Local Exploits

  • 236 views
Uploaded on

 

More in: Technology
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
    Be the first to like this
No Downloads

Views

Total Views
236
On Slideshare
0
From Embeds
0
Number of Embeds
0

Actions

Shares
Downloads
0
Comments
0
Likes
0

Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
    No notes for slide

Transcript

  • 1. Seguretat Local exploits v2011/01 Carles Mateu i Ramon Bèjar Departament d'Informàtica i Enginyeria Industrial Universitat de Lleida
  • 2. Exploits
    • Programs and tools that, take profit from a vulnerability (usually a programming error) to gain access, scalate privileges, etc.
  • 3. Programming 101
    • Computer memory (executing programs)
    • 4. C Calling Convention
    • 5. Buffer management
  • 6. Computer memory
  • 9. Computer memory basics
    • Endianness:
      • Byte order when storing multibyte data in memory.
      • 10. Little endian:
        • L1 L2 H1 H2
      • Big endian:
        • H1 H2 L1 L2
      • Intel: little endian. Motorola: big endian. Network: big endian.
  • 11. Computer memory: Segments
    • .text : Executable code. RO and Fixed Size.
    • 12. .data : Global initialized variables. Fixed Size.
    • 13. .bss : (below stack section). Global NON -initialized variables. Fixed Size.
    • 14. Heap: Dynamic allocated space. Grows from low -> high. (malloc, free).
    • 15. Stack: Dynamic. Grows from high -> low. Keeps calling stack and local variables.
    • 16. Env: System environment variables and program arguments.
  • 17. Computer memory: Segment layout.
  • 18. Segment layout example. int index = 5; // data (initialized) char * str; // bss (uninitialized) int nothing; // bss (uninitialized) void fun(int c) // stack { int i=c; // stack region str = (char*)malloc(10*sizeof (char)); // heap strncpy(str, "abcde", 5); } void main () { fun(1); }
  • 19. Buffer overflow
    • Situation where an allocated buffer gets more data that it can handle.
    • 20. If we can fill stack we can disrupt program function.
      • <demo overflow>
  • 21. Stack operation
    • LIFO (FILO) operation.
    • 22. Controlled by 2 reg: ebp, esp.
  • 23. Calling convention.
    • How a program keeps state and variables when jumping to a function (and returns back)?
    • 24. Calling code:
      • Calling code places parameters on stack.
      • 25. Calling code saves EIP on stack.
      • 26. Call is executed.
    • Called code:
      • Save EBP in stack
      • 27. ESP -> EBP
      • 28. ESP - = Local variables space
  • 29. Calling convention. void fun(int c, int d) { int i; .... } void main () { Fun(1,3); }
  • 30. Calling convention. void fun(int c, int d) { int i; .... } void main () { Fun(1,3); }
  • 31. Calling convention. void fun(int c, int d) { int i; .... } void main () { Fun(1,3); }
  • 32. Calling convention. void fun(int c, int d) { int i; .... } void main () { Fun(1,3); }
  • 33. Calling convention. void fun(int c, int d) { int i; .... } void main () { Fun(1,3); }
  • 34. Shellcode
    • Program code (assembly) that calls/executes designed to be injected as data and run from stack.
    • 35. Many available on the web.
  • 36. Demo