lec04 writing exploits
play

Lec04: Writing Exploits Taesoo Kim 2 Scoreboard 3 Administrivia - PowerPoint PPT Presentation

Dec 21, 2023 •519 likes •698 views

1 Lec04: Writing Exploits Taesoo Kim 2 Scoreboard 3 Administrivia Join Piazza! An optional recitation on every Wed 5:00-6:00pm (in Klaus 1447) 6:00-6:30pm ( in Klaus 3126 ) Due: Lab03 (stack overflow) on Sept 22

  1. 1 Lec04: Writing Exploits Taesoo Kim

  2. 2 Scoreboard

  3. 3 Administrivia • Join Piazza! • An optional recitation on every Wed • 5:00-6:00pm (in Klaus 1447) • 6:00-6:30pm ( in Klaus 3126 ) • Due: Lab03 (stack overflow) on Sept 22 at midnight • NSA Codebreaker Challenge → New due: Oct 13

  4. 4 Course Grading (Expectation for A/B) 1. Game: • 40% → A • 30-40% → B 2. Self competition as well: • 8 on average → A • 6 on average → B 3. Currently, ~10 (Lab1), ~9.5 (Lab2), so all A! 4. Please don't give up! Here we are to help you succeed!

  5. 5 Survival Guide for CS6260 1. Work as a group/team (find the best one around you!) • NOT each member tackles different problems • All members tackle the same problem (and discuss) 2. Ask questions wisely • Explain your assumption first • Explain your problem second 3. Take advantage of four TAs standing next you to help! • World-class (literally) hackers give a private tutoring for you! • But, remember! only when you ask ..

  6. 6 NSA Codebreaker Challenges

  7. 7 NSA Codebreaker Challenges Tasks • Task 1: Compute a hash and identify IED network ports • Task 2: Refine IED network traffic signature • Task 3: Decrypt IED key file • Task 4: Disarm an IED with the key • Task 5: Disarm any IED without a key • Task 6: Permanently disable any IED

  8. 8 Lab04: Stack overflow!

  9. 9 Lab04: Stack overflow! • It's time to write real exploits (i.e., control hijacking) • TONS of interesting challenges! • e.g., lack-of-four, frobnicated, upside-down ..

  10. 10 Today's Tutorial • Example: exploit crackme0x00 to get a flag! • Explore a template exploit code • In-class tutorial • IDA (how many people are using?) • Extending the exploit template

  11. 11 Reminder: crackme0x00 $ objdump -d crackme0x00 ... 8048414: 55 push %ebp 8048415: 89 e5 mov %esp,%ebp 8048417: 83 ec 28 sub $0x28,%esp +--- ebp top v [ ][fp][ra] |<--- 0x28 ------->|

  12. 12 Reminder: crackme0x00 $ objdump -d crackme0x00 ... 8048448: 8d 45 e8 lea -0x18(%ebp),%eax 804844b: 89 44 24 04 mov %eax,0x4(%esp) 804844f: c7 04 24 8c 85 04 08 movl $0x804858c,(%esp) 8048456: e8 d5 fe ff ff call 8048330 <scanf@plt> |<-- 0x18-->|+--- ebp top v [ [~~~~> ] ][fp][ra] |<---- 0x28 ------->|

  13. 13 Reminder: crackme0x00 |<-- 0x18-->|+--- ebp top v [ [~~~~> ] ][fp][ra] |<---- 0x28 ------->| AAAABBBB.....GGGGHHHH

  14. 14 Example: Injecting Shellcode |<-- 0x18-->|+--- ebp top v [ [~~~~> ] ][fp][ra] .... [SHELLCODE=...] |<---- 0x28 ------->| ^ AAAABBBB.....GGGG[ ] | + | +-------------------+ 1) How to decide the address of an environment variable? (changing!) 2) How to inject (or manipulate) environment variables?

  15. 15 DEMO: Exploiting crackme0x00! • core dump • ulimit -c unlimited • gdb -c core • shell commands/tools • env • export • hexedit • dmesg

  16. 16 In-class Tutorial • Step 1: Bruteforcing • Step 2: Play with your first exploit! $ git git@clone tc.gtisc.gatech.edu:seclab-pub cs6265 or $ git pull $ cd cs6265/lab04 $ ./init.sh $ cd tut $ cat README

  17. 17 References • IDA Demo • Phrack #49-14

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Lec04: Writing Exploits Taesoo Kim 2 Scoreboard 3 Administrivia Join Piazza! An

Lec04: Writing Exploits Taesoo Kim 2 Scoreboard 3 Administrivia Join Piazza! An

1 Lec04: Writing Exploits Taesoo Kim 2 Scoreboard 3 Administrivia Join Piazza! An optional recitation at 4:30-5:30pm on Wed (in CBC 104A) Due: Lab03 (stack overflow) on Sept 21 at midnight NSA Codebreaker Challenge

423 views • 20 slides
Lec03: Writing Exploits Taesoo Kim 2 Scoreboard 3 Administrivia Survey: how many hours

Lec03: Writing Exploits Taesoo Kim 2 Scoreboard 3 Administrivia Survey: how many hours

1 Lec03: Writing Exploits Taesoo Kim 2 Scoreboard 3 Administrivia Survey: how many hours did you spend? (&lt;3h, 6h, 10h, &gt;20h) Join Piazza! An optional recitation on every Wed 5:00-6:00pm (in Klaus 1447)

617 views • 34 slides
Lec03: Writing Exploits Taesoo Kim 2 Scoreboard 3 Administrivia Survey: how many hours

Lec03: Writing Exploits Taesoo Kim 2 Scoreboard 3 Administrivia Survey: how many hours

1 Lec03: Writing Exploits Taesoo Kim 2 Scoreboard 3 Administrivia Survey: how many hours did you spend? (&lt;3h, 6h, 10h, 15h, &gt;20h) Please join Piazza An optional recitation at 5-7pm on every Wed (in CoC 052 ) Lab02:

603 views • 14 slides
Escaping chroot jails Why? Chroot jails come up in writing exploits, CtF competitions, etc.

Escaping chroot jails Why? Chroot jails come up in writing exploits, CtF competitions, etc.

Escaping chroot jails Why? Chroot jails come up in writing exploits, CtF competitions, etc. In the context of this class, a good intro to basic UNIX concepts UNIX 101 man man man 2 chroot Users (UID 0 is root)

370 views • 11 slides
11-823 Conlanging Writing Writing Systems Different Writing Systems What makes a writing

11-823 Conlanging Writing Writing Systems Different Writing Systems What makes a writing

11-823 Conlanging Writing Writing Systems Different Writing Systems What makes a writing system Standardization vs Historical artifacts Constructed Writing Systems Computing and its influence on writing Types of Writing

528 views • 24 slides
FROM PRINTED FROM PRINTED CIRCUIT BOARDS TO CIRCUIT BOARDS TO EXPLOITS EXPLOITS (PWNING IOT

FROM PRINTED FROM PRINTED CIRCUIT BOARDS TO CIRCUIT BOARDS TO EXPLOITS EXPLOITS (PWNING IOT

FROM PRINTED FROM PRINTED CIRCUIT BOARDS TO CIRCUIT BOARDS TO EXPLOITS EXPLOITS (PWNING IOT DEVICES LIKE A BOSS) (PWNING IOT DEVICES LIKE A BOSS) @virtualabs | Hack in Paris '18 ABOUT ME ABOUT ME Head of Research @ Econocom Digital

1.73k views • 83 slides
Buffer Overflow Vulnerabilities Exploits and Defensive Techniques Adam Butcher and Peter

Buffer Overflow Vulnerabilities Exploits and Defensive Techniques Adam Butcher and Peter

Buffer Overflow Vulnerabilities Exploits and Defensive Techniques Adam Butcher and Peter Buchlovsky 8. March 2004 University of Birmingham 1 Contents 1. Call-stacks, shellcode, gets 2. Exploits stack-based, heap-based 3. Defensive

1.56k views • 123 slides
Writing Home 8: Formal and Informal Writing We We use formal language for: Writing to

Writing Home 8: Formal and Informal Writing We We use formal language for: Writing to

Writing Home 8: Formal and Informal Writing We We use formal language for: Writing to someone we dont know Writing for a large audience such as in a newspaper article Writing non-fiction such as instructions, explanations or

209 views • 6 slides
Looking and Writing: Teaching Writing in the Discipline Teaching Writing in the Discipline of

Looking and Writing: Teaching Writing in the Discipline Teaching Writing in the Discipline of

ProVisions Writing in the Disciplines October 11, 2011 Looking and Writing: Teaching Writing in the Discipline Teaching Writing in the Discipline of Art History Robert R. Shane, Ph.D. Art Department John C Bean Engaging Ideas: The John C.

436 views • 10 slides
Writing for Funding Part 1: General Writing and Writing for Specific Review Alicia J. Knoedler,

Writing for Funding Part 1: General Writing and Writing for Specific Review Alicia J. Knoedler,

Writing for Funding Part 1: General Writing and Writing for Specific Review Alicia J. Knoedler, Ph.D. Grant Writing for the Social Sciences Summer, 2003 Writing Discussions Part 1: Getting Started General writing comments and

809 views • 13 slides
Payload Already Inside: Payload Already Inside: Data re-use for ROP Exploits Data re-use for ROP

Payload Already Inside: Payload Already Inside: Data re-use for ROP Exploits Data re-use for ROP

Payload Already Inside: Payload Already Inside: Data re-use for ROP Exploits Data re-use for ROP Exploits Long Le longld@vnsecurity.net BLACKHAT USA 2010 BLACKHAT USA 2010 1 Who am I? VNSECURITY founding member Capture-The-Flag

759 views • 43 slides
writing bat paper accounting service cv writing thesis nps graduate writing

writing bat paper accounting service cv writing thesis nps graduate writing

Why homework, assignment photoshop, price natural gas thesis, homework helper mymathlab. Austin writing tx resume service, paper research android, writing internships sydney creative, bristol creative groups writing. Help mayans facts homework,

287 views • 5 slides
Industrial Bug Mining Industrial Bug Mining Extracting, Grading and Enriching the Ore of Exploits

Industrial Bug Mining Industrial Bug Mining Extracting, Grading and Enriching the Ore of Exploits

Industrial Bug Mining Industrial Bug Mining Extracting, Grading and Enriching the Ore of Exploits the Ore of Exploits Private &amp; Confidential Property of COSEINC The Bug Mining Analogy The Bug Mining Analogy Phase 1: Extraction Phase 2:

591 views • 37 slides
Writing for Funding Part 3: Writing Catch-All Discussion Alicia J. Knoedler, Ph.D. Grant

Writing for Funding Part 3: Writing Catch-All Discussion Alicia J. Knoedler, Ph.D. Grant

Writing for Funding Part 3: Writing Catch-All Discussion Alicia J. Knoedler, Ph.D. Grant Writing for the Social Sciences Summer, 2003 Writing Discussions Part 1: Getting Started General writing comments and suggestions Knowing

552 views • 7 slides
BUSINESS WRITING NEAR EAST UNIVERSITY 1 2 Business Writing Business Writing Follow these

BUSINESS WRITING NEAR EAST UNIVERSITY 1 2 Business Writing Business Writing Follow these

BUSINESS WRITING NEAR EAST UNIVERSITY 1 2 Business Writing Business Writing Follow these rules Topics to cover Business letters State your purpose Envelopes Be straightforward, clear, concise, objective and courteous Job

449 views • 8 slides
&gt;&gt;&gt;CLICK HERE&lt;&lt;&lt; Report writing and presentation Buckinghamshire. vehicle

&gt;&gt;&gt;CLICK HERE&lt;&lt;&lt; Report writing and presentation Buckinghamshire. vehicle

Report Writing And Presentation Report writing and presentation Hartford help with homework westminster english essays sri lanka essay character building need of the day. Report writing and presentation Wisconsin writing assignment 8 the game's

83 views • 4 slides
Systema(cally exploring control programs (Lecture I) Ratul

Systema(cally exploring control programs (Lecture I) Ratul

Systema(cally exploring control programs (Lecture I) Ratul Mahajan Microso' Research Joint work with Jason Cro3, Ma5 Caesar, and Madan Musuvathi

718 views • 67 slides
List of Slides 3 The charged gas in Quantum Mechanics 4 The Instability of the charged Bose Gas

List of Slides 3 The charged gas in Quantum Mechanics 4 The Instability of the charged Bose Gas

The Matter of Instability a Jan Philip Solovej Department of Mathematics University of Copenhagen STABILITY MATTERS Erwin Schr odinger Institute, Vienna, 2002 On the occasion of the 70th Birthday of Elliott H. Lieb a Joint work with Elliott

339 views • 11 slides
Lecture 4.3: Self-adjoint linear operators Matthew Macauley Department of Mathematical Sciences

Lecture 4.3: Self-adjoint linear operators Matthew Macauley Department of Mathematical Sciences

Lecture 4.3: Self-adjoint linear operators Matthew Macauley Department of Mathematical Sciences Clemson University http://www.math.clemson.edu/~macaule/ Math 4340, Advanced Engineering Mathematics M. Macauley (Clemson) Lecture 4.3:

85 views • 7 slides
A variant of the large sieve inequality with explicit constants Maciej Grzekowiak Adam

A variant of the large sieve inequality with explicit constants Maciej Grzekowiak Adam

A variant of the large sieve inequality with explicit constants Maciej Grzekowiak Adam Mickiewicz University Pozna, Poland Number Theoretic Methods in Cryptology Paris 2019 MG (UAM Pozna) Sieve NutMic 2019 1 / 25 Outline 1 The large

1.04k views • 90 slides
Lusteral Uniform and Modular Composition of Data-flow &amp; Control-flow in the Lazy

Lusteral Uniform and Modular Composition of Data-flow &amp; Control-flow in the Lazy

Lusteral Uniform and Modular Composition of Data-flow &amp; Control-flow in the Lazy -Calculus joint work with Marc Pouzet M. Mendler, University of Bamberg Synchron 2008 CPL Aussois Synchron 2008 CPL Aussois 1 Constructive Data

491 views • 48 slides
Colossians Series Lesson #45 February 5, 2012 Dean Bible Ministries www.deanbible.org Dr.

Colossians Series Lesson #45 February 5, 2012 Dean Bible Ministries www.deanbible.org Dr.

Colossians Series Lesson #45 February 5, 2012 Dean Bible Ministries www.deanbible.org Dr. Robert L. Dean, Jr. C OLOSSIANS : Jesus Christ is All-Sufficient Christs Triumph Over Sin, Satan, and the Demons Colossians 2:15 Col. 2:11,

161 views • 12 slides
SOCI 210: Sociological Perspectives Nov. 10 1. Relational sociology 2. Network relations 3.

SOCI 210: Sociological Perspectives Nov. 10 1. Relational sociology 2. Network relations 3.

SOCI 210: Sociological Perspectives Nov. 10 1. Relational sociology 2. Network relations 3. Position and juxtaposition 4. Networks and mobilization 1 Networks and Mobilization Gould (1991) 2 Paris Commune Radical socialist government

388 views • 18 slides
Medusa A disassembler and something more... Angelin Njakasoa BOOZ LSE Summer Week 2016

Medusa A disassembler and something more... Angelin Njakasoa BOOZ LSE Summer Week 2016

Medusa A disassembler and something more... Angelin Njakasoa BOOZ LSE Summer Week 2016 Quarkslab Angelin Njakasoa BOOZ (LSE Summer Week 2016) Medusa LSE Week 2016 1 / 20 Presentation Whoami? Where do I work? What do I do? Angelin

453 views • 20 slides

More recommend