Rob Gillen, profile picture
Uploaded byRob Gillen
1,331 views

ETCSS: Into the Mind of a Hacker

The document describes an anatomy of a buffer overflow attack. It begins with disclaimers about the legal and ethical responsibilities when discussing exploits. It then provides an overview of the scenario which involves exploiting a vulnerability in a Windows FTP server to obtain a reverse shell. It defines relevant terminology like buffers, fuzzing, shellcode and bind/reverse shells. It also provides examples of assembly shellcode and encoded shellcode. Finally, it outlines the process of identifying the vulnerability, designing an exploit through fuzzing and overwriting registers, and obtaining a shell through the exploit.

Anatomy of a Buffer Overflow Attack Rob Gillen @argodev
Don’t Be Stupid The following presentation describes real attacks on real systems. Please note that most of the attacks described would be considered ILLEGAL if attempted on machines that you do not have explicit permission to test and attack. I assume no responsibility for any actions you perform based on the content of this presentation or subsequent conversations. Please remember this basic guideline: With knowledge comes responsibility.
Disclaimer The content of this presentation represents my personal views and thoughts at the present time. This content is not endorsed by, or representative in any way of my employer nor is it intended to be a view into my work or a reflection on the type of work that I or my group performs. It is simply a hobby and personal interest and should be considered as such.
Credits The vulnerability that we’ll be discussing was initially discovered by C4SS!0 G0M3S (louredo_@hotmail.com) and was published on June 17, 2011. http://www.exploit-db.com/exploits/17539/ James Fitts created a MetaSploit module that I also reviewed while building this module http://www.exploit-db.com/exploits/17540/
Overview • Scenario – Machine 1: Kali Linux (BackTrack) – Machine 2: • Windows 7 Professional x64, SP1 • Freefloat FTP Server v1.0 • Tasks – Discover a vulnerability exists – Craft & test an exploit • Goal: Obtain reverse shell
Attack Process • Identify target of interest • Identify software/versions being used • Setup local Instance • Fuzz to identify vulnerability • Design/Develop Exploit • Test • Package/Weaponize
Terminology • • • • • • • CPU Registers Debugger Buffer Overflows Fuzzing Shellcode Encoding Bind Shell/Reverse Shell
CPU Registers (8086) • • • • • • • • EAX EBX ECX EDX ESI EDI EBP ESP – – – – – – – – Accumulator Register Base Register Counter Register Data Register Source Index Destination Index Base Pointer Stack Pointer Content from: http://www.swansontec.com/sregisters.html
CPU Registers (8086) • EIP – program counter or commonly “instruction pointer” – a processor register that indicates where a computer is in its program sequence. • Holds the memory address of (“points to”) the next instruction that would be executed. • Any thoughts on why this specific register is particularly interesting? Content from: http://en.wikipedia.org/wiki/Instruction_pointer
Debugger
Buffer Overflow Content from: http://en.wikipedia.org/wiki/Buffer_overflow
Fuzzing • Identify points where application or service accepts data • Send varying lengths/types of data until we crash the service and/or overwrite key buffers. • Increase buffer length until no longer successful (identify upper bounds of memory space available for exploit)
Shellcode • Small piece of code used as the payload in the exploitation of a software vulnerability • Name comes from the purpose – usually spawns a shell and performs some action • Often written in assembly code • Types: – “normal”, Staged, Egg-hunt, Omelette Content from: http://en.wikipedia.org/wiki/Shellcode
Shellcode Example [BITS 32] mov ebx, 0x00424F52 push ebx mov esi, esp xor eax, eax push eax push esi push esi push eax mov eax, 0x7E45058A call eax
[BITS 32] mov ebx, 0x00424F52 ; Loads a null-terminated string “ROB” to ebx push ebx ; pushes ebx to the stack mov esi, esp ; saves null-terminated string “ROB” in esi xor eax, eax ; Zero our eax (eax=0) push eax ; Push the fourth parameter (uType) to the stack (value 0) push esi ; Push the third parameter (lpCaption) to the stack (value ROB00) push esi ; Push the second parameter (lpText) to the stack (value ROB00) push eax ; Push the first parameter (hWnd) to the stack (value 0) mov eax, 0x7E45058A ; Move the MessageBoxA address in to eax call eax ; Call the MessageBoxA function with all parameters supplied.
Shellcode Example BB 52 4F 42 00 53 89 E6 31 C0 50 56 56 50 B8 8A 05 45 7E FF D0
Encoding • There are often restrictions as to what data can be sent via the exploit (NULLs, etc.) • Self-extracting (smaller shellcode) • Self-decrypting (avoid IDS signatures) • Tools such as msfencode offer many options.
Encoded Shellcode xbex13xafx49x81xdaxc7 xd9x74x24xf4x58x31xc9 xb1x06x83xe8xfcx31x70 x0fx03x70x1cx4dxbcx3a x70xdex7dx3dx27x69x67 x0cx07x39x3ex39xd7x02 x34xc0x92x0cxb6x1b
Bind Shell/Reverse Shell • Bind Shell – Target exposes a shell on a given port – Attacker connects to that port and executes commands – Remote Administration • Reverse Shell – Attacker listens for connections on a given port – Shell code on target connects to attacker and sends a shell – NAT-safe!
Bind Shell Code executes on target and exposes a listener on a specific port (i.e. 4444) Attacker connects (Binds) to client ip:4444 Attacker Target Target sends shell to attacker
Reverse Shell Code executes on target and connects to the attacker ip:4444 Attacker exposes a listener on a specific port (i.e. 4444) Attacker Target Target sends shell to attacker
Fuzzing Pseudo-Code • Build array of increasing length strings (“A”) • Build array of valid commands • For each command in arrayOfCommands – For each string in arrayOfStrings • Establish FTP connection • Submit command + string • Watch for application hang/crash • Inspect register values/pointers
Demonstration FUZZING THE SERVICE
Design The Exploit • Iterate with various malicious buffer sizes to see how much space is available • Locate where within the evil buffer we actually overwrite EIP • Locate where within the evil buffer we can locate our shellcode (pointed to by other register)
Design The Exploit • Select / configure / encode shellcode • Integrate into exploit script (NOP slide, breakpoints, etc) • Identify reusable jump address to consistently move to shellcode • Test with breakpoints • Test in “real world” scenario
Demonstration DESIGNING THE EXPLOIT
Solutions? • • • • This was an “easy” scenario Bounds checking is critical! Fuzz your own applications Address Space Layout Randomization (ASLR) makes life harder • Operating System Support – Data Execution Prevention
Questions/Contact Rob Gillen rob@gillenfamily.net http://rob.gillenfamily.net @argodev

More Related Content

PPTX
Hands On with Amazon Web Services (StirTrek)
byRob Gillen
 
PPTX
Scaling Document Clustering in the Cloud
byRob Gillen
 
PPTX
(Training) Malware - To the Realm of Malicious Code
bySatria Ady Pradana
 
PPTX
Finding the Sweet Spot: Counter Honeypot Operations (CHOps) by Jonathan Creek...
byEC-Council
 
PPTX
Path of Cyber Security
bySatria Ady Pradana
 
PPTX
Web Security Workshop : A Jumpstart
bySatria Ady Pradana
 
PDF
Password Cracking using dictionary attacks
bylord
 
PPTX
Defending Against 1,000,000 Cyber Attacks by Michael Banks
byEC-Council
 
Hands On with Amazon Web Services (StirTrek)
byRob Gillen
 
Scaling Document Clustering in the Cloud
byRob Gillen
 
(Training) Malware - To the Realm of Malicious Code
bySatria Ady Pradana
 
Finding the Sweet Spot: Counter Honeypot Operations (CHOps) by Jonathan Creek...
byEC-Council
 
Path of Cyber Security
bySatria Ady Pradana
 
Web Security Workshop : A Jumpstart
bySatria Ady Pradana
 
Password Cracking using dictionary attacks
bylord
 
Defending Against 1,000,000 Cyber Attacks by Michael Banks
byEC-Council
 

What's hot

PPTX
Another Side of Hacking
bySatria Ady Pradana
 
PPTX
Billions & Billions of Logs
byJack Crook
 
DOC
SEC 572 Inspiring Innovation / tutorialrank.com
byBromleyz38
 
PDF
La Quadrature Du Cercle - The APTs That Weren't
bypinkflawd
 
DOC
Sec 572 Effective Communication / snaptutorial.com
byBaileyabl
 
DOC
Sec 572 Education Specialist-snaptutorial.com
byrobertlesew79
 
DOCX
SEC 572 Entire Course NEW
byshyamuopiv
 
DOCX
Sec 572 Enhance teaching / snaptutorial.com
byHarrisGeorg69
 
Another Side of Hacking
bySatria Ady Pradana
 
Billions & Billions of Logs
byJack Crook
 
SEC 572 Inspiring Innovation / tutorialrank.com
byBromleyz38
 
La Quadrature Du Cercle - The APTs That Weren't
bypinkflawd
 
Sec 572 Effective Communication / snaptutorial.com
byBaileyabl
 
Sec 572 Education Specialist-snaptutorial.com
byrobertlesew79
 
SEC 572 Entire Course NEW
byshyamuopiv
 
Sec 572 Enhance teaching / snaptutorial.com
byHarrisGeorg69
 

Similar to ETCSS: Into the Mind of a Hacker

PPTX
Anatomy of a Buffer Overflow Attack
byRob Gillen
 
PDF
Dive into exploit development
byPayampardaz
 
PDF
Fuzzing: Finding Your Own Bugs and 0days! 1.0
byRodolpho Concurde
 
PDF
stackconf 2021 | Fuzzing: Finding Your Own Bugs and 0days!
byNETWAYS
 
PDF
Fuzzing: Finding Your Own Bugs and 0days! at Arab Security Conference
byRodolpho Concurde
 
PPT
Writing Metasploit Plugins
byamiable_indian
 
PPTX
Buffer Overflows Shesh Jun 3 09
bydhanya.sumeru
 
PDF
Buffer Overflow Attacks
bysecurityxploded
 
PDF
Buffer overflow Attacks
byCysinfo Cyber Security Community
 
PPTX
Tranning-2
byAli Hussain
 
ODP
Introduction to Binary Exploitation
byCysinfo Cyber Security Community
 
PPTX
Fuzzing | Null OWASP Mumbai | 2016 June
bynullowaspmumbai
 
PDF
Unix executable buffer overflow
byAmmarit Thongthua ,CISSP CISM GXPN CSSLP CCNP
 
PPTX
Sending a for ahuh. win32 exploit development old school
byNahidul Kibria
 
PDF
From SEH Overwrite with Egg Hunter to Get a Shell_by_RodolphoConcurde
byRodolpho Concurde
 
PDF
From SEH Overwrite with Egg Hunter to Get a Shell!
byRodolpho Concurde
 
PPT
Dau Hoang - Buffer Overflows 8980 for Stu
byQueenNicki1
 
PDF
Buffer overflow tutorial
byhughpearse
 
PDF
Penetration Testing for Easy RM to MP3 Converter Application and Post Exploit
byJongWon Kim
 
PPTX
Vulnerability, exploit to metasploit
byTiago Henriques
 
Anatomy of a Buffer Overflow Attack
byRob Gillen
 
Dive into exploit development
byPayampardaz
 
Fuzzing: Finding Your Own Bugs and 0days! 1.0
byRodolpho Concurde
 
stackconf 2021 | Fuzzing: Finding Your Own Bugs and 0days!
byNETWAYS
 
Fuzzing: Finding Your Own Bugs and 0days! at Arab Security Conference
byRodolpho Concurde
 
Writing Metasploit Plugins
byamiable_indian
 
Buffer Overflows Shesh Jun 3 09
bydhanya.sumeru
 
Buffer Overflow Attacks
bysecurityxploded
 
Buffer overflow Attacks
byCysinfo Cyber Security Community
 
Tranning-2
byAli Hussain
 
Introduction to Binary Exploitation
byCysinfo Cyber Security Community
 
Fuzzing | Null OWASP Mumbai | 2016 June
bynullowaspmumbai
 
Unix executable buffer overflow
byAmmarit Thongthua ,CISSP CISM GXPN CSSLP CCNP
 
Sending a for ahuh. win32 exploit development old school
byNahidul Kibria
 
From SEH Overwrite with Egg Hunter to Get a Shell_by_RodolphoConcurde
byRodolpho Concurde
 
From SEH Overwrite with Egg Hunter to Get a Shell!
byRodolpho Concurde
 
Dau Hoang - Buffer Overflows 8980 for Stu
byQueenNicki1
 
Buffer overflow tutorial
byhughpearse
 
Penetration Testing for Easy RM to MP3 Converter Application and Post Exploit
byJongWon Kim
 
Vulnerability, exploit to metasploit
byTiago Henriques
 

More from Rob Gillen

PDF
CodeStock14: Hiding in Plain Sight
byRob Gillen
 
PDF
What's in a password
byRob Gillen
 
PPTX
How well do you know your runtime
byRob Gillen
 
PPTX
Software defined radio and the hacker
byRob Gillen
 
PPTX
So whats in a password
byRob Gillen
 
PPTX
Hiding in plain sight
byRob Gillen
 
PPTX
DevLink - WiFu: You think your wireless is secure?
byRob Gillen
 
PPTX
You think your WiFi is safe?
byRob Gillen
 
PPTX
Intro to GPGPU with CUDA (DevLink)
byRob Gillen
 
PPTX
AWS vs. Azure
byRob Gillen
 
PPTX
A Comparison of AWS and Azure - Part2
byRob Gillen
 
PPTX
A Comparison of AWS and Azure - Part 1
byRob Gillen
 
PPTX
Intro to GPGPU Programming with Cuda
byRob Gillen
 
PPTX
Windows Azure: Lessons From The Field
byRob Gillen
 
PPTX
Amazon Web Services for the .NET Developer
byRob Gillen
 
PPT
05561 Xfer Research 02
byRob Gillen
 
PPT
05561 Xfer Research 01
byRob Gillen
 
PPT
05561 Xfer Consumer 01
byRob Gillen
 
PPT
Cloud Storage Upload Tests 02
byRob Gillen
 
PPTX
Cloud Storage Cross Test
byRob Gillen
 
CodeStock14: Hiding in Plain Sight
byRob Gillen
 
What's in a password
byRob Gillen
 
How well do you know your runtime
byRob Gillen
 
Software defined radio and the hacker
byRob Gillen
 
So whats in a password
byRob Gillen
 
Hiding in plain sight
byRob Gillen
 
DevLink - WiFu: You think your wireless is secure?
byRob Gillen
 
You think your WiFi is safe?
byRob Gillen
 
Intro to GPGPU with CUDA (DevLink)
byRob Gillen
 
AWS vs. Azure
byRob Gillen
 
A Comparison of AWS and Azure - Part2
byRob Gillen
 
A Comparison of AWS and Azure - Part 1
byRob Gillen
 
Intro to GPGPU Programming with Cuda
byRob Gillen
 
Windows Azure: Lessons From The Field
byRob Gillen
 
Amazon Web Services for the .NET Developer
byRob Gillen
 
05561 Xfer Research 02
byRob Gillen
 
05561 Xfer Research 01
byRob Gillen
 
05561 Xfer Consumer 01
byRob Gillen
 
Cloud Storage Upload Tests 02
byRob Gillen
 
Cloud Storage Cross Test
byRob Gillen
 

Recently uploaded

PDF
Transform Your Online Store with AltiusNxt AI Enriched data
byAltiusNxt Technologies
 
PDF
Spec Driven Development with Kiro: Ensuring Quality and Traceability in the A...
byHaim Michael
 
PDF
Data Center Exit to Cloud _ Managed Datacenter Migration.pdf
byAstuteBusiness
 
PPTX
UiPath Automation Suite_Community Session_3/3
bysuhanisingh58689
 
PDF
NPTEL Assignment Completed PDF FILE with ans
byadultme43
 
PDF
Transcript: Ready, set, go: Pre-fall sales trends and data-driven insights - ...
byBookNet Canada
 
PDF
GDG Cloud Southlake #47: Bala Desikan: Build Autonomous Agentic AI Apps on GCP
byJames Anderson
 
PDF
The Future-Ready PMO: Unlocking Project Success with Copilot and AI Innovatio...
byWellingtone
 
PDF
Log-based anomaly detection using BiLSTM-Autoencoder
byMohammed BEKKOUCHE
 
PDF
UiPath Community Day UNI - Nuevos productos de UiPath.pdf
byfelixluen
 
PDF
GDG Boise - Innovating with Google Cloud Artificial Intelligence
byJoey Brown
 
PDF
Unleash AI power with the Dell Pro 14 Plus - Interactive PDF
byPrincipled Technologies
 
PDF
How Generative AI Helps US Healthcare Startups Save 40.pdf
byimoliviabennett
 
PDF
AI Demands More: Help Ensure Network Readiness With ThousandEyes
byThousandEyes
 
PDF
The new commer in Oracle memory architecture _Database Box).pdf
byAlireza Kamrani
 
PDF
Q8 DIGITAL IDENTITY HUB - WSO2 Oxygenate Italy 2025
byProfesia Srl, Lynx Group
 
PPTX
OutSystems ONE 2025-recap presentation.pptx
bymostafaothman27
 
PDF
TrustArc Webinar - It’s Time to Rethink Privacy
byTrustArc
 
PDF
RR B.Ed. educational trust. Ashish Tiwari
byat386834
 
PDF
2025 AI Adoption Report: Gen AI Fast-Tracks Into the Enterprise
byRazin Mustafiz
 
Transform Your Online Store with AltiusNxt AI Enriched data
byAltiusNxt Technologies
 
Spec Driven Development with Kiro: Ensuring Quality and Traceability in the A...
byHaim Michael
 
Data Center Exit to Cloud _ Managed Datacenter Migration.pdf
byAstuteBusiness
 
UiPath Automation Suite_Community Session_3/3
bysuhanisingh58689
 
NPTEL Assignment Completed PDF FILE with ans
byadultme43
 
Transcript: Ready, set, go: Pre-fall sales trends and data-driven insights - ...
byBookNet Canada
 
GDG Cloud Southlake #47: Bala Desikan: Build Autonomous Agentic AI Apps on GCP
byJames Anderson
 
The Future-Ready PMO: Unlocking Project Success with Copilot and AI Innovatio...
byWellingtone
 
Log-based anomaly detection using BiLSTM-Autoencoder
byMohammed BEKKOUCHE
 
UiPath Community Day UNI - Nuevos productos de UiPath.pdf
byfelixluen
 
GDG Boise - Innovating with Google Cloud Artificial Intelligence
byJoey Brown
 
Unleash AI power with the Dell Pro 14 Plus - Interactive PDF
byPrincipled Technologies
 
How Generative AI Helps US Healthcare Startups Save 40.pdf
byimoliviabennett
 
AI Demands More: Help Ensure Network Readiness With ThousandEyes
byThousandEyes
 
The new commer in Oracle memory architecture _Database Box).pdf
byAlireza Kamrani
 
Q8 DIGITAL IDENTITY HUB - WSO2 Oxygenate Italy 2025
byProfesia Srl, Lynx Group
 
OutSystems ONE 2025-recap presentation.pptx
bymostafaothman27
 
TrustArc Webinar - It’s Time to Rethink Privacy
byTrustArc
 
RR B.Ed. educational trust. Ashish Tiwari
byat386834
 
2025 AI Adoption Report: Gen AI Fast-Tracks Into the Enterprise
byRazin Mustafiz
 

ETCSS: Into the Mind of a Hacker

  • 1.
    Anatomy of aBuffer Overflow Attack Rob Gillen @argodev
  • 2.
    Don’t Be Stupid Thefollowing presentation describes real attacks on real systems. Please note that most of the attacks described would be considered ILLEGAL if attempted on machines that you do not have explicit permission to test and attack. I assume no responsibility for any actions you perform based on the content of this presentation or subsequent conversations. Please remember this basic guideline: With knowledge comes responsibility.
  • 3.
    Disclaimer The content ofthis presentation represents my personal views and thoughts at the present time. This content is not endorsed by, or representative in any way of my employer nor is it intended to be a view into my work or a reflection on the type of work that I or my group performs. It is simply a hobby and personal interest and should be considered as such.
  • 4.
    Credits The vulnerability thatwe’ll be discussing was initially discovered by C4SS!0 G0M3S (louredo_@hotmail.com) and was published on June 17, 2011. http://www.exploit-db.com/exploits/17539/ James Fitts created a MetaSploit module that I also reviewed while building this module http://www.exploit-db.com/exploits/17540/
  • 5.
    Overview • Scenario – Machine1: Kali Linux (BackTrack) – Machine 2: • Windows 7 Professional x64, SP1 • Freefloat FTP Server v1.0 • Tasks – Discover a vulnerability exists – Craft & test an exploit • Goal: Obtain reverse shell
  • 6.
    Attack Process • Identifytarget of interest • Identify software/versions being used • Setup local Instance • Fuzz to identify vulnerability • Design/Develop Exploit • Test • Package/Weaponize
  • 7.
  • 8.
    CPU Registers (8086) • • • • • • • • EAX EBX ECX EDX ESI EDI EBP ESP – – – – – – – – AccumulatorRegister Base Register Counter Register Data Register Source Index Destination Index Base Pointer Stack Pointer Content from: http://www.swansontec.com/sregisters.html
  • 9.
    CPU Registers (8086) •EIP – program counter or commonly “instruction pointer” – a processor register that indicates where a computer is in its program sequence. • Holds the memory address of (“points to”) the next instruction that would be executed. • Any thoughts on why this specific register is particularly interesting? Content from: http://en.wikipedia.org/wiki/Instruction_pointer
  • 10.
  • 11.
    Buffer Overflow Content from:http://en.wikipedia.org/wiki/Buffer_overflow
  • 12.
    Fuzzing • Identify pointswhere application or service accepts data • Send varying lengths/types of data until we crash the service and/or overwrite key buffers. • Increase buffer length until no longer successful (identify upper bounds of memory space available for exploit)
  • 13.
    Shellcode • Small pieceof code used as the payload in the exploitation of a software vulnerability • Name comes from the purpose – usually spawns a shell and performs some action • Often written in assembly code • Types: – “normal”, Staged, Egg-hunt, Omelette Content from: http://en.wikipedia.org/wiki/Shellcode
  • 14.
    Shellcode Example [BITS 32] movebx, 0x00424F52 push ebx mov esi, esp xor eax, eax push eax push esi push esi push eax mov eax, 0x7E45058A call eax
  • 15.
    [BITS 32] mov ebx,0x00424F52 ; Loads a null-terminated string “ROB” to ebx push ebx ; pushes ebx to the stack mov esi, esp ; saves null-terminated string “ROB” in esi xor eax, eax ; Zero our eax (eax=0) push eax ; Push the fourth parameter (uType) to the stack (value 0) push esi ; Push the third parameter (lpCaption) to the stack (value ROB00) push esi ; Push the second parameter (lpText) to the stack (value ROB00) push eax ; Push the first parameter (hWnd) to the stack (value 0) mov eax, 0x7E45058A ; Move the MessageBoxA address in to eax call eax ; Call the MessageBoxA function with all parameters supplied.
  • 16.
    Shellcode Example BB 524F 42 00 53 89 E6 31 C0 50 56 56 50 B8 8A 05 45 7E FF D0
  • 17.
    Encoding • There areoften restrictions as to what data can be sent via the exploit (NULLs, etc.) • Self-extracting (smaller shellcode) • Self-decrypting (avoid IDS signatures) • Tools such as msfencode offer many options.
  • 18.
  • 19.
    Bind Shell/Reverse Shell •Bind Shell – Target exposes a shell on a given port – Attacker connects to that port and executes commands – Remote Administration • Reverse Shell – Attacker listens for connections on a given port – Shell code on target connects to attacker and sends a shell – NAT-safe!
  • 20.
    Bind Shell Code executeson target and exposes a listener on a specific port (i.e. 4444) Attacker connects (Binds) to client ip:4444 Attacker Target Target sends shell to attacker
  • 21.
    Reverse Shell Code executeson target and connects to the attacker ip:4444 Attacker exposes a listener on a specific port (i.e. 4444) Attacker Target Target sends shell to attacker
  • 22.
    Fuzzing Pseudo-Code • Buildarray of increasing length strings (“A”) • Build array of valid commands • For each command in arrayOfCommands – For each string in arrayOfStrings • Establish FTP connection • Submit command + string • Watch for application hang/crash • Inspect register values/pointers
  • 23.
  • 24.
    Design The Exploit •Iterate with various malicious buffer sizes to see how much space is available • Locate where within the evil buffer we actually overwrite EIP • Locate where within the evil buffer we can locate our shellcode (pointed to by other register)
  • 25.
    Design The Exploit •Select / configure / encode shellcode • Integrate into exploit script (NOP slide, breakpoints, etc) • Identify reusable jump address to consistently move to shellcode • Test with breakpoints • Test in “real world” scenario
  • 26.
  • 27.
    Solutions? • • • • This was an“easy” scenario Bounds checking is critical! Fuzz your own applications Address Space Layout Randomization (ASLR) makes life harder • Operating System Support – Data Execution Prevention
  • 28.