lec02 x86 64 shellcode tools
play

Lec02: x86_64 / Shellcode / Tools Taesoo Kim 2 Administrivia - PowerPoint PPT Presentation

Oct 04, 2023 •123 likes •394 views

1 Lec02: x86_64 / Shellcode / Tools Taesoo Kim 2 Administrivia Survey: how many hours did you spend? (<3h, 6h, 10h, >20h) Please join Piazza An optional recitation at 5-7pm on every Wed (in CoC 052 ) Lab02 is already

  1. 1 Lec02: x86_64 / Shellcode / Tools Taesoo Kim

  2. 2 Administrivia • Survey: how many hours did you spend? (<3h, 6h, 10h, >20h) • Please join Piazza • An optional recitation at 5-7pm on every Wed (in CoC 052 ) • Lab02 is already out! (8pm every Thursday) • Due : Sept 6th at midnight

  3. 3 About Write-up 1) Write-up: In this problem, ebp and ret value are protected by gsstack. while debugging, you can see all ebp and ret values are keep tracking and storing somewhere. However, when you make an input large enough, you will see that a function pointer will be overwritten. And the overwritten value will be store in EAX and make it jump at <main+96>. I put my shellcode as env, get the address, and put it. In my case, the function pointer(0x08048b0a at 0xbffff654) was overwritten. So we could learn, we could jump using the weakpoint even though the stackshiled is working on. 2) Exploit: $(python -c 'print "\x90"*108+"\x90"*44+"\x87\xf8\xff\xbf"+"\x90"*50')

  4. 4 Scoreboard

  5. 5 Best Write-ups for Lab01 • bomblab1_01: nhicks6, burak • bomblab1_02: nhicks6, gkamuzora3 • bomblab1_03: seulbae, riya • bomblab1_04: nhicks6, riya • bomblab1_05: ibtehaj, easdar • bomblab1_06: seulbae, riya • bomblab1_07: mlanden, gkamuzora3 • bomblab1_08: nhicks6, gkamuzora3 • bomblab1_09: burak, seulbae • bomblab1_10: nhicks6, fsang

  6. 6 Bomb Stats • Bombs exploded ?? times in total? • in ?? phases? • ?? people exploded at least once?

  7. 7 Bomb Stats • Bombs exploded 68 times in total (68 x -5 = -340 pts) • in 9 phases! • 15 people exploded at least once! (so how many alive?) • Each lab: 39/39/39/39/39/38/38/37/36/32/36 people • Each lab: 00/26/14/04/08/01/04/01/04/01/05 times

  8. 8 Discussion 0 1. How does the bomb notify the explosion to the server?

  9. 9 Discussion 1 1. How did you prevent bombs from explosion?

  10. 10 Discussion 2 1. What made your bombs exploded?

  11. 11 Discussion 2 1. What was the most difficult/annoying phase?

  12. 12 Discussion 3 1. How did you find ‘secret_phrase’?

  13. 13 Discussion 4 1. Any tricky assembly?

  14. 14 ASMs that you read in Lab1 • function calls (phase_funcall) • switch: jump table (phase_jump) • for/while loops (phase_quick) • recursion (phase_binary) • data structure: array/list/tree • etc

  15. 15 ASM Show Case 1: funcall push 0x804b96b ; -> "scissors" push 0x804b974 ; -> "paper" push 0x804b97a ; -> "rock" push DWORD PTR [ebp+0x8] ; -> ???? call 8049d0b <func_game>

  16. 16 ASM Show Case 2: switch (jump table) cmp eax,0x7 ; ??? ja 0x8049e09 <phase_jump+147> ------+ ; ??? mov eax,DWORD PTR [eax*4+0x804b948] | ; ??? ** jmp eax | | <+75>: mov DWORD PTR [ebp-0xc],0x25b | jmp 0x8049e0e <phase_jump+152> | <+84>: mov DWORD PTR [ebp-0xc],0x232 | jmp 0x8049e0e <phase_jump+152> | ... | <+147>: call 0x8049a3f <explode_bomb> <-----+ mov eax,DWORD PTR [ebp-0x18]

  17. 17 ASM Show Case 2: switch (jump table) > telescope 0x804b948 00│ 0x804b948→ phase_jump+75 ←mov dword ptr [ebp - 0xc], 0x25b 04│ 0x804b94c→ phase_jump+84 ←mov dword ptr [ebp - 0xc], 0x232 08│ 0x804b950→ phase_jump+93 ←mov dword ptr [ebp - 0xc], 0x282 0c│ 0x804b954→ phase_jump+102 ←mov dword ptr [ebp - 0xc], 0x16c 10│ 0x804b958→ phase_jump+111 ←mov dword ptr [ebp - 0xc], 0x2af ...

  18. 18 ASM Show Case 2: switch (jump table) switch(index) { case 0: ... case 1: ... case 7: ... default ... }

  19. 19 ASM Show Case 3: for/while loops mov DWORD PTR [ebp-0x18],eax ; p mov DWORD PTR [ebp-0xc],0x0 ; i = 0 jmp 0x8049f7c <phase_array+92> ----+ ; | <+69>: add DWORD PTR [ebp-0xc],0x1 <----|--+ ; i ++ mov eax,DWORD PTR [ebp-0x18] | | ; mov eax,DWORD PTR [eax*4+0x804e5a0]| | ; p = ((int *)0x804e5a0)[p mov DWORD PTR [ebp-0x18],eax | | mov eax,DWORD PTR [ebp-0x18] | | ... | | <+92>: mov eax,DWORD PTR [ebp-0x18] <--+ | ; p cmp eax,0xf | ; jne 0x8049f65 <phase_array+69> -------+ ; while (p != 15)

  20. 20 Lab02: Bomb Lab2 / Shellcode • Another Bomblab (be extra careful this time)! • Writing five different shellcodes • x86, x86_64, both!, ascii, minimal size (competition) • Bonus : the smallest shellcode gets extra 10 pts !

  21. 21 Today’s Tutorial • x86 shellcode overview • In-class tutorial • pwndbg (modernizing gdb for reverse engineering) • IDA (interactive disassembler) • Walk over x86 shellcode (+ excercise!) and various tools

  22. 22 DEMO: pwndbg commands • vmmap • procinfo/elfheader • telescope/hexdump • context/stack/regs • nearpc • pdisass • search

  23. 23 shellcode (in C) #include <stdio.h> #include <unistd.h> int main() { char *sh = "/bin/sh"; char *argv[] = {sh, NULL}; char *envp[] = {NULL}; execve(sh, argv, envp); return 0; }

  24. 24 DEMO: shellcode.S • explain: asm, structure • man syscall (about convention) • execve() • debugging shellcode/target • tutorial: /bin/sh to /bin/cat /proc/flag

  25. 25 In-class Tutorial • Step 1: Install pwdbg/IDA • Step 2: Play with shellcode! $ ssh lab02@cyclonus.gtisc.gatech.edu -p 9002 or $ ssh lab02@computron.gtisc.gatech.edu -p 9002 Password: lab02 $ cd tut02-shellcode $ cat README

  26. 26 References • Assembly • x86 • x86_64 • pwndbg

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Lec02: x86_64 / Shellcode / Tools Taesoo Kim 2 Scoreboard 3 Administrivia Survey: how

Lec02: x86_64 / Shellcode / Tools Taesoo Kim 2 Scoreboard 3 Administrivia Survey: how

1 Lec02: x86_64 / Shellcode / Tools Taesoo Kim 2 Scoreboard 3 Administrivia Survey: how many hours did you spend? (&lt;3h, 6h, 10h, &gt;20h) Join Piazza An optional recitation at 5-6pm on every Wed (in Klaus 1447) Lab02

794 views • 25 slides
Shellcode Shellcode A set of instructions injected and

Shellcode Shellcode A set of instructions injected and

Shellcode Shellcode A set of instructions injected and executed by exploited software Also called a payload Denoted as shellcode because

606 views • 49 slides
Go to http://workshop.DidierStevens.com Unzip shellcode-workshop.zip to C:\ Password is workshop

Go to http://workshop.DidierStevens.com Unzip shellcode-workshop.zip to C:\ Password is workshop

White Hat Shellcode Workshop Didier Stevens Go to http://workshop.DidierStevens.com Unzip shellcode-workshop.zip to C:\ Password is workshop . First example: loading/unloading a DLL Start calc.exe Start procexp.exe (Process Explorer) and

471 views • 23 slides
ShellNoob Because writing shellcode is fun, but sometimes painful Black Hat USA Yanick

ShellNoob Because writing shellcode is fun, but sometimes painful Black Hat USA Yanick

ShellNoob Because writing shellcode is fun, but sometimes painful Black Hat USA Yanick Fratantonio Arsenal 2013 UC Santa Barbara Who am I? PhD Student at UC Santa Barbara I play with the ShellPhish team What I do I like

506 views • 31 slides
Network-level Polymorphic Shellcode Detection using Emulation Michalis Polychronakis, Kostas

Network-level Polymorphic Shellcode Detection using Emulation Michalis Polychronakis, Kostas

Network-level Polymorphic Shellcode Detection using Emulation Michalis Polychronakis, Kostas Anagnostakis, and Evangelos Markatos Institute of Computer Science Foundation for Research and Technology Hellas Crete, Greece DIMVA06 - 13

771 views • 54 slides
Waiter, theres a compiler in my shellcode! Not so loud, or everybody will want one! Josh

Waiter, theres a compiler in my shellcode! Not so loud, or everybody will want one! Josh

Waiter, theres a compiler in my shellcode! Not so loud, or everybody will want one! Josh Stone NolaCon, 2019 Waiter by Adrien Coquet from the Noun Project Introduction: Josh Stone 30 years programmer 19 years infosec 15 years married

742 views • 49 slides
Teaching Old Shellcode New Tricks REcon Brussels 2017 @midnite_runr Cest Moi US Marine

Teaching Old Shellcode New Tricks REcon Brussels 2017 @midnite_runr Cest Moi US Marine

Teaching Old Shellcode New Tricks REcon Brussels 2017 @midnite_runr Cest Moi US Marine (out in 2001) Wrote BDF/BDFProxy Co-Authored Ebowla Found OnionDuke Work @ Okta Twitter: @midnite_runr Why This Talk Its

1.36k views • 105 slides
Outline Threat modeling, contd Shellcode techniques CSci 4271W Development of Secure

Outline Threat modeling, contd Shellcode techniques CSci 4271W Development of Secure

Outline Threat modeling, contd Shellcode techniques CSci 4271W Development of Secure Software Systems Binary-level GDB commands and demo Day 5: Memory safety attacks In-person lab logistics reminders Stephen McCamant Project 1 bcimgview

1.17k views • 6 slides
ss 4 Cl Class CSC 472/583 Software Security System Call, Shellcode Dr. Si Chen

ss 4 Cl Class CSC 472/583 Software Security System Call, Shellcode Dr. Si Chen

ss 4 Cl Class CSC 472/583 Software Security System Call, Shellcode Dr. Si Chen (schen@wcupa.edu) System Call Page 2 System Call User code can be arbitrary User code cannot modify kernel memory The call mechanism switches code to

840 views • 17 slides
Tools Google, et. al. Also, Ive tended to focus on Windows-based tools (with some mention

Tools Google, et. al. Also, Ive tended to focus on Windows-based tools (with some mention

Tools Here is a list of potentially useful tools and utilities with Computer Security which to fight the onslaught of viruses, worms, Trojan horses, and other malware. Dont consider it in any way a complete list! There are lots of

1.16k views • 9 slides
Understanding applications with Paraver tools@bsc.es 2018 Our Tools Since 1991 Based

Understanding applications with Paraver tools@bsc.es 2018 Our Tools Since 1991 Based

Understanding applications with Paraver tools@bsc.es 2018 Our Tools Since 1991 Based on traces Open Source http://tools.bsc.es Core tools: Paraver (paramedir) offline trace analysis Dimemas message passing

707 views • 42 slides
Sustainability Rating Tools for Existing Neighborhoods Rating tools overview 3 tools -

Sustainability Rating Tools for Existing Neighborhoods Rating tools overview 3 tools -

S ustainability R ating T ools for Existing Neighborhoods March 11, 2015 Eliot Allen, LEED AP-ND , TransformativeTools .org Sustainability Rating Tools for Existing Neighborhoods Rating tools overview 3 tools - Living Community Challenge

700 views • 30 slides
Tools integrate Tools work together Tools work together Models Specs Code Traces Profiles

Tools integrate Tools work together Tools work together Models Specs Code Traces Profiles

Programming Environments The Future of Programming Environments Past of Andreas Zeller programming environments Saarland University A Tool Set Tools evolve Tools integrate Tools work together Tools work together Models Specs Code

517 views • 19 slides
Tools git: Theory git: Use Git and (other) Tools for Cooperation git: Tools Project

Tools git: Theory git: Use Git and (other) Tools for Cooperation git: Tools Project

Tools git: Theory git: Use Git and (other) Tools for Cooperation git: Tools Project References Jrg Cassens, Rebekah Wegener, Jens Rademacher, Bastian Stender SoSe 2019 Lab Course Media Informatics SoSe 2019 Jrg Cassens, Rebekah

1.06k views • 89 slides
Tools for investigating THDM models Henning Bahl 14.11.2019, Hamburg Intro Tools Conclusions

Tools for investigating THDM models Henning Bahl 14.11.2019, Hamburg Intro Tools Conclusions

Tools for investigating THDM models Henning Bahl 14.11.2019, Hamburg Intro Tools Conclusions Using tools in HEP Advantages of using tools: Using tools saves you time, avoids redoing stuff, avoids careless mistakes. Typical

672 views • 12 slides
a single gadget weird machine Framing Signals a return to portable shellcode Erik Bosman and

a single gadget weird machine Framing Signals a return to portable shellcode Erik Bosman and

a single gadget weird machine Framing Signals a return to portable shellcode Erik Bosman and Herbert Bos stack buffer overflow stack return addr buffer sp 1 stack buffer overflow stack return addr buffer sp 1 stack buffer overflow

1.65k views • 89 slides
V I S U A L I Z A T I O N F O R I T - S E C U R I T Y L . A a r o n K a p l a n (

V I S U A L I Z A T I O N F O R I T - S E C U R I T Y L . A a r o n K a p l a n (

V I S U A L I Z A T I O N F O R I T - S E C U R I T Y L . A a r o n K a p l a n ( k a p l a n @ c e r t . a t ) h t t p : / / C E R T . A T OVERVIEW Motivation Target Group 5 Minutes of design background for techies

855 views • 66 slides
Water tershed ed p plan anning from a g from a water ut er utili ility ty per perspecti

Water tershed ed p plan anning from a g from a water ut er utili ility ty per perspecti

Water tershed ed p plan anning from a g from a water ut er utili ility ty per perspecti ective Jo John hn Kounts Water Program Director Washington Public Utility Districts Association Wh Why ut utili iliti ties need eed water

644 views • 8 slides
International developments in public/private financial information- sharing partnerships

International developments in public/private financial information- sharing partnerships

KEYNOTE ADDRESS: International developments in public/private financial information- sharing partnerships Southern Africa Anti-Money Laundering &amp; Financial Crime Conference 23 &amp; 24 October 2019 at the Indaba Hotel, Johannesburg Nick

453 views • 23 slides
for Security and Services Antonio Rizzo, Alessandro Rossi, Francesco Montefoschi, Giovanni

for Security and Services Antonio Rizzo, Alessandro Rossi, Francesco Montefoschi, Giovanni

CyberPhysical systems for Security and Services Antonio Rizzo, Alessandro Rossi, Francesco Montefoschi, Giovanni Burresi Carlo Festucci, Maurizio Caporali Siena, 14 Sett 2018 Case of study: ATM-Sense TREND Rapine vs Attacchi ATM - Fonte

275 views • 27 slides
Probabilistic Computation Lecture 15 Computing with Less Randomness, or with Imperfect

Probabilistic Computation Lecture 15 Computing with Less Randomness, or with Imperfect

Probabilistic Computation Lecture 15 Computing with Less Randomness, or with Imperfect Randomness 1 Soundness Amplification for BPP 2 Soundness Amplification for BPP Repeat M(x) t times and take majority 2 Soundness Amplification for

1.78k views • 125 slides
Logistics Project IOStreams III Part 2 (water) due Sunday, Oct 16 th Feedback by

Logistics Project IOStreams III Part 2 (water) due Sunday, Oct 16 th Feedback by

Logistics Project IOStreams III Part 2 (water) due Sunday, Oct 16 th Feedback by Monday Part 3 (block) due Sunday, Oct 30 Inserters and Extractors, Questions? Manipulators, and friends Exam Exam 2 Exam 2 What

368 views • 8 slides
Disclosures High Bleeding Risk Patient with AF Research support VA, NIH, AHA, Janssen,

Disclosures High Bleeding Risk Patient with AF Research support VA, NIH, AHA, Janssen,

12/3/17 Treatment of the Low Stroke Risk or Disclosures High Bleeding Risk Patient with AF Research support VA, NIH, AHA, Janssen, Medtronic, iRhythm, Cardiva, MINTU TURAKHIA, MD MAS AstraZeneca, Boehringer Ingelheim Associate Professor

298 views • 15 slides
Privacy Aspects of Social Graphs Joseph Bonneau Stanford Security Seminar, July 14 2009

Privacy Aspects of Social Graphs Joseph Bonneau Stanford Security Seminar, July 14 2009

Privacy Aspects of Social Graphs Joseph Bonneau Stanford Security Seminar, July 14 2009 University of Cambridge Computer Laboratory Social Context And The Web Everything's Better With Friends... Hyper-presence of friends

1.02k views • 89 slides

More recommend