Presented at ToorCon San Diego 20 (2018)
Sept. 16, 2018, 11 a.m.
This talk covers finding a buffer overflow vulnerability in some old Windows 3.x-based Internet software and constructing a payload to exploit it. The segmented memory model of 16-bit x86 code complicates exploitation and provides accidental defenses similar to ASLR and DEP. I walk through finding the vulnerability and developing a ROP chain and shellcode, culminating in launching the calculator.
What if I told you that Windows 3.x provided Data Execution Prevention and a crude form of Address Space Layout Randomization? The segmented memory model that made 16-bit x86 code difficult to program also complicates building an exploit. Blending nostalgia and plain curiosity into exploiting "weird" systems, I demonstrate what may be the first public writeup (try Googling for one) of a buffer overflow targeting a Windows 3.x application, complete with ROP chain and shellcode. Everyone loves a good exploit and demo, or just shuffling program groups, so stop by for a look back into the four-megabyte era, equipped with a copy of Visual Studio 1.52c and modern techniques.
Jacob Thompson is a Principal Security Analyst for Independent Security Evaluators, where he specializes in high-end, custom security assessments of computer hardware and software products. With over 10 years' experience, Mr. Thompson has a propensity toward hands-on security assessment, and proficiencies in reverse engineering, DRM systems, cryptography, system and application security, and secure system design. Through his 6 years' work with ISE, Mr. Thompson has taken part in multiple major vulnerability discoveries and assessments, customer visits, and progress presentations. He has presented his research at DEF CON, BSides DC, DERBYCON, and ToorCon.