Dobin 0x42_Exploit.pdf


File details

Flashcards 9
Language English
Category Religion / Ethics
Level University
Created / Updated 21.06.2019 / 28.06.2020
License Not specified
Web link
https://card2brain.ch/box/20190621_dobin_0x33debugging_pdf


What is needed to create a buffer overflow exploit?

  • The Shellcode
  • The distance to SIP (stored instruction pointer)
  • The address of the shellcode (in memory of the process)

What makes the creation of an overflow exploit possible?

Program execution is HIGHLY predictable/deterministic

  • which is kind of surprising

Stack, Heap, Code all start at the same address

Same functions get called in the same order

  • And allocate the same sized buffers

Error/Overflow in function X, every time has:

  • Same call stack
  • Same variables
  • Same registers

How can we find the address of buffer with the shellcode?

Debug the program.

What is the offset?

Offset:

  • distance between start of buffer (firstname)
  • Till SIP (Stored instruction pointer)

What lies in between (the "stuff"):

  • Other local variables (isAdmin)
  • SBP (Stored Base Pointer)
  • Padding

How can you get the distance from your buffer to the SIP (Stored Instruction Pointer)?

How to get the distance to the SIP (Stored Instruction Pointer):

  1. Create overflow string
  2. Run the program in gdb (gnu debugger) with the string as an argument
  3. Check if RIP is modified (segmentation fault?)
  4. If no crash:
    1. Increase overflow string length
    2. Goto 2
  5. If crash:
    1. Check if RIP is based on overflow string
    2. Check at which location in the string RIP is
    3. Modify overflow string at that location

RIP (64 bit) = EIP (32 bit)

How is the data that is written into the buffer structured to execute our shellcode?

  • Fill buffer_len with NOP
    • | NOP NOP |
    • exploit = "\x90" * (buf_size - len(shellcode))    # "\x90" = NOP
  • add shellcode
    • | NOP NOP | shellcode |
    • exploit += shellcode
  • Fill with garbage till we reach the SIP
    • | NOP NOP | shellcode | fill |
    • exploit += "A" * (offset - len(exploit))
  • Last: put in the return address
    • | NOP NOP | shellcode | fill | ret_addr |
    • exploit += ret_addr


What is a nop sled and what is it good for?

NOP Sled:

  • NOP = No Operation "0x90" on 32 bit

"A set of instructions which ultimately do not affect code execution. 
Does nothing except incrementing EIP"


The NOP sled is useful so the SIP does not have to point EXACTLY at the beginning of the shellcode,
just somewhere in the NOP sled.