Presentation is loading. Please wait.

Presentation is loading. Please wait.

The art of exploitation

Published byGeoffrey Sell Modified over 9 years ago

Similar presentations

Presentation on theme: "The art of exploitation"— Presentation transcript:

1 The art of exploitation
Hacking The art of exploitation

2 Contents 0x250 – Getting your hands dirty  The Bigger Picture (0x251)
The x86 Processor (0x252) Assembly Language (0x253) 0x260 – Back to basics 0x270 – Memory segmentation

3 0x250 – Getting your hands dirty 
Environment Language- C OS - Linux (live cd) just put the usb, and reboot your computer compiler – GCC(GNU Compiler Collection) Translate c into machine language CPU - x86 Virtual Machine: Virtual Box

4 firstprog.c gcc firstprog.c Result: a.out
Main execution begins in main #include <stdio.h> Adds header file to the program when compiled ‘printf’ is in /usr/include/stdio.h

5 0x251 – Bigger Picture C code can’t actually do anything
until it’s compiled into an executable binary file. Binary file is what actually gets executed in the real world CPU(x86) can read a.out

6 To examine compiled binaries
“objdump” Memory Address Machine Language Assembly language (Intel syntax)

7 GDB Debugger included in GNU
“A programmer who has never used a debugger to look at the inner workings of a program is like a seventeenth-century doctor who has never used a microscope.” Debugger can view the execution from all angles, pause it, and change anything along the way

8 GDB configuration & option
Disassembly syntax can be set to intel gcc with –g flag To include extra debugging information Give gdb access to the source code

9 Intel syntax Operation <destination>, <source>
ex. Move ebp, esp <destination> Will either be a register, a memory, address, or a value

10 In Lecture slides (ch01) GDB command summary
(gdb) help (gdb) help disass (gdb) list (gdb) list 1,20 (gdb) disass main (gdb) disass /mr main (gdb) info registers (or i r) ; display x86 registers Examples: (gdb) i r (gdb) i r $eip (gdb) x ; examine (gdb) x/10i $eip ; display 10 instructions from eip (gdb) x/2x $eip ; display 2 words (4 bytes) in hex. B (byte), h (halfword), w (word, 4B), g (8B) (gdb) nexti ; execute 1 machine instruction. Will step into subfunctions (gdb) stepi ; execute 1 machine instruction. Will not enter subfunctions (gdb) next ; step program (gdb) step ; step program until it reaches a different source line

11 0x252 The x86 Processor X86 processor has several registers
Internal variables for the processor

12 Registers X86 processor has several registers
Internal variables for the processor EAX, ECX, EDX, and EBX General purpose registers Accumulator, Counter, Data, Base Mainly, act as Temporary variables for the CPU ESP, EBP, ESI, and EDI Stack Pointer, Base Pointer, Source Index, Destination Index EIP – Instruction pointer EFLAGS consists of several bit flags Used for comparison and memory segments

13 0x253 Assembly Language Firstprog.c Functional prologue
gen by the compiler to set up mem for the rest of the main’s local variable Runnig Example with List Break x/ I r Nexti Print cont

14 x/? O : octal X: hexadecimal U: unsigned int T: binary I: instruction
S:String B: single byte W: word, 4bytes in size

15 Something odd GDB is smart enough to know how value are stored

16 Something odd (2) 0x 0x55 +4 0x89 +8 0xE5 +12 0x83

17 Back to basics 0x260

18 Low-level programming concepts
String Signed, Unsigned, Long, and Shot Pointers Format Strings Typecasting Command-line arguments Variable Scoping

19 String To store “Hello, world!\n” Char str_a[20]; 1. str_a[0] = ‘H’;
a[i] H 1 E 2 L 3 4 O 5 W 6 , 7 8 9 R 11 D 12 ! 13 \n 14 To store “Hello, world!\n” Char str_a[20]; 1. str_a[0] = ‘H’; 2. strcpy(str_a, "Hello, world!\n");

20 Signed, Unsigned All numerical values must be stored in binary
Unsigned value make the most sense 1001 -> 9 Two’s complement 0100 -> 4 1100 -> -4

21 Signed, Unsigned, LonG, Short
Variables can be declared as unsigned by prepending the keyword ‘unsigned’ unsigned int foo In addition, Size of variables can be extended or shortened $ ./a.out The 'int' data type is 4 bytes The 'unsigned int' data type is 4 bytes The 'short int' data type is 2 bytes The 'long int' data type is 4 bytes The 'long long int' data type is 8 bytes The 'float' data type is 4 bytes The 'char' data type is 1 bytes

22 Pointer The EIP register is a pointer that “points” to the current instruction This Idea is used in C Pointers in C can be defined and used like any other variable type. 4byte size *! (asterisk) &(empersand)

23 Addressof.c #include <stdio.h> int main() { int int_var = 5;
int *int_ptr; int_pt r = &int_var; // put the address of int_var into int_ptr }

24 Addressor.c with gdb

25 Format Strings A format string is just a character string with special parameter Prarmeter Output Type %d Decimal %u Unsigned Decimal %x Hexadecimal %s String

26 printf printf("[A] Dec: %d, Hex: %x, Unsigned: %u\n", A, A, A);
printf("[B] Dec: %d, Hex: %x, Unsigned: %u\n", B, B, B); printf("[field width on B] 3: '%3u', 10: '%10u', '%08u'\n", B, B, B); printf("[string] %s Address %08x\n", string, string); printf("variable A is at address: %08x\n", &A); [A] Dec: -73, Hex: ffffffb7, Unsigned: [B] Dec: 31337, Hex: 7a69, Unsigned: 31337 [field width on B] 3: '31337', 10: ' 31337', ' ' [string] sample Address bffff870 variable A is at address: bffff86c

27 Typecasting Temporarily change a variable’s data type
(typecast_data_type) variable #include <stdio.h> int main() { int a, b; float c, d; a = 13; b = 5; c = a / b; // Divide using integers. d = (float) a / (float) b; // Divide integers typecast as floats. printf("[integers]\t a = %d\t b = %d\n", a, b); printf("[floats]\t c = %f\t d = %f\n", c, d); } $ gcc typecasting.c $ ./a.out [integers] a = 13 b = 5 [floats] c = d =

28 Command-line arguments
don’t require user interaction after the program has begun execution #include <stdio.h> int main(int arg_count, char *arg_list[]) { int i; printf("There were %d arguments provided:\n", arg_count); for(i=0; i < arg_count; i++) printf("argument #%d\t-\t%s\n", i, arg_list[i]); }

29 Memory Segmentation 0x270

30 Memory Segmentation A compiled program’s memory is divided into Text
Where the assembled machine language instructions of the program are located Data & Bss To store global and static program Heap Unfixed segment Stack Temporary scratch pad to store local function

31 Text Segmentation Contains assembled machine language instructions
The processor read the instruction (which EIP points to), executes it. doesn’t care about the change of EIP (caused by jump, branch…) Read-Only, Fixed size Prevents people from modifying the code program will be killed with the warning msg Code can be shared among different copies of the program

32 Execution loop CPU Address Value 0x804837a 83 0x804837b e4 0x804837c
f0 0x804837d b8 0x804837d 0x804837a 1. Reads the instruction that EIP is pointing to 2. Adds the byte length of the instruction to EIP 3. Executes the instruction that was read in step 1 4. Goes back to step 1

33 Data and bss Segmentation
To store global and static program Data segment Initialized global and static variables Bss segment Uninitialized global and static variables Writable, Fixed size Global and static variables are able to persist Stored in their own mem seg

34 Heap Writable, unfixed size Programmer can directly control
Can grow larger or smaller as needed Malloc, free The growth? Address 0x80497ec Global_ini_var 0x80497ec+4 Static_ini_var 0x80497ec+12 Static var 0x80497ec+16 Global var 0x Heap_var

35 Stack Writable, unfixed size Temporary scratch pad
to store local function variables and context during function calls In fact, a Stack data structure (FILO) Push Pop Contains many ‘Stack frames’ The growth? Address 0xbffff Func’s_st_var 0xbffff834 Stack_var

36 Stack frame Frame pointer
EBP register : used to reference local function variables in the current stack frame Contains the parameters to the functions Local variables 2 pointers Saved frame pointer Used to restore EBP value to its previous value Return address (function caller)

37 Running example Stack_example.c Function prologue
save the frame pointer on the stack Save stack memory for the local function variables

38 Stack frame(2) Frame pointer
EBP register : used to reference local function variables in the current stack frame Contains the parameters to the functions Local variables 2 pointers Saved frame pointer Used to restore EBP value to its previous value Return address (function caller)

39 Backup slides 0x270~

40 Memory_segments.c

41 Memory_segments.c (result)
global_initialized_var is at address 0x080497ec static_initialized_var is at address 0x080497f0 static_var is at address 0x080497f8 global_var is at address 0x080497fc heap_var is at address 0x0804a008 stack_var is at address 0xbffff834 the function's stack_var is at address 0xbffff814 Address 0x80497ec Global_ini_var 0x80497ec+4 Static_ini_var 0x80497ec+12 Static var 0x80497ec+16 Global var 0x Heap_var Address 0xbffff Func’s_st_var 0xbffff834 Stack_var

42 Heap_example.c char_ptr = (char *) malloc(mem_size); // Allocating heap memory if(char_ptr == NULL) { // Error checking, in case malloc() fails fprintf(stderr, "Error: could not allocate heap memory.\n"); exit(-1); } strcpy(char_ptr, "This is memory is located on the heap."); printf("char_ptr (%p) --> '%s'\n", char_ptr, char_ptr); Address 0x80497ec Global_ini_var 0x80497ec+4 Static_ini_var 0x80497ec+12 Static var 0x80497ec+16 Global var 0x Heap_var printf("\t[-] freeing char_ptr's heap memory...\n"); free(char_ptr); // Freeing heap memory

43 Heap_example.c (result)
$ ./heap_example 100 [+] allocating 100 bytes of memory on the heap for char_ptr char_ptr (0x804a008) --> 'This is memory is located on the heap.' [+] allocating 12 bytes of memory on the heap for int_ptr int_ptr (0x804a070) --> 31337 [-] freeing char_ptr's heap memory... [+] allocating another 15 bytes for char_ptr char_ptr (0x804a008) --> 'new memory' [-] freeing int_ptr's heap memory... $

Download ppt "The art of exploitation"

Similar presentations

Practical Malware Analysis

Practical Malware Analysis
Dynamic Memory Allocation in C.  What is Memory What is Memory  Memory Allocation in C Memory Allocation in C  Difference b\w static memory allocation.

Dynamic Memory Allocation in C.  What is Memory What is Memory  Memory Allocation in C Memory Allocation in C  Difference b\w static memory allocation.
Machine/Assembler Language Putting It All Together Noah Mendelsohn Tufts University Web:

Machine/Assembler Language Putting It All Together Noah Mendelsohn Tufts University Web:
1 Lecture 4: Procedure Calls Today’s topics:  Procedure calls  Large constants  The compilation process Reminder: Assignment 1 is due on Thursday.

1 Lecture 4: Procedure Calls Today’s topics:  Procedure calls  Large constants  The compilation process Reminder: Assignment 1 is due on Thursday.
Gnu Debugger (GDB) Topics Overview Quick Reference Card Readings: Quick Reference Card February 7, 2012 CSCE 212Honors Computer Organization.

Gnu Debugger (GDB) Topics Overview Quick Reference Card Readings: Quick Reference Card February 7, 2012 CSCE 212Honors Computer Organization.
Utilizing the GDB debugger to analyze programs Background and application.

Utilizing the GDB debugger to analyze programs Background and application.
Prof. Necula CS 164 Lecture 141 Run-time Environments Lecture 8.

Prof. Necula CS 164 Lecture 141 Run-time Environments Lecture 8.
Debugging What can debuggers do? Run programs Make the program stops on specified places or on specified conditions Give information about current variables’

Debugging What can debuggers do? Run programs Make the program stops on specified places or on specified conditions Give information about current variables’
Memory Image of Running Programs Executable file on disk, running program in memory, activation record, C-style and Pascal-style parameter passing.

Memory Image of Running Programs Executable file on disk, running program in memory, activation record, C-style and Pascal-style parameter passing.
Outline Learning Assembly by an Example.  Program Formats  Some Simple Instructions  Assemble and Execute Learning Another Example  Data Definition.

Outline Learning Assembly by an Example.  Program Formats  Some Simple Instructions  Assemble and Execute Learning Another Example  Data Definition.
CS 536 Spring 20011 Run-time organization Lecture 19.

CS 536 Spring Run-time organization Lecture 19.
PC hardware and x86 3/3/08 Frans Kaashoek MIT

PC hardware and x86 3/3/08 Frans Kaashoek MIT
1 Homework Reading –PAL, pp 201-216, 297-312 Machine Projects –Finish mp2warmup Questions? –Start mp2 as soon as possible Labs –Continue labs with your.

1 Homework Reading –PAL, pp , Machine Projects –Finish mp2warmup Questions? –Start mp2 as soon as possible Labs –Continue labs with your.
Run-time Environment and Program Organization

Run-time Environment and Program Organization
September 22, 2014 Pengju (Jimmy) Jin Section E

September 22, 2014 Pengju (Jimmy) Jin Section E
Web siteWeb site ExamplesExamples Irvine, Kip R. Assembly Language for Intel-Based Computers, 2003. 1 Stack Operations Runtime Stack PUSH Operation POP.

Web siteWeb site ExamplesExamples Irvine, Kip R. Assembly Language for Intel-Based Computers, Stack Operations Runtime Stack PUSH Operation POP.
CEG 320/520: Computer Organization and Assembly Language ProgrammingIntel Assembly 1 Intel IA-32 vs Motorola 68000.

CEG 320/520: Computer Organization and Assembly Language ProgrammingIntel Assembly 1 Intel IA-32 vs Motorola
6.828: PC hardware and x86 Frans Kaashoek

6.828: PC hardware and x86 Frans Kaashoek
CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2011.

CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2011.
Chapter 3 Elements of Assembly Language. 3.1 Assembly Language Statements.

Chapter 3 Elements of Assembly Language. 3.1 Assembly Language Statements.

Similar presentations

Ads by Google