Local Exploits

Published in: Technology

  1. Security: Local exploits v2011/01. Carles Mateu and Ramon Bèjar, Departament d'Informàtica i Enginyeria Industrial, Universitat de Lleida
  2. Exploits
     • Programs and tools that take advantage of a vulnerability (usually a programming error) to gain access, escalate privileges, etc.
  3. Programming 101
     • Computer memory (executing programs)
     • C calling convention
     • Buffer management
  4. Computer memory
     • Basics
     • Segments
     • Stacks
  5. Computer memory basics
     • Endianness: byte order when storing multibyte data in memory.
        • Little endian: L1 L2 H1 H2
        • Big endian: H1 H2 L1 L2
        • Intel: little endian. Motorola: big endian. Network: big endian.
  6. Computer memory: Segments
     • .text: Executable code. RO and fixed size.
     • .data: Global initialized variables. Fixed size.
     • .bss: (below stack section). Global NON-initialized variables. Fixed size.
     • Heap: Dynamically allocated space. Grows from low -> high. (malloc, free).
     • Stack: Dynamic. Grows from high -> low. Keeps the call stack and local variables.
     • Env: System environment variables and program arguments.
  7. Computer memory: Segment layout.
  8. Segment layout example.

      #include <stdlib.h>   /* malloc */
      #include <string.h>   /* strncpy */

      int index = 5;        // data (initialized)
      char *str;            // bss (uninitialized)
      int nothing;          // bss (uninitialized)

      void fun(int c)       // stack
      {
          int i = c;        // stack region
          str = (char *)malloc(10 * sizeof(char));  // heap
          if (str != NULL)
              strncpy(str, "abcde", 6);  // 6 so the terminating NUL is copied too
          (void)i;
      }

      int main(void) { fun(1); return 0; }

  9. Buffer overflow
     • Situation where an allocated buffer gets more data than it can handle.
     • If we can fill the stack we can disrupt program function.
        • <demo overflow>
  10. Stack operation
     • LIFO (FILO) operation.
     • Controlled by 2 registers: ebp, esp.
  11. Calling convention.
     • How does a program keep state and variables when jumping to a function (and returning back)?
     • Calling code:
        • Calling code places parameters on stack.
        • Calling code saves EIP on stack.
        • Call is executed.
     • Called code:
        • Save EBP on stack
        • ESP -> EBP
        • ESP -= local variables space
  12. Calling convention.

      void fun(int c, int d) { int i; /* .... */ }
      int main(void) { fun(1, 3); return 0; }

  13. Shellcode
     • Program code (assembly) that calls/executes designed to be injected as data and run from the stack.
     • Many available on the web.
  14. Demo
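
The frame layout from the calling-convention and buffer-overflow slides, as an added example that is not part of the original slides: a constructed 16-byte model of a 32-bit x86 frame shows how a copy with no length check runs past an 8-byte local buffer onto saved EBP and saved EIP in little-endian order, next to a bounded copy that rejects the same input. The struct, the function names and the sample addresses are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of fun()'s 32-bit x86 frame, lowest address first. */
struct frame {
    char    buf[8];        /* local variable */
    uint8_t saved_ebp[4];  /* pushed by the called code */
    uint8_t saved_eip[4];  /* return address saved by the call */
};

/* Little-endian store/load: low byte at the lowest address (Intel). */
static void put_le32(uint8_t *p, uint32_t v) {
    for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i));
}
uint32_t le32(const uint8_t *p) {
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

void frame_init(struct frame *f) {
    memset(f->buf, 0, sizeof f->buf);
    put_le32(f->saved_ebp, 0xbffff6c8u);  /* constructed sample values */
    put_le32(f->saved_eip, 0x08048456u);
}

/* Copy with no check against buf: bytes past buf[7] land on saved EBP,
 * then saved EIP. Clamped to the model so the demo itself stays in bounds. */
void unchecked_copy(struct frame *f, const void *src, size_t n) {
    if (n > sizeof *f) n = sizeof *f;
    memcpy((unsigned char *)f, src, n);
}

/* Bounded copy: refuses input that does not fit, frame left untouched. */
int checked_copy(struct frame *f, const void *src, size_t n) {
    if (n > sizeof f->buf) return -1;
    memcpy(f->buf, src, n);
    return 0;
}

int main(void) {
    /* Constructed input: 8 bytes for buf, 4 over saved EBP, 4 over saved EIP. */
    const unsigned char in[16] = { 'A','A','A','A','A','A','A','A',
                                   'B','B','B','B', 0x44, 0x33, 0x22, 0x11 };
    struct frame f;
    frame_init(&f);
    printf("checked:   rc=%d eip=0x%08x\n", checked_copy(&f, in, sizeof in), (unsigned)le32(f.saved_eip));
    unchecked_copy(&f, in, sizeof in);
    printf("unchecked: ebp=0x%08x eip=0x%08x\n", (unsigned)le32(f.saved_ebp), (unsigned)le32(f.saved_eip));
    return 0;
}
```

The bytes 44 33 22 11 read back as 0x11223344, which is the little-endian ordering from the endianness slide applied to the saved return address.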
