Created
July 13, 2019 01:48
-
-
Save SkyBulk/7a969e8854730d90f0c91929e41dc87f to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Table of Contents | |
| 0. Testing Environment | |
| 0.1 Testing Environment | |
| 1. Software Vulnerability Review | |
| 1.1 Buffer OverFlow | |
| 1.2 Format String Bug | |
| 1.3 Integer OverFlow | |
| 2. Classic Technique Review | |
| 2.1 Writing RET Based Buffer OverFlow Exploits | |
| 2-1-1. Direct-RET | |
| 2-1-2. Trampoline | |
| 2-1-3. Real Application Attack(A-PDF All to MP3) | |
| 3. Win32 ShellCode | |
| 3-1. Making Win32 ShellCode | |
| 3-2. Win32 ShellCode Unicode Problem | |
| 3-3. Making Universal ShellCode | |
| 3-4. Using Metasploit Payload and Encoder | |
| 4. About Defence Technique | |
| 4-1. GS(Stack Guard) | |
| 4-2. SafeSEH(SEH Handler Validation Check) | |
| 4-3. DEP(Data Execution Prevension) | |
| 4-4. ASLR(Address Space Layout Randomization) | |
| 4-5. SEHOP(Structured Error Handling Overwrite Protection) | |
| 5. SEH(Structured Error Handling) | |
| 5-1. SEH(Structured Error Handling)? | |
| 5-2. Debugging SEH Chain | |
| 5-2-1. Using Immunity Debugger | |
| 5-2-2. Using WinDbg | |
| 5-3. Debugging Stack View On The SEH Chain | |
| 6. Writing SEH Based Buffer OverFlow Exploits | |
| 6-1. SEH Handler OverWrite | |
| 6-1-1. Debugging GS Option Enable | |
| 6-1-2. Check SafeSEH | |
| 6-1-3. Writing Exploit | |
| 6-2. Real Application Attack(MP3 CD Converter) | |
| 7. RTL(Return To Library) | |
| 7-1. About DEP | |
| 7-2. RTL(Return To Library) | |
| 7-3. Chaining RTL | |
| 7-4. Problem Of RTL? | |
| 8. ROP(Return Oriented Programming) | |
| 8-1. ROP(Return Oriented Programming)? | |
| 8-2. Gadjet | |
| 8-3. Weapon | |
| 8-3-1. API Chain | |
| 8-3-2. Function Parameter | |
| 8-3-3. Weapon Test by DEP Policy(OptOut, AlwaysOn) | |
| 8-4. Flowing Going To ROP | |
| 8-4-1. RET Based | |
| 8-4-2. SEH Based | |
| 8-5. ROP Based Exploit Composition | |
| 8-5-1. StackPivot | |
| 8-5-2. ROP Chain(General-purpose Registers or Stack?) | |
| 8-6. Training ROP Based Exploit ROP by POC Code | |
| 8-7. Universal ROP Exploit | |
| 8-8. Using mona.py Plug-in | |
| 8-9. RET Based ROP - BlazeDVD - DEP(OptOut) | |
| 8-10. SEH Based ROP - WireShark - DEP(AlwaysOn) | |
| 9. Heap | |
| 9-1. About Heap | |
| 9-2. Debugging Heap | |
| 10. Heap Spray Part 1 : Basic Scripting | |
| 10-1. Heap Spray? | |
| 10-2. Debugging String Allocation by JavaScript | |
| 10-2-1. Basic String Allocation | |
| 10-2-2. String Allocation by Unescape() | |
| 10-3. Heap Spray Memory Layout | |
| 10-3-1. Desired Heap Spray Memory Layout | |
| 10-3-2. Heap Spray Script by Exploit-DB(IE6) | |
| 10-3-3. Heap Spray Script by Exploit-DB(IE7) | |
| 10-4. Reliability Pointer Verification by Heap Spray Code(IE6 and IE7) | |
| 10-5. Exploit by Heap Spray - RSP MP3 Player(OCX ActiveX BOF) | |
| 10-6. Non Browser Heap Spray | |
| 10-6-1. Adobe PDF Reader - JavaScript | |
| 10-6-2. Adobe Flash Player - Action Script | |
| 10-6-3. MS Office - VB Script | |
| 11. Heap Spray Part 2 : ROP Heap Spray | |
| 11-1. Internet Explorer 8 Problem | |
| 11-2. ByPass DEP by Heap Spray Composition | |
| 11-2-1. ROP Heap Spray Memory Layout | |
| 11-2-2. Flowing Going To ROP Chain | |
| 11-3. Converting Exploit Code – RSP MP3 Player | |
| 11-4. FF/IE8/IE9/IE10 Heap Spray Script | |
| 12. ByPass Defence Technique of Windows 7 | |
| 11-1. ASLR(Address Space Layout Randomization) | |
| 11-1-1. Debugging ASLR | |
| 11-1-2. ByPass ASLR with DEP - BlazeDVD | |
| 11-2. SEHOP(Structured Error Handling Overwirte Protection) | |
| 11-2-1. Debugging SEHOP Enable | |
| 11-2-2. Execution Condition by _except_handler3() | |
| 11-2-3. ByPass SEHOP - AudioTran - SEH Scope Table Overwrite |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment