
Exploiting Memory Overflows

Action Plan

System Organization Basics
Memory Organization Basics
Buffer Overflow Basics
Demo
Heap Overflow Basics
Demo

System Organization Basics


Figure: the CPU, Memory and I/O Devices connected through the System Bus (A/D/C: address, data and control lines).

Numbering Systems

The same value written in four bases:

  Binary       11011
  Octal        33
  Decimal      27
  Hexadecimal  1B

Data Representations

  Bit:                  1 bit   (0/1)
  Nibble:               4 bits  (0-15)
  Byte:                 8 bits  (0-255)
  Word:                 16 bits (0-65535)
  Double Word (DWORD):  32 bits (0-4294967295)
  Quad Word (QWORD):    64 bits (0-18446744073709551615)

Figure: bit positions 15 down to 0 of a value, with example values for each unit: a NIBBLE (4 bits), a BYTE (8 bits), a WORD (16 bits) and a DWORD (32 bits). Decimal examples shown: 10 (nibble), 148 (byte), 33,373 (word), 1,881,526,604 (dword); hexadecimal examples shown: 0x2A, 0x6D20, 0x461DAB69.

Memory Organization Basics

Figure: byte order of the same values in memory, listed from the lowest address to the highest.

  Value        Little Endian (Intel x86, x86_64)   Big Endian (Motorola)
  0x461DAB69   0x69 0xAB 0x1D 0x46                 0x46 0x1D 0xAB 0x69
  0x6D20       0x20 0x6D                           0x6D 0x20
  0x2A         0x2A                                0x2A

Little endian stores the least significant byte (LSB) at the lowest address; big endian stores the most significant byte (MSB) there. A single byte such as 0x2A is the same in both. The bit rows drawn in the figure, 0 1 1 0 1 1 0 1 and 0 0 1 0 0 0 0 0, are the two bytes 0x6D and 0x20.
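The conversions from the Numbering Systems and Data Representations slides and the byte orders from the endianness figure, worked through in code. This is an added example, not code from the slides; the function names (u32_to_le, le_to_u32, to_binary, width_class, host_is_little_endian) are my own, and the values 27, 0x2A, 0x6D20 and 0x461DAB69 are the slide's examples. The security-relevant point is that bytes read from a file or the network are serialized by explicit shifts rather than by casting a byte pointer to uint32_t*, which gives the same result on every host regardless of its native byte order.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Serialize v in little-endian order: least significant byte (LSB) at
   the lowest address, the Intel x86 / x86_64 convention. */
void u32_to_le(uint32_t v, uint8_t out[4]) {
    for (int i = 0; i < 4; i++)
        out[i] = (uint8_t)(v >> (8 * i));
}

/* Serialize v in big-endian order: most significant byte (MSB) first,
   the Motorola convention (and network byte order). */
void u32_to_be(uint32_t v, uint8_t out[4]) {
    for (int i = 0; i < 4; i++)
        out[i] = (uint8_t)(v >> (8 * (3 - i)));
}

/* Parse four bytes back into a value. Shifting each byte explicitly
   works identically on little- and big-endian hosts. */
uint32_t le_to_u32(const uint8_t in[4]) {
    return (uint32_t)in[0] | ((uint32_t)in[1] << 8) |
           ((uint32_t)in[2] << 16) | ((uint32_t)in[3] << 24);
}

uint32_t be_to_u32(const uint8_t in[4]) {
    return ((uint32_t)in[0] << 24) | ((uint32_t)in[1] << 16) |
           ((uint32_t)in[2] << 8) | (uint32_t)in[3];
}

/* Byte i (0 = lowest address) of each serialization, for quick checks. */
uint8_t le_byte(uint32_t v, int i) { uint8_t b[4]; u32_to_le(v, b); return b[i]; }
uint8_t be_byte(uint32_t v, int i) { uint8_t b[4]; u32_to_be(v, b); return b[i]; }

/* 1 if this machine stores the LSB first (x86, x86_64), 0 if it is big endian. */
int host_is_little_endian(void) {
    uint32_t probe = 1;
    uint8_t raw[4];
    memcpy(raw, &probe, 4);          /* look at the bytes as the host laid them out */
    return raw[0] == 1;
}

/* Write v in base 2 without leading zeros into buf; returns buf, or NULL
   if n bytes are not enough (33 always suffice for a uint32_t). */
const char *to_binary(uint32_t v, char *buf, size_t n) {
    char tmp[33];
    size_t len = 0;
    if (v == 0) tmp[len++] = '0';
    while (v) { tmp[len++] = (char)('0' + (v & 1u)); v >>= 1; }
    if (len + 1 > n) return NULL;
    for (size_t i = 0; i < len; i++) buf[i] = tmp[len - 1 - i];
    buf[len] = '\0';
    return buf;
}

/* Smallest unit from the slide's table that can hold v. */
const char *width_class(uint64_t v) {
    if (v <= 0xFu) return "NIBBLE";
    if (v <= 0xFFu) return "BYTE";
    if (v <= 0xFFFFu) return "WORD";
    if (v <= 0xFFFFFFFFu) return "DWORD";
    return "QWORD";
}

int main(void) {
    uint8_t le[4], be[4];
    char bin[33];
    uint32_t v = 0x461DAB69u;        /* the value from the slide's figure */

    u32_to_le(v, le);
    u32_to_be(v, be);
    printf("27 = %s (bin) = %o (oct) = %d (dec) = %X (hex)\n",
           to_binary(27, bin, sizeof bin), 27, 27, 27);
    printf("0x%08X little endian: %02X %02X %02X %02X\n", v, le[0], le[1], le[2], le[3]);
    printf("0x%08X big endian:    %02X %02X %02X %02X\n", v, be[0], be[1], be[2], be[3]);
    printf("this host is %s endian\n", host_is_little_endian() ? "little" : "big");
    printf("0x2A fits in a %s, 0x6D20 in a %s, 0x%08X in a %s\n",
           width_class(0x2A), width_class(0x6D20), v, width_class(v));
    return 0;
}
```

On an x86 or x86_64 machine the two serializations differ exactly as in the figure, and host_is_little_endian() reports 1; the parsing functions return the same value on either kind of host.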

CPU Registers

  EAX    Accumulator, used for default operands and results
  EBX    Base, used to store pointers to data
  ECX    Counter, used to count up or down
  EDX    Data, used as an I/O pointer
  ESP    Stack Pointer, points to the top of the stack frame
  EBP    Base Pointer, points to the base of the stack frame
  ESI    Source Index, points to the source for data
  EDI    Destination Index, points to the data destination
  Flags  Holds the result of the latest operation
  EIP    Instruction Pointer, points to the next instruction
  CS     Code Segment, selects the code segment
  DS     Data Segment, selects the data segment
  SS     Stack Segment, selects the stack segment
  ES     Extra Segment, selects the extra segment

Segmentation

Figure: memory from LOW to HIGH addresses divided into segments of size 0x100, with the registers that address into each segment.

  Segment   Base     Registers
  CS        0x100    EIP
  DS        0x200    EDX, EBX, ESI, EDI
  SS        0x300    ESP, EBP
  ES        0x400    EDX, EBX, ESI, EDI

Buffer Overflow Basics

Stack Operations

Figure: stack cells at byte addresses 56, 52, ..., 4, 0, holding the values 1A, CF, 09 and AC; the stack grows towards lower addresses. EBP marks the base of the frame and ESP its top.

  PUSH   Subtract 4 from ESP and put the new value at that address
  POP    Add 4 to ESP

Trace of the slide's sequence, starting with EBP = ESP = 36 (EBP stays at 36 throughout; each step applies the rule above):

  Operation   ESP after   Cell written
  PUSH 1A     32          [32] = 1A
  PUSH CF     28          [28] = CF
  PUSH 09     24          [24] = 09
  POP         28          (none)
  PUSH AC     24          [24] = AC
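A small model of the PUSH/POP rules above, replaying the slide's sequence (PUSH 1A, PUSH CF, PUSH 09, POP, PUSH AC from EBP = ESP = 36). This is an added example, not code from the slides: the Stack type, STACK_TOP and the function names are my own, and the 60-byte array is a constructed stand-in for the cells at addresses 0 to 56 in the figure. Unlike real hardware it refuses a PUSH that would write below address 0 and a POP that would move ESP above EBP, so the two ways a bookkeeping error leaves ESP outside the frame are reported instead of silently corrupting memory.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model: cells at byte addresses 0, 4, ..., 56, one 32-bit
   value each. STACK_TOP is one past the highest cell. */
#define STACK_TOP 60u

typedef struct {
    uint32_t mem[STACK_TOP / 4];
    uint32_t esp;                     /* address of the top-of-stack cell */
    uint32_t ebp;                     /* base of the current frame */
} Stack;

void stack_init(Stack *s, uint32_t frame_base) {
    memset(s->mem, 0, sizeof s->mem);
    s->esp = frame_base;
    s->ebp = frame_base;
}

/* PUSH: subtract 4 from ESP, then store the value at that address.
   Returns -1 instead of writing below address 0. */
int stack_push(Stack *s, uint32_t value) {
    if (s->esp < 4) return -1;        /* stack exhausted */
    s->esp -= 4;
    s->mem[s->esp / 4] = value;
    return 0;
}

/* POP: read the cell at ESP, then add 4 to ESP. Returns -1 when nothing
   pushed in this frame is left (ESP already back at EBP). */
int stack_pop(Stack *s, uint32_t *out) {
    if (s->esp >= s->ebp) return -1;
    *out = s->mem[s->esp / 4];
    s->esp += 4;
    return 0;
}

uint32_t stack_cell(const Stack *s, uint32_t addr) {
    return s->mem[addr / 4];
}

/* Replays the slide's sequence from EBP = ESP = 36; prints each step when verbose. */
void run_trace(Stack *s, int verbose) {
    static const struct { int is_push; uint32_t v; } ops[] = {
        {1, 0x1A}, {1, 0xCF}, {1, 0x09}, {0, 0}, {1, 0xAC}
    };
    uint32_t popped = 0;
    stack_init(s, 36);
    for (size_t i = 0; i < sizeof ops / sizeof ops[0]; i++) {
        if (ops[i].is_push) stack_push(s, ops[i].v);
        else stack_pop(s, &popped);
        if (verbose) {
            if (ops[i].is_push) printf("PUSH %02X -> ", ops[i].v);
            else printf("POP (%02X) -> ", popped);
            printf("EBP=%u ESP=%u\n", s->ebp, s->esp);
        }
    }
}

uint32_t esp_after_trace(void) { Stack s; run_trace(&s, 0); return s.esp; }
uint32_t cell_after_trace(uint32_t addr) { Stack s; run_trace(&s, 0); return stack_cell(&s, addr); }

/* Edge cases: a frame based at 8 can take two pushes (to 4 and 0), the third is refused;
   a POP on an empty frame is refused. Each returns 1 when the model behaves as described. */
int exhausts_stack(void) {
    Stack s; stack_init(&s, 8);
    int a = stack_push(&s, 1), b = stack_push(&s, 2), c = stack_push(&s, 3);
    return a == 0 && b == 0 && c == -1;
}
int pops_empty_frame(void) {
    Stack s; uint32_t v; stack_init(&s, 36);
    return stack_pop(&s, &v) == -1;
}

int main(void) {
    Stack s;
    run_trace(&s, 1);
    printf("[32]=%02X [28]=%02X [24]=%02X\n",
           stack_cell(&s, 32), stack_cell(&s, 28), stack_cell(&s, 24));
    return 0;
}
```

After the five operations ESP is back at 24 and the cell at 24 holds AC, the value that replaced the popped 09.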

Function Calls and Stack

Figure: the stack (HIGH at the top, growing towards LOW addresses) during the call chain

  main() -> fun1() -> fun2() -> fun1() -> main()

Each call pushes a new frame on top of the caller's, and each return pops it again:

  main()
  main() fun1()
  main() fun1() fun2()
  main() fun1()
  main()

Stack Organization for Function Calls

Figure: frame layout at byte addresses 56 down to 0, from the highest address to the lowest:

  local_var1   main's local
  arg2         second argument to fun
  arg1         first argument to fun
  RETN ADDR    return address back into main
  OLD EBP      saved EBP of main's frame    <- EBP
  lvar1        fun's local                  <- ESP

    int fun (int arg1, int arg2) {
        int lvar1 = arg1 + arg2;   /* callee local, below the saved EBP */
        return lvar1;              /* added so the function returns a value */
    }

    int main () {
        int local_var1;
        int arg1 = 0, arg2 = 0;    /* placeholder values; the slide leaves them unspecified */
        local_var1 = fun (arg1, arg2);
        return local_var1;
    }

Stack Organization for Function Calls (with values)

Figure: the same layout at addresses 56 down to 0 with concrete values, from the highest address to the lowest:

  x=18         main's local
  6            b
  3            a
  RA=999       return address back into main
  OLD EBP=48   saved EBP of main's frame    <- EBP
  c=9          add's local (3 + 6)          <- ESP

    int add (int a, int b) {
        int c = a + b;             /* 3 + 6 = 9 */
        return c;                  /* added so the function returns a value */
    }

    int main () {
        int x = 18;
        add (3, 6);
        return x;
    }

Buffer Overflow Example

Figure: main's frame at addresses 220 down to 200, from the highest address to the lowest: x=6 | &argv[1] (the argument passed to vuln) | RA=999 (return address into main) | OLD EBP=212 <- EBP. Below it lie vuln's locals, buf[80] and then a=9, with ESP at the bottom (the figure labels this region 120 down to 104).

    #include <string.h>

    int vuln (char *argv) {
        char buf[80];
        int a = 9;
        strcpy (buf, argv);        /* unbounded copy: the length of argv is never checked */
        return a;
    }

    int main (int argc, char **argv) {
        int x = 6;
        vuln (argv[1]);            /* argv[1] is the caller-supplied input */
        return x;
    }

Buffer Overflow Example: 80 bytes of input

    python -c 'print "A"*80'

Figure: the frame after strcpy with 80 'A' characters: x=6 | &argv[1] | RA=999 | OLD EBP=212 <- EBP | AAAA ... AAAA | a=9 <- ESP. buf is filled exactly; the saved EBP and the return address are untouched.

Buffer Overflow Example: 84 bytes of input

    python -c 'print "A"*84'

Figure: x=6 | &argv[1] | RA=999 | AAAA <- EBP | AAAA ... AAAA | a=9 <- ESP. The four extra bytes run past the end of buf and overwrite the saved EBP (OLD EBP=212 is now AAAA); RA=999 is still intact.

Buffer Overflow Example: 88 bytes of input

    python -c 'print "A"*88'

Figure: x=6 | &argv[1] | AAAA | AAAA <- EBP | AAAA ... AAAA | a=9 <- ESP. Eight extra bytes overwrite both the saved EBP and the return address (RA=999 is now AAAA).
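The slide's vuln() kept as-is beside a bounded replacement, with the three input lengths from the figures replayed against the bounded version. This is an added example and not code from the slides; copy_bounded, safe_vuln and try_n_as are my own names, and the 'A' strings are constructed inline to stand in for the python -c 'print "A"*n' argument. One caveat the figures skip: strcpy also writes the terminating NUL, so even 80 characters need 81 bytes and are rejected by the bounded copy.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 80

/* The slide's vulnerable function: strcpy copies until the first NUL
   byte, so input longer than BUF_SIZE - 1 characters runs past buf into
   the saved EBP and the return address. Kept only for contrast. */
int vuln(const char *argv) {
    char buf[BUF_SIZE];
    int a = 9;
    strcpy(buf, argv);
    return a;
}

/* Hardened replacement: measure the input against the destination size
   first and reject (rather than silently truncate) anything that does not
   fit together with its terminating NUL. Returns 0 on success, -1 on bad
   arguments or oversized input; dst is left untouched on failure. */
int copy_bounded(char *dst, size_t dst_size, const char *src) {
    size_t n = 0;
    if (dst == NULL || src == NULL || dst_size == 0) return -1;
    while (n < dst_size && src[n] != '\0') n++;   /* scans at most dst_size bytes of src */
    if (n == dst_size) return -1;                 /* no room left for the NUL */
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 0;
}

/* Same shape as vuln(), with the copy bounded: returns a (9) when the
   argument fits, -1 when it would have overflowed buf. */
int safe_vuln(const char *argv) {
    char buf[BUF_SIZE];
    int a = 9;
    if (copy_bounded(buf, sizeof buf, argv) != 0) return -1;
    return a;
}

/* Constructed input of n 'A' bytes, like the slide's python one-liners. */
int try_n_as(size_t n) {
    char src[256];
    if (n >= sizeof src) return -1;
    memset(src, 'A', n);
    src[n] = '\0';
    return safe_vuln(src);
}

int main(int argc, char **argv) {
    size_t lengths[] = {79, 80, 84, 88};
    for (size_t i = 0; i < sizeof lengths / sizeof lengths[0]; i++)
        printf("%zu x 'A': %s\n", lengths[i],
               try_n_as(lengths[i]) == 9 ? "copied" : "rejected");
    if (argc > 1)
        printf("argv[1]: %s\n", safe_vuln(argv[1]) == 9 ? "copied" : "rejected");
    return 0;
}
```

The length check is the fix; as defence in depth, building with -fstack-protector-strong makes GCC place a canary between buf and the saved EBP so that an overflow like the 84- and 88-byte cases aborts the process before the corrupted return address is used, and -D_FORTIFY_SOURCE=2 turns strcpy into a checked variant where the destination size is known at compile time.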

So, you can overflow a buffer... now what? The sky is the limit! Well, not really :) Let's dig deeper and see exactly what the scope of such a vulnerability is.

Figure: main's frame at addresses 220 down to 200 after the 88-byte input: x=6 | &argv[1] | 41414141 | 41414141 <- EBP | 41414141 ... 41414141 | a=9. The saved EBP and the return address (RTN ADDR) both hold 41414141 ('AAAA' in hex). When vuln returns, EIP is loaded with 41414141, an address that is not mapped, and the process dies with SIGSEGV.

Figure: the same frame at addresses 220 down to 200 with the slide's final input: x=6 | &argv[1] | 00000120 | 90909090 <- EBP | 6851C931 D0FF77C2 93C7B854 ... 90909090 | a=9 <- ESP (the buf region is again labelled 120 down to 104). The return address now holds 00000120, which the figure places at the top of the buf region, so on return EIP = 00000120 and execution continues from the buffer contents (0x90 bytes, NOP, followed by the bytes shown). GAME OVER!

Finally, it's time to witness some live action!

That's all folks! Ready with your questions? Start firing them now...
