Presentation is loading. Please wait.

Presentation is loading. Please wait.

HACKING The art of exploitation. CONTENTS  0x250 – Getting your hands dirty   The Bigger Picture (0x251)  The x86 Processor (0x252)  Assembly Language.

Similar presentations


Presentation on theme: "HACKING The art of exploitation. CONTENTS  0x250 – Getting your hands dirty   The Bigger Picture (0x251)  The x86 Processor (0x252)  Assembly Language."— Presentation transcript:

1 HACKING The art of exploitation

2 CONTENTS  0x250 – Getting your hands dirty   The Bigger Picture (0x251)  The x86 Processor (0x252)  Assembly Language (0x253)  0x260 – Back to basics  0x270 – Memory segmentation

3 0X250 – GETTING YOUR HANDS DIRTY   Environment  Language- C  OS - Linux (live cd)  just put the usb, and reboot your computer  compiler – GCC(GNU Compiler Collection)  Translate c into machine language  CPU - x86  Virtual Machine: Virtual Box

4 FIRSTPROG.C  gcc firstprog.c  Result: a.out  Main execution begins in main  #include  Adds header file to the program when compiled  ‘printf’ is in /usr/include/stdio.h

5 0X251 – BIGGER PICTURE  C code can’t actually do anything  until it’s compiled into an executable binary file.  Binary file is what actually gets executed in the real world  CPU(x86) can read a.out

6 TO EXAMINE COMPILED BINARIES  “objdump” Memory Address Machine Language Assembly language (Intel syntax)

7 GDB  Debugger included in GNU  “A programmer who has never used a debugger to look at the inner workings of a program is like a seventeenth-century doctor who has never used a microscope.”  Debugger can view the execution from all angles, pause it, and change anything along the way

8 GDB CONFIGURATION & OPTION  Disassembly syntax can be set to intel  gcc with –g flag  To include extra debugging information  Give gdb access to the source code

9 INTEL SYNTAX  Operation,  ex. Move ebp, esp   Will either be a register, a memory, address, or a value

10 IN LECTURE SLIDES (CH01)  GDB command summary  (gdb) help (gdb) help disass  (gdb) list (gdb) list 1,20  (gdb) disass main (gdb) disass /mr main  (gdb) info registers (or i r ) ; display x86 registers  Examples: (gdb) i r (gdb) i r $eip  (gdb) x ; examine  (gdb) x/10i $eip ; display 10 instructions from eip  (gdb) x/2x $eip ; display 2 words (4 bytes) in hex. B (byte), h (halfword), w (word, 4B), g (8B)  (gdb) nexti ; execute 1 machine instruction. Will step into subfunctions  (gdb) stepi ; execute 1 machine instruction. Will not enter subfunctions  (gdb) next ; step program  (gdb) step ; step program until it reaches a different source line

11 0X252 THE X86 PROCESSOR  X86 processor has several registers  Internal variables for the processor

12 REGISTERS  EAX, ECX, EDX, and EBX  General purpose registers  Accumulator, Counter, Data, Base  Mainly, act as Temporary variables for the CPU  ESP, EBP, ESI, and EDI  General purpose registers  Stack Pointer, Base Pointer, Source Index, Destination Index  EIP – Instruction pointer  EFLAGS consists of several bit flags  Used for comparison and memory segments  X86 processor has several registers  Internal variables for the processor

13 0X253 ASSEMBLY LANGUAGE  Firstprog.c Functional prologue gen by the compiler to set up mem for the rest of the main’s local variable Runnig Example with List Break x/ I r Nexti Print cont

14 X/?  O : octal  X: hexadecimal  U: unsigned int  T: binary  I: instruction  S:String  B: single byte  W: word, 4bytes in size

15 SOMETHING ODD  GDB is smart enough to know how value are stored

16 SOMETHING ODD (2) 0x x55 +40x89 +80xE5 +120x83

17 BACK TO BASICS 0x260

18 LOW-LEVEL PROGRAMMING CONCEPTS  String  Signed, Unsigned, Long, and Shot  Pointers  Format Strings  Typecasting  Command-line arguments  Variable Scoping

19 STRING  To store “Hello, world!\n”  Char str_a[20];  1. str_a[0] = ‘H’;  2. strcpy(str_a, "Hello, world!\n"); Ia[i] 0H 1E 2L 3L 4O 5W 6, 7W 8O 9R 0L 11D 12! 13\n 140

20 SIGNED, UNSIGNED  All numerical values must be stored in binary  Unsigned value make the most sense  > 9  Two’s complement  > 4  > -4

21 SIGNED, UNSIGNED, LONG, SHORT  Variables can be declared as unsigned by prepending the keyword ‘unsigned’  unsigned int foo  In addition,  Size of variables can be extended or shortened $./a.out The 'int' data type is 4 bytes The 'unsigned int' data type is 4 bytes The 'short int' data type is 2 bytes The 'long int' data type is 4 bytes The 'long long int' data type is 8 bytes The 'float' data type is 4 bytes The 'char' data type is 1 bytes

22 POINTER  The EIP register is a pointer that “points” to the current instruction  This Idea is used in C  Pointers in C can be defined and used like any other variable type.  4byte size  *! (asterisk) &(empersand)

23 ADDRESSOF.C #include int main() { int int_var = 5; int *int_ptr; int_ptr = &int_var; // put the address of int_var into int_ptr }

24 ADDRESSOR.C WITH GDB

25 FORMAT STRINGS  A format string is just a character string with special parameter PrarmeterOutput Type %dDecimal %uUnsigned Decimal %xHexadecimal %sString ……

26 PRINTF printf("[A] Dec: %d, Hex: %x, Unsigned: %u\n", A, A, A); printf("[B] Dec: %d, Hex: %x, Unsigned: %u\n", B, B, B); printf("[field width on B] 3: '%3u', 10: '%10u', '%08u'\n", B, B, B); printf("[string] %s Address %08x\n", string, string); printf("variable A is at address: %08x\n", &A); [A] Dec: -73, Hex: ffffffb7, Unsigned: [B] Dec: 31337, Hex: 7a69, Unsigned: [field width on B] 3: '31337', 10: ' 31337', ' ' [string] sample Address bffff870 variable A is at address: bffff86c

27 TYPECASTING  Temporarily change a variable’s data type  (typecast_data_type) variable #include int main() { int a, b; float c, d; a = 13; b = 5; c = a / b; // Divide using integers. d = (float) a / (float) b; // Divide integers typecast as floats. printf("[integers]\t a = %d\t b = %d\n", a, b); printf("[floats]\t c = %f\t d = %f\n", c, d); } $ gcc typecasting.c $./a.out [integers] a = 13 b = 5 [floats] c = d =

28 COMMAND-LINE ARGUMENTS  don’t require user interaction after the program has begun execution #include int main(int arg_count, char *arg_list[]) { int i; printf("There were %d arguments provided:\n", arg_count); for(i=0; i < arg_count; i++) printf("argument #%d\t-\t%s\n", i, arg_list[i]); }

29 MEMORY SEGMENTATION 0x270

30 MEMORY SEGMENTATION  A compiled program’s memory is divided into  Text  Where the assembled machine language instructions of the program are located  Data & Bss  To store global and static program  Heap  Unfixed segment  Stack  Temporary scratch pad to store local function

31 TEXT SEGMENTATION  Contains assembled machine language instructions  The processor read the instruction (which EIP points to), executes it.  doesn’t care about the change of EIP (caused by jump, branch…)  Read-Only, Fixed size  Prevents people from modifying the code  program will be killed with the warning msg  Code can be shared among different copies of the program

32 EXECUTION LOOP CPU 1. Reads the instruction that EIP is pointing to AddressValue 0x804837a83 0x804837be4 0x804837cf0 0x804837db8 …… 0x804837a 2. Adds the byte length of the instruction to EIP 0x804837d 3. Executes the instruction that was read in step 1 4. Goes back to step 1

33 DATA AND BSS SEGMENTATION  To store global and static program  Data segment  Initialized global and static variables  Bss segment  Uninitialized global and static variables  Writable, Fixed size  Global and static variables are able to persist  Stored in their own mem seg

34 HEAP  Writable, unfixed size  Programmer can directly control  Can grow larger or smaller as needed  Malloc, free  The growth? Address 0x80497ecGlobal_ini_var 0x80497ec+4Static_ini_var 0x80497ec+12Static var 0x80497ec+16Global var 0x Heap_var ……

35 STACK  Writable, unfixed size  Temporary scratch pad  to store local function variables and context during function calls  In fact, a Stack data structure (FILO)  Push  Pop  Contains many ‘Stack frames’  The growth? Address …… 0xbffff Func’s_st_var 0xbffff834Stack_var

36 STACK FRAME  Frame pointer  EBP register : used to reference local function variables in the current stack frame  Contains  the parameters to the functions  Local variables  2 pointers  Saved frame pointer  Used to restore EBP value to its previous value  Return address (function caller)

37 RUNNING EXAMPLE  Stack_example.c  Function prologue  save the frame pointer on the stack  Save stack memory for the local function variables

38 STACK FRAME(2)  Frame pointer  EBP register : used to reference local function variables in the current stack frame  Contains  the parameters to the functions  Local variables  2 pointers  Saved frame pointer  Used to restore EBP value to its previous value  Return address (function caller)

39 BACKUP SLIDES 0x270~

40 MEMORY_SEGMENTS.C

41 MEMORY_SEGMENTS.C (RESULT) global_initialized_var is at address 0x080497ec static_initialized_var is at address 0x080497f0 static_var is at address 0x080497f8 global_var is at address 0x080497fc heap_var is at address 0x0804a008 stack_var is at address 0xbffff834 the function's stack_var is at address 0xbffff814 Address 0x80497ecGlobal_ini_var 0x80497ec+4Static_ini_var 0x80497ec+12Static var 0x80497ec+16Global var 0x Heap_var …… Address …… 0xbffff Func’s_st_var 0xbffff834Stack_var

42 HEAP_EXAMPLE.C char_ptr = (char *) malloc(mem_size); // Allocating heap memory if(char_ptr == NULL) { // Error checking, in case malloc() fails fprintf(stderr, "Error: could not allocate heap memory.\n"); exit(-1); } strcpy(char_ptr, "This is memory is located on the heap."); printf("char_ptr (%p) --> '%s'\n", char_ptr, char_ptr); printf("\t[-] freeing char_ptr's heap memory...\n"); free(char_ptr); // Freeing heap memory Address 0x80497ecGlobal_ini_var 0x80497ec+4Static_ini_var 0x80497ec+12Static var 0x80497ec+16Global var 0x Heap_var ……

43 HEAP_EXAMPLE.C (RESULT) $./heap_example 100 [+] allocating 100 bytes of memory on the heap for char_ptr char_ptr (0x804a008) --> 'This is memory is located on the heap.' [+] allocating 12 bytes of memory on the heap for int_ptr int_ptr (0x804a070) --> [-] freeing char_ptr's heap memory... [+] allocating another 15 bytes for char_ptr char_ptr (0x804a008) --> 'new memory' [-] freeing int_ptr's heap memory... [-] freeing char_ptr's heap memory... $


Download ppt "HACKING The art of exploitation. CONTENTS  0x250 – Getting your hands dirty   The Bigger Picture (0x251)  The x86 Processor (0x252)  Assembly Language."

Similar presentations


Ads by Google