ROP It Like It's Hot!
1 Wednesday, December 3, Red Canari, Inc. All rights reserved.
Information Security
ROP It Like It's Hot! A 101 on Buffer Overflows, Return Oriented Programming, & Shellcode Development on Linux x86 Systems
Author: Nadeem Douba

2 Introductions
- Nadeem Douba (GWAPT, GPEN), Founder and Principal of Red Canari, Inc.
- Specializes in: Application Security (Web, Desktop, etc.), Open Source Intelligence
- Enjoys: Hacking all the things!
- Some of my work: Sploitego & Canari Framework (DEFCON 2012), Python Micro Proxy (Internet Archive)
- All my other projects:

3 Today's Agenda
- Our Topic: Buffer Overflows
- Brief Introductions to: CPU & Memory; x86 Assembly (32-bit only); Linux x86 ABI; Our Exploit Development Toolkit
- Labs: Classic Buffer Overflow; Defeating Non-executable Stacks; Defeating Address Layout Randomization; Defeating Stack Canaries
- Next Steps

4 What is a Buffer Overflow?
"In computer security and programming, a buffer overflow, or buffer overrun, is an anomaly where a program, while writing data to a buffer, overruns the buffer's boundary and overwrites adjacent memory." - Wikipedia
This can be used for: remote/local code execution, denial of service, etc.
This course will focus on stack-based buffer overflow vulnerabilities.

5 What is a stack?
- The stack is a Last In First Out (LIFO) data structure.
- It is tightly coupled with three registers in the CPU.
- It is one of the ways programs allocate temporary storage space during execution.
- More on it later. First, let's introduce you to your target.

6 The Bit
- The basic unit of information in computing; it can be either 1 or 0.
- Data is stored using a series of bits.
- How does it work? For example, binary 10101010 = 170 decimal = AA hex: each bit is weighted by its power of two, 1*2^7 + 0*2^6 + 1*2^5 + 0*2^4 + 1*2^3 + 0*2^2 + 1*2^1 + 0*2^0 = 170.

7 Standard units of data
- Double-Word (32 bits)
- Word (16 bits)
- Byte (8 bits)
- Nibble (4 bits)

8 Simplifying binary
- Hexadecimal, or base 16, uses the digits 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, A, B, C, D, E, F.
- Each hexadecimal digit represents a nibble (4 bits), which means you need two hexadecimal digits to represent a byte (e.g. FFh, 0x01).
- Memory addresses, integers, etc. are usually shown in hexadecimal (e.g. 0xdeadbeef) in your debugger.
- Don't panic! This is just another way of expressing a number.

9 Characters & Strings in C
- A character is usually one byte and can be represented numerically: 'A' = 41h = 65 = 01000001b. Corresponding C type: char.
- A string is a series of characters terminated by a null character: "hello" = { 'h', 'e', 'l', 'l', 'o', '\0' }, or { 68h, 65h, 6Ch, 6Ch, 6Fh, 00h }. Corresponding C type: char *.

10 ASCII Table
(Slide shows the ASCII table.)

11 Integers
- Can be double-words, words, or bytes. Their corresponding C types are unsigned int or signed int, unsigned short int or signed short int, and unsigned char or signed char (one byte), respectively.
- You can think of virtual memory addresses as unsigned ints.

12 A Brief Introduction

13 (Physical) Random Access Memory
- Fast storage space for instructions & data
- Byte-addressable
- Memory addresses are 36 bits wide in x86.

14 Virtual Memory
- Physical memory is managed directly by the operating system.
- The operating system abstracts memory to processes: each program thinks it has 4 gigabytes of addressable memory, from 0x00000000 to 0xffffffff.
- Virtual memory addresses are double-words (32 bits).
Figure (byte-addressable memory, one byte per address, higher addresses at the top):
0xdeadbeef: J
0xdeadbeee: I
0xdeadbeed: H
0xdeadbeec: G
0xdeadbeeb: F
0xdeadbeea: E
0xdeadbee9: D
0xdeadbee8: C
0xdeadbee7: B
0xdeadbee6: A

15 Virtual Memory, 4-byte Aligned
Figure (each row holds four bytes, lowest address at the left, higher addresses at the top):
0xdeadbf04: 'o' 'l' '!' 00h
0xdeadbf00: 'e' ' ' 'c' 'o'
0xdeadbefc: 's' ' ' 'a' 'r'
0xdeadbef8: 'o' 'b' 'a' 'r'
0xdeadbef4: 'o' 00h 'f' 'o'
0xdeadbef0: 'h' 'e' 'l' 'l'
0xdeadbeec: efh beh adh deh = 0xdeadbeef
0xdeadbee8: 01h 02h 03h 04h = 0x04030201
0xdeadbee4: 'E' 'F' 'G' 'H'
0xdeadbee0: 'A' 'B' 'C' 'D'
The string "hello" starts at 0xdeadbef0 and "foobars are cool!" at 0xdeadbef6, both in reading order, while the integers 0xdeadbeef and 0x04030201 appear byte-reversed.

16 How integers are stored in RAM
- Double-word and word integers are stored in little-endian format: the least significant byte is stored at the lower address and the most significant byte at the higher address.
- IMPORTANT: This does not apply to strings!

17 Why is Little Endian Important?
We need to know how to write memory addresses and integer values to memory. For example, 0xdeadbeef stored in memory would be \xef\xbe\xad\xde. How did we get that?
1. Break your double word into bytes: 0xdeadbeef => 0xde, 0xad, 0xbe, 0xef
2. Reverse the order: 0xef, 0xbe, 0xad, 0xde, or \xef\xbe\xad\xde in string format
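The two steps above carried out in C, as an added example that is not part of the original slides: it generalizes the conversion to any double word, adds the reverse direction, checks the host's own byte order, and lays a string next to an integer to show the slide-15 point that strings keep their reading order. Function names are my own.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Steps 1 and 2 of the slide in one routine: split a double word into bytes
 * and emit them least significant first, the order x86 stores them in memory.
 * Computed with shifts, so the result does not depend on the host's byte order. */
void dword_to_le_bytes(uint32_t value, uint8_t out[4]) {
    for (int i = 0; i < 4; i++)
        out[i] = (uint8_t)(value >> (8 * i));
}

/* The reverse direction: read four memory-order bytes back as a double word. */
uint32_t le_bytes_to_dword(const uint8_t in[4]) {
    uint32_t v = 0;
    for (int i = 0; i < 4; i++)
        v |= (uint32_t)in[i] << (8 * i);
    return v;
}

/* Render memory-order bytes the way the slide writes them: \xef\xbe\xad\xde.
 * buf needs 4 characters per byte plus a terminator (17 bytes for a dword). */
void format_escaped(const uint8_t *bytes, size_t n, char *buf, size_t buflen) {
    size_t pos = 0;
    if (buflen)
        buf[0] = '\0';
    for (size_t i = 0; i < n && pos + 5 <= buflen; i++)
        pos += (size_t)snprintf(buf + pos, buflen - pos, "\\x%02x", bytes[i]);
}

/* Lay out a double word followed by a C string exactly as x86 memory holds
 * them (slide 15): the integer byte-reversed, the string in reading order with
 * its terminating NUL. Returns bytes written, or 0 if out is too small. */
size_t layout_dword_then_string(uint32_t v, const char *s, uint8_t *out, size_t outlen) {
    size_t slen = strlen(s) + 1;          /* include the NUL terminator */
    if (outlen < 4 + slen)
        return 0;
    dword_to_le_bytes(v, out);
    memcpy(out + 4, s, slen);
    return 4 + slen;
}

/* Check the host's byte order by reading the first byte of a real variable
 * (memcpy avoids aliasing issues). Returns 1 on x86-style little-endian hosts. */
int host_is_little_endian(void) {
    uint32_t probe = 0x01020304u;
    uint8_t first;
    memcpy(&first, &probe, 1);
    return first == 0x04;
}

int main(void) {
    uint8_t bytes[4];
    char text[17];
    dword_to_le_bytes(0xdeadbeefu, bytes);
    format_escaped(bytes, 4, text, sizeof text);
    printf("0xdeadbeef in memory: %s (host is %s-endian)\n", text,
           host_is_little_endian() ? "little" : "big");
    return 0;
}
```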
18 x86 CPU: Registers
- General: EAX, EBX, ECX, EDX
- Index & Pointer: ESI, EDI, EBP, EIP, ESP
- Segment: CS, DS, ES, FS, GS, SS
- Indicator: EFLAGS

20 x86 Index & Pointer Registers
- EIP: Extended Instruction Pointer. Points to (holds the address of) the next instruction.
- EBP: Extended Base Pointer. Points to the bottom of the stack.
- ESP: Extended Stack Pointer. Points to the top of the stack.

21 What is a pointer?
Figure (the memory of slide 15 with two rows changed, higher addresses at the top):
0xdeadbeec: e0h beh adh deh = 0xdeadbee0
0xdeadbee8: 01h 02h 03h 04h
0xdeadbee4: 'E' 'F' 'G' 00h
0xdeadbee0: 'A' 'B' 'C' 'D'
The double word at 0xdeadbeec holds the address 0xdeadbee0: it is a pointer to the null-terminated string "ABCDEFG" that starts at 0xdeadbee0.

22 What is the stack?
- Last In, First Out (LIFO)
- Used for storage of local variables and parameters.
- Usually 4-byte aligned
- Two common operations: push (put a value on the stack) and pop (remove a value from the stack)
- EBP points to the bottom of the stack; ESP points to the top of the stack
Figure: 4-byte slots at offsets 0x00 to 0x10, each holding DE AD BE EF, shown before and after push(0xefbeadde) and pop(); the stack grows toward lower addresses.

23 Stack & EIP Coupling
- When the CPU is instructed to call a function, the address of the next instruction in the original thread of execution is pushed on the stack.
- When the CPU is instructed to return from a function, the address at the top of the stack (pointed to by ESP) is popped into EIP.

24 call Example - Before
Scenario: function foo() lives at an address not captured in this transcription. Code: call _foo, followed by 0x0804800B: nop.
Processor state before execution: EIP = the address of the call instruction, EBP = FFFF0023, ESP = FFFF001C.
Stack before execution: every slot from FFFF0000 to FFFF0020 holds DEADBEEF; ESP points at FFFF001C.

25 call Example - After
Processor state after execution: EIP = the address of foo(), EBP = FFFF0023, ESP = FFFF0018.
Stack after execution: FFFF0018 now holds 0804800B, the return address (the nop after the call); every other slot still holds DEADBEEF.

26 ret Example - Before
Scenario: executing the first instruction at foo(), which is ret.
Processor state before execution: EIP = the address of the ret instruction, EBP = FFFF0023, ESP = FFFF0018.
Stack before execution: FFFF0018 holds 0804800B; every other slot holds DEADBEEF.

27 ret Example - After
Processor state after execution: EIP = 0804800B, EBP = FFFF0023, ESP = FFFF001C.
The return address was popped from FFFF0018 into EIP. That slot still contains 0804800B, but ESP has moved up to FFFF001C, and execution continues at the nop.

28 x86 Linux ABI: A Brief Introduction

29 x86 Linux ABI
- Application Binary Interface (ABI): the interface between two program modules (e.g. libraries, the OS, etc.)
- Defines: the Executable and Linkable Format (ELF); the function calling convention/sequence (cdecl); and more
- Based on the System V Release 4 (SVR4) specification, circa 1999

30 Executable and Linkable Format (ELF)
- Standard file format for Linux executables, shared objects, core dumps, etc.
- Broken into sections and segments
- Mini lab: sh$ readelf -S /bin/ls

31 GNU C standard library

32 Glibc Interesting Functions
- execve(char *command, char *argv[], char *envp[]): command is a string containing the name of the executable you want to execute; argv is a null-terminated array of strings containing the arguments to pass to the program; envp is a null-terminated array of strings containing the environment variables to pass to the program.
- system(char *command): command is a string containing the name of the executable you want to execute.
- mprotect(void *addr, size_t len, int prot): addr is a page-aligned memory address (a multiple of 0x1000); len is the length of the memory region, starting from addr, whose permissions you wish to change; prot is the permission you wish to set for that region (0=PROT_NONE, 1=PROT_READ, 2=PROT_WRITE, 4=PROT_EXEC; the flags can be OR'd together).

33 ELF at Runtime: Memory Layout
(Slide shows the runtime memory layout diagram.) Reference: of-a-program-in-memory/

34 x86 Linux Function Calling Sequence
Linux uses a standard called cdecl (C declaration). The agreement:
1. The caller pushes the arguments on the stack in reverse order (the last argument first), so that they end up left to right in memory.
2. The callee is responsible for backing up registers prior to manipulating their values.
3. The callee returns its result in register EAX.
4. The caller is responsible for cleaning up the arguments from the stack.
Functions allocate storage for local variables/buffers on the stack.

35 What does cdecl look like in Assembly?
C code:
    int callee(int, int, int);
    int caller(void) {
        int ret;
        ret = callee(1, 2, 3);
        ret += 5;
        return ret;
    }
Assembly code:
    caller:
        push ebp
        mov ebp, esp
        sub esp, 4          ; room for the local ret
        push 3              ; arguments pushed last first
        push 2
        push 1
        call callee
        add eax, 5
        mov [ebp - 4], eax  ; ret = callee(...) + 5
        add esp, 16         ; caller removes the 3 arguments and the local
        pop ebp
        ret                 ; end of caller

36 But GCC...
Same C code; GCC instead reserves the argument space once and stores into it:
    caller:
        push ebp
        mov ebp, esp
        sub esp, 16
        mov dword [esp + 8], 1
        mov dword [esp + 4], 2
        mov dword [esp], 3
        call callee
        add eax, 5
        mov esp, ebp
        leave               ; mov esp, ebp ; pop ebp
        ret                 ; end of caller

37 Linux x86 Stack Frame
- The memory range between where EBP and ESP point.
- Local variables can be referenced relative to EBP or ESP.
(Slide shows the previous and current stack frames.) Reference: callconv-asm.html

38 Remember our definition of buffer overflows?
Assume local var #1 (LV1) was a four-byte character array. What would happen if we copied 12 bytes of data into LV1?

39 Classic Buffer Overflow Lab: Smashing the Stack

40 Let's run this C code in our head.
C code:
    #include <string.h>
    int main(int argc, char *argv[]) {
        char buf[4];
        strcpy(buf, argv[1]);
        return 0;
    }
Execution: sh$ ./a.out EEEEFFFFGGGG
Stack layout (higher addresses at the top): old EBP of the caller | fcn param #n ... fcn param #2 | fcn param #1 | old EIP | old EBP | local var #1 (B0 B1 B2 B3) | local var #2

41 Let's run this C code in our head.
C code:
    #include <string.h>
    int main(int argc, char *argv[]) {
        char buf[4] = "ABCD";
        strcpy(buf, argv[1]);
        return 0;
    }
Result:
    sh$ ./a.out EEEEFFFFGGGG
    Segmentation Fault
    sh$
Stack afterwards (higher addresses at the top): the function parameters are unchanged; the terminating 00 lands just above old EIP; old EIP = G G G G; old EBP = F F F F; local var #1 = E E E E; local var #2.

42 What happened?
- We overwrote old EIP on the stack with the bytes GGGG.
- When main returned, EIP was set to that value, an invalid memory address: the memory region may not be executable or accessible because of permissions, may not contain valid instructions, etc.
- Since it is an invalid memory address, the program crashes with a Segmentation fault.

43 How do we exploit this?
Instead of just crashing the application, let's try to execute code! We can control EIP by writing over old EIP on the stack with a valid address. We can also write instructions on the stack.

44 Unreliable Remote Code Execution
Let's overwrite old EIP with a hard-coded return address, and append an int 3 CPU instruction to the end of our buffer.
Result:
    sh$ ./a.out $'EEEEFFFF\x10\x01\xff\xbf\xcd\x03'
    Trace/breakpoint trap
    sh$
Stack afterwards (higher addresses at the top, 0xbfff0120 down to 0xbfff0110 and below): 0xbfff0110 holds CD 03 (int 3); old EIP holds 10 01 FF BF (0xbfff0110 in little-endian); old EBP holds F F F F; local var #1 holds E E E E; then local var #2.

45 What happened this time?
- We overwrote old EIP on the stack with the address 0xbfff0110, the address just above old EIP.
- When main returned, EIP was set to 0xbfff0110.
- Our int 3 CPU instruction is located at address 0xbfff0110.
- The CPU executes our instruction (breakpoint), which emits the Trace/breakpoint trap message.
- In other words, we've got code execution!
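To make the lab above concrete, an added example that is not the slides' lab program: a struct models the frame the slides draw (buf, then old EBP, then old EIP; that layout is an assumption, real compiler output may add padding, a canary or other locals), the unchecked copy is replayed inside the model's own bounds to show which saved value each input byte lands on, and a bounds-checked copy is shown beside it as the fix. Names and sample values are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the lab's stack frame, not real compiler output: the
 * 4-byte local buffer sits at the lowest address, followed by the saved EBP
 * and then the saved EIP, exactly as the slides draw it. */
struct frame_model {
    char     buf[4];     /* local var #1: char buf[4]            */
    uint32_t saved_ebp;  /* "old EBP"                            */
    uint32_t saved_eip;  /* "old EIP": popped into EIP on return */
};

enum { CLOBBER_NONE = 0, CLOBBER_EBP = 1, CLOBBER_EIP = 2 };

/* Replay strcpy(buf, argv[1]) inside the model. The copy length is capped at
 * the model's size, so this program never writes out of bounds itself; it
 * only shows which saved values the lab's unchecked copy would overwrite.
 * Returns a bitmask of CLOBBER_* flags. */
int simulate_unchecked_copy(struct frame_model *f, const char *input) {
    size_t len = strlen(input) + 1;          /* strcpy also copies the NUL     */
    if (len > sizeof *f)
        len = sizeof *f;                     /* the NUL would land past old EIP */
    memcpy(f, input, len);                   /* bytes flow up into the saved slots */
    int clobbered = CLOBBER_NONE;
    if (len > offsetof(struct frame_model, saved_ebp))
        clobbered |= CLOBBER_EBP;
    if (len > offsetof(struct frame_model, saved_eip))
        clobbered |= CLOBBER_EIP;
    return clobbered;
}

/* The hardened copy: never write more than dstlen bytes, terminator included.
 * Returns 0 on success; -1, leaving dst untouched, when src would not fit. */
int safe_copy(char *dst, size_t dstlen, const char *src) {
    size_t n = 0;
    while (n < dstlen && src[n] != '\0')     /* bounded scan, never past dstlen */
        n++;
    if (n >= dstlen)
        return -1;                           /* no room for the NUL: reject     */
    memcpy(dst, src, n + 1);
    return 0;
}

int main(void) {
    /* Constructed saved values standing in for whatever the caller left there. */
    struct frame_model f = { "", 0xbfff0000u, 0x08048000u };
    int c = simulate_unchecked_copy(&f, "EEEEFFFFGGGG");
    printf("old EBP = 0x%08x, old EIP = 0x%08x, clobbered mask = %d\n",
           (unsigned)f.saved_ebp, (unsigned)f.saved_eip, c);
    char dst[4];
    printf("safe_copy of 12 bytes into 4: %d\n",
           safe_copy(dst, sizeof dst, "EEEEFFFFGGGG"));
    return 0;
}
```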
46 Now let's try this in real life!
- Open your terminal
- Navigate to ~/labs/lab1
- Type gdb ./lab1
- If all is well you should get a peda-gdb$ prompt. Now follow along.

48 Places to Learn
- WeChall has a list of a lot of online gaming/exploitable servers.
- OTW (OverTheWire) is largely focused on Linux-based vulnerabilities and is a great learning resource.
- Phrack Magazine is fantastic if you don't mind reading ASCII articles.

49 Thank You! Questions?
More informationMachine-level Representation of Programs. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University
Machine-level Representation of Programs Jin-Soo Kim (jinsookim@skku.edu) Computer Systems Laboratory Sungkyunkwan University http://csl.skku.edu Program? 짬뽕라면 준비시간 :10 분, 조리시간 :10 분 재료라면 1개, 스프 1봉지, 오징어
More informationScott M. Lewandowski CS295-2: Advanced Topics in Debugging September 21, 1998
Scott M. Lewandowski CS295-2: Advanced Topics in Debugging September 21, 1998 Assembler Syntax Everything looks like this: label: instruction dest,src instruction label Comments: comment $ This is a comment
More informationBuffer Overflows. Buffer Overflow. Many of the following slides are based on those from
s Many of the following slides are based on those from 1 Complete Powerpoint Lecture Notes for Computer Systems: A Programmer's Perspective (CS:APP) Randal E. Bryant and David R. O'Hallaron http://csapp.cs.cmu.edu/public/lectures.html
More informationThe Microprocessor and its Architecture
The Microprocessor and its Architecture Contents Internal architecture of the Microprocessor: The programmer s model, i.e. The registers model The processor model (organization) Real mode memory addressing
More informationRepresentation of Information
Representation of Information CS61, Lecture 2 Prof. Stephen Chong September 6, 2011 Announcements Assignment 1 released Posted on http://cs61.seas.harvard.edu/ Due one week from today, Tuesday 13 Sept
More informationLecture 09 Code reuse attacks. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017
Lecture 09 Code reuse attacks Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Last time No good reason for stack/heap/static data to be executable No good reason for code to be writable
More information18-600: Recitation #3
18-600: Recitation #3 Bomb Lab & GDB Overview September 12th, 2017 1 Today X86-64 Overview Bomb Lab Introduction GDB Tutorial 2 3 x86-64: Register Conventions Arguments passed in registers: %rdi, %rsi,
More information3. Process Management in xv6
Lecture Notes for CS347: Operating Systems Mythili Vutukuru, Department of Computer Science and Engineering, IIT Bombay 3. Process Management in xv6 We begin understanding xv6 process management by looking
More informationWar Industries Presents: An Introduction to Programming for Hackers Part V - Functions. By Lovepump, Visit:
War Industries Presents: An Introduction to Programming for Hackers Part V - Functions By Lovepump, 2004 Visit: www.warindustries.com Goals: At the end of Part IV, you should be able to competently code
More informationCMPSC 497 Buffer Overflow Vulnerabilities
Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA CMPSC 497 Buffer Overflow
More informationCSCE 212H, Spring 2008 Lab Assignment 3: Assembly Language Assigned: Feb. 7, Due: Feb. 14, 11:59PM
CSCE 212H, Spring 2008 Lab Assignment 3: Assembly Language Assigned: Feb. 7, Due: Feb. 14, 11:59PM February 7, 2008 1 Overview The purpose of this assignment is to introduce you to the assembly language
More informationProject 1 Notes and Demo
Project 1 Notes and Demo Overview You ll be given the source code for 7 short buggy programs (target[1-7].c). These programs will be installed with setuid root Your job is to write exploits (sploit[1-7].c)
More informationEECE416 :Microcomputer Fundamentals and Design. X86 Assembly Programming Part 1. Dr. Charles Kim
EECE416 :Microcomputer Fundamentals and Design X86 Assembly Programming Part 1 Dr. Charles Kim Department of Electrical and Computer Engineering Howard University www.mwftr.com 1 Multiple Address Access
More informationCS165 Computer Security. Understanding low-level program execution Oct 1 st, 2015
CS165 Computer Security Understanding low-level program execution Oct 1 st, 2015 A computer lets you make more mistakes faster than any invention in human history - with the possible exceptions of handguns
More information143A: Principles of Operating Systems. Lecture 4: Calling conventions. Anton Burtsev October, 2017
143A: Principles of Operating Systems Lecture 4: Calling conventions Anton Burtsev October, 2017 Recap from last time Stack and procedure calls What is stack? Stack It's just a region of memory Pointed
More informationSecure Programming Lecture 3: Memory Corruption I (Stack Overflows)
Secure Programming Lecture 3: Memory Corruption I (Stack Overflows) David Aspinall, Informatics @ Edinburgh 24th January 2017 Outline Roadmap Memory corruption vulnerabilities Instant Languages and Runtimes
More informationBuffer. This time. Security. overflows. Software. By investigating. We will begin. our 1st section: History. Memory layouts
This time We will begin our 1st section: Software Security By investigating Buffer overflows and other memory safety vulnerabilities History Memory layouts Buffer overflow fundamentals Software security
More informationX86 Stack Calling Function POV
X86 Stack Calling Function POV Computer Systems Section 3.7 Stack Frame Reg Value ebp xffff FFF0 esp xffff FFE0 eax x0000 000E Memory Address Value xffff FFF8 xffff FFF4 x0000 0004 xffff FFF4 x0000 0003
More informationArchitecture-level Security Vulnerabilities
Architecture-level Security Vulnerabilities Björn Döbel Outline How stacks work Smashing the stack for fun and profit Preventing stack smashing attacks Circumventing stack smashing prevention The Battlefield:
More informationSubprograms: Local Variables
Subprograms: Local Variables ICS312 Machine-Level and Systems Programming Henri Casanova (henric@hawaii.edu) Local Variables in Subprograms In all the examples we have seen so far, the subprograms were
More informationQuestion 4.2 2: (Solution, p 5) Suppose that the HYMN CPU begins with the following in memory. addr data (translation) LOAD 11110
Questions 1 Question 4.1 1: (Solution, p 5) Define the fetch-execute cycle as it relates to a computer processing a program. Your definition should describe the primary purpose of each phase. Question
More informationLow Level Programming Lecture 2. International Faculty of Engineerig, Technical University of Łódź
Low Level Programming Lecture 2 Intel processors' architecture reminder Fig. 1. IA32 Registers IA general purpose registers EAX- accumulator, usually used to store results of integer arithmetical or binary
More informationProcedure Calls. Young W. Lim Mon. Young W. Lim Procedure Calls Mon 1 / 29
Procedure Calls Young W. Lim 2017-08-21 Mon Young W. Lim Procedure Calls 2017-08-21 Mon 1 / 29 Outline 1 Introduction Based on Stack Background Transferring Control Register Usage Conventions Procedure
More informationIs stack overflow still a problem?
Morris Worm (1998) Code Red (2001) Secure Programming Lecture 4: Memory Corruption II (Stack Overflows) David Aspinall, Informatics @ Edinburgh 31st January 2017 Memory corruption Buffer overflow remains
More informationIntro to x86 Binaries. From ASM to exploit
Intro to x86 Binaries From ASM to exploit Intro to x86 Binaries I lied lets do a quick ctf team thing Organization Ideas? Do we need to a real structure right now? Mailing list is OTW How do we get more
More informationBuffer Overflows Many of the following slides are based on those from Complete Powerpoint Lecture Notes for Computer Systems: A Programmer's Perspective (CS:APP) Randal E. Bryant and David R. O'Hallaron
More informationLecture 04 Control Flow II. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Based on Michael Bailey s ECE 422
Lecture 04 Control Flow II Stehen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Based on Michael Bailey s ECE 422 Function calls on 32-bit x86 Stack grows down (from high to low addresses)
More informationComplex Instruction Set Computer (CISC)
Introduction ti to IA-32 IA-32 Processors Evolutionary design Starting in 1978 with 886 Added more features as time goes on Still support old features, although obsolete Totally dominate computer market
More informationCSE 361S Intro to Systems Software Lab Assignment #4
Due: Thursday, October 23, 2008. CSE 361S Intro to Systems Software Lab Assignment #4 In this lab, you will mount a buffer overflow attack on your own program. As stated in class, we do not condone using
More informationFunction Call Convention
Function Call Convention Compass Security Schweiz AG Werkstrasse 20 Postfach 2038 CH-8645 Jona Tel +41 55 214 41 60 Fax +41 55 214 41 61 team@csnc.ch www.csnc.ch Content Intel Architecture Memory Layout
More informationBuffer Overflow Vulnerability
Buffer Overflow Vulnerability 1 Buffer Overflow Vulnerability Copyright c 2006 2014 Wenliang Du, Syracuse University. The development of this document is/was funded by three grants from the US National
More informationCSC 8400: Computer Systems. Using the Stack for Function Calls
CSC 84: Computer Systems Using the Stack for Function Calls Lecture Goals Challenges of supporting functions! Providing information for the called function Function arguments and local variables! Allowing
More informationCPSC 213. Introduction to Computer Systems. Procedures and the Stack. Unit 1e
CPSC 213 Introduction to Computer Systems Unit 1e Procedures and the Stack 1 Reading Companion 2.8 Textbook Procedures, Out-of-Bounds Memory References and Buffer Overflows 3.7, 3.12 2 Local Variables
More information