Local Exploits
0 likes339 views
The document discusses computer memory layout and calling conventions. It explains that programs are stored in segments like text, data, bss, heap and stack. The stack grows downward while the heap grows upward. When a function is called, parameters are pushed onto the stack and the instruction pointer is saved. The function then saves the base pointer and allocates space for local variables below it on the stack. A buffer overflow occurs when a program writes more data to a buffer than it was allocated to hold. Shellcode is program code designed to be injected and executed from the stack.
Local Exploits
- 1. Seguretat Local exploits v2011/01 Carles Mateu i Ramon Bèjar Departament d'Informàtica i Enginyeria Industrial Universitat de Lleida
- 2. Exploits Programs and tools that, take profit from a vulnerability (usually a programming error) to gain access, scalate privileges, etc.
- 3. Programming 101 Computer memory (executing programs)
- 7. Segments
- 8. Stacks
- 9. Computer memory basics Endianness: Byte order when storing multibyte data in memory.
- 10. Little endian: L1 L2 H1 H2 Big endian: H1 H2 L1 L2 Intel: little endian. Motorola: big endian. Network: big endian.
- 11. Computer memory: Segments .text : Executable code. RO and Fixed Size.
- 12. .data : Global initialized variables. Fixed Size.
- 13. .bss : (below stack section). Global NON -initialized variables. Fixed Size.
- 14. Heap: Dynamic allocated space. Grows from low -> high. (malloc, free).
- 15. Stack: Dynamic. Grows from high -> low. Keeps calling stack and local variables.
- 16. Env: System environment variables and program arguments.
- 17. Computer memory: Segment layout.
- 18. Segment layout example. int index = 5; // data (initialized) char * str; // bss (uninitialized) int nothing; // bss (uninitialized) void fun(int c) // stack { int i=c; // stack region str = (char*)malloc(10*sizeof (char)); // heap strncpy(str, "abcde", 5); } void main () { fun(1); }
- 19. Buffer overflow Situation where an allocated buffer gets more data that it can handle.
- 20. If we can fill stack we can disrupt program function. <demo overflow>
- 21. Stack operation LIFO (FILO) operation.
- 22. Controlled by 2 reg: ebp, esp.
- 23. Calling convention. How a program keeps state and variables when jumping to a function (and returns back)?
- 24. Calling code: Calling code places parameters on stack.
- 25. Calling code saves EIP on stack.
- 26. Call is executed. Called code: Save EBP in stack
- 27. ESP -> EBP
- 28. ESP - = Local variables space
- 29. Calling convention. void fun(int c, int d) { int i; .... } void main () { Fun(1,3); }
- 30. Calling convention. void fun(int c, int d) { int i; .... } void main () { Fun(1,3); }
- 31. Calling convention. void fun(int c, int d) { int i; .... } void main () { Fun(1,3); }
- 32. Calling convention. void fun(int c, int d) { int i; .... } void main () { Fun(1,3); }
- 33. Calling convention. void fun(int c, int d) { int i; .... } void main () { Fun(1,3); }
- 34. Shellcode Program code (assembly) that calls/executes designed to be injected as data and run from stack.
- 35. Many available on the web.
- 36. Demo