SlideShare a Scribd company logo

Exploit generation automation with WinDBG (Hacktivity 2017)

C
Csaba Fitzl

This document discusses an automated tool written in Python that uses the pykd library to interact with WinDBG to automate the entire exploit writing process from a crash proof of concept to a working exploit for classic buffer overflows without any manual interaction. The tool finds the EIP overwrite location, registers pointing to buffers, bad characters, and a way to jump to shellcode to generate a successful exploit from a simple crash by automating the entire process.

Technology
1 of 12
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
Exploit generation automation with WinDBG Csaba Fitzl
whoami blue teamer security researcher, blogger husband, father hiker
Exploit writing challenges Time consuming Heavily manual intensive process Discovering memory layout Finding bad characters While (exploit doesn’t work == True): Start process, attach debugger, crash, Modify exploit
Exploit writing methodology - BoF Find EIP overwrite location Examine memory layout, registries Somehow jump to shellcode Generate shellcode Put all together
The task A tool which can automate the entire exploit writing process From crash PoC to working Exploit If possible n0 manual interaction
The tool Written in Python Uses the “pykd” library to interact with WinDBG
What can it do? Currently works for classic BoFs Can bypass ASLR Works for network and file based exploits Will create a successful exploit from a simple crash Automates the entire process (even finding bad characters!) No need to manually start the process / WinDBG
The logic Find EIP overwrite location / offset Find registers pointing to the buffers Find bad characters Find a way to jump to the shellcode (JMP, CALL, etc…) Generate shellcode Put it all together
demo time
How to use it? Some pre-work needs to be done Exploit is a Class Has to be populated with initial info (crash)
What has to be changed? def exploit(self): """ This function runs the actual exploit """ sleep(1) sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.connect(('127.0.0.1',80)) message = "GET " + ''.join(self.buffer) + " HTTP/ 1.1rnrn" sock.send(message) sock.close()
? twitter: @theevilbit tool: https://github.com/theevilbit/exploit_generator

More Related Content

PDF
Browser controller testing for webapps (in Windows environment)
Adrian Spinei
 
PDF
Look beyond PHP
Fabien Potencier
 
PPTX
De was doen. gr 1 2.pptx
Marjolein de Groot
 
PPTX
Windows custom shellcoding
Mihir Shah
 
PDF
Dive into exploit development
Payampardaz
 
PDF
From SEH Overwrite with Egg Hunter to Get a Shell!
Rodolpho Concurde
 
PDF
From SEH Overwrite with Egg Hunter to Get a Shell_by_RodolphoConcurde
Rodolpho Concurde
 
PDF
Fuzzing: Finding Your Own Bugs and 0days! at Arab Security Conference
Rodolpho Concurde
 
Browser controller testing for webapps (in Windows environment)
Adrian Spinei
 
Look beyond PHP
Fabien Potencier
 
De was doen. gr 1 2.pptx
Marjolein de Groot
 
Windows custom shellcoding
Mihir Shah
 
Dive into exploit development
Payampardaz
 
From SEH Overwrite with Egg Hunter to Get a Shell!
Rodolpho Concurde
 
From SEH Overwrite with Egg Hunter to Get a Shell_by_RodolphoConcurde
Rodolpho Concurde
 
Fuzzing: Finding Your Own Bugs and 0days! at Arab Security Conference
Rodolpho Concurde
 

Similar to Exploit generation automation with WinDBG (Hacktivity 2017) (20)

PDF
2011-03 Developing Windows Exploits
Raleigh ISSA
 
PDF
Writing simple buffer_overflow_exploits
D4rk357 a
 
PDF
Fuzzing: Finding Your Own Bugs and 0days! 1.0
Rodolpho Concurde
 
PDF
stackconf 2021 | Fuzzing: Finding Your Own Bugs and 0days!
NETWAYS
 
PPTX
Anatomy of a Buffer Overflow Attack
Rob Gillen
 
PPTX
Baab (Bug as a Backdoor) through automatic exploit generation (CRAX)
Shih-Kun Huang
 
PPTX
Tranning-2
Ali Hussain
 
PDF
Penetration Testing for Easy RM to MP3 Converter Application and Post Exploit
JongWon Kim
 
PDF
smash the stack , Menna Essa
CATReloaded
 
PDF
Toorcon Seattle 2011 - Browser Exploit Packs
Aditya K Sood
 
PPTX
ETCSS: Into the Mind of a Hacker
Rob Gillen
 
PDF
Unix executable buffer overflow
Ammarit Thongthua ,CISSP CISM GXPN CSSLP CCNP
 
PDF
A CTF Hackers Toolbox
Stefan
 
ODP
Exploiting buffer overflows
Paul Dutot IEng MIET MBCS CITP OSCP CSTM
 
PPTX
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
midnite_runr
 
PPTX
Fuzzing | Null OWASP Mumbai | 2016 June
nullowaspmumbai
 
PDF
AEG_ Automatic Exploit Generation
Redhung @ Nationtal Chung Cheng University, Chiayi, Taiwan.
 
PDF
Efficient Bytecode Analysis: Linespeed Shellcode Detection
Georg Wicherski
 
PPTX
Fun with exploits old and new
Larry Cashdollar
 
PDF
What is Remote Buffer Overflow Attack.pdf
uzair
 
2011-03 Developing Windows Exploits
Raleigh ISSA
 
Writing simple buffer_overflow_exploits
D4rk357 a
 
Fuzzing: Finding Your Own Bugs and 0days! 1.0
Rodolpho Concurde
 
stackconf 2021 | Fuzzing: Finding Your Own Bugs and 0days!
NETWAYS
 
Anatomy of a Buffer Overflow Attack
Rob Gillen
 
Baab (Bug as a Backdoor) through automatic exploit generation (CRAX)
Shih-Kun Huang
 
Tranning-2
Ali Hussain
 
Penetration Testing for Easy RM to MP3 Converter Application and Post Exploit
JongWon Kim
 
smash the stack , Menna Essa
CATReloaded
 
Toorcon Seattle 2011 - Browser Exploit Packs
Aditya K Sood
 
ETCSS: Into the Mind of a Hacker
Rob Gillen
 
Unix executable buffer overflow
Ammarit Thongthua ,CISSP CISM GXPN CSSLP CCNP
 
A CTF Hackers Toolbox
Stefan
 
Exploiting buffer overflows
Paul Dutot IEng MIET MBCS CITP OSCP CSTM
 
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
midnite_runr
 
Fuzzing | Null OWASP Mumbai | 2016 June
nullowaspmumbai
 
AEG_ Automatic Exploit Generation
Redhung @ Nationtal Chung Cheng University, Chiayi, Taiwan.
 
Efficient Bytecode Analysis: Linespeed Shellcode Detection
Georg Wicherski
 
Fun with exploits old and new
Larry Cashdollar
 
What is Remote Buffer Overflow Attack.pdf
uzair
 

More from Csaba Fitzl (14)

PDF
The Final Chapter - Unlimited Ways to Bypass Your macOS Privacy Mechanisms
Csaba Fitzl
 
PDF
Launch and Environment Constraints Overview
Csaba Fitzl
 
PDF
macOS Vulnerabilities Hiding in Plain Sight
Csaba Fitzl
 
PDF
SecurityFest-22-Fitzl-beyond.pdf
Csaba Fitzl
 
PDF
Mitigating Exploits Using Apple's Endpoint Security
Csaba Fitzl
 
PDF
Csaba fitzl - Mount(ain) of Bugs
Csaba Fitzl
 
PDF
20+ ways to bypass your mac os privacy mechanisms
Csaba Fitzl
 
PDF
Exploiting Directory Permissions on macOS
Csaba Fitzl
 
PDF
Exploiting XPC in AntiVirus
Csaba Fitzl
 
PDF
GateKeeper - bypass or not bypass?
Csaba Fitzl
 
PDF
Getting root with benign app store apps vsecurityfest
Csaba Fitzl
 
PDF
Getting root with benign app store apps
Csaba Fitzl
 
PDF
Exploit generation and javascript analysis automation with WinDBG lu
Csaba Fitzl
 
PDF
How to convince a malware to avoid us
Csaba Fitzl
 
The Final Chapter - Unlimited Ways to Bypass Your macOS Privacy Mechanisms
Csaba Fitzl
 
Launch and Environment Constraints Overview
Csaba Fitzl
 
macOS Vulnerabilities Hiding in Plain Sight
Csaba Fitzl
 
SecurityFest-22-Fitzl-beyond.pdf
Csaba Fitzl
 
Mitigating Exploits Using Apple's Endpoint Security
Csaba Fitzl
 
Csaba fitzl - Mount(ain) of Bugs
Csaba Fitzl
 
20+ ways to bypass your mac os privacy mechanisms
Csaba Fitzl
 
Exploiting Directory Permissions on macOS
Csaba Fitzl
 
Exploiting XPC in AntiVirus
Csaba Fitzl
 
GateKeeper - bypass or not bypass?
Csaba Fitzl
 
Getting root with benign app store apps vsecurityfest
Csaba Fitzl
 
Getting root with benign app store apps
Csaba Fitzl
 
Exploit generation and javascript analysis automation with WinDBG lu
Csaba Fitzl
 
How to convince a malware to avoid us
Csaba Fitzl
 

Recently uploaded (20)

PPTX
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
DOCX
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
PDF
KodekX | Application Modernization Development
KodekX
 
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
PDF
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
PPTX
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
PDF
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
PPTX
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
PPTX
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
PPTX
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
PDF
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
KodekX | Application Modernization Development
KodekX
 
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 

Exploit generation automation with WinDBG (Hacktivity 2017)

  • 2. whoami blue teamer security researcher, blogger husband, father hiker
  • 3. Exploit writing challenges Time consuming Heavily manual intensive process Discovering memory layout Finding bad characters While (exploit doesn’t work == True): Start process, attach debugger, crash, Modify exploit
  • 4. Exploit writing methodology - BoF Find EIP overwrite location Examine memory layout, registries Somehow jump to shellcode Generate shellcode Put all together
  • 5. The task A tool which can automate the entire exploit writing process From crash PoC to working Exploit If possible n0 manual interaction
  • 6. The tool Written in Python Uses the “pykd” library to interact with WinDBG
  • 7. What can it do? Currently works for classic BoFs Can bypass ASLR Works for network and file based exploits Will create a successful exploit from a simple crash Automates the entire process (even finding bad characters!) No need to manually start the process / WinDBG
  • 8. The logic Find EIP overwrite location / offset Find registers pointing to the buffers Find bad characters Find a way to jump to the shellcode (JMP, CALL, etc…) Generate shellcode Put it all together
  • 10. How to use it? Some pre-work needs to be done Exploit is a Class Has to be populated with initial info (crash)
  • 11. What has to be changed? def exploit(self): """ This function runs the actual exploit """ sleep(1) sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.connect(('127.0.0.1',80)) message = "GET " + ''.join(self.buffer) + " HTTP/ 1.1rnrn" sock.send(message) sock.close()