1. Exploit Development
Win32 Buffer Overflow Exploitation
By
Kyaw Thiha

2. Whoami?
• Info-sec analyst
• Currently working at Kernellix
• Ex-team member of mmCERT
• Participate some bug bounty programs

3. Prerequisties Knowledge
• Memory stack
• CPU Register
• Knowledge on assembly language
• Buffer overflow attack
• Understanding Shellcode

4. CPU Register
General Purpose Registers
EAX EBX ECX EDX
Segment Registers
CS DS SS ES FS GS

5. CPU Register
Index and Pointer Register
EFLAGS Registers
EDIESI EBP ESP EIP
EFLAGS

6. General Purpose Registers
Base register It is used as a base pointer for memory access Gets some
interrupt return values
EAX
EBX
ECX
EDX
Counter register It is used as a loop counter and for shifts Gets some
interrupt values
Accumulator register.It is used for I/O port access, arithmetic, interrupt
calls, etc...
Data register It is used for I/O port access, arithmetic, some interruptcalls.

7. Segment Registers
Holds the Data segment that your program accesses. Changing its value
might give erronous data.
CS
DS
SS
ES
FS
GP
These are extra segment registers available for far pointer addressing like
video memory and such.
Holds the Stack segment your program uses. Sometimes has the same value as
DS.Changing its value can give unpredictable results, mostly data related.
Holds the Code segment in which your program runs. Changing its value
might make the computer hang.

8. Index and pointer Registers
EDI
ESI
ESP
EBP
Data Pointer Register for memory operations
Stack Pointer Register
Stack Data Pointer Register
EIP Next Instruction

9. EFLAGSRegisters
Bit Label Desciption
---------------------------
0 CF Carry flag
2 PF Parity flag
4 AF Auxiliary carry flag
6 ZF Zero flag
7 SF Sign flag
8 TF Trap flag
9 IF Interrupt enable flag
10 DF Direction flag
11 11 OF Overflow flag
12-13 IOPL I/O Priviledge level
14 NT Nested task flag
16 RF Resume flag
17 VM Virtual 8086 mode flag
18 AC Alignment check flag (486+)
19 VIF Virutal interrupt flag
20 VIP Virtual interrupt pending flag
21 ID ID flag
Those that are not listed are reserved by Intel.

10. General Purpose Register
EAX
AX
31 0
31 01516
AH AL
07815

11. Program Memory Layout
Stack
Unused
Memory
Heap
.bss
.data
.text
Used for stroing function
Dynamic Memory
Unintialize Data
Intialize Data
Program Code
0xffffffff
0x80961025

12. What is Buffer Overflow?
A buffer overflow condition exists when a program attempts to put
more data in a buffer than it can hold or when a program attempts to
put data in a memory area past a buffer

13. What is Buffer Overflow?
Environments Affected
Almost all known web servers, application servers, and web application
environments are susceptible to buffer overflows, the notable exception
being environments written in interpreted languages like Java or Python,
which are immune to these attacks (except for overflows in the Interpretor
itself).

14. Stack Layout
EIP
EBP
EBX
EAX
High Memory
Low Memory
Data
Data
Instruction

15. Sample Stack Overflow
AAAA
AAAA
AAAA
AAAA
High Memory
Low Memory
Data
Data
Instruction

16. Vul code sample
 Array
int [20];
int [20][5];
int [20][5][3];
 Format Strings;
printf(), fprint(),sprint(),sprintf()
 Overflow
strcpy()
strcat()
sprintf()
vsprint()
scanf()

17. Sample Program
GetInput()
{
char buffer[8];
gets(buffer);
puts(buffer);
}

18. Sample Program

19. Demo
• Prerequisites
• Freefloat FTP
• Debugger
• Python
• Metasploit

20. Fuzzing – the very first step
• Need to know crash point
• Need to know vul command

21. Fuzzing Framework
• Spike
• Sulley
• Peach

22. Overwrite EIP

23. Know Crash Point

24. Know crash point

25. Program stack
Buffer EIP Shellcode NOPs
Esp
Jmp esp

26. Control EIP

27. Shellcode Generate

28. Final Payload

29. Final Payload

30. Thanks !
Question ??