introduction to infosec – recitation 2
DESCRIPTION
Introduction to InfoSec – Recitation 2. Nir Krakowski ( nirkrako at post.tau.ac.il) Itamar Gilad ( itamargi at post.tau.ac.il). Today. More assembly tips Review of the stack Stack overflows Implementation Tools. Little vs Big Endian. - PowerPoint PPT PresentationTRANSCRIPT
![Page 1: Introduction to InfoSec – Recitation 2](https://reader036.vdocument.in/reader036/viewer/2022081421/5681676c550346895ddc54b8/html5/thumbnails/1.jpg)
Introduction to InfoSec – Recitation 2Nir Krakowski (nirkrako at post.tau.ac.il)Itamar Gilad (itamargi at post.tau.ac.il)
![Page 2: Introduction to InfoSec – Recitation 2](https://reader036.vdocument.in/reader036/viewer/2022081421/5681676c550346895ddc54b8/html5/thumbnails/2.jpg)
Today• More assembly tips• Review of the stack• Stack overflows• Implementation
o Tools
![Page 3: Introduction to InfoSec – Recitation 2](https://reader036.vdocument.in/reader036/viewer/2022081421/5681676c550346895ddc54b8/html5/thumbnails/3.jpg)
• Endian-ity is the definition of how numbers are represented in memory (or on a data bus)
• In the x86 architecture 0x11223344 would be represented in memory:o 44 33 22 11
• Intel Architecture is little endian. (we are using little)
• However the same number in Big Endian would be:o 11 22 33 44
• (we don’t see the bit reordering because our minimum working unit is a byte)
Little vs Big Endian
![Page 4: Introduction to InfoSec – Recitation 2](https://reader036.vdocument.in/reader036/viewer/2022081421/5681676c550346895ddc54b8/html5/thumbnails/4.jpg)
Registers• Common uses:• eax – used usually for fast calculations / system
call numbers /used to pass the return value or self class in c++.
• ecx – used as a counter frequently.• ebp – used to store the stack frame pointer• esp – used to store the stack pointer• edi/esi – used for string/buffer manipulations• ip – used to store the current instruction pointer –
can not be accessed directly!
![Page 5: Introduction to InfoSec – Recitation 2](https://reader036.vdocument.in/reader036/viewer/2022081421/5681676c550346895ddc54b8/html5/thumbnails/5.jpg)
More on register functionality
• Most registers can be (CPU-wise) variably be used for different purposes.
• However, Some register can not be used with certain commands.
• Example:o mov eip, 0xaddress ; this command is impossible.o loop some_label ;works only with ecx.
• EIP specifically can’t be manipulated directly at all. instead we use: jmp, call, retto manipulate it.
![Page 6: Introduction to InfoSec – Recitation 2](https://reader036.vdocument.in/reader036/viewer/2022081421/5681676c550346895ddc54b8/html5/thumbnails/6.jpg)
x86 stack manipulation
• The x86 stack location is noted by ESP (EBP has no direct role).
• There are two commands to manipulate the stack:o push 0ximmediate
push regpush [from memory]
o pop reg• However the stack can also be manipulated
directly, eg.:o mov [esp+10h], 4o mov [ebp-15h], 0
![Page 7: Introduction to InfoSec – Recitation 2](https://reader036.vdocument.in/reader036/viewer/2022081421/5681676c550346895ddc54b8/html5/thumbnails/7.jpg)
x86 alternative instructions
• There are lots of assembly instructions with varying sizes, and they can be used alternatively to fit certain constraints.
• Compilers use alternative ways for optimization purposes:o Some opcodes take up less space in memory.o Some code shortcuts can be made.
• Examples:o add esp,4
push eaxo Alternatively:o mov [esp-4], eax
o mov eax, 0o Alternatively:o xor eax,eax
• There are also 8 bit commands to access partial registerso mov al, 5
• There are 16 bit commandso mov ax, 65535
![Page 8: Introduction to InfoSec – Recitation 2](https://reader036.vdocument.in/reader036/viewer/2022081421/5681676c550346895ddc54b8/html5/thumbnails/8.jpg)
Buffer’Os• History:
o First documented buffer overflows were thought of in 1972 COMPUTER SECURITY TECHNOLOGY PLANNING STUDY (Page 61)
o The first buffer overflows known in the wild were Stack’Oso Stack Overflows were widely introduced by Aleph One
• Phrack Magazine Issue 49 on November 8, 1996o Title: Smashing the stack for fun and profito http://www.phrack.org/issues.html?issue=49&id=14#article
• Purpose:o Like when patching, we re-route the code to new code which adds new
functionality.o We modify the behavior of a program without modifying the binary,
and only by controlling the input!o Therefore we can subvert the original functionality of the code to any
purpose.
![Page 9: Introduction to InfoSec – Recitation 2](https://reader036.vdocument.in/reader036/viewer/2022081421/5681676c550346895ddc54b8/html5/thumbnails/9.jpg)
Where does it get really
interesting• When the program input is from a remote
connectiono Example: telnet
• When the program has higher privilegeso Example: su
![Page 10: Introduction to InfoSec – Recitation 2](https://reader036.vdocument.in/reader036/viewer/2022081421/5681676c550346895ddc54b8/html5/thumbnails/10.jpg)
Executable in Disk• This is how the program
appears on disk.• The operating system loader
loads the file and maps itinto program memory.
• Loader maps the file tomemory according toinstructions defined in theELF file.
• Loader creates new memorysection such as the ‘Stack’.
• Loader calls the start of the program
![Page 11: Introduction to InfoSec – Recitation 2](https://reader036.vdocument.in/reader036/viewer/2022081421/5681676c550346895ddc54b8/html5/thumbnails/11.jpg)
Process Memory Abstract
• /------------------\ lower• | | memory• | Text | addresses• | |• |------------------|• | (Initialized) |• | Data |• | (Uninitialized) |• |------------------|• | |• | Stack | higher• | | memory• \------------------/ addresses
![Page 12: Introduction to InfoSec – Recitation 2](https://reader036.vdocument.in/reader036/viewer/2022081421/5681676c550346895ddc54b8/html5/thumbnails/12.jpg)
Example1.c• void function(int a, int b, int c) {• char buffer1[5];• char buffer2[10];• }
• void main() {• function(1,2,3);• }
![Page 13: Introduction to InfoSec – Recitation 2](https://reader036.vdocument.in/reader036/viewer/2022081421/5681676c550346895ddc54b8/html5/thumbnails/13.jpg)
Stack Structure• bottom of top of• memory memory• buffer2 buffer1 sfp ret a b c• <------ [ ][ ][ ][ ][ ][ ][ ]• • top of bottom of• stack stack
• Our purpose is to overflow from buffer2 until we reach “ret” so that we point EIP to an arbitrary location of our choosing.
![Page 14: Introduction to InfoSec – Recitation 2](https://reader036.vdocument.in/reader036/viewer/2022081421/5681676c550346895ddc54b8/html5/thumbnails/14.jpg)
shellcode example made simple
• allocate “/bin/sh”• call execv(“/bin/sh”, NULL);• call exit(exit_code);
• We will use system calls (interrupt 0x80)• Unlike call interrupt arguments are passed via the
registers:o mov eax, 0xb ; execv system call o mov ebx, [addr to “/bin/sh” ]o mov ecx, 0 ; NULLo Int 0x80
![Page 15: Introduction to InfoSec – Recitation 2](https://reader036.vdocument.in/reader036/viewer/2022081421/5681676c550346895ddc54b8/html5/thumbnails/15.jpg)
Allocating “/bin/sh”• Not knowing where our code is located presents a
challenge, since we know its is located somewhere near EIP, but we can read EIP directly instead we use the following “trick”:
jmp endend:pop ebx ; Now ebx will hold the address to “/bin/sh”call beginning.string “/bin/sh”
![Page 16: Introduction to InfoSec – Recitation 2](https://reader036.vdocument.in/reader036/viewer/2022081421/5681676c550346895ddc54b8/html5/thumbnails/16.jpg)
shellcode example with interrupt calls
• jmp call_start # jump to the end of the code to /bin/sh• start_shellcode: # label to jump back• pop ebx # put point to /bin/sh in ebx• xor eax,eax # zero eax, but dont use mov, because it include \x00• mov al, 0xb # system call 0xb, - execve• xor ecx, ecx # clear pointer to envp• int 0x80 # call a system call!• xor eax,eax # ignore return and reset to zero.• mov al, 0x1 # call exit system call• int 0x80• call_start:• call start_shellcode• .string "/bin/sh"
![Page 17: Introduction to InfoSec – Recitation 2](https://reader036.vdocument.in/reader036/viewer/2022081421/5681676c550346895ddc54b8/html5/thumbnails/17.jpg)
Shellcode• In the exercise, shellcode will be provided for you,
there is no need to compile it, simply use it “as is”.
![Page 18: Introduction to InfoSec – Recitation 2](https://reader036.vdocument.in/reader036/viewer/2022081421/5681676c550346895ddc54b8/html5/thumbnails/18.jpg)
NOP Slide• Slides EIP to
beginning ofcode.
• Avoids fromIllegal Instruction
• Protects againststack differences
CPU/EIP
NOP Start
Shellcode Start
![Page 19: Introduction to InfoSec – Recitation 2](https://reader036.vdocument.in/reader036/viewer/2022081421/5681676c550346895ddc54b8/html5/thumbnails/19.jpg)
Stack’o Example• Demo
![Page 20: Introduction to InfoSec – Recitation 2](https://reader036.vdocument.in/reader036/viewer/2022081421/5681676c550346895ddc54b8/html5/thumbnails/20.jpg)
Tools List• gdb – GNU Debugger
o Core dump analysis: gdb –core=core.dumpo Ollydbg – (for windows) which we will not cover in the course.
• IDAo va_to_offset.py – easy program to get offset of code in orig file.
• ghex – can be used to patch the binary :o Once we have a search string to find the binary code, we can modify it
• Other common tools for linux debugging:o ltrace – library tracingo strace – system call tracingo objdump – dump elf file and symbol informationo strings – can be used to view strings inside a binary.
• shellcode
![Page 21: Introduction to InfoSec – Recitation 2](https://reader036.vdocument.in/reader036/viewer/2022081421/5681676c550346895ddc54b8/html5/thumbnails/21.jpg)
GDB Quick browse• Running gdb:
o gdb ./executableo gdb –args=“./executable [params]”o gdb –core=[core_file_name]
• r arg1 arg2 – runs the file with the specified arguments• si, ni – step instruction• s, n – step• info reg – print all registers• dump memory filename startaddress stopaddress• x/i address – disassemble at this address• p (char *) 0x234234 – print at this address as if it was a c-string.• x/bx address – print hex starting from this address• c – continue• b somefunction – sets a breakpoint
![Page 22: Introduction to InfoSec – Recitation 2](https://reader036.vdocument.in/reader036/viewer/2022081421/5681676c550346895ddc54b8/html5/thumbnails/22.jpg)
• The end