Exploit writing FOR Beginners

Download Report

Transcript Exploit writing FOR Beginners 

What is exactly Exploit writing?

Writing a piece of code which is capable
of exploit the vulnerability in the target
software.
What is the impact of Exploits?

Remote code execution : leads to running
malicious application in victim’s system
Denial of Service attacks
…

What I am going to explain
today…
Intro to Stack
 Stack Buffer Overflow attack
 Demo

Intro to Stack
A piece of the Process memory
 Used for storing variables, function call,return
address,…
 Allocated by the OS, for each thread (when
the thread is created). When the thread ends,
the stack is cleared as well.
 The size of the stack is defined when it gets
created and doesn’t change
 Increase to lower address( 0041008
0041004 0041002…)

void vulnfun(char *in)
{
char buf[10];
}
int main(int argc,char *argv[])
{
vulnfun(argv[1]);
return 0;
}
0x00000000
Stack Pointer
(ESP)
Stack Pointer
(ESP)
Stack Pointer
(ESP)
Stack Pointer
(ESP)
Base Pointer
(EBP)
ofPointer
VulnFun
Stack
(ESP)
Stack Pointer
(ESP)
Stack Pointer
Stack Pointer (ESP)
(ESP)
Base Pointer
(EBP)
main
StackofPointer
(ESP)
Local Variable of
VulnFun( buf)
Save previous Base Pointer
Return Address
Stack Frame for
Vulnfun
Arguments for VulnFun
function ( argv[1] )
Local variables of Main
Save previous Base Pointer
Return Address
Stack Frame for
Main
Arguments for Main Function
.
.
.
.
0xFFFFFFFF
Stack Buffer Overflow

Result of giving Input that is longer than
the memory allocated for the variable

For instance, “Char a[10]” can store 10
characters. If you try to enter more than
10 characters that results in overflow
Stack Pointer
(ESP)
AAAAAAA
AAAAAAA
Local variable “buf”
AAAAAAA
Saved Base
pointer overwritten
Return Address
Base Pointer
(EBP) of
VulnFun
Arguments for VulnFun
function ( argv[1] )
Local variables of Main
Save previous Base Pointer
Return Address
Base Pointer
(EBP) of main
Arguments for Main Function
.
.
.
.
Stack Pointer
(ESP)
Base Pointer
(EBP) of VulnFun
AAAAAAA
AAAAAAA
AAAAAAA
Saved Base pointer
overwritten
0x004012C9
Return Address
modified by exploiting
the overflow
Arguments for VulnFun
function ( argv[1] )
Local variables of Main
Save previous Base Pointer
Return Address
Base Pointer
(EBP) of Main
Local variable “buf”
Arguments for Main Function
.
.
.
.
Thank You