Software Exploitation in Windows Environment: Part 1

Source: OpenSecurityTraining.info
Part 1

  • ​Fuzzing and crash dump analysis
  • From crash dump to working exploit lab in WinDBG
Picture

Here  is  a  very  basic  program  to  help  us  explore  our  exploit  environment.  The
basic_vuln  program  reads  in  a  binary  file  and  displays  the  first  64  hexadecimal
bytes  from  that  file.  The  program  prints  various  meta  data  such  as  the  location  of
variables  and  functions  in  the  process  address  space.  This  meta  information  will
help  simplify  the  exploitation  process  as  we  are  learning.  
Picture

There  is  an  obvious  overflow  in  line  27  where  the  fread  call  reads  128  bytes  into  a  64  byte
Buffer.  This  leads  to  a  traditonal  stack  overflow,  among  other  possibilites. 
Picture

In  this  case  we  create  a  file  of  128  bytes  of  0xdeadbeef.  This  will  overflow  the  64  byte
buffer  in  the  hexdump_file  function,  smashing  the  stack,  and  generating  a  crash dump.
Picture

Picture

First*we*set*a*break*point*before*the*fread*call*in*hexdump_file*that*will*ul)mately*corrupt* the*stack,*so*we*can*check*out*the*stack*before*its*destroyed.*In*this*case*I*switch*to*source* mode,*open*up*the*disassembly*window,*put*my*cursor*on*the*push*ecx*before*the*call*to* fread,*then*tell*windbg*to*run*to*cursor.*Once*the*break*point*before*fread*is*hit,*I*can* inspect*the*saved*frame*pointer*and*saved*return*address*on*the*stack*with*ddebp*L2.* Everything*looks*sane*at*this*point*since*the*stack*hasn’t*been*smashed.*
Picture

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s