CNIT 127 Ch 5: Introduction to heap overflows
•
1 like•1,930 views
Slides for a college course at City College San Francisco. Based on "The Shellcoder's Handbook: Discovering and Exploiting Security Holes ", by Chris Anley, John Heasman, Felix Lindner, Gerardo Richarte; ASIN: B004P5O38Q. Instructor: Sam Bowne Class website: https://samsclass.info/127/127_S17.shtml
Report
Share
Report
Share
Download to read offline
Recommended
CNIT 127 Ch 4: Introduction to format string bugs
This document discusses format string vulnerabilities. It explains that format strings can be used to read arbitrary memory locations on the stack, allowing information disclosure. It also describes how uncontrolled format strings can be exploited to write to arbitrary memory addresses, enabling denial of service attacks or potentially remote code execution. The key steps of a format string exploit are outlined: controlling a write operation, finding a target memory location like the return address or GOT, writing shellcode to memory, and changing the target location to point to the shellcode.
Ch 6: The Wild World of Windows
This chapter discusses various topics related to exploiting Windows including the Win32 API, DLLs, PE files, heaps, threading, DCOM, exception handling, and debuggers. It covers how the Windows API is implemented using DLLs, the structure and sections of PE files, how DLLs are loaded and relocated in memory, and how processes use multiple heaps and threads. It also explains how DCOM and DCE-RPC enable remote procedure calls and the security implications of this. The chapter concludes with an overview of debuggers like SoftICE, WinDbg, OllyDbg, and Immunity Debugger that are useful for exploit development.
CNIT 127 Ch 3: Shellcode
This document discusses shellcode and system calls. It provides an overview of protection rings, syscalls, assembler, and other topics needed to understand writing shellcode. It then demonstrates how to write simple shellcode that uses the exit syscall to terminate a program. More complex shellcode is discussed that uses fork and execve syscalls to spawn a shell process upon execution, allowing an attacker to gain an interactive shell. The key steps of writing shellcode are outlined.
CNIT 127 Ch 8: Windows overflows (Part 1)
This document discusses Windows stack-based buffer overflow exploitation techniques and defenses. It covers the Thread Environment Block (TEB) and Process Environment Block (PEB), which store thread and process-level data. Stack-based overflows are explained, including overwriting return addresses and structured exception handlers (SEH). Methods to defeat Address Space Layout Randomization (ASLR) are provided. Windows Server 2003 introduced protections, while Windows Server 2008 added further defenses like SEHOP and SAFESEH.
CNIT 127: L9: Web Templates and .NET
For a college course at City College San Francisco.
Instructor: Sam Bowne
Class website: https://samsclass.info/127/127_F19.shtml
CNIT 127: 8: Windows overflows (Part 2)
Slides for a college course at City College San Francisco. Based on "The Shellcoder's Handbook: Discovering and Exploiting Security Holes ", by Chris Anley, John Heasman, Felix Lindner, Gerardo Richarte; ASIN: B004P5O38Q.
Instructor: Sam Bowne
Class website: https://samsclass.info/127/127_F18.shtml
127 Ch 2: Stack overflows on Linux
This chapter discusses stack overflows in Linux. It explains buffers, the stack, functions and how the stack is used. It shows how a stack buffer overflow can be exploited by overwriting the return address on the stack to redirect program flow. The document demonstrates this by having a program read user input into a buffer without bounds checking, allowing input longer than the buffer to overwrite the return address and cause a crash. gdb is used to debug the program and examine the stack.
Introduction to Assembly Language Programming
This presentation provides a basic idea about Assembly Language Programming using NASM ( Netwide Assembler ).
Recommended
CNIT 127 Ch 4: Introduction to format string bugs
This document discusses format string vulnerabilities. It explains that format strings can be used to read arbitrary memory locations on the stack, allowing information disclosure. It also describes how uncontrolled format strings can be exploited to write to arbitrary memory addresses, enabling denial of service attacks or potentially remote code execution. The key steps of a format string exploit are outlined: controlling a write operation, finding a target memory location like the return address or GOT, writing shellcode to memory, and changing the target location to point to the shellcode.
Ch 6: The Wild World of Windows
This chapter discusses various topics related to exploiting Windows including the Win32 API, DLLs, PE files, heaps, threading, DCOM, exception handling, and debuggers. It covers how the Windows API is implemented using DLLs, the structure and sections of PE files, how DLLs are loaded and relocated in memory, and how processes use multiple heaps and threads. It also explains how DCOM and DCE-RPC enable remote procedure calls and the security implications of this. The chapter concludes with an overview of debuggers like SoftICE, WinDbg, OllyDbg, and Immunity Debugger that are useful for exploit development.
CNIT 127 Ch 3: Shellcode
This document discusses shellcode and system calls. It provides an overview of protection rings, syscalls, assembler, and other topics needed to understand writing shellcode. It then demonstrates how to write simple shellcode that uses the exit syscall to terminate a program. More complex shellcode is discussed that uses fork and execve syscalls to spawn a shell process upon execution, allowing an attacker to gain an interactive shell. The key steps of writing shellcode are outlined.
CNIT 127 Ch 8: Windows overflows (Part 1)
This document discusses Windows stack-based buffer overflow exploitation techniques and defenses. It covers the Thread Environment Block (TEB) and Process Environment Block (PEB), which store thread and process-level data. Stack-based overflows are explained, including overwriting return addresses and structured exception handlers (SEH). Methods to defeat Address Space Layout Randomization (ASLR) are provided. Windows Server 2003 introduced protections, while Windows Server 2008 added further defenses like SEHOP and SAFESEH.
CNIT 127: L9: Web Templates and .NET
For a college course at City College San Francisco.
Instructor: Sam Bowne
Class website: https://samsclass.info/127/127_F19.shtml
CNIT 127: 8: Windows overflows (Part 2)
Slides for a college course at City College San Francisco. Based on "The Shellcoder's Handbook: Discovering and Exploiting Security Holes ", by Chris Anley, John Heasman, Felix Lindner, Gerardo Richarte; ASIN: B004P5O38Q.
Instructor: Sam Bowne
Class website: https://samsclass.info/127/127_F18.shtml
127 Ch 2: Stack overflows on Linux
This chapter discusses stack overflows in Linux. It explains buffers, the stack, functions and how the stack is used. It shows how a stack buffer overflow can be exploited by overwriting the return address on the stack to redirect program flow. The document demonstrates this by having a program read user input into a buffer without bounds checking, allowing input longer than the buffer to overwrite the return address and cause a crash. gdb is used to debug the program and examine the stack.
Introduction to Assembly Language Programming
This presentation provides a basic idea about Assembly Language Programming using NASM ( Netwide Assembler ).
Intermediate code generator
The document discusses different representations of intermediate code in compilers, including high-level and low-level intermediate languages. High-level representations like syntax trees and DAGs depict the structure of the source program, while low-level representations like three-address code are closer to the target machine. Common intermediate code representations discussed are postfix notation, three-address code using quadruples/triples, and syntax trees.
Windows 10 Nt Heap Exploitation (English version)
The document discusses the Windows memory allocator and heap exploitation. It describes the core components and data structures of the NT heap, including the _HEAP structure, _HEAP_ENTRY chunks, BlocksIndex structure, and FreeLists. It also explains the differences between the backend and frontend allocators as well as how chunks of different sizes are managed.
CNIT 127 14: Protection Mechanisms
Slides for a college course at City College San Francisco. Based on "The Shellcoder's Handbook: Discovering and Exploiting Security Holes ", by Chris Anley, John Heasman, Felix Lindner, Gerardo Richarte; ASIN: B004P5O38Q.
Instructor: Sam Bowne
Class website: https://samsclass.info/127/127_F18.shtml
04 coms 525 tcpip - arp and rarp
The document discusses Address Resolution Protocol (ARP) and Reverse Address Resolution Protocol (RARP). It explains that ARP is used to dynamically map between IP addresses and MAC addresses on local area networks. ARP broadcasts a request to map an IP to MAC, and the host with that IP responds with its MAC. This mapping is stored in an ARP cache for future lookups to avoid broadcasting for every packet. RARP is the reverse process for a host to learn its IP from a server based on its MAC.
Assembly and Machine Code
Computer Science - Assembly and Machine Code
This presentation explains the 2 types of programming languages such as assembly and machine code.
Instruction Set Architecture
The document discusses different instruction set architectures including stack, accumulator, memory-memory, register-memory, and load-store architectures. It compares the pros and cons of each in terms of hardware requirements, parallelism, pipelining, and compiler optimization. Instruction formats are classified based on the number of operands and addresses. Code size and number of required memory accesses are compared for 4-address, 3-address, 2-address, 1-address, and 0-address instructions.
Compiler Construction
The document provides an introduction to compiler construction including:
1. The objectives of understanding how to build a compiler, use compiler construction tools, understand assembly code and virtual machines, and define grammars.
2. An overview of compilers and interpreters including the analysis-synthesis model of compilation where analysis determines operations from the source program and synthesis translates those operations into the target program.
3. An outline of the phases of compilation including preprocessing, compiling, assembling, and linking source code into absolute machine code using tools like scanners, parsers, syntax-directed translation, and code generators.
LLVM Instruction Selection
Instruction selection in LLVM maps the compiler intermediate representation (IR) to target instructions by matching nodes in a selection DAG. It performs this mapping greedily by choosing instructions with higher complexity that can cover more operations. The selection DAG is legalized to ensure operations are supported by the target before instruction matching using patterns defined in tablegen files.
Assemblers
This document discusses assembly language and assemblers. It begins by explaining that assembly language provides a more readable and convenient way to program compared to machine language. It then describes how an assembler works, translating assembly language programs into machine code. The elements of assembly language are defined, including mnemonic operation codes, symbolic operands, and data declarations. The document also covers instruction formats, sample assembly language programs, and the processing an assembler performs to generate machine code from assembly code.
CNIT 127: 4: Format string bugs
Slides for a college course at City College San Francisco. Based on "The Shellcoder's Handbook: Discovering and Exploiting Security Holes ", by Chris Anley, John Heasman, Felix Lindner, Gerardo Richarte; ASIN: B004P5O38Q.
Instructor: Sam Bowne
Class website: https://samsclass.info/127/127_F18.shtml
BIRA recent.pptx
This document proposes an efficient memory design for error tolerant applications using built-in self-repair (BISR). It uses built-in self-test (BIST) to test memories for faults and sends that information to built-in redundancy analysis (BIRA) to determine repair solutions. Memories are serially tested and repaired to reduce testing time and switching activities. The proposed approach uses multiple single input change (MSIC) vectors to test memories concurrently, reducing area and performance overhead compared to traditional BISR systems.
Linux System Programming - File I/O
This document discusses various concepts related to file input/output (I/O) in Linux system programming. It covers opening, reading from, writing to, closing, seeking within, and truncating files using system calls like open(), read(), write(), close(), lseek(), ftruncate(). It also discusses related topics like file descriptors, blocking vs non-blocking I/O, synchronized I/O, direct I/O, and positional reads/writes.
Assembler - System Programming
One pass assembler, Two pass assembler,
Advanced Assembler Directives
Index
------
One-pass assembler
Forward Reference
Two-pass assembler using variant-I
Two-pass assembler using variant-II
Advanced Assembler Directives
Design of two pass assembler
Message Signaled Interrupts
1) The document discusses Message Signaled Interrupts (MSI), an improvement over the traditional interrupt handling method. MSI allows interrupt information to be delivered in one step from a device directly to the CPU.
2) MSI was introduced in PCI 2.2 and improved in PCI 3.0 with MSI-X, which supports more interrupts per device. MSI uses a memory write to trigger an interrupt, while traditional interrupts use dedicated pins.
3) The benefits of MSI include faster response, less hardware requirements, guarantee of unique interrupts, and ability to send data with the interrupt. MSI also avoids ordering issues with traditional interrupts.
Compiler design syntax analysis
This document discusses syntax analysis in compiler design. It begins by explaining that the lexer takes a string of characters as input and produces a string of tokens as output, which is then input to the parser. The parser takes the string of tokens and produces a parse tree of the program. Context-free grammars are introduced as a natural way to describe the recursive structure of programming languages. Derivations and parse trees are discussed as ways to parse strings based on a grammar. Issues like ambiguity and left recursion in grammars are covered, along with techniques like left factoring that can be used to transform grammars.
Cache memory principles
This document discusses cache memory principles and provides details about cache operation, structure, organization, and design considerations. The key points covered are:
- Cache is a small, fast memory located between the CPU and main memory that stores frequently used data.
- During a cache read operation, the CPU first checks the cache for the requested data. If present, it is retrieved from the fast cache. If not, the data is read from main memory into cache.
- Cache design considerations include size, mapping function, replacement algorithm, write policy, line size, and number of cache levels.
- Modern CPUs use hierarchical cache designs with multiple levels (L1, L2, etc.) to improve performance.
Control Flow Graphs
Intermediate representations are used in compilers to represent programs between the source and target languages. Control flow graphs (CFG) are a common intermediate representation that represent a program as a directed graph with basic blocks as nodes and edges showing possible control transfers. CFGs are useful for optimizations and analyzing unreachable code. They are built by dividing a program into basic blocks - sections with no jumps in or out - and connecting them based on the control flow.
Unit 4 sp macro
Introduction, Macro Definition and Call, Macro Expansion, Nested Macro Calls, Advanced Macro Facilities, Design Of a Macro Preprocessor, Design of a Macro Assembler, Functions of a Macro Processor, Basic Tasks of a Macro Processor, Design Issues of Macro Processors, Features, Macro Processor Design Options, Two-Pass Macro Processors, One-Pass Macro Processors
Two pass Assembler
Its an complete presentation of how two pass assembler works,two pass assembler program,comparison between one pass and two pass.
Three address code In Compiler Design
Three Address code Is an intermediate code used by optimizing compilers to aid in the implementation of code-improving transformations
CNIT 127 Ch Ch 1: Before you Begin
The document discusses basic concepts related to exploit development such as vulnerabilities, exploits, fuzzers, memory management, assembly language, and stack-based overflows. It provides definitions and explanations of these key terms, how programs are laid out in memory, basic assembly instructions, register usage, and how to recognize common C language constructs when viewing assembly code.
CNIT 127 Lecture 7: Intro to 64-Bit Assembler (not in book)
This document discusses 64-bit assembly programming. It covers 64-bit registers used in 64-bit assembly like RIP and RSP. It also discusses limitations of 64-bit addressing in different versions of Windows and how the operating system separates memory used by the OS and user programs. Common opcodes, syscalls, and using sections like .data and .text are described. Examples shown include simple programs, reading and writing data, and encoding text using Caesar cipher and XOR encryption.
More Related Content
What's hot
Intermediate code generator
The document discusses different representations of intermediate code in compilers, including high-level and low-level intermediate languages. High-level representations like syntax trees and DAGs depict the structure of the source program, while low-level representations like three-address code are closer to the target machine. Common intermediate code representations discussed are postfix notation, three-address code using quadruples/triples, and syntax trees.
Windows 10 Nt Heap Exploitation (English version)
The document discusses the Windows memory allocator and heap exploitation. It describes the core components and data structures of the NT heap, including the _HEAP structure, _HEAP_ENTRY chunks, BlocksIndex structure, and FreeLists. It also explains the differences between the backend and frontend allocators as well as how chunks of different sizes are managed.
CNIT 127 14: Protection Mechanisms
Slides for a college course at City College San Francisco. Based on "The Shellcoder's Handbook: Discovering and Exploiting Security Holes ", by Chris Anley, John Heasman, Felix Lindner, Gerardo Richarte; ASIN: B004P5O38Q.
Instructor: Sam Bowne
Class website: https://samsclass.info/127/127_F18.shtml
04 coms 525 tcpip - arp and rarp
The document discusses Address Resolution Protocol (ARP) and Reverse Address Resolution Protocol (RARP). It explains that ARP is used to dynamically map between IP addresses and MAC addresses on local area networks. ARP broadcasts a request to map an IP to MAC, and the host with that IP responds with its MAC. This mapping is stored in an ARP cache for future lookups to avoid broadcasting for every packet. RARP is the reverse process for a host to learn its IP from a server based on its MAC.
Assembly and Machine Code
Computer Science - Assembly and Machine Code
This presentation explains the 2 types of programming languages such as assembly and machine code.
Instruction Set Architecture
The document discusses different instruction set architectures including stack, accumulator, memory-memory, register-memory, and load-store architectures. It compares the pros and cons of each in terms of hardware requirements, parallelism, pipelining, and compiler optimization. Instruction formats are classified based on the number of operands and addresses. Code size and number of required memory accesses are compared for 4-address, 3-address, 2-address, 1-address, and 0-address instructions.
Compiler Construction
The document provides an introduction to compiler construction including:
1. The objectives of understanding how to build a compiler, use compiler construction tools, understand assembly code and virtual machines, and define grammars.
2. An overview of compilers and interpreters including the analysis-synthesis model of compilation where analysis determines operations from the source program and synthesis translates those operations into the target program.
3. An outline of the phases of compilation including preprocessing, compiling, assembling, and linking source code into absolute machine code using tools like scanners, parsers, syntax-directed translation, and code generators.
LLVM Instruction Selection
Instruction selection in LLVM maps the compiler intermediate representation (IR) to target instructions by matching nodes in a selection DAG. It performs this mapping greedily by choosing instructions with higher complexity that can cover more operations. The selection DAG is legalized to ensure operations are supported by the target before instruction matching using patterns defined in tablegen files.
Assemblers
This document discusses assembly language and assemblers. It begins by explaining that assembly language provides a more readable and convenient way to program compared to machine language. It then describes how an assembler works, translating assembly language programs into machine code. The elements of assembly language are defined, including mnemonic operation codes, symbolic operands, and data declarations. The document also covers instruction formats, sample assembly language programs, and the processing an assembler performs to generate machine code from assembly code.
CNIT 127: 4: Format string bugs
Slides for a college course at City College San Francisco. Based on "The Shellcoder's Handbook: Discovering and Exploiting Security Holes ", by Chris Anley, John Heasman, Felix Lindner, Gerardo Richarte; ASIN: B004P5O38Q.
Instructor: Sam Bowne
Class website: https://samsclass.info/127/127_F18.shtml
BIRA recent.pptx
This document proposes an efficient memory design for error tolerant applications using built-in self-repair (BISR). It uses built-in self-test (BIST) to test memories for faults and sends that information to built-in redundancy analysis (BIRA) to determine repair solutions. Memories are serially tested and repaired to reduce testing time and switching activities. The proposed approach uses multiple single input change (MSIC) vectors to test memories concurrently, reducing area and performance overhead compared to traditional BISR systems.
Linux System Programming - File I/O
This document discusses various concepts related to file input/output (I/O) in Linux system programming. It covers opening, reading from, writing to, closing, seeking within, and truncating files using system calls like open(), read(), write(), close(), lseek(), ftruncate(). It also discusses related topics like file descriptors, blocking vs non-blocking I/O, synchronized I/O, direct I/O, and positional reads/writes.
Assembler - System Programming
One pass assembler, Two pass assembler,
Advanced Assembler Directives
Index
------
One-pass assembler
Forward Reference
Two-pass assembler using variant-I
Two-pass assembler using variant-II
Advanced Assembler Directives
Design of two pass assembler
Message Signaled Interrupts
1) The document discusses Message Signaled Interrupts (MSI), an improvement over the traditional interrupt handling method. MSI allows interrupt information to be delivered in one step from a device directly to the CPU.
2) MSI was introduced in PCI 2.2 and improved in PCI 3.0 with MSI-X, which supports more interrupts per device. MSI uses a memory write to trigger an interrupt, while traditional interrupts use dedicated pins.
3) The benefits of MSI include faster response, less hardware requirements, guarantee of unique interrupts, and ability to send data with the interrupt. MSI also avoids ordering issues with traditional interrupts.
Compiler design syntax analysis
This document discusses syntax analysis in compiler design. It begins by explaining that the lexer takes a string of characters as input and produces a string of tokens as output, which is then input to the parser. The parser takes the string of tokens and produces a parse tree of the program. Context-free grammars are introduced as a natural way to describe the recursive structure of programming languages. Derivations and parse trees are discussed as ways to parse strings based on a grammar. Issues like ambiguity and left recursion in grammars are covered, along with techniques like left factoring that can be used to transform grammars.
Cache memory principles
This document discusses cache memory principles and provides details about cache operation, structure, organization, and design considerations. The key points covered are:
- Cache is a small, fast memory located between the CPU and main memory that stores frequently used data.
- During a cache read operation, the CPU first checks the cache for the requested data. If present, it is retrieved from the fast cache. If not, the data is read from main memory into cache.
- Cache design considerations include size, mapping function, replacement algorithm, write policy, line size, and number of cache levels.
- Modern CPUs use hierarchical cache designs with multiple levels (L1, L2, etc.) to improve performance.
Control Flow Graphs
Intermediate representations are used in compilers to represent programs between the source and target languages. Control flow graphs (CFG) are a common intermediate representation that represent a program as a directed graph with basic blocks as nodes and edges showing possible control transfers. CFGs are useful for optimizations and analyzing unreachable code. They are built by dividing a program into basic blocks - sections with no jumps in or out - and connecting them based on the control flow.
Unit 4 sp macro
Introduction, Macro Definition and Call, Macro Expansion, Nested Macro Calls, Advanced Macro Facilities, Design Of a Macro Preprocessor, Design of a Macro Assembler, Functions of a Macro Processor, Basic Tasks of a Macro Processor, Design Issues of Macro Processors, Features, Macro Processor Design Options, Two-Pass Macro Processors, One-Pass Macro Processors
Two pass Assembler
Its an complete presentation of how two pass assembler works,two pass assembler program,comparison between one pass and two pass.
Three address code In Compiler Design
Three Address code Is an intermediate code used by optimizing compilers to aid in the implementation of code-improving transformations
What's hot (20)
Viewers also liked
CNIT 127 Ch Ch 1: Before you Begin
The document discusses basic concepts related to exploit development such as vulnerabilities, exploits, fuzzers, memory management, assembly language, and stack-based overflows. It provides definitions and explanations of these key terms, how programs are laid out in memory, basic assembly instructions, register usage, and how to recognize common C language constructs when viewing assembly code.
CNIT 127 Lecture 7: Intro to 64-Bit Assembler (not in book)
This document discusses 64-bit assembly programming. It covers 64-bit registers used in 64-bit assembly like RIP and RSP. It also discusses limitations of 64-bit addressing in different versions of Windows and how the operating system separates memory used by the OS and user programs. Common opcodes, syscalls, and using sections like .data and .text are described. Examples shown include simple programs, reading and writing data, and encoding text using Caesar cipher and XOR encryption.
CNIT 129S: Ch 3: Web Application Technologies
Slides for a college course based on "The Web Application Hacker's Handbook", 2nd Ed.
Teacher: Sam Bowne
Website: https://samsclass.info/129S/129S_F16.shtml
CNIT 129S: Ch 5: Bypassing Client-Side Controls
Slides for a college course based on "The Web Application Hacker's Handbook", 2nd Ed.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/129S/129S_F16.shtml
CNIT 121: 11 Analysis Methodology
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/121/121_F16.shtml
CNIT 121: 12 Investigating Windows Systems (Part 2 of 3)
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/121/121_F16.shtml
CNIT 129S: 9: Attacking Data Stores (Part 1 of 2)
Slides for a college course based on "The Web Application Hacker's Handbook", 2nd Ed.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/129S/129S_F16.shtml
CNIT 129S: Ch 6: Attacking Authentication
Slides for a college course based on "The Web Application Hacker's Handbook", 2nd Ed.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/129S/129S_F16.shtml
CNIT 121: 12 Investigating Windows Systems (Part 3)
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/121/121_F16.shtml
CNIT 40: 6: DNSSEC and beyond
Slides for a college course based on "DNS Security" by Anestis Karasaridis.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/40/40_F16.shtml
CNIT 129S: 8: Attacking Access Controls
This document discusses common vulnerabilities in access controls for web applications and best practices for securing them. It covers different types of privilege escalation like vertical, horizontal, and context-dependent escalation. It also discusses vulnerabilities like unprotected functionality that can be accessed without authentication, identifier-based functions where access is based on predictable IDs, and multistage functions where access is not re-validated at each step. The document provides recommendations for testing access controls and securing them through measures like centralizing control checks and restricting access based on sessions rather than request parameters.
CNIT 129S: Securing Web Applications Ch 1-2
This document discusses securing web applications. It describes how modern web apps allow two-way information flow and user login/content submission, which introduces security risks if user input is not properly validated. It emphasizes that the core security problem is that users can submit arbitrary input, and outlines common attacks like modifying prices or session tokens. The document then covers core defense mechanisms like authentication, session management, access control, input validation at boundaries, and handling errors and attacks through logging, alerts and responses.
CNIT 121: 2 IR Management Handbook
This document discusses the roles and responsibilities involved in incident response (IR). It describes the incident manager who leads the investigation team, and the remediation team leader who coordinates remediation activities. It outlines the IR process including initial response, investigation, and remediation phases. It provides guidance on hiring IR talent, preserving evidence, analyzing data, developing indicators of compromise, and creating reports.
CNIT 129S: Ch 4: Mapping the Application
Slides for a college course based on "The Web Application Hacker's Handbook", 2nd Ed.
Teacher: Sam Bowne
Website: https://samsclass.info/129S/129S_F16.shtml
CNIT 121: 4 Getting the Investigation Started on the Right Foot & 5 Initial D...
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia.
Teacher: Sam Bowne
Website: https://samsclass.info/121/121_F16.shtml
CNIT 121: Computer Forensics Ch 1
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia".
Ch 1: Real-World Incidents
Teacher: Sam Bowne
Website: https://samsclass.info/121/121_F16.shtml
CNIT 121: 6 Discovering the Scope of the Incident & 7 Live Data Collection
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia.
Teacher: Sam Bowne
Website: https://samsclass.info/121/121_F16.shtml
CNIT 129S: 13: Attacking Users: Other Techniques (Part 1 of 2)
Request forgery techniques like on-site request forgery (OSRF) and cross-site request forgery (CSRF) allow attackers to trick a user's browser into making requests without the user's consent. OSRF uses stored XSS to inject links that trigger requests when clicked, while CSRF embeds requests directly on malicious sites. Defenses include anti-CSRF tokens and preventing sensitive actions via GET. The same-origin policy does not fully prevent cross-domain data theft using techniques like JavaScript hijacking, Flash, and relaxed HTML5 CORS policies.
CNIT 121: 3 Pre-Incident Preparation
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia.
Teacher: Sam Bowne
Website: https://samsclass.info/121/121_F16.shtml
CNIT 40: 3: DNS vulnerabilities
Slides for a college course based on "DNS Security" by Anestis Karasaridis.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/40/40_F16.shtml
Viewers also liked (20)
CNIT 127 Lecture 7: Intro to 64-Bit Assembler (not in book)
CNIT 127 Lecture 7: Intro to 64-Bit Assembler (not in book)
CNIT 121: 12 Investigating Windows Systems (Part 2 of 3)
CNIT 121: 12 Investigating Windows Systems (Part 2 of 3)
CNIT 121: 12 Investigating Windows Systems (Part 3)
CNIT 121: 12 Investigating Windows Systems (Part 3)
CNIT 121: 4 Getting the Investigation Started on the Right Foot & 5 Initial D...
CNIT 121: 4 Getting the Investigation Started on the Right Foot & 5 Initial D...
CNIT 121: 6 Discovering the Scope of the Incident & 7 Live Data Collection
CNIT 121: 6 Discovering the Scope of the Incident & 7 Live Data Collection
CNIT 129S: 13: Attacking Users: Other Techniques (Part 1 of 2)
CNIT 129S: 13: Attacking Users: Other Techniques (Part 1 of 2)
Similar to CNIT 127 Ch 5: Introduction to heap overflows
CNIT 127 Ch 5: Introduction to heap overflows
This document discusses heap overflows and exploit development. It explains that the heap is an area of memory used to dynamically allocate data at runtime using functions like malloc() and free(). While the stack stores return addresses that can be controlled in a buffer overflow, the heap does not directly store EIP. However, it contains pointers that are written to when freeing memory chunks, which can be exploited if a chunk overflow is used to control those writes and modify arbitrary memory locations. Potential targets include return addresses on the stack, the global offset table, destructors table, and function pointers.
Ch 5: Introduction to heap overflows
This document discusses heap overflows and exploit development. It explains that the heap is an area of memory used for dynamic allocation via malloc() and freed via free(). When free() is called, it must write to forward and backward pointers, allowing overflow data to potentially control those writes. This makes it possible to write to arbitrary RAM locations, such as the stack return address, global offset table, destructors table, or function pointers, in order to execute code and crash or exploit the program.
(Berkeley CS186 guest lecture) Big Data Analytics Systems: What Goes Around C...
(Berkeley CS186 guest lecture)
Big Data Analytics Systems: What Goes Around Comes Around
Introduction to MapReduce, GFS, HDFS, Spark, and differences between "Big Data" and database systems.
Move from C to Go
This document discusses moving from C to Go and compares various aspects of memory allocation between the two languages. It covers how arrays are values in Go rather than pointers, stack allocation versus heap allocation, and Go's garbage collector. It also provides an overview of the Go toolchain including supported architectures and compares performance of GCCGO versus the standard Go compiler. Finally, it explains Go's M:N user-space scheduler model and how goroutines are scheduled across logical processors.
CNIT 127: Ch 2: Stack overflows on Linux
Slides for a college course at City College San Francisco. Based on "The Shellcoder's Handbook: Discovering and Exploiting Security Holes ", by Chris Anley, John Heasman, Felix Lindner, Gerardo Richarte; ASIN: B004P5O38Q.
Instructor: Sam Bowne
Class website: https://samsclass.info/127/127_F19.shtml
127 Ch 2: Stack overflows on Linux
For a college course at City College San Francisco.
Instructor: Sam Bowne
Class website: https://samsclass.info/127/127_S18.shtml
CNIT 127 Ch 2: Stack overflows on Linux
A college lecture at City College San Francisco. Based on "The Shellcoder's Handbook: Discovering and Exploiting Security Holes ", by Chris Anley, John Heasman, Felix Lindner, Gerardo Richarte; ASIN: B004P5O38Q.
Instructor: Sam Bowne
Class website: https://samsclass.info/127/127_S17.shtml
Hadoop performance optimization tips
This document provides performance optimization tips for Hadoop jobs, including recommendations around compression, speculative execution, number of maps/reducers, block size, sort size, JVM tuning, and more. It suggests how to configure properties like mapred.compress.map.output, mapred.map/reduce.tasks.speculative.execution, and dfs.block.size based on factors like cluster size, job characteristics, and data size. It also identifies antipatterns to avoid like processing thousands of small files or using many maps with very short runtimes.
sysprog2 Part2
This document covers several key topics in C programming for Linux including preprocessing, compilation and linking; processes and process address spaces; stacks and scope; libraries; makefiles; gdb basics; and pointers. It discusses concepts like static and dynamic libraries, the stack and call stack, variables and scopes, linking to shared objects, makefile rules and variables, using gdb for debugging, and common pointer issues. The document appears to be notes for a training session on C programming fundamentals in Linux.
19-7960-07-notes.pptx
The document summarizes the Eyeriss architecture for accelerating convolutional neural networks. Eyeriss uses a spatial architecture with an array of processing elements connected by a mesh network. It employs various dataflow optimizations to reduce data movement and energy costs. A key optimization is exploiting data reuse by loading inputs and weights into local register files within each processing element. Eyeriss decomposes convolutions into smaller "primitives" that are processed sequentially by each PE to maximize reuse. It also pipelines computations across the PE array to improve parallelism.
CNIT 127 Ch 2: Stack overflows on Linux
Slides for a college course at City College San Francisco. Based on "The Shellcoder's Handbook: Discovering and Exploiting Security Holes ", by Chris Anley, John Heasman, Felix Lindner, Gerardo Richarte; ASIN: B004P5O38Q.
Instructor: Sam Bowne
Class website: https://samsclass.info/127/127_S18.shtml
PraveenBOUT++
The document discusses performance analysis of the BOUT++ code. It notes that improving HPC performance has economic and scientific benefits. The goals of performance analysis are to identify bottlenecks and suggest improvements to optimize code performance. Profilers are used to measure performance and identify issues such as poor scaling, load imbalance, communication overhead, and memory bandwidth sensitivity. Analysis of BOUT++ shows good scaling up to 8,192 cores but decreased performance at higher concurrencies potentially due to increased computational work in ghost cells as the grid points per processor decrease with increasing concurrency.
Optimizing Performance - Clojure Remote - Nikola Peric
When a project approaches production questions about performance always surface. This talk tackles several real-world problems that have occurred while bringing a data-driven project to production, and walks through the problem solving approach to each.
ASE2010
This document reports on scaling tools for mining software repositories (MSR) studies using MapReduce. It finds that MapReduce can effectively scale three large MSR studies - a software evolution study, code clone detection, and log analysis - to larger datasets and clusters of up to 28 machines. The main challenges in migrating MSR studies to MapReduce are the locality and granularity of the analysis, locating a suitable cluster, managing large datasets, and handling errors.
Thorny path to the Large-Scale Graph Processing (Highload++, 2014)
Alexey Zinoviev presented this paper on the Highload++ conference http://www.highload.ru/2014/abstracts/1516.html
This paper covers next topics: Pregel, Graph Theory, Giraph, Okapi, GraphX, GraphChi, Spark, Shrotest Path Problem, Road Network, Road Graph
Thorny Path to the Large Scale Graph Processing, Алексей Зиновьев (Тамтэк)
The document discusses large-scale graph processing and summarizes several graph processing tools and techniques. It describes Google's Pregel framework, which introduced the bulk synchronous parallel computation model. It also discusses Apache Giraph, an open-source implementation of Pregel, and how it uses Hadoop and ZooKeeper. Finally, it summarizes more recent tools like Spark and GraphX that can perform graph analytics in-memory at faster speeds.
Perl at SkyCon'12
Slides for my talk at SkyCon'12 in Limerick.
Here I've squeezed four talks into one, covering a lot of ground quickly, so I've included links to more detailed presentations and other resources.
HadoopThe Hadoop Java Software Framework
Storage and computation is getting cheaper AND easily accessible on demand in the cloud. We now collect and store some really large data sets Eg: user activity logs, genome sequencing, sensory data etc. Hadoop and the ecosystem of projects built around it present simple and easy to use tools for storing and analyzing such large data collections on commodity hardware.
Topics Covered
* The Hadoop architecture.
* Thinking in MapReduce.
* Run some sample MapReduce Jobs (using Hadoop Streaming).
* Introduce PigLatin, a easy to use data processing language.
Speaker Profile: Mahesh Reddy is an Entrepreneur, chasing dreams. Works on large scale crawl and extraction of structured data from the web. He is a graduate frm IIT Kanpur(2000-05) and previously worked at Yahoo! Labs as Research Engineer/Tech Lead on Search and Advertising products.
Accelerate Reed-Solomon coding for Fault-Tolerance in RAID-like system
The document discusses accelerating Reed-Solomon erasure codes on GPUs. It aims to accelerate two main computation bottlenecks: arithmetic operations in Galois fields and matrix multiplication. For Galois field operations, it evaluates loop-based and table-based methods and chooses a log-exponential table approach. It also proposes tiling algorithms to optimize matrix multiplication on GPUs by reducing data transfers and improving memory access patterns. The goal is to make Reed-Solomon encoding and decoding faster for cloud storage systems using erasure codes.
CNIT 127: Ch 2: Stack Overflows in Linux
The document discusses stack buffer overflows in Linux. It explains how functions use the stack, with arguments and return addresses pushed onto the stack. A stack buffer overflow occurs when a program writes past the end of a fixed-length buffer on the stack. This can overwrite the return address, allowing arbitrary code execution. The document demonstrates this by having a program read user input into a buffer without bounds checking. Entering more data than the buffer size crashes the program by overwriting the return address. This vulnerability can be exploited to gain control of a program's execution flow.
Similar to CNIT 127 Ch 5: Introduction to heap overflows (20)
(Berkeley CS186 guest lecture) Big Data Analytics Systems: What Goes Around C...
(Berkeley CS186 guest lecture) Big Data Analytics Systems: What Goes Around C...
Optimizing Performance - Clojure Remote - Nikola Peric
Optimizing Performance - Clojure Remote - Nikola Peric
Thorny path to the Large-Scale Graph Processing (Highload++, 2014)
Thorny path to the Large-Scale Graph Processing (Highload++, 2014)
Thorny Path to the Large Scale Graph Processing, Алексей Зиновьев (Тамтэк)
Thorny Path to the Large Scale Graph Processing, Алексей Зиновьев (Тамтэк)
Accelerate Reed-Solomon coding for Fault-Tolerance in RAID-like system
Accelerate Reed-Solomon coding for Fault-Tolerance in RAID-like system
More from Sam Bowne
Cyberwar
The document discusses various topics related to cyberwar including Mastodon, Lockheed-Martin's kill chain model, and Mitre's ATT&CK framework. It notes that China, Russia, Iran, and North Korea pose major cyber threats according to the FBI and CISA. China is described as the broadest cyber espionage threat. Russia conducts destructive malware and ransomware operations. Iran's growing cyber expertise makes it a threat. North Korea's program poses an espionage, cybercrime, and attack threat and continues cryptocurrency heists.
3: DNS vulnerabilities
- DNS vulnerabilities can arise from configuration errors, architecture mistakes, vulnerable software implementations, protocol weaknesses, and failure to use security extensions.
- Common mistakes include single points of failure, exposure of internal information, leakage of internal queries, unnecessary recursiveness, failure to restrict access, and unprotected zone transfers.
- Software vulnerabilities have included buffer overflows and flaws in randomization of source ports, transaction IDs, and domain name ordering that enable cache poisoning and man-in-the-middle attacks.
8. Software Development Security
This chapter discusses software development security. It covers topics like programming concepts, compilers and interpreters, procedural vs object-oriented languages, application development methods like waterfall vs agile models, databases, object-oriented design, assessing software vulnerabilities, and artificial intelligence techniques. The key aspects are securing the entire software development lifecycle from initial planning through operation and disposal, using secure coding practices, testing for vulnerabilities, and continually improving processes.
4 Mapping the Application
For a Securing Web Applications class at college.
More info: https://samsclass.info/129S/129S_S23.shtml
3. Attacking iOS Applications (Part 2)
This document discusses attacking iOS applications by exploiting vulnerabilities in the iOS runtime, interprocess communication, and through injection attacks. Specifically, it covers instrumenting the iOS runtime using method swizzling, attacking applications using interprocess communication techniques like application extensions, and exploiting entry points like UIWebViews, client-side data stores, and file handling routines to perform injection attacks on iOS apps.
12 Elliptic Curves
This document provides an overview of elliptic curve cryptography including what an elliptic curve is, the elliptic curve discrete logarithm problem (ECDLP), Diffie-Hellman key agreement and digital signatures using elliptic curves. It discusses NIST standard curves like P-256 and Curve25519 as well as choosing appropriate curves and potential issues like attacks if randomness is not properly implemented or an invalid curve is used.
11. Diffie-Hellman
The document discusses the Diffie-Hellman key exchange protocol. It describes how Diffie-Hellman works by having two parties agree on a shared secret over an insecure channel without transmitting the secret itself. It also covers potential issues like using proper cryptographic techniques to derive keys from the shared secret and using safe prime numbers to prevent attacks.
2a Analyzing iOS Apps Part 1
This document provides an overview of analyzing iOS apps, including jailbreaking mobile devices. It discusses iOS security features like code signing and sandboxing. It explains how to set up a test environment for analyzing apps by jailbreaking a device and using Unix tools. Key files like property lists and databases that can be explored are also outlined.
9 Writing Secure Android Applications
This document discusses various techniques for writing secure Android apps, including minimizing unnecessary permissions and exposure, securing data storage and communication, and making apps difficult to reverse engineer. It provides examples of implementing essential security mechanisms like permission protection and securing activities, content providers, and web views. It also covers more advanced techniques such as protection level downgrades, obfuscation, and tamper detection.
12 Investigating Windows Systems (Part 2 of 3)
The document discusses investigating Windows systems by analyzing the Windows Registry. It describes the purpose and structure of the Registry, including the main hive files and user-specific hives. It provides an overview of important Registry keys that can contain forensic artifacts, such as system configuration keys, network information keys, user and security information keys, and auto-run keys that can indicate malware persistence. Specific Registry keys and values are highlighted that are most useful for analyzing evidence on a compromised system, including ShellBags, UserAssist, MRU lists, and Internet Explorer TypedURLs and TypedPaths. Tools for Registry analysis like RegRipper, AutoRuns, and Nirsoft utilities are also mentioned.
10 RSA
This document provides an overview of the RSA cryptosystem. It begins with the mathematical foundations of RSA, including the group ZN* and Euler's totient function. It then covers the RSA trapdoor permutation using modular exponentiation and key generation. The document discusses encrypting and signing with RSA, as well as implementations using libraries and algorithms like square-and-multiply. It concludes with topics like side-channel attacks, optimizations for speed, and ways implementations can fail like the Bellcore attack on RSA-CRT.
12 Investigating Windows Systems (Part 1 of 3
This document provides an overview of analyzing the Windows file system, NTFS metadata, and logs to investigate security incidents and recover deleted files. It discusses the Master File Table (MFT) structure, timestamps, alternate data streams, prefetch files, event logs, and scheduled tasks. The MFT stores file metadata including attributes, timestamps, and data runs. File deletion only marks the MFT entry inactive, allowing recovery of deleted file contents and metadata. Event and security logs can reveal lateral movement and suspicious processes. Prefetch files indicate program execution history. Scheduled tasks configure automated programs through .job files logged by Task Scheduler.
9. Hard Problems
This document discusses computational hardness and complexity classes related to cryptography. It covers the computational complexity of problems like factoring large numbers and the discrete logarithm problem. These problems are assumed to be hard, even for quantum computers, and form the basis for cryptographic techniques. The document also discusses how cryptography could be broken if faster algorithms were found for these problems or if the key sizes used were too small.
8 Android Implementation Issues (Part 1)
This document discusses exploiting vulnerabilities in Android devices. It covers identifying pre-installed apps that could provide access, techniques for remotely or locally exploiting devices, and the different privilege levels an attacker may obtain including non-system app access, installed package access, ADB shell access, system user access, and root user access. Specific exploitation techniques mentioned include exploiting update mechanisms, remote code loading, webviews, listening services, and messaging apps. Tools discussed include Drozer, Ettercap, and Burp.
11 Analysis Methodology
This document provides an overview of the incident response analysis methodology process. It discusses defining objectives, understanding the situation and available resources, identifying leadership, avoiding impossible tasks like proving a negative, asking why to define scope, knowing where data is stored, accessing raw data, selecting analysis methods like searching for malware or using tools like VirusTotal, manual review, filtering data, statistical analysis using tools like Sawmill, string searching, analyzing unallocated space, and file carving. It stresses periodically evaluating results to ensure progress and only making definitive statements if supported by evidence.
8. Authenticated Encryption
This document discusses authenticated encryption, which both encrypts messages and authenticates them with a tag. It covers several authenticated encryption schemes:
1. Authenticated Encryption with Associated Data (AEAD) which encrypts a plaintext and authenticates additional associated data with a tag.
2. AES-GCM, the standard authenticated cipher, which uses AES in Galois/Counter Mode. It has two layers - encryption then authentication.
3. OCB, faster than GCM but limited by licensing. It blends encryption and authentication into one layer.
4. SIV, considered the safest as it is secure even if nonces are reused, but it is not streamable.
7. Attacking Android Applications (Part 2)
This document summarizes part 2 of a course on attacking Android applications. It discusses how application components like activities and services can be exploited if not properly protected. Specific vulnerabilities in the Sieve password manager application are demonstrated, including insecure content providers, SQL injection, and an insecure file-backed content provider. The document also covers how services and broadcast receivers can be abused if not protected correctly.
7. Attacking Android Applications (Part 1)
This document discusses attacking Android applications through their components. It covers exploiting vulnerabilities in an app's security model, intercepting communications, and compromising application containers or internet servers that apps rely on. Specific attacks examined include bypassing the lock screen, tapjacking, accessing private app data through recently used screenshots, and changing a PIN without knowing the old one using fragment injection. The document provides examples of how to interact with an app's activities, services, content providers and permissions through intents and other techniques.
5. Stream Ciphers
The document discusses stream ciphers and how they can be implemented in either hardware or software. It describes how stream ciphers work by generating a pseudorandom bitstream from a key and nonce that is XOR'd with the plaintext. Hardware-oriented stream ciphers were initially more efficient to implement than block ciphers using dedicated circuits like LFSRs. However, LFSR-based designs are insecure and modern software-oriented stream ciphers like Salsa20 are more efficient on CPUs. The document cautions that stream ciphers can be broken if the key and nonce are reused or if there are flaws in the implementation.
6 Scope & 7 Live Data Collection
Live data collection on Windows systems can be done using prebuilt kits like Mandiant Redline or Velociraptor, by creating your own scripted toolkit using built-in and free tools to collect processes, network connections, system logs and other volatile data, while following best practices like testing your methods first and being cautious of malware on investigated systems.
More from Sam Bowne (20)
Recently uploaded
Level 3 NCEA - NZ: A Nation In the Making 1872 - 1900 SML.ppt
The History of NZ 1870-1900.
Making of a Nation.
From the NZ Wars to Liberals,
Richard Seddon, George Grey,
Social Laboratory, New Zealand,
Confiscations, Kotahitanga, Kingitanga, Parliament, Suffrage, Repudiation, Economic Change, Agriculture, Gold Mining, Timber, Flax, Sheep, Dairying,
Benner "Expanding Pathways to Publishing Careers"
This presentation was provided by Rebecca Benner, Ph.D., of the American Society of Anesthesiologists, for the second session of NISO's 2024 Training Series "DEIA in the Scholarly Landscape." Session Two: 'Expanding Pathways to Publishing Careers,' was held June 13, 2024.
Leveraging Generative AI to Drive Nonprofit Innovation
In this webinar, participants learned how to utilize Generative AI to streamline operations and elevate member engagement. Amazon Web Service experts provided a customer specific use cases and dived into low/no-code tools that are quick and easy to deploy through Amazon Web Service (AWS.)
HYPERTENSION - SLIDE SHARE PRESENTATION.
IT WILL BE HELPFULL FOR THE NUSING STUDENTS
IT FOCUSED ON MEDICAL MANAGEMENT AND NURSING MANAGEMENT.
HIGHLIGHTS ON HEALTH EDUCATION.
How to Predict Vendor Bill Product in Odoo 17
This slide will guide us through the process of predicting vendor bill products based on previous purchases from the vendor in Odoo 17.
Accounting for Restricted Grants When and How To Record Properly
In this webinar, member learned how to stay in compliance with generally accepted accounting principles (GAAP) for restricted grants.
How to Download & Install Module From the Odoo App Store in Odoo 17
Custom modules offer the flexibility to extend Odoo's capabilities, address unique requirements, and optimize workflows to align seamlessly with your organization's processes. By leveraging custom modules, businesses can unlock greater efficiency, productivity, and innovation, empowering them to stay competitive in today's dynamic market landscape. In this tutorial, we'll guide you step by step on how to easily download and install modules from the Odoo App Store.
Geography as a Discipline Chapter 1 __ Class 11 Geography NCERT _ Class Notes...
Geography as discipline
Gender and Mental Health - Counselling and Family Therapy Applications and In...
A proprietary approach developed by bringing together the best of learning theories from Psychology, design principles from the world of visualization, and pedagogical methods from over a decade of training experience, that enables you to: Learn better, faster!
A Visual Guide to 1 Samuel | A Tale of Two Hearts
These slides walk through the story of 1 Samuel. Samuel is the last judge of Israel. The people reject God and want a king. Saul is anointed as the first king, but he is not a good king. David, the shepherd boy is anointed and Saul is envious of him. David shows honor while Saul continues to self destruct.
How to Fix [Errno 98] address already in use
This slide will represent the cause of the error “[Errno 98] address already in use” and the troubleshooting steps to resolve this error in Odoo.
BIOLOGY NATIONAL EXAMINATION COUNCIL (NECO) 2024 PRACTICAL MANUAL.pptx
Practical manual for National Examination Council, Nigeria.
Contains guides on answering questions on the specimens provided
Recently uploaded (20)
NEWSPAPERS - QUESTION 1 - REVISION POWERPOINT.pptx
NEWSPAPERS - QUESTION 1 - REVISION POWERPOINT.pptx
Juneteenth Freedom Day 2024 David Douglas School District
Juneteenth Freedom Day 2024 David Douglas School District
Level 3 NCEA - NZ: A Nation In the Making 1872 - 1900 SML.ppt
Level 3 NCEA - NZ: A Nation In the Making 1872 - 1900 SML.ppt
REASIGNACION 2024 UGEL CHUPACA 2024 UGEL CHUPACA.pdf
REASIGNACION 2024 UGEL CHUPACA 2024 UGEL CHUPACA.pdf
Leveraging Generative AI to Drive Nonprofit Innovation
Leveraging Generative AI to Drive Nonprofit Innovation
Accounting for Restricted Grants When and How To Record Properly
Accounting for Restricted Grants When and How To Record Properly
How to Download & Install Module From the Odoo App Store in Odoo 17
How to Download & Install Module From the Odoo App Store in Odoo 17
Geography as a Discipline Chapter 1 __ Class 11 Geography NCERT _ Class Notes...
Geography as a Discipline Chapter 1 __ Class 11 Geography NCERT _ Class Notes...
Gender and Mental Health - Counselling and Family Therapy Applications and In...
Gender and Mental Health - Counselling and Family Therapy Applications and In...
BIOLOGY NATIONAL EXAMINATION COUNCIL (NECO) 2024 PRACTICAL MANUAL.pptx
BIOLOGY NATIONAL EXAMINATION COUNCIL (NECO) 2024 PRACTICAL MANUAL.pptx
CNIT 127 Ch 5: Introduction to heap overflows
- 1. CNIT 127: Exploit Development Ch 5: Introduction to Heap Overflows Updated 2-14-17
- 2. What is a Heap?
- 3. Memory Map • In gdb, the "info proc map" command shows how memory is used • Programs have a stack, one or more heaps, and other segments • malloc() allocates space on the heap • free() frees the space
- 5. Heap Structure Size of previous chunk Size of this chunk Pointer to next chunk Pointer to previous chunk Data Size of previous chunk Size of this chunk Pointer to next chunk Pointer to previous chunk Data Size of previous chunk Size of this chunk Pointer to next chunk Pointer to previous chunk Data
- 8. Viewing the Heap in gdb
- 10. Crash in gdb
- 11. Targeted Exploit
- 12. The Problem With the Heap
- 13. EIP is Hard to Control • The Stack contains stored EIP values • The Heap usually does not • However, it has addresses that are used for writes – To fill in heap data – To rearrange chunks when free() is called
- 14. Action of Free() • Must write to the forward and reverse pointers • If we can overflow a chunk, we can control those writes • Write to arbitrary RAM – Image from mathyvanhoef.com, link Ch 5b
- 15. Target RAM Options • Saved return address on the Stack – Like the Buffer Overflows we did previously • Global Offset Table – Used to find shared library functions • Destructors table (DTORS) – Called when a program exits • C Library Hooks
- 16. Target RAM Options • "atexit" structure (link Ch 4n) • Any function pointer • In Windows, the default unhandled exception handler is easy to find and exploit
- 17. Project Walkthroughs • Proj 8 – Exploiting a write to a heap value • Proj 8x – Taking over a remote server • Proj 5x – Buffer overflow with a canary