Embed Size (px)
DESCRIPTION
This slides describe the basic of exploitation.
Citation preview
Introduction to Exploitationth!nkh@ck-hackartist
Outline
• What is exploitation
• Study Points
• CPU Registers & Instructions
• Flow of Function
• Managing Memory
What is exploitation?
• The kind of exploitation is various For software, hardware, system and etc.
• What is the goal of the exploitation? The exploitation is getting actions you want it to do.
• What is needed?Skill of computer languages Knowledge of Operating System Understanding architecture.
Study Points
• We will focus on :CPU registers, Understanding stack of computer, A glance about assembly and C
• Why we study those Most of exploitations come from memory corruption.
CPU Registers & Instructions
• Cores of CPUCPU consists of registers, instructions.
• What does the different architecture of CPU means?It means that they have the different instructions each others.
• Are you hard to get assembly?Do not afraid to face it. Because assembly was made for us with human friendly representation of opcodes.
• Special instructionsEBP, ESP, EIP
CPU Registers & Instructions
• 16 bits data registers can be accessed to high and low half bits by AL&AH, BL&BH and etc.
16 Bits 32 Bits 64 Bits Description
AX EAX RAX Accumulator
BX EBX RBX Base Index
CX ECX RCX Counter
DX EDX RDX Data
BP EBP RBP Base Pointer
SP ESP RSP Stack Pointer
IP EIP RIP Instruction Pointer
SI ESI RSI Source Index Pointer
DI EDI RDI Destination Index Pointer
Composition of a Functionvoid func2(char *x) { printf(“You entered: %s\n", x); }
void func1(char *str) { char buffer[16]; strcpy(buffer, str); func2(buffer); }
int main(int argc, char *argv[]) { if (argc > 1) func1(argv[1]); else printf(“No arguments!\n"); }
Name
Parameters
Body
Return type
Variation of Stack memory
void func2(char *x) { printf(“You entered: %s\n", x); }
void func1(char *str) { char buffer[16]; strcpy(buffer, str); func2(buffer); }
int main(int argc, char *argv[]) { if (argc > 1) func1(argv[1]); else printf(“No arguments!\n"); }
Variation of Stack memory
void func2(char *x) { printf(“You entered: %s\n", x); }
void func1(char *str) { char buffer[16]; strcpy(buffer, str); func2(buffer); }
int main(int argc, char *argv[]) { if (argc > 1) func1(argv[1]); else printf(“No arguments!\n"); }
Variation of Stack memory
void func2(char *x) { printf(“You entered: %s\n", x); }
void func1(char *str) { char buffer[16]; strcpy(buffer, str); func2(buffer); }
int main(int argc, char *argv[]) { if (argc > 1) func1(argv[1]); else printf(“No arguments!\n"); }
Variation of Stack memory
void func2(char *x) { printf(“You entered: %s\n", x); }
void func1(char *str) { char buffer[16]; strcpy(buffer, str); func2(buffer); }
int main(int argc, char *argv[]) { if (argc > 1) func1(argv[1]); else printf(“No arguments!\n"); }
Variation of Stack memory
void func2(char *x) { printf(“You entered: %s\n", x); }
void func1(char *str) { char buffer[16]; strcpy(buffer, str); func2(buffer); }
int main(int argc, char *argv[]) { if (argc > 1) func1(argv[1]); else printf(“No arguments!\n"); }
Variation of Stack memory
void func2(char *x) { printf(“You entered: %s\n", x); }
void func1(char *str) { char buffer[16]; strcpy(buffer, str); func2(buffer); }
int main(int argc, char *argv[]) { if (argc > 1) func1(argv[1]); else printf(“No arguments!\n"); }
func1(argv[1]);
Variation of Stack memory
void func2(char *x) { printf(“You entered: %s\n", x); }
void func1(char *str) { char buffer[16]; strcpy(buffer, str); func2(buffer); }
int main(int argc, char *argv[]) { if (argc > 1) func1(argv[1]); else printf(“No arguments!\n"); }
func1(argv[1]);
Variation of Stack memory
void func2(char *x) { printf(“You entered: %s\n", x); }
void func1(char *str) { char buffer[16]; strcpy(buffer, str); func2(buffer); }
int main(int argc, char *argv[]) { if (argc > 1) func1(argv[1]); else printf(“No arguments!\n"); }
func1(argv[1]);
Variation of Stack memory
void func2(char *x) { printf(“You entered: %s\n", x); }
void func1(char *str) { char buffer[16]; strcpy(buffer, str); func2(buffer); }
int main(int argc, char *argv[]) { if (argc > 1) func1(argv[1]); else printf(“No arguments!\n"); }
func1(argv[1]);
Variation of Stack memory
void func2(char *x) { printf(“You entered: %s\n", x); }
void func1(char *str) { char buffer[16]; strcpy(buffer, str); func2(buffer); }
int main(int argc, char *argv[]) { if (argc > 1) func1(argv[1]); else printf(“No arguments!\n"); }
func1(argv[1]);
Variation of Stack memory
void func2(char *x) { printf(“You entered: %s\n", x); }
void func1(char *str) { char buffer[16]; strcpy(buffer, str); func2(buffer); }
int main(int argc, char *argv[]) { if (argc > 1) func1(argv[1]); else printf(“No arguments!\n"); }
func1(argv[1]);
Variation of Stack memory
void func2(char *x) { printf(“You entered: %s\n", x); }
void func1(char *str) { char buffer[16]; strcpy(buffer, str); func2(buffer); }
int main(int argc, char *argv[]) { if (argc > 1) func1(argv[1]); else printf(“No arguments!\n"); }
func1(argv[1]);
func2(buffer);
Variation of Stack memory
void func2(char *x) { printf(“You entered: %s\n", x); }
void func1(char *str) { char buffer[16]; strcpy(buffer, str); func2(buffer); }
int main(int argc, char *argv[]) { if (argc > 1) func1(argv[1]); else printf(“No arguments!\n"); }
func1(argv[1]);
func2(buffer);
Variation of Stack memory
void func2(char *x) { printf(“You entered: %s\n", x); }
void func1(char *str) { char buffer[16]; strcpy(buffer, str); func2(buffer); }
int main(int argc, char *argv[]) { if (argc > 1) func1(argv[1]); else printf(“No arguments!\n"); }
func1(argv[1]);
func2(buffer);
Variation of Stack memory
void func2(char *x) { printf(“You entered: %s\n", x); }
void func1(char *str) { char buffer[16]; strcpy(buffer, str); func2(buffer); }
int main(int argc, char *argv[]) { if (argc > 1) func1(argv[1]); else printf(“No arguments!\n"); }
func1(argv[1]);
func2(buffer);
Variation of Stack memory
void func2(char *x) { printf(“You entered: %s\n", x); }
void func1(char *str) { char buffer[16]; strcpy(buffer, str); func2(buffer); }
int main(int argc, char *argv[]) { if (argc > 1) func1(argv[1]); else printf(“No arguments!\n"); }
func1(argv[1]);
func2(buffer);
Variation of Stack memory
void func2(char *x) { printf(“You entered: %s\n", x); }
void func1(char *str) { char buffer[16]; strcpy(buffer, str); func2(buffer); }
int main(int argc, char *argv[]) { if (argc > 1) func1(argv[1]); else printf(“No arguments!\n"); }
func1(argv[1]);
func2(buffer);
Variation of Stack memory
void func2(char *x) { printf(“You entered: %s\n", x); }
void func1(char *str) { char buffer[16]; strcpy(buffer, str); func2(buffer); }
int main(int argc, char *argv[]) { if (argc > 1) func1(argv[1]); else printf(“No arguments!\n"); }
func1(argv[1]);
Variation of Stack memory
void func2(char *x) { printf(“You entered: %s\n", x); }
void func1(char *str) { char buffer[16]; strcpy(buffer, str); func2(buffer); }
int main(int argc, char *argv[]) { if (argc > 1) func1(argv[1]); else printf(“No arguments!\n"); }
func1(argv[1]);
Variation of Stack memory
void func2(char *x) { printf(“You entered: %s\n", x); }
void func1(char *str) { char buffer[16]; strcpy(buffer, str); func2(buffer); }
int main(int argc, char *argv[]) { if (argc > 1) func1(argv[1]); else printf(“No arguments!\n"); }
func1(argv[1]);
Variation of Stack memory
void func2(char *x) { printf(“You entered: %s\n", x); }
void func1(char *str) { char buffer[16]; strcpy(buffer, str); func2(buffer); }
int main(int argc, char *argv[]) { if (argc > 1) func1(argv[1]); else printf(“No arguments!\n"); }
func1(argv[1]);
Variation of Stack memory
void func2(char *x) { printf(“You entered: %s\n", x); }
void func1(char *str) { char buffer[16]; strcpy(buffer, str); func2(buffer); }
int main(int argc, char *argv[]) { if (argc > 1) func1(argv[1]); else printf(“No arguments!\n"); }
Variation of Stack memory
void func2(char *x) { printf(“You entered: %s\n", x); }
void func1(char *str) { char buffer[16]; strcpy(buffer, str); func2(buffer); }
int main(int argc, char *argv[]) { if (argc > 1) func1(argv[1]); else printf(“No arguments!\n"); }
Variation of Stack memory
void func2(char *x) { printf(“You entered: %s\n", x); }
void func1(char *str) { char buffer[16]; strcpy(buffer, str); func2(buffer); }
int main(int argc, char *argv[]) { if (argc > 1) func1(argv[1]); else printf(“No arguments!\n"); }
What is Stack?
• Stack is one of data structure. LIFO - Last In First Out
• Imagine reading book and stacking them. After reading them, we simply take over the top of books. In the circumstances, it is difficult to get a book in middle of the tower.
Managing Memory
• One of role of Operating System is managing memory. In order to manage memory, the memory is segmented into several parts. The way memory is segmented is depends on OS. However, main memory is existed and important in all OS.
• Main memory is represented to “logical” structure and consists of several stack frames.
• Stack frame is a significantly important part. The stack frame is represented by two pointers:Base pointer(EBP or RBP) indicates start of current stack frame.Stack pointer(ESP or RSP) indicates end of current stack frame.
Back to Previous Position
Empty memory
Top of memory
Start of memory
Newer stack frame
EBP
ESP
Back to Previous Position
Empty memory
Top of memory
Start of memory
Newer stack frame
EBPESP
Back to Previous Position
Empty memory
Top of memory
Start of memory
Newer stack frame
EBPESP
Back to Previous Position
Empty memory
Top of memory
Start of memory
Newer stack frame
EBP
ESP
Back to Previous Position
Empty memory
Top of memory
Start of memory
Newer stack frame
EBPESP
Back to Previous Position
Empty memory
Top of memory
Start of memory
Newer stack frame
EBPESP
Back to Previous Position
Empty memory
Top of memory
Start of memory
Newer stack frame
EBP ESP
Back to Previous Position
Empty memory
Top of memory
Start of memory
Newer stack frame
EBP ESP?
Back to Previous Position
Empty memory
Saved EBP
Top of memory
Start of memory
Newer stack frame
EBP
ESP
Back to Previous Position
Empty memory
Saved EBP
Top of memory
Start of memory
Newer stack frame
EBPESP
Back to Previous Position
Empty memory
Saved EBP
Top of memory
Start of memory
Newer stack frame
EBP
ESP
Back to Previous Position
Empty memory
Saved EBP
Top of memory
Start of memory
Newer stack frame
EBP
ESP
Back to Previous Position
Empty memory
Saved EBP
Top of memory
Start of memory
Newer stack frame
EBP
ESP
Back to Previous Position
Empty memory
Saved EBP
Top of memory
Start of memory
Newer stack frame
EBP
ESP
Back to Previous Position
Empty memory
Saved EBP
Top of memory
Start of memory
Newer stack frame
EBP
ESP
x86 calling conventions
• There are three types for calling function. stdcall : The default call type of WinAPI32. A callee is responsible for cleaning stack frame for arguments.cdecl : The default call type of C. A caller is responsible for cleaning stack frame.
• There are many call types.
Difference between thempush <arg2>push <arg1>
call <callee>
push ebpmov ebp esppush <local variables>
pop ebpret <args size>
push <arg2>push <arg1>
call <callee>
push ebpmov ebp esppush <local variables>
pop ebpret 0
add esp <args size>
Caller
Callee
Caller
cdecl stdcall
Thank you for listening.
