Exploiting Memory Overflows
Emo-Exploitation

Published in: Education, Technology, Business
  1. Exploiting Memory Overflows
  2. Action Plan: System Organization Basics; Memory Organization Basics; Buffer Overflow Basics; Demo; Heap Overflow Basics; Demo
  3. System Organization Basics: CPU, System Bus, Memory, A/D/C, I/O Devices
  4. Numbering Systems: Binary: 11011; Octal: 33; Decimal: 27; Hexadecimal: 1B
  5. Data Representations:
     Bit: 1 bit (0/1)
     Nibble: 4 bits (0-15)
     Byte: 8 bits (0-255)
     Word: 16 bits (0-65535)
     Double Word (DWORD): 32 bits (0-4294967295)
     Quad Word (QWORD): 64 bits (0-18446744073709551615)
     (Diagram: a 32-bit DWORD, shown as the decimal value 1,881,526,604, split into 16-bit WORD, 8-bit BYTE and 4-bit NIBBLE fields; the sample field values drawn are 33,373, 148 and 10.)
  6. Memory Organization Basics:
     Memory is drawn as addresses 15 down to 0, one byte per address. The 16-bit value 0x6D20 is the bit pattern 0 1 1 0 1 1 0 1 0 0 1 0 0 0 0 0, written MSB first and LSB last.
     Byte order of multi-byte values in memory (lowest address first):
       Value        Little Endian          Big Endian
       0x461DAB69   0x69 0xAB 0x1D 0x46    0x46 0x1D 0xAB 0x69
       0x6D20       0x20 0x6D              0x6D 0x20
       0x2A         0x2A                   0x2A
     Little Endian: Intel x86, x86_64. Big Endian: Motorola.
  7. CPU Registers:
     EAX – Accumulator, used for default operands and results
     EBX – Base, used to store pointers to data
     ECX – Counter, used to count up or down
     EDX – Data, used as an I/O pointer
     ESP – Stack Pointer, points to the top of the stack frame
     EBP – Base Pointer, points to the base of the stack frame
     ESI – Source Index, points to the source for data
     EDI – Destination Index, points to the data destination
     Flag – Provides result for the latest operation
     EIP – Instruction Pointer, points to the next instruction
     CS – Code Segment, points to the source of code segment
     DS – Data Segment, points to the source of data segment
     SS – Stack Segment, points to the source of stack segment
     ES – Extra Segment, points to the source of extra segment
  8. Segmentation (segment size: 0x100; memory drawn from LOW at the bottom to HIGH at the top):
       Segment   Base     Registers that address it
       ES        0x400    EDX, EBX, ESI, EDI
       SS        0x300    ESP, EBP
       DS        0x200    EDX, EBX, ESI, EDI
       CS        0x100    EIP
  9. Buffer Overflow Basics – Stack Operations:
     PUSH – Subtract 4 from ESP and put the new value at that address.
     POP – Add 4 to ESP.
     The stack grows from higher addresses (56) towards lower addresses (0).
     Stack contents after the sequence below (address: value):
       36: 1A   <- EBP
       32: CF
       28: 09, later overwritten by AC   <- ESP
     Register values after each operation:
       OPER      EBP   ESP
       PUSH 1A   36    36
       PUSH CF   36    32
       PUSH 09   36    28
       POP       36    32
       PUSH AC   36    28
  10. Function Calls and Stack (stack grows from HIGH towards LOW):
      Call and return sequence: main() -> fun1() -> fun2() -> fun1() -> main()
      Frames on the stack at each of the five steps:
        1: main()
        2: main(), fun1()
        3: main(), fun1(), fun2()
        4: main(), fun1()
        5: main()
  11. Stack Organization for Function Calls:
        int fun (int arg1, int arg2) {
          int lvar1 = arg1 + arg2;
        }
        int main () {
          int local_var1;
          fun (arg1, arg2);
        }
      Stack layout during the call (addresses 56 down to 0, value at each address; EBP and ESP are labelled as they stand in main() at the moment of the call):
        48: local_var1   <- EBP
        44: arg2
        40: arg1
        36: RETN ADDR    <- ESP
        32: OLD EBP      (saved copy of main's EBP)
        28: lvar1
  12. Stack Organization for Function Calls (concrete values):
        int add (int a, int b) {
          int c = a + b;
        }
        int main () {
          int x = 18;
          add (3, 6);
        }
      Stack layout during the call:
        48: x=18          <- EBP
        44: 6
        40: 3
        36: RA=999        <- ESP
        32: OLD EBP=48    (saved copy of main's EBP)
        28: c=9
  13. Buffer Overflow Example:
        int vuln (char *argv) {
          char buf[80];
          int a = 9;
          strcpy (buf, argv);
        }
        int main (int argc, char **argv) {
          int x = 6;
          vuln (argv[1]);
        }
      Stack layout while vuln() runs (addresses 220 down to 104):
        216: x=6
        212: &argv[1]
        208: RA=999
        204: OLD EBP=212   <- EBP
        200 down to 124: buf[80]
        120: a=9           <- ESP
  14. Buffer Overflow Example, input python -c 'print "A"*80': buf[80] (addresses 200 down to 124) is filled completely with AAAA; OLD EBP=212 at 204 and RA=999 at 208 are untouched.
  15. Buffer Overflow Example, input python -c 'print "A"*84': buf[80] is filled with AAAA and the four extra bytes overwrite OLD EBP at 204 with AAAA; RA=999 at 208 is still intact.
  16. Buffer Overflow Example, input python -c 'print "A"*88': buf[80], OLD EBP at 204 and the return address at 208 are all overwritten with AAAA.
  17. So, you can overflow a buffer... now what? Sky is the limit...! Well, not really :) Let's just dig deep and see what exactly the scope of such a vulnerability is.
  18. Two outcomes of overwriting the return address (stack drawn as in slide 13, addresses 220 down to 104):
      Left: the return address at 208 and the slots at 204 and 200 hold 41414141 (AAAA); on return EIP = 41414141, and the process dies with SIGSEGV.
      Right: the return address at 208 is replaced by 00000120, an address inside the overflowed region, which now holds a run of 90909090 (NOP sled) followed by shellcode bytes (6851C931 D0FF77C2 ... 93C7B854); on return EIP = 00000120 and execution continues in the injected code. GAME OVER!
  19. Finally, it's time to witness some live action...!
  20. That's all folks!!! Ready with your questions? Start firing them, now...
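
The byte-order table in slide 6 is easy to get backwards when writing or parsing binary data by hand. The following C program is an added example, not part of the deck: it serialises and decodes a 32-bit value in both conventions independently of the host CPU, asks the running CPU which convention it uses, and extracts the nibble/byte/word fields from slide 5. The values 0x461DAB69, 0x6D20 and 0x2A are the slide's; every function name (le_byte, be_byte, le_to_host, be_to_host, host_is_little_endian, host_byte_at, field) is my own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The slide's example value and its two in-memory layouts, lowest address first
 * (constructed from the table on slide 6). */
static const uint32_t SLIDE_VALUE = 0x461DAB69u;
const uint8_t SLIDE_LE[4] = {0x69, 0xAB, 0x1D, 0x46};
const uint8_t SLIDE_BE[4] = {0x46, 0x1D, 0xAB, 0x69};
const uint8_t WORD_LE[2]  = {0x20, 0x6D};   /* 0x6D20, little-endian */
const uint8_t WORD_BE[2]  = {0x6D, 0x20};   /* 0x6D20, big-endian */

/* Byte i (0 = lowest address) of v stored little-endian: least significant
 * byte first, as on Intel x86 / x86_64. */
uint8_t le_byte(uint32_t v, unsigned i) {
    return (uint8_t)(v >> (8 * (i & 3)));
}

/* Byte i of v stored big-endian: most significant byte first (Motorola). */
uint8_t be_byte(uint32_t v, unsigned i) {
    return (uint8_t)(v >> (8 * (3 - (i & 3))));
}

/* Decode n (1..4) bytes read from memory in little-endian order. */
uint32_t le_to_host(const uint8_t *in, unsigned n) {
    uint32_t v = 0;
    for (unsigned i = 0; i < n && i < 4; i++)
        v |= (uint32_t)in[i] << (8 * i);
    return v;
}

/* Decode n (1..4) bytes read from memory in big-endian order. */
uint32_t be_to_host(const uint8_t *in, unsigned n) {
    uint32_t v = 0;
    for (unsigned i = 0; i < n && i < 4; i++)
        v = (v << 8) | in[i];
    return v;
}

/* Ask the running CPU which convention it uses: store 1 and look at the
 * lowest-addressed byte. memcpy sidesteps strict-aliasing problems. */
int host_is_little_endian(void) {
    uint32_t probe = 1;
    uint8_t first;
    memcpy(&first, &probe, 1);
    return first == 1;
}

/* The byte actually found at offset i once v is written to host memory. */
uint8_t host_byte_at(uint32_t v, unsigned i) {
    uint8_t bytes[4];
    memcpy(bytes, &v, sizeof bytes);
    return bytes[i & 3];
}

/* Field number k of width width_bits (4 = nibble, 8 = byte, 16 = word),
 * counted from the least significant end; width_bits * k must stay below 32. */
uint32_t field(uint32_t v, unsigned width_bits, unsigned k) {
    uint32_t mask = width_bits >= 32 ? 0xFFFFFFFFu : ((1u << width_bits) - 1u);
    return (v >> (width_bits * k)) & mask;
}

static void dump(const char *label, uint32_t v) {
    printf("%-12s 0x%08X  LE:", label, v);
    for (unsigned i = 0; i < 4; i++) printf(" %02X", le_byte(v, i));
    printf("  BE:");
    for (unsigned i = 0; i < 4; i++) printf(" %02X", be_byte(v, i));
    printf("\n");
}

int main(void) {
    dump("slide value", SLIDE_VALUE);   /* LE: 69 AB 1D 46   BE: 46 1D AB 69 */
    dump("word", 0x6D20u);
    printf("host is %s-endian; lowest byte of 0x%08X in memory is 0x%02X\n",
           host_is_little_endian() ? "little" : "big",
           SLIDE_VALUE, host_byte_at(SLIDE_VALUE, 0));
    return 0;
}
```

On an x86 or x86_64 machine the last line reports little-endian and 0x69, matching the Intel column of the slide; the serialisation functions give the same answer on any host, which is why wire formats and file parsers should use explicit shifts like these rather than memcpy of a native integer.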

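The copy in slides 13 to 16 has no bound at all: strcpy() keeps writing until it finds the terminating NUL in the argument, which is why 84 bytes reach OLD EBP and 88 bytes reach the return address. As an added example that is not part of the deck, the program below puts the slides' vuln() next to a bounded replacement and counts how far a given argument length would spill, including the terminating NUL that the slide drawings leave out (so even "A"*80 writes one byte past buf). BUF_SIZE, bounded_len, safe_copy, vuln_fixed, overflow_bytes and run_fixed_with_fill are my own names; the vulnerable vuln() is reproduced only for contrast and is never called.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_SIZE 80   /* char buf[80] from the slides */

/* The slides' vulnerable function, reproduced for contrast. strcpy() copies
 * until it finds a NUL in argv, so an argument of 80 or more characters runs
 * past buf into the saved EBP and the return address. Not called below. */
int vuln(const char *argv) {
    char buf[BUF_SIZE];
    int a = 9;
    strcpy(buf, argv);
    return a;
}

/* Length of s, never looking further than `max` bytes (a portable stand-in
 * for strnlen, which is POSIX rather than ISO C). */
size_t bounded_len(const char *s, size_t max) {
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* Bounded copy: succeeds only if src and its terminating NUL fit in dst.
 * Returns the number of characters copied, or -1 if the input is too long,
 * so the caller gets an error instead of a corrupted stack frame. */
int safe_copy(char *dst, size_t dst_size, const char *src) {
    size_t n = bounded_len(src, dst_size);
    if (n == dst_size)          /* no room left for the terminator */
        return -1;
    memcpy(dst, src, n + 1);    /* n characters plus the NUL */
    return (int)n;
}

/* Hardened vuln(): same locals, same buffer, but the copy is bounded.
 * Returns a (still 9) on success and -1 on over-long input. */
int vuln_fixed(const char *argv) {
    char buf[BUF_SIZE];
    int a = 9;
    if (safe_copy(buf, sizeof buf, argv) < 0)
        return -1;
    return a;
}

/* Bytes that strcpy() would write past the end of a buf_size-byte buffer for
 * an argument of arg_len characters; 0 means it fits. The +1 is the NUL. */
size_t overflow_bytes(size_t buf_size, size_t arg_len) {
    size_t needed = arg_len + 1;
    return needed > buf_size ? needed - buf_size : 0;
}

/* Build an argument of n copies of c (the slides' python -c 'print "A"*n')
 * and run it through the hardened function. Returns -2 if malloc fails. */
int run_fixed_with_fill(char c, size_t n) {
    char *arg = malloc(n + 1);
    int result;
    if (arg == NULL)
        return -2;
    memset(arg, c, n);
    arg[n] = '\0';
    result = vuln_fixed(arg);
    free(arg);
    return result;
}

int main(void) {
    size_t lens[] = {79, 80, 84, 88};   /* the slides' 80/84/88 plus one that fits */
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        printf("\"A\"*%zu: strcpy would spill %zu byte(s) past buf[80]; "
               "vuln_fixed returns %d\n",
               lens[i], overflow_bytes(BUF_SIZE, lens[i]),
               run_fixed_with_fill('A', lens[i]));
    }
    return 0;
}
```

The check is deliberately "reject, don't truncate": silently cutting the input at 79 characters would keep the stack intact but hide the fact that something fed the program an over-long argument, which is exactly the event worth logging. Compiling the original with stack protection (e.g. gcc -fstack-protector) turns the 84- and 88-byte cases into an abort rather than a hijacked return, but only the bounded copy removes the defect itself.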