introduction to infosec – recitation 2 · o once we have a search string to find the binary code,...
TRANSCRIPT
![Page 1: Introduction to InfoSec – Recitation 2 · o Once we have a search string to find the binary code, we can modify it • Other common tools for linuxdebugging: o ltrace–library](https://reader030.vdocument.in/reader030/viewer/2022040505/5e3a344101219e0ef71b9a4d/html5/thumbnails/1.jpg)
Introduction to
InfoSec –
Recitation 2Nir Krakowski (nirkrako at post.tau.ac.il)
Itamar Gilad (itamargi at post.tau.ac.il)
![Page 2: Introduction to InfoSec – Recitation 2 · o Once we have a search string to find the binary code, we can modify it • Other common tools for linuxdebugging: o ltrace–library](https://reader030.vdocument.in/reader030/viewer/2022040505/5e3a344101219e0ef71b9a4d/html5/thumbnails/2.jpg)
Today• More assembly tips
• Review of the stack
• Stack overflows
• Implementationo Tools
![Page 3: Introduction to InfoSec – Recitation 2 · o Once we have a search string to find the binary code, we can modify it • Other common tools for linuxdebugging: o ltrace–library](https://reader030.vdocument.in/reader030/viewer/2022040505/5e3a344101219e0ef71b9a4d/html5/thumbnails/3.jpg)
• Endian-ity is the definition of how numbers are represented in memory (or on a data bus)
• In the x86 architecture 0x11223344 would be represented in memory:o 44 33 22 11
• Intel Architecture is little endian. (we are using little)
• However the same number in Big Endian would be:o 11 22 33 44
• (we don’t see the bit reordering because our minimum working unit is a byte)
Little vs Big Endian
![Page 4: Introduction to InfoSec – Recitation 2 · o Once we have a search string to find the binary code, we can modify it • Other common tools for linuxdebugging: o ltrace–library](https://reader030.vdocument.in/reader030/viewer/2022040505/5e3a344101219e0ef71b9a4d/html5/thumbnails/4.jpg)
Registers• Common uses:
• eax – used usually for fast calculations / system call numbers /used to pass the return value
• ecx – used as a counter frequently / as self class in c++.
• ebp – used to store the stack frame pointer
• esp – used to store the stack pointer
• edi/esi – used for string/buffer manipulations
• ip – used to store the current instruction pointer –can not be accessed directly!
![Page 5: Introduction to InfoSec – Recitation 2 · o Once we have a search string to find the binary code, we can modify it • Other common tools for linuxdebugging: o ltrace–library](https://reader030.vdocument.in/reader030/viewer/2022040505/5e3a344101219e0ef71b9a4d/html5/thumbnails/5.jpg)
More on register functionality
• Most registers can be (CPU-wise) variably be used for different purposes.
• However, Some register can not be used with certain commands.
• Example:o mov eip, 0xaddress ; this command is impossible.
o loop some_label ;works only with ecx.
• EIP specifically can’t be manipulated directly at all. instead we use: jmp, call, retto manipulate it.
![Page 6: Introduction to InfoSec – Recitation 2 · o Once we have a search string to find the binary code, we can modify it • Other common tools for linuxdebugging: o ltrace–library](https://reader030.vdocument.in/reader030/viewer/2022040505/5e3a344101219e0ef71b9a4d/html5/thumbnails/6.jpg)
x86 stack manipulation• The x86 stack location is noted by ESP (EBP has no direct role).
• There are two commands to manipulate the stack:o push 0ximmediate
push reg
push [from memory]
o pop reg
• However the stack can also be manipulated directly, eg.:o mov [esp+10h], 4
o mov [ebp-15h], 0
![Page 7: Introduction to InfoSec – Recitation 2 · o Once we have a search string to find the binary code, we can modify it • Other common tools for linuxdebugging: o ltrace–library](https://reader030.vdocument.in/reader030/viewer/2022040505/5e3a344101219e0ef71b9a4d/html5/thumbnails/7.jpg)
x86 alternative instructions
• There are lots of assembly instructions with varying sizes, and they can be used alternatively to fit certain constraints.
• Compilers use alternative ways for optimization purposes:o Some opcodes take up less space in memory.
o Some code shortcuts can be made.
• Examples:o add esp,4
push eax
o Alternatively:
o mov [esp-4], eax
o mov eax, 0
o Alternatively:
o xor eax,eax
• There are also 8 bit commands to access partial registerso mov al, 5
• There are 16 bit commandso mov ax, 65535
![Page 8: Introduction to InfoSec – Recitation 2 · o Once we have a search string to find the binary code, we can modify it • Other common tools for linuxdebugging: o ltrace–library](https://reader030.vdocument.in/reader030/viewer/2022040505/5e3a344101219e0ef71b9a4d/html5/thumbnails/8.jpg)
Buffer’Os• History:
o First documented buffer overflows were thought of in 1972 COMPUTER
SECURITY TECHNOLOGY PLANNING STUDY (Page 61)
o The first buffer overflows known in the wild were Stack’Os
o Stack Overflows were widely introduced by Aleph One
• Phrack Magazine Issue 49 on November 8, 1996
o Title: Smashing the stack for fun and profit
o http://www.phrack.org/issues.html?issue=49&id=14#article
• Purpose:o Like when patching, we re-route the code to new code which adds new
functionality.
o We modify the behavior of a program without modifying the binary, and
only by controlling the input!
o Therefore we can subvert the original functionality of the code to any
purpose.
![Page 9: Introduction to InfoSec – Recitation 2 · o Once we have a search string to find the binary code, we can modify it • Other common tools for linuxdebugging: o ltrace–library](https://reader030.vdocument.in/reader030/viewer/2022040505/5e3a344101219e0ef71b9a4d/html5/thumbnails/9.jpg)
Where does it get reallyinteresting
• When the program input is from a remote connectiono Example: telnet
• When the program has higher privilegeso Example: su
![Page 10: Introduction to InfoSec – Recitation 2 · o Once we have a search string to find the binary code, we can modify it • Other common tools for linuxdebugging: o ltrace–library](https://reader030.vdocument.in/reader030/viewer/2022040505/5e3a344101219e0ef71b9a4d/html5/thumbnails/10.jpg)
Executable in Disk• This is how the program
appears on disk.
• The operating system loaderloads the file and maps itinto program memory.
• Loader maps the file tomemory according toinstructions defined in theELF file.
• Loader creates new memorysection such as the ‘Stack’.
• Loader calls the start of the program
![Page 11: Introduction to InfoSec – Recitation 2 · o Once we have a search string to find the binary code, we can modify it • Other common tools for linuxdebugging: o ltrace–library](https://reader030.vdocument.in/reader030/viewer/2022040505/5e3a344101219e0ef71b9a4d/html5/thumbnails/11.jpg)
Process Memory Abstract• /------------------\ lower
• | | memory
• | Text | addresses
• | |
• |------------------|
• | (Initialized) |
• | Data |
• | (Uninitialized) |
• |------------------|
• | |
• | Stack | higher
• | | memory
• \------------------/ addresses
![Page 12: Introduction to InfoSec – Recitation 2 · o Once we have a search string to find the binary code, we can modify it • Other common tools for linuxdebugging: o ltrace–library](https://reader030.vdocument.in/reader030/viewer/2022040505/5e3a344101219e0ef71b9a4d/html5/thumbnails/12.jpg)
Example1.c• void function(int a, int b, int c) {
• char buffer1[5];
• char buffer2[10];
• }
• void main() {
• function(1,2,3);
• }
![Page 13: Introduction to InfoSec – Recitation 2 · o Once we have a search string to find the binary code, we can modify it • Other common tools for linuxdebugging: o ltrace–library](https://reader030.vdocument.in/reader030/viewer/2022040505/5e3a344101219e0ef71b9a4d/html5/thumbnails/13.jpg)
Stack Structure• bottom of top of
• memory memory
• buffer2 buffer1 sfp ret a b c
• <------ [ ][ ][ ][ ][ ][ ][ ]
•
• top of bottom of
• stack stack
• Our purpose is to overflow from buffer2 until we reach “ret” so that we point EIP
to an arbitrary location of our choosing.
![Page 14: Introduction to InfoSec – Recitation 2 · o Once we have a search string to find the binary code, we can modify it • Other common tools for linuxdebugging: o ltrace–library](https://reader030.vdocument.in/reader030/viewer/2022040505/5e3a344101219e0ef71b9a4d/html5/thumbnails/14.jpg)
shellcode example made simple
• allocate “/bin/sh”
• call execv(“/bin/sh”, NULL);
• call exit(exit_code);
• We will use system calls (interrupt 0x80)
• Unlike call interrupt arguments are passed via the registers:o mov eax, 0xb ; execv system call
o mov ebx, [addr to “/bin/sh” ]
o mov ecx, 0 ; NULL
o Int 0x80
![Page 15: Introduction to InfoSec – Recitation 2 · o Once we have a search string to find the binary code, we can modify it • Other common tools for linuxdebugging: o ltrace–library](https://reader030.vdocument.in/reader030/viewer/2022040505/5e3a344101219e0ef71b9a4d/html5/thumbnails/15.jpg)
Allocating “/bin/sh”• Not knowing where our code is located presents a challenge, since we know its is located somewhere near EIP, but we can read EIP directly instead we use the following “trick”:
jmp end
end:
pop ebx ; Now ebx will hold the address to “/bin/sh”
call beginning
.string “/bin/sh”
![Page 16: Introduction to InfoSec – Recitation 2 · o Once we have a search string to find the binary code, we can modify it • Other common tools for linuxdebugging: o ltrace–library](https://reader030.vdocument.in/reader030/viewer/2022040505/5e3a344101219e0ef71b9a4d/html5/thumbnails/16.jpg)
shellcode example with interrupt calls
• jmp call_start # jump to the end of the code to /bin/sh
• start_shellcode: # label to jump back
• pop ebx # put point to /bin/sh in ebx
• xor eax,eax # zero eax, but dont use mov, because it include \x00
• mov al, 0xb # system call 0xb, - execve
• xor ecx, ecx # clear pointer to envp
• int 0x80 # call a system call!
• xor eax,eax # ignore return and reset to zero.
• mov al, 0x1 # call exit system call
• int 0x80
• call_start:
• call start_shellcode
• .string "/bin/sh"
![Page 17: Introduction to InfoSec – Recitation 2 · o Once we have a search string to find the binary code, we can modify it • Other common tools for linuxdebugging: o ltrace–library](https://reader030.vdocument.in/reader030/viewer/2022040505/5e3a344101219e0ef71b9a4d/html5/thumbnails/17.jpg)
Shellcode• In the exercise, shellcode will be provided for you, there is no need to compile it, simply use it “as is”.
![Page 18: Introduction to InfoSec – Recitation 2 · o Once we have a search string to find the binary code, we can modify it • Other common tools for linuxdebugging: o ltrace–library](https://reader030.vdocument.in/reader030/viewer/2022040505/5e3a344101219e0ef71b9a4d/html5/thumbnails/18.jpg)
NOP Slide• Slides EIP tobeginning ofcode.
• Avoids fromIllegal Instruction
• Protects againststack differences
CPU/EIP
NOP
Start
Shellcode
Start
![Page 19: Introduction to InfoSec – Recitation 2 · o Once we have a search string to find the binary code, we can modify it • Other common tools for linuxdebugging: o ltrace–library](https://reader030.vdocument.in/reader030/viewer/2022040505/5e3a344101219e0ef71b9a4d/html5/thumbnails/19.jpg)
Stack’o Example• Demo
![Page 20: Introduction to InfoSec – Recitation 2 · o Once we have a search string to find the binary code, we can modify it • Other common tools for linuxdebugging: o ltrace–library](https://reader030.vdocument.in/reader030/viewer/2022040505/5e3a344101219e0ef71b9a4d/html5/thumbnails/20.jpg)
Tools List• gdb – GNU Debugger
o Core dump analysis: gdb –core=core.dump
o Ollydbg – (for windows) which we will not cover in the course.
• IDAo va_to_offset.py – easy program to get offset of code in orig file.
• ghex – can be used to patch the binary :o Once we have a search string to find the binary code, we can modify it
• Other common tools for linux debugging:o ltrace – library tracing
o strace – system call tracing
o objdump – dump elf file and symbol information
o strings – can be used to view strings inside a binary.
• shellcode
![Page 21: Introduction to InfoSec – Recitation 2 · o Once we have a search string to find the binary code, we can modify it • Other common tools for linuxdebugging: o ltrace–library](https://reader030.vdocument.in/reader030/viewer/2022040505/5e3a344101219e0ef71b9a4d/html5/thumbnails/21.jpg)
GDB Quick browse• Running gdb:
o gdb ./executable
o gdb –args=“./executable [params]”
o gdb –core=[core_file_name]
• r arg1 arg2 – runs the file with the specified arguments
• si, ni – step instruction
• s, n – step
• info reg – print all registers
• dump memory filename startaddress stopaddress
• x/i address – disassemble at this address
• p (char *) 0x234234 – print at this address as if it was a c-string.
• x/bx address – print hex starting from this address
• c – continue
• b somefunction – sets a breakpoint
![Page 22: Introduction to InfoSec – Recitation 2 · o Once we have a search string to find the binary code, we can modify it • Other common tools for linuxdebugging: o ltrace–library](https://reader030.vdocument.in/reader030/viewer/2022040505/5e3a344101219e0ef71b9a4d/html5/thumbnails/22.jpg)
• The end