Louisville Infosec - Metasploit Class - Fuzzing and Exploit Development with Metasploit

•

1 gostou•1,247 visualizações

This document discusses fuzzing and exploit development using the Metasploit framework. It begins with an introduction and overview of buffer overflows and the stack. It then demonstrates through examples how to fuzz an application to cause a crash, use patterns to find the EIP overwrite location, build a skeleton exploit, find and add a JMP instruction to redirect execution, and finally add shellcode to achieve remote code execution. Countermeasures like ASLR and DEP are also briefly mentioned. The goal is to provide hands-on examples of the full exploit development process from start to finish.

Tecnologia

Fuzzing and Exploit
Development with
Metasploit Framework

Who am I
• Elliott Cutright aka Nullthreat
• Senior Information Security Analyst
• Do not take anything I say as fact. I have
been wrong before and I will be wrong
again.

What is an overﬂow
• Too much data in a space not designed for
it
• Stack Based (Focus on today)
• Heap Based
• Smashing the stack for fun and proﬁt
• Phrack 49 by Aleph One

What is the Stack
• Holds the functions and function variables
• User Input
• Data needed by the app
• First in, ﬁrst out

Fuzzing
• Sending random info to the application and
monitor for a crash
• Make the app cry
• GET /AAAAAAAAAAAAAA......
• EIP = 0x41414141

X86 Registers
• EIP - Address of next instruction
• ESP - Address for the top of the stack
• EBP - Stack Base Address
• EAX/ECX/EDX - Holds variables and data
for the application

x86 Registers
• EIP = Instruction Pointer
• ESP = Stack Pointer
• EAX = Accumulator
• EBX = Base Index
• ECX = Counter
• EDX = Data
• ESI = Source Index
• EDI = Destination Index

Awesome...wait..what?
• EIP = 0x41414141
• 0x41 = A
• We control EIP, so we can tell the
application what to do
• Now we need to ﬁnd the location of the
EIP overwrite

Enter Pattern_create()
• MSF Pattern Create creates a easy-to-
predict string to assist with EIP location
• EIP overwritten with pattern and use MSF
Pattern Offset to determine location

Lets Break Some Stuff
• DEMO
• MSF Pattern Create/Offset

EIP Overwrite
• We now know it takes 256 bytes to get to
the EIP over write
• Use this to build out skeleton exploit

Skeleton Exploit
“x00x01” - Sets the mode in TFTP
“x41” * 256 - Sends 256 A’s, overﬂow buffer
“x42” * 4 - Sets EIP to 0x42424242
“x43” * 250 - Sends 250 C’s as fake payload
“x00” - Ends the packet

Exploit in Metasploit
crash = "x00x01"
crash += "x41" * 256
crash += [target.ret].pack('V')
crash += "x43" * 250
crash += "x00"

Lets Break Some Stuff
• DEMO
• Skeleton Exploit

A Closer Look
0x42424242
0x42424242
0x0012FBE0
0x0012FBE0

Find the JMP
• We control EIP and ESP
• The data we want it is ESP
• We want to ﬁnd a JMP ESP
• This will place us at the start of our
“shellcode”

Finding the JMP
• Ollydbg or ImmunityDBG
• Use the search feature
• Find in application or windows lib

Testing the return
• Use break point at the address
• Make sure we jump to the right spot

Lets Break Some Stuff
• DEMO
• Finding and adding the JMP
• Testing the JMP

Adding the Shellcode
• Metasploit has a large library
• Very easy to add to exploit
• replace “x43” * 250 with
payload.encoded
• This exploit has small space for shellcode
• For this proof of concept we will launch
calc.exe

Lets Break Some Stuff
• DEMO
• Shellcode and Final Exploit

Buzz Kills
• ASLR - Address Space Layout
Randomization
• Vista and Server ’08 enabled by default
• DEP - Data Execution Prevention
• XP SP2 and newer
• Prevents code execution in non-
executable memory

Resources
• www.nullthreat.net - Slides and demos
• www.offsec.com - Cracking the Perimeter
• www.corelan.be:8800 - Awesome tutorials
on exploit dev
• DHAtEnclaveForensics -Youtube channel
• www.exploit-db.com - take working
exploits apart and re-write them

Mais conteúdo relacionado

Mais procurados

High Performance Solr

Shalin Shekhar Mangar

This session will introduce and demonstrate several techniques for enhancing the search experience by augmenting documents during indexing. First we'll survey the analysis components available in Solr, and then we'll delve into using Solr's update processing pipeline to modify documents on the way in. The session will build on Erik's "Poor Man's Entity Extraction" blog at http://www.searchhub.org/2013/06/27/poor-mans-entity-extraction-with-solr/

Solr Indexing and Analysis Tricks

Erik Hatcher

Spark Summit EU talk by Ted Malaska

Spark Summit

SFBay Area Solr Meetup - June 18th: Benchmarking Solr Performance

Lucidworks (Archived)

Lucene for Solr Developers

Erik Hatcher

Webinar: What's New in Solr 6

Lucidworks

Search-time Parallelism: Presented by Shikhar Bhushan, Etsy

Lucidworks

My presentation focuses on how we implemented Solr 4 to be the cornerstone of our social marketing analytics platform. Our platform analyzes relationships, behaviors, and conversations between 30,000 brands and 100M social accounts every 15 minutes. Combined with our Hadoop cluster, we have achieved throughput rates greater than 8,000 documents per second. Our index currently contains more than 620M documents and is growing by 3 to 4 million documents per day. My presentation will include details about: 1) Designing a Solr Cloud cluster for scalability and high-availability using sharding and replication with Zookeeper, 2) Operations concerns like how to handle a failed node and monitoring, 3) How we deal with indexing big data from Pig/Hadoop as an example of using the CloudSolrServer in SolrJ and managing searchers for high indexing throughput, 4) Example uses of key features like real-time gets, atomic updates, custom hashing, and distributed facets. Attendees will come away from this presentation with a real-world use case that proves Solr 4 is scalable, stable, and is production ready.

Lucene Revolution 2013 - Scaling Solr Cloud for Large-scale Social Media Anal...

thelabdude

Scaling Solr with Solr Cloud

Sematext Group, Inc.

Apache SolrCloud

Michał Warecki

Organizations continue to adopt Solr because of its ability to scale to meet even the most demanding workflows. Recently, LucidWorks has been leading the effort to identify, measure, and expand the limits of Solr. As part of this effort, we've learned a few things along the way that should prove useful for any organization wanting to scale Solr. Attendees will come away with a better understanding of how sharding and replication impact performance. Also, no benchmark is useful without being repeatable; Tim will also cover how to perform similar tests using the Solr-Scale-Toolkit in Amazon EC2.

Benchmarking Solr Performance at Scale

thelabdude

Solr introduction

Lap Tran

How Rackspace Cloud Monitoring uses Cassandra

gdusbabek

Repl internals

MongoDB

Faster Data Analytics with Apache Spark using Apache Solr - Kiran Chitturi, L...

Lucidworks

Reactive Summit 2017 Highlights!

Fabio Tiriticco

Mais procurados (16)

High Performance Solr

Solr Indexing and Analysis Tricks

Spark Summit EU talk by Ted Malaska

SFBay Area Solr Meetup - June 18th: Benchmarking Solr Performance

Lucene for Solr Developers

Webinar: What's New in Solr 6

Search-time Parallelism: Presented by Shikhar Bhushan, Etsy

Lucene Revolution 2013 - Scaling Solr Cloud for Large-scale Social Media Anal...

Scaling Solr with Solr Cloud

Apache SolrCloud

Benchmarking Solr Performance at Scale

Solr introduction

How Rackspace Cloud Monitoring uses Cassandra

Repl internals

Faster Data Analytics with Apache Spark using Apache Solr - Kiran Chitturi, L...

Reactive Summit 2017 Highlights!

Semelhante a Louisville Infosec - Metasploit Class - Fuzzing and Exploit Development with Metasploit

Sending a for ahuh. win32 exploit development old school

Nahidul Kibria

Saving The World From Guaranteed APOCALYPSE* Using Varnish and Memcached

georgepenkov

Process Doppelgänging

KarlFrank99

PL/Perl - New Features in PostgreSQL 9.0 201012

Tim Bunce

Failure Of DEP And ASLR

n|u - The Open Security Community

fg.workshop: Software vulnerability

fg.informatik Universität Basel

Smash the Stack: Writing a Buffer Overflow Exploit (Win32)

Elvin Gentiles

Modern operating systems include hardened security mechanisms to block exploit attempts. ASLR and NX (DEP) are two examples of the mechanisms that are widely implemented for the sake of security. However, there exists ways to bypass such protections by leveraging advanced exploitation techniques. It becomes harder to achieve code execution when the exploitation originates from a remote location, such as when the attack originates from a client, targeting server daemons. In such cases it is harder to find out the context information of target systems and, therefore, harder to achieve code execution. Knowledge on the memory layout of the targeted process is a crucial piece of the puzzle in developing an exploit, but it is harder to figure out when the exploit attempt is performed remotely. Recently, there have been techniques to leverage information disclosure (memory leak) vulnerabilities to figure out where specific library modules are loaded in the memory layout space, and such classes of vulnerabilities have been proven to be useful to bypass ASLR. However, there is also a different way of figuring out the memory layout of a process running in a remote environment. This method involves probing for valid addresses in target remote process. In a Linux environment, forked child processes will inherit already randomized memory layout from the parent process. Thus every client connection made to server daemons will share the same memory layout. The memory layout randomization is only done during the startup of the parent service process, and not randomized again when it is forking a child process to handle client connections. Due to the inheritance of child processes, it is possible to figure out a small piece of different information from every connection, and these pieces can be assembled later to get the idea of a big picture of the target process's remote memory layout. Probing to see if a given address is a valid memory address in context of the target remote process and assembling such information together, an attacker can figure out where the libc library is loaded on the memory, thus allowing exploits to succeed further in code execution. One might call it brute force, but with a smart brute forcing strategy, the number of minimal required attempts are significantly reduced to less than 10 in usual cases. In this talk, we will be talking about how it is possible to probe for memory layout space utilizing a piece of code to put the target in a blocked state, and to achieve stable code execution in remote exploit attempt scenarios using such information, as well as other tricks that are often used in remote exploit development in the Linux environment. http://codeblue.jp/en-speaker.html#SeokHaLee

various tricks for remote linux exploits　 by Seok-Ha Lee (wh1ant)

CODE BLUE

backgroundcommunicationandwaitevents-180124221026.pdf

ssuser785ce21

Basic buffer overflow part1

Payampardaz

Tanel Poder Oracle Scripts and Tools (2010)

Tanel Poder

Lie to Me: Bypassing Modern Web Application Firewalls

Ivan Novikov

SQLT XPLORE - The SQLT XPLAIN Hidden Child

Enkitec

Chapter 4 stack

jadhav_priti

Bh ad-12-stealing-from-thieves-saher-slides

Matt Kocubinski

Ruxmon cve 2012-2661

snyff

Advanced Windows Exploitation

UTD Computer Security Group

Speaker: Peter Hlavaty Language: English This talk will cover how powerfull are buffer overflows, how weak are mitigations against them, why are buffer overflows still possible in those days, how generic are they, and example how useful is turn race conditions to buffer overflow. Race conditions are nice example for that, because they are one of the hardest to find and on of the easiest to make. example is on Linux kernel (droids included), but talk will be keeped for buffer overflows in general (mainly for windows & Linux kernel) CONFidence: http://confidence.org.pl/pl/

CONFidence 2015: when something overflowing... - Peter Hlavaty

PROIDEA

This talk will cover how powerfull are buffer overflows, how weak are mitigations against them, why are buffer overflows still possible in those days, how generic are they, and example how useful is turn race conditions to buffer overflow. Race conditions are nice example for that, because they are one of the hardest to find and on of the easiest to make. example is on Linux kernel (droids included), but talk will be keeped for buffer overflows in general (mainly for windows & Linux kernel)

When is something overflowing

Peter Hlavaty

ShmooCON 2009 : Re-playing with (Blind) SQL Injection

Chema Alonso

Semelhante a Louisville Infosec - Metasploit Class - Fuzzing and Exploit Development with Metasploit (20)

Sending a for ahuh. win32 exploit development old school

Saving The World From Guaranteed APOCALYPSE* Using Varnish and Memcached

Process Doppelgänging

PL/Perl - New Features in PostgreSQL 9.0 201012

Failure Of DEP And ASLR

fg.workshop: Software vulnerability

Smash the Stack: Writing a Buffer Overflow Exploit (Win32)

various tricks for remote linux exploits　 by Seok-Ha Lee (wh1ant)

backgroundcommunicationandwaitevents-180124221026.pdf

Basic buffer overflow part1

Tanel Poder Oracle Scripts and Tools (2010)

Lie to Me: Bypassing Modern Web Application Firewalls

SQLT XPLORE - The SQLT XPLAIN Hidden Child

Chapter 4 stack

Bh ad-12-stealing-from-thieves-saher-slides

Ruxmon cve 2012-2661

Advanced Windows Exploitation

CONFidence 2015: when something overflowing... - Peter Hlavaty

When is something overflowing

ShmooCON 2009 : Re-playing with (Blind) SQL Injection

Último

Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows. We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases. This video focuses on the deployment of external web forms using Jotform for Bonterra Impact Management. This solution can be customized to your organization’s needs and deployed to support the common use cases below: - Intake and consent - Assessments - Surveys - Applications - Program registration Interested in deploying web form automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.

Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...

Jeffrey Haguewood

How to Troubleshoot Apps for the Modern Connected Worker

ThousandEyes

The value of a flexible API Management solution for Open Banking Steve Melan, Manager for IT Innovation and Architecture - State's and Saving's Bank of Luxembourg Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - The value of a flexible API Management solution for O...

apidays

💉💊+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHABI}}+971581248768 +971581248768 Mtp-Kit (500MG) Prices » Dubai [(+971581248768**)] Abortion Pills For Sale In Dubai, UAE, Mifepristone and Misoprostol Tablets Available In Dubai, UAE CONTACT DR.Maya Whatsapp +971581248768 We Have Abortion Pills / Cytotec Tablets /Mifegest Kit Available in Dubai, Sharjah, Abudhabi, Ajman, Alain, Fujairah, Ras Al Khaimah, Umm Al Quwain, UAE, Buy cytotec in Dubai +971581248768''''Abortion Pills near me DUBAI | ABU DHABI|UAE. Price of Misoprostol, Cytotec” +971581248768' Dr.DEEM ''BUY ABORTION PILLS MIFEGEST KIT, MISOPROTONE, CYTOTEC PILLS IN DUBAI, ABU DHABI,UAE'' Contact me now via What's App…… abortion Pills Cytotec also available Oman Qatar Doha Saudi Arabia Bahrain Above all, Cytotec Abortion Pills are Available In Dubai / UAE, you will be very happy to do abortion in Dubai we are providing cytotec 200mg abortion pill in Dubai, UAE. Medication abortion offers an alternative to Surgical Abortion for women in the early weeks of pregnancy. We only offer abortion pills from 1 week-6 Months. We then advise you to use surgery if its beyond 6 months. Our Abu Dhabi, Ajman, Al Ain, Dubai, Fujairah, Ras Al Khaimah (RAK), Sharjah, Umm Al Quwain (UAQ) United Arab Emirates Abortion Clinic provides the safest and most advanced techniques for providing non-surgical, medical and surgical abortion methods for early through late second trimester, including the Abortion By Pill Procedure (RU 486, Mifeprex, Mifepristone, early options French Abortion Pill), Tamoxifen, Methotrexate and Cytotec (Misoprostol). The Abu Dhabi, United Arab Emirates Abortion Clinic performs Same Day Abortion Procedure using medications that are taken on the first day of the office visit and will cause the abortion to occur generally within 4 to 6 hours (as early as 30 minutes) for patients who are 3 to 12 weeks pregnant. When Mifepristone and Misoprostol are used, 50% of patients complete in 4 to 6 hours; 75% to 80% in 12 hours; and 90% in 24 hours. We use a regimen that allows for completion without the need for surgery 99% of the time. All advanced second trimester and late term pregnancies at our Tampa clinic (17 to 24 weeks or greater) can be completed within 24 hours or less 99% of the time without the need surgery. The procedure is completed with minimal to no complications. Our Women's Health Center located in Abu Dhabi, United Arab Emirates, uses the latest medications for medical abortions (RU-486, Mifeprex, Mifegyne, Mifepristone, early options French abortion pill), Methotrexate and Cytotec (Misoprostol). The safety standards of our Abu Dhabi, United Arab Emirates Abortion Doctors remain unparalleled. They consistently maintain the lowest complication rates throughout the nation. Our Physicians and staff are always available to answer questions and care for women in one of the most difficult times in their lives. The decision to have an abortion at the Abortion Cl

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...

?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@

GenAI Risks & Security Meetup 01052024.pdf

lior mazor

Created by Mozilla Research in 2012 and now part of Linux Foundation Europe, the Servo project is an experimental rendering engine written in Rust. It combines memory safety and concurrency to create an independent, modular, and embeddable rendering engine that adheres to web standards. Stewardship of Servo moved from Mozilla Research to the Linux Foundation in 2020, where its mission remains unchanged. After some slow years, in 2023 there has been renewed activity on the project, with a roadmap now focused on improving the engine’s CSS 2 conformance, exploring Android support, and making Servo a practical embeddable rendering engine. In this presentation, Rakhi Sharma reviews the status of the project, our recent developments in 2023, our collaboration with Tauri to make Servo an easy-to-use embeddable rendering engine, and our plans for the future to make Servo an alternative web rendering engine for the embedded devices industry. (c) Embedded Open Source Summit 2024 April 16-18, 2024 Seattle, Washington (US) https://events.linuxfoundation.org/embedded-open-source-summit/ https://ossna2024.sched.com/event/1aBNF/a-year-of-servo-reboot-where-are-we-now-rakhi-sharma-igalia

A Year of the Servo Reboot: Where Are We Now?

Igalia

Effective data discovery is crucial for maintaining compliance and mitigating risks in today's rapidly evolving privacy landscape. However, traditional manual approaches often struggle to keep pace with the growing volume and complexity of data. Join us for an insightful webinar where industry leaders from TrustArc and Privya will share their expertise on leveraging AI-powered solutions to revolutionize data discovery. You'll learn how to: - Effortlessly maintain a comprehensive, up-to-date data inventory - Harness code scanning insights to gain complete visibility into data flows leveraging the advantages of code scanning over DB scanning - Simplify compliance by leveraging Privya's integration with TrustArc - Implement proven strategies to mitigate third-party risks Our panel of experts will discuss real-world case studies and share practical strategies for overcoming common data discovery challenges. They'll also explore the latest trends and innovations in AI-driven data management, and how these technologies can help organizations stay ahead of the curve in an ever-changing privacy landscape.

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery

TrustArc

Modernizing Securities Finance: The cloud-native prime brokerage platform transforming capital markets. Madhu Subbu, Managing Director, Head of Securities Finance Engineering Apidays Singapore 2024: Connecting Customers, Business and Technology (April 17 & 18, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu

apidays

MS Copilot expands with MS Graph connectors

Nanddeep Nachan

A Beginners Guide to Building a RAG App Using Open Source Milvus

Zilliz

Following the popularity of "Cloud Revolution: Exploring the New Wave of Serverless Spatial Data," we're thrilled to announce this much-anticipated encore webinar. In this sequel, we'll dive deeper into the Cloud-Native realm by uncovering practical applications and FME support for these new formats, including COGs, COPC, FlatGeoBuf, GeoParquet, STAC, and ZARR. Building on the foundation laid by industry leaders Michelle Roby of Radiant Earth and Chris Holmes of Planet in the first webinar, this second part offers an in-depth look at the real-world application and behind-the-scenes dynamics of these cutting-edge formats. We will spotlight specific use-cases and workflows, showcasing their efficiency and relevance in practical scenarios. Discover the vast possibilities each format holds, highlighted through detailed discussions and demonstrations. Our expert speakers will dissect the key aspects and provide critical takeaways for effective use, ensuring attendees leave with a thorough understanding of how to apply these formats in their own projects. Elevate your understanding of how FME supports these cutting-edge technologies, enhancing your ability to manage, share, and analyze spatial data. Whether you're building on knowledge from our initial session or are new to the serverless spatial data landscape, this webinar is your gateway to mastering cloud-native formats in your workflows.

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME

Safe Software

Three things you will take away from the session: • How to run an effective tenant-to-tenant migration • Best practices for before, during, and after migration • Tips for using migration as a springboard to prepare for Copilot in Microsoft 365 Main ideas: Migration Overview: The presentation covers the current reality of cross-tenant migrations, the triggers, phases, best practices, and benefits of a successful tenant migration Considerations: When considering a migration, it is important to consider the migration scope, performance, customization, flexibility, user-friendly interface, automation, monitoring, support, training, scalability, data integrity, data security, cost, and licensing structure Next Wave: The next wave of change includes the launch of Copilot, which requires businesses to be prepared for upcoming changes related to Copilot and the cloud, and to consolidate data and tighten governance ShareGate: ShareGate can help with pre-migration analysis, configurable migration tool, and automated, end-user driven collaborative governance

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff

sammart93

As privacy and data protection regulations evolve rapidly, organizations operating in multiple jurisdictions face mounting challenges to ensure compliance and safeguard customer data. With state-specific privacy laws coming up in multiple states this year, it is essential to understand what their unique data protection regulations will require clearly. How will data privacy evolve in the US in 2024? How to stay compliant? Our panellists will guide you through the intricacies of these states' specific data privacy laws, clarifying complex legal frameworks and compliance requirements. This webinar will review: - The essential aspects of each state's privacy landscape and the latest updates - Common compliance challenges faced by organizations operating in multiple states and best practices to achieve regulatory adherence - Valuable insights into potential changes to existing regulations and prepare your organization for the evolving landscape

TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments

TrustArc

Artificial Intelligence Chap.5 : Uncertainty

Khushali Kathiriya

Manulife - Insurer Transformation Award 2024

The Digital Insurer

FWD Group - Insurer Innovation Award 2024

The Digital Insurer

Axa Assurance Maroc - Insurer Innovation Award 2024

The Digital Insurer

ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke

Product Anonymous

Join our latest Connector Corner webinar to discover how UiPath Integration Service revolutionizes API-centric automation in a 'Quote to Cash' process—and how that automation empowers businesses to accelerate revenue generation. A comprehensive demo will explore connecting systems, GenAI, and people, through powerful pre-built connectors designed to speed process cycle times. Speakers: James Dickson, Senior Software Engineer Charlie Greenberg, Host, Product Marketing Manager

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...

DianaGray10

Whatsapp Number Escorts Call girls 8617370543 Available 24x7 Navi Mumbai Call Girls Service Offer Genuine VIP Model Escorts Call Girls in Your Budget. Navi Mumbai Call Girls Service Provide Real Call Girls Number. Make Your Sexual Pleasure Memorable with Our Navi Mumbai Call Girls at Affordable Price. Top VIP Escorts Call Girls, High Profile Independent Escorts Call Girls, Housewife Women Escorts Call Girl, College Girls Escorts Call Girls, Russian Escorts Call girls Service in Your Budget.

Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model

Deepika Singh

Louisville Infosec - Metasploit Class - Fuzzing and Exploit Development with Metasploit

1. Fuzzing and Exploit Development with Metasploit Framework

2. Who am I • Elliott Cutright aka Nullthreat • Senior Information Security Analyst • Do not take anything I say as fact. I have been wrong before and I will be wrong again.

3. What is an overﬂow • Too much data in a space not designed for it • Stack Based (Focus on today) • Heap Based • Smashing the stack for fun and proﬁt • Phrack 49 by Aleph One

4. What is the Stack • Holds the functions and function variables • User Input • Data needed by the app • First in, ﬁrst out

5. The Stack

6. The Stack (now with more data)

7. The Stack (Smashed)

8. Fuzzing • Sending random info to the application and monitor for a crash • Make the app cry • GET /AAAAAAAAAAAAAA...... • EIP = 0x41414141

9. X86 Registers • EIP - Address of next instruction • ESP - Address for the top of the stack • EBP - Stack Base Address • EAX/ECX/EDX - Holds variables and data for the application

10. x86 Registers • EIP = Instruction Pointer • ESP = Stack Pointer • EAX = Accumulator • EBX = Base Index • ECX = Counter • EDX = Data • ESI = Source Index • EDI = Destination Index

11. Lets Break Some Stuff • DEMO • Fuzzing

12. Awesome...wait..what? • EIP = 0x41414141 • 0x41 = A • We control EIP, so we can tell the application what to do • Now we need to ﬁnd the location of the EIP overwrite

13. Enter Pattern_create() • MSF Pattern Create creates a easy-to- predict string to assist with EIP location • EIP overwritten with pattern and use MSF Pattern Offset to determine location

14. Lets Break Some Stuff • DEMO • MSF Pattern Create/Offset

15. EIP Overwrite • We now know it takes 256 bytes to get to the EIP over write • Use this to build out skeleton exploit

16. Skeleton Exploit “x00x01” - Sets the mode in TFTP “x41” * 256 - Sends 256 A’s, overﬂow buffer “x42” * 4 - Sets EIP to 0x42424242 “x43” * 250 - Sends 250 C’s as fake payload “x00” - Ends the packet

17. Exploit in Metasploit crash = "x00x01" crash += "x41" * 256 crash += [target.ret].pack('V') crash += "x43" * 250 crash += "x00"

18. Lets Break Some Stuff • DEMO • Skeleton Exploit

19. A Closer Look 0x42424242 0x42424242 0x0012FBE0 0x0012FBE0

20. Find the JMP • We control EIP and ESP • The data we want it is ESP • We want to ﬁnd a JMP ESP • This will place us at the start of our “shellcode”

21. Finding the JMP • Ollydbg or ImmunityDBG • Use the search feature • Find in application or windows lib

22. Testing the return • Use break point at the address • Make sure we jump to the right spot

23. Lets Break Some Stuff • DEMO • Finding and adding the JMP • Testing the JMP

24. Adding the Shellcode • Metasploit has a large library • Very easy to add to exploit • replace “x43” * 250 with payload.encoded • This exploit has small space for shellcode • For this proof of concept we will launch calc.exe

25. Lets Break Some Stuff • DEMO • Shellcode and Final Exploit

26. Buzz Kills • ASLR - Address Space Layout Randomization • Vista and Server ’08 enabled by default • DEP - Data Execution Prevention • XP SP2 and newer • Prevents code execution in non- executable memory

27. Resources • www.nullthreat.net - Slides and demos • www.offsec.com - Cracking the Perimeter • www.corelan.be:8800 - Awesome tutorials on exploit dev • DHAtEnclaveForensics -Youtube channel • www.exploit-db.com - take working exploits apart and re-write them

28. Q&A

Louisville Infosec - Metasploit Class - Fuzzing and Exploit Development with Metasploit

Recomendados

Recomendados

Mais conteúdo relacionado

Mais procurados

Mais procurados (16)

Semelhante a Louisville Infosec - Metasploit Class - Fuzzing and Exploit Development with Metasploit

Semelhante a Louisville Infosec - Metasploit Class - Fuzzing and Exploit Development with Metasploit (20)

Último

Último (20)

Louisville Infosec - Metasploit Class - Fuzzing and Exploit Development with Metasploit