1100101001001110

Tags:

Preview:

Click to see full reader

Citation preview

Jaime Peñalba @NighterMan

WHO AM I?

OGT OFFENSIVE LABS & -D--I

CISSP EN FRIGORIFICOS

CERTIFIED CALDERATOR

NIVEL 101 EN BF3

WHY EXPLOITING?

INTRODUCCION

DESMITIFICARLO (NO ES DIFICIL)

BECAUSE IT'S PHUN

PROTECCIONES ACTUALES

ESTO NO ES UNA GUIA COMPLETA

WHAT DO I NEED TO KNOW TO EXPLOIT?

FUNCIONAMIENTO BASICO DE UN PROCESADOR

ORGANIZACION DE LA MEMORIA

FUNCIONAMIENTO DE LA PILA (STACK)

PROTECCIONES

HOW CPU WORKS

HOW CPU WORKS

HOW CPU WORKS

HOW CPU WORKS

MEMORY LAYOUT

.RODATA

.BSS

.DATA

[STACK]

[STACK]

[HEAP]

MEMORY LAYOUT

MEMORY LAYOUT

FUNCION DEL STACK

CONTROL DEL FLUJO DE EJECUCION

ALMACENAMIENTO DE LOCAL VARS

PASAR ARGS A FUNCIONES

(DEPENDE DE LA ARCH Y EL CALLING CONVENTION)

STACK

%EBP (BASE DEL FRAME)

PUNTERO AL EBP ANTERIOR

%ESP (CIMA DE LA PILA)

PUSH (ESP = ESP-4)

POP (ESP = ESP+4)

STACK

STACK

MOST COMMON FLAWS

OVERFLOWDYNAMIC ALLOCATION

FORMAT STRING

STACK HEAP

USE AFTER FREENULL POINTER

BASIC EXPLOIT

BASIC EXPLOIT

OVERWRITES FULL FRAME

OVERWRITES SAVED EBP

OVERWRITES SAVED RET

NEW EIP POINTS TO JMP %ESP

JUMPS TO SHELLCODE

OVERWRITES FULL FRAME

OVERWRITES SAVED EBP

OVERWRITES SAVED RET

NEW EIP POINTS TO JMP %ESP

JUMPS TO SHELLCODE

BASIC EXPLOIT

COUNTERMEASURES VS EXPLOITATION

Stack Smashing

StackCanary

StackCanary Bypass

HeapExploitation

GOTOverwrite

PositionIndependent

CodeASLR

Return ToLibrary No eXecute Bit

RELocationRead-Only

Return OrientedProgramming

(ROP)

PositionIndepenentExecutable

(PIE)

MemoryDisclosure

ASLR

No eXecute Bit

Return Oriented Programming

ROP

RET

POP EIP

LEAVE

ESP = EBP

POP EBP

ROP GADGETS

UNALIGNED VS ALIGNED

SIMPLE ROP

SIMPLE ROP

BASIC EXPLOIT

STACK PIVOTING

mov eax 0xfff

xchg esp eax

ret

CREAMOS UNA PILA EN OTRA ZONA DE MEMORIA DONDE TENGAMOS MEJOR CONTROL

SALTAMOS A LA NUEVA PILA

COMPLEX ROP

Creamos una zona de memoria con permisos de ejecucion mmap()

Copiamos nuestro shellcode a la nueva zona memcpy()

Saltamos a nuestro shellcode

COMPLEX ROP

mmap() no esta importada pero dlsym() si lo esta

Sacamos la direccion de mmap() llamando a dlsym

Necesitamos la direccion de nuestro shellcode y no tenemos gadgets (stack pivoting)

mmap() y dlsym() utilizan argumentos con null bytes (stack pivoting)

COMPLEX ROP

BASIC EXPLOIT

CUIDADO CON LA BEBIDA!!!

THE END

Recommended

Refresh OKC
Technology
The Value of User Experience (from Web 2.0 Expo Berlin 2008)
Technology
Best Practice For UX Deliverables - Eventhandler, London, 05 March 2014
Technology
What is Big Data?
Technology
Become A Photographer
Technology
Leaving Positive Impression
Technology
Introduction to wireframes
Technology
Big Data - The 5 Vs Everyone Must Know
Technology
Automotive20
Technology
Advertising Psychology
Technology
Stop Buying Tech
Technology
Foursquare Wallet presentation
Technology
Designing With Vision
Technology
From Paths to Sandboxes
Technology
Snapshot of Digital India - March 2014
Technology
ROI in the age of keyword not provided [Mozinar]
Technology
Site Search Analytics in a Nutshell
Technology
Expert Positioning Using LinkedIn
Technology
6 key learnings for responsive webdesign
Technology
Profile & Resume Buzzkill - Words to avoid
Technology