BUFFER OVERFLOWS 101
SOME ASSEMBLY REQUIRED
KORY KYZAR
This talk is…
Very high level

Restricted to stack buffer overflows

Restricted to x86 architecture
What’s a buffer?
A buffer can be thought of as an allocated space
in memory intended to hold a certain amount of
data.
char A[10];
Allocate 10 bytes for the variable A
Ok, and overflow?
Storing more data in the buffer than it is designed to hold.

strcpy(A, "toomuchdata");

[diagram: the characters t o o m u c h d a t a written into A, running past the 10 bytes allocated to it]

Data is written to memory outside the region allocated to A.

We've overflowed the buffer.
So What Happens?
Crash
Score
So how do we score?
Slow down there Romeo.
CPU REGISTERS
General Purpose Registers
Small storage areas on the CPU that allow for very fast
access.

x86 CPUs have 8 general purpose registers.

Basically, data from memory is loaded into a register, some
form of processing is done, then the data is saved back to
memory.

Main ones we are concerned with are EBP and ESP.

EIP is not considered a general purpose register, but we are
interested in it as well.
EBP - The Base Pointer
Used to track the base of the current frame
(function).

Can be used for other purposes
ESP - The Stack Pointer
Used to track the top of the stack.

As data is moved onto (PUSH) or off of (POP) the stack, the ESP register is decremented or incremented accordingly: on x86 the stack grows toward lower memory addresses, so PUSH lowers ESP and POP raises it.
EIP - Instruction Pointer
Always points to the memory address of the next
instruction to be executed by the CPU
THE STACK
What is the stack?
Data structure that stores values contiguously in memory

Last In First Out structure

ESP register marks the top
of the stack
Assume the below program
#include <string.h>

void foo (char *bar)
{
    char A[10];

    strcpy(A, bar); // no bounds checking
}

int main (int argc, char **argv)
{
    foo(argv[1]);
}

Program simply takes an argument on the command line and copies it into a variable that is allocated 10 bytes (A).
https://en.wikipedia.org/wiki/Stack_buffer_overflow
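The same program with the copy bounded by the size of A, as an added example (not from the slides). The vulnerable foo() is kept beside it for comparison; foo_safe() and A_SIZE are names chosen here.

```c
#include <stdio.h>
#include <string.h>

#define A_SIZE 10                 /* char A[10] from the slides */

/* The slides' version: strcpy stops at bar's NUL, not at the end of A, so the
 * length of argv[1] decides how far past A the write goes. */
void foo(char *bar) {
    char A[A_SIZE];
    strcpy(A, bar);               /* no bounds checking */
    (void)A;
}

/* Bounded version (name chosen for this example). The destination size is the
 * limit, and the NUL terminator is counted: char A[10] holds at most 9
 * characters. memchr() never looks past A_SIZE bytes of bar, so an
 * unterminated argument cannot hurt it either.
 * Returns 0 on success, -1 when the input does not fit. */
int foo_safe(const char *bar) {
    char A[A_SIZE];
    const char *end;
    if (bar == NULL)
        return -1;
    end = memchr(bar, '\0', A_SIZE);
    if (end == NULL)
        return -1;                /* no terminator within A_SIZE bytes: too long */
    memcpy(A, bar, (size_t)(end - bar) + 1);   /* copy exactly the bytes that fit */
    (void)A;
    return 0;
}

int main(int argc, char **argv) {
    if (argc < 2) {               /* the slides' main reads argv[1] unchecked */
        fprintf(stderr, "usage: %s <string>\n", argv[0]);
        return 2;
    }
    if (foo_safe(argv[1]) != 0) {
        fprintf(stderr, "argument too long: at most %d characters fit in A\n",
                A_SIZE - 1);
        return 1;
    }
    puts("copied");
    return 0;
}
```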
Stack - Program Initializes
[diagram: only main's frame is on the stack; EBP marks its base and ESP its top. High memory addresses are at one end of the picture, low addresses at the other, and the stack grows toward the low end.]

Stack - Foo Function Called
[diagram, built up over several slides, from high to low addresses: main's frame; the ret address pushed by the call to foo; the saved EBP pushed by foo's prologue, after which EBP is set equal to ESP; then 10 bytes reserved for A, with ESP now pointing at the low end of A.]
Stack - strcpy()
Assume we executed our program with an argument of “AAAAAAAAAA”
[diagram: A holds AAAA AAAA AA, i.e. the ten bytes fill the buffer; saved EBP, ret address and main's frame above it are unchanged.]
Stack - strcpy()
Now let's put our attacker hat on and execute our program with the argument “AAAAAAAAAAAAAAAAAA”
[diagram: the 18 A's fill A (AAAA AAAA AA) and keep going toward higher addresses, replacing the saved EBP with AAAA and the ret address with AAAA; only main's frame is left as it was.]
We just overwrote the RET address, meaning we can tell the CPU which instruction to execute next.
CONGRATULATIONS!

YOU CRASHED.
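A toy model of the walk-through above, added here and not part of the deck: a byte array stands in for the stack, PUSH/POP move ESP toward lower/higher addresses, and run_foo() replays CALL, the prologue, the unchecked copy and RET so you can see which input bytes land on the saved EBP and the return address. It also shows what the slides gloss over: strcpy() copies the terminating NUL, so even ten A's touch the byte right after A. All addresses and names (RET_ADDR, MAIN_EBP, run_foo) are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* mem[] stands in for the stack region, esp/ebp/eip hold offsets into it, and
 * the stack grows toward lower addresses exactly as on x86. The constants are
 * constructed values, not taken from a real run. A little-endian host is
 * assumed, so memcpy() of a uint32_t lays bytes out the way x86 does. */
#define MEM_SIZE   64u
#define MAIN_FRAME 16u             /* bytes left above foo's frame for main */
#define RET_ADDR   0x08048456u     /* constructed: next instruction in main */
#define MAIN_EBP   0xbffff4c8u     /* constructed: main's frame base */
#define A_SIZE     10u             /* char A[10] from the slides */

typedef struct { uint8_t mem[MEM_SIZE]; uint32_t esp, ebp, eip; } cpu_t;
typedef struct { uint32_t eip, ebp; } after_ret_t;

static void push32(cpu_t *c, uint32_t v) {
    c->esp -= 4;                      /* PUSH: ESP moves toward low addresses */
    memcpy(&c->mem[c->esp], &v, 4);
}

static uint32_t pop32(cpu_t *c) {
    uint32_t v;
    memcpy(&v, &c->mem[c->esp], 4);
    c->esp += 4;                      /* POP: ESP moves back toward high addresses */
    return v;
}

/* Simulate main calling foo(bar) from the slides; return what RET loads into
 * EIP and what the epilogue restores into EBP. */
static after_ret_t run_foo(const char *bar) {
    cpu_t c;
    after_ret_t r;
    size_t n;
    memset(&c, 0, sizeof c);
    c.esp = MEM_SIZE - MAIN_FRAME;    /* main's frame sits above this point */
    c.ebp = MAIN_EBP;

    push32(&c, RET_ADDR);             /* CALL foo      : push return address */
    push32(&c, c.ebp);                /* push ebp      : save main's base pointer */
    c.ebp = c.esp;                    /* mov ebp, esp  : EBP == ESP */
    c.esp -= A_SIZE;                  /* sub esp, 10   : reserve A */

    /* strcpy(A, bar): copies strlen(bar)+1 bytes (the NUL comes along) toward
     * HIGHER addresses, i.e. from A into saved EBP and then the return address.
     * The clamp only keeps the model inside mem[]; the real strcpy has none. */
    n = strlen(bar) + 1;
    if (c.esp + n > MEM_SIZE) n = MEM_SIZE - c.esp;
    memcpy(&c.mem[c.esp], bar, n);

    c.esp = c.ebp;                    /* mov esp, ebp  : drop A */
    r.ebp = pop32(&c);                /* pop ebp       : restore (maybe clobbered) EBP */
    r.eip = pop32(&c);                /* ret           : EIP = whatever is in the slot */
    return r;
}

int main(void) {
    after_ret_t r = run_foo("AAAAAAAAAA");            /* 10 A's: buffer "fits" */
    printf("10 A's: EIP=0x%08x EBP=0x%08x\n", (unsigned)r.eip, (unsigned)r.ebp);
    r = run_foo("AAAAAAAAAAAAAAAAAA");                /* 18 A's: ret overwritten */
    printf("18 A's: EIP=0x%08x EBP=0x%08x\n", (unsigned)r.eip, (unsigned)r.ebp);
    return 0;
}
```

With ten A's EIP still holds RET_ADDR but the restored EBP has lost its low byte to the NUL; with eighteen both come back as 0x41414141, which is the crash the slides describe.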
Buffer Overflow Shopping List
We need…

The offset in the buffer at
which EIP is overwritten.

Code to perform the exploit.

A way to direct EIP to the
code we want to run.
What if…?
What if the buffer you were trying to overflow was larger than 10 bytes? Let's say we have a large buffer of an unknown size.

We could write a fuzzer that submits an increasing number of “A”s and note the length that causes the crash.

But how do we know which of the “A”s overwrote EIP?
Finding the offset
pattern_create.rb is a Ruby script that creates a non-repeating sequence of characters of a given length.
Finding the offset
Using the string generated by pattern_create.rb as your input, you would analyze where the program crashed in a debugger (e.g. "Access violation when executing 30614239").

Then you would check where that series of characters sits in the string with pattern_offset.rb.

Now you have the exact position in the buffer to place your return address.
Shellcode
Assembly code generated to execute the payload of the attacker's choice

Shellcode must be carefully crafted by hand…RIGHT?
MSFVENOM
MSFPAYLOAD AND MSFENCODE HAVE BEEN DEPRECATED IN FAVOR OF MSFVENOM
So where do we point EIP?
We need to get the CPU to
execute our shellcode

“So just set EIP to the
address at the beginning of
your shellcode!?”
Setting the RET address
You can't hardcode the EIP address, since the program will be loaded into different places in memory at each execution.

JMP ESP - one of the most common methods of getting back to your shellcode is to point EIP to a JMP ESP instruction. This can be used because it is relative to the current stack rather than to a fixed address: the target is whatever ESP holds at run time.

This causes EIP to go to the address in the ESP register, which you should be able to use to reach your shellcode.
Putting it all together
[diagram - our crafted buffer overflow, made up of: Padding, a NOP Sled, the Shellcode, the overwritten return address (EIP = JMP ESP), and more Padding]
DEMO?
THIS WILL PROBABLY END IN FLAMES
@0XKTWO
K2@KORROSIVESECURITY.COM
