#1
How To Make Exploit

Hello, today I am going to describe how to make application exploits.
There are 3 steps to making an exploit.


         1. Make an input that crashes the application.
         2. Analyse the application with the crashing input and determine whether an exploit is possible.
         3. If it is possible, control the input file and build the exploit.


Now I am going to describe one by one.

1. Make an input that crashes the application.
All exploits are crafted (fake) input to the application.
          So if you want to make the application crash you have to make crafted input.
          
          There are 2 methods.

           1) Debug the application that processes the input files using your reverse-engineering skills.
               But this is the most difficult method.

           2) Fuzzing.
               This method is practical and is the one exploit writers use.

               There are 2 kinds of fuzzing: dumb fuzzing and smart fuzzing.

               Dumb fuzzing changes the input file randomly, feeds it to the application, and checks whether the application crashes or not.
               It is helpful and easy to write a fuzzing program this way even if you know nothing about the file's structure, but it is not efficient.

               Smart fuzzing is the more efficient but more difficult fuzzing method.
               For this you have to analyze the structure of the input file.
               For example, if you are fuzzing Microsoft Word you have to know the OLE structure of .doc files and the OpenXML structure of .docx files.
               Then you have to find all possible input options, combine them randomly, build an input file, and feed it to the application.
               You can use WinDbg's cdb.exe or a Python debugging library to watch whether a bug occurs and record it.
               If you find a crashing input you can go to step 2.
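The dumb fuzzing loop described above, as an added example that is not part of the original post: it mutates a seed file, runs the target on each case, and keeps the inputs that crash or hang it. The target here is a constructed stand-in (a Python one-liner that crashes on any 0xFF byte) in place of a real application; the names `mutate`, `run_once`, `fuzz`, `DEMO_TARGET` and `demo` are chosen for this example.

```python
import hashlib, os, random, subprocess, sys, tempfile

def mutate(data: bytes, seed: int, rounds: int = 8) -> bytes:
    """Apply a few random byte-level edits: flip one bit, overwrite a byte, or duplicate a chunk."""
    rng, buf = random.Random(seed), bytearray(data)
    for _ in range(rounds if buf else 0):
        i, op = rng.randrange(len(buf)), rng.choice(("flip", "set", "dup"))
        if op == "flip":
            buf[i] ^= 1 << rng.randrange(8)
        elif op == "set":
            buf[i] = rng.choice((0x00, 0x7F, 0x80, 0xFF, rng.randrange(256)))
        else:
            n = rng.randrange(1, min(16, len(buf)) + 1)
            buf[i:i] = buf[i:i + n]
    return bytes(buf)

def run_once(cmd, path, timeout=5.0):
    """Run the target on one file: 'crash' if killed by a signal (POSIX) or an NTSTATUS-style exit (Windows)."""
    try:
        proc = subprocess.run(cmd + [path], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL, timeout=timeout)
    except subprocess.TimeoutExpired:
        return "hang"
    return "crash" if proc.returncode < 0 or proc.returncode >= 0xC0000000 else "ok"

def fuzz(cmd, seed_data, iterations=50, outdir=None):
    """Mutate the seed, run the target on each case, save every distinct crashing/hanging input; return the paths."""
    outdir = outdir or tempfile.mkdtemp(prefix="crashes-")
    fd, case_path = tempfile.mkstemp(suffix=".bin")
    os.close(fd)
    saved = []
    for i in range(iterations):
        case = mutate(seed_data, i)
        with open(case_path, "wb") as f:
            f.write(case)
        if run_once(cmd, case_path) != "ok":
            dest = os.path.join(outdir, f"crash-{hashlib.sha256(case).hexdigest()[:16]}.bin")
            if not os.path.exists(dest):  # keep one copy per distinct crashing input
                with open(dest, "wb") as f:
                    f.write(case)
                saved.append(dest)
    os.unlink(case_path)
    return saved

# Constructed stand-in target (not a real parser): dereferences NULL, a real crash, if the file contains a 0xFF byte.
DEMO_TARGET = [sys.executable, "-c",
               "import ctypes,sys; d=open(sys.argv[1],'rb').read(); b'\\xff' in d and ctypes.string_at(0)"]
def demo():
    """Fuzz the stand-in target from a constructed 16-byte seed; returns the saved crash file paths."""
    return fuzz(DEMO_TARGET, b"DEMO FILE" + bytes(7))
```

Point `fuzz` at a real file parser by passing its command line and a seed file's bytes; each saved file is then a candidate for the debugger analysis in step 2.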

 2. Analyse the application with the crashing input and determine whether an exploit is possible.
     
               This step is also very important.
               You have to analyze, with the crashing input, why the bug occurred.
               If you can control RIP (the instruction pointer) it will be possible to make an exploit.

 3. If it is possible, control the input file and build the exploit.

               This step is the most important and most complicated step.
               First you have to write shellcode in assembly, build it, and get the machine code.
               Then, to redirect RIP to your shellcode, you have to find a heap spray method, for example via images or charts and so on.
               
               So what is a heap spray?
               
                It is a method that fills memory with values in order to control EIP and hijack the code flow.
                You have to spray about 4~500 MB with this series of values.
                When it finishes you can easily control EIP and hijack the code flow.
                
                Then you have to bypass DEP to execute the shellcode.
                DEP is a Microsoft Windows security policy that prevents code in heap memory from executing.
                So you have to call VirtualAlloc or VirtualProtect on the shellcode.
                For that you have to find the function's offset in kernel32.dll or kernelbase.dll.
                
                But this is difficult because ASLR randomizes the DLL's image base address.
                So you have to find an information disclosure vulnerability to obtain one DLL's base address; using this you can get the offset of VirtualProtect.
            
                Then you have to build the ROP chain and the heap spray array.

                    And finally you have made an exploit.

Pepelove