Skip to content

Instantly share code, notes, and snippets.

@namishelex01
Last active June 24, 2022 18:03
Show Gist options
  • Save namishelex01/3424cf7b958a14efddde211503432b01 to your computer and use it in GitHub Desktop.
Save namishelex01/3424cf7b958a14efddde211503432b01 to your computer and use it in GitHub Desktop.
[Learning Exploit Development from fuzzysecurity.com]
Tools Needed:-
> Immunity debugger
> Mona.py
> Pvefindaddr.py
> Metasploit
> Virtual Box
Overflows to play with:-
1. Buffer overflow - A memory location receives more data than it was meant to
2. Stack Overflow - usually a BO that writes beyong the end of stack
When the vulnerability is detected, there a re two things to look for
1. Our buffer needs to overwrite EIP(Current Instruction Pointer)
2. One of the CPU registers needs to contain our buffer. Any of the CPU registers can store our buffer
EAX - ACCUMULATOR REGISTER for arithematic operations
EBX - BASE REGISTER
Pointer to data in the DS segment
Used to store the base address of the program
ECX - COUNTER REGISTER
Used for iterations
EDX - GENERAL PURPOSE REGISTER
For I/O OPERATIONS
Allows complex calculations as extention to EAX
ESI - SOURCE INDEX REGISTER
Holds location to Input data
EDI - DESTINATION INDEX REGISTER
Points to location of where result of data operation is stored
EBP - BASE POINTER
ESP - STACK POINTER
EIP - INSTRUCTION POINTER
WINDOWS PROCESS MEMORY:-
1. CODE SEGMENT - Instructions to execute
2. DATA SEGMENT - Variables, Dynamic buffers
3. STACK SEGMENT - Arguments to function
_______________________________
| STACK |
| HEAP |
| PROGRAM IMAGE |
| PE header |
| .text |
| .rdata |
| .data |
| .rsrc |
| DLL |
| DLL |
| PEB |
| data block for |
| main thread |
| SHARED USER PAGE |
| NO ACCESS |
|_____________________________|
STACK POINTER:-
1. ESP points directly to top of stack i.e. HIGHEST MEMORY ADDRESS -> LOWER MEMORY ADDRESS
2. After a PUSH, ESP will point to a lower memory address
3. After a POP, ESP points to a higher address
WORKING:-
1. Get a program to store an overly long string
2. This string overwrites EIP and a part is stored in CPU register
3. Find a pointer that points to the register that contains our buffer
4. We put that pointer in our buffer so it overwrites EIP
5. When the program reaches our pointer it executes the instruction and jumps to the register that contains our buffer
6. We place our shellcode in the part of the buffer that is stored in the CPU register
METHODS OF EXECUTION OF SHELLCODE:-
1. JUMP or CALL - Use a register that contains the address where the shellcode resides and put that address in EIP
>> JMP vs CALL : When you use call, the current value of Instruction Pointer is saved on the stack.
When the corresponding RET executes, it takes the address from the stack and jumps there.
IF JMP occurs, it doesn't save the current address on the stack
2. POP RETURN - If none of the registers point directly to the shellcode, but you can see an address on the stack that points to the shellcode, then you can load that value into EIP by first putting a pointer to POP RETN / POP POP RETN / POP POP POP RETN into EIP
3. PUSH RETURN - Same with a PUSH instruction
4. JMP [REG+OFFSET] - Register which is pointing to the buffer containing the shellcode, but doesn't point at beginning of shellcode, now try to find an instruction in one of the OS or app DLL, which will add the required bytes to the register and then jumps to the register
5. BLIND RETURN - RETN instruction will POP the last value (4 bytes) from the stack and will put the address in ESP. If EIP can be written withe address that will perform a RET instruction, the value stored at ESP will be loaded to EIP
6. SEH - Every application has a default exception handler which is provided for by the OS. So even if the application itself does not use exception handling, you can try to overwrite the SEH handler with your own address and make it jump to your shellcode
7. POPAD - POP all double will pop double words from the stack (ESP) into the GP registers, in one action. OPCODE is 0x61.
8. JMP to hardcode address - Offsets of a register, you simply need to find the opcode that will do the jump, and then use that opcode in the smaller "first"/stage1 buffer, in order to jump to real shellcode.
9. Backward Jumps - Perform backward jumps with negative offset(negative number and convert to hex)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment