RBS EverFocus Electronics Corp EPlusOcx ActiveX Control Multiple Stack Buffer Overflows of 10
|
|
- Jeffry Palmer
- 6 years ago
- Views:
Transcription
1 RBS EverFocus Electronics Corp EPlusOcx ActiveX Control Multiple Stack Buffer Overflows of 10
2 Table of Contents Table of Contents 2 About Risk Based Security 3 Company History 3 Solutions 3 Vulnerable Program Details 4 References 4 Credits 4 Vulnerability Details 5 LiveStream() Method Handling Stack Buffer Overflow 5 SendHttpRequest() Method Handling Stack Buffer Overflow 6 OpenArchive() Function Stack Buffer Overflow 8 Solution 10 Timeline of 10
3 About Risk Based Security Risk Based Security offers clients fully integrated security solutions, combining real time vulnerability and threat data, as well as the analytical resources to understand the implications of the data, resulting in not just security, but the right security. Company History Risk Based Security, Inc. (RBS) was established in early 2011 to better support the many users and initiatives of the Open Security Foundation including the OSVDB and DataLossDB projects. RBS was created to transform this wealth of security data into actionable information by enhancing the research available, and providing a first of its kind risk identification and evidence based security management service. As a data driven and vendor neutral organization, RBS is able to deliver focused security solutions that are timely, cost effective, and built to address the specific threats and vulnerabilities most relevant to the organizations we serve. We not only maintain vulnerability and data breach databases, we also use this information to inform our entire practice. Solutions VulnDB Vulnerability intelligence, alerting, and third party library tracking based on the largest and most comprehensive vulnerability database. Available as feature rich SaaS portal or powerful API Cyber Risk Analytics Extensive data breach database including interactive dashboards and breach analytics. Clients are able to gather and analyze security threat and data breach information on businesses, industries, geographies, and causes of loss. YourCISO Revolutionary service that provides organizations an affordable security solution including policies, vulnerability scans, awareness material, incident response, and access to high quality information security resources and consulting services. Vulnerability Assessments (VA) and Pentesting Regularly scheduled VAs and pentests help an organization identify weaknesses before the bad guys do. Managing the most comprehensive VDB puts us in a unique position to offer comprehensive assessments, combining the latest in scanning technology and our own data. Detailed and actionable reports are provided in a clear and easy to understand language. Security Development Lifecycle (SDL) Consulting, auditing, and verification specialized in breaking code, which in turn greatly increases the security of products of 10
4 Vulnerable Program Details Details for tested products and versions: Vendor: EverFocus Electronics Corporation Product: ECOR264 8D2 Version: Vendor: EverFocus Electronics Corporation Product: ECOR960 16X1 Version: Component: EPlusOcx ActiveX Control (eplusocx.ocx) Version: NOTE: It is suspected that many if not all DVRs in the EverFocus ECOR DVR product line bundle the vulnerable ActiveX control. Other models and versions are, therefore, likely affected. References RBS: RBS OSVDB / VulnDB: , , and CVE: N/A Credits Carsten Eiram, Risk Based Security of 10
5 Vulnerability Details DVRs in the EverFocus ECOR product line provide a web based interface for e.g. configuring device settings. When accessed for the first time using Internet Explorer, an ActiveX control, eplusocx.ocx, is installed on the client system. This bundled ActiveX control has been determined to be affected by three critical vulnerabilities, all allowing attackers to compromise the client system when viewing a malicious web page. LiveStream() Method Handling Stack Buffer Overflow One of the methods supported by the ActiveX control is LiveStream(), which is defined as: long LiveStream( long Mask); When the method is called, a debug string is crafted based on the supplied arguments..text:10017a60 M_LiveStream proc near ; DATA XREF:.rdata:10185EC0.text:10017A60.text:10017A60 szoutputstring = byte ptr 208h ; char[260].text:10017a60 szbuf = byte ptr 104h ; char[256].text:10017a60 var_4 = dword ptr 4.text:10017A60 pwzip = dword ptr 4.text:10017A60 lport = dword ptr 8.text:10017A60 pwzsessionid = dword ptr 0Ch.text:10017A60 lmask = dword ptr 10h.text:10017A60.text:10017A60 sub esp, 208h.text:10017A66 mov eax, dword_101dcd64.text:10017a6b xor eax, esp.text:10017a6d mov [esp+208h+var_4], eax.text:10017a74 push ebx.text:10017a75 mov ebx, [esp+20ch+pwzip].text:10017a7c push ebp.text:10017a7d mov ebp, [esp+210h+pwzsessionid].text:10017a84 push esi.text:10017a85 push edi.text:10017a86 push 103h ; size_t.text:10017a8b lea eax, [esp+21ch+szoutputstring+1] ; char[260].text:10017a8f push 0 ; int.text:10017a91 push eax ; void *.text:10017a92 mov esi, ecx.text:10017a94 mov [esp+224h+szoutputstring], 0 ; char[260] of 10
6 .text:10017a99 call _memset.text:10017a9e mov ecx, [esp+224h+lmask].text:10017aa5 mov edx, [esp+224h+lport].text:10017aac push ecx.text:10017aad push ebp.text:10017aae push edx.text:10017aaf push ebx.text:10017ab0 lea eax, [esp+234h+szoutputstring] ; char[260].text:10017ab4 push offset alivestreamipsp ; "LiveStream IP = %s Port = %d SessionID "....text:10017ab9 push eax ; char *.text:10017aba call _sprintf ; b0f! The string is written to a 260 byte stack buffer using sprintf() without performing any bounds checks. By providing sufficiently long arguments to the method, it is possible to trigger a stack based buffer overflow and gain control of the program flow. SendHttpRequest() Method Handling Stack Buffer Overflow The ActiveX control supports the SendHttpRequest() method, which takes eight arguments: long SendHttpRequest( long nverb, BSTR szid, BSTR szip, long nport, BSTR szusr, BSTR szpwd, BSTR szobject, BSTR szxmlcmd); When the method is called, a debug string is crafted based on the supplied arguments..text:100254b0 M_SendHttpRequest proc near.text:100254b0.text:100254b0 var_134 = dword ptr 134h.text:100254B0 Src = dword ptr 130h.text:100254B0 var_12c = dword ptr 12Ch.text:100254B0 var_128 = dword ptr 128h.text:100254B0 var_124 = dword ptr 124h.text:100254B0 var_120 = dword ptr 120h.text:100254B0 var_11c = byte ptr 11Ch.text:100254B0 szoutputstring = byte ptr 110h.text:100254B0 var_10 = dword ptr 10h.text:100254B0 var_c = dword ptr 0Ch.text:100254B0 var_4 = dword ptr 4 ; DATA XREF:.rdata: ; char[256] of 10
7 .text:100254b0 lnverb = dword ptr 4.text:100254B0 pszid = dword ptr 8.text:100254B0 pszip = dword ptr 0Ch.text:100254B0 lnport = dword ptr 10h.text:100254B0 pszusr = dword ptr 14h.text:100254B0 pszpwd = dword ptr 18h.text:100254B0 pszobject = dword ptr 1Ch.text:100254B0 pszxmlcmd = dword ptr 20h.text:100254B0.text:100254B0 push 0FFFFFFFFh.text:100254B2 push offset loc_10179e54.text:100254b7 mov eax, large fs:0.text:100254bd push eax.text:100254be sub esp, 128h.text:100254EB mov edx, [esp+148h+pszxmlcmd].text:100254f2 mov ebp, [esp+148h+pszobject].text:100254f9 mov ebx, [esp+148h+pszpwd].text: mov edi, [esp+148h+pszusr].text: mov eax, [esp+148h+pszid].text: e push edx.text: f push ebp.text: push ebx.text: push edi.text: mov [esp+158h+var_128], ecx.text: mov ecx, [esp+158h+pszip].text: d push ecx.text: e push eax.text: f mov [esp+160h+var_120], eax.text: lea eax, [esp+160h+szoutputstring] ; char[256].text: push offset asendhttpreques ; "SendHttpRequest: id=%s ip=%s usr=%s pwd"....text: c push eax ; char *.text: d mov [esp+168h+src], ecx.text: mov [esp+168h+var_124], ebp.text: mov [esp+168h+var_12c], edx.text: call _sprintf ; b0f! The string is written to a 256 byte stack buffer using sprintf() without performing any bounds checks. By providing sufficiently long arguments to the method, it is possible to trigger a stack based buffer overflow and gain control of the program flow of 10
8 OpenArchive() Function Stack Buffer Overflow The ActiveX control supports the five following methods used for handling archives: long ArchiveStream( unsigned long Mask, long StartTime, long EndTime, long MaxFileLenth); long ArchiveStreamExRV( unsigned long Mask, long StartTime, long EndTime, long VideoType, long MaxFileLength, short SelcetFile, BSTR FileName); long ArchiveStreamEx( unsigned long Mask, long StartTime, long EndTime, long MaxFileLenth, short SelectFile, BSTR FileName); long ArchiveStreamExNRV( unsigned long Mask, long StartTime, long EndTime, long ArchiveType, long VideoType, long MaxFileLength, short SelectFile, BSTR FileName); long ArchiveStreamExPlus( double Mask, long StartTime, long EndTime, long FileSize, short SelectFile, BSTR FileName); of 10
9 When called, each method may eventually end up calling the OpenArchive() function within eplusocx.ocx to retrieve an archive from a device at a specified IP. The OpenArchive() function starts out by creating a debug string ( OpenArchive ip=%s max=%d\n ) using the IP string argument supplied to each of the five methods..text:10034b90 OpenArchive proc near ; CODE XREF: M_ArchiveStream+67p.text:10034B90 ; M_ArchiveStreamEx+6Bp....text:10034B90 add ecx, 0F2A8h.text:10034B96 jmp loc_10012e50.text:10012e50 loc_10012e50: ; CODE XREF: OpenArchive+6j.text:10012E50 push 0FFFFFFFFh.text:10012E52 push offset loc_ d.text:10012e57 mov eax, large fs:0.text:10012e5d push eax.text:10012e5e sub esp, 414h.text:10012E8B mov edi, [esp+434h+arg_0].text:10012e92 mov eax, [esp+434h+arg_8].text:10012e99 mov esi, [esp+434h+src].text:10012ea0 mov ebp, ecx.text:10012ea2 mov ecx, [esp+434h+arg_18].text:10012ea9 push ecx.text:10012eaa push edi.text:10012eab lea edx, [esp+43ch+szoutputstring] ; char[256].text:10012eb2 push offset aopenarchiveips ; "OpenArchive ip=%s max=%d\n".text:10012eb7 push edx ; char *.text:10012eb8 mov [esp+444h+var_414], edi.text:10012ebc mov [esp+444h+var_408], eax.text:10012ec0 call _sprintf ; b0f! The string is written to a 256 byte stack buffer using sprintf() without performing any bounds checks. By providing sufficiently long IP argument to one of the five methods, it is possible to trigger a stack based buffer overflow and gain control of the program flow of 10
10 Solution The vendor was not responsive, and we are not aware of any available fix for these vulnerabilities. Timeline 2014/10/23 Vulnerabilities discovered. 2014/12/08 ed vendor to obtain details for security contact. 2015/01/01 4 OSVDB entry published and details made available on VulnDB. 2015/05/21 Publication of this vulnerability report. 4 data analytics/vulnerability database/ of 10
RBS Asante VMS ActiveXCoat ActiveX Control ConnectToVMS() Method Heap Buffer Overflow of 7
RBS 2014 003 Asante VMS ActiveXCoat ActiveX Control ConnectToVMS() Method Heap Buffer Overflow 2015 04 29 1 of 7 Table of Contents Table of Contents 2 About Risk Based Security 3 Mission 3 Background 3
More informationRBS S Pocketnet Tech MediaViewer ActiveX Control Multiple Buffer Overflow Vulnerabilities of 14
RBS 2014 005 3S Pocketnet Tech MediaViewer ActiveX Control Multiple Buffer Overflow Vulnerabilities 2015 05 06 1 of 14 Table of Contents Table of Contents 2 About Risk Based Security 3 Company History
More informationRBS of 6
RBS 2014 001 Schneider Electric CitectSCADA Citect.Platform.Transport.dll IdentifyMessageAdapter::ExtractIdentifyMessage Function Invalid IdentifyMessage Handling DoS 2015 04 29 1 of 6 Table of Contents
More informationRBS OpenEMR Multisite Setup Improper Access Restriction Remote Code Execution of 5
RBS-2017-001 OpenEMR Multisite Setup Improper Access Restriction Remote Code Execution 2018-03-22 1 of 5 Vendor / Product Information OpenEMR is a Free and Open Source electronic health records and medical
More informationRBS EverFocus Electronics Corp EverNet3 ActiveX Control Multiple Vulnerabilities of 28
RBS 2015 002 EverFocus Electronics Corp EverNet3 ActiveX Control Multiple Vulnerabilities 2015 07 31 1 of 28 Table of Contents Table of Contents 2 About Risk Based Security 3 Company History 3 Solutions
More informationRBS Axis Products Management Web Interface Multiple Vulnerabilities of 9
RBS-2018-003 Axis Products Management Web Interface Multiple Vulnerabilities 2018-05-23 1 of 9 Table of Contents Table of Contents... 2 Vendor / Product Information.... 3 Vulnerable Program Details.. 3
More informationSA30285 / CVE
Generated by Secunia 17 December, 2008 6 pages Table of Contents Introduction 2 Technical Details 2 Exploitation 5 Characteristics 6 Tested Versions 6 Fixed Versions 6 References 6 Generated by Secunia
More informationRBS NetGain Enterprise Manager Multiple Vulnerabilities of 11
RBS-2018-004 NetGain Enterprise Manager Multiple Vulnerabilities 2018-03-22 1 of 11 Table of Contents Vendor / Product Information 3 Vulnerable Program Details 3 Credits 3 Impact 3 Vulnerability Details
More informationRBS NetGain Enterprise Manager Web Interface Multiple Vulnerabilities of 9
RBS-2017-003 NetGain Enterprise Manager Web Interface Multiple Vulnerabilities 2018-03-22 1 of 9 Table of Contents Vendor / Product Information 3 Vulnerable Program Details 3 Credits 3 Impact 3 Vulnerability
More informationRBS Rockwell Automation FactoryTalk Services Platform RNADiagnostics Module Missing Size Field Validation Remote Denial of Service.
RBS 2013 002 Rockwell Automation FactoryTalk Services Platform RNADiagnostics Module Missing Size Field Validation Remote Denial of Service 1 of 7 Table of Contents Table of Contents 2 About Risk Based
More informationSA31675 / CVE
Generated by Secunia 10 September, 2008 5 pages Table of Contents Introduction 2 Technical Details 2 Exploitation 4 Characteristics 4 Tested Versions 4 Fixed Versions 5 References 5 Generated by Secunia
More informationSA33901 / CVE
Released by Secunia 23 February, 2009 6 pages Table of Contents Terms and Conditions 2 Introduction 3 Technical Details 3 Exploitation 5 Characteristics 5 Tested Versions 6 Fixed Versions 6 References
More informationAbysssec Research. 1) Advisory information. 2) Vulnerability Information. Class 1- Stack overflow. Impact
Abysssec Research 1) Advisory information Title Version Analysis Vendor Impact Contact Twitter : Novell Netware NWFTPD RMD/RNFR/DELE Argument Parsing Buffer overflow : NWFTPD.NLM 5.09.02 (Netware 6.5 SP8)
More informationIBM Global Services. Reversing C++ Paul Vincent Sabanal X-Force R&D Mark Vincent Yason X-Force R&D. IBM Internet Security Systems Ahead of the threat.
IBM Global Services Reversing C++ Paul Vincent Sabanal X-Force R&D Mark Vincent Yason X-Force R&D IBM Internet Security Systems Ahead of the threat. IBM Global Services Reversing C++ Part I. Introduction
More informationSilent Signal Kft. Web: Budapest,
Silent Signal Kft. E-mail: vpbalint@silentsignal.eu Web: www.silentsignal.eu Budapest, 2018.01.08. Background... 3 Self-Defense... 4 Crossing Privilege Boundaries... 5 1. Quarantine Restoration... 5 2.
More informationAbysssec Research. 1) Advisory information. 2) Vulnerable version
Abysssec Research 1) Advisory information Title : Adobe Acrobat and Reader "newclass" invalid pointer vulnerability Version :
More informationEECE.3170: Microprocessor Systems Design I Summer 2017 Homework 4 Solution
1. (40 points) Write the following subroutine in x86 assembly: Recall that: int f(int v1, int v2, int v3) { int x = v1 + v2; urn (x + v3) * (x v3); Subroutine arguments are passed on the stack, and can
More informationMWR InfoSecurity Security Advisory. IBM WebSphere MQ - rridecompress Remote Denial of Service Vulnerability. 4th March 2010
MWR InfoSecurity Security Advisory IBM WebSphere MQ - rridecompress Remote Denial of Service Vulnerability 4th March 2010 2010-03-04 Page 1 of 9 Contents Contents 1 Detailed Vulnerability Description...
More informationX86 Addressing Modes Chapter 3" Review: Instructions to Recognize"
X86 Addressing Modes Chapter 3" Review: Instructions to Recognize" 1 Arithmetic Instructions (1)! Two Operand Instructions" ADD Dest, Src Dest = Dest + Src SUB Dest, Src Dest = Dest - Src MUL Dest, Src
More informationIn executable we have several anti-debugging, anti-tracing and anti-patching tricks:
------------------------------------------------------------------ Author: ReWolf e-mail: rewolf@rewolf.pl www : http://rewolf.pl ------------------------------------------------------------------ HACKER
More informationProgram Exploitation Intro
Program Exploitation Intro x86 Assembly 04//2018 Security 1 Univeristà Ca Foscari, Venezia What is Program Exploitation "Making a program do something unexpected and not planned" The right bugs can be
More informationSA28083 / CVE
Generated by Secunia 9 April, 2008 5 pages Table of Contents Introduction 2 Technical Details 2 Exploitation 4 Characteristics 4 Affected Versions 5 Fixed Versions 5 References 5 Generated by Secunia 9
More informationEECE.3170: Microprocessor Systems Design I Summer 2017
EECE.3170: Microprocessor Systems Design I Summer 2017 Lecture 8: Key Questions June 5, 2017 1. (Review) Describe the structure of a typical x86 stack frame. EECE.3170: Microprocessor Systems Design I
More informationOperation RussianDoll: Adobe & Windows Zero Day Exploits LikelyLeveraged by Russia s APT28 in Highly Targeted Attack
Operation RussianDoll: Adobe & Windows Zero-Day Exploits Likely Leveraged by Russia s APT28 in Highly-Targeted Attack «Threat Research FireEye Inc fireeye.com Operation RussianDoll: Adobe & Windows Zero
More informationStack -- Memory which holds register contents. Will keep the EIP of the next address after the call
Call without Parameter Value Transfer What are involved? ESP Stack Pointer Register Grows by 4 for EIP (return address) storage Stack -- Memory which holds register contents Will keep the EIP of the next
More informationCSCI 334: Principles of Programming Languages. Computer Architecture (a really really fast introduction) Lecture 11: Control Structures II
1 byte{ 1 byte{ CSCI 334: Principles of Programming Languages Lecture 11: Control Structures II Computer Architecture (a really really fast introduction) Instructor: Dan Barowy Memory Instructions main
More informationCVE EXPLOIT USING 108 BYTES AND DOWNLOADING A FILE WITH YOUR UNLIMITED CODE BY VALTHEK
CVE-2017-11882 EXPLOIT USING 108 BYTES AND DOWNLOADING A FILE WITH YOUR UNLIMITED CODE BY VALTHEK First words of thank to Embedy Company to discover the initial exploit and POC of 44 bytes máximum, Ridter
More informationThe IA-32 Stack and Function Calls. CS4379/5375 Software Reverse Engineering Dr. Jaime C. Acosta
1 The IA-32 Stack and Function Calls CS4379/5375 Software Reverse Engineering Dr. Jaime C. Acosta 2 Important Registers used with the Stack EIP: ESP: EBP: 3 Important Registers used with the Stack EIP:
More informationCS412/CS413. Introduction to Compilers Tim Teitelbaum. Lecture 21: Generating Pentium Code 10 March 08
CS412/CS413 Introduction to Compilers Tim Teitelbaum Lecture 21: Generating Pentium Code 10 March 08 CS 412/413 Spring 2008 Introduction to Compilers 1 Simple Code Generation Three-address code makes it
More information16.317: Microprocessor Systems Design I Fall 2014
16.317: Microprocessor Systems Design I Fall 2014 Exam 2 Solution 1. (16 points, 4 points per part) Multiple choice For each of the multiple choice questions below, clearly indicate your response by circling
More informationExploiting Stack Buffer Overflows Learning how blackhats smash the stack for fun and profit so we can prevent it
Exploiting Stack Buffer Overflows Learning how blackhats smash the stack for fun and profit so we can prevent it 29.11.2012 Secure Software Engineering Andreas Follner 1 Andreas Follner Graduated earlier
More informationFlare-On 3: Challenge 7 Solution - hashes.exe
Flare-On 3: Challenge 7 Solution - hashes.exe Challenge Author: Alex Berry This challenge starts with a single executable file: hashes. Opening this file in a hex editor quickly reveals that it is a 32-bit
More informationFunction Call Convention
Function Call Convention Compass Security Schweiz AG Werkstrasse 20 Postfach 2038 CH-8645 Jona Tel +41 55 214 41 60 Fax +41 55 214 41 61 team@csnc.ch www.csnc.ch Content Intel Architecture Memory Layout
More informationIslamic University Gaza Engineering Faculty Department of Computer Engineering ECOM 2125: Assembly Language LAB. Lab # 10. Advanced Procedures
Islamic University Gaza Engineering Faculty Department of Computer Engineering ECOM 2125: Assembly Language LAB Lab # 10 Advanced Procedures May, 2014 1 Assembly Language LAB Stack Parameters There are
More informationBetriebssysteme und Sicherheit Sicherheit. Buffer Overflows
Betriebssysteme und Sicherheit Sicherheit Buffer Overflows Software Vulnerabilities Implementation error Input validation Attacker-supplied input can lead to Corruption Code execution... Even remote exploitation
More informationAssembly Language: Function Calls
Assembly Language: Function Calls 1 Goals of this Lecture Help you learn: Function call problems: Calling and returning Passing parameters Storing local variables Handling registers without interference
More informationAssembly Language: Function Calls" Goals of this Lecture"
Assembly Language: Function Calls" 1 Goals of this Lecture" Help you learn:" Function call problems:" Calling and returning" Passing parameters" Storing local variables" Handling registers without interference"
More informationUniversità Ca Foscari Venezia
Stack Overflow Security 1 2018-19 Università Ca Foscari Venezia www.dais.unive.it/~focardi secgroup.dais.unive.it Introduction Buffer overflow is due to careless programming in unsafe languages like C
More informationAutodesk AutoCAD DWG-AC1021 Heap Corruption
security research Autodesk AutoCAD DWG-AC1021 Heap Corruption Mar 2013 AutoCAD is a software for computer-aided design (CAD) and technical drawing in 2D/3D, being one of the worlds leading CAD design tools.
More information16.317: Microprocessor Systems Design I Fall 2015
16.317: Microprocessor Systems Design I Fall 2015 Exam 2 Solution 1. (16 points, 4 points per part) Multiple choice For each of the multiple choice questions below, clearly indicate your response by circling
More informationAssembly Language: Function Calls" Goals of this Lecture"
Assembly Language: Function Calls" 1 Goals of this Lecture" Help you learn:" Function call problems:" Calling and urning" Passing parameters" Storing local variables" Handling registers without interference"
More informationAssembly Language: Function Calls. Goals of this Lecture. Function Call Problems
Assembly Language: Function Calls 1 Goals of this Lecture Help you learn: Function call problems: Calling and urning Passing parameters Storing local variables Handling registers without interference Returning
More informationAbysssec Research. 1) Advisory information. 2) Vulnerable version. : Microsoft Excel SxView Record Parsing Memory Corruption
Abysssec Research 1) Advisory information Title Version Analysis Vendor Impact Contact Twitter CVE : Microsoft Excel SxView Record Parsing Memory Corruption : Excel 2002 SP3 : http://www.abysssec.com :
More informationBuffer Overflows Defending against arbitrary code insertion and execution
www.harmonysecurity.com info@harmonysecurity.com Buffer Overflows Defending against arbitrary code insertion and execution By Stephen Fewer Contents 1 Introduction 2 1.1 Where does the problem lie? 2 1.1.1
More informationHacking the Packer. Introduction
Hacking the Packer I. Introduction II. Observing Code Obscurities III. Stripping Down Source Code IV. Hacking the Packer V. Producing Packed Samples VI. Possible Signature Set VII. Extended Kernel32 Resolution
More informationIslamic University Gaza Engineering Faculty Department of Computer Engineering ECOM 2125: Assembly Language LAB. Lab # 7. Procedures and the Stack
Islamic University Gaza Engineering Faculty Department of Computer Engineering ECOM 2125: Assembly Language LAB Lab # 7 Procedures and the Stack April, 2014 1 Assembly Language LAB Runtime Stack and Stack
More informationCSC 2400: Computer Systems. Towards the Hardware: Machine-Level Representation of Programs
CSC 2400: Computer Systems Towards the Hardware: Machine-Level Representation of Programs Towards the Hardware High-level language (Java) High-level language (C) assembly language machine language (IA-32)
More informationCSC 405 Computer Security Reverse Engineering Part 1
CSC 405 Computer Security Reverse Engineering Part 1 Alexandros Kapravelos akaprav@ncsu.edu Introduction Reverse engineering process of analyzing a system understand its structure and functionality used
More information/ 28 HLL assembly Q4: Conditional instructions / 40 TOTAL SCORE / 100 EXTRA CREDIT / 10
16.317: Microprocessor Systems Design I Fall 2014 Exam 2 November 5, 2014 Name: ID #: For this exam, you may use a calculator and one 8.5 x 11 double-sided page of notes. All other electronic devices (e.g.,
More informationBasic Pentium Instructions. October 18
Basic Pentium Instructions October 18 CSC201 Section 002 Fall, 2000 The EFLAGS Register Bit 11 = Overflow Flag Bit 7 = Sign Flag Bit 6 = Zero Flag Bit 0 = Carry Flag "Sets the flags" means sets OF, ZF,
More informationReverse Engineering II: The Basics
Reverse Engineering II: The Basics This document is only to be distributed to teachers and students of the Malware Analysis and Antivirus Technologies course and should only be used in accordance with
More informationADDRESSING MODES. Operands specify the data to be used by an instruction
ADDRESSING MODES Operands specify the data to be used by an instruction An addressing mode refers to the way in which the data is specified by an operand 1. An operand is said to be direct when it specifies
More information12 th January MWR InfoSecurity Security Advisory. WebSphere MQ xcsgetmem Heap Overflow Vulnerability. Contents
Contents MWR InfoSecurity Security Advisory WebSphere MQ xcsgetmem Heap Overflow Vulnerability 12 th January 2009 2009-01-05 Page 1 of 9 Contents Contents 1 Detailed Vulnerability Description...5 1.1 Introduction...5
More informationMWR InfoSecurity Security Advisory. Intersystems Caché CSP (Caché Server Pages) Stack Overflow. 17 th December 2009
MWR InfoSecurity Security Advisory Intersystems Caché CSP (Caché Server Pages) Stack Overflow 17 th December 2009 2009-12-17 Page 1 of 8 CONTENTS CONTENTS 1 Detailed Vulnerability Description... 5 1.1
More informationComputer Systems Lecture 9
Computer Systems Lecture 9 CPU Registers in x86 CPU status flags EFLAG: The Flag register holds the CPU status flags The status flags are separate bits in EFLAG where information on important conditions
More informationComputer Architecture and Assembly Language. Practical Session 5
Computer Architecture and Assembly Language Practical Session 5 Addressing Mode - "memory address calculation mode" An addressing mode specifies how to calculate the effective memory address of an operand.
More informationFunction Calls COS 217. Reading: Chapter 4 of Programming From the Ground Up (available online from the course Web site)
Function Calls COS 217 Reading: Chapter 4 of Programming From the Ground Up (available online from the course Web site) 1 Goals of Today s Lecture Finishing introduction to assembly language o EFLAGS register
More informationExploits and gdb. Tutorial 5
Exploits and gdb Tutorial 5 Exploits and gdb 1. Buffer Vulnerabilities 2. Code Injection 3. Integer Attacks 4. Advanced Exploitation 5. GNU Debugger (gdb) Buffer Vulnerabilities Basic Idea Overflow or
More informationCPS104 Recitation: Assembly Programming
CPS104 Recitation: Assembly Programming Alexandru Duțu 1 Facts OS kernel and embedded software engineers use assembly for some parts of their code some OSes had their entire GUIs written in assembly in
More informationCSC 8400: Computer Systems. Machine-Level Representation of Programs
CSC 8400: Computer Systems Machine-Level Representation of Programs Towards the Hardware High-level language (Java) High-level language (C) assembly language machine language (IA-32) 1 Compilation Stages
More informationIslamic University Gaza Engineering Faculty Department of Computer Engineering ECOM 2125: Assembly Language LAB
Islamic University Gaza Engineering Faculty Department of Computer Engineering ECOM 2125: Assembly Language LAB Lab # 6 Input/output using a Library of Procedures April, 2014 1 Assembly Language LAB Using
More informationThe Geometry of Innocent Flesh on the Bone
The Geometry of Innocent Flesh on the Bone Return-into-libc without Function Calls (on the x86) Hovav Shacham hovav@cs.ucsd.edu CCS 07 Technical Background Gadget: a short instructions sequence (e.x. pop
More informationApology of 0days. Nicolás Waisman
Apology of 0days Nicolás Waisman Who Am I? Senior Security Researcher and Regional Manager at Immunity, Inc. Research and Development of reliable Heap Overflow exploitation for CANVAS attack framework
More informationRootkits n Stuff
Rootkits n Stuff www.sigmil.org What a rootkit is(n t) IS Software intended to conceal running processes, files, etc from the OS A way to maintain control of a system after compromising it. ISN T A buffer
More informationCMSC 313 COMPUTER ORGANIZATION & ASSEMBLY LANGUAGE PROGRAMMING
CMSC 313 COMPUTER ORGANIZATION & ASSEMBLY LANGUAGE PROGRAMMING LECTURE 16, SPRING 2013 TOPICS TODAY Project 6 Perils & Pitfalls of Memory Allocation C Function Call Conventions in Assembly Language PERILS
More informationCMSC 313 Lecture 12. Project 3 Questions. How C functions pass parameters. UMBC, CMSC313, Richard Chang
Project 3 Questions CMSC 313 Lecture 12 How C functions pass parameters UMBC, CMSC313, Richard Chang Last Time Stack Instructions: PUSH, POP PUSH adds an item to the top of the stack POP
More informationIs stack overflow still a problem?
Morris Worm (1998) Code Red (2001) Secure Programming Lecture 4: Memory Corruption II (Stack Overflows) David Aspinall, Informatics @ Edinburgh 31st January 2017 Memory corruption Buffer overflow remains
More informationUMBC. 1 (Feb. 9, 2002) seg_base + base + index. Systems Design & Programming 80x86 Assembly II CMPE 310. Base-Plus-Index addressing:
Data Addressing Modes Base-Plus-Index addressing: Effective address computed as: seg_base base index. Base registers: Holds starting location of an array. ebp (stack) ebx (data) Any 32-bit register except
More informationCS61 Section Solutions 3
CS61 Section Solutions 3 (Week of 10/1-10/5) 1. Assembly Operand Specifiers 2. Condition Codes 3. Jumps 4. Control Flow Loops 5. Procedure Calls 1. Assembly Operand Specifiers Q1 Operand Value %eax 0x104
More informationChapter 11. Addressing Modes
Chapter 11 Addressing Modes 1 2 Chapter 11 11 1 Register addressing mode is the most efficient addressing mode because the operands are in the processor itself (there is no need to access memory). Chapter
More informationCSC 591 Systems Attacks and Defenses Reverse Engineering Part 1
CSC 591 Systems Attacks and Defenses Reverse Engineering Part 1 Alexandros Kapravelos akaprav@ncsu.edu Reverse engineering Introduction process of analyzing a system understand its structure and functionality
More informationCPEG421/621 Tutorial
CPEG421/621 Tutorial Compiler data representation system call interface calling convention Assembler object file format object code model Linker program initialization exception handling relocation model
More informationReverse Engineering I: Introduction
Reverse Engineering I: Introduction Antti Tikkanen Protecting the irreplaceable f-secure.com What is Reverse Engineering? 2 Reverse Code Engineering Reverse Engineering is also known as RE or RCE RE: Reverse
More informationScott M. Lewandowski CS295-2: Advanced Topics in Debugging September 21, 1998
Scott M. Lewandowski CS295-2: Advanced Topics in Debugging September 21, 1998 Assembler Syntax Everything looks like this: label: instruction dest,src instruction label Comments: comment $ This is a comment
More informationSecurity-Aware Processor Architecture Design. CS 6501 Fall 2018 Ashish Venkat
Security-Aware Processor Architecture Design CS 6501 Fall 2018 Ashish Venkat Agenda Theme Selection (due today at 11:59:59pm) Readings and Presentation Logistics Quick Processor Architecture Review (continued
More informationcomplement) Multiply Unsigned: MUL (all operands are nonnegative) AX = BH * AL IMUL BH IMUL CX (DX,AX) = CX * AX Arithmetic MUL DWORD PTR [0x10]
The following pages contain references for use during the exam: tables containing the x86 instruction set (covered so far) and condition codes. You do not need to submit these pages when you finish your
More informationProcedure Calls. Young W. Lim Sat. Young W. Lim Procedure Calls Sat 1 / 27
Procedure Calls Young W. Lim 2016-11-05 Sat Young W. Lim Procedure Calls 2016-11-05 Sat 1 / 27 Outline 1 Introduction References Stack Background Transferring Control Register Usage Conventions Procedure
More informationBuffer-Overflow Attacks on the Stack
Computer Systems Buffer-Overflow Attacks on the Stack Introduction A buffer overflow occurs when a program, while writing data to a buffer, overruns the buffer's boundary and overwrites memory in adjacent
More information16.317: Microprocessor Systems Design I Spring 2015
16.317: Microprocessor Systems Design I Spring 2015 Exam 2 Solution 1. (16 points, 4 points per part) Multiple choice For each of the multiple choice questions below, clearly indicate your response by
More informationProcess Layout and Function Calls
Process Layout and Function Calls CS 6 Spring 07 / 8 Process Layout in Memory Stack grows towards decreasing addresses. is initialized at run-time. Heap grow towards increasing addresses. is initialized
More informationBuffer Overflow Attack
Buffer Overflow Attack What every applicant for the hacker should know about the foundation of buffer overflow attacks By (Dalgona@wowhacker.org) Email: zinwon@gmail.com 2005 9 5 Abstract Buffer overflow.
More informationRoadmap: Security in the software lifecycle. Memory corruption vulnerabilities
Secure Programming Lecture 3: Memory Corruption I (introduction) David Aspinall, Informatics @ Edinburgh 24th January 2019 Roadmap: Security in the software lifecycle Security is considered at different
More informationBuffer-Overflow Attacks on the Stack
Computer Systems Buffer-Overflow Attacks on the Stack Introduction A buffer overflow occurs when a program, while writing data to a buffer, overruns the buffer's boundary and overwrites memory in adjacent
More informationSecure Programming Lecture 3: Memory Corruption I (Stack Overflows)
Secure Programming Lecture 3: Memory Corruption I (Stack Overflows) David Aspinall, Informatics @ Edinburgh 24th January 2017 Outline Roadmap Memory corruption vulnerabilities Instant Languages and Runtimes
More informationAssembly Language Programming: Procedures. EECE416 uc. Charles Kim Howard University. Fall
Assembly Language Programming: Procedures EECE416 uc Charles Kim Howard University Fall 2013 www.mwftr.com Before we start Schedule of the next few weeks T Nov 19: Procedure and Calls (continued) R Nov
More informationBuffer Overflows. Buffer Overflow. Many of the following slides are based on those from
s Many of the following slides are based on those from 1 Complete Powerpoint Lecture Notes for Computer Systems: A Programmer's Perspective (CS:APP) Randal E. Bryant and David R. O'Hallaron http://csapp.cs.cmu.edu/public/lectures.html
More informationThe Instruction Set. Chapter 5
The Instruction Set Architecture Level(ISA) Chapter 5 1 ISA Level The ISA level l is the interface between the compilers and the hardware. (ISA level code is what a compiler outputs) 2 Memory Models An
More informationOverview. Constructors and destructors Virtual functions Single inheritance Multiple inheritance RTTI Templates Exceptions Operator Overloading
How C++ Works 1 Overview Constructors and destructors Virtual functions Single inheritance Multiple inheritance RTTI Templates Exceptions Operator Overloading Motivation There are lot of myths about C++
More informationIntroduction to Reverse Engineering. Gergely Erdélyi Senior Antivirus Researcher
Introduction to Reverse Engineering Gergely Erdélyi Senior Antivirus Researcher Agenda Reverse Engineering Intro Ethical and Legal Aspects Process of Reverse Engineering Tools of the Trade 11 February,
More informationCNIT 127: Exploit Development. Ch 2: Stack Overflows in Linux
CNIT 127: Exploit Development Ch 2: Stack Overflows in Linux Stack-based Buffer Overflows Most popular and best understood exploitation method Aleph One's "Smashing the Stack for Fun and Profit" (1996)
More informationRegister Allocation, iii. Bringing in functions & using spilling & coalescing
Register Allocation, iii Bringing in functions & using spilling & coalescing 1 Function Calls ;; f(x) = let y = g(x) ;; in h(y+x) + y*5 (:f (x
More informationISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002
ISO 27002 COMPLIANCE GUIDE How Rapid7 Can Help You Achieve Compliance with ISO 27002 A CONTENTS Introduction 2 Detailed Controls Mapping 3 About Rapid7 8 rapid7.com ISO 27002 Compliance Guide 1 INTRODUCTION
More informationRev101. spritzers - CTF team. spritz.math.unipd.it/spritzers.html
Rev101 spritzers - CTF team spritz.math.unipd.it/spritzers.html Disclaimer All information presented here has the only purpose of teaching how reverse engineering works. Use your mad skillz only in CTFs
More informationLab 3. The Art of Assembly Language (II)
Lab. The Art of Assembly Language (II) Dan Bruce, David Clark and Héctor D. Menéndez Department of Computer Science University College London October 2, 2017 License Creative Commons Share Alike Modified
More informationMWR InfoSecurity Security Advisory. IBM WebSphere MQ - rrilookupget Remote Denial of Service Vulnerability. 4th March 2010
MWR InfoSecurity Security Advisory IBM WebSphere MQ - rrilookupget Remote Denial of Service Vulnerability 4th March 2010 2010-03-04 Page 1 of 9 Contents Contents 1 Detailed Vulnerability Description...
More informationAssembly Programmer s View Lecture 4A Machine-Level Programming I: Introduction
Assembly Programmer s View Lecture 4A Machine-Level Programming I: Introduction E I P CPU isters Condition Codes Addresses Data Instructions Memory Object Code Program Data OS Data Topics Assembly Programmer
More informationReturn-orientated Programming
Return-orientated Programming or The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls (on the x86) Hovav Shacham, CCS '07 Return-Oriented oriented Programming programming
More informationData Exfiltration Techniques
Data Exfiltration Techniques Introduction In this article we will see how malware encode or encrypt data that s exfiltrated to the Command and Control Server from infected machines. This is often done
More informationCSC 591 Systems Attacks and Defenses Return-into-libc & ROP
CSC 591 Systems Attacks and Defenses Return-into-libc & ROP Alexandros Kapravelos akaprav@ncsu.edu NOEXEC (W^X) 0xFFFFFF Stack Heap BSS Data 0x000000 Code RW RX Deployment Linux (via PaX patches) OpenBSD
More informationCS 161 Computer Security. Week of January 22, 2018: GDB and x86 assembly
Raluca Popa Spring 2018 CS 161 Computer Security Discussion 1 Week of January 22, 2018: GDB and x86 assembly Objective: Studying memory vulnerabilities requires being able to read assembly and step through
More information