- This topic has 12 replies, 9 voices, and was last updated 10 years, 8 months ago by
.
-
Posts
-
-
I think all of you will really like this one, a step-by-step tutorial for exploit dev. Be sure to stop by Mark Nicholls security blog, isolated-threat, that focuses on malware, shellcode and exploits. After visiting, if there’s any tutorials you’d like to see from Mark, feel free to ask.
Permanent link: [Article]-Tutorial: SEH Based Exploits and the Development Process
[align=center:auhz410v]
[/align:auhz410v]Tutorial by Mark Nicholls AKA n1p
The intent of this exploit tutorial is to educate the reader on the use and understanding of vulnerabilities and exploit development. This will hopefully enable readers to gain a better understanding of the use of exploitation tools and what goes on underneath to more accurately assess the risk of discovered vulnerabilities in a computer environment. It is important for security consultants and ethical hackers to understand how buffer overflows actually work, as having such knowledge will improve penetration testing capabilities. It will also give you the tools to more accurately assess the risk of vulnerabilities and develop effective countermeasures for exploits doing the rounds in the wild.
With this in, I am going to focus exclusively on the practical skills needed to exploit Structured Exception Handler buffer overflows. I won’t go into too much detail regarding the theory of how they work, or how buffer overflows can be discovered. There are many other resources available on this subject, and I encourage you to research this further
Warning! Please note that this tutorial is intended for educational purposes only, and skills gained here should NOT be used to attack any system for which you don’t have permission to access. It is illegal.
Let us know what you think,
Don -
-
-
-
-
-
-
-
-
-
@n1p wrote:
Thanks! That is no problem. I might try make it a monthly thing, so if you have any suggestions let me know.
Article was cool. Corelan (since you linked it) has some very thorough works as does OpenRCE. I’d personally like to see more ‘weaponization’ articles, e.g. ActiveX anyone. It’s surprising I didn’t see mention of WinDBG in your article. pusscat has a wicked module (byakugan) that allows you to perform all sorts of stuff: (quoting) Real Time Heap Visualization, Buffer Identification and Hunting, Return Address Hunting…
There are a lot of interesting and cool write-ups (yours included) lurking around, I wish I could find more WinDBG based content though. Olly is fine, Immunity – latest version is buggy – but nevertheless good. I find that WinDBG is a lot more powerful for windows debugging. I’ve just begun tinkering with Klockwork (Architect, etc.) and I’m definitely impressed and at times confused by a lot of it. I would have made mention in your article to those reading it, they may want to take a brief drive-by of Assembly programming and understand a little more about registers. E.g., you can manipulate other registers to eventually get control of EIP. You don’t necessarily have to specifically target it outright.
-
Sil,
You certainly make some good points! Windbg is awesome and is covered greatly over at corelan, however to some people it can be entirely overwhelming when they start out learning about RE. It has quite a steep learning curve when compared with olly/immunity. Not to mention the interface!
You are right about the lack of docs on using it, so may be a useful addition to tuts.
Cheers
-
-
- You must be logged in to reply to this topic.
