U23 - Binary Exploitation

Similar documents
W4118: PC Hardware and x86. Junfeng Yang

Program Exploitation Intro

Function Call Convention

Assembly Language: Function Calls

Assembly Language: Function Calls" Goals of this Lecture"

Assembly Language: Function Calls" Goals of this Lecture"

Assembly Language: Function Calls. Goals of this Lecture. Function Call Problems

Credits and Disclaimers

CS165 Computer Security. Understanding low-level program execution Oct 1 st, 2015

x86 Assembly Tutorial COS 318: Fall 2017

CS642: Computer Security

X86 Review Process Layout, ISA, etc. CS642: Computer Security. Drew Davidson

The IA-32 Stack and Function Calls. CS4379/5375 Software Reverse Engineering Dr. Jaime C. Acosta

This time. Defenses and other memory safety vulnerabilities. Everything you ve always wanted to know about gdb but were too afraid to ask

Lecture 15 Intel Manual, Vol. 1, Chapter 3. Fri, Mar 6, Hampden-Sydney College. The x86 Architecture. Robb T. Koether. Overview of the x86

The x86 Architecture

Lecture 4 CIS 341: COMPILERS

Function Calls COS 217. Reading: Chapter 4 of Programming From the Ground Up (available online from the course Web site)

Betriebssysteme und Sicherheit Sicherheit. Buffer Overflows

Machine Code and Assemblers November 6

Università Ca Foscari Venezia

Credits and Disclaimers

CPS104 Recitation: Assembly Programming

CS 31: Intro to Systems ISAs and Assembly. Martin Gagné Swarthmore College February 7, 2017

CS 31: Intro to Systems Functions and the Stack. Martin Gagne Swarthmore College February 23, 2016

CS 161 Computer Security. Week of January 22, 2018: GDB and x86 assembly

Processes (Intro) Yannis Smaragdakis, U. Athens

Process Layout and Function Calls

x86 assembly CS449 Fall 2017

X86 Stack Calling Function POV

Buffer Overflow Attack

x86 architecture et similia

CPEG421/621 Tutorial

How Software Executes

Assembly Programmer s View Lecture 4A Machine-Level Programming I: Introduction

x86 Assembly Crash Course Don Porter

Intel Architecture. Compass Security Schweiz AG Werkstrasse 20 Postfach 2038 CH-8645 Jona

Ethical Hacking: Preventing & Writing Buffer Overflow Exploits

Instruction Set Architectures

Compiler Construction D7011E

Systems I. Machine-Level Programming V: Procedures

ASSEMBLY III: PROCEDURES. Jo, Heeseung

CSC 2400: Computer Systems. Towards the Hardware: Machine-Level Representation of Programs

X86 Addressing Modes Chapter 3" Review: Instructions to Recognize"

Assembly III: Procedures. Jo, Heeseung

Reverse Engineering II: Basics. Gergely Erdélyi Senior Antivirus Researcher

An Experience Like No Other. Stack Discipline Aug. 30, 2006

AS08-C++ and Assembly Calling and Returning. CS220 Logic Design AS08-C++ and Assembly. AS08-C++ and Assembly Calling Conventions

mith College Computer Science CSC231 Assembly Week #12 Thanksgiving 2017 Dominique Thiébaut

Configurations. Make menuconfig : Kernel hacking/

What is a Compiler? Compiler Construction SMD163. Why Translation is Needed: Know your Target: Lecture 8: Introduction to code generation

Machine Program: Procedure. Zhaoguo Wang

CNIT 127: Exploit Development. Ch 3: Shellcode. Updated

Instruction Set Architectures

System calls and assembler

CSC 8400: Computer Systems. Machine-Level Representation of Programs

Assembly Language for Intel-Based Computers, 4 th Edition. Chapter 2: IA-32 Processor Architecture Included elements of the IA-64 bit

CS 33: Week 3 Discussion. x86 Assembly (v1.0) Section 1G

CMSC Lecture 03. UMBC, CMSC313, Richard Chang

Reverse Engineering II: The Basics

CSE 351: Week 4. Tom Bergan, TA

Machine and Assembly Language Principles

MODE (mod) FIELD CODES. mod MEMORY MODE: 8-BIT DISPLACEMENT MEMORY MODE: 16- OR 32- BIT DISPLACEMENT REGISTER MODE

Machine Programming 3: Procedures

CS241 Computer Organization Spring 2015 IA

Question 4.2 2: (Solution, p 5) Suppose that the HYMN CPU begins with the following in memory. addr data (translation) LOAD 11110

Registers. Ray Seyfarth. September 8, Bit Intel Assembly Language c 2011 Ray Seyfarth

Assembly III: Procedures. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University

x86 assembly CS449 Spring 2016

Hands-on Ethical Hacking: Preventing & Writing Buffer Overflow Exploits

Dr. Ramesh K. Karne Department of Computer and Information Sciences, Towson University, Towson, MD /12/2014 Slide 1

Low Level Programming Lecture 2. International Faculty of Engineerig, Technical University of Łódź

Turning C into Object Code Code in files p1.c p2.c Compile with command: gcc -O p1.c p2.c -o p Use optimizations (-O) Put resulting binary in file p

BUFFER OVERFLOW DEFENSES & COUNTERMEASURES

Stack Discipline Jan. 19, 2018

Assembly Language. Lecture 2 - x86 Processor Architecture. Ahmed Sallam

The von Neumann Machine

Lecture 2 Assembly Language

MACHINE-LEVEL PROGRAMMING I: BASICS COMPUTER ARCHITECTURE AND ORGANIZATION

Exploiting Stack Buffer Overflows Learning how blackhats smash the stack for fun and profit so we can prevent it

CSC 2400: Computing Systems. X86 Assembly: Function Calls

administrivia today start assembly probably won t finish all these slides Assignment 4 due tomorrow any questions?

UMBC. A register, an immediate or a memory address holding the values on. Stores a symbolic name for the memory location that it represents.

Islamic University Gaza Engineering Faculty Department of Computer Engineering ECOM 2125: Assembly Language LAB. Lab # 7. Procedures and the Stack

The Instruction Set. Chapter 5

CS 31: Intro to Systems ISAs and Assembly. Kevin Webb Swarthmore College February 9, 2016

We can study computer architectures by starting with the basic building blocks. Adders, decoders, multiplexors, flip-flops, registers,...

Chapter 11. Addressing Modes

CS 31: Intro to Systems ISAs and Assembly. Kevin Webb Swarthmore College September 25, 2018

Access. Young W. Lim Sat. Young W. Lim Access Sat 1 / 19

Low-Level Essentials for Understanding Security Problems Aurélien Francillon

ROP It Like It s Hot!

Assembly Language. Lecture 2 x86 Processor Architecture

Writing Exploits. Nethemba s.r.o.

CMSC 313 COMPUTER ORGANIZATION & ASSEMBLY LANGUAGE PROGRAMMING

CMSC 313 COMPUTER ORGANIZATION & ASSEMBLY LANGUAGE PROGRAMMING LECTURE 03, SPRING 2013

idkwim in SecurityFirst 0x16 years old Linux system security researcher idkwim.tistory.com idkwim.linknow.

CSCI 192 Engineering Programming 2. Assembly Language

Process Layout, Function Calls, and the Heap

The von Neumann Machine

Transcription:

U23 - Binary Exploitation Stratum Auhuur robbje@aachen.ccc.de November 21, 2016

Context OS: Linux

Context OS: Linux CPU: x86 (32 bit)

Context OS: Linux CPU: x86 (32 bit) Address Space Layout Randomization: off No execution: off Stack cookies: off

From source code to binary *.c *.s *.o Compiler Assembler Linker

From source code to binary *.c *.s *.o Compiler Assembler Linker 1. $ gcc -S test.c -o test.s

From source code to binary *.c *.s *.o Compiler Assembler Linker 1. $ gcc -S test.c -o test.s 2. $ gcc -c test.s -o test.o

From source code to binary *.c *.s *.o Compiler Assembler Linker 1. $ gcc -S test.c -o test.s 2. $ gcc -c test.s -o test.o 3. $ gcc test.o -o test

From source code to binary *.c *.s *.o Compiler Assembler Linker 1. $ gcc -S test.c -o test.s 2. $ gcc -c test.s -o test.o 3. $ gcc test.o -o test (There s also a preprocessor stage...)

Memory layout: Flat memory model Userspace (3GB): 0x00000000 = 0xbfffffff Kernelspace (1GB): 0xc0000000 = 0xffffffff 00 01 02 03 04... Every program has this address space available

A binary is loaded into memory....text.rodata.bss [stack] Stack grows to low addresses!

A binary is loaded into memory....text.rodata.bss [stack] Stack grows to low addresses!

Demo of readelf

Functions Func A Func B Func C calls We can call functions and they return

Functions Func A Func B Func C calls returns calls We can call functions and they return

Functions Func A Func B Func C calls returns calls returns We can call functions and they return

Functions 2 Func A Func B Func C calls calls returns returns

Functions 2 Func A Func B Func C calls calls returns returns How does the CPU know where to return to?

The Stack layout Environment

The Stack layout Cmdline args Environment

The Stack layout EntryFn Frame Cmdline args Environment

The Stack layout Return addr ESP EBP EntryFn Frame Cmdline args Environment

The Stack layout Local vars Saved EBP Return addr ESP EBP EntryFn Frame Cmdline args Environment

Demo of gdb

CPU Registers: dumbed down Stack related: ESP, EBP

CPU Registers: dumbed down Stack related: ESP, EBP Instruction Pointer: EIP

CPU Registers: dumbed down Stack related: ESP, EBP Instruction Pointer: EIP More or less multi-purpose: EAX, EBX, ECX, EDX, ESI, EDI

CPU Registers: dumbed down Stack related: ESP, EBP Instruction Pointer: EIP More or less multi-purpose: EAX, EBX, ECX, EDX, ESI, EDI EAX

CPU Registers: dumbed down Stack related: ESP, EBP Instruction Pointer: EIP More or less multi-purpose: EAX, EBX, ECX, EDX, ESI, EDI EAX AX

CPU Registers: dumbed down Stack related: ESP, EBP Instruction Pointer: EIP More or less multi-purpose: EAX, EBX, ECX, EDX, ESI, EDI EAX AX AH AL

String and memory copy operations void *memcpy(void *dest, const void *src, size t n);

String and memory copy operations void *memcpy(void *dest, const void *src, size t n); char *strcpy(char *dest, const char *src);

String and memory copy operations void *memcpy(void *dest, const void *src, size t n); char *strcpy(char *dest, const char *src); char *strncpy(char *dest, const char *src, size t n);

String and memory copy operations void *memcpy(void *dest, const void *src, size t n); char *strcpy(char *dest, const char *src); char *strncpy(char *dest, const char *src, size t n); memmove, bcopy, memccpy, etc...

String and memory copy operations void *memcpy(void *dest, const void *src, size t n); char *strcpy(char *dest, const char *src); char *strncpy(char *dest, const char *src, size t n); memmove, bcopy, memccpy, etc... gets, fgets, read, fread (files, network)

String and memory copy operations void *memcpy(void *dest, const void *src, size t n); char *strcpy(char *dest, const char *src); char *strncpy(char *dest, const char *src, size t n); memmove, bcopy, memccpy, etc... gets, fgets, read, fread (files, network) rep movsb,... (from [%esi] to [%edi], %ecx bytes)

Stack growth vs copy operations memcpy, strcpy, strncpy,... Local vars Saved EBP Return addr ESP EBP EntryFn Frame Cmdline args Environment

pwn demo

Pwning Check /u23/pwn for sources and binaries Use gdb and reproduce my exploit Use the shellcode provided and try to execute it instead Pwn sob2 (advanced)

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback