prodil89 Posted August 13, 2010 (edited)

Contents

I Introduction and Theoretical Background
1 Theoretical Background
1.1 Processes and memory layout in x86
1.2 Registers, Pointers and Assembler
1.3 Stack layout in x86
1.4 Function call and termination
1.5 Buffer Overflow issue
1.6 Shellcodes

II Hands on Linux
2 Setup Testbed environment
3 Linux buffer overflow 101
3.1 How to change the flow of execution
3.2 How to spawn a Shell
3.3 Polite exit from a process: exit system call
3.4 Write an exploit
4 Protections against buffer overflow
4.1 Programmers protections
4.2 System default protections
4.2.1 Address Space Layout Randomization (ASLR)
4.2.2 Stack Execute Invalidation (NX bit)
4.3 Compiler and linker protections
4.3.1 StackShield (Optional)
4.3.2 StackGuard (Optional)
4.3.3 Stack Smashing Protector - ProPolice (Default installed)
4.3.4 Run time checks
4.4 Protections in a practical scenario
4.5 Combined Tricks in a future scenario

III Hands on Windows
5 Setup Testbed environment
6 Windows buffer overflow 101
6.1 How to change the flow of execution
6.2 How to spawn a shell
6.3 ExitProcess system call
6.4 Write an exploit
7 Protections against buffer overflow
7.1 Buffer Security Check - /GS
7.2 /SafeSEH
7.2.1 /GS & /SafeSEH possible tricks
7.3 Address Space Layout Randomization (ASLR)
7.3.1 Address Space Layout Randomization (ASLR) possible tricks
7.4 Data Execution Prevention (DEP)
7.4.1 Data Execution Prevention (DEP) possible tricks
7.5 Runtime Checks
7.6 Results
7.7 Today, tomorrow, the future
7.8 Conclusions

http://mariano-graziano.llab.it/docs/report.pdf

Edited August 13, 2010 by prodil89
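As an added example (not part of either post, and not code from Graziano's report), the C below models in user space what the report's sections 1.3, 3.1, 4.1 and 4.3.3 cover: a 32-bit stack frame with a local buffer below the saved EBP and saved EIP, an unchecked copy that walks past the buffer and rewrites the return address, the programmer-side bounded copy that stops it, and a ProPolice-style canary that detects the overwrite before the function returns. The frame is simulated as a struct rather than the real stack, so nothing here executes attacker-controlled code; the buffer size, canary position, the 0xbffff5c8 / 0x080484d2 / 0xbffff5d0 addresses and the canary value are all constructed for the illustration, not values taken from the report.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE   16   /* assumed: char buf[16] in the victim function */
#define RET_OFFSET 24   /* buf + canary + saved EBP; see struct frame  */

/* One 32-bit x86 frame, lowest address first (report section 1.3): the local
 * buffer sits below the saved registers, so an overrun of buf walks upward
 * into the canary, the saved EBP and finally the saved EIP. */
struct frame {
    uint8_t  buf[BUF_SIZE];
    uint32_t canary;      /* ProPolice guard word (assumed position) */
    uint32_t saved_ebp;
    uint32_t saved_eip;   /* return address: what the overflow targets */
};
_Static_assert(sizeof(struct frame) == RET_OFFSET + 4, "unexpected padding in frame");

/* x86 is little-endian; go through bytes so the model is host-independent. */
static uint32_t load_le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void store_le32(uint8_t *p, uint32_t v) {
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}

/* What the prologue leaves behind: zeroed buffer, fresh canary, and assumed
 * caller values for EBP and EIP (constructed addresses, not from the report). */
void frame_init(struct frame *f, uint32_t canary) {
    memset(f->buf, 0, BUF_SIZE);
    store_le32((uint8_t *)&f->canary, canary);
    store_le32((uint8_t *)&f->saved_ebp, 0xbffff5c8u);
    store_le32((uint8_t *)&f->saved_eip, 0x080484d2u);
}

uint32_t frame_ret(const struct frame *f) { return load_le32((const uint8_t *)&f->saved_eip); }
int canary_intact(const struct frame *f, uint32_t expected) {
    return load_le32((const uint8_t *)&f->canary) == expected;
}

/* Model of strcpy(buf, src): copies n bytes with no regard for BUF_SIZE.
 * A real strcpy keeps going until a NUL; the model stops at the end of the
 * frame so the simulation itself stays well-defined. */
size_t vulnerable_copy(struct frame *f, const uint8_t *src, size_t n) {
    if (n > sizeof *f) n = sizeof *f;
    memcpy((uint8_t *)f, src, n);   /* buf is at offset 0 of the frame */
    return n;
}

/* The programmer-side fix (section 4.1): bound the copy to the buffer and
 * always NUL-terminate. Returns 1 if the input was truncated, else 0. */
int safe_copy(struct frame *f, const uint8_t *src, size_t n) {
    int truncated = n > BUF_SIZE - 1;
    size_t take = truncated ? BUF_SIZE - 1 : n;
    memcpy(f->buf, src, take);
    f->buf[take] = '\0';
    return truncated;
}

/* Classic payload shape (section 3.1): filler up to the saved registers, junk
 * over the canary and EBP, then the new return address in little-endian. */
size_t build_payload(uint8_t *out, uint32_t new_eip) {
    memset(out, 0x90, BUF_SIZE);                  /* NOP filler / sled */
    store_le32(out + BUF_SIZE, 0x41414141u);      /* lands on the canary */
    store_le32(out + BUF_SIZE + 4, 0x42424242u);  /* lands on saved EBP */
    store_le32(out + RET_OFFSET, new_eip);
    return RET_OFFSET + 4;
}

static const uint32_t DEMO_CANARY = 0x2f1e4c00u;  /* constructed; real guards are random */

static void run(int bounded, uint32_t new_eip, struct frame *f) {
    uint8_t payload[sizeof *f];
    size_t n = build_payload(payload, new_eip);
    frame_init(f, DEMO_CANARY);
    if (bounded) safe_copy(f, payload, n); else vulnerable_copy(f, payload, n);
}

/* Return address left in the frame after the copy. */
uint32_t ret_after_copy(int bounded, uint32_t new_eip) {
    struct frame f; run(bounded, new_eip, &f); return frame_ret(&f);
}
/* 1 if a ProPolice-style epilogue check would abort before 'ret'. */
int canary_tripped(int bounded, uint32_t new_eip) {
    struct frame f; run(bounded, new_eip, &f); return !canary_intact(&f, DEMO_CANARY);
}

int main(void) {
    const uint32_t target = 0xbffff5d0u;  /* constructed address of the sled */
    printf("strcpy model:  ret=0x%08x, canary %s\n", ret_after_copy(0, target),
           canary_tripped(0, target) ? "smashed (ProPolice aborts)" : "intact");
    printf("bounded copy:  ret=0x%08x, canary %s\n", ret_after_copy(1, target),
           canary_tripped(1, target) ? "smashed" : "intact");
    return 0;
}
```

The two printed lines make the report's point in miniature: the unchecked copy leaves the attacker's address in the saved EIP slot and the guard word destroyed, which is exactly the condition the stack protector tests in the epilogue, while the bounded copy never reaches the saved registers at all. Reading the return address through `load_le32` keeps the check honest on a big-endian host, where a direct `f.saved_eip` read would differ from the bytes the payload wrote.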
Usr6 Posted January 6, 2012

...improved: the above plus

IV Real Scenario
8 Attacks and memory corruption
9 Memory corruption in practice
10 Examples of real attacks
10.1 Theory: Heap Spraying
10.2 CVE-2010-0249 – Internet Explorer 6, 2010 – Graziano
10.3 CVE-2010-2883 – Adobe Acrobat Reader, 2010 – Graziano

http://www.mgraziano.info/docs/stsi2010.pdf