Exploiting Memory Overflows


This presentation is designed to provide a basic overview of the following: System Organization, Memory Organization, Stack Organization (For Function Calls), A Vulnerable C Program, Exploiting Buffer Overflow

Published in: Education, Technology, Business

  1. Exploiting Memory Overflows
  2. Action Plan: System Organization Basics
  3. Memory Organization Basics
  4. Buffer Overflow Basics
  5. Demo
  6. Heap Overflow Basics
  7. Demo
  8. System Organization Basics (diagram: CPU, System Bus, A/D/C lines)
  9. Numbering Systems (the same value written in each base): Octal: 33; Hexadecimal: 1B; Binary: 11011; Decimal: 27
  10. Data Representations: Bit: 1 bit (0/1); Nibble: 4 bits (0-15)
  11. Byte: 8 bits (0-255)
  12. Word: 16 bits (0-65535)
  13. Double Word (DWORD): 32 bits (0-4294967295); Quad Word (QWORD): 64 bits (0-18446744073709551615) (diagram: one sample value per width, NIBBLE 4 bits = 10, BYTE 8 bits = 148, WORD 16 bits = 33,373, DWORD 32 bits = 1,881,526,604)
  14. Memory Organization Basics (diagram: MSB-to-LSB bit numbering and the byte order of 0x2A, 0x6D20 and 0x461DAB69 in memory. Little Endian (Intel x86, x86_64) stores the least significant byte at the lowest address: 0x6D20 as 20 6D, 0x461DAB69 as 69 AB 1D 46. Big Endian (Motorola) stores the most significant byte first: 0x6D20 as 6D 20, 0x461DAB69 as 46 1D AB 69. A single byte such as 0x2A looks the same in both.)
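Added example, not from the deck: a C encoder/decoder for the two byte orders on this slide, generalized to the BYTE, WORD, DWORD and QWORD widths of the previous slide, plus a check of which order the host CPU itself uses. The names encode, decode and host_is_little_endian are my own.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Write the low `width` bytes of v (1, 2, 4 or 8: BYTE, WORD, DWORD, QWORD).
 * little = 1: least significant byte first (Intel x86 / x86_64).
 * little = 0: most significant byte first (Motorola). */
void encode(uint64_t v, int width, int little, uint8_t *out) {
    for (int i = 0; i < width; i++) {
        int shift = little ? 8 * i : 8 * (width - 1 - i);
        out[i] = (uint8_t)(v >> shift);
    }
}

/* Inverse of encode(): rebuild the value from `width` bytes in that order. */
uint64_t decode(const uint8_t *in, int width, int little) {
    uint64_t v = 0;
    for (int i = 0; i < width; i++) {
        int shift = little ? 8 * i : 8 * (width - 1 - i);
        v |= (uint64_t)in[i] << shift;
    }
    return v;
}

/* 1 if this CPU stores the low byte of a word at the lowest address. */
int host_is_little_endian(void) {
    uint32_t probe = 0x2A;            /* MSB..LSB: 00 00 00 2A */
    uint8_t first;
    memcpy(&first, &probe, 1);        /* the byte at the lowest address */
    return first == 0x2A;
}

int main(void) {
    uint8_t b[4];
    encode(0x461DAB69u, 4, 1, b);
    printf("LE: %02X %02X %02X %02X\n", b[0], b[1], b[2], b[3]);
    encode(0x461DAB69u, 4, 0, b);
    printf("BE: %02X %02X %02X %02X\n", b[0], b[1], b[2], b[3]);
    printf("this host is %s-endian\n", host_is_little_endian() ? "little" : "big");
    return 0;
}
```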
  15. CPU Registers
     • EAX – Accumulator, used for default operands and results
     • EBX – Base, used to store pointers to data
     • ECX – Counter, used to count up or down
     • EDX – Data, used as an I/O pointer
     • EIP – Instruction Pointer, points to the next instruction
     • Flags – Holds the result of the latest operation
     • CS – Code Segment, points to the code segment
     • ES – Extra Segment, points to the extra segment
     • SS – Stack Segment, points to the stack segment
     • DS – Data Segment, points to the data segment
     • EBP – Base Pointer, points to the base of the stack frame
     • ESP – Stack Pointer, points to the top of the stack frame
     • EDI – Destination Index, points to the data destination
     • ESI – Source Index, points to the source for data
  16. Segmentation (diagram: memory from LOW to HIGH divided into segments of size 0x100 starting at 0x100, 0x200, 0x300 and 0x400, labelled ES, SS, DS and CS; ESP and EBP are shown relative to SS, EIP relative to CS, and EDX, EBX, ESI and EDI relative to DS and ES)
  17. Buffer Overflow Basics – Stack Operations
     • PUSH – Subtract 4 from ESP and put the new value at that address
     • POP – Add 4 to ESP
     (diagram: a stack of 4-byte slots at addresses 0 to 56 with EBP and ESP marked, tracing ESP through PUSH 1A, PUSH CF, PUSH 09, POP and PUSH AC while EBP stays fixed; the stack grows towards lower addresses)
  18. Function Calls and Stack (diagram: stack frames laid out from HIGH to LOW as main() calls fun1(), fun1() calls fun2(), fun2() returns to fun1() and fun1() returns to main(); the stack grows towards lower addresses)
  19. Stack Organization for Function Calls
     int fun (int arg1, int arg2) { int lvar1 = arg1 + arg2; return lvar1; }
     int main () { int local_var1; fun (arg1, arg2); }
     (diagram: 4-byte slots at addresses 0 to 56; from high to low addresses: local_var1 in main's frame, then arg2, arg1, RETN ADDR, OLD EBP and lvar1, with EBP and ESP bounding fun's frame)
  20. Stack Organization for Function Calls
     int add (int a, int b) { int c = a + b; return c; }
     int main () { int x = 18; add (3, 6); }
     (diagram: the same layout with concrete values: x=18 in main's frame, then the arguments 6 and 3, the return address RA=999, the saved OLD EBP=48 and the local c=9)
  21. Buffer Overflow Example
     #include <string.h>
     int vuln (char *argv) { char buf[80]; int a = 9; strcpy (buf, argv); return a; }
     int main (int argc, char **argv) { int x = 6; vuln (argv[1]); }
     (diagram: 4-byte stack slots at addresses 104 to 220 with EBP and ESP bounding vuln's frame)
  22. Buffer Overflow Example: the same program run with python -c 'print "A"*80' as argv[1] (diagram: the stack after this copy)
  23. Buffer Overflow Example: the same program run with python -c 'print "A"*84' as argv[1] (diagram: the stack after this copy)
  24. Buffer Overflow Example: the same program run with python -c 'print "A"*88' as argv[1] (diagram: the stack after this copy)
  25. So, you can overflow a buffer... now what? Sky is the limit...! Well, not really :) Let's just dig deep and see what exactly the scope of such a vulnerability is.
  26. (diagram: vuln's stack frame before and after the overflow; the RTN ADDR slot now holds 41414141, and EIP is shown as 00000120 and as 41414141: GAME OVER! SIGSEGV)
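Added example, not from the deck: a C model of the vuln() stack frame from slides 21 to 26, built on a plain byte array so the effect of copying 80, 84 and 88 bytes can be checked without corrupting real memory, followed by the bounded copy that would have prevented it. It assumes the frame layout the slides draw (buf[80], then the saved EBP, then the return address) and leaves out the local a, whose placement is compiler-dependent; the saved EBP and return address values are constructed placeholders, and the function names are my own.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define BUF_SIZE  80
#define SAVED_EBP 0x00000120u   /* constructed placeholder for main's EBP */
#define RET_ADDR  0x08048456u   /* constructed placeholder return address */
/* Frame as drawn on the slides: buf[80], saved EBP, return address, plus one
 * spare byte so strcpy's terminating NUL always has somewhere to land. */
#define FRAME_SIZE (BUF_SIZE + 4 + 4 + 1)

/* Intel byte order: least significant byte at the lowest address. */
static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void write_le32(uint8_t *p, uint32_t v) {
    for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i));
}

/* Model of vuln() fed n_a 'A's (python -c 'print "A"*n_a'): write the bytes
 * and the NUL into buf exactly as strcpy would, then return the value a ret
 * would pop into EIP. *ebp_out (may be NULL) receives the saved-EBP slot. */
uint32_t simulate_vuln(int n_a, uint32_t *ebp_out) {
    uint8_t frame[FRAME_SIZE];
    memset(frame, 0, sizeof frame);
    write_le32(frame + BUF_SIZE, SAVED_EBP);
    write_le32(frame + BUF_SIZE + 4, RET_ADDR);
    if (n_a > FRAME_SIZE - 1) n_a = FRAME_SIZE - 1;  /* keep the model in bounds */
    memset(frame, 'A', (size_t)n_a);                 /* the copied characters  */
    frame[n_a] = '\0';                               /* strcpy's terminator    */
    if (ebp_out) *ebp_out = read_le32(frame + BUF_SIZE);
    return read_le32(frame + BUF_SIZE + 4);
}

/* Hardened counterpart of the strcpy: reject input that does not fit with
 * its terminator instead of letting it run into the saved registers. */
int safe_copy(char *dst, size_t dst_size, const char *src) {
    size_t len = strlen(src);
    if (len >= dst_size) return -1;
    memcpy(dst, src, len + 1);
    return 0;
}

int main(void) {
    for (int n = 80; n <= 88; n += 4) {
        uint32_t ebp, eip = simulate_vuln(n, &ebp);
        printf("%d x 'A': saved EBP=%08x  EIP=%08x\n", n, ebp, eip);
    }
    return 0;
}
```

Because strcpy also writes the terminating NUL, even exactly 80 bytes of input clobber the low byte of the slot above buf; 84 bytes replace the saved EBP with 41414141 and zero the low byte of the return address, and 88 bytes replace the return address itself.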
  27. Finally, it's time to witness some live action...!
  28. That's all folks!!! Ready with your questions? Start firing them, now...