Intel Architecture Memory Layout C Arrays · Buffer Overflow Attack - Computerphile . Title:...

20

Transcript of Intel Architecture Memory Layout C Arrays · Buffer Overflow Attack - Computerphile . Title:...

Page 1: Intel Architecture Memory Layout C Arrays · Buffer Overflow Attack - Computerphile . Title: PowerPoint Presentation Author: Dobin Rutishauser Created Date: 3/9/2017 9:26:22 PM ...
Page 2: Intel Architecture Memory Layout C Arrays · Buffer Overflow Attack - Computerphile . Title: PowerPoint Presentation Author: Dobin Rutishauser Created Date: 3/9/2017 9:26:22 PM ...

Intel Architecture

Shellcode

Debugging

Memory Layout

Remote Exploit

Function Calls

C Arrays

Assembler

Page 3: Intel Architecture Memory Layout C Arrays · Buffer Overflow Attack - Computerphile . Title: PowerPoint Presentation Author: Dobin Rutishauser Created Date: 3/9/2017 9:26:22 PM ...
Page 4: Intel Architecture Memory Layout C Arrays · Buffer Overflow Attack - Computerphile . Title: PowerPoint Presentation Author: Dobin Rutishauser Created Date: 3/9/2017 9:26:22 PM ...
Page 5: Intel Architecture Memory Layout C Arrays · Buffer Overflow Attack - Computerphile . Title: PowerPoint Presentation Author: Dobin Rutishauser Created Date: 3/9/2017 9:26:22 PM ...

# ./challenge10 <username> <password>

# ./challenge10 someusername somepassword

You are not admin.

Lame.

Page 6: Intel Architecture Memory Layout C Arrays · Buffer Overflow Attack - Computerphile . Title: PowerPoint Presentation Author: Dobin Rutishauser Created Date: 3/9/2017 9:26:22 PM ...

void handleData(char *username, char *password) {

int isAdmin = 0;

char firstname[16];

isAdmin = checkPassword(password);

strcpy(firstname, username);

if(isAdmin > 0) {

printf("You ARE admin!");

} else {

printf("You are not admin.\nLame.\n");

}

}

Page 7: Intel Architecture Memory Layout C Arrays · Buffer Overflow Attack - Computerphile . Title: PowerPoint Presentation Author: Dobin Rutishauser Created Date: 3/9/2017 9:26:22 PM ...

const char *adminHash = "$6$saaaaalty$cjw9qyA..";

int checkPassword(char *password) {

char *hash;

hash = crypt(password, "$6$saaaaalty");

if (strcmp(hash, adminHash) == 0) {

return 1;

} else {

return 0;

}

}

Page 8: Intel Architecture Memory Layout C Arrays · Buffer Overflow Attack - Computerphile . Title: PowerPoint Presentation Author: Dobin Rutishauser Created Date: 3/9/2017 9:26:22 PM ...

&username

SIP

SFP

isAdmin

pop push

Stack Frame

<handleData>

&password

firstname[16]

Page 9: Intel Architecture Memory Layout C Arrays · Buffer Overflow Attack - Computerphile . Title: PowerPoint Presentation Author: Dobin Rutishauser Created Date: 3/9/2017 9:26:22 PM ...

char firstname[16] isAdmin

AAAA AAAA AAAA AAAA 0

Write up

Page 10: Intel Architecture Memory Layout C Arrays · Buffer Overflow Attack - Computerphile . Title: PowerPoint Presentation Author: Dobin Rutishauser Created Date: 3/9/2017 9:26:22 PM ...

char firstname[16] isAdmin

AAAA AAAA AAAA AAAA B

Write up

Page 11: Intel Architecture Memory Layout C Arrays · Buffer Overflow Attack - Computerphile . Title: PowerPoint Presentation Author: Dobin Rutishauser Created Date: 3/9/2017 9:26:22 PM ...

void handleData(char *username, char *password) {

int isAdmin = 0;

char firstname[16];

(0)

isAdmin = checkPassword(password);

(1)

strcpy(firstname, username);

(2)

if(isAdmin > 0) {

printf("You ARE admin!");

} else {

printf("You are not admin.\nLame.\n");

}

}

Page 12: Intel Architecture Memory Layout C Arrays · Buffer Overflow Attack - Computerphile . Title: PowerPoint Presentation Author: Dobin Rutishauser Created Date: 3/9/2017 9:26:22 PM ...

char firstname[16] isAdmin

<undefined> <undef> 0

<undefined> 0x00000000 1

AAAAAAAAAAAAAAAAAAAAA 0x00000000 2

AAAAAAAAAAAAAAAAAAAAA 0x00000041 2

Page 13: Intel Architecture Memory Layout C Arrays · Buffer Overflow Attack - Computerphile . Title: PowerPoint Presentation Author: Dobin Rutishauser Created Date: 3/9/2017 9:26:22 PM ...

AAAAAAAAAAAAAAA 0x00 0x00 0x00 0x00 2

AAAAAAAAAAAAAAA A 0 0 0 2

AAAAAAAAAAAAAAA 0x41 0x00 0x00 0x00 2

Page 14: Intel Architecture Memory Layout C Arrays · Buffer Overflow Attack - Computerphile . Title: PowerPoint Presentation Author: Dobin Rutishauser Created Date: 3/9/2017 9:26:22 PM ...

./challenge1 compass superpassword

You are not admin.

./challenge1 0123456789012345679012345678 test

You are not admin.

./challenge1 0123456789012345679012345678A test

You ARE admin!

isAdmin: 0x41

./challenge1 0123456789012345679012345678AB test

You ARE admin!

isAdmin: 0x4241

Page 15: Intel Architecture Memory Layout C Arrays · Buffer Overflow Attack - Computerphile . Title: PowerPoint Presentation Author: Dobin Rutishauser Created Date: 3/9/2017 9:26:22 PM ...
Page 16: Intel Architecture Memory Layout C Arrays · Buffer Overflow Attack - Computerphile . Title: PowerPoint Presentation Author: Dobin Rutishauser Created Date: 3/9/2017 9:26:22 PM ...

buf = malloc(1024);

strcpy(buf, user_supplied)

buf = (char **) malloc(BUF_SIZE);

while (user_buf[i] != 0) {

buf[i] = malloc(strlen(user_buf[i]) + 1);

i++

}

Page 17: Intel Architecture Memory Layout C Arrays · Buffer Overflow Attack - Computerphile . Title: PowerPoint Presentation Author: Dobin Rutishauser Created Date: 3/9/2017 9:26:22 PM ...

memcpy(

array[user_supplied_int],

user_supplied_buffer,

user_supplied_int2)

buf = malloc(strlen(user_buf + 5));

strcpy(buf, user_buf);

Page 18: Intel Architecture Memory Layout C Arrays · Buffer Overflow Attack - Computerphile . Title: PowerPoint Presentation Author: Dobin Rutishauser Created Date: 3/9/2017 9:26:22 PM ...
Page 19: Intel Architecture Memory Layout C Arrays · Buffer Overflow Attack - Computerphile . Title: PowerPoint Presentation Author: Dobin Rutishauser Created Date: 3/9/2017 9:26:22 PM ...
Page 20: Intel Architecture Memory Layout C Arrays · Buffer Overflow Attack - Computerphile . Title: PowerPoint Presentation Author: Dobin Rutishauser Created Date: 3/9/2017 9:26:22 PM ...

Buffer Overflow Attack - Computerphile

https://www.uperesia.com/buffer-overflow-explained
https://www.uperesia.com/buffer-overflow-explained
https://www.uperesia.com/buffer-overflow-explained
https://www.uperesia.com/buffer-overflow-explained
https://www.uperesia.com/buffer-overflow-explained
https://www.uperesia.com/buffer-overflow-explained
https://www.youtube.com/watch?v=1S0aBV-Waeo
https://www.youtube.com/watch?v=1S0aBV-Waeo
https://www.youtube.com/watch?v=1S0aBV-Waeo
https://www.youtube.com/watch?v=1S0aBV-Waeo
https://www.youtube.com/user/Computerphile

Experiencing Overflow

Experiencing Overflow

campus.ara.ac.nz€¦  · Web viewPavel Dobin. pad0430@arastudent.ac.nz. Callie Dando. cad0438@arastudent.ac.nz. Tyler Goodall . tyg0010@arastudent.ac.nz. Siobhan O’Brien Sao0287@arastudent.ac.nz

campus.ara.ac.nz€¦  · Web viewPavel Dobin. [email protected]. Callie Dando. [email protected]. Tyler Goodall . [email protected]. Siobhan O’Brien [email protected]

Buffer Overflow Exploits

Buffer Overflow Exploits

Community overflow

Community overflow

A Guidance Law for a Mobile Robot for Coverage ...asinha/pdfdocs/twinkle-acods14.pdf · from sensors. Rutishauser et al. Rutishauser et al. (2009) solve the problem of collaborative

A Guidance Law for a Mobile Robot for Coverage ...asinha/pdfdocs/twinkle-acods14.pdf · from sensors. Rutishauser et al. Rutishauser et al. (2009) solve the problem of collaborative

Overflow Designs

Overflow Designs

STAR manual 2.7 - GitHubSTAR manual 2.7.5a Alexander Dobin dobin@cshl.edu June 16, 2020 Contents 1 Getting started. 4 1.1 Installation ...

STAR manual 2.7 - GitHubSTAR manual 2.7.5a Alexander Dobin [email protected] June 16, 2020 Contents 1 Getting started. 4 1.1 Installation ...

Overflow. Part 3 Overflowing Gratitude Overflow – perisseia “Superabundance”

Overflow. Part 3 Overflowing Gratitude Overflow – perisseia “Superabundance”

SCIENTIFIC ABSTRACT YE. S. DOBIN - B.M. DOBKINA...Title: SCIENTIFIC ABSTRACT YE. S. DOBIN - B.M. DOBKINA : Subject: SCIENTIFIC ABSTRACT YE. S. DOBIN - B.M. DOBKINA : Keywords: DOBIN,

SCIENTIFIC ABSTRACT YE. S. DOBIN - B.M. DOBKINA...Title: SCIENTIFIC ABSTRACT YE. S. DOBIN - B.M. DOBKINA : Subject: SCIENTIFIC ABSTRACT YE. S. DOBIN - B.M. DOBKINA : Keywords: DOBIN,

Stack Overflow Attacks

Stack Overflow Attacks

Dwelling Ecologies in Harrison, NJ (Dobin, Jaewoo)

Dwelling Ecologies in Harrison, NJ (Dobin, Jaewoo)

Stereoscopic Overflow

Stereoscopic Overflow

Overflow (1Q-2014)

Overflow (1Q-2014)

OVERFLOW CHARTS

OVERFLOW CHARTS

Overflow E Coli

Overflow E Coli

Mattias Rutishauser Architecture Portfolio

Mattias Rutishauser Architecture Portfolio

Module04 Buffer Overflow

Module04 Buffer Overflow

Buffer Overflow Attack

Buffer Overflow Attack

Buffer Overflow

Buffer Overflow

Instructor: Khaled Diab › sp20 › lectures › ... · •overflow function return address •overflow function base pointer •Overflow (dynamically allocated) memory region on

Instructor: Khaled Diab › sp20 › lectures › ... · •overflow function return address •overflow function base pointer •Overflow (dynamically allocated) memory region on