/CSC-748-Software-Exploitation-Spring-2020

This course is designed to expose students to advanced exploitation techniques. Topics include the use of automated exploitation tools as well as the process of exploitation discovery and development. Vulnerability analysis, debugging, fuzzing, shellcode, and mitigation techniques will be explored. Both Windows and Linux platforms will be covered.

CSC-748 Software Exploitation: Spring 2020

This course is designed to expose students to advanced exploitation techniques. Topics include the use of automated exploitation tools as well as the process of exploitation discovery and development. Vulnerability analysis, debugging, fuzzing, shellcode, and mitigation techniques will be explored. Both Windows and Linux platforms will be covered.

Course Videos

Course Readings

Table of Contents

Class Videos

Special Topics

Mar 31st

Class Video 748-18 ROP chain via WinDbg & Mona

Related References

Key Takeaways

  • ROP chains require for elements: IpAddress, dwSize, flNewProtect and IpflOldProtect (see ShogunLab tutorial above)
  • These are the most important functions that can help you to bypass/disable DEP (from Corelan site above):
    • VirtualAlloc(MEM_COMMIT + PAGE_READWRITE_EXECUTE) + copy memory. This will allow you to create a new executable memory region, copy your shellcode to it, and execute it. This technique may require you to chain 2 API’s into each other.
    • HeapCreate(HEAP_CREATE_ENABLE_EXECUTE) + HeapAlloc() + copy memory. In essence, this function will provide a very similar technique as VirtualAlloc(), but may require 3 API’s to be chained together))
    • SetProcessDEPPolicy(). This allows you to change the DEP policy for the current process (so you can execute the shellcode from the stack) (Vista SP1, XP SP3, Server 2008, and only when DEP Policy is set to OptIn or OptOut)
    • NtSetInformationProcess(). This function will change the DEP policy for the current process so you can execute your shellcode from the stack.
    • VirtualProtect(PAGE_READ_WRITE_EXECUTE). This function will change the access protection level of a given memory page, allowing you to mark the location where your shellcode resides as executable.
    • WriteProcessMemory(). This will allow you to copy your shellcode to another (executable) location, so you can jump to it and execute the shellcode. The target location must be writable and executable.
  • The way DEP manifests itself within the Windows operating system is based on a setting which can be configured to one of the following values (from Corelan site above):
    • OptIn : Only a limited set of Windows system modules/binaries are protected by DEP.
    • OptOut : All programs, processes, services on the Windows system are protected, except for processes in the exception list
    • AlwaysOn : All programs, processes, services, etc on the Windows system are protected. No exceptions
    • AlwaysOff : DEP is turned off.

Mar 27

Links to specific spots in Class Video 748-17

  1. 010 Editor to find header info for exploit
  2. Exploit introduction
  3. Search within WinDbg
  4. mona egg hunter WinDbg
  5. WinDbg msfvenom (shellcode creator)
  6. metasploit msfvenom
  7. Kal Linux egg implementation xxd
  8. Exploit example compiling
  9. Egghunter added to script

Exploit References

  1. Corelan egghunter site
  2. QuckZip 4.6 exploit database
  3. Short Jump reference site

Use After Free exploits

Key Takeaways

  • Use after free attempts to use a memory location from the heap after it has been freed but not zeroed out.
  • memset function (C lang) can be used to zero out memory after free

Reverse Engineering

Assembly References

C References

Python Scripting References

Vocab

Wikipedia Links

Texts

Additional Research

Special Thanks

Github README Formating