1. Week 2: Buffer Overflow
Part 1

2. Outline Buffer overflow introduction – continued
Understanding x86 executables
X86 assembly – overview
Calling conventions
Buffer overflow techniques
Change variables by overflowing them
Change the control flow by overflowing return address on the stack
Ret2libc (0x6b0)
Return oriented programming (ROP)

3. Buffer Overflow Example

6. x86 Assembly Registers Memory and addressing modes Instructions
Static data regions using .DATA directives
Memory addressing modes
Size directives (BYTE, WORD, DWORD)
Instructions
Calling convention

7. x86 Registers

8. Additional Registers QQ

9. x86 FLAGS Registers

10. x86 FLAGS Registers

11. Bit and Byte Ordering

12. Intel Assembly Each instruction is represented by
Label: mnemonic argument1, argument2, argument3
Where label presents the line
A mnemonic is a reserved name for a class of instruction opcodes which have the same function.
The operands argument1, argument2, and argument3 are optional. There may be from zero to three operands, depending on the instruction

13. Memory Modes

14. Addressing The processors use byte addressing
Intel processors support segmented addressing
Each address is specified by a segment register and byte address within the segment

15. Basic Program Execution Registers
General purpose registers
There are eight registers (note that they are not quite general purpose as some instructions assume certain registers)
Segment registers
They define up to six segment selectors
EIP register – Effective instruction pointer
EFLAGS – Program status and control register

16. General Purpose and Segment Registers

17. General Purpose Registers
EAX — Accumulator for operands and results data
EBX — Pointer to data in the DS segment
ECX — Counter for string and loop operations
EDX — I/O pointer
ESI — Pointer to data in the segment pointed to by the DS register; source pointer for string operations
EDI — Pointer to data (or destination) in the segment pointed to by the ES register; destination pointer for string operations
ESP — Stack pointer (in the SS segment)
EBP — Pointer to data on the stack (in the SS segment)

18. Alternative General Purpose Register Names

19. Registers in IA-64

20. Segment Registers

21. Operand Addressing Immediate addressing Register addressing
Maximum value allowed varies among instructions and it can be 8-bit, 16-bit, or 32-bit
Register addressing
Register addressing depends on the mode (IA-32 or IA-64)

22. Register Addressing

23. Memory Operand
Memory operand is specified by a segment and offset

24. Offset Displacement - An 8-, 16-, or 32-bit value.
Base - The value in a general-purpose register.
Index — The value in a general-purpose register.
Scale factor — A value of 2, 4, or 8 that is multiplied by the index value.

25. Effective Address

26. Effective Address Common combinations Displacement Base
Base + displacement
(Index * scale) + displacement
Base + index + displacement
Base + (Index * scale) + displacement

27. Addressing Mode Encoding

28. Fundamental Data Types

29. Example

30. Note Note that a number can be written and saved in different ways
For example, number 1234 can be represented as “1234” (as a string)
number 1234 can be represented as a two’s complement integer

31. Number 1234 in Memory

32. Pointer Data Types
Near pointer
Far pointer

33. 128-bit SIMD Data Types

34. BCD Integers
Intel also supports BCD integers, where each digit (0-9) is represented by 4 bits

35. Floating Point Numbers

36. General Purpose Instructions
Data transfer Instructions

37. Data Transfer Instructions

38. Data Transfer Instructions

39. Binary Arithmetic Instructions

40. Decimal Arithmetic Instructions

41. Logic Instructions

42. Shift and Rotate Instructions

43. Bit and Byte Instructions

44. Bit and Byte Instructions

45. Control Transfer Instructions

47. String Instructions

48. I/O Instructions
These instructions move data between the processor’s I/O ports and a register or memory

49. Enter and Leave Instructions
These instructions provide machine-language support for procedure calls in block structured languages

50. Segment Register Instructions
The segment register instructions allow far pointers (segment addresses) to be loaded into the segment registers

51. Procedure Call Types
The processor supports procedure calls in the following two different ways:
CALL and RET instructions.
ENTER and LEAVE instructions, in conjunction with the CALL and RET instructions

52. Stack

53. Calling Procedures using CALL and RET
Near call (within the current code segment)
Near return

54. Far Call and Far Return
Far Call
Far Return

55. Stack During Call and Return

56. Stack for Calling and Called Procedure

57. Parameter Passing
Passing parameters through the general-purpose registers
Can pass up to six parameters by copying the parameters to the general-purpose registers
Passing parameters on the stack
Stack can be used to pass a large number of parameters and also return a large number of values
Passing parameters in an argument list
Place the parameters in an argument list
A pointer to the argument list can then be passed to the called procedure

58. Saving Procedure State Information
The processor does not save general purpose registers
A calling procedure should explicitly save the values in any of the general-purpose registers that it will need when it resumes execution after a return
One can use PUSHA and POPA to save and restore all the general purpose registers (except ESP)

59. Calls to Other Privilege Levels

60. Procedure Calls for Block-Structured Languages
ENTER and LEAVE instructions automatically create and release, respectively, stack frames for called procedures
The ENTER instruction creates a stack frame compatible with the scope rules typically used in block-structured languages
The LEAVE instruction, which does not have any operands, reverses the action of the previous ENTER instruction

61. Enter Instruction

62. IA-32 and IA-64 Instruction Format

63. Examples of Instruction Formats

64. ADD Instructions

65. Add Instructions

66. ADD Instruction Description

67. SCAS/SCASB/SCASW/SCASD – Scan String

68. Compilation and Linking

69. Linking

70. File Format - ELF

71. Executable and Linking Format
.init - Startup
.text - String
.fini - Shutdown
.rodata - Read Only
.data - Initialized Data
.tdata - Initialized Thread Data
.tbss - Uninitialized Thread Data
.ctors - Constructors
.dtors - Destructors
.got - Global Offset Table
.bss - Uninitialized Data
See for further information about the sections

72. Memory Layout (LINUX)

73. Stack Organization

75. Stack Organization

76. Changing Local Variables by Overflowing the buffer
After all the “hard” work, we are ready to deploy the exploitation
Local variable auth_flag is at ebp-12 and the buffer is at ebp-28
We can use Perl to generate the string we need

77. Can we now call I_am_the_King function using buffer_overflow?

78. Can we now call I_am_the_King function using buffer_overflow?
How can we do it?
We just need to find out the address of the function?
In gdb, we can simply use
x/x I_am_the_King
We can also find the address using objdump
We then need to overflow the return address

79. Can we now call I_am_the_King function using buffer_overflow?
How can we do it?
We just need to find out the address of the function?
In gdb, we can simply use
x/x I_am_the_King
We can also find the address using objdump
We then need to overflow the return address
Before we do it, think about what happens after printing out the message “I am on the way to become the King of Penetration Testing.”

80. Can we now call I_am_the_King function using buffer_overflow?
How can we do it?
We just need to find out the address of the function?
In gdb, we can simply use
x/x I_am_the_King
We can also find the address using objdump
We then need to overflow the return address
Before we do it, think about what happens after printing out the message “I am on the way to become the King of Penetration Testing.”
Why? Can we fix the problem?

81. Calling a Function with a Parameter by Buffer Overflow
How about a function with a parameter?

82. Calling a function with a parameter?
How about a function with a parameter?

83. Comments
Please note the instructions used and generated are system and compiler dependent
The instructions depend on the libraries available in the system
The compiler can apply optimization techniques, which can change the order of variables allocated
Some of the local variables can even be optimized away (such as using registers only, which will be much faster)

86. Ret2LibC See 0x6b0 in the Art textbook
Also 0x331
Note that we can overflow the return address, causing the program to call other functions in the program
Note that we can also cause the program to jump into any address that is executable
Can we also call other functions (the ones in libraries and so on)?

87. Ret2LibC
Note that we can overflow the return address, causing the program to call other functions in the program
Note that we can also cause the program to jump into any address that is executable
Can we also call other functions (the ones in libraries and so on)?
Yes. A common way is to return to libc (the most commonly used C/C++ library functions)
In particular, we can try to call the system function, which can create a shell

88. Ret2LibC System function System can be used to run programs
For example, system(“/bin/sh ”) will create a shell
How can we do it?

89. Ret2LibC System function System can be used to run programs
System(“/bin/sh ”) will create a shell
How can we do it?

90. Ret2LibC from auth_overflow example

91. Return Oriented Programming

92. ROP

93. ROP

94. ROP

95. CVE-2013-3893 Internet Explorer Zero Day

96. CVE-2013-3893 Internet Explorer Zero DayQ

98. Summary
By exploiting a buffer overflow vulnerability, we can always overflow the return address
Therefore we can always change the control flow
We can call other functions in the executable file
We can jump to other instructions in the executable file
We can call functions in libraries (such as return to libc)
We can also change the values of local variables allocated higher than the buffer on the stack
If the stack is executable, we can also inject (malicious) instructions on the stack
We will cover it next time (Sections 0x330, 0x510, 0x511, 0x520, and 0x530)

99. Before Class Discussion

100. Before Class Discussion
2015 Chrysler Next Generation Midsize Sedan.

101. Before Class Discussion

102. Before Class Discussion

103. Citations