|
don
|
 |
« on: May 04, 2010, 10:20:37 AM » |
|
I think all of you will really like this one, a step-by-step tutorial for exploit dev. Be sure to stop by Mark Nicholls security blog, isolated-threat, that focuses on malware, shellcode and exploits. After visiting, if there's any tutorials you'd like to see from Mark, feel free to ask. Permanent link: [Article]-Tutorial: SEH Based Exploits and the Development ProcessTutorial by Mark Nicholls AKA n1p The intent of this exploit tutorial is to educate the reader on the use and understanding of vulnerabilities and exploit development. This will hopefully enable readers to gain a better understanding of the use of exploitation tools and what goes on underneath to more accurately assess the risk of discovered vulnerabilities in a computer environment. It is important for security consultants and ethical hackers to understand how buffer overflows actually work, as having such knowledge will improve penetration testing capabilities. It will also give you the tools to more accurately assess the risk of vulnerabilities and develop effective countermeasures for exploits doing the rounds in the wild. With this in, I am going to focus exclusively on the practical skills needed to exploit Structured Exception Handler buffer overflows. I won't go into too much detail regarding the theory of how they work, or how buffer overflows can be discovered. There are many other resources available on this subject, and I encourage you to research this further Warning! Please note that this tutorial is intended for educational purposes only, and skills gained here should NOT be used to attack any system for which you don't have permission to access. It is illegal. Let us know what you think, Don |
|
|
|
|
Logged
|
CISSP, MCSE, CSTA, Security+ SME
|
|
|
|
hayabusa
|
 |
« Reply #1 on: May 04, 2010, 11:00:07 AM » |
|
Will have to give it a good read-over. Thanks, don!
|
|
|
|
|
Logged
|
~ hayabusa ~
"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'
OSCE, OSCP , GPEN, C|EH |
|
|
|
zeroflaw
|
|
« Reply #2 on: May 04, 2010, 11:12:11 AM » |
|
Very nice, I will definitely try this soon. Thanks!
|
|
|
|
|
Logged
|
ZF
|
|
|
|
n1p
|
|
« Reply #3 on: May 04, 2010, 01:38:23 PM » |
|
Cheers for that. Any questions just shout!
|
|
|
|
|
Logged
|
|
|
|
|
Ketchup
|
|
« Reply #4 on: May 04, 2010, 03:04:11 PM » |
|
n1p, that's a fantastic read! I skimmed through it once already, and plan to go back and read it again a few times. The links at the end are priceless on their own. Thanks!
|
|
|
|
|
Logged
|
~~~~~~~~~~~~~~
Ketchup
|
|
|
|
n1p
|
|
« Reply #5 on: May 04, 2010, 03:21:18 PM » |
|
Thanks! That is no problem. I might try make it a monthly thing, so if you have any suggestions let me know.
|
|
|
|
|
Logged
|
|
|
|
|
Ketchup
|
|
« Reply #6 on: May 04, 2010, 03:30:15 PM » |
|
You could write a tutorial on heap-based overflows. I haven't touched those at all, and would love to learn more.
You could also go into fuzzing a bit. For example, what do you watch for when looking for off by one or format string vulnerabilities?
|
|
|
|
|
Logged
|
~~~~~~~~~~~~~~
Ketchup
|
|
|
|
Synquell
|
|
« Reply #7 on: May 05, 2010, 02:55:28 AM » |
|
N1p: I'm starting the think you're going to be my guide to knowledge, with all your tutorials.
Thanks a lot for this m8!
|
|
|
|
|
Logged
|
|
|
|
|
Equix3n-
|
|
« Reply #8 on: May 05, 2010, 05:55:08 AM » |
|
The article was very informative. I do not have any experience with exploit development but even then was able to understand it  Looking forward to more stuff from you. @ketchup perhaps this will be a good starting point  |
|
|
|
« Last Edit: May 05, 2010, 06:00:03 AM by Equix3n- »
|
Logged
|
|
|
|
|
Ketchup
|
|
« Reply #9 on: May 05, 2010, 06:58:15 AM » |
|
Equix3n, lol, I knew that sounded familiar.
|
|
|
|
|
Logged
|
~~~~~~~~~~~~~~
Ketchup
|
|
|
|
sil
|
|
« Reply #10 on: May 07, 2010, 10:25:53 AM » |
|
Thanks! That is no problem. I might try make it a monthly thing, so if you have any suggestions let me know.
Article was cool. Corelan (since you linked it) has some very thorough works as does OpenRCE. I'd personally like to see more 'weaponization' articles, e.g. ActiveX anyone. It's surprising I didn't see mention of WinDBG in your article. pusscat has a wicked module (byakugan) that allows you to perform all sorts of stuff: (quoting) Real Time Heap Visualization, Buffer Identification and Hunting, Return Address Hunting... There are a lot of interesting and cool write-ups (yours included) lurking around, I wish I could find more WinDBG based content though. Olly is fine, Immunity - latest version is buggy - but nevertheless good. I find that WinDBG is a lot more powerful for windows debugging. I've just begun tinkering with Klockwork (Architect, etc.) and I'm definitely impressed and at times confused by a lot of it. I would have made mention in your article to those reading it, they may want to take a brief drive-by of Assembly programming and understand a little more about registers. E.g., you can manipulate other registers to eventually get control of EIP. You don't necessarily have to specifically target it outright. |
|
|
|
|
Logged
|
|
|
|
|
n1p
|
|
« Reply #11 on: May 08, 2010, 05:46:46 AM » |
|
Sil,
You certainly make some good points! Windbg is awesome and is covered greatly over at corelan, however to some people it can be entirely overwhelming when they start out learning about RE. It has quite a steep learning curve when compared with olly/immunity. Not to mention the interface!
You are right about the lack of docs on using it, so may be a useful addition to tuts.
Cheers
|
|
|
|
|
Logged
|
|
|
|
|
UNIX
|
|
« Reply #12 on: June 18, 2010, 02:21:12 AM » |
|
Thanks for your efforts n1p, really liked your article. |
|
|
|
|
Logged
|
|
|
|
|
