ART OF EXPLOIT WRITING Ashfaq Ansari Security Researcher & Penetration Tester Founder Of: HackSys Team http://hacksys.vfreaks.com/ null Meet @Bangalore – 19th Jan 2013
Art of Exploit Writing

Dec 07, 2014

null Bangalore Chapter, January 2013 Meet
Transcript
Page 1: Art of Exploit Writing

ART OF EXPLOIT WRITING

Ashfaq Ansari

Security Researcher & Penetration Tester

Founder Of: HackSys Team http://hacksys.vfreaks.com/

null Meet @Bangalore – 19th Jan 2013

Page 2: Art of Exploit Writing

Buffer Overflow

• Writing more data into a buffer than the allocated size.

• Two types:

– Stack Overflow: corrupts the execution stack by writing past the end of an array (aka smashing the stack / stack overflow)

– Heap Overflow: corrupts the heap

Page 3: Art of Exploit Writing

Process Memory Organization

Layout diagram (top to bottom): Text, Data, Heap, Stack

Text

• Fixed by the program

• Read-only

Data

• Initialized & uninitialized data

• Static variables are stored here

Stack

• Local variables for functions

• Return address and local stack pointer

Page 4: Art of Exploit Writing

The Stack - We Must Know Him

Stack frame diagram (top to bottom): c, b, a, RET, SFP, Buffer 1, Buffer 2

Used

• Stack is LIFO – Last In First Out

• PUSH & POP operations (LIFO)

• Dynamically allocates local variables used in functions

• Passes parameters to functions, etc.

Info

• Stack Pointer (SP) points to the top of the stack

• Contains return address and local stack pointer

Page 5: Art of Exploit Writing

x86 General Purpose Register

Page 6: Art of Exploit Writing

Fuzzing

Page 7: Art of Exploit Writing

Overview

• Black box software testing technique, which helps in finding implementation bugs using malformed / semi-malformed data injection in an automated fashion [1]

• Lazy man's tool [2]

Page 8: Art of Exploit Writing

The Stack - Overflow

Frame diagram after the overflow (top to bottom): AAAA, AAAA, AAAA, DDDD, CCCC, BBBB, BBBB, AAAA, AAAA, AAAA

• Buffer 1 & 2: overwritten by A's & B's

• SFP: overwritten by C's

• RET: return address overwritten by D's

Page 9: Art of Exploit Writing

Bad Characters

NULL \x00

\n \x0a

\r \x0d
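The following program is an added example, not the speaker's code or a demo from the talk. It models the frame drawn on pages 4 and 8 (Buffer 2, Buffer 1, SFP, RET) as a single byte array, so the overflow from page 2 can be shown without the program actually crashing, and ties together the overflow diagram (page 8), the NULL bad character (page 9) and the fuzzing overview (page 7). The buffer sizes (8 bytes each), the 4-byte SFP/RET slots, the RET marker value, the seed input "hello" and all function names are assumptions made for this example; the strcpy-style copy is paired with a bounded copy that rejects oversized input, and the fuzzer reports how often its mutations reach RET, which is the kind of signal a harness would use to catch the bug before an attacker does.

```c
#include <stdint.h>
#include <string.h>

/* Model of the frame drawn on the slides (constructed for this example, not the
 * speaker's code): Buffer 2 at the lowest offset, then Buffer 1, the saved frame
 * pointer (SFP) and the return address (RET).  The frame is one byte array, so
 * every write below stays inside a single object and nothing really crashes. */
#define BUF2_SIZE  8
#define BUF1_SIZE  8
#define SFP_OFF    (BUF2_SIZE + BUF1_SIZE)
#define RET_OFF    (SFP_OFF + 4)
#define FRAME_SIZE (RET_OFF + 4)            /* 24 bytes, 32-bit slots */

static const uint8_t RET_ORIGINAL[4] = {0x12, 0x34, 0x56, 0x78}; /* constructed */
static const uint8_t SLIDE_INPUT[] = "AAAAAAAABBBBBBBBCCCCDDDD";  /* page 8 pattern */

/* Fresh frame: zeroed buffers, marker bytes in SFP, the known RET value. */
static void frame_init(uint8_t *frame) {
    memset(frame, 0, FRAME_SIZE);
    memset(frame + SFP_OFF, 0xEE, 4);
    memcpy(frame + RET_OFF, RET_ORIGINAL, 4);
}

/* strcpy-style copy into Buffer 2: stops only at NUL, never checks BUF2_SIZE.
 * This is the defect the slides describe; the FRAME_SIZE guard only keeps the
 * simulation inside the array. */
static void copy_unbounded(uint8_t *frame, const uint8_t *src) {
    for (size_t i = 0; src[i] != 0 && i < FRAME_SIZE; i++)
        frame[i] = src[i];
}

/* Bounded alternative: refuses input that does not fit Buffer 2 plus its
 * terminator.  Returns 0 on success, -1 when the input is rejected. */
static int copy_bounded(uint8_t *frame, const uint8_t *src) {
    size_t n = strlen((const char *)src);
    if (n >= BUF2_SIZE)
        return -1;
    memcpy(frame, src, n + 1);
    return 0;
}

/* Detector: 1 if RET no longer holds its original value. */
static int ret_corrupted(const uint8_t *frame) {
    return memcmp(frame + RET_OFF, RET_ORIGINAL, 4) != 0;
}

/* Page 8: A's and B's fill the buffers, C's land on SFP, D's on RET.
 * Returns 1 when RET reads "DDDD" after the unbounded copy. */
static int slide_overflow_demo(void) {
    uint8_t frame[FRAME_SIZE];
    frame_init(frame);
    copy_unbounded(frame, SLIDE_INPUT);
    return memcmp(frame + RET_OFF, "DDDD", 4) == 0;
}

/* Same input through the bounded copy: rejected, RET untouched. */
static int bounded_demo(void) {
    uint8_t frame[FRAME_SIZE];
    frame_init(frame);
    return copy_bounded(frame, SLIDE_INPUT) == -1 && !ret_corrupted(frame);
}

/* Page 9's NULL bad character: a \x00 inside the input ends the strcpy-style
 * copy early, so the bytes after it never reach RET. */
static int nul_stops_copy_demo(void) {
    uint8_t frame[FRAME_SIZE], input[FRAME_SIZE + 1];
    memcpy(input, SLIDE_INPUT, FRAME_SIZE + 1);
    input[BUF2_SIZE] = 0;                   /* NUL at the start of Buffer 1 */
    frame_init(frame);
    copy_unbounded(frame, input);
    return !ret_corrupted(frame);
}

/* Page 7: a tiny mutation fuzzer.  Mutate a benign seed (overwrite a byte,
 * truncate, or append), run the unbounded copy and count how often the
 * detector sees RET change.  xorshift32 makes a run reproducible per seed. */
static uint32_t rng_state;
static uint32_t rng_next(void) {
    uint32_t x = rng_state;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return rng_state = x;
}

static int fuzz_unbounded(uint32_t seed, int iterations) {
    uint8_t input[FRAME_SIZE + 1] = "hello";  /* constructed seed input */
    uint8_t frame[FRAME_SIZE];
    size_t len = 5;
    int hits = 0;
    rng_state = seed ? seed : 1;
    for (int it = 0; it < iterations; it++) {
        switch (rng_next() % 4) {
        case 0:  if (len) input[rng_next() % len] = 1 + rng_next() % 255; break;
        case 1:  if (len) len--; break;                     /* truncate */
        default: if (len < FRAME_SIZE) input[len++] = 1 + rng_next() % 255; break;
        }
        input[len] = 0;                                     /* keep it a C string */
        frame_init(frame);
        copy_unbounded(frame, input);
        if (ret_corrupted(frame))
            hits++;
    }
    return hits;
}
```

Build with `cc -std=c99 -Wall` and call the four functions from a `main` of your own; `slide_overflow_demo` reproduces the page 8 picture, `bounded_demo` shows the length check refusing the same input, `nul_stops_copy_demo` is why \x00 is listed as a bad character, and `fuzz_unbounded(42, 2000)` shows that even a crude mutation loop finds the unbounded copy quickly once a detector (here the RET comparison, in practice a stack canary or sanitizer) is in place. The mutations deliberately avoid \x00 so the fuzzer does not keep generating inputs that the copy truncates early.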

Page 10: Art of Exploit Writing

DEMO

Page 11: Art of Exploit Writing

Time Spent

Chart: Exploits Worked On vs. Time Spent, with stage labels Get Familiar, Get Experienced, Work Hard Toward Mastery, Achieve Mastery

Page 12: Art of Exploit Writing