
Local Exploits



  1. Security: Local exploits, v2011/01. Carles Mateu and Ramon Bèjar, Department of Computer Science and Industrial Engineering, Universitat de Lleida
  2. Exploits
     - Programs and tools that take advantage of a vulnerability (usually a programming error) to gain access, escalate privileges, etc.
  3. Programming 101
     - Computer memory (executing programs)
     - C calling convention
     - Buffer management
  4. Computer memory
     - Basics
     - Segments
     - Stacks
  5. Computer memory basics
     - Endianness: byte order used when storing multibyte data in memory.
       - Little endian: L1 L2 H1 H2
       - Big endian: H1 H2 L1 L2
       - Intel: little endian. Motorola: big endian. Network: big endian.
  6. Computer memory: Segments
     - .text: executable code. Read-only and fixed size.
     - .data: global initialized variables. Fixed size.
     - .bss: (below stack section). Global NON-initialized variables. Fixed size.
     - Heap: dynamically allocated space. Grows from low -> high (malloc, free).
     - Stack: dynamic. Grows from high -> low. Keeps the call stack and local variables.
     - Env: system environment variables and program arguments.
  7. Computer memory: Segment layout.
  8. Segment layout example.
         #include <stdlib.h>
         #include <string.h>

         int idx = 5;          // .data (initialized global)
         char *str;            // .bss (uninitialized global)
         int nothing;          // .bss (uninitialized global)

         void fun(int c)       // parameter c: stack
         {
             int i = c;                                // local variable: stack region
             str = (char *)malloc(10 * sizeof(char));  // heap
             strncpy(str, "abcde", 5);                 // copies 5 bytes, adds no terminator
             str[5] = '\0';                            // terminate the string explicitly
         }

         int main(void)
         {
             fun(1);
             return 0;
         }
  9. Buffer overflow
     - Situation where an allocated buffer receives more data than it can hold.
     - If we can fill the stack we can disrupt the program's control flow.
       - (demo: overflow)
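As an added example, not code from the slides: the endianness check of slide 5 and the overflow of slide 9, with the unbounded copy shown beside a bounded copy that refuses input that does not fit a 16-byte stack buffer. Function names are my own.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Slide 5: byte order of a multibyte value in memory. Returns 1 when the
 * least significant byte is stored at the lowest address (Intel), 0 when
 * the most significant byte comes first (Motorola, network order). */
int is_little_endian(void) {
    uint32_t v = 0x01020304;
    unsigned char first_byte;
    memcpy(&first_byte, &v, 1);         /* read the byte at the lowest address */
    return first_byte == 0x04;
}

/* Slide 9, the vulnerable form: buf lives in this function's stack frame,
 * directly below the saved EBP and return address described on slide 11.
 * strcpy() has no length limit, so a src longer than 15 bytes overwrites
 * them. Shown for contrast only; never feed it untrusted input. */
char copy_unbounded(const char *src) {
    char buf[16];
    strcpy(buf, src);
    return buf[0];
}

/* Hardened form: reject input that does not fit instead of truncating
 * silently. Returns 0 on success, -1 when src would overflow dst. */
int copy_bounded(char *dst, size_t dst_size, const char *src) {
    size_t n = strlen(src);
    if (dst_size == 0 || n >= dst_size)  /* n + 1 bytes needed, incl. NUL */
        return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

/* Runs the bounded copy into a 16-byte stack buffer, as the demo would.
 * Returns 0 when the copy succeeded and round-trips, -1 when rejected. */
int demo_bounded(const char *src) {
    char buf[16];
    if (copy_bounded(buf, sizeof buf, src) != 0)
        return -1;
    return strcmp(buf, src) == 0 ? 0 : 1;
}

int main(void) {
    printf("little endian: %d\n", is_little_endian());
    printf("copy of 15 bytes: %d\n", demo_bounded("0123456789ABCDE"));   /* 0 */
    printf("copy of 16 bytes: %d\n", demo_bounded("0123456789ABCDEF"));  /* -1 */
    return 0;
}
```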
  10. Stack operation
     - LIFO (FILO) operation.
     - Controlled by 2 registers: ebp, esp.
  11. Calling convention.
     - How does a program keep its state and variables when jumping to a function (and returning from it)?
     - Calling code:
       - Calling code places the parameters on the stack.
       - Calling code saves EIP on the stack.
       - The call is executed.
     - Called code:
       - Save EBP on the stack.
       - ESP -> EBP
       - ESP -= space for local variables
  12. Calling convention.
         void fun(int c, int d)
         {
             int i;
             ....
         }

         int main(void)
         {
             fun(1, 3);
             return 0;
         }
  13. Shellcode
     - Machine code (written in assembly) designed to be injected as data and executed from the stack.
     - Many are available on the web.
  14. Demo
