2. OUTLINE
NEXT 45 MIN
▸ In the next 45 min
▸ Learn the Mach-O binary format
▸ X86-64 Assembly Language / Machine Code
▸ Trivial Binary Bugs
▸ Order by DESC
4. BUG TO VULNERABILITY
SIGNAL
▸ There are so many signals in *nix-like systems
▸ Some are helpful
▸ Some are bug prevention
▸ Understanding the bug helps you find the vulnerability
▸ SIGFPE - division-by-zero
▸ SIGILL - illegal instruction
▸ SIGSEGV - invalid virtual memory reference
6. BUG TO VULNERABILITY
ILLEGAL & INVALID
▸ Caused by the compiler, a library, or program logic
▸ Compiler - replace with a newer compiler
▸ Run-time library - replace with a newer library
▸ Run-time logic - supply a correct input
▸ It's all "their" fault
8. VULNERABILITY
INPUT
▸ User Input
▸ User-Name, Age, email-address, Gender
▸ Store the user input in memory
▸ ISSUE
A. How
B. What
C. Where
10. CPU
X86-64
▸ Register - extend to 64-bits
▸ 8 / 16 / 32 / 64 bits
▸ 128 bits (SSE)
▸ NX (No-Execute) bit
▸ Registers are limited
▸ limited to 16 general-purpose registers
▸ 16 SSE registers
11. CPU
X86-64
▸ Von Neumann model
▸ Code / Data are put together (memory)
▸ When data needs to be stored / loaded
▸ store: from register to memory
▸ load: from memory to register
12. STORAGE
SOMETHING IN MEMORY
▸ Code vs Data vs BSS vs Stack vs Heap
▸ Code is read-execute
▸ Data is read-write
▸ BSS is used to store uninitialized (zero-filled) data
▸ Stack is used to store temporary (local) data
▸ Heap is used to store dynamic data
▸ All of these are stored in the memory
13. HOPE YOU HAVE …
DATA IN PROGRAM
▸ Data
▸ Gender - one letter or full description
▸ Age - possible integer or impossible integer
▸ Name - alphabet or unicode
▸ All data in registers / memory are integer-like
▸ 8-bit (0~255) up to SSE (0 ~ 3.4e38)
▸ signed or unsigned is a question
14. HOPE YOU HAVE …
DATA IN PROGRAM
▸ Can simply put age into register
▸ Gender could be
▸ one letter - to ASCII and put in register
▸ Fix-length - store in memory
▸ Name should be
▸ store in memory
15. MEMORY
WHERE TO STORE
▸ Memory
▸ Sequentially store user input
▸ decoded by the program / programmer
▸ ISSUE
▸ size
▸ permission
16. MEMORY
WHERE TO STORE
▸ Data vs BSS vs Stack vs Heap
▸ Fit the scenario (assumption)
▸ data is
1. temporary
2. global view
3. variable size
18. TEXT
MOV
▸ In x86-64 opcodes
▸ lots of opcodes are MOV
▸ moving from/to memory is a very frequent action
▸ mov ch, dl
▸ mov rax, [rax-0x10]
▸ mov [r8], rsp
▸ lea cx, [rbx]
▸ But each form uses a different opcode!
19. AGE
SAVE DATA
▸ Save 18 as age into program
▸ mov rax, 18 ; save in a register
▸ mov qword [rax], 18 ; save into memory (operand size must be given)
▸ push 18 ; save onto the stack
20. GENDER
SAVE DATA
▸ Save ‘F’ (0x46) as gender into program
▸ mov rax, 0x46 ; save in a register
▸ mov byte [rax], 0x46 ; save into memory
▸ push 0x46 ; save onto the stack
21. GENDER
SAVE DATA
▸ Save ‘Female’ as gender into program
▸ mov dword [rax], 0x616D6546 ; "Fema" - bytes 46 65 6D 61 in memory (little-endian immediate)
▸ mov dword [rax+0x04], 0x0000656C ; "le\0\0" - bytes 6C 65 00 00 in memory
▸ push 0x46
▸ push 0x65
▸ push …
22. MEMORY
SIZE MATTERS
▸ Steps to store data in memory
1. decide the size of memory
2. how to encode/decode data
3. decide the location of memory
4. put into / get from memory
24. MEMORY
▸ move to memory space
▸ Where is the space? BSS or Data or Heap
▸ Compile-time or Run-time
▸ fix-length or variable-length
▸ Save onto the stack
▸ The stack is not unlimited; push can run out of space
25. IN C LANGUAGE
ASSUMPTION
▸ Struct in C
struct foo {
int age;
char gender[8];
char email[128];
};
‣ What happens if gender overflows?
‣ email is corrupted / age is corrupted
[Diagram: memory layout of struct foo, fields age, gender, email laid out in that order, spanning 0x1230 to 0x12B9]
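The struct above, as an added example (not code from the slides): it prints the field offsets that make a gender overflow land in email, shows the unbounded copy next to a bounded one that rejects oversized input, and reads the first four bytes of gender back as a dword so the little-endian byte order of slide 21 is visible. The sample strings are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* The struct from the slide. Field order is also memory order:
 * age at offset 0, gender right after it, email right after gender. */
struct foo {
    int  age;
    char gender[8];
    char email[128];
};

size_t offset_of_gender(void) { return offsetof(struct foo, gender); }
size_t offset_of_email(void)  { return offsetof(struct foo, email); }
size_t size_of_foo(void)      { return sizeof(struct foo); }

/* The bug on the slide: an unbounded copy. Anything longer than 7 characters
 * plus the NUL terminator runs off the end of gender[] and lands in email[]. */
void set_gender_unchecked(struct foo *f, const char *src)
{
    strcpy(f->gender, src);
}

/* The fix: measure first, reject what does not fit (NUL included), copy last. */
int set_gender_checked(struct foo *f, const char *src)
{
    size_t n = strlen(src);
    if (n >= sizeof f->gender)
        return -1;                       /* would overflow into email: refuse */
    memcpy(f->gender, src, n + 1);
    return 0;
}

/* View the first four bytes of gender as the dword a "mov dword [rax], imm32"
 * would have written. On a little-endian CPU "Fema" reads back as 0x616D6546,
 * not 0x46656D61, so the immediate has to be written with the bytes reversed. */
uint32_t gender_first_dword(const struct foo *f)
{
    uint32_t v;
    memcpy(&v, f->gender, sizeof v);
    return v;
}

int main(void)
{
    struct foo f;
    memset(&f, 0, sizeof f);
    printf("age@%zu gender@%zu email@%zu size=%zu\n",
           offsetof(struct foo, age), offset_of_gender(), offset_of_email(), size_of_foo());
    printf("checked(\"Female\") = %d\n", set_gender_checked(&f, "Female"));       /* constructed input */
    printf("first dword of gender = 0x%08X\n", gender_first_dword(&f));
    printf("checked(\"Unspecified\") = %d (rejected)\n", set_gender_checked(&f, "Unspecified"));
    return 0;
}
```

The bounded version is the check to look for in review: a length comparison against `sizeof` the destination, done before the copy, with the terminator counted.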
30. LEGACY
CODE/DATA BOTH IN MEMORY
▸ First: call is a combination of push and jump
▸ call 0x400035
1. push rip
2. jmp 0x400035
‣ ret
1. pop rip
2. jmp rip
‣ And more
▸ call rax
▸ call [rax]
36. INSTRUCTION
X86-64 MACHINE CODE
▸ X86-64 machine code layout
▸ [prefix] [opcode] [MOD] [SIB] [Displacement] [Immediate]
▸ At most 15 bytes per instruction
▸ Displacement and Immediate are each at most 8 bytes (64-bit address)
▸ R(educed)ISC vs C(omplex)ISC
37. STFW
OPCODE
▸ X86-64 opcode
▸ Intel Manual[0]
▸ Web Resource[1]
▸ Opcode byte ranges 00 ~ FF
▸ Each one is either a defined instruction or invalid
[0]: https://software.intel.com/sites/default/files/managed/ad/01/253666-sdm-vol-2a.pdf
[1]: http://ref.x86asm.net/coder64.html
39. X86-64
SLIGHTLY COMPLICATED
▸ Extension opcode
▸ add (01) supports 16 / 32 / 64-bit operands
▸ add r/m16/32/64, r16/32/64
▸ One opcode does multiple things?
▸ prefix 48 ~ 4F (REX with W set) extends the size to 64-bit
  bit:   7   6   5   4   3   2   1   0
       +---+---+---+---+---+---+---+---+
       | 0 | 1 | 0 | 0 | W | R | X | B |
       +---+---+---+---+---+---+---+---+
40. X86-64
REGISTER EXTENSION
▸ Extension
▸ Size (32-bit to 64-bit) via REX.W
▸ register (general to extended r8 ~ r15) via REX.B
▸ mov eax, 0xdeadbeef B8 EF BE AD DE
▸ mov rax, 0xdeadbeef 48 B8 EF BE AD DE 00 00 00 00 ; REX.W makes B8 take an 8-byte immediate
▸ mov r8, 0xdeadbeef 49 B8 EF BE AD DE 00 00 00 00 ; REX.W + REX.B selects r8
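A small decoder for exactly the encodings on these two slides, added here as an example (not from the slides or the Intel manual): it parses an optional REX prefix, pulls W and B out of it, recognises the B8+r "mov reg, imm" opcode family, and assembles the little-endian immediate at the width REX.W selects. It also reports a truncated immediate, which is how the 6-byte `48 B8 ...` listing would be classified. Byte strings in main are constructed from the slide's examples; register-name tables follow the standard x86-64 numbering.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Result of decoding one "mov reg, imm" instruction (opcodes B8..BF). */
struct mov_imm {
    int      ok;        /* 1 if the bytes were a mov reg, imm we understand */
    int      rex_w;     /* REX.W: 64-bit operand size */
    int      reg;       /* register number 0..15 (REX.B supplies bit 3) */
    int      width;     /* operand size in bits: 32 or 64 */
    uint64_t imm;       /* immediate, little-endian bytes assembled */
    size_t   length;    /* bytes consumed */
};

static const char *reg_names32[16] = {"eax","ecx","edx","ebx","esp","ebp","esi","edi",
                                      "r8d","r9d","r10d","r11d","r12d","r13d","r14d","r15d"};
static const char *reg_names64[16] = {"rax","rcx","rdx","rbx","rsp","rbp","rsi","rdi",
                                      "r8","r9","r10","r11","r12","r13","r14","r15"};

/* Decode: [REX 0x40..0x4F] B8+r imm32   or   REX.W B8+r imm64. */
struct mov_imm decode_mov_imm(const uint8_t *code, size_t len)
{
    struct mov_imm r = {0};
    size_t i = 0;
    int rex_b = 0;

    if (len == 0) return r;
    /* REX prefix: high nibble 0100, low bits W R X B. */
    if ((code[i] & 0xF0) == 0x40) {
        r.rex_w = (code[i] >> 3) & 1;
        rex_b   =  code[i]       & 1;      /* R and X are not used by this opcode form */
        i++;
    }
    if (i >= len || (code[i] & 0xF8) != 0xB8) return r;   /* not in B8..BF */
    r.reg = (code[i] & 7) | (rex_b << 3);                  /* REX.B is bit 3 of the register */
    i++;
    r.width = r.rex_w ? 64 : 32;
    size_t nbytes = r.width / 8;
    if (len - i < nbytes) return r;                        /* truncated immediate: reject */
    for (size_t k = 0; k < nbytes; k++)
        r.imm |= (uint64_t)code[i + k] << (8 * k);         /* little-endian assembly */
    r.length = i + nbytes;
    r.ok = 1;
    return r;
}

const char *mov_imm_regname(const struct mov_imm *m)
{
    return m->width == 64 ? reg_names64[m->reg] : reg_names32[m->reg];
}

static void show(const char *label, const uint8_t *code, size_t len)
{
    struct mov_imm m = decode_mov_imm(code, len);
    if (m.ok)
        printf("%-10s mov %s, 0x%llx (%zu bytes)\n", label, mov_imm_regname(&m),
               (unsigned long long)m.imm, m.length);
    else
        printf("%-10s not a complete mov reg, imm\n", label);
}

int main(void)
{
    /* Constructed from the slide's three examples, plus the slide's 6-byte listing as-is. */
    const uint8_t eax[] = {0xB8, 0xEF, 0xBE, 0xAD, 0xDE};
    const uint8_t rax[] = {0x48, 0xB8, 0xEF, 0xBE, 0xAD, 0xDE, 0, 0, 0, 0};
    const uint8_t r8[]  = {0x49, 0xB8, 0xEF, 0xBE, 0xAD, 0xDE, 0, 0, 0, 0};
    const uint8_t cut[] = {0x48, 0xB8, 0xEF, 0xBE, 0xAD, 0xDE};
    show("eax:", eax, sizeof eax);
    show("rax:", rax, sizeof rax);
    show("r8:",  r8,  sizeof r8);
    show("cut:", cut, sizeof cut);
    return 0;
}
```

The truncation check matters in any tool that walks machine code: without it the decoder would read past the buffer, which is the same class of bug the earlier struct slide illustrates.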