Tutorial By: corelanc0d3r
Preview:
Obviously, not every application crash can lead to an exploitation. In many cases, an application
crash will not lead to exploitation… But sometimes it does. With “exploitation”, I mean that you
want the application to do something it was not intended to do… such as running your own code.
The easiest way to make an application do something different is by controlling its application
flow (and redirect it to somewhere else). This can be done by controlling the Instruction Pointer
(or Program Counter), which is a CPU register that contains a pointer to where the next instruction
that needs to be executed is located.
Suppose an application calls a function with a parameter. Before going to the function, it saves the
current location in the instruction pointer (so it knows where to return when the function
completes). If you can modify the value in this pointer, and point it to a location in memory that
contains your own piece of code, then you can change the application flow and make it execute
something different (other than returning back to the original place). The code that you want to be
executed after controlling the flow is often referred to as “shellcode”. So if we make the
application run our shellcode, we can call it a working exploit. In most cases, this pointer is
referenced by the term EIP. The size of this register is 4 bytes. So if you can modify those 4 bytes, you
own the application (and the computer the application runs on).
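The frame layout described above, modelled as an added simulation (this is not code from the tutorial): a local buffer sits below the saved return address, so an unbounded copy into the buffer runs over the 4-byte saved EIP, while a stack canary placed between them (what a compiler's stack protector does) detects the overwrite before the function returns. The struct, constants and function names are assumptions of this example, and the frame is a struct rather than a real stack so the copy stays within defined memory.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Simulated x86 stack frame (assumed layout, modelled after the tutorial's
 * description): local buffer, then a canary as a stack protector would place
 * it, then the 4-byte saved return address (EIP). No padding: sizeof == 24. */
typedef struct {
    char     buf[16];
    uint32_t canary;
    uint32_t saved_eip;
} sim_frame_t;

#define CANARY_VALUE 0x0AFF1234u   /* constructed; real canaries are random per process */
#define ORIGINAL_RET 0x00401000u   /* constructed placeholder for the caller's address */

/* Set up a fresh frame with an intact canary and a known return address. */
void frame_init(sim_frame_t *f) {
    memset(f->buf, 0, sizeof f->buf);
    f->canary = CANARY_VALUE;
    f->saved_eip = ORIGINAL_RET;
}

/* Model of a copy with no bounds check against buf (the bug class the tutorial
 * discusses). It is clamped to the frame size so the simulation stays
 * well-defined, but it still runs past buf into the canary and the saved EIP
 * whenever len > sizeof buf. Returns the number of bytes written. */
size_t unbounded_copy(sim_frame_t *f, const unsigned char *src, size_t len) {
    size_t n = len < sizeof *f ? len : sizeof *f;
    memcpy((unsigned char *)f, src, n);
    return n;
}

/* The fix: refuse input that does not fit. Returns 0 on success, -1 on reject. */
int bounded_copy(sim_frame_t *f, const unsigned char *src, size_t len) {
    if (len > sizeof f->buf) return -1;
    memcpy(f->buf, src, len);
    return 0;
}

/* The epilogue check a stack protector performs before ret: 1 intact, 0 smashed. */
int canary_intact(const sim_frame_t *f) {
    return f->canary == CANARY_VALUE;
}

int main(void) {
    unsigned char input[24];
    memset(input, 'A', sizeof input);   /* constructed oversized input */
    sim_frame_t f;
    frame_init(&f);
    unbounded_copy(&f, input, sizeof input);
    printf("canary intact: %d, saved EIP 0x%08x\n", canary_intact(&f), f.saved_eip);
    return 0;
}
```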
Download Link: https://www.ihteam.net/papers/How-To-Write-an-Exploit-Part1.pdf
https://www.ihteam.net/papers/How-To-Write-an-Exploit-Part2.pdf
https://www.ihteam.net/papers/How-To-Write-an-Exploit-Part3.pdf
https://www.ihteam.net/papers/How-To-Write-an-Exploit-Part4.pdf
https://www.ihteam.net/papers/How-To-Write-an-Exploit-Part5.pdf
https://www.ihteam.net/papers/How-To-Write-an-Exploit-Part6.pdf
https://www.ihteam.net/papers/How-To-Write-an-Exploit-Part7.pdf
https://www.ihteam.net/papers/How-To-Write-an-Exploit-Part8.pdf