The document discusses memory organization and buffer overflow exploits. It explains how the CPU and memory are organized, and how data is represented in binary, octal, decimal, and hexadecimal numbering systems. It then covers buffer overflow basics like stack operations, function calls and stack organization, and provides an example of a buffer overflow exploit that overwrites the EIP register to change the program flow.

1. Exploiting
Memory Overflows

2. Action Plan
System Organization Basics
Memory Organization Basics
Buffer Overflow Basics
Demo
Heap Overflow Basics
Demo

3. System Organization Basics
CPU
System Bus Memory
A/D/C
I/O Devices

4. Numbering Systems
Binary: 11011
Octal: 33
Decimal: 27
Hexadecimal: 1B

5. Data Representations
Bit: 1 bit (0/1)
Nibble: 4 bits (0-15)
Byte: 8 bits (0-255)
Word: 16 bits (0-65535)
Double Word(DWORD): 32 bits (0-4294967295)
Quad Word(QWORD): 64 bits
(0-18446744073709551615)
0 10110000 01001011101100 1 0 1 0 0 1 0 1 0
33,373 148 10
16bits WORD 8bits BYTE 4bits
NIBBLE
32bits DWORD
1,881,526,604

6. 15 Memory Organization
14 Basics
13
0 1 1 0 1 1 0 1 0 0 1 0 0 0 0 0
12
11 MSB LSB
10 Little Endian Big Endian
9 0x46 0x69
8 0x1D 0xAB
7 0xAB 0x1D
6 0x461DAB69
0x461DAB69 0x69 0x46
5
4 0x6D 0x20
3 0x6D20 0x20 0x6D
2
1 0x2A
0x2A 0x2A 0x2A
Intel x86, x86_64 Motorola

7. EAX – Accumulator, used for default operands and results
EBX – Base, used to store pointers to data
C
ECX – Counter, used to count up or down
P
EDX – Data, used as an I/O pointer
U
ESP – Stack Pointer, points to the top of the stack frame
EBP – Base Pointer, points to the base of the stack frame
R
ESI – Source Index, points to the source for data
E
EDI – Destination Index, points to the data destination
G
I Flag – Provides result for the latest operation
S
EIP – Instruction Pointer, points to the next instruction
T
E CS – Code Segment, points to the source of code segment
R DS – Data Segment, points to the source of data segment
S SS – Stack Segment, points to the source of stack segment
CS – Extra Segment, points to the source of extra segment

8. .
.HIGH
Segment Size: 0x100
S
E 0x400 EDX, EBX, ESI, EDI
ES
G 0x400
M
E
ESP, EBP
N SS 0x300
0x300
T
A
T 0x200 EDX, EBX, ESI, EDI
DS
I 0x200
O
N
0x100 EIP
CS 0x100
. LOW
.

9. 56
Buffer Overflow Basics
52
48
Stack Operations
44
40 PUSH – Subtract 4 from
36 1A EBP ESP ESP and put new value
at that address
32 CF
28 09
AC POP – Add 4 to ESP
24
direction...
Stack grows in this
20 OPER EBP ESP
16 PUSH 1A 36 36
12 PUSH CF 36 32
8 PUSH 09 36 28
4 POP 36 32
0 PUSH AC 36 28

10. Function Calls and Stack
HIGH
direction...
Stack grows in this
main() main() main() main() main()
fun1() fun1() fun1()
fun2()
LOW 1 2 3 4 5
main() -> fun1() -> fun2() > fun1() > main()

11. 56
Stack Organization for
52
Function Calls
48 local_var1 EBP
44 arg2
40 arg1 int fun (int arg1, int arg2){
36 RETN ADDR ESP int lvar1 = arg1 + arg2;
OLD EBP }
32
28 lvar1 int main () {
24 int local_var1;
20
fun (arg1, arg2);
}
16
12
8
4
0

12. 56
Stack Organization for
52
Function Calls
48 x=18 EBP
44 6
40 3
int add (int a, int b) {
36 RA=999 ESP int c = a + b;
32 OLD EBP=48 }
28 c=9
int main () {
24 int x = 18;
20 add (3, 6);
16
}
12
8
4
0

13. 220 Buffer Overflow Example
216
x=6
212
&argv[1]
208 int vuln (char *argv) {
RA=999 char buf[80];
204
OLD EBP=212 EBP int a = 9;
200
strcpy (buf, argv);
}
int main (int argc,
char **argv) {
int x = 6;
buf[80] vuln (argv[1]);
120
a=9 ESP }
116
112
108
104

14. 220 Buffer Overflow Example
216
x=6 int vuln (char *argv) {
212
&argv[1] char buf[80];
208 int a = 9;
RA=999 strcpy (buf, argv);
204
OLD EBP=212 EBP }
200
AAAA
int main (int argc,
char **argv) {
... int x = 6;
vuln (argv[1]);
}
AAAA
120
a=9 ESP
116
112
python -c 'print “A”*80'
108
104

15. 220 Buffer Overflow Example
216
x=6 int vuln (char *argv) {
212
&argv[1] char buf[80];
208 int a = 9;
RA=999 strcpy (buf, argv);
204
AAAA EBP }
200
AAAA
int main (int argc,
char **argv) {
... int x = 6;
vuln (argv[1]);
}
AAAA
120
a=9 ESP
116
112
python -c 'print “A”*84'
108
104

16. 220 Buffer Overflow Example
216
x=6 int vuln (char *argv) {
212
&argv[1] char buf[80];
208 int a = 9;
AAAA strcpy (buf, argv);
204
AAAA EBP }
200
AAAA
int main (int argc,
char **argv) {
... int x = 6;
vuln (argv[1]);
}
AAAA
120
a=9 ESP
116
112
python -c 'print “A”*88'
108
104

17. So, you can overflow a buffer...
now what?
Sky is the limit...!
Well, not really :)
Let's just dig deep and
see what exactly the scope of such
a vulnerability is

18. 220 EIP 220
216 41414141 216
x=6 SIGSEGV x=6
212 212
&argv[1] &argv[1]
208 208
41414141 RTN ADDR 00000120
204 204
41414141 90909090
200 EBP 200
41414141 6851C931
D0FF77C2
... 93C7B854
90909090
41414141 90909090
120 ESP 120
a=9 a=9
116 116
112 EIP 112
108 00000120 108
104
GAME OVER! 104

19. Finally, its time to witness
some live action...!

20. That’s all folks!!!
Ready with your questions?
Start firing them, now...