building
BuildingBuilding
Building
Satpal Parmar
 
LCU14 302- How to port OP-TEE to another platform
LCU14 302- How to port OP-TEE to another platformLCU14 302- How to port OP-TEE to another platform
LCU14 302- How to port OP-TEE to another platform
Linaro
 
CSW2017 Henry li how to find the vulnerability to bypass the control flow gua...
CSW2017 Henry li how to find the vulnerability to bypass the control flow gua...CSW2017 Henry li how to find the vulnerability to bypass the control flow gua...
CSW2017 Henry li how to find the vulnerability to bypass the control flow gua...
CanSecWest
 
Readme
ReadmeReadme
Readme
usupsamsudin
 
Dsd lab Practical File
Dsd lab Practical FileDsd lab Practical File
Dsd lab Practical File
Soumya Behera
 
Take a Jailbreak -Stunning Guards for iOS Jailbreak- by Kaoru Otsuka
Take a Jailbreak -Stunning Guards for iOS Jailbreak- by Kaoru OtsukaTake a Jailbreak -Stunning Guards for iOS Jailbreak- by Kaoru Otsuka
Take a Jailbreak -Stunning Guards for iOS Jailbreak- by Kaoru Otsuka
CODE BLUE
 
Buffer overflow attacks
Buffer overflow attacksBuffer overflow attacks
Buffer overflow attacks
Japneet Singh
 
Andrea Righi - Spying on the Linux kernel for fun and profit
Andrea Righi - Spying on the Linux kernel for fun and profitAndrea Righi - Spying on the Linux kernel for fun and profit
Andrea Righi - Spying on the Linux kernel for fun and profit
linuxlab_conf
 
Anatomy of a Buffer Overflow Attack
Anatomy of a Buffer Overflow AttackAnatomy of a Buffer Overflow Attack
Anatomy of a Buffer Overflow Attack
Rob Gillen
 
Select and poll functions
Select and poll functionsSelect and poll functions
Select and poll functions
Manju Srinivasan
 
Davide Berardi - Linux hardening and security measures against Memory corruption
Davide Berardi - Linux hardening and security measures against Memory corruptionDavide Berardi - Linux hardening and security measures against Memory corruption
Davide Berardi - Linux hardening and security measures against Memory corruption
linuxlab_conf
 
Windows persistence presentation
Windows persistence presentationWindows persistence presentation
Windows persistence presentation
OlehLevytskyi1
 
Reverse engineering Swisscom's Centro Grande Modem
Reverse engineering Swisscom's Centro Grande ModemReverse engineering Swisscom's Centro Grande Modem
Reverse engineering Swisscom's Centro Grande Modem
Cyber Security Alliance
 
ebpf and IO Visor: The What, how, and what next!
ebpf and IO Visor: The What, how, and what next!ebpf and IO Visor: The What, how, and what next!
ebpf and IO Visor: The What, how, and what next!
Affan Syed
 
Dc 12 Chiueh
Dc 12 ChiuehDc 12 Chiueh
Dc 12 Chiueh
wollard
 
Np unit iv i
Np unit iv iNp unit iv i
Np unit iv i
vamsitricks
 
Penetration Testing and Intrusion Detection System
Penetration Testing and Intrusion Detection SystemPenetration Testing and Intrusion Detection System
Penetration Testing and Intrusion Detection System
Bikrant Gautam
 
Track c-High speed transaction-based hw-sw coverification -eve
Track c-High speed transaction-based hw-sw coverification -eveTrack c-High speed transaction-based hw-sw coverification -eve
Track c-High speed transaction-based hw-sw coverification -eve
chiportal
 
Embedding Linux On The Encore Simputer
Embedding Linux On The Encore SimputerEmbedding Linux On The Encore Simputer
Embedding Linux On The Encore Simputer
Satpal Parmar
 
TRENDnet IP Camera Multiple Vulnerabilities
TRENDnet IP Camera Multiple VulnerabilitiesTRENDnet IP Camera Multiple Vulnerabilities
TRENDnet IP Camera Multiple Vulnerabilities
insight-labs
 
Building
BuildingBuilding
Building
Satpal Parmar
 
LCU14 302- How to port OP-TEE to another platform
LCU14 302- How to port OP-TEE to another platformLCU14 302- How to port OP-TEE to another platform
LCU14 302- How to port OP-TEE to another platform
Linaro
 
CSW2017 Henry li how to find the vulnerability to bypass the control flow gua...
CSW2017 Henry li how to find the vulnerability to bypass the control flow gua...CSW2017 Henry li how to find the vulnerability to bypass the control flow gua...
CSW2017 Henry li how to find the vulnerability to bypass the control flow gua...
CanSecWest
 
Readme
ReadmeReadme
Readme
usupsamsudin
 
Dsd lab Practical File
Dsd lab Practical FileDsd lab Practical File
Dsd lab Practical File
Soumya Behera
 
Take a Jailbreak -Stunning Guards for iOS Jailbreak- by Kaoru Otsuka
Take a Jailbreak -Stunning Guards for iOS Jailbreak- by Kaoru OtsukaTake a Jailbreak -Stunning Guards for iOS Jailbreak- by Kaoru Otsuka
Take a Jailbreak -Stunning Guards for iOS Jailbreak- by Kaoru Otsuka
CODE BLUE
 
Buffer overflow attacks
Buffer overflow attacksBuffer overflow attacks
Buffer overflow attacks
Japneet Singh
 
Andrea Righi - Spying on the Linux kernel for fun and profit
Andrea Righi - Spying on the Linux kernel for fun and profitAndrea Righi - Spying on the Linux kernel for fun and profit
Andrea Righi - Spying on the Linux kernel for fun and profit
linuxlab_conf
 
Anatomy of a Buffer Overflow Attack
Anatomy of a Buffer Overflow AttackAnatomy of a Buffer Overflow Attack
Anatomy of a Buffer Overflow Attack
Rob Gillen
 

Similar to Buffer overflow – Smashing The Stack (20)

Buffer Overflow - Smashing the Stack
Buffer Overflow - Smashing the StackBuffer Overflow - Smashing the Stack
Buffer Overflow - Smashing the Stack
ironSource
 
Shellcoding in linux
Shellcoding in linuxShellcoding in linux
Shellcoding in linux
Ajin Abraham
 
Dive into exploit development
Dive into exploit developmentDive into exploit development
Dive into exploit development
Payampardaz
 
Writing Metasploit Plugins
Writing Metasploit PluginsWriting Metasploit Plugins
Writing Metasploit Plugins
amiable_indian
 
Web (dis)assembly
Web (dis)assemblyWeb (dis)assembly
Web (dis)assembly
Shakacon
 
You're Off the Hook: Blinding Security Software
You're Off the Hook: Blinding Security SoftwareYou're Off the Hook: Blinding Security Software
You're Off the Hook: Blinding Security Software
Cylance
 
Chapter 1SyllabusCatalog Description Computer structu
Chapter 1SyllabusCatalog Description Computer structuChapter 1SyllabusCatalog Description Computer structu
Chapter 1SyllabusCatalog Description Computer structu
EstelaJeffery653
 
Stack-Based Buffer Overflows
Stack-Based Buffer OverflowsStack-Based Buffer Overflows
Stack-Based Buffer Overflows
Daniel Tumser
 
PVS-Studio, a solution for resource intensive applications development
PVS-Studio, a solution for resource intensive applications developmentPVS-Studio, a solution for resource intensive applications development
PVS-Studio, a solution for resource intensive applications development
OOO "Program Verification Systems"
 
Low Level Exploits
Low Level ExploitsLow Level Exploits
Low Level Exploits
hughpearse
 
Smash the Stack: Writing a Buffer Overflow Exploit (Win32)
Smash the Stack: Writing a Buffer Overflow Exploit (Win32)Smash the Stack: Writing a Buffer Overflow Exploit (Win32)
Smash the Stack: Writing a Buffer Overflow Exploit (Win32)
Elvin Gentiles
 
[2007 CodeEngn Conference 01] dual5651 - Windows 커널단의 후킹
[2007 CodeEngn Conference 01] dual5651 - Windows 커널단의 후킹[2007 CodeEngn Conference 01] dual5651 - Windows 커널단의 후킹
[2007 CodeEngn Conference 01] dual5651 - Windows 커널단의 후킹
GangSeok Lee
 
Code Red Security
Code Red SecurityCode Red Security
Code Red Security
Amr Ali
 
First Steps Developing Embedded Applications using Heterogeneous Multi-core P...
First Steps Developing Embedded Applications using Heterogeneous Multi-core P...First Steps Developing Embedded Applications using Heterogeneous Multi-core P...
First Steps Developing Embedded Applications using Heterogeneous Multi-core P...
Toradex
 
Swug July 2010 - windows debugging by sainath
Swug July 2010 - windows debugging by sainathSwug July 2010 - windows debugging by sainath
Swug July 2010 - windows debugging by sainath
Dennis Chung
 
fg.workshop: Software vulnerability
fg.workshop: Software vulnerabilityfg.workshop: Software vulnerability
fg.workshop: Software vulnerability
fg.informatik Universität Basel
 
Finding Xori: Malware Analysis Triage with Automated Disassembly
Finding Xori: Malware Analysis Triage with Automated DisassemblyFinding Xori: Malware Analysis Triage with Automated Disassembly
Finding Xori: Malware Analysis Triage with Automated Disassembly
Priyanka Aash
 
AAME ARM Techcon2013 003v02 Software Development
AAME ARM Techcon2013 003v02 Software DevelopmentAAME ARM Techcon2013 003v02 Software Development
AAME ARM Techcon2013 003v02 Software Development
Anh Dung NGUYEN
 
Shellcode Disassembling - Reverse Engineering
Shellcode Disassembling - Reverse EngineeringShellcode Disassembling - Reverse Engineering
Shellcode Disassembling - Reverse Engineering
Sumutiu Marius
 
Stuxnet dc9723
Stuxnet dc9723Stuxnet dc9723
Stuxnet dc9723
Iftach Ian Amit
 
Buffer Overflow - Smashing the Stack
Buffer Overflow - Smashing the StackBuffer Overflow - Smashing the Stack
Buffer Overflow - Smashing the Stack
ironSource
 
Shellcoding in linux
Shellcoding in linuxShellcoding in linux
Shellcoding in linux
Ajin Abraham
 
Dive into exploit development
Dive into exploit developmentDive into exploit development
Dive into exploit development
Payampardaz
 
Writing Metasploit Plugins
Writing Metasploit PluginsWriting Metasploit Plugins
Writing Metasploit Plugins
amiable_indian
 
Web (dis)assembly
Web (dis)assemblyWeb (dis)assembly
Web (dis)assembly
Shakacon
 
You're Off the Hook: Blinding Security Software
You're Off the Hook: Blinding Security SoftwareYou're Off the Hook: Blinding Security Software
You're Off the Hook: Blinding Security Software
Cylance
 
Chapter 1SyllabusCatalog Description Computer structu
Chapter 1SyllabusCatalog Description Computer structuChapter 1SyllabusCatalog Description Computer structu
Chapter 1SyllabusCatalog Description Computer structu
EstelaJeffery653
 
Stack-Based Buffer Overflows
Stack-Based Buffer OverflowsStack-Based Buffer Overflows
Stack-Based Buffer Overflows
Daniel Tumser
 
PVS-Studio, a solution for resource intensive applications development
PVS-Studio, a solution for resource intensive applications developmentPVS-Studio, a solution for resource intensive applications development
PVS-Studio, a solution for resource intensive applications development
OOO "Program Verification Systems"
 
Low Level Exploits
Low Level ExploitsLow Level Exploits
Low Level Exploits
hughpearse
 
Smash the Stack: Writing a Buffer Overflow Exploit (Win32)
Smash the Stack: Writing a Buffer Overflow Exploit (Win32)Smash the Stack: Writing a Buffer Overflow Exploit (Win32)
Smash the Stack: Writing a Buffer Overflow Exploit (Win32)
Elvin Gentiles
 
[2007 CodeEngn Conference 01] dual5651 - Windows 커널단의 후킹
[2007 CodeEngn Conference 01] dual5651 - Windows 커널단의 후킹[2007 CodeEngn Conference 01] dual5651 - Windows 커널단의 후킹
[2007 CodeEngn Conference 01] dual5651 - Windows 커널단의 후킹
GangSeok Lee
 
Code Red Security
Code Red SecurityCode Red Security
Code Red Security
Amr Ali
 
First Steps Developing Embedded Applications using Heterogeneous Multi-core P...
First Steps Developing Embedded Applications using Heterogeneous Multi-core P...First Steps Developing Embedded Applications using Heterogeneous Multi-core P...
First Steps Developing Embedded Applications using Heterogeneous Multi-core P...
Toradex
 
Swug July 2010 - windows debugging by sainath
Swug July 2010 - windows debugging by sainathSwug July 2010 - windows debugging by sainath
Swug July 2010 - windows debugging by sainath
Dennis Chung
 
fg.workshop: Software vulnerability
fg.workshop: Software vulnerabilityfg.workshop: Software vulnerability
fg.workshop: Software vulnerability
fg.informatik Universität Basel
 
Finding Xori: Malware Analysis Triage with Automated Disassembly
Finding Xori: Malware Analysis Triage with Automated DisassemblyFinding Xori: Malware Analysis Triage with Automated Disassembly
Finding Xori: Malware Analysis Triage with Automated Disassembly
Priyanka Aash
 
AAME ARM Techcon2013 003v02 Software Development
AAME ARM Techcon2013 003v02 Software DevelopmentAAME ARM Techcon2013 003v02 Software Development
AAME ARM Techcon2013 003v02 Software Development
Anh Dung NGUYEN
 
Shellcode Disassembling - Reverse Engineering
Shellcode Disassembling - Reverse EngineeringShellcode Disassembling - Reverse Engineering
Shellcode Disassembling - Reverse Engineering
Sumutiu Marius
 
Stuxnet dc9723
Stuxnet dc9723Stuxnet dc9723
Stuxnet dc9723
Iftach Ian Amit
 
Ad

More from Tomer Zait (6)

Escaping the python sandbox
Escaping the python sandboxEscaping the python sandbox
Escaping the python sandbox
Tomer Zait
 
The evolution of credential hijacking
The evolution of credential hijackingThe evolution of credential hijacking
The evolution of credential hijacking
Tomer Zait
 
PyMultiTor
PyMultiTorPyMultiTor
PyMultiTor
Tomer Zait
 
PyMultitor
PyMultitorPyMultitor
PyMultitor
Tomer Zait
 
Hacking 101 for developers
Hacking 101 for developersHacking 101 for developers
Hacking 101 for developers
Tomer Zait
 
Java - abstract class methods
Java - abstract class methodsJava - abstract class methods
Java - abstract class methods
Tomer Zait
 
Escaping the python sandbox
Escaping the python sandboxEscaping the python sandbox
Escaping the python sandbox
Tomer Zait
 
The evolution of credential hijacking
The evolution of credential hijackingThe evolution of credential hijacking
The evolution of credential hijacking
Tomer Zait
 
PyMultiTor
PyMultiTorPyMultiTor
PyMultiTor
Tomer Zait
 
PyMultitor
PyMultitorPyMultitor
PyMultitor
Tomer Zait
 
Hacking 101 for developers
Hacking 101 for developersHacking 101 for developers
Hacking 101 for developers
Tomer Zait
 
Java - abstract class methods
Java - abstract class methodsJava - abstract class methods
Java - abstract class methods
Tomer Zait
 
Ad

Recently uploaded (20)

Mastering Fluent Bit: Ultimate Guide to Integrating Telemetry Pipelines with ...
Mastering Fluent Bit: Ultimate Guide to Integrating Telemetry Pipelines with ...Mastering Fluent Bit: Ultimate Guide to Integrating Telemetry Pipelines with ...
Mastering Fluent Bit: Ultimate Guide to Integrating Telemetry Pipelines with ...
Eric D. Schabell
 
!%& IDM Crack with Internet Download Manager 6.42 Build 32 >
!%& IDM Crack with Internet Download Manager 6.42 Build 32 >!%& IDM Crack with Internet Download Manager 6.42 Build 32 >
!%& IDM Crack with Internet Download Manager 6.42 Build 32 >
Ranking Google
 
Cryptocurrency Exchange Script like Binance.pptx
Cryptocurrency Exchange Script like Binance.pptxCryptocurrency Exchange Script like Binance.pptx
Cryptocurrency Exchange Script like Binance.pptx
riyageorge2024
 
Adobe Media Encoder Crack FREE Download 2025
Adobe Media Encoder Crack FREE Download 2025Adobe Media Encoder Crack FREE Download 2025
Adobe Media Encoder Crack FREE Download 2025
zafranwaqar90
 
The Elixir Developer - All Things Open
The Elixir Developer - All Things OpenThe Elixir Developer - All Things Open
The Elixir Developer - All Things Open
Carlo Gilmar Padilla Santana
 
AI in Business Software: Smarter Systems or Hidden Risks?
AI in Business Software: Smarter Systems or Hidden Risks?AI in Business Software: Smarter Systems or Hidden Risks?
AI in Business Software: Smarter Systems or Hidden Risks?
Amara Nielson
 
Gojek Clone App for Multi-Service Business
Gojek Clone App for Multi-Service BusinessGojek Clone App for Multi-Service Business
Gojek Clone App for Multi-Service Business
XongoLab Technologies LLP
 
Digital Twins Software Service in Belfast
Digital Twins Software Service in BelfastDigital Twins Software Service in Belfast
Digital Twins Software Service in Belfast
julia smits
 
sequencediagrams.pptx software Engineering
sequencediagrams.pptx software Engineeringsequencediagrams.pptx software Engineering
sequencediagrams.pptx software Engineering
aashrithakondapalli8
 
LEARN SEO AND INCREASE YOUR KNOWLDGE IN SOFTWARE INDUSTRY
LEARN SEO AND INCREASE YOUR KNOWLDGE IN SOFTWARE INDUSTRYLEARN SEO AND INCREASE YOUR KNOWLDGE IN SOFTWARE INDUSTRY
LEARN SEO AND INCREASE YOUR KNOWLDGE IN SOFTWARE INDUSTRY
NidaFarooq10
 
GDS SYSTEM | GLOBAL DISTRIBUTION SYSTEM
GDS SYSTEM | GLOBAL DISTRIBUTION SYSTEMGDS SYSTEM | GLOBAL DISTRIBUTION SYSTEM
GDS SYSTEM | GLOBAL DISTRIBUTION SYSTEM
philipnathen82
 
Protect HPE VM Essentials using Veeam Agents-a50012338enw.pdf
Protect HPE VM Essentials using Veeam Agents-a50012338enw.pdfProtect HPE VM Essentials using Veeam Agents-a50012338enw.pdf
Protect HPE VM Essentials using Veeam Agents-a50012338enw.pdf
株式会社クライム
 
Tools of the Trade: Linux and SQL - Google Certificate
Tools of the Trade: Linux and SQL - Google CertificateTools of the Trade: Linux and SQL - Google Certificate
Tools of the Trade: Linux and SQL - Google Certificate
VICTOR MAESTRE RAMIREZ
 
Top 12 Most Useful AngularJS Development Tools to Use in 2025
Top 12 Most Useful AngularJS Development Tools to Use in 2025Top 12 Most Useful AngularJS Development Tools to Use in 2025
Top 12 Most Useful AngularJS Development Tools to Use in 2025
GrapesTech Solutions
 
FlakyFix: Using Large Language Models for Predicting Flaky Test Fix Categorie...
FlakyFix: Using Large Language Models for Predicting Flaky Test Fix Categorie...FlakyFix: Using Large Language Models for Predicting Flaky Test Fix Categorie...
FlakyFix: Using Large Language Models for Predicting Flaky Test Fix Categorie...
Lionel Briand
 
How to avoid IT Asset Management mistakes during implementation_PDF.pdf
How to avoid IT Asset Management mistakes during implementation_PDF.pdfHow to avoid IT Asset Management mistakes during implementation_PDF.pdf
How to avoid IT Asset Management mistakes during implementation_PDF.pdf
victordsane
 
Maximizing ROI with Odoo Staff Augmentation A Smarter Way to Scale
Maximizing ROI with Odoo Staff Augmentation A Smarter Way to ScaleMaximizing ROI with Odoo Staff Augmentation A Smarter Way to Scale
Maximizing ROI with Odoo Staff Augmentation A Smarter Way to Scale
SatishKumar2651
 
Autodesk Inventor Crack (2025) Latest
Autodesk Inventor Crack (2025) LatestAutodesk Inventor Crack (2025) Latest
Autodesk Inventor Crack (2025) Latest
Google
 
WinRAR Crack for Windows (100% Working 2025)
WinRAR Crack for Windows (100% Working 2025)WinRAR Crack for Windows (100% Working 2025)
WinRAR Crack for Windows (100% Working 2025)
sh607827
 
Robotic Process Automation (RPA) Software Development Services.pptx
Robotic Process Automation (RPA) Software Development Services.pptxRobotic Process Automation (RPA) Software Development Services.pptx
Robotic Process Automation (RPA) Software Development Services.pptx
julia smits
 
Mastering Fluent Bit: Ultimate Guide to Integrating Telemetry Pipelines with ...
Mastering Fluent Bit: Ultimate Guide to Integrating Telemetry Pipelines with ...Mastering Fluent Bit: Ultimate Guide to Integrating Telemetry Pipelines with ...
Mastering Fluent Bit: Ultimate Guide to Integrating Telemetry Pipelines with ...
Eric D. Schabell
 
!%& IDM Crack with Internet Download Manager 6.42 Build 32 >
!%& IDM Crack with Internet Download Manager 6.42 Build 32 >!%& IDM Crack with Internet Download Manager 6.42 Build 32 >
!%& IDM Crack with Internet Download Manager 6.42 Build 32 >
Ranking Google
 
Cryptocurrency Exchange Script like Binance.pptx
Cryptocurrency Exchange Script like Binance.pptxCryptocurrency Exchange Script like Binance.pptx
Cryptocurrency Exchange Script like Binance.pptx
riyageorge2024
 
Adobe Media Encoder Crack FREE Download 2025
Adobe Media Encoder Crack FREE Download 2025Adobe Media Encoder Crack FREE Download 2025
Adobe Media Encoder Crack FREE Download 2025
zafranwaqar90
 
The Elixir Developer - All Things Open
The Elixir Developer - All Things OpenThe Elixir Developer - All Things Open
The Elixir Developer - All Things Open
Carlo Gilmar Padilla Santana
 
AI in Business Software: Smarter Systems or Hidden Risks?
AI in Business Software: Smarter Systems or Hidden Risks?AI in Business Software: Smarter Systems or Hidden Risks?
AI in Business Software: Smarter Systems or Hidden Risks?
Amara Nielson
 
Gojek Clone App for Multi-Service Business
Gojek Clone App for Multi-Service BusinessGojek Clone App for Multi-Service Business
Gojek Clone App for Multi-Service Business
XongoLab Technologies LLP
 
Digital Twins Software Service in Belfast
Digital Twins Software Service in BelfastDigital Twins Software Service in Belfast
Digital Twins Software Service in Belfast
julia smits
 
sequencediagrams.pptx software Engineering
sequencediagrams.pptx software Engineeringsequencediagrams.pptx software Engineering
sequencediagrams.pptx software Engineering
aashrithakondapalli8
 
LEARN SEO AND INCREASE YOUR KNOWLDGE IN SOFTWARE INDUSTRY
LEARN SEO AND INCREASE YOUR KNOWLDGE IN SOFTWARE INDUSTRYLEARN SEO AND INCREASE YOUR KNOWLDGE IN SOFTWARE INDUSTRY
LEARN SEO AND INCREASE YOUR KNOWLDGE IN SOFTWARE INDUSTRY
NidaFarooq10
 
GDS SYSTEM | GLOBAL DISTRIBUTION SYSTEM
GDS SYSTEM | GLOBAL DISTRIBUTION SYSTEMGDS SYSTEM | GLOBAL DISTRIBUTION SYSTEM
GDS SYSTEM | GLOBAL DISTRIBUTION SYSTEM
philipnathen82
 
Protect HPE VM Essentials using Veeam Agents-a50012338enw.pdf
Protect HPE VM Essentials using Veeam Agents-a50012338enw.pdfProtect HPE VM Essentials using Veeam Agents-a50012338enw.pdf
Protect HPE VM Essentials using Veeam Agents-a50012338enw.pdf
株式会社クライム
 
Tools of the Trade: Linux and SQL - Google Certificate
Tools of the Trade: Linux and SQL - Google CertificateTools of the Trade: Linux and SQL - Google Certificate
Tools of the Trade: Linux and SQL - Google Certificate
VICTOR MAESTRE RAMIREZ
 
Top 12 Most Useful AngularJS Development Tools to Use in 2025
Top 12 Most Useful AngularJS Development Tools to Use in 2025Top 12 Most Useful AngularJS Development Tools to Use in 2025
Top 12 Most Useful AngularJS Development Tools to Use in 2025
GrapesTech Solutions
 
FlakyFix: Using Large Language Models for Predicting Flaky Test Fix Categorie...
FlakyFix: Using Large Language Models for Predicting Flaky Test Fix Categorie...FlakyFix: Using Large Language Models for Predicting Flaky Test Fix Categorie...
FlakyFix: Using Large Language Models for Predicting Flaky Test Fix Categorie...
Lionel Briand
 
How to avoid IT Asset Management mistakes during implementation_PDF.pdf
How to avoid IT Asset Management mistakes during implementation_PDF.pdfHow to avoid IT Asset Management mistakes during implementation_PDF.pdf
How to avoid IT Asset Management mistakes during implementation_PDF.pdf
victordsane
 
Maximizing ROI with Odoo Staff Augmentation A Smarter Way to Scale
Maximizing ROI with Odoo Staff Augmentation A Smarter Way to ScaleMaximizing ROI with Odoo Staff Augmentation A Smarter Way to Scale
Maximizing ROI with Odoo Staff Augmentation A Smarter Way to Scale
SatishKumar2651
 
Autodesk Inventor Crack (2025) Latest
Autodesk Inventor Crack (2025) LatestAutodesk Inventor Crack (2025) Latest
Autodesk Inventor Crack (2025) Latest
Google
 
WinRAR Crack for Windows (100% Working 2025)
WinRAR Crack for Windows (100% Working 2025)WinRAR Crack for Windows (100% Working 2025)
WinRAR Crack for Windows (100% Working 2025)
sh607827
 
Robotic Process Automation (RPA) Software Development Services.pptx
Robotic Process Automation (RPA) Software Development Services.pptxRobotic Process Automation (RPA) Software Development Services.pptx
Robotic Process Automation (RPA) Software Development Services.pptx
julia smits
 

Buffer overflow – Smashing The Stack

  • 1. Buffer Overflow – Smashing The Stack Tomer Zait - Application Security Engineer
  • 2. root@kali:~# whoami ironSourceTomer Zait • Application Security Engineer at • Practical Software Engineer (Ort Singalovsky) • Offensive Security Certified Professional (OSCP) • OpenSource Projects: o PyMultitor o HackMe Credit o AutoBrowser o SubDomain Analyzer o Proxist • 1st Place at The Israel Cyber Challenge, 2014
  • 3. Today we will focus on: • Past Events • What Is Stack • Assembly – Registers • Stack Overflow • Shell Code • Exploit Development
  • 5. • Exploits a buffer overflow vulnerability in Microsoft DCOM RPC interface. • Worm downloads a copy of mblast.exe to compromised host from infecting host via TFTP and runs commands to execute it. • mblast.exe attempts to carry out SYN flood attack on windowsupdate.com as well as scanning/infecting other hosts. BLASTER WORM Hex dump of the Blaster worm
  • 6. • DOS attack on windowsupdate.com failed - the regular domain name is windowsupdate.microsoft.com. • Windowsupdate.com was just a pointer to the windowsupdate.microsoft.com - so Microsoft just decomissioned it. BLASTER WORM - EFFECTS
  • 7. • August 11, 2003: Original version of the worm appears on the internet. • August 12, 2003: The number of infected systems is reported at 30,000. • August 15, 2003:The number of infected systems is reported at 423,000. • August 16, 2003: DDoS attack against windowsupdate.com starts. (Largely unsuccessful because that url is merely a redirect to the real site, windowsupdate.microsoft.com) • January 28, 2005: The creator of the "B" variant of MSBlaster is sentenced to 18 months in jail. BLASTER WORM - TIMELINE
  • 8. • Exploits a buffer overflow vulnerability in Microsoft NET BIOS interface (MS08-067). • Dictionary attack on ADMIN$ shares. • Creates DLL-based AutoRun trojan on attached removable drives. • Downloads daily from any of 250 pseudorandom domains over 5 TLDs (Top-level domains). • Updates self to Conficker B, C or D. CONFICKER WORM
  • 9. • Account lockout policies being reset automatically. • Certain Microsoft Windows services such as Automatic Updates, Background Intelligent Transfer Service (BITS), Windows Defender and Windows Error Reporting disabled. • Domain controllers responding slowly to client requests. • Congestion on local area networks (ARP flood as consequence of network scan). • Web sites related to antivirus software or the Windows Update service becoming inaccessible CONFICKER WORM - EFFECTS
  • 10. • Discovered in early November 2008. • The French Navy computer network, was infected with Conficker on 15 January 2009. • An infection of Manchester City Council's IT system caused an estimated £1.5m worth of disruption in February 2009. • The estimated number of infected computers ranged from almost 9 million to 15 million. • Microsoft has reported the total number of infected computers detected by its antimalware products has remained steady at around 1.7 million from mid-2010 to mid- 2011. CONFICKER WORM - TIMELINE
  • 12. It's a special region of your computer's memory that stores temporary variables created by each function (including the main() function), The stack is a “LIFO” (last in , first out) data structure. Principal operations: • push adds an element to the collection. • pop removes the last element that was added. • Stack Real Life example is weapon's magazine STACK - EXPLANATION
  • 14. On today’s average WinTel CPU you have 9 32bit registers (w/o flag registers). Their names are: EAX: Extended Accumulator Register EBX: Extended Base Register ECX: Extended Counter Register EDX: Extended Data Register ESI: Extended Source Index EDI: Extended Destination Index EBP: Extended Base Pointer ESP: Extended Stack Pointer EIP: Extended Instruction Pointer CPU REGISTERS
  • 15. The ESP register serves as an indirect memory operand pointing to the top of the stack at any time. WORD takes 2 bytes In memory. • When a word value is pushed onto the stack, the assembler decreases the ESP (Stack Pointer) register by 2. • When a word value is popped off the stack, the assembler increases the ESP register by 2. ESP REGISTER
  • 16. The instruction pointer register points to the memory addresswhich the processor will next attempt to execute. it cannot be directly accessed in 16-bit or 32-bit mode, but a sequence like the following can be written to put the address of next_line into eax: call next_line next_line: pop eax This sequence of instructions generates position-independent code because call takes an instruction-pointer-relative immediate operand describing the offset in bytes of the target instruction from the next instruction (in this case 0). EIP REGISTER
  • 18. A stack overflow is an undesirable condition in which a particular computer program tries to use more memory space than the call stack has available. In programming, the call stack is a buffer that stores requests that need to be handled. The size of a call stack depends on various factors. It is usually defined at the start of a program. Its size can depend on the architecture of the computer on which the program runs, the language in which the program is written, and the total amount of available memory in the system. When a stack overflow occurs as a result of a program's excessive demand for memory space, that program (and sometimes the entire computer) may crash. STACK OVERFLOW - EXPLANATION
  • 20. # Metasploit generated – write.exe – x86 – Windows XP Pro SP2 shellcode="x68x97x4Cx80x7CxB8x4Dx11x86x7CxFFxD0”; Let’s disassemble these bytes into instructions : You don’t need to run this code to figure out what it will do. SHELLCODE - WINDOWS XP PRO SP2 32BIT (1) C:shellcode>"c:program filesnasmndisasm.exe" -b 32 c:tmpshellcode.bin 00000000 68974C807C push dword 0x7c804c97 00000005 B84D11867C mov eax,0x7c86114d 0000000A FFD0 call eax
  • 21. If the exploit is indeed written for Windows XP Pro SP2 then this will happen: at 0x7c804c97 on XP SP2, we find (windbg output) : So push dword 0x7c804c97 will push “Write” onto the stack. SHELLCODE - WINDOWS XP PRO SP2 32BIT (2) 0:001> d 0x7c804c97 7c804c97 57 72 69 74 65 00 42 61-73 65 43 68 65 63 6b 41 Write.BaseCheckA 7c804ca7 70 70 63 6f 6d 70 61 74-43 61 63 68 65 00 42 61 ppcompatCache.Ba 7c804cb7 73 65 43 6c 65 61 6e 75-70 41 70 70 63 6f 6d 70 seCleanupAppcomp 7c804cc7 61 74 43 61 63 68 65 00-42 61 73 65 43 6c 65 61 atCache.BaseClea 7c804cd7 6e 75 70 41 70 70 63 6f-6d 70 61 74 43 61 63 68 nupAppcompatCach 7c804ce7 65 53 75 70 70 6f 72 74-00 42 61 73 65 44 75 6d eSupport.BaseDum 7c804cf7 70 41 70 70 63 6f 6d 70-61 74 43 61 63 68 65 00 pAppcompatCache. 7c804d07 42 61 73 65 46 6c 75 73-68 41 70 70 63 6f 6d 70 BaseFlushAppcomp
  • 22. Next, 0x7c86114d is moved into eax and a call eax is made. At 0x7c86114d, we find : Conclusion : this code will execute “write” (=wordpad). SHELLCODE - WINDOWS XP PRO SP2 32BIT (3) 0:001> ln 0x7c86114d (7c86114d) kernel32!WinExec | (7c86123c) kernel32!`string' Exact matches: kernel32!WinExec =
  • 23. SHELLCODE TEST - WINDOWS XP PRO SP2 32BIT char code[] = "x68x97x4Cx80x7CxB8x4Dx11x86x7CxFFxD0"; int main(int argc, char **argv) { int (*func)(); func = (int (*)()) code; (int)(*func)(); }
  • 25. VULNERABLE CODE - EXAMPLE #include <string.h> void foo (char *bar) { char c[12]; strcpy(c, bar); // no bounds checking } int main (int argc, char **argv) { foo(argv[1]); }
  • 27. VULNERABLE CODE - EXPLOTION This code takes an argument from the command line and copies it to a local stack variable c. This works fine for command line arguments smaller than 12 characters (as you can see in figure B below). Any arguments larger than 11 characters long will result in corruption of the stack. (The maximum number of characters that is safe is one less than the size of the buffer here because in the C programming language strings are terminated by a zero byte character. A twelve-character input thus requires thirteen bytes to store, the input followed by the sentinel zero byte. The zero byte then ends up overwriting a memory location that's one byte beyond the end of the buffer.)
  • 28. THE PROGRAM STACK IN foo() WITH VARIOUS INPUTS (1) A. - Before data is copied.
  • 29. THE PROGRAM STACK IN foo() WITH VARIOUS INPUTS (2) B. - "hello" is the first command line argument.
  • 30. THE PROGRAM STACK IN foo() WITH VARIOUS INPUTS (3) A. - Before data is copied.
  • 31. VULNERABLE CODE - SUMMARY Notice in figure C above, when an argument larger than 11 bytes is supplied on the command line foo() overwrites local stack data, the saved frame pointer, and most importantly, the return address. When foo() returns it pops the return address off the stack and jumps to that address (i.e. starts executing instructions from that address). Thus, the attacker has overwritten the return address with a pointer to the stack buffer char c[12], which now contains attacker-supplied data. In an actual stack buffer overflow exploit the string of "A"'s would instead be shellcode suitable to the platform and desired function. If this program had special privileges (e.g. the SUID bit set to run as the superuser), then the attacker could use this vulnerability to gain superuser privileges on the affected machine.
  • 33. 1. Wikipedia - http://www.wikipedia.org/ 2. Corelan Team- https://www.corelan.be/ 3. Natashenka - http://natashenka.ca/ BIBLIOGRAPHY

Editor's Notes

  • #34: להסביר לאנשים לא להדליף את ההרצאה הפנימית. היא סודית.