Emo-Exploitation
Usage Rights

© All Rights Reserved
    Emo-Exploitation Presentation Transcript

    • Exploiting Memory Overflows
    • Action Plan: System Organization Basics; Memory Organization Basics; Buffer Overflow Basics; Demo; Heap Overflow Basics; Demo
    • System Organization Basics: CPU, System Bus, Memory, A/D/C, I/O Devices
    • Numbering Systems (the same value in four bases): Binary 11011 = Octal 33 = Decimal 27 = Hexadecimal 1B
    • Data Representations: Bit: 1 bit (0/1); Nibble: 4 bits (0-15); Byte: 8 bits (0-255); Word: 16 bits (0-65535); Double Word (DWORD): 32 bits (0-4294967295); Quad Word (QWORD): 64 bits (0-18446744073709551615). [Diagram: sample bit patterns labelled as NIBBLE (4 bits), BYTE (8 bits), WORD (16 bits) and DWORD (32 bits) with their decimal values.]
    • Memory Organization Basics: bits in a word are numbered from the MSB (most significant bit) down to the LSB (least significant bit). Byte order in memory, with addresses increasing upward in the diagram:
      Little Endian (Intel x86, x86_64): 0x461DAB69 is stored as 0x69, 0xAB, 0x1D, 0x46 from low to high address; 0x6D20 as 0x20, 0x6D; 0x2A as 0x2A.
      Big Endian (Motorola): 0x461DAB69 is stored as 0x46, 0x1D, 0xAB, 0x69 from low to high address; 0x6D20 as 0x6D, 0x20; 0x2A as 0x2A.
    • CPU Registers:
      EAX – Accumulator, used for default operands and results
      EBX – Base, used to store pointers to data
      ECX – Counter, used to count up or down
      EDX – Data, used as an I/O pointer
      ESP – Stack Pointer, points to the top of the stack frame
      EBP – Base Pointer, points to the base of the stack frame
      ESI – Source Index, points to the source for data
      EDI – Destination Index, points to the data destination
      Flags – Provides the result of the latest operation
      EIP – Instruction Pointer, points to the next instruction
      CS – Code Segment, points to the code segment
      DS – Data Segment, points to the data segment
      SS – Stack Segment, points to the stack segment
      ES – Extra Segment, points to the extra segment
    • Segmentation (memory laid out from LOW to HIGH, segment size 0x100):
      CS at 0x100 – code, addressed through EIP
      DS at 0x200 – data, addressed through EDX, EBX, ESI, EDI
      SS at 0x300 – stack, addressed through ESP, EBP
      ES at 0x400 – extra, addressed through EDX, EBX, ESI, EDI
    • Buffer Overflow Basics – Stack Operations (the stack grows toward lower addresses):
      PUSH – subtract 4 from ESP and store the new value at that address
      POP – add 4 to ESP
      OPER      EBP   ESP
      PUSH 1A   36    36
      PUSH CF   36    32
      PUSH 09   36    28
      POP       36    32
      PUSH AC   36    28
      [Diagram: stack contents afterwards: 1A at 36, CF at 32, AC at 28, where 09 was popped and then overwritten.]
    • Function Calls and the Stack: every call pushes a new frame toward lower addresses and every return pops it. Steps 1–5: main() -> fun1() -> fun2() -> back to fun1() -> back to main(); at the deepest point the frames main() / fun1() / fun2() are stacked from HIGH to LOW.
    • Stack Organization for Function Calls:
        int fun (int arg1, int arg2) {
            int lvar1 = arg1 + arg2;
        }
        int main () {
            int local_var1;
            fun (arg1, arg2);
        }
      Frame layout (addresses high -> low): 48 local_var1 (EBP at the call); 44 arg2; 40 arg1; 36 RETN ADDR (ESP at the call); 32 OLD EBP; 28 lvar1.
    • Stack Organization for Function Calls (with concrete values):
        int add (int a, int b) {
            int c = a + b;
            return c;
        }
        int main () {
            int x = 18;
            add (3, 6);
            return 0;
        }
      Frame layout (addresses high -> low): 48 x=18 (EBP at the call); 44 b=6; 40 a=3; 36 RA=999 (ESP at the call); 32 OLD EBP=48; 28 c=9.
    • Buffer Overflow Example:
        int vuln (char *argv) {
            char buf[80];
            int a = 9;
            strcpy (buf, argv);
        }
        int main (int argc, char **argv) {
            int x = 6;
            vuln (argv[1]);
        }
      Frame layout (addresses high -> low): 216 x=6; 212 &argv[1]; 208 RA=999; 204 OLD EBP=212 (EBP); 200 downwards buf[80]; 120 a=9 (ESP).
    • With an 80-byte argument (python -c 'print "A"*80') buf is filled with AAAA...; the saved EBP and the return address are untouched.
    • With 84 bytes (python -c 'print "A"*84') the copy runs past buf and the saved EBP at 204 becomes AAAA.
    • With 88 bytes (python -c 'print "A"*88') the return address at 208 is overwritten with AAAA as well.
    • So, you can overflow a buffer... now what? The sky is the limit...! Well, not really :) Let's just dig deep and see what exactly the scope of such a vulnerability is.
    • Two outcomes after the return address is overwritten. Left: the saved EBP and return address hold 0x41414141, so on return EIP = 0x41414141 and the process dies with SIGSEGV. Right: the return address is replaced with 0x00000120, the low end of buf, and buf is filled with a NOP sled (0x90 bytes) followed by shellcode; on return EIP = 0x00000120 and the injected code executes. GAME OVER!
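    Added example, not part of the presentation: the slides' vuln() placed beside a bounded rewrite, fed the same 80/84/88-byte inputs the slides step through. The names vuln_unsafe, vuln_bounded and check_payload_len are assumptions made here.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_SZ 80                 /* same size as the slides' char buf[80] */

/* The slides' vuln(): strcpy() copies until the source's NUL, so any
 * argument of 80 bytes or more runs past buf into the saved EBP and
 * return address shown in the frame diagram. Kept for comparison only;
 * nothing below calls it. */
void vuln_unsafe(const char *arg)
{
    char buf[BUF_SZ];
    strcpy(buf, arg);                       /* unbounded copy */
    printf("unsafe: copied %zu bytes\n", strlen(buf));
}

/* Hardened rewrite (name is an assumption made here): check the length
 * against the destination first, then copy with an explicit bound that
 * includes the terminating NUL. Returns 0 on success, -1 if rejected. */
int vuln_bounded(const char *arg)
{
    char buf[BUF_SZ];
    size_t len = strlen(arg);
    if (len >= sizeof buf)                  /* 80+ bytes: no room for the NUL */
        return -1;
    memcpy(buf, arg, len + 1);              /* exactly len bytes plus the NUL */
    printf("bounded: copied %zu bytes\n", strlen(buf));
    return 0;
}

/* Constructed input: n bytes of 'A', like the slides' python -c 'print "A"*n'.
 * Runs it through the bounded version and returns its verdict. */
int check_payload_len(size_t n)
{
    char *payload = malloc(n + 1);
    if (payload == NULL)
        return -2;
    memset(payload, 'A', n);
    payload[n] = '\0';
    int rc = vuln_bounded(payload);
    free(payload);
    return rc;
}

int main(void)
{
    /* 80, 84 and 88 are the lengths the slides use; 79 still fits with its NUL */
    size_t lens[] = { 79, 80, 84, 88 };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("%zu bytes -> %s\n", lens[i],
               check_payload_len(lens[i]) == 0 ? "accepted" : "rejected");
    return 0;
}
```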
    • Finally, it's time to witness some live action...!
    • That's all folks!!! Ready with your questions? Start firing them now...