Exploitation Part 1.

Little vs Big Endian: big-endian is the "normal" order; little-endian is the weird one. Words are stored in order, but the bytes within each word are backwards (lowest-order byte first).

Little Endian Arrangement: the result of storing 15 (F in hex) followed by 258 (102 in hex). The word holding 15 appears as the bytes 0F 00, and the word holding 258 appears as 02 01 00, because the low-order byte comes first.

When Endianness Matters
We see the endianness effect when:
  bytes are stored to memory by the program one at a time
  raw bytes are read from a file
We do not see it when:
  a whole word is stored to memory by the program
  objdump or the debugger interprets an instruction as a full word
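The two cases above can be made concrete in C. The following program is an added example, not code from the slides: it stores the slides' values 15 and 258 as little-endian words byte by byte, reads them back, and contrasts that with copying a word's raw in-memory bytes, which is where the host's own byte order shows. The function names (read_le32, write_le32, raw_bytes_of_word, host_is_little_endian, store_slide_words) and the four-byte sample 78 56 34 12 are my own choices.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assemble a 32-bit word from four bytes in little-endian order
   (lowest-order byte first, the arrangement the slides describe). */
uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0]
         | ((uint32_t)p[1] << 8)
         | ((uint32_t)p[2] << 16)
         | ((uint32_t)p[3] << 24);
}

/* The same four bytes interpreted big-endian (highest-order byte first). */
uint32_t read_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24)
         | ((uint32_t)p[1] << 16)
         | ((uint32_t)p[2] << 8)
         | (uint32_t)p[3];
}

/* Store a word little-endian one byte at a time, independent of the host.
   This is the "bytes stored to memory from program" case. */
void write_le32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v & 0xFF);
    p[1] = (uint8_t)((v >> 8) & 0xFF);
    p[2] = (uint8_t)((v >> 16) & 0xFF);
    p[3] = (uint8_t)((v >> 24) & 0xFF);
}

/* Copy a word's in-memory bytes out as they are: this is the "word stored to
   memory from program" case, where the host's own order is what you see. */
void raw_bytes_of_word(uint32_t v, uint8_t out[4])
{
    memcpy(out, &v, sizeof v);
}

/* 1 if this host keeps the lowest-order byte at the lowest address. */
int host_is_little_endian(void)
{
    uint8_t probe[4];
    raw_bytes_of_word(1u, probe);
    return probe[0] == 1;
}

/* The slide's arrangement: 15 followed by 258, written as two LE words. */
void store_slide_words(uint8_t out[8])
{
    write_le32(out, 15u);
    write_le32(out + 4, 258u);
}

/* Print a buffer the way a hex editor's left pane would show it. */
static void hexdump(const uint8_t *p, size_t n)
{
    for (size_t i = 0; i < n; i++)
        printf("%02X%s", p[i], (i + 1 < n) ? " " : "\n");
}

int main(void)
{
    uint8_t buf[8];
    store_slide_words(buf);
    printf("15 then 258, little-endian: ");
    hexdump(buf, sizeof buf);   /* 0F 00 00 00 02 01 00 00 */
    printf("read back: %u %u\n", (unsigned)read_le32(buf), (unsigned)read_le32(buf + 4));

    /* Constructed sample bytes, read both ways. */
    const uint8_t sample[4] = {0x78, 0x56, 0x34, 0x12};
    printf("LE 0x%08X  BE 0x%08X\n", (unsigned)read_le32(sample), (unsigned)read_be32(sample));
    printf("this host is %s-endian\n", host_is_little_endian() ? "little" : "big");
    return 0;
}
```

read_le32 and write_le32 give the same answer on any host, which is why file parsers should decode raw bytes explicitly rather than casting a byte pointer to a word pointer; raw_bytes_of_word is the one function here whose output depends on the machine.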

Tools

Tools: Source Code. If it is available, use it to understand the program flow and to look for attack vectors.

Tools: Debugger. Useful if we have access to the executable, and more so if it was compiled in debug mode. Step through the program and examine memory and dynamic state.
Keys:
  nexti runs one machine instruction
  next runs one C++ statement
  step only when you want to go into a called function

Tools: Debugger. The info command lists the local variables or the arguments of the current function (C++).

Tools: Debugger. x &variableName examines a variable; use /codes to specify the display format. Examples: display authorized; display authorized as a hex word; display name as 10 chars and as a C string.

Tools: objdump. Use it to view the actual machine code.
Key flags:
  -d disassemble the .text section
  -C demangle names
  -F show file offsets as well as memory offsets
Dump to a file with >:
  objdump foo.exe -d -F -C > fooCode.txt

Objdump: the addresses the code will be loaded to in memory.

Objdump: the addresses the code is at in the file.

Objdump: Memory address = File offset + 0x10000, so this instruction must be at byte 564 in the file.

Compiler Tricks: the function pushes fp and lr at the start and pops them back into fp and lr at the end; moving the saved lr into pc at the end returns to the caller automatically.

Compiler Tricks: movw puts a 16-bit value into the low-order bits, and movt puts a 16-bit value into the high-order bits. Result: the two halves together form one full-width constant.

Tools: hexeditor (hexcurse). The left pane is the hex view, the right pane the ASCII view; press Tab to switch panes.

Tools: hexeditor (hexcurse). Ctrl + the first letter of a command executes it: Goto, then type the file offset (from objdump) to locate a line of code.

Tools: hexeditor (hexcurse). Data is in little-endian format: the word at this location is E9 2D 48 00.

Binary Modification

Binary Modification Situation: we have full access to an executable and want its behavior modified. Edit the machine code!
  Analyze the source if possible
  Analyze the objdump output
  Look for things to change:
    constants
    branch conditions / targets
    complete instructions replaced with a no-op

Binary Modification Tricks: the first nibble (hex char) of an instruction word is its condition code; a word of all 0's is a no-op (ANDEQ r0, r0, r0).

Buffer Overflow

Buffer Overflow Situation: no access to the executable, limited rights on the system, and a remote application that accepts some form of input. Try to overflow the input buffer!

Overflow: an overflow can write into existing data or code. Here there is space for 8 chars, but scanf will read a string of any length.

Overflow Memory View: name is at 5dc and is 8 bytes; authorized is at 5e7, 1 byte.

Overflow Memory View: after entering "Andrew".

Overflow Memory View: after entering "aaaaaaaab".

Overflow Memory View: after entering "aaaaaaaabbbb".

Reading Safely: scanf("%s", myCString) is potentially unsafe, but you can limit the number of characters it reads with %NUMBERs.

Reading Safely: to prevent the overflow, use fgets(myCString, size, stdin), which reads in at most size - 1 chars.
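The two safe readers from the last two slides, worked through as an added example that is not code from the slides. It mirrors the slides' layout with an 8-byte name followed by a 1-byte authorized flag, then reads the same inputs as the memory-view slides through a width-limited scanf and through fgets. Both readers stop inside name, so authorized stays 0. The struct login, the read_status codes and the helper names (read_line_bounded, read_token_bounded, login_from_input, stream_from) are my own; note the caveat that fgets leaves anything beyond size - 1 chars in the stream, so the fgets reader drains the rest of the line and reports that it truncated.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_SIZE 8   /* "space for 8 chars" on the slide */

enum read_status { READ_EOF = -1, READ_OK = 0, READ_TRUNCATED = 1 };

/* Layout mirroring the slides: an 8-byte name with a 1-byte flag after it.
   scanf("%s", l->name) with a long input walks past name[]; the bounded
   readers below cannot. (Constructed for this example.) */
struct login {
    char name[NAME_SIZE];
    uint8_t authorized;
};

/* fgets-based reader: stores at most size-1 chars plus the NUL, strips the
   newline, and drains any excess so it does not feed the next read.
   Returns READ_TRUNCATED when part of the line had to be thrown away. */
int read_line_bounded(char *dst, size_t size, FILE *in)
{
    if (size == 0)
        return READ_EOF;
    if (fgets(dst, (int)size, in) == NULL) {
        dst[0] = '\0';
        return READ_EOF;
    }
    size_t len = strlen(dst);
    if (len > 0 && dst[len - 1] == '\n') {
        dst[len - 1] = '\0';
        return READ_OK;
    }
    /* No newline in the buffer: see whether anything was left behind. */
    int c, dropped = 0;
    while ((c = fgetc(in)) != EOF && c != '\n')
        dropped = 1;
    return dropped ? READ_TRUNCATED : READ_OK;
}

/* scanf-based reader using a width: for an 8-byte buffer the format built
   here is "%7s", the %NUMBERs from the slide. Unlike fgets it stops at
   whitespace and leaves any excess characters in the stream. */
int read_token_bounded(char *dst, size_t size, FILE *in)
{
    char fmt[16];
    if (size < 2)
        return READ_EOF;
    snprintf(fmt, sizeof fmt, "%%%zus", size - 1);
    if (fscanf(in, fmt, dst) != 1) {
        dst[0] = '\0';
        return READ_EOF;
    }
    return READ_OK;
}

/* Turn a constructed input string into a readable FILE* (portable tmpfile). */
static FILE *stream_from(const char *input)
{
    FILE *f = tmpfile();
    size_t n = strlen(input);
    if (f != NULL && fwrite(input, 1, n, f) == n && fseek(f, 0, SEEK_SET) == 0)
        return f;
    if (f != NULL)
        fclose(f);
    return NULL;
}

/* Feed input through one of the readers into a fresh login record and
   return the read status; authorized starts at 0 and must stay 0. */
int login_from_input(const char *input, struct login *l, int use_fgets)
{
    FILE *in = stream_from(input);
    if (in == NULL)
        return READ_EOF;
    memset(l, 0, sizeof *l);
    int st = use_fgets ? read_line_bounded(l->name, sizeof l->name, in)
                       : read_token_bounded(l->name, sizeof l->name, in);
    fclose(in);
    return st;
}

int main(void)
{
    struct login l;
    int st = login_from_input("aaaaaaaabbbb\n", &l, 1);
    printf("fgets: status=%d name=\"%s\" authorized=%u\n", st, l.name, l.authorized);
    st = login_from_input("Andrew\n", &l, 0);
    printf("scanf: status=%d name=\"%s\" authorized=%u\n", st, l.name, l.authorized);
    return 0;
}
```

Building the scanf width from sizeof at runtime keeps the limit tied to the buffer, so changing NAME_SIZE cannot silently reintroduce the overflow; with the fgets reader, a caller that cares whether input was cut short can check for READ_TRUNCATED rather than treating a silently shortened name as valid.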