namishelex01/Learn Exploit Development - 1

## Learn Exploit Development - 1
[Learning Exploit Development from fuzzysecurity.com]
Tools Needed:-
> Immunity debugger
> Mona.py
> Pvefindaddr.py
> Metasploit
> Virtual Box

Overflows to play with:-
1. Buffer overflow - A memory location receives more data than it was meant to
2. Stack Overflow - usually a BO that writes beyong the end of stack

When the vulnerability is detected, there a re two things to look for
1. Our buffer needs to overwrite EIP(Current Instruction Pointer)
2. One of the CPU registers needs to contain our buffer. Any of the CPU registers can store our buffer

EAX - ACCUMULATOR REGISTER for arithematic operations
EBX - BASE REGISTER
      Pointer to data in the DS segment
      Used to store the base address of the program
ECX - COUNTER REGISTER
      Used for iterations
EDX - GENERAL PURPOSE REGISTER
      For I/O OPERATIONS
      Allows complex calculations as extention to EAX
ESI - SOURCE INDEX REGISTER
      Holds location to Input data
EDI - DESTINATION INDEX REGISTER
      Points to location of where result of data operation is stored
EBP - BASE POINTER
ESP - STACK POINTER
EIP - INSTRUCTION POINTER

WINDOWS PROCESS MEMORY:-
1. CODE SEGMENT - Instructions to execute
2. DATA SEGMENT - Variables, Dynamic buffers
3. STACK SEGMENT - Arguments to function

_______________________________
|           STACK             |
|            HEAP             |
|       PROGRAM IMAGE         |
|         PE header           |
|           .text             |
|           .rdata            |
|           .data             |
|           .rsrc             |
|           DLL               |
|           DLL               |
|           PEB               |
|      data block for         |
|        main thread          |
|     SHARED USER PAGE        |
|         NO ACCESS           |
|_____________________________|

STACK POINTER:-
1. ESP points directly to top of stack i.e. HIGHEST MEMORY ADDRESS -> LOWER MEMORY ADDRESS
2. After a PUSH, ESP will point to a lower memory address
3. After a POP, ESP points to a higher address

WORKING:-
1. Get a program to store an overly long string
2. This string overwrites EIP and a part is stored in CPU register
3. Find a pointer that points to the register that contains our buffer
4. We put that pointer in our buffer so it overwrites EIP
5. When the program reaches our pointer it executes the instruction and jumps to the register that contains our buffer
6. We place our shellcode in the part of the buffer that is stored in the CPU register

METHODS OF EXECUTION OF SHELLCODE:-
1. JUMP or CALL - Use a register that contains the address where the shellcode resides and put that address in EIP
      >> JMP vs CALL : When you use call, the current value of Instruction Pointer is saved on the stack.
                       When the corresponding RET executes, it takes the address from the stack and jumps there.
                       IF JMP occurs, it doesn't save the current address on the stack
2. POP RETURN - If none of the registers point directly to the shellcode, but you can see an address on the stack that points to the shellcode, then you can load that value into EIP by first putting a pointer to POP RETN / POP POP RETN / POP POP POP RETN into EIP
3. PUSH RETURN - Same with a PUSH instruction
4. JMP [REG+OFFSET] - Register which is pointing to the buffer containing the shellcode, but doesn't point at beginning of shellcode, now try to find an instruction in one of the OS or app DLL, which will add the required bytes to the register and then jumps to the register
5. BLIND RETURN - RETN instruction will POP the last value (4 bytes) from the stack and will put the address in ESP. If EIP can be written withe address that will perform a RET instruction, the value stored at ESP will be loaded to EIP
6. SEH - Every application has a default exception handler which is provided for by the OS. So even if the application itself does not use exception handling, you can try to overwrite the SEH handler with your own address and make it jump to your shellcode
7. POPAD - POP all double will pop double words from the stack (ESP) into the GP registers, in one action. OPCODE is 0x61.
8. JMP to hardcode address - Offsets of a register, you simply need to find the opcode that will do the jump, and then use that opcode in the smaller "first"/stage1 buffer, in order to jump to real shellcode.
9. Backward Jumps - Perform backward jumps with negative offset(negative number and convert to hex)
	[Learning Exploit Development from fuzzysecurity.com]
	Tools Needed:-
	> Immunity debugger
	> Mona.py
	> Pvefindaddr.py
	> Metasploit
	> Virtual Box

	Overflows to play with:-
	1. Buffer overflow - A memory location receives more data than it was meant to
	2. Stack Overflow - usually a BO that writes beyong the end of stack

	When the vulnerability is detected, there a re two things to look for
	1. Our buffer needs to overwrite EIP(Current Instruction Pointer)
	2. One of the CPU registers needs to contain our buffer. Any of the CPU registers can store our buffer

	EAX - ACCUMULATOR REGISTER for arithematic operations
	EBX - BASE REGISTER
	Pointer to data in the DS segment
	Used to store the base address of the program
	ECX - COUNTER REGISTER
	Used for iterations
	EDX - GENERAL PURPOSE REGISTER
	For I/O OPERATIONS
	Allows complex calculations as extention to EAX
	ESI - SOURCE INDEX REGISTER
	Holds location to Input data
	EDI - DESTINATION INDEX REGISTER
	Points to location of where result of data operation is stored
	EBP - BASE POINTER
	ESP - STACK POINTER
	EIP - INSTRUCTION POINTER

	WINDOWS PROCESS MEMORY:-
	1. CODE SEGMENT - Instructions to execute
	2. DATA SEGMENT - Variables, Dynamic buffers
	3. STACK SEGMENT - Arguments to function

	_______________________________
	\| STACK \|
	\| HEAP \|
	\| PROGRAM IMAGE \|
	\| PE header \|
	\| .text \|
	\| .rdata \|
	\| .data \|
	\| .rsrc \|
	\| DLL \|
	\| DLL \|
	\| PEB \|
	\| data block for \|
	\| main thread \|
	\| SHARED USER PAGE \|
	\| NO ACCESS \|
	\|_____________________________\|

	STACK POINTER:-
	1. ESP points directly to top of stack i.e. HIGHEST MEMORY ADDRESS -> LOWER MEMORY ADDRESS
	2. After a PUSH, ESP will point to a lower memory address
	3. After a POP, ESP points to a higher address

	WORKING:-
	1. Get a program to store an overly long string
	2. This string overwrites EIP and a part is stored in CPU register
	3. Find a pointer that points to the register that contains our buffer
	4. We put that pointer in our buffer so it overwrites EIP
	5. When the program reaches our pointer it executes the instruction and jumps to the register that contains our buffer
	6. We place our shellcode in the part of the buffer that is stored in the CPU register

	METHODS OF EXECUTION OF SHELLCODE:-
	1. JUMP or CALL - Use a register that contains the address where the shellcode resides and put that address in EIP
	>> JMP vs CALL : When you use call, the current value of Instruction Pointer is saved on the stack.
	When the corresponding RET executes, it takes the address from the stack and jumps there.
	IF JMP occurs, it doesn't save the current address on the stack
	2. POP RETURN - If none of the registers point directly to the shellcode, but you can see an address on the stack that points to the shellcode, then you can load that value into EIP by first putting a pointer to POP RETN / POP POP RETN / POP POP POP RETN into EIP
	3. PUSH RETURN - Same with a PUSH instruction
	4. JMP [REG+OFFSET] - Register which is pointing to the buffer containing the shellcode, but doesn't point at beginning of shellcode, now try to find an instruction in one of the OS or app DLL, which will add the required bytes to the register and then jumps to the register
	5. BLIND RETURN - RETN instruction will POP the last value (4 bytes) from the stack and will put the address in ESP. If EIP can be written withe address that will perform a RET instruction, the value stored at ESP will be loaded to EIP
	6. SEH - Every application has a default exception handler which is provided for by the OS. So even if the application itself does not use exception handling, you can try to overwrite the SEH handler with your own address and make it jump to your shellcode
	7. POPAD - POP all double will pop double words from the stack (ESP) into the GP registers, in one action. OPCODE is 0x61.
	8. JMP to hardcode address - Offsets of a register, you simply need to find the opcode that will do the jump, and then use that opcode in the smaller "first"/stage1 buffer, in order to jump to real shellcode.
	9. Backward Jumps - Perform backward jumps with negative offset(negative number and convert to hex)