Presentation is loading. Please wait.

Presentation is loading. Please wait.

Introduction to Intel x86-64 Assembly, Architecture, Applications, & Alliteration Xeno Kovah – 2014 xkovah at gmail.

Published byἘλισάβετ Καλάρης Modified over 5 years ago

Similar presentations

Presentation on theme: "Introduction to Intel x86-64 Assembly, Architecture, Applications, & Alliteration Xeno Kovah – 2014 xkovah at gmail."— Presentation transcript:

1 Introduction to Intel x86-64 Assembly, Architecture, Applications, & Alliteration
Xeno Kovah – 2014 xkovah at gmail

2 All materials is licensed under a Creative Commons “Share Alike” license.
Attribution condition: You must indicate that derivative work "Is derived from Xeno Kovah's ‘Intro x86-64’ class, available at Attribution condition: You must indicate that derivative work "Is derived from Xeno Kovah's 'Intro x86-64’ class, available at

3 Are you ready to feel the POWER (buffer over)flow through you?!?!
53

4 BasicBufferOverflow.c: Don’t be lame! Force it to call AwesomeSauce()!
#include <stdio.h> #include <stdlib.h> #include <string.h> int lame(__int64 value){ __int64 array1[4]; __int64 array2[4]; array2[0] = array2[1] = array2[2] = array2[3] = value; memcpy(&array1, &array2, 4 * sizeof(__int64)); return 1; } int lame2(__int64 size, __int64 value){ memcpy(&array1, &array2, size * sizeof(__int64)); void AwesomeSauce(){ printf("Awwwwwww yeaaahhhhh! All awesome, all the time!\n"); int main(unsigned int argc, char ** argv){ __int64 size, value; size = _strtoi64(argv[1], "", 10); value = _strtoi64(argv[2], "", 16); if(!lame(value) || !lame2(size,value)){ AwesomeSauce(); else{ printf("I am soooo lame :(\n"); return 0xdeadbeef; Awesome 53

5 HINT! Seriously though, make a stack diagram, it will help…

6 Lab time! 53

7 Solution Simple, right? :) 53

8 The stack looks like this at line 9 in lame() before the memcpy():
`0012FE80 arg1 = ecx = value `0012FE78 return address = f0 `0012FE70 undef `0012FE68 array2[3] = undef `0012FE60 array2[2] = undef `0012FE58 array2[1] = undef `0012FE50 array2[0] = undef `0012FE48 array1[3] = value `0012FE40 array1[2] = value `0012FE38 array1[1] = value `0012FE30 array1[0] = value RSP+0x20

9 The stack looks like this at line 10 in lame() after the memcpy():
`0012FE80 arg1 = ecx = value `0012FE78 return address = f0 `0012FE70 undef `0012FE68 array2[3] = value `0012FE60 array2[2] = value `0012FE58 array2[1] = value `0012FE50 array2[0] = value `0012FE48 array1[3] = value `0012FE40 array1[2] = value `0012FE38 array1[1] = value `0012FE30 array1[0] = value RSP+0x20

10 but still actually = value
The stack looks like this at line 17 in lame2() before the memcpy(): addresses look familiar? `0012FE80 arg1 = ecx = value `0012FE78 return address = f0 `0012FE70 undef `0012FE68 array2[3] = “undef” but still actually = value `0012FE60 array2[2] = “undef” `0012FE58 array2[1] = “undef” `0012FE50 array2[0] = “undef” `0012FE48 array1[3] = value `0012FE40 array1[2] = value `0012FE38 array1[1] = value `0012FE30 array1[0] = value RSP+0x20

11 The stack looks like this at line 17 in lame2() before the memcpy():
addresses look familiar? `0012FE80 arg1 = ecx = value `0012FE78 return address = value! WINNER! `0012FE70 value `0012FE68 array1[3] = value `0012FE60 array1[2] = value `0012FE58 array1[1] = value `0012FE50 array1[0] = value `0012FE48 `0012FE40 `0012FE38 `0012FE30 So set the size to 6 QWORDs to copy, and set the value to the address of AwesomeSauce() and collect your winner winner chicken dinner! RSP+0x20

12 Exploit mitigations This is a good example of how MS’s compiler has exploit mitigations baked in. I was trying to just take my old, simple, and explicitly exploitable piece of code and port it to x86-64. But when I would put my buffers so that the big one would overwrite the small one, it placed the big buffer next to the stack pointer. This is smart since presumably writes will tend to be from the small to the big. But even if it’s from the big to the small, it still won’t naturally overflow into the stack pointer with contents from the buffer

13 Exploit mitigations 2 params params params params params params
return address return address return address big buffer return address return address big buffer big buffer big buffer big buffer return address big buffer small buffer small buffer big buffer big buffer small buffer small buffer small buffer small buffer small buffer

14 True power can not be had so simply, novice…
NX, ASLR, SEHOP…all these would stand in your way. For a taste of true power, you must start start down a different path…a darker path

Download ppt "Introduction to Intel x86-64 Assembly, Architecture, Applications, & Alliteration Xeno Kovah – 2014 xkovah at gmail."

Similar presentations

Exploring Security Vulnerabilities by Exploiting Buffer Overflow using the MIPS ISA Andrew T. Phillips Jack S. E. Tan Department of Computer Science University.

Exploring Security Vulnerabilities by Exploiting Buffer Overflow using the MIPS ISA Andrew T. Phillips Jack S. E. Tan Department of Computer Science University.
Stack buffer overflow.

Stack buffer overflow.
Stack buffer overflow http://en.wikipedia.org/wiki/Stack_buffer_overflow.

Stack buffer overflow
Computer Security Buffer Overflow lab Eu-Jin Goh.

Computer Security Buffer Overflow lab Eu-Jin Goh.
Some Example C Programs. These programs show how to use the exec function.

Some Example C Programs. These programs show how to use the exec function.
University of Washington CSE 351 : The Hardware/Software Interface Section 5 Structs as parameters, buffer overflows, and lab 3.

University of Washington CSE 351 : The Hardware/Software Interface Section 5 Structs as parameters, buffer overflows, and lab 3.
Buffer overflows.

Buffer overflows.
Exploiting Buffer Overflows on AIX/PowerPC HP-UX/PA-RISC Solaris/SPARC.

Exploiting Buffer Overflows on AIX/PowerPC HP-UX/PA-RISC Solaris/SPARC.
Buffer Overflows Lesson 14. Example of poor programming/errors Buffer Overflows result of poor programming practice use of functions such as gets and.

Buffer Overflows Lesson 14. Example of poor programming/errors Buffer Overflows result of poor programming practice use of functions such as gets and.
Variables, Functions & Parameter Passing CSci 588 Fall 2013 All material not from online sources copyright © Travis Desell, 2011.

Variables, Functions & Parameter Passing CSci 588 Fall 2013 All material not from online sources copyright © Travis Desell, 2011.
What is exactly Exploit writing?  Writing a piece of code which is capable of exploit the vulnerability in the target software.

What is exactly Exploit writing?  Writing a piece of code which is capable of exploit the vulnerability in the target software.
CS415 C++ Programming Takamitsu Kawai 304-293-0405 x4212 G11 CERC building WV Virtual Environments Lab West Virginia University.

CS415 C++ Programming Takamitsu Kawai x4212 G11 CERC building WV Virtual Environments Lab West Virginia University.
CS 155 Section 1 PP1 Eu-Jin Goh. Setting up Environment Demo.

CS 155 Section 1 PP1 Eu-Jin Goh. Setting up Environment Demo.
Chapter 10 Chapter 10 Implementing Subprograms. Implementing Subprograms  The subprogram call and return operations are together called subprogram linkage.

Chapter 10 Chapter 10 Implementing Subprograms. Implementing Subprograms  The subprogram call and return operations are together called subprogram linkage.
“Success consists of going from failure to failure without loss of enthusiasm.” Winston Churchill.

“Success consists of going from failure to failure without loss of enthusiasm.” Winston Churchill.
BIG DATA Initiative SMART SubstationBig Data Solution.

BIG DATA Initiative SMART SubstationBig Data Solution.
Content Coverity Static Analysis Use cases of Coverity Examples

Content Coverity Static Analysis Use cases of Coverity Examples
Buffer Overflow By Collin Donaldson.

Buffer Overflow By Collin Donaldson.
Sabrina Wilkes-Morris CSCE 548 Student Presentation

Sabrina Wilkes-Morris CSCE 548 Student Presentation
LINKED LISTS.

LINKED LISTS.

Similar presentations

Ads by Google