Exploitation Part 1
Little vs Big Endian
  - Big is "normal": words in order, bytes in a word in order
  - Little is weird: words in order, bytes in a word backwards
Little Endian Arrangement
  - Result: 15 (0xF) followed by 258 (0x102)
  - Meaning: bytes 0F 00 are 15, low byte first
  - Meaning: bytes 02 01 00 are 258, low byte first
When Endianness Matters
  We see the endianness effect when:
  - bytes are stored to memory from the program
  - reading raw bytes in a file
  We don't see it when:
  - a word is stored to memory from the program
  - objdump/debugger interprets an instruction as a full word
Tools
Tools: Source Code
  - If available, use it to understand program flow and look for attack vectors
Tools: Debugger
  - Use if we have access to the executable; helps if it was compiled in debug mode
  - Step through the program, examine memory and dynamic state
  - Keys: nexti runs one machine instruction; next runs one C++ statement; step only if you want to go into functions
  - info locals / info args list the local variables or arguments of the current function (C++)
  - x &variableName examines a variable; use /codes to specify the format
  - Examples from the slide: display authorized; display authorized as a hex word; display name as 10 chars and as a C string
Tools: objdump
  - Use it to view the actual machine code
  - Key flags: -d disassemble the .text section; -C demangle names; -F show file offsets as well as memory offsets
  - Dump to a file with >: objdump foo.exe -d -F -C > fooCode.txt
Objdump
  - Memory offsets: the addresses the code will be loaded to
  - File offsets: the addresses the code is at in the file
  - Memory address = file offset + 0x10000, so this instruction must be byte 564 in the file
Compiler Tricks
  - Push fp and lr at the start of a function and pop them back at the end; the saved lr is moved into pc automatically at the end (the return)
  - movw: put a 16-bit value into the low-order bits
  - movt: put a 16-bit value into the high-order bits
  - Result: the two together load a full 32-bit constant
Tools: hexeditor (hexcurse)
  - Left pane is the hex view, right pane the ASCII view; Tab switches panes
  - Ctrl + first letter executes a command: Goto, then type the file offset (from objdump) to locate a line of code
  - Data is in little endian format, so the bytes of a word appear reversed in the editor: the word at this location is E9 2D 48 00
Binary Modification
Binary Modification Situation
  - Have full access to an executable
  - Want its behavior modified
  - Edit the machine code!
  - Analyze the source if possible; analyze the objdump
  - Look for things to change: constants, branch conditions / targets, complete instructions to turn into no-ops
Binary Modification Tricks
  - The first nibble (hex char) of an ARM instruction is the condition code
  - All 0's is a no-op (ANDEQ r0, r0, r0)
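The endianness slides above (15 followed by 258 laid out as 0F 00 02 01, the hex editor showing a word reversed) and the compiler-trick and condition-nibble slides are all the same small set of byte-level facts. The following C program is an added example written for these notes; it is not code from the slides. It uses explicit shifts rather than the host's memcpy for the layout so the result is the same on any machine, and the file bytes 00 48 2D E9 are the reversed form of the word E9 2D 48 00 from the hexcurse slide (which decodes as push {fp, lr}, the function prologue described in Compiler Tricks).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Store a 16-bit word into dst the way a little-endian machine lays it out:
 * low byte first. Explicit shifts, so the result is host-independent. */
static void store_u16_le(uint8_t *dst, uint16_t v) {
    dst[0] = (uint8_t)(v & 0xFF);
    dst[1] = (uint8_t)(v >> 8);
}

/* Assemble a 32-bit word from 4 bytes in little-endian order, i.e. the
 * order a hex editor shows them in the file. */
uint32_t word_from_file_bytes(uint8_t b0, uint8_t b1, uint8_t b2, uint8_t b3) {
    return (uint32_t)b0 | ((uint32_t)b1 << 8) | ((uint32_t)b2 << 16) | ((uint32_t)b3 << 24);
}

/* Byte i (0..3) of memory after storing `first` then `second` as 16-bit words. */
uint8_t pair_byte(uint16_t first, uint16_t second, int i) {
    uint8_t mem[4];
    store_u16_le(mem, first);
    store_u16_le(mem + 2, second);
    return mem[i & 3];
}

/* The same four bytes read back as one 32-bit word: what a debugger prints
 * if you ask for a word at the address of the first value. */
uint32_t pair_as_word(uint16_t first, uint16_t second) {
    return word_from_file_bytes(pair_byte(first, second, 0), pair_byte(first, second, 1),
                                pair_byte(first, second, 2), pair_byte(first, second, 3));
}

/* 1 if this host stores the low byte of a word first (little endian). */
int host_is_little_endian(void) {
    uint32_t w = 0x01020304u;
    uint8_t b[4];
    memcpy(b, &w, sizeof b);
    return b[0] == 0x04;
}

/* movw writes the low 16 bits, movt the high 16 bits; together a 32-bit constant. */
uint32_t movw_movt(uint16_t low, uint16_t high) {
    return ((uint32_t)high << 16) | low;
}

/* The top nibble of a 32-bit ARM instruction is its condition code:
 * 0xE = AL (always execute), 0x0 = EQ. An all-zero word is ANDEQ r0, r0, r0. */
unsigned arm_cond(uint32_t insn) {
    return insn >> 28;
}

int main(void) {
    printf("host is %s endian\n", host_is_little_endian() ? "little" : "big");
    printf("15 then 258 in memory: %02X %02X %02X %02X, read as one word 0x%08X\n",
           pair_byte(15, 258, 0), pair_byte(15, 258, 1),
           pair_byte(15, 258, 2), pair_byte(15, 258, 3), pair_as_word(15, 258));
    /* Constructed file bytes: 00 48 2D E9 is the word 0xE92D4800, push {fp, lr} */
    uint32_t w = word_from_file_bytes(0x00, 0x48, 0x2D, 0xE9);
    printf("file bytes 00 48 2D E9 -> word 0x%08X, condition nibble 0x%X\n", w, arm_cond(w));
    printf("all-zero word -> condition nibble 0x%X (EQ), the ANDEQ r0, r0, r0 no-op\n", arm_cond(0));
    return 0;
}
```

The point pair_as_word makes is the one the "When Endianness Matters" slide makes: the bytes 0F 00 02 01 are only confusing if you read them as a single word, in which case you get 0x0102000F rather than 15 and 258.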
Buffer Overflow
Buffer Overflow Situation
  - No access to the executable
  - Limited rights on the system
  - Remote application that accepts some form of input
  - Try to overflow the input buffer!
Overflow
  - An overflow can write into existing data or code
  - Space for 8 chars, but scanf will read a string of any length
Overflow Memory View
  - name is at 5dc and is 8 bytes; authorized is at 5e7, 1 byte
  - After entering "Andrew" (memory view figure)
  - After entering "aaaaaaaab" (memory view figure)
  - After entering "aaaaaaaabbbb" (memory view figure)
Reading Safely
  - scanf("%s", myCString) is potentially unsafe
  - But you can specify the number of characters to read with %NUMBERs
  - Prevent overflow with fgets(myCString, size, stdin): it only reads in size-1 chars
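The two safe forms from the Reading Safely slide, applied to the name/authorized layout from the Overflow Memory View slides, as an added example that is not code from the slides. The struct is constructed to mirror the 8-byte name with the flag right behind it (the slides' binary also has three bytes of padding between them, which is why "aaaaaaaab" does not reach the flag there but "aaaaaaaabbbb" does). fmemopen, a POSIX function, stands in for stdin so the program runs without interaction; the unsafe scanf("%s") form is shown only in a comment.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>

/* Prototype for the POSIX fmemopen, in case the compiler's default feature
 * set does not expose it through <stdio.h>. */
FILE *fmemopen(void *buf, size_t size, const char *mode);

/* Constructed layout mirroring the slides: 8-byte name, flag right behind it. */
struct login {
    char name[8];
    char authorized;
};

/* The unsafe form from the slides would be:
 *     scanf("%s", s->name);
 * "%s" stops only at whitespace, so "aaaaaaaabbbb" runs past name[8]
 * and overwrites whatever follows, here the flag. Deliberately not used. */

/* Bounded scanf: "%7s" reads at most 7 chars (sizeof name - 1), leaving
 * room for the terminating NUL. The width must be a literal in the format. */
int read_name_scanf(struct login *s, const char *input) {
    memset(s, 0, sizeof *s);
    return sscanf(input, "%7s", s->name) == 1;
}

/* fgets(buf, size, stream) reads at most size-1 chars and always
 * NUL-terminates; fmemopen turns the constructed input into a stream. */
int read_name_fgets(struct login *s, const char *input) {
    memset(s, 0, sizeof *s);
    FILE *in = fmemopen((void *)input, strlen(input), "r");
    if (in == NULL) return 0;
    char *got = fgets(s->name, sizeof s->name, in);
    fclose(in);
    if (got == NULL) return 0;
    s->name[strcspn(s->name, "\n")] = '\0';   /* strip the newline fgets keeps */
    return 1;
}

/* Accessors returning values that can be checked directly. */
size_t name_len_scanf(const char *input) { struct login s; read_name_scanf(&s, input); return strlen(s.name); }
int flag_after_scanf(const char *input)  { struct login s; read_name_scanf(&s, input); return s.authorized; }
size_t name_len_fgets(const char *input) { struct login s; read_name_fgets(&s, input); return strlen(s.name); }
int flag_after_fgets(const char *input)  { struct login s; read_name_fgets(&s, input); return s.authorized; }

int main(void) {
    /* Constructed inputs matching the slides' memory-view examples. */
    const char *inputs[] = { "Andrew", "aaaaaaaab", "aaaaaaaabbbb" };
    for (int i = 0; i < 3; i++) {
        struct login a, b;
        read_name_scanf(&a, inputs[i]);
        read_name_fgets(&b, inputs[i]);
        printf("input %-13s scanf(\"%%7s\") -> name=\"%s\" flag=%d | fgets -> name=\"%s\" flag=%d\n",
               inputs[i], a.name, a.authorized, b.name, b.authorized);
    }
    return 0;
}
```

With either bounded read the flag stays 0 for all three inputs and the name is truncated to 7 characters; the difference to remember is that "%7s" leaves the unread characters in the stream for the next read, while fgets stops at a newline and keeps it in the buffer, which is why the example strips it.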