Gray Hat Hacking 19

The document outlines various topics related to shellcode implementation, encoding, and automation using Metasploit, as well as Windows exploits, including compiling, debugging, and writing exploits. It also covers Windows memory protections and methods for bypassing them, along with an introduction to content-type attacks and the exploitation of specific file formats. Key sections include reverse connecting shellcode, structured exception handling, and detecting content-type attacks.

Uploaded by digapo7593
Copyright: © All Rights Reserved

Contents

xv
Implementing Reverse Connecting Shellcode . . . . . . . . . . . . . . . . . . . . 284
Reverse Connecting C Program . . . . . . . . . . . . . . . . . . . . . . . . . . 284
Reverse Connecting Assembly Program . . . . . . . . . . . . . . . . . . . . 285
Encoding Shellcode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287
Simple XOR Encoding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287
Structure of Encoded Shellcode . . . . . . . . . . . . . . . . . . . . . . . . . . 288
JMP/CALL XOR Decoder Example . . . . . . . . . . . . . . . . . . . . . . . . 288
FNSTENV XOR Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289
Putting the Code Together . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291
Automating Shellcode Generation with Metasploit . . . . . . . . . . . . . . . 294
Generating Shellcode with Metasploit . . . . . . . . . . . . . . . . . . . . . 294
Encoding Shellcode with Metasploit . . . . . . . . . . . . . . . . . . . . . . 295

Chapter 15 Windows Exploits ...................................... 297


Compiling and Debugging Windows Programs . . . . . . . . . . . . . . . . . . 297
Compiling on Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297
Debugging on Windows with OllyDbg . . . . . . . . . . . . . . . . . . . . 299
Writing Windows Exploits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 304
Exploit Development Process Review . . . . . . . . . . . . . . . . . . . . . 305
ProSSHD Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305
Control eip . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 306
Determine the Offset(s) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 308
Determine the Attack Vector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309
Build the Exploit Sandwich . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 312
Debug the Exploit if Needed . . . . . . . . . . . . . . . . . . . . . . . . . . . . 314
Understanding Structured Exception Handling (SEH) . . . . . . . . . . . . . 316
Implementation of SEH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 316
Understanding Windows Memory Protections (XP SP3, Vista, 7, and Server 2008) . . . . . . . . . . . . . 318
Stack-Based Buffer Overrun Detection (/GS) . . . . . . . . . . . . . . . 318
Safe Structured Exception Handling (SafeSEH) . . . . . . . . . . . . . 320
SEH Overwrite Protection (SEHOP) . . . . . . . . . . . . . . . . . . . . . . 320
Heap Protections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 320
Data Execution Prevention (DEP) . . . . . . . . . . . . . . . . . . . . . . . . 321
Address Space Layout Randomization (ASLR) . . . . . . . . . . . . . . 321
Bypassing Windows Memory Protections . . . . . . . . . . . . . . . . . . . . . . . 322
Bypassing /GS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323
Bypassing SafeSEH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323
Bypassing ASLR . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 324
Bypassing DEP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325
Bypassing SEHOP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 331
Summary of Memory Bypass Methods . . . . . . . . . . . . . . . . . . . . 338

Chapter 16 Understanding and Detecting Content-Type Attacks ........... 341


How Do Content-Type Attacks Work? . . . . . . . . . . . . . . . . . . . . . . . . . . 341
Which File Formats Are Being Exploited Today? . . . . . . . . . . . . . . . . . . 343
Intro to the PDF File Format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 345
