Exploit Technique

CodeEngn Co-Administrator and Team Sur3x5F Member
Nick : Deok9
E-mail : DDeok9@gmail.com
HomePage : http://deok9.sur3x5f.org
Twitter : @DDeok9

<< Contents >>
1. Shell Code
2. Security Cookie Overwriting
3. Trampoline Technique
4. SEH Overwriting
5. Heap Spray

Copyright 2011 Deok9 All rights Reserved
1. Shell Code

1) Shell Code ( cmd.exe )

Windows ShellCode WinExec. WinExec(LPCSTR lpCmdLine, UINT uCmdShow) Format. Linux /bin/sh. Assembly WinExec Depends Tool.

[ 1-1 - 1 ] Depends Tool WinExec

WinExec Kernel32.dll, Entry Point : 0x0006250D, Kernel32.dll Base Address : 0x7C7D0000, 0x7C83250D. Visual Studio cmd Code.

[ 1-1 - 2 ] cmd Code

cmd[4] WinExec, cmd[4], SW_SHOWNORMAL Option. Code main Breakpoint, Debugging Mode Disassemble Shell Code.
[ 1-1 - 3 ] Debugging Disassembly

LEA edi, [ebp+ffffff34h]
REP STOS dword ptr es:[edi]
CMP esi, esp
CALL 00411140

'\0' Shell Code NULL xor. CALL dword ptr ds:[0041819ch] [004182B4h] Data, Shell Code. Depends Tool.

[ 1-1 - 4 ] Inline Assembly Code

Code Debugging Mode Disassemble Shell Code.
[ 1-1 - 5 ] Shell Code
2. Security Cookie Overwriting

1) Security Cookie?

Windows Stack, SFP Buffer Hacker Buffer Overflow Security Cookie Stack Security Data Security Cookie BOF.

[ 2-1 - 1 ] IDA Security Cookie

[ 2-1 - 2 ] Security Cookie Stack
2) Security Cookie Overwrite

BOF Shell Code, RET ( EIP ) Memory Security Cookie, SFP, RET 3. RET Security Cookie Debugging Security Cookie.

[ 2-2 - 1 ] Security Cookie Save

EAX B516410E, Security Cookie Check.

[ 2-2 - 2 ] ECX Security Cookie 41414141

[ 2-2 - 3 ] Security Cookie EIP Error

Security Cookie, Error EIP, RET Error.
3. Trampoline Technique

1) ASLR ( Address Space Layout Randomization )?

Process Mapping Object & Random, BOF Object BOF.

[ 3-1 - 1 ] ASLR

Visual Studio Alt + F7.

[ 3-1 - 2 ] ASLR
2) Trampoline Technique

Trampoline JMP.

[ 3-2 - 1 ] Trampoline Technique

Memory RET Shell Code, ESP. ESP 00 NULL. Stack Random ASLR. ESP RET ( RET Memory ) ESP JMP ESP, CALL ESP.

[ 3-2 - 2 ] .text Section ( Code )

[ 3-2 - 3 ] JMP ESP Code

JMP ESP. ntdll 7CXXXXXX 00 NULL.
4. SEH Overwriting

1) SEH ( Structured Exception Handling )?

Windows, Program Hardware Exception, Handle Software Exception. Thread, Error Exception = Error.

[ 4-1 - 1 ] Exception Handler

EstablisherFrame EXCEPTION_REGISTRATION. _CONTEXT *ContextRecord Thread. Exception Register. Exception Handler Chain insert, Chain EXCEPTION_REGISTRATION.

[ 4-1 - 2 ] EXCEPTION_REGISTRATION

EXCEPTION_REGISTRATION Pointer. Exception Handler Pointer.

[ 4-1 - 3 ] SEH Chain Layout
2) SEH Overwriting

Exception Stack SEH, ESP SEH Ret. Hacker SEH 2 ( Handler Next ) EIP. ESP Argument 2 POP POP RET, JMP [esp+8], CALL [esp+8], ADD esp,8 RET EIP. Handler Next. SEH Handler ( SEH Handler Code. )

[ 4-2 - 1 ] SEH Offset

Backtrack patternoffset.pl SEH Handler. Offset Exploit Code.

[ 4-2 - 3 ] Exploit Code

[ 4-2 - 3 ]

ESP SEH RET ADD ESP, 8 RETN Handler Next, Next Hacker Shell Code JMP. EB 06 90 90 SHORT JMP, Ollydbg.
5. Heap Spray

1) Heap Spray?

Heap Memory Data EIP Heap. html javascript Heap Memory Program. Code.

[ 5-1 - 1 ] Heap Spray Memory

%u0505 ( NOP code ) + ShellCode 0x80000 Size Heap Memory. Hacker NOP EIP. Exploit Code Heap Memory.

[ 5-1 - 2 ] Heap Memory Dump

Memory 05050505...... ( MOV edi, edi ).