Exploitation Part 1
Little vs Big Endian
Big endian is the "normal" order: the most significant byte comes first, so a word reads left to right the way it is written. Little endian looks backwards: the words themselves are stored in order, but the bytes within each word are stored least significant byte first.
Little Endian Arrangement
Storing 15 (F16) followed by 258 (10216): the word holding 15 begins with the bytes 0F 00 (low byte first), and the word holding 258 begins with the bytes 02 01 00. Read the bytes of each word from right to left to recover the value.
When Endianness Matters
We see the endianness effect when:
the program stores individual bytes to memory (a char array, for instance)
we read raw bytes from a file or in a hex editor
We don't see it when:
the program stores a whole word to memory and reads it back as a whole word
objdump or the debugger interprets an instruction as a full word (it reverses the bytes for us)
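As an added example (not from the slides), the program below shows both cases the slide contrasts: a word the program stores and reads back whole looks the same on any machine, while the same word viewed byte by byte reveals the host's byte order. It also decodes the slide's two values, 15 and 258, from a constructed little-endian byte buffer in a way that does not depend on the host's own endianness, which is what you need when reading raw bytes from a file.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example (not the slides' code): visible vs. invisible endianness,
 * plus host-independent decoding of little-endian bytes. */

/* Is this host little endian? Store a word and look at its first byte. */
int host_is_little_endian(void)
{
    uint32_t w = 0x01020304u;
    uint8_t first;
    memcpy(&first, &w, 1);          /* the byte at the lowest address */
    return first == 0x04;
}

/* Byte i (0..3) of w exactly as the program stores it in memory. */
uint8_t word_byte(uint32_t w, int i)
{
    uint8_t bytes[4];
    memcpy(bytes, &w, sizeof bytes);
    return bytes[i & 3];
}

/* Decode a 32-bit word from raw little-endian bytes (a file, a packet,
 * a hex-editor view). Assembling it shift by shift makes the result
 * independent of the host's byte order. */
uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0]
         | ((uint32_t)p[1] << 8)
         | ((uint32_t)p[2] << 16)
         | ((uint32_t)p[3] << 24);
}

/* The same bytes read as big endian, to show what a wrong guess gives. */
uint32_t read_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24)
         | ((uint32_t)p[1] << 16)
         | ((uint32_t)p[2] << 8)
         | (uint32_t)p[3];
}

/* Constructed sample: the slide's values 15 (0xF) and 258 (0x102) as two
 * little-endian 32-bit words, the way they would sit in a file. */
const uint8_t sample_file[8] = {
    0x0F, 0x00, 0x00, 0x00,   /* 15  */
    0x02, 0x01, 0x00, 0x00,   /* 258 */
};

int main(void)
{
    printf("host is %s endian\n", host_is_little_endian() ? "little" : "big");

    /* Whole word stored and read back: no visible effect. */
    uint32_t w = 258;
    printf("stored 258, read back %u\n", (unsigned)w);

    /* The same word looked at byte by byte: the effect appears. */
    printf("258 in memory:");
    for (int i = 0; i < 4; i++)
        printf(" %02X", word_byte(258, i));
    printf("\n");

    /* Raw file bytes: decode with the file's byte order, not the host's. */
    printf("file word 0 as LE = %u, as BE = 0x%08X\n",
           (unsigned)read_le32(sample_file), (unsigned)read_be32(sample_file));
    printf("file word 1 as LE = %u\n", (unsigned)read_le32(sample_file + 4));
    return 0;
}
```

On a little-endian host the byte dump of 258 prints 02 01 00 00, matching the slide; on a big-endian host it prints 00 00 01 02, while read_le32 returns 258 on both, which is the point: decode file bytes by the file's byte order, never by reinterpreting a pointer.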
Tools
Tools: Source Code
If available, use it to understand program flow and to look for vectors of attack (where input is read, what size checks exist, which branches decide trust).
Tools: Debugger
Usable if we have access to the executable; helps most if it was compiled in debug mode. Step through the program and examine memory and dynamic state.
Keys:
nexti runs one machine instruction
next runs one source line (one C++ statement), stepping over any call
step only if you want to go into the function being called
Tools: Debugger
info locals lists the local variables of the current function; info args lists its arguments (C++).
Tools: Debugger
x &variableName examines memory at the variable's address.
Use /codes (count, format letter, size) to specify the format:
x &authorized      display authorized
x/xw &authorized   display authorized as a hex word
x/10c name         display name as 10 chars
x/s name           display name as a C string
Tools: objdump
Use it to view the actual machine code.
Key flags:
-d disassemble the .text section
-C demangle C++ names
-F show file offsets as well as memory addresses
Dump to a file with >:
objdump foo.exe -d -F -C > fooCode.txt
objdump
The addresses objdump prints on the left are the addresses the code will be loaded to in memory.
With -F it also shows the file offset, the address the code is at in the file.
For this binary, memory address = file offset + 0x10000, so an instruction shown at 0x10234 must be byte 0x234 = 564 in the file.
14
Compiler Tricks Push fp and lr at start, pop back into fp and lr
Moves lr to pc automatically at end
15
Compiler Tricks movw : put 16 bit value into low order bits
movt : put 16 bit value into high order bits Result
16
Tools hexeditor hexcurse Left pane hex, right ascii view
Tab to switch panes
17
Tools hexeditor hexcurse Ctrl + First letter to execute command:
Goto and type file offset (objdump) to locate line of code
18
Tools hexeditor hexcurse Data is in little endian format:
Word at this location is E9 2D 48 00
19
Binary Modification
20
Binary Modification Situation Have full access to an executable
Want behavior modified
21
Binary Modification Situation Have full access to an executable
Want behavior modified Edit the machine code! Analyze source if possible Analyze objdump Look for things to change Constants Branch conditions / targets Complete instructions to noop
22
Binary Modification Tricks: First nibble (hex char) is condition
All 0’s is no-op (ANDEQ r0, r0, r0)
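The following is an added example (not the slides' code) that carries the three preceding steps through in C: translate an objdump address to a file offset using the slides' 0x10000 base, read the little-endian instruction word the hex editor shows byte-reversed, then either rewrite its condition nibble or replace the whole word with the all-zero no-op. The 12-byte image is constructed to look like a fragment cut from the binary; LOAD_BASE and the image contents are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example (not the slides' code). Patches ARM instruction words in a
 * byte image the way you would in a hex editor. LOAD_BASE is the slides'
 * 0x10000; the sample image below is constructed. */

#define LOAD_BASE     0x10000u
#define ARM_NOP_ANDEQ 0x00000000u   /* decodes as ANDEQ r0, r0, r0 */
#define COND_EQ       0x0u
#define COND_AL       0xEu          /* "always": unconditional */

/* objdump memory address -> byte offset in the file; (size_t)-1 if below the base. */
size_t addr_to_file_offset(uint32_t addr)
{
    return addr < LOAD_BASE ? (size_t)-1 : (size_t)(addr - LOAD_BASE);
}

/* Read the 32-bit instruction stored little endian at img[off..off+3]. */
uint32_t get_insn(const uint8_t *img, size_t off)
{
    return (uint32_t)img[off] | ((uint32_t)img[off + 1] << 8)
         | ((uint32_t)img[off + 2] << 16) | ((uint32_t)img[off + 3] << 24);
}

/* Write it back little endian. Returns 0, or -1 if the word would run off the image. */
int put_insn(uint8_t *img, size_t len, size_t off, uint32_t insn)
{
    if (off > len || len - off < 4)
        return -1;
    img[off]     = (uint8_t)(insn);
    img[off + 1] = (uint8_t)(insn >> 8);
    img[off + 2] = (uint8_t)(insn >> 16);
    img[off + 3] = (uint8_t)(insn >> 24);
    return 0;
}

/* The condition field is bits 31..28: the first hex char objdump prints,
 * but the high nibble of the LAST of the four bytes in the file. */
unsigned cond_of(uint32_t insn) { return insn >> 28; }
uint32_t with_cond(uint32_t insn, unsigned c)
{
    return (insn & 0x0FFFFFFFu) | ((uint32_t)(c & 0xFu) << 28);
}

/* Constructed 12-byte image, as if cut from file offset 560 (address 0x10230):
 *   +0  E1A00000  mov r0, r0    (the usual ARM nop)
 *   +4  E92D4800  push {fp, lr} (the prologue from the compiler-tricks slide)
 *   +8  0A000003  beq, 0x14 bytes ahead (a conditional branch to patch)
 * Each word is written byte-reversed, exactly as hexcurse would show it. */
const uint8_t sample_image[12] = {
    0x00, 0x00, 0xA0, 0xE1,
    0x00, 0x48, 0x2D, 0xE9,
    0x03, 0x00, 0x00, 0x0A,
};

/* Copy the sample image, overwrite the word at off, and return what is then
 * stored there (0xFFFFFFFF if the patch was rejected as out of range). */
uint32_t patch_and_read(size_t off, uint32_t new_insn)
{
    uint8_t img[sizeof sample_image];
    memcpy(img, sample_image, sizeof img);
    if (put_insn(img, sizeof img, off, new_insn) != 0)
        return 0xFFFFFFFFu;
    return get_insn(img, off);
}

int main(void)
{
    size_t off = addr_to_file_offset(0x10234);          /* 564 */
    uint32_t push = get_insn(sample_image, off - 560);
    printf("0x10234 -> file byte %zu, word %08X, cond %X (found in file byte %02X)\n",
           off, (unsigned)push, cond_of(push), sample_image[off - 560 + 3]);

    uint32_t beq = get_insn(sample_image, 8);
    printf("beq %08X -> b %08X (condition nibble EQ -> AL)\n",
           (unsigned)beq, (unsigned)with_cond(beq, COND_AL));
    printf("push nopped: %08X\n", (unsigned)patch_and_read(4, ARM_NOP_ANDEQ));
    return 0;
}
```

Note the bounds check in put_insn: a real binary patcher that trusts the objdump-derived offset blindly will happily write past the end of a truncated file, and the `len - off < 4` form avoids the overflow that `off + 4 > len` would have for large offsets.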
23
Buffer Overflow
Buffer Overflow: Situation
No access to the executable, limited rights on the system, a remote application that accepts some form of input. Try to overflow the input buffer!
Overflow
An overflow can write over existing data or code. Here there is space for 8 chars, but scanf("%s") will read a string of any length and keep writing past the end of the buffer.
Overflow: Memory View
name is at 0x5dc and is 8 bytes; authorized is at 0x5e7, 1 byte, with three bytes of padding between them.
After entering "Andrew": the 6 characters and the terminating NUL fit inside name; authorized is untouched.
After entering "aaaaaaaab": the eight a's fill name, the b lands in the byte after it (0x5e4) and the NUL in the next one; authorized is still untouched.
After entering "aaaaaaaabbbb": the four b's cover 0x5e4 through 0x5e7, so authorized now holds 'b' (0x62), a non-zero value, and the NUL spills to 0x5e8.
Reading Safely
scanf("%s", myCString) is potentially unsafe: it reads until whitespace no matter how big the buffer is. You can specify the maximum number of characters to read with a width, %NUMBERs, e.g. "%7s" for an 8-byte buffer (the width leaves room for the NUL).
Reading Safely: Prevent Overflow
fgets(myCString, size, stdin) reads at most size - 1 chars and NUL-terminates what it read, so pass the buffer's real size. Note that it keeps the newline if one fits, so strip it if the rest of the program does not expect it.
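As an added example (not the slides' program), the C below reproduces the memory view from the Overflow slides and the two safe reads from the Reading Safely slides side by side. A struct pins the layout so the demo behaves the same on every compiler: name at +0 (the slide's 0x5dc), three padding bytes, authorized at +11 (0x5e7), and a 32-bit word standing in for whatever the compiler placed next on the real stack. The struct layout, the login_* function names and the inputs are assumptions for the demo; real stack layouts vary between builds.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen, used only to feed fgets from a string */
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Added example (not the slides' code). The struct is an assumption that
 * mirrors the slide's addresses: name +0 (0x5dc), pad, authorized +11 (0x5e7),
 * then a word for whatever follows on a real stack (e.g. the saved fp/lr). */
struct login_frame {
    char     name[8];
    char     pad[3];
    char     authorized;
    uint32_t next_word;
};

struct login_frame scratch;   /* frame reused by main and the checks */

/* UNSAFE: behaves like scanf("%s", f->name). Copies until whitespace or the
 * end of input with no idea how big name is, so long input runs through pad,
 * authorized and beyond. Writes go through a byte pointer to the whole frame
 * and stop at the frame's last byte, a guard the real scanf does not have,
 * so the demo never leaves the struct. */
int login_unsafe(const char *input, struct login_frame *f)
{
    char *dst = (char *)f;            /* name is at offset 0 */
    size_t i = 0;
    memset(f, 0, sizeof *f);
    while (input[i] != '\0' && input[i] != ' ' && input[i] != '\n'
           && i < sizeof *f - 1) {    /* demo guard only */
        dst[i] = input[i];
        i++;
    }
    dst[i] = '\0';
    return f->authorized;
}

/* SAFE 1: a width on %s. "%7s" reads at most 7 chars into the 8-byte buffer,
 * leaving room for the NUL. sscanf is used so the input can be a string;
 * the format behaves the same with scanf on stdin. */
int login_scanf_width(const char *input, struct login_frame *f)
{
    memset(f, 0, sizeof *f);
    if (sscanf(input, "%7s", f->name) != 1)
        f->name[0] = '\0';
    return f->authorized;
}

/* SAFE 2: fgets(buf, size, stream) reads at most size-1 chars and NUL-terminates.
 * fmemopen turns the sample string into a stream; with real input use stdin. */
int login_fgets(const char *input, struct login_frame *f)
{
    memset(f, 0, sizeof *f);
    FILE *in = fmemopen((void *)input, strlen(input), "r");
    if (in == NULL)
        return -1;
    if (fgets(f->name, sizeof f->name, in) == NULL)
        f->name[0] = '\0';
    fclose(in);
    f->name[strcspn(f->name, "\n")] = '\0';   /* drop the newline fgets keeps */
    return f->authorized;
}

int main(void)
{
    /* Constructed inputs: the slide's three, plus one long enough to reach next_word. */
    const char *inputs[] = { "Andrew", "aaaaaaaab", "aaaaaaaabbbb", "aaaaaaaabbbbccc" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        login_unsafe(inputs[i], &scratch);
        printf("unsafe %-16s name=%.8s authorized=0x%02X next_word=0x%08X\n",
               inputs[i], scratch.name, (unsigned char)scratch.authorized,
               (unsigned)scratch.next_word);
    }
    login_scanf_width("aaaaaaaabbbb", &scratch);
    printf("%%7s    name=%s authorized=0x%02X\n", scratch.name, (unsigned char)scratch.authorized);
    login_fgets("aaaaaaaabbbb\n", &scratch);
    printf("fgets  name=%s authorized=0x%02X\n", scratch.name, (unsigned char)scratch.authorized);
    return 0;
}
```

The unsafe path reproduces the slide exactly: "Andrew" and "aaaaaaaab" leave authorized at 0, "aaaaaaaabbbb" sets it to 0x62, and the 15-character input goes on to overwrite the word beyond it, which on a real frame is the saved register pair from the prologue. Both safe variants stop at 7 characters and leave everything past name untouched.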