DSU-Projects/CSC-748-Software-Exploitation-Spring-2020

This course is designed to expose students to advanced exploitation techniques. Topics include the use of automated exploitation tools as well as the process of exploitation discovery and development. Vulnerability analysis, debugging, fuzzing, shellcode, and mitigation techniques will be explored. Both Windows and Linux platforms will be covered.

CSC-748 Software Exploitation: Spring 2020

This course is designed to expose students to advanced exploitation techniques. Topics include the use of automated exploitation tools as well as the process of exploitation discovery and development. Vulnerability analysis, debugging, fuzzing, shellcode, and mitigation techniques will be explored. Both Windows and Linux platforms will be covered.

---

Course Videos

Course Readings

Table of Contents

Class Videos

• Mar 31st Class Video 748-18 ROP chain via WinDbg & Mona
• Mar 27th Class Video 748-17
• Mar 05th & 06th Class Video 748-15 & 16 ROP Overflow
• Feb 27th Class Video 748-14
• Feb 20th Class Video: 745-12 SEH in class
• Feb 18th Class Video: 745-10
• Feb 13th Class Video 748-09 SEH
• Feb 4 Class Video: 745-07 AFL and Peach Homework Videos
• Jan 30 Class Video: 748-06
• Jan 28 Class Video: 748-05
• Jan 23 Class Video

Special Topics

• C References
• Assembly References
• Reverse Engineering
• Vocab
• Texts

---

Mar 31st

Class Video 748-18 ROP chain via WinDbg & Mona

Related References

• Corelan ROP tutorial/Primer
• Medium follow up on Corelan tutorial above
• ShogunLab ROP tutorial Vuplayer
• h0mbre Awesome ROP tutorial
• Bencode.net ROP tutorial Winamp
• FuzzySecurity ROP tutorial
• Homebre ROP guide
• ROP impact on RETN +4 in ROP chain

Key Takeaways

• ROP chains require for elements: IpAddress, dwSize, flNewProtect and IpflOldProtect (see ShogunLab tutorial above)
• These are the most important functions that can help you to bypass/disable DEP (from Corelan site above):
  • VirtualAlloc(MEM_COMMIT + PAGE_READWRITE_EXECUTE) + copy memory. This will allow you to create a new executable memory region, copy your shellcode to it, and execute it. This technique may require you to chain 2 API’s into each other.
  • HeapCreate(HEAP_CREATE_ENABLE_EXECUTE) + HeapAlloc() + copy memory. In essence, this function will provide a very similar technique as VirtualAlloc(), but may require 3 API’s to be chained together))
  • SetProcessDEPPolicy(). This allows you to change the DEP policy for the current process (so you can execute the shellcode from the stack) (Vista SP1, XP SP3, Server 2008, and only when DEP Policy is set to OptIn or OptOut)
  • NtSetInformationProcess(). This function will change the DEP policy for the current process so you can execute your shellcode from the stack.
  • VirtualProtect(PAGE_READ_WRITE_EXECUTE). This function will change the access protection level of a given memory page, allowing you to mark the location where your shellcode resides as executable.
  • WriteProcessMemory(). This will allow you to copy your shellcode to another (executable) location, so you can jump to it and execute the shellcode. The target location must be writable and executable.
• The way DEP manifests itself within the Windows operating system is based on a setting which can be configured to one of the following values (from Corelan site above):
  • OptIn : Only a limited set of Windows system modules/binaries are protected by DEP.
  • OptOut : All programs, processes, services on the Windows system are protected, except for processes in the exception list
  • AlwaysOn : All programs, processes, services, etc on the Windows system are protected. No exceptions
  • AlwaysOff : DEP is turned off.

Mar 27

Links to specific spots in Class Video 748-17

1. 010 Editor to find header info for exploit
2. Exploit introduction
3. Search within WinDbg
4. mona egg hunter WinDbg
5. WinDbg msfvenom (shellcode creator)
6. metasploit msfvenom
7. Kal Linux egg implementation xxd
8. Exploit example compiling
9. Egghunter added to script

Exploit References

1. Corelan egghunter site
2. QuckZip 4.6 exploit database
3. Short Jump reference site

Use After Free exploits

• Youtube video walkthrough Example
• Associated script discussion from above video

Key Takeaways

• Use after free attempts to use a memory location from the heap after it has been freed but not zeroed out.
• memset function (C lang) can be used to zero out memory after free

Reverse Engineering

• Immunity Overview
• Corelan Mona.py manual
• Series of RE tutorials from Shogun Lab
• Exploit database
• Corelan SEH tutorial
• Manage DEP for Windows
• Same Bowne RE Course
• Sam Bowne CCSF Coursework
• Basic Buffer Overflow Explained
• Intro to PE File Format
• Intro to Windows shellcoding
• Building shellcode from Assembly
• Binary Obfuscation
• Deobfuscate/Decode Files or Info, list of available techniques
• Anti VM techniques
• Win Kernel32 shellcode development
• AWESOME Win Kernel32 shellcode development

Assembly References

• x86 Assembly Guide
• x86 Assembly Guide II
• Assembly & Registers
• Inverting/Negate bits calculator

C References

• Primer on Compiling C
• inline assembly in C

Python Scripting References

• Python 3 unicode bytes and strings
• Python virtual environment

Vocab

Wikipedia Links

• DEP: Windows data execution prevention
• ASLR: Address space layout randomization
• Return-oriented programming

Texts

Additional Research

• Bypassing ASLR Windows 10
• AutoRecon Network Analysis Tool
• ASLR Attack two processes vs one DLL
• Immunity Debugger walkthrough password crack
• Code Caving tutorial
• ROP with address leak tutorial

Special Thanks

Github README Formating