Exploiting Memory Overflows
Action Plan
- Memory Organization Basics
- Buffer Overflow Basics
- Demo
- Heap Overflow Basics
- Demo
System Organization Basics: the CPU talks to memory and peripherals over the system bus, drawn on the slide as its address, data and control lines (A/D/C).
Memory Organization Basics: data sizes (the slide's example value for each)

  Nibble:               4 bits  (0-15)             example: 10
  Byte:                 8 bits  (0-255)            example: 148
  Word:                16 bits  (0-65535)          example: 33,373
  Double Word (DWORD): 32 bits  (0-4294967295)     example: 1,881,526,604
Memory Organization Basics: byte order (endianness)

A value wider than one byte is stored in memory one byte at a time. Little-endian machines (Intel x86, x86_64) put the least significant byte (LSB) at the lowest address; big-endian machines (Motorola) put the most significant byte (MSB) there. The same value therefore appears in memory as:

  Value         Little endian (x86)    Big endian (Motorola)
  0x2A          2A                     2A
  0x6D20        20 6D                  6D 20
  0x461DAB69    69 AB 1D 46            46 1D AB 69

This matters later: an address written into an overflow payload for x86 has to be laid out least significant byte first, i.e. reversed relative to how it is written in hex.
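The byte-order rules above, as an added example that is not part of the slides: routines that read and write a DWORD in an explicitly chosen byte order regardless of the host CPU, plus a probe for the host's own order. The sample value 0x461DAB69 is the one from the slide's table; everything else here is constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Little endian (Intel x86, x86_64): p[0] is the least significant byte. */
uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0]
         | ((uint32_t)p[1] << 8)
         | ((uint32_t)p[2] << 16)
         | ((uint32_t)p[3] << 24);
}

/* Big endian (Motorola, also "network order"): p[0] is the most significant byte. */
uint32_t read_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24)
         | ((uint32_t)p[1] << 16)
         | ((uint32_t)p[2] << 8)
         |  (uint32_t)p[3];
}

/* Encode v low byte first, the layout x86 uses in memory. */
void write_le32(uint8_t *p, uint32_t v)
{
    for (int i = 0; i < 4; i++)
        p[i] = (uint8_t)(v >> (8 * i));
}

/* Encode v high byte first. */
void write_be32(uint8_t *p, uint32_t v)
{
    for (int i = 0; i < 4; i++)
        p[3 - i] = (uint8_t)(v >> (8 * i));
}

/* Returns 1 if the CPU lays a DWORD out low byte first. The probe copies the
 * integer's in-memory bytes, which is exactly what the slide's table shows. */
int host_is_little_endian(void)
{
    uint32_t probe = 0x01020304u;
    uint8_t bytes[4];
    memcpy(bytes, &probe, sizeof bytes);
    return bytes[0] == 0x04;
}

/* Reverse the byte order of a DWORD: converts between the two conventions. */
uint32_t byteswap32(uint32_t v)
{
    return (v >> 24)
         | ((v >> 8) & 0x0000FF00u)
         | ((v << 8) & 0x00FF0000u)
         | (v << 24);
}

int main(void)
{
    uint8_t le[4], be[4];
    write_le32(le, 0x461DAB69u);
    write_be32(be, 0x461DAB69u);
    printf("host is %s endian\n", host_is_little_endian() ? "little" : "big");
    printf("0x461DAB69 little endian: %02X %02X %02X %02X\n", le[0], le[1], le[2], le[3]);
    printf("0x461DAB69 big endian:    %02X %02X %02X %02X\n", be[0], be[1], be[2], be[3]);
    /* Reading the x86 layout as if it were big endian yields a different number. */
    printf("x86 bytes read as big endian: 0x%08X\n", (unsigned)read_be32(le));
    return 0;
}
```

The shift-based readers and writers never depend on the host order, which is why parsers for file formats and network protocols use this form rather than casting a byte pointer to `uint32_t *`.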
CPU Registers (IA-32)

  EAX    - Accumulator, used for default operands and results
  EBX    - Base, used to store pointers to data
  ECX    - Counter, used to count up or down
  EDX    - Data, used as an I/O pointer
  ESI    - Source Index, points to the source for data
  EDI    - Destination Index, points to the data destination
  EBP    - Base Pointer, points to the base of the current stack frame
  ESP    - Stack Pointer, points to the top of the stack (the last value pushed)
  EIP    - Instruction Pointer, points to the next instruction to execute
  EFLAGS - status flags describing the result of the latest operation
  CS     - Code Segment selector, locates the code segment
  DS     - Data Segment selector, locates the data segment
  SS     - Stack Segment selector, locates the stack segment
  ES     - Extra Segment selector, locates the extra segment
Segmentation (slide figure): memory is drawn from LOW to HIGH in segments of size 0x100 starting at 0x100, 0x200, 0x300 and 0x400, one each for ES, SS, DS and CS. ESP and EBP address the stack segment (SS), EIP addresses the code segment (CS), and the general-purpose and index registers (EDX, EBX, ESI, EDI) address data in DS and ES.
Buffer Overflow Basics: stack operations

The stack grows towards lower addresses (the slide draws addresses 0 to 56, HIGH at the top). ESP always points at the last value pushed.

  PUSH - subtract 4 from ESP, then store the value at the address ESP now holds
  POP  - load the value at [ESP], then add 4 to ESP

Trace reconstructed from the slide (EBP stays at 36, ESP starts at 36, values in hex):

  OPER      EBP  ESP  stack contents (address: value)
  start     36   36   (empty)
  PUSH 1A   36   32   32: 1A
  PUSH CF   36   28   28: CF  32: 1A
  PUSH 09   36   24   24: 09  28: CF  32: 1A
  POP       36   28   28: CF  32: 1A            (09 read; the slot is now free)
  PUSH AC   36   24   24: AC  28: CF  32: 1A    (overwrites the stale 09)
Function Calls and Stack

Each call pushes a new frame below the caller's (towards LOW addresses); each return pops it again. The slide's sequence, with frames listed from HIGH to LOW:

  1. main()
  2. main() -> fun1()
  3. main() -> fun1() -> fun2()
  4. main() -> fun1()              (fun2() returned)
  5. main()                        (fun1() returned)
Stack Organization for Function Calls

    int fun (int arg1, int arg2) {
        int lvar1 = arg1 + arg2;
        return lvar1;
    }

    int main () {
        int local_var1;
        local_var1 = fun (1, 2);    /* arg1 = 1, arg2 = 2 */
        return local_var1;
    }

Frame layout while fun() runs (the slide's addresses 0 to 56, HIGH at the top, stack growing towards LOW):

  main's frame:              local_var1
  pushed by main:            arg2, then arg1 (arguments are pushed right to left, so arg1 ends up at the lower address)
  pushed by CALL:            RETN ADDR (address of the instruction after the call)
  pushed by fun's prologue:  OLD EBP (main's frame pointer); EBP now points here
  fun's locals:              lvar1; ESP points at the top of this frame
Stack Organization for Function Calls (worked example)

    int add (int a, int b) {
        int c = a + b;
        return c;
    }

    int main () {
        int x = 18;
        add (3, 6);
        return 0;
    }

Frame contents while add() runs, reconstructed from the slide (its small decimal addresses, HIGH at the top):

  48:  main's EBP points here
  44:  x = 18          main's local
  40:  6               second argument, pushed first
  36:  3               first argument, pushed second
  32:  RA = 999        return address pushed by CALL
  28:  OLD EBP = 48    saved by add's prologue; add's EBP = 28
  24:  c = 9           add's local; ESP = 24

Buffer Overflow Example

    #include <string.h>

    void vuln (char *argv) {
        char buf[80];
        int a = 9;
        strcpy (buf, argv);     /* no length check: the bug */
    }

    int main (int argc, char **argv) {
        int x = 6;
        if (argc < 2)
            return 1;
        vuln (argv[1]);
        return 0;
    }

Frame layout as the slides draw it (decimal addresses, HIGH at the top):

  212:      x = 6          main's local
  208:      argv[1]        argument passed to vuln()
  204:      RETN ADDR      pushed by CALL
  200:      OLD EBP        pushed by vuln's prologue; vuln's EBP = 200
  120-199:  buf[80]        filled upwards, from 120, by strcpy()
  104-116:  a = 9 and the rest of vuln's frame; ESP = 104

Inputs tried (Python 2 syntax, as on the slides):

  python -c 'print "A"*80'   buf is exactly full, but strcpy() still writes its terminating NUL one byte past the end, into the low byte of OLD EBP
  python -c 'print "A"*84'   OLD EBP is overwritten with 0x41414141 ("AAAA"); the NUL lands on the low byte of RETN ADDR
  python -c 'print "A"*88'   RETN ADDR is overwritten with 0x41414141

These offsets hold for the layout on the slides. A real compiler may order locals differently, add alignment padding or insert a stack canary between buf and the saved registers, so the distance from buf to the return address has to be measured in a debugger rather than assumed.
So, you can overflow a buffer... now what? The sky is the limit! Well, not really :) Let's dig deeper and see exactly what the scope of such a vulnerability is.
What happens at return: the RTN ADDR slot now holds 0x41414141. When vuln() executes RET, that value is popped into EIP, the CPU tries to fetch its next instruction from 0x41414141, which is not a mapped address, and the process is killed with SIGSEGV. GAME OVER!
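An added example, not part of the slides: a C model of the vuln() frame from the Buffer Overflow Example slides, laid out in the order the "Stack Organization for Function Calls" slides establish (buffer, OLD EBP, RETN ADDR, then the caller's data). It reproduces the 80/84/88-byte inputs deterministically instead of crashing, appends a return address in x86 byte order the way an exploit payload would, and contrasts the strcpy() with a bounded copy that rejects the input. OLD EBP=48 and RA=999 are the slides' values; the argument-slot value 0x11223344 and the target address 0x08048ABC are constructed placeholders, and the model assumes a little-endian host.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 80

/* Model of vuln()'s frame as the slides draw it: buf at the lowest address,
 * then the saved EBP and the return address pushed by the prologue and by
 * CALL, then the caller's data. Struct members are laid out in declaration
 * order, so an overrun of buf runs upwards through these fields exactly as
 * it does on the stack. */
struct vuln_frame {
    char     buf[BUF_SIZE];
    uint32_t saved_ebp;   /* OLD EBP */
    uint32_t ret_addr;    /* RETN ADDR */
    uint32_t caller_arg;  /* vuln's argument slot, just above the return address */
    uint32_t caller_x;    /* int x = 6 in main */
};

/* OLD EBP=48 and RA=999 from the slides; 0x11223344 is a constructed
 * pointer-like value standing in for argv[1]. */
void frame_init(struct vuln_frame *f)
{
    memset(f, 0, sizeof *f);
    f->saved_ebp  = 48;
    f->ret_addr   = 999;
    f->caller_arg = 0x11223344u;
    f->caller_x   = 6;
}

/* The bug: strcpy(buf, argv) semantics, copying up to and including the NUL
 * with no bound. Writing through a pointer to the whole frame (buf sits at
 * offset 0) keeps the model well-defined C while reproducing the overwrite. */
void strcpy_into_frame(struct vuln_frame *f, const char *src)
{
    unsigned char *d = (unsigned char *)f;
    size_t i = 0;
    do {
        d[i] = (unsigned char)src[i];
    } while (src[i++] != '\0');
}

/* Build the python -c 'print "A"*n' input, optionally followed by a return
 * address stored low byte first, as x86 expects it in memory.
 * Returns 0, or -1 if the payload plus its NUL does not fit in out. */
int build_payload(char *out, size_t out_size, size_t n_pad, const uint32_t *ret)
{
    size_t len = n_pad + (ret ? 4 : 0);
    if (len + 1 > out_size)
        return -1;
    memset(out, 'A', n_pad);
    if (ret)
        for (int k = 0; k < 4; k++)
            out[n_pad + k] = (char)((*ret >> (8 * k)) & 0xffu);
    out[len] = '\0';
    return 0;
}

/* Run one input against a fresh frame. Returns -1 if the payload would run
 * past the modelled frame (that would corrupt the real stack instead). */
int overflow_with(struct vuln_frame *f, size_t n_pad, const uint32_t *ret)
{
    char payload[sizeof *f];
    frame_init(f);
    if (build_payload(payload, sizeof payload, n_pad, ret) != 0)
        return -1;
    strcpy_into_frame(f, payload);
    return 0;
}

/* Hardened replacement for the strcpy: refuse input that does not fit
 * together with its terminator. Returns 0 on success, -1 if rejected. */
int bounded_copy(struct vuln_frame *f, const char *src)
{
    size_t n = 0;
    while (n < BUF_SIZE && src[n] != '\0')
        n++;
    if (n == BUF_SIZE)          /* no room left for the NUL */
        return -1;
    memcpy(f->buf, src, n + 1);
    return 0;
}

int main(void)
{
    struct vuln_frame f;
    size_t cases[] = { 80, 84, 88 };
    for (size_t i = 0; i < 3; i++) {
        overflow_with(&f, cases[i], NULL);
        printf("%zu x 'A': saved_ebp=0x%08x ret_addr=0x%08x caller_arg=0x%08x\n",
               cases[i], (unsigned)f.saved_ebp, (unsigned)f.ret_addr,
               (unsigned)f.caller_arg);
    }
    return 0;
}
```

The 80-byte case is the one people miss: the buffer is "full" and yet a byte of OLD EBP is already gone, because strcpy() always writes the terminator. The same off-by-one shows up again after the return address, where the NUL clips the slot above it, which is why a real payload is usually sized so that the terminator lands somewhere harmless. Against a real binary the distances have to be measured: compilers reorder locals, add padding and, unless built with -fno-stack-protector, place a canary between buf and the saved registers.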
Finally, it's time to witness some live action!

That's all, folks! Ready with your questions? Start firing them now.