[Article]-Tutorial: SEH Based Exploits and the Development Process

Viewing 12 reply threads
  • Author
    Posts
    • #5004
      Don Donzal
      Keymaster

      I think all of you will really like this one, a step-by-step tutorial for exploit dev. Be sure to stop by Mark Nicholls security blog, isolated-threat, that focuses on malware, shellcode and exploits. After visiting, if there’s any tutorials you’d like to see from Mark, feel free to ask.

      Permanent link: [Article]-Tutorial: SEH Based Exploits and the Development Process

      [align=center:auhz410v][/align:auhz410v]

      Tutorial by Mark Nicholls AKA n1p

      The intent of this exploit tutorial is to educate the reader on the use and understanding of vulnerabilities and exploit development. This will hopefully enable readers to gain a better understanding of the use of exploitation tools and what goes on underneath to more accurately assess the risk of discovered vulnerabilities in a computer environment. It is important for security consultants and ethical hackers to understand how buffer overflows actually work, as having such knowledge will improve penetration testing capabilities. It will also give you the tools to more accurately assess the risk of vulnerabilities and develop effective countermeasures for exploits doing the rounds in the wild.

      With this in, I am going to focus exclusively on the practical skills needed to exploit Structured Exception Handler buffer overflows. I won’t go into too much detail regarding the theory of how they work, or how buffer overflows can be discovered. There are many other resources available on this subject, and I encourage you to research this further

      Warning! Please note that this tutorial is intended for educational purposes only, and skills gained here should NOT be used to attack any system for which you don’t have permission to access. It is illegal.

      Let us know what you think,
      Don

    • #31697
      hayabusa
      Participant

      Will have to give it a good read-over.  Thanks, don!

    • #31698
      zeroflaw
      Participant

      Very nice, I will definitely try this soon. Thanks!

    • #31699
      n1p
      Participant

      Cheers for that. Any questions just shout!

    • #31700
      Ketchup
      Participant

      n1p, that’s a fantastic read!  I skimmed through it once already, and plan to go back and read it again a few times.  The links at the end are priceless on their own.  Thanks!

    • #31701
      n1p
      Participant

      Thanks! That is no problem. I might try make it a monthly thing, so if you have any suggestions let me know.

    • #31702
      Ketchup
      Participant

      You could write a tutorial on heap-based overflows.  I haven’t touched those at all, and would love to learn more. 

      You could also go into fuzzing a bit.  For example, what do you watch for when looking for off by one or format string vulnerabilities?

    • #31703
      Anquilas
      Participant

      N1p: I’m starting the think you’re going to be my guide to knowledge, with all your tutorials.
      Thanks a lot for this m8!

    • #31704
      Xen
      Participant

      The article was very informative. I do not have any experience with exploit development but even then was able to understand it  🙂
      Looking forward to more stuff from you.

      @ketchup perhaps this will be a good starting point  😉

    • #31705
      Ketchup
      Participant

      Equix3n, lol, I knew that sounded familiar. 

    • #31706
      sil
      Participant

      @n1p wrote:

      Thanks! That is no problem. I might try make it a monthly thing, so if you have any suggestions let me know.

      Article was cool. Corelan (since you linked it) has some very thorough works as does OpenRCE. I’d personally like to see more ‘weaponization’ articles, e.g. ActiveX anyone. It’s surprising I didn’t see mention of WinDBG in your article. pusscat has a wicked module (byakugan) that allows you to perform all sorts of stuff: (quoting) Real Time Heap Visualization, Buffer Identification and Hunting, Return Address Hunting…

      There are a lot of interesting and cool write-ups (yours included) lurking around, I wish I could find more WinDBG based content though. Olly is fine, Immunity – latest version is buggy – but nevertheless good. I find that WinDBG is a lot more powerful for windows debugging. I’ve just begun tinkering with Klockwork (Architect, etc.) and I’m definitely impressed and at times confused by a lot of it. I would have made mention in your article to those reading it, they may want to take a brief drive-by of Assembly programming and understand a little more about registers. E.g., you can manipulate other registers to eventually get control of EIP. You don’t necessarily have to specifically target it outright.

    • #31707
      n1p
      Participant

      Sil,

      You certainly make some good points! Windbg is awesome and is covered greatly over at corelan, however to some people it can be entirely overwhelming when they start out learning about RE. It has quite a steep learning curve when compared with olly/immunity. Not to mention the interface!

      You are right about the lack of docs on using it, so may be a useful addition to tuts.

      Cheers

    • #31708
      UNIX
      Participant

      Thanks for your efforts n1p, really liked your article. 😉

Viewing 12 reply threads
  • You must be logged in to reply to this topic.

Copyright ©2021 Caendra, Inc.

Contact Us

Thoughts, suggestions, issues? Send us an email, and we'll get back to you.

Sending

Sign in with Caendra

Forgot password?Sign up

Forgot your details?