junsoo STUDY

Easy RM to MP3 Converter(BOF 실습 - mona)

이전 글에서는 windbg만 사용했는데 mona와 칼리 설치 기념으로 빠르게 다시 하겠습니다! 1. 실습 환경 OS : Windows 10 64bit Language : python 2.7.13 Tool : windbg(x86) 2. Crash 확인 metasploit-framework를 통해 패턴을 3만개 만든다. 잘 못 찾는 거 같다.. 이전 글 처럼 gdb pattern을 사용하면 offset은 26074인걸 알 수 있다. (칼리 pattern 5천개 정도는 잘 찾는다.. 3만개가 많아서 그런가..) 위 명령어를 통해 mona를 실행한다. ㅎㅎ modules 명령어를 통해 모듈의 보호 기법을 쉽게 확인할 수 있다... 감동... 역시 MSRMfilter03.dll은 Reabse와 ASLR이 fals..

Easy RM to MP3 Converter(BOF 실습)

Exploit writing tutorial part 1에서 못 했던 실습을 하겠습니다! 1. 실습 환경 OS : Windows 10 32bit Language : python 2.7.13 Target Easy RM to MP3 Converter 2. Crash 확인 payload 폴더에서 python file을 만들어 준다. A 3만개를 넣어 크래시를 내자! windbg에서 프로그램 attach 하고 exploit.py를 load하면 위 그림처럼 eip 값이 A로 덮인 걸 확인할 수 있다. 추가로 esp 위치를 확인하면 마찬가지로 A로 덮여있다. 따라서, stack에 shellcode를 넣고 eip를 컨트롤해서 shellcode에 위치 시키면 된다! 일단, eip를 컨트롤 하기 위해 offset를 구해..

Exploit writing tutorial part 10

https://www.corelan.be/index.php/2010/06/16/exploit-writing-tutorial-part-10-chaining-dep-with-rop-the-rubikstm-cube/ Exploit writing tutorial part 10 : Chaining DEP with ROP – the Rubik’s[TM] Cube | Corelan Cybersecurity Research About 3 months after finishing my previous exploit writing related tutorial, I finally found some time and fresh energy to start writing a new article. In the previous..

Exploit writing tutorial part 9

https://www.corelan.be/index.php/2010/02/25/exploit-writing-tutorial-part-9-introduction-to-win32-shellcoding/ Exploit writing tutorial part 9 : Introduction to Win32 shellcoding | Corelan Cybersecurity Research Over the last couple of months, I have written a set of tutorials about building exploits that target the Windows stack. One of the primary goals of anyone writing an exploit is to modif..

Exploit writing tutorial part 8

https://www.corelan.be/index.php/2010/01/09/exploit-writing-tutorial-part-8-win32-egg-hunting/ Exploit writing tutorial part 8 : Win32 Egg Hunting | Corelan Cybersecurity Research Introduction Easter is still far away, so this is probably the right time to talk about ways to hunting for eggs (so you would be prepared when the easter bunny brings you another 0day vulnerability) In the first parts..

Exploit writing tutorial part 7

https://www.corelan.be/index.php/2009/11/06/exploit-writing-tutorial-part-7-unicode-from-0x00410041-to-calc/ Exploit writing tutorial part 7 : Unicode – from 0x00410041 to calc | Corelan Cybersecurity Research Finally … after spending a couple of weeks working on unicode and unicode exploits, I’m glad and happy to be able to release this next article in my basic exploit writing series : writing ..

Exploit writing tutorial part 6

https://www.corelan.be/index.php/2009/09/21/exploit-writing-tutorial-part-6-bypassing-stack-cookies-safeseh-hw-dep-and-aslr/ Exploit writing tutorial part 6 : Bypassing Stack Cookies, SafeSeh, SEHOP, HW DEP and ASLR | Corelan Cybersecurity Research Introduction In all previous tutorials in this Exploit writing tutorial series, we have looked at building exploits that would work on Windows XP / 2..

Exploit writing tutorial part 3

https://www.corelan.be/index.php/2009/07/25/writing-buffer-overflow-exploits-a-quick-and-basic-tutorial-part-3-seh/ Exploit writing tutorial part 3 : SEH Based Exploits | Corelan Cybersecurity Research In the first 2 parts of the exploit writing tutorial series, I have discussed how a classic stack buffer overflow works and how you can build a reliable exploit by using various techniques to jump..