Dobin 0x42_Exploit.pdf
Deck details
Cards | 9 |
---|---|
Language | English |
Category | Religion/Ethics |
Level | University |
Created / Updated | 21.06.2019 / 28.06.2020 |
Licensing | Not specified |
Weblink | https://card2brain.ch/box/20190621_dobin_0x33debugging_pdf |
What is needed to create a buffer overflow exploit?
- The Shellcode
- The distance to SIP (stored instruction pointer)
- The address of the shellcode (in memory of the process)
What makes the creation of an overflow exploit possible?
Program execution is HIGHLY predictable/deterministic
- which is kind of surprising
Stack, Heap, Code all start at the same address
Same functions get called in the same order
- And allocate the same sized buffers
Error/Overflow in function X every time has:
- Same call stack
- Same variables
- Same registers
How can we find the address of buffer with the shellcode?
Debug the program.
How can you get the distance from your buffer to the SIP (Stored Instruction Pointer)?
How to get the distance to the SIP (Stored Instruction Pointer):
- Create overflow string
- Run the program in gdb (gnu debugger) with the string as an argument
- Check if RIP is modified (segmentation fault?)
- If no crash:
  - Increase overflow string length
  - Goto 2
- If crash:
  - Check if RIP is based on overflow string
  - Check at which location in the string RIP is
  - Modify overflow string at that location
RIP (64 bit) = EIP (32 bit)
How is the data that is written into the buffer structured to execute our shellcode?
- Fill buffer_len with NOP
  - | NOP NOP |
  - exploit = "\x90" * (buf_size - len(shellcode))  # "\x90" = NOP
- add shellcode
  - | NOP NOP | shellcode |
  - exploit += shellcode
- Fill with garbage till we reach the SIP
  - | NOP NOP | shellcode | fill |
  - exploit += "A" * (offset - len(exploit))
- Last: put in the return address
  - | NOP NOP | shellcode | fill | ret_addr |
  - exploit += ret_addr
What is a nop sled and what is it good for?