Introduction to

InfoSec –

Recitation 2Nir Krakowski (nirkrako at post.tau.ac.il)

Itamar Gilad (itamargi at post.tau.ac.il)

Today• More assembly tips

• Review of the stack

• Stack overflows

• Implementationo Tools

• Endian-ity is the definition of how numbers are represented in memory (or on a data bus)

• In the x86 architecture 0x11223344 would be represented in memory:o 44 33 22 11

• Intel Architecture is little endian. (we are using little)

• However the same number in Big Endian would be:o 11 22 33 44

• (we don’t see the bit reordering because our minimum working unit is a byte)

Little vs Big Endian

Registers• Common uses:

• eax – used usually for fast calculations / system call numbers /used to pass the return value

• ecx – used as a counter frequently / as self class in c++.

• ebp – used to store the stack frame pointer

• esp – used to store the stack pointer

• edi/esi – used for string/buffer manipulations

• ip – used to store the current instruction pointer –can not be accessed directly!

More on register functionality

• Most registers can be (CPU-wise) variably be used for different purposes.

• However, Some register can not be used with certain commands.

• Example:o mov eip, 0xaddress ; this command is impossible.

o loop some_label ;works only with ecx.

• EIP specifically can’t be manipulated directly at all. instead we use: jmp, call, retto manipulate it.

x86 stack manipulation• The x86 stack location is noted by ESP (EBP has no direct role).

• There are two commands to manipulate the stack:o push 0ximmediate

push reg

push [from memory]

o pop reg

• However the stack can also be manipulated directly, eg.:o mov [esp+10h], 4

o mov [ebp-15h], 0

x86 alternative instructions

• There are lots of assembly instructions with varying sizes, and they can be used alternatively to fit certain constraints.

• Compilers use alternative ways for optimization purposes:o Some opcodes take up less space in memory.

o Some code shortcuts can be made.

• Examples:o add esp,4

push eax

o Alternatively:

o mov [esp-4], eax

o mov eax, 0

o Alternatively:

o xor eax,eax

• There are also 8 bit commands to access partial registerso mov al, 5

• There are 16 bit commandso mov ax, 65535

Buffer’Os• History:

o First documented buffer overflows were thought of in 1972 COMPUTER

SECURITY TECHNOLOGY PLANNING STUDY (Page 61)

o The first buffer overflows known in the wild were Stack’Os

o Stack Overflows were widely introduced by Aleph One

• Phrack Magazine Issue 49 on November 8, 1996

o Title: Smashing the stack for fun and profit

o http://www.phrack.org/issues.html?issue=49&id=14#article

• Purpose:o Like when patching, we re-route the code to new code which adds new

functionality.

o We modify the behavior of a program without modifying the binary, and

only by controlling the input!

o Therefore we can subvert the original functionality of the code to any

purpose.

Where does it get reallyinteresting

• When the program input is from a remote connectiono Example: telnet

• When the program has higher privilegeso Example: su

Executable in Disk• This is how the program

appears on disk.

• The operating system loaderloads the file and maps itinto program memory.

• Loader maps the file tomemory according toinstructions defined in theELF file.

• Loader creates new memorysection such as the ‘Stack’.

• Loader calls the start of the program

Process Memory Abstract• /------------------\ lower

• | | memory

• | Text | addresses

• | |

• |------------------|

• | (Initialized) |

• | Data |

• | (Uninitialized) |

• |------------------|

• | |

• | Stack | higher

• | | memory

• \------------------/ addresses

Example1.c• void function(int a, int b, int c) {

• char buffer1[5];

• char buffer2[10];

• }

• void main() {

• function(1,2,3);

• }

Stack Structure• bottom of top of

• memory memory

• buffer2 buffer1 sfp ret a b c

• <------ [ ][ ][ ][ ][ ][ ][ ]

•

• top of bottom of

• stack stack

• Our purpose is to overflow from buffer2 until we reach “ret” so that we point EIP

to an arbitrary location of our choosing.

shellcode example made simple

• allocate “/bin/sh”

• call execv(“/bin/sh”, NULL);

• call exit(exit_code);

• We will use system calls (interrupt 0x80)

• Unlike call interrupt arguments are passed via the registers:o mov eax, 0xb ; execv system call

o mov ebx, [addr to “/bin/sh” ]

o mov ecx, 0 ; NULL

o Int 0x80

Allocating “/bin/sh”• Not knowing where our code is located presents a challenge, since we know its is located somewhere near EIP, but we can read EIP directly instead we use the following “trick”:

jmp end

end:

pop ebx ; Now ebx will hold the address to “/bin/sh”

call beginning

.string “/bin/sh”

shellcode example with interrupt calls

• jmp call_start # jump to the end of the code to /bin/sh

• start_shellcode: # label to jump back

• pop ebx # put point to /bin/sh in ebx

• xor eax,eax # zero eax, but dont use mov, because it include \x00

• mov al, 0xb # system call 0xb, - execve

• xor ecx, ecx # clear pointer to envp

• int 0x80 # call a system call!

• xor eax,eax # ignore return and reset to zero.

• mov al, 0x1 # call exit system call

• int 0x80

• call_start:

• call start_shellcode

• .string "/bin/sh"

Shellcode• In the exercise, shellcode will be provided for you, there is no need to compile it, simply use it “as is”.

NOP Slide• Slides EIP tobeginning ofcode.

• Avoids fromIllegal Instruction

• Protects againststack differences

CPU/EIP

NOP

Start

Shellcode

Start

Stack’o Example• Demo

Tools List• gdb – GNU Debugger

o Core dump analysis: gdb –core=core.dump

o Ollydbg – (for windows) which we will not cover in the course.

• IDAo va_to_offset.py – easy program to get offset of code in orig file.

• ghex – can be used to patch the binary :o Once we have a search string to find the binary code, we can modify it

• Other common tools for linux debugging:o ltrace – library tracing

o strace – system call tracing

o objdump – dump elf file and symbol information

o strings – can be used to view strings inside a binary.

• shellcode

GDB Quick browse• Running gdb:

o gdb ./executable

o gdb –args=“./executable [params]”

o gdb –core=[core_file_name]

• r arg1 arg2 – runs the file with the specified arguments

• si, ni – step instruction

• s, n – step

• info reg – print all registers

• dump memory filename startaddress stopaddress

• x/i address – disassemble at this address

• p (char *) 0x234234 – print at this address as if it was a c-string.

• x/bx address – print hex starting from this address

• c – continue

• b somefunction – sets a breakpoint

• The end