Reverse Engineering for exploit writers

Nibin Varghese iViZ Security, Kolkata Reverse Engineering for Exploit Writers

Agenda ,[object Object],[object Object],[object Object]

Exploitation Overview ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]

Reverse Engineering Tools ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]

MS08-067 ,[object Object],[object Object],[object Object],[object Object]

Structure of X86 stack frame Stack grows towards lower addresses Local Variables Saved EBP Saved IP Arguments

Classical Overflow Return address overwritten with address of shellcode Local Variables Saved EBP Saved IP Arguments

Reverse engineering the patch ,[object Object]

The Bug ,[object Object],[object Object]

The Bug(contd..) ptr_path computername....AAAAAAAAAAAAAAAAAAAAAAAAA ptr_previous_slash ptr_current_slash ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],..AAAAAAAAAAAAAAAAAAAAAAAAA Lower Address Higher Address

path Return Address of vulnerable_function Saved EBP Netapi32!NetpwPathCanonicalize vulnerable_function( wchar *path ) wcscpy(dst,src) Return Address of wcscpy Saved EBP ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],..AAAAAA ..AAAAAAAAAAA (ptr1 – 1) ptr2 ptr1 ptr_path c.... AAAAAAAAAAA AAAA AAAA AAAA Shell Code

The Bug (contd..) ,[object Object],[object Object],[object Object]

Ready for PoC ,[object Object],[object Object],[object Object],[object Object],[object Object]

Mass Exploitation ,[object Object],[object Object],[object Object],[object Object]

Thank You ,[object Object],[object Object],[object Object]

Reverse Engineering for exploit writers

Recomendados

Recomendados

Mais conteúdo relacionado

Semelhante a Reverse Engineering for exploit writers

Semelhante a Reverse Engineering for exploit writers (20)

Mais de amiable_indian

Mais de amiable_indian (20)

Último

Último (20)

Reverse Engineering for exploit writers