Presentation is loading. Please wait.

Presentation is loading. Please wait.

Introduction to InfoSec – Recitation 2 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

Published byCollin Jackson Modified over 9 years ago

Similar presentations

Presentation on theme: "Introduction to InfoSec – Recitation 2 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)"— Presentation transcript:

1 Introduction to InfoSec – Recitation 2 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

2 Today More assembly tips Binary Patching o Tools Review of the stack Stack overflows Implementation o Tools

3 Little vs Big Endian Endian-ity is the definition of how numbers are represented in memory (or on a data bus) In the x86 architecture 0x11223344 would be represented in memory: o 44 33 22 11 Intel Architecture is little endian. (we are using little) However the same number in Big Endian would be: o 11 22 33 44 (we don’t see the bit reordering because our minimum working unit is a byte)

4 Registers Common uses: Eax – used usually for fast calculations / system call numbers /used to pass the return value or self class in c++. Ecx – used as a counter frequently. Ebp – used to store the stack frame pointer Esp – used to store the stack pointer edi/esi – used for string/buffer manipulations Ip – used to store the current instruction pointer – can not be accessed directly!

5 x86 There are lots of assembly instructions with varying sizes, and they can be used alternative to fit certain constraints. Examples: o MOV EAX, 0 o Alternatively: o XOR EAX,EAX There are also 8 bit commands to access partial registers o MOV AL, 5 There are 16 bit commands o Mov ax, 65535

6 Binary Patching Motivation: o Change the behavior of a program o Disable software protections for further analysis Examples: o Bypass checks in the program o Adding new functionality o Blocking weak/vulnerable functionality Process: o Find relevant code to modify o Understand code using reverse engineering o Find hook point in the code o Find location to insert new code without damaging the original operation or file structure as much as possible. o Divert flow from the hook point to the inserted code o Write the needed new functionality o Return the point of origin, or other appropriate point in the original code.

7 Example 1 Pre patched code: o Load input strings to compare to existing o CALL strcmp o ADD ESP,8 o TEST EAX,EAX o JZ end_of_function o LEA EBX, [address to user input command ] o PUSH EBX o LEA EBX, [address to user parameter] o CALL execv o ADD ESP,4 end_of_function: o LEAVE o RET

8 Example 1-Identify Pre patched code: o Load input strings to compare to existing o CALL strcmp o ADD ESP,8 o TEST EAX,EAX o JZ end_of_function o LEA EBX, [address to user input command ] o PUSH EBX o LEA EBX, [address to user parameter] o CALL execv o ADD ESP,4 end_of_function: o LEAVE o RET

9 Example 1-Patched Patched code: o Load input strings to compare to existing o CALL strcmp o ADD ESP,8 o TEST EAX,EAX o NOP o LEA EBX, [address to user input command ] o PUSH EBX o LEA EBX, [address to user parameter] o CALL execv o ADD ESP,4 end_of_function: o LEAVE o RET Why 2 NOPs ?

10 patch_util_gcc.py Compiles assembly and patches input binary into output binary. Parameters: o Original binary that will be patched o Output binary, this will be patch o Address.patch – code in assembly that will be compiled by gcc and put in the new binary in address which is the same as the patch. o Address2.patch – another patch Don’t forget to “chmod +x [output binary]” after creation. Running “patch_util_gcc.py empty.bin shellcode.bin 0.patch” – can be used to write shellcode.

11 va_to_offset.py Reads the FL structure and converts virtual addresses given at process startup (as shown in IDA). To the actual location in the file. An alternative solution is to search for the original code with ghex and patch it with the hex editor.

12 Example 2 Binary_patching_example_verify We will override the verification of the login, by seeking the appropriate point, which will be most easy. Create a patch and apply, verify that everything is well with IDA. Run and test and hope for the best.

13 Buffer’Os History: o First documented buffer overflows were thought of in 1972 COMPUTER SECURITY TECHNOLOGY PLANNING STUDY (Page 61)COMPUTER SECURITY TECHNOLOGY PLANNING STUDY o The first buffer overflows known in the wild were Stack’Os o Stack Overflows were widely introduced by Aleph One Phrack Magazine Issue 49 on November 8, 1996 o Title: Smashing the stack for fun and profit o http://www.phrack.org/issues.html?issue=49&id=14#article http://www.phrack.org/issues.html?issue=49&id=14#article Purpose: o Like when patching, we re-route the code to new code which adds new functionility. o We modify the behavior of a program without modifying the binary, and only by controlling the input! o Therefore we can subvert the original functionality of the code to any purpose.

14 Where does it get really interesting When the program input is from a remote connection o Example: telnet When the program has higher privileges o Example: su

15 Process Memory Abstract /------------------\ lower | | memory | Text | addresses | | |------------------| | (Initialized) | | Data | | (Uninitialized) | |------------------| | | | Stack | higher | | memory \------------------/ addresses

16 Example1.c void function(int a, int b, int c) { char buffer1[5]; char buffer2[10]; } void main() { function(1,2,3); }

17 Stack Structure bottom of top of memory memory buffer2 buffer1 sfp ret a b c <------ [ ][ ][ ][ ][ ][ ][ ] top of bottom of stack stack

18 Tools List gdb – GNU Debugger o Core dumping: gdb –core=core.dump o Ollydbg – (for windows) which we will not cover in the course. IDA o va_to_offset.py – easy program to get offset of code in orig file. gcc – the gnu compiler o For the course we have prepared an easy utility for compiling small assembly bits: patch_util_gcc.py ghex – can be used to patch the binary : o Once we have a search string to find the binary code, we can modify it Other common tools for linux debugging: o ltrace – library tracing o strace – system call tracing o Objdump – dump elf file and symbol information shellcode

19 shellcode example with interrupt calls jmp call_start # jump to the end of the code to /bin/sh start_shellcode: # label to jump back pop ebx # put point to /bin/sh in ebx xor eax,eax # zero eax, but dont use mov, because it include \x00 mov al, 0xb # system call 0xb, - execve xor ecx, ecx # clear pointer to envp int 0x80 # call a system call! xor eax,eax # ignore return and reset to zero. mov al, 0x1 # call exit system call int 0x80 call_start: call start_shellcode.string "/bin/sh"

20 GDB Quick browse si, ni – step instruction s, n – step info reg – print all registers dump memory filename startaddress stopaddress x/i address – disassemble at this address p (char *) 0x234234 – print at this address as if it was a c- string. x/bx address – print hex starting from this address c – continue r arg1 arg2 – runs the file with the specified arguments b somefunction – sets a breakpoint

21 The end

Download ppt "Introduction to InfoSec – Recitation 2 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)"

Similar presentations

Practical Malware Analysis

Practical Malware Analysis
Smashing the Stack for Fun and Profit

Smashing the Stack for Fun and Profit
Introduction to Information Security ROP – Recitation 5 nirkrako at post.tau.ac.il itamarg at post.tau.ac.il.

Introduction to Information Security ROP – Recitation 5 nirkrako at post.tau.ac.il itamarg at post.tau.ac.il.
Utilizing the GDB debugger to analyze programs Background and application.

Utilizing the GDB debugger to analyze programs Background and application.
1 ICS 51 Introductory Computer Organization Fall 2006 updated: Oct. 2, 2006.

1 ICS 51 Introductory Computer Organization Fall 2006 updated: Oct. 2, 2006.
Accessing parameters from the stack and calling functions.

Accessing parameters from the stack and calling functions.
1 Homework Reading –PAL, pp 201-216, 297-312 Machine Projects –Finish mp2warmup Questions? –Start mp2 as soon as possible Labs –Continue labs with your.

1 Homework Reading –PAL, pp , Machine Projects –Finish mp2warmup Questions? –Start mp2 as soon as possible Labs –Continue labs with your.
September 22, 2014 Pengju (Jimmy) Jin Section E

September 22, 2014 Pengju (Jimmy) Jin Section E
15-213 Recitation: Bomb Lab June 5, 2015 Dipayan Bhattacharya.

Recitation: Bomb Lab June 5, 2015 Dipayan Bhattacharya.
David Evans CS201j: Engineering Software University of Virginia Computer Science Lecture 18: 0xCAFEBABE (Java Byte Codes)

David Evans CS201j: Engineering Software University of Virginia Computer Science Lecture 18: 0xCAFEBABE (Java Byte Codes)
CS162B: Assembly and C Jacob T. Chan. Objectives ▪ System calls ▪ Relation of System calls to Assembly and C ▪ Special System Calls (exit, write, print,

CS162B: Assembly and C Jacob T. Chan. Objectives ▪ System calls ▪ Relation of System calls to Assembly and C ▪ Special System Calls (exit, write, print,
Application Security Tom Chothia Computer Security, Lecture 14.

Application Security Tom Chothia Computer Security, Lecture 14.
CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2011.

CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2011.
Fall 2008CS 334: Computer SecuritySlide #1 Smashing The Stack A detailed look at buffer overflows as described in Smashing the Stack for Fun and Profit.

Fall 2008CS 334: Computer SecuritySlide #1 Smashing The Stack A detailed look at buffer overflows as described in Smashing the Stack for Fun and Profit.
Lecture 6: Buffer Overflow CS 436/636/736 Spring 2014 Nitesh Saxena *Adopted from a previous lecture by Aleph One (Smashing the Stack for Fun and Profit)

Lecture 6: Buffer Overflow CS 436/636/736 Spring 2014 Nitesh Saxena *Adopted from a previous lecture by Aleph One (Smashing the Stack for Fun and Profit)
Carnegie Mellon Introduction to Computer Systems 15-213/18-243, spring 2009 Recitation, Jan. 14 th.

Carnegie Mellon Introduction to Computer Systems /18-243, spring 2009 Recitation, Jan. 14 th.
Buffer Overflows : An In-depth Analysis. Introduction Buffer overflows were understood as early as 1972 The legendary Morris Worm made use of a Buffer.

Buffer Overflows : An In-depth Analysis. Introduction Buffer overflows were understood as early as 1972 The legendary Morris Worm made use of a Buffer.
Introduction: Exploiting Linux. Basic Concepts Vulnerability A flaw in a system that allows an attacker to do something the designer did not intend,

Introduction: Exploiting Linux. Basic Concepts Vulnerability A flaw in a system that allows an attacker to do something the designer did not intend,
Practical Session 4. Labels Definition - advanced label: (pseudo) instruction operands ; comment valid characters in labels are: letters, numbers, _,

Practical Session 4. Labels Definition - advanced label: (pseudo) instruction operands ; comment valid characters in labels are: letters, numbers, _,
Goals: To gain an understanding of assembly To get your hands dirty in GDB.

Goals: To gain an understanding of assembly To get your hands dirty in GDB.

Similar presentations

Ads by Google