Transcript Hacking - Korea University

HACKING
The art of exploitation
CONTENTS
 0x250 – Getting your hands dirty 
 The Bigger Picture (0x251)
 The x86 Processor (0x252)
 Assembly Language (0x253)
 0x260 – Back to basics
 0x270 – Memory segmentation
0X250 – GETTING YOUR HANDS DIRTY 
 Environment
 Language- C
 OS - Linux (live cd)
 just put the usb, and reboot your computer
 compiler – GCC(GNU Compiler Collection)
 Translate c into machine language
 CPU - x86
 Virtual Machine: Virtual Box
FIRSTPROG.C
 gcc firstprog.c
 Result: a.out
 Main execution begins in main
 #include <stdio.h>
 Adds header file to the program when compiled
 ‘printf’ is in /usr/include/stdio.h
0X251 – BIGGER PICTURE
 C code can’t actually do anything
 until it’s compiled into an executable binary file.
 Binary file is what actually gets executed in the real world
 CPU(x86) can read a.out
TO EXAMINE COMPILED BINARIES
 “objdump”
Memory Address
Machine Language
Assembly language (Intel syntax)
GDB
 Debugger included in GNU
 “A programmer who has never used a debugger to look at the inner workings of a program
is like a seventeenth-century doctor who has never used a microscope.”
 Debugger can view the execution from all angles, pause it, and change anything along the
way
GDB CONFIGURATION & OPTION
 Disassembly syntax can be set to intel
 gcc with –g flag
 To include extra debugging information
 Give gdb access to the source code
INTEL SYNTAX
 Operation <destination>, <source>
 ex. Move ebp, esp
 <destination>
 Will either be a register, a memory, address, or a value
IN LECTURE SLIDES (CH01)
 GDB command summary
 (gdb) help (gdb) help disass
 (gdb) list (gdb) list 1,20
 (gdb) disass main (gdb) disass /mr main
 (gdb) info registers (or i r) ; display x86 registers
 Examples: (gdb) i r (gdb) i r $eip
 (gdb) x
; examine
 (gdb) x/10i $eip ; display 10 instructions from eip
 (gdb) x/2x $eip ; display 2 words (4 bytes) in hex. B (byte), h (halfword), w (word, 4B), g (8B)




(gdb) nexti
(gdb) stepi
(gdb) next
(gdb) step
; execute 1 machine instruction. Will step into subfunctions
; execute 1 machine instruction. Will not enter subfunctions
; step program
; step program until it reaches a different source line
0X252 THE X86 PROCESSOR
 X86 processor has several
registers
 Internal variables for the
processor
REGISTERS
 X86 processor has several
registers
 Internal variables for the
processor
 EAX, ECX, EDX, and EBX
 General purpose registers
 Accumulator, Counter, Data, Base
 Mainly, act as Temporary variables for the
CPU
 ESP, EBP, ESI, and EDI
 General purpose registers
 Stack Pointer, Base Pointer, Source Index,
Destination Index
 EIP – Instruction pointer
 EFLAGS consists of several bit flags
 Used for comparison and memory
segments
0X253 ASSEMBLY LANGUAGE
 Firstprog.c
Functional prologue
gen by the compiler
to set up mem for the rest of the main’s local variable
Runnig Example with
List
Break
x/
Ir
Nexti
Print
cont
X/?
 O : octal
 X: hexadecimal
 U: unsigned int
 T: binary
 I: instruction
 S:String
 B: single byte
 W: word, 4bytes in size
SOMETHING ODD
 GDB is smart enough to know how value are stored
SOMETHING ODD (2)
0x8048374
0x55
+4
0x89
+8
0xE5
+12
0x83
BACK TO BASICS
0x260
LOW-LEVEL PROGRAMMING CONCEPTS
 String
 Signed, Unsigned, Long, and Shot
 Pointers
 Format Strings
 Typecasting
 Command-line arguments
 Variable Scoping
STRING
I
a[i]
0
H
1
E
2
L
3
L
4
O
5
W
6
,
7
W
8
O
9
R
0
L
11
D
12
!
13
\n
14
0
 To store “Hello, world!\n”
 Char str_a[20];
 1. str_a[0] = ‘H’;
 2. strcpy(str_a, "Hello, world!\n");
SIGNED, UNSIGNED
 All numerical values must be stored in binary
 Unsigned value make the most sense
 1001 -> 9
 Two’s complement
 0100 -> 4
 1100 -> -4
SIGNED, UNSIGNED, LONG, SHORT
 Variables can be declared as
unsigned by prepending the
keyword ‘unsigned’
 unsigned int foo
 In addition,
 Size of variables can be extended
or shortened
reader@hacking:~/booksrc $ ./a.out
The 'int' data type is 4 bytes
The 'unsigned int' data type is 4 bytes
The 'short int' data type is 2 bytes
The 'long int' data type is 4 bytes
The 'long long int' data type is 8 bytes
The 'float' data type is 4 bytes
The 'char' data type is 1 bytes
POINTER
 The EIP register is a pointer that “points” to the current instruction
 This Idea is used in C
 Pointers in C can be defined and used like any other variable type.
 4byte size
 *! (asterisk) &(empersand)
ADDRESSOF.C
#include <stdio.h>
int main() {
int int_var = 5;
int *int_ptr;
int_ptr = &int_var; // put the address of int_var into
int_ptr
}
ADDRESSOR.C WITH GDB
FORMAT STRINGS
 A format string is just a character string with special parameter
Prarmeter
Output Type
%d
Decimal
%u
Unsigned Decimal
%x
Hexadecimal
%s
String
…
…
PRINTF
printf("[A] Dec: %d, Hex: %x, Unsigned: %u\n", A, A, A);
printf("[B] Dec: %d, Hex: %x, Unsigned: %u\n", B, B, B);
printf("[field width on B] 3: '%3u', 10: '%10u', '%08u'\n", B, B, B);
printf("[string] %s Address %08x\n", string, string);
printf("variable A is at address: %08x\n", &A);
[A] Dec: -73, Hex: ffffffb7, Unsigned: 4294967223
[B] Dec: 31337, Hex: 7a69, Unsigned: 31337
[field width on B] 3: '31337', 10: ' 31337', '00031337'
[string] sample Address bffff870
variable A is at address: bffff86c
TYPECASTING
 Temporarily change a variable’s data type
 (typecast_data_type) variable
#include <stdio.h>
int main() {
int a, b;
float c, d;
a = 13;
b = 5;
c = a / b; // Divide using integers.
d = (float) a / (float) b; // Divide integers typecast as floats.
printf("[integers]\t a = %d\t b = %d\n", a, b);
printf("[floats]\t c = %f\t d = %f\n", c, d);
}
reader@hacking:~/booksrc $ gcc
typecasting.c
reader@hacking:~/booksrc $ ./a.out
[integers] a = 13 b = 5
[floats] c = 2.000000 d = 2.600000
COMMAND-LINE ARGUMENTS
 don’t require user interaction after the program has begun execution
#include <stdio.h>
int main(int arg_count, char *arg_list[]) {
int i;
printf("There were %d arguments provided:\n", arg_count);
for(i=0; i < arg_count; i++)
printf("argument #%d\t-\t%s\n", i, arg_list[i]);
}
MEMORY SEGMENTATION
0x270
MEMORY SEGMENTATION
 A compiled program’s memory is divided into
 Text
 Where the assembled machine language instructions of the program are located
 Data & Bss
 To store global and static program
 Heap
 Unfixed segment
 Stack
 Temporary scratch pad to store local function
TEXT SEGMENTATION
 Contains assembled machine language instructions
 The processor read the instruction (which EIP points to), executes it.
 doesn’t care about the change of EIP (caused by jump, branch…)
 Read-Only, Fixed size
 Prevents people from modifying the code
 program will be killed with the warning msg
 Code can be shared among different copies of the program
EXECUTION LOOP
CPU
Address
Value
0x804837a
83
0x804837b
e4
0x804837c
f0
1. Reads the instruction that EIP is pointing to
0x804837d
b8
2. Adds the byte length of the instruction to EIP
…
…
0x804837d
0x804837a
3. Executes the instruction that was read in step 1
4. Goes back to step 1
DATA AND BSS SEGMENTATION
 To store global and static program
 Data segment
 Initialized global and static variables
 Bss segment
 Uninitialized global and static variables
 Writable, Fixed size
 Global and static variables are able to persist
 Stored in their own mem seg
HEAP
 Writable, unfixed size
 Programmer can directly control
 Can grow larger or smaller as needed
 Malloc, free
 The growth?
Address
0x80497ec
Global_ini_var
0x80497ec+4
Static_ini_var
0x80497ec+12
Static var
0x80497ec+16
Global var
0x80497+28
Heap_var
…
…
STACK
 Writable, unfixed size
 Temporary scratch pad
 to store local function variables and context during function calls
 In fact, a Stack data structure (FILO)
 Push
 Pop
 Contains many ‘Stack frames’
 The growth?
Address
…
…
0xbffff834 - 32
Func’s_st_var
0xbffff834
Stack_var
STACK FRAME
 Frame pointer
 EBP register : used to reference local function variables in the current stack frame
 Contains
 the parameters to the functions
 Local variables
 2 pointers
 Saved frame pointer
 Used to restore EBP value to its previous value
 Return address (function caller)
RUNNING EXAMPLE
 Stack_example.c
 Function prologue
 save the frame pointer on the stack
 Save stack memory for the local function variables
STACK FRAME(2)
 Frame pointer
 EBP register : used to reference local function variables in the current stack frame
 Contains
 the parameters to the functions
 Local variables
 2 pointers
 Saved frame pointer
 Used to restore EBP value to its previous value
 Return address (function caller)
BACKUP SLIDES
0x270~
MEMORY_SEGMENTS.C
MEMORY_SEGMENTS.C (RESULT)
global_initialized_var is at address 0x080497ec
Address
static_initialized_var is at address 0x080497f0
0x80497ec
Global_ini_var
0x80497ec+4
Static_ini_var
0x80497ec+12
Static var
global_var is at address 0x080497fc
0x80497ec+16
Global var
heap_var is at address 0x0804a008
0x80497+28
Heap_var
stack_var is at address 0xbffff834
…
…
static_var is at address 0x080497f8
the function's stack_var is at address 0xbffff814
Address
…
…
0xbffff834 - 32
Func’s_st_var
0xbffff834
Stack_var
HEAP_EXAMPLE.C
char_ptr = (char *) malloc(mem_size); // Allocating heap memory
if(char_ptr == NULL) { // Error checking, in case malloc() fails
fprintf(stderr, "Error: could not allocate heap memory.\n");
exit(-1);
}
strcpy(char_ptr, "This is memory is located on the heap.");
printf("char_ptr (%p) --> '%s'\n", char_ptr, char_ptr);
printf("\t[-] freeing char_ptr's heap memory...\n");
free(char_ptr); // Freeing heap memory
Address
0x80497ec
Global_ini_var
0x80497ec+4
Static_ini_var
0x80497ec+12
Static var
0x80497ec+16
Global var
0x80497+28
Heap_var
…
…
HEAP_EXAMPLE.C (RESULT)
reader@hacking:~/booksrc $ ./heap_example 100
[+] allocating 100 bytes of memory on the heap for char_ptr
char_ptr (0x804a008) --> 'This is memory is located on the heap.'
[+] allocating 12 bytes of memory on the heap for int_ptr
int_ptr (0x804a070) --> 31337
[-] freeing char_ptr's heap memory...
[+] allocating another 15 bytes for char_ptr
char_ptr (0x804a008) --> 'new memory'
[-] freeing int_ptr's heap memory...
[-] freeing char_ptr's heap memory...
reader@hacking:~/booksrc $