The art of exploitation Hacking The art of exploitation

Contents 0x250 – Getting your hands dirty  The Bigger Picture (0x251) The x86 Processor (0x252) Assembly Language (0x253) 0x260 – Back to basics 0x270 – Memory segmentation

0x250 – Getting your hands dirty  Environment Language- C OS - Linux (live cd) just put the usb, and reboot your computer compiler – GCC(GNU Compiler Collection) Translate c into machine language CPU - x86 Virtual Machine: Virtual Box

firstprog.c gcc firstprog.c Result: a.out Main execution begins in main #include <stdio.h> Adds header file to the program when compiled ‘printf’ is in /usr/include/stdio.h

0x251 – Bigger Picture C code can’t actually do anything until it’s compiled into an executable binary file. Binary file is what actually gets executed in the real world CPU(x86) can read a.out

To examine compiled binaries “objdump” Memory Address Machine Language Assembly language (Intel syntax)

GDB Debugger included in GNU “A programmer who has never used a debugger to look at the inner workings of a program is like a seventeenth-century doctor who has never used a microscope.” Debugger can view the execution from all angles, pause it, and change anything along the way

GDB configuration & option Disassembly syntax can be set to intel gcc with –g flag To include extra debugging information Give gdb access to the source code

Intel syntax Operation <destination>, <source> ex. Move ebp, esp <destination> Will either be a register, a memory, address, or a value

In Lecture slides (ch01) GDB command summary (gdb) help (gdb) help disass (gdb) list (gdb) list 1,20 (gdb) disass main (gdb) disass /mr main (gdb) info registers (or i r) ; display x86 registers Examples: (gdb) i r (gdb) i r $eip (gdb) x ; examine (gdb) x/10i $eip ; display 10 instructions from eip (gdb) x/2x $eip ; display 2 words (4 bytes) in hex. B (byte), h (halfword), w (word, 4B), g (8B) (gdb) nexti ; execute 1 machine instruction. Will step into subfunctions (gdb) stepi ; execute 1 machine instruction. Will not enter subfunctions (gdb) next ; step program (gdb) step ; step program until it reaches a different source line

0x252 The x86 Processor X86 processor has several registers Internal variables for the processor

Registers X86 processor has several registers Internal variables for the processor EAX, ECX, EDX, and EBX General purpose registers Accumulator, Counter, Data, Base Mainly, act as Temporary variables for the CPU ESP, EBP, ESI, and EDI Stack Pointer, Base Pointer, Source Index, Destination Index EIP – Instruction pointer EFLAGS consists of several bit flags Used for comparison and memory segments

0x253 Assembly Language Firstprog.c Functional prologue gen by the compiler to set up mem for the rest of the main’s local variable Runnig Example with List Break x/ I r Nexti Print cont

x/? O : octal X: hexadecimal U: unsigned int T: binary I: instruction S:String B: single byte W: word, 4bytes in size

Something odd GDB is smart enough to know how value are stored

Something odd (2) 0x8048374 0x55 +4 0x89 +8 0xE5 +12 0x83

Back to basics 0x260

Low-level programming concepts String Signed, Unsigned, Long, and Shot Pointers Format Strings Typecasting Command-line arguments Variable Scoping

String To store “Hello, world!\n” Char str_a[20]; 1. str_a[0] = ‘H’; a[i] H 1 E 2 L 3 4 O 5 W 6 , 7 8 9 R 11 D 12 ! 13 \n 14 To store “Hello, world!\n” Char str_a[20]; 1. str_a[0] = ‘H’; 2. strcpy(str_a, "Hello, world!\n");

Signed, Unsigned All numerical values must be stored in binary Unsigned value make the most sense 1001 -> 9 Two’s complement 0100 -> 4 1100 -> -4

Signed, Unsigned, LonG, Short Variables can be declared as unsigned by prepending the keyword ‘unsigned’ unsigned int foo In addition, Size of variables can be extended or shortened reader@hacking:~/booksrc $ ./a.out The 'int' data type is 4 bytes The 'unsigned int' data type is 4 bytes The 'short int' data type is 2 bytes The 'long int' data type is 4 bytes The 'long long int' data type is 8 bytes The 'float' data type is 4 bytes The 'char' data type is 1 bytes

Pointer The EIP register is a pointer that “points” to the current instruction This Idea is used in C Pointers in C can be defined and used like any other variable type. 4byte size *! (asterisk) &(empersand)

Addressof.c #include <stdio.h> int main() { int int_var = 5; int *int_ptr; int_pt r = &int_var; // put the address of int_var into int_ptr }

Addressor.c with gdb

Format Strings A format string is just a character string with special parameter Prarmeter Output Type %d Decimal %u Unsigned Decimal %x Hexadecimal %s String …

printf printf("[A] Dec: %d, Hex: %x, Unsigned: %u\n", A, A, A); printf("[B] Dec: %d, Hex: %x, Unsigned: %u\n", B, B, B); printf("[field width on B] 3: '%3u', 10: '%10u', '%08u'\n", B, B, B); printf("[string] %s Address %08x\n", string, string); printf("variable A is at address: %08x\n", &A); [A] Dec: -73, Hex: ffffffb7, Unsigned: 4294967223 [B] Dec: 31337, Hex: 7a69, Unsigned: 31337 [field width on B] 3: '31337', 10: ' 31337', '00031337' [string] sample Address bffff870 variable A is at address: bffff86c

Typecasting Temporarily change a variable’s data type (typecast_data_type) variable #include <stdio.h> int main() { int a, b; float c, d; a = 13; b = 5; c = a / b; // Divide using integers. d = (float) a / (float) b; // Divide integers typecast as floats. printf("[integers]\t a = %d\t b = %d\n", a, b); printf("[floats]\t c = %f\t d = %f\n", c, d); } reader@hacking:~/booksrc $ gcc typecasting.c reader@hacking:~/booksrc $ ./a.out [integers] a = 13 b = 5 [floats] c = 2.000000 d = 2.600000

Command-line arguments don’t require user interaction after the program has begun execution #include <stdio.h> int main(int arg_count, char *arg_list[]) { int i; printf("There were %d arguments provided:\n", arg_count); for(i=0; i < arg_count; i++) printf("argument #%d\t-\t%s\n", i, arg_list[i]); }

Memory Segmentation 0x270

Memory Segmentation A compiled program’s memory is divided into Text Where the assembled machine language instructions of the program are located Data & Bss To store global and static program Heap Unfixed segment Stack Temporary scratch pad to store local function

Text Segmentation Contains assembled machine language instructions The processor read the instruction (which EIP points to), executes it. doesn’t care about the change of EIP (caused by jump, branch…) Read-Only, Fixed size Prevents people from modifying the code program will be killed with the warning msg Code can be shared among different copies of the program

Execution loop CPU Address Value 0x804837a 83 0x804837b e4 0x804837c f0 0x804837d b8 … 0x804837d 0x804837a 1. Reads the instruction that EIP is pointing to 2. Adds the byte length of the instruction to EIP 3. Executes the instruction that was read in step 1 4. Goes back to step 1

Data and bss Segmentation To store global and static program Data segment Initialized global and static variables Bss segment Uninitialized global and static variables Writable, Fixed size Global and static variables are able to persist Stored in their own mem seg

Heap Writable, unfixed size Programmer can directly control Can grow larger or smaller as needed Malloc, free The growth? Address 0x80497ec Global_ini_var 0x80497ec+4 Static_ini_var 0x80497ec+12 Static var 0x80497ec+16 Global var 0x80497+28 Heap_var …

Stack Writable, unfixed size Temporary scratch pad to store local function variables and context during function calls In fact, a Stack data structure (FILO) Push Pop Contains many ‘Stack frames’ The growth? Address … 0xbffff834 - 32 Func’s_st_var 0xbffff834 Stack_var

Stack frame Frame pointer EBP register : used to reference local function variables in the current stack frame Contains the parameters to the functions Local variables 2 pointers Saved frame pointer Used to restore EBP value to its previous value Return address (function caller)

Running example Stack_example.c Function prologue save the frame pointer on the stack Save stack memory for the local function variables

Stack frame(2) Frame pointer EBP register : used to reference local function variables in the current stack frame Contains the parameters to the functions Local variables 2 pointers Saved frame pointer Used to restore EBP value to its previous value Return address (function caller)

Backup slides 0x270~

Memory_segments.c

Memory_segments.c (result) global_initialized_var is at address 0x080497ec static_initialized_var is at address 0x080497f0 static_var is at address 0x080497f8 global_var is at address 0x080497fc heap_var is at address 0x0804a008 stack_var is at address 0xbffff834 the function's stack_var is at address 0xbffff814 Address 0x80497ec Global_ini_var 0x80497ec+4 Static_ini_var 0x80497ec+12 Static var 0x80497ec+16 Global var 0x80497+28 Heap_var … Address … 0xbffff834 - 32 Func’s_st_var 0xbffff834 Stack_var

Heap_example.c char_ptr = (char *) malloc(mem_size); // Allocating heap memory if(char_ptr == NULL) { // Error checking, in case malloc() fails fprintf(stderr, "Error: could not allocate heap memory.\n"); exit(-1); } strcpy(char_ptr, "This is memory is located on the heap."); printf("char_ptr (%p) --> '%s'\n", char_ptr, char_ptr); Address 0x80497ec Global_ini_var 0x80497ec+4 Static_ini_var 0x80497ec+12 Static var 0x80497ec+16 Global var 0x80497+28 Heap_var … printf("\t[-] freeing char_ptr's heap memory...\n"); free(char_ptr); // Freeing heap memory

Heap_example.c (result) reader@hacking:~/booksrc $ ./heap_example 100 [+] allocating 100 bytes of memory on the heap for char_ptr char_ptr (0x804a008) --> 'This is memory is located on the heap.' [+] allocating 12 bytes of memory on the heap for int_ptr int_ptr (0x804a070) --> 31337 [-] freeing char_ptr's heap memory... [+] allocating another 15 bytes for char_ptr char_ptr (0x804a008) --> 'new memory' [-] freeing int_ptr's heap memory... reader@hacking:~/booksrc $