Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Software Exploitation Techniques by Amit Malik
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
15.
16.
17.
18.
19.
20.
21.
22.
23.
Hinweis der Redaktion
The first three instructions (123,124,125) are known as prologue. And last three instructions(127,128,129) are know as epologue. When main call the the sum it push the address of next instruction on stack..means 127 on stack and then create its stack. See next slides.
Here main is preparing its stack. EBP (base pointer) register is used to track the variables. So we need to push parent function ebp on the stack so that when function return to parent function it can start normally.
The instruction mov ebp,esp setting the stack for main(or setting the ebp for main to track variables). And sub esp, val is creating the space for local variables of main function. Although in e.g. we have no local variable but this is for illustrative purpose. NOTE: As we can see in the above pic that stack grows downward (from higher memory address to lower memory address) means something [ebp+val] point to parameters for function (can be pass by value or pass by reference) and everything [ebp-val] point to the local variable for that function. *val- can be any value in hex..like 3,4,a,b etc. etc. Note: ret (startup) address is the address of next instruction in startup function. Explanation of startup function is beyond the scope of this presentation. But main function return 0 or 1 to startup function. Means process successfully completed or error.
Now main is calling sum. The first task is to push the address of next instruction means address 127 on stack. So that when function sum return it returns to 127 so that program execution continue in a normal way. Please note that no (another) instruction is required to push ret(127) on stack because call sum will do it for us.. Similar to like main, sum will creates its stack with similar instructions and also destroy stack its stack with similar instructions (127,128,129). Note: The instructions to create stack and destroy stack.. may vary with compiler to complier and are the issues of compiler optimization..for eg. Some compilers user push reg. instead of sub esp,val for integers.
I think it should be clear now. Note that I am showing you jmp esp (this can be call esp, push esp,ret – all have same meaning). this should be the address because EIP only understand addresses. Visit previous slides for better clarification.
Note that [eba+8] and [ebp+c] are the parameter for this function. (visit previous slides for more clarification). Rep movs instruction cause problem because it copy the data from [esi] to [edi] with ecx as a counter. During analysis I found that value of ecx can be maximum 41. multiply it with 4 and then we have 104 bytes..(260 bytes in dec.) and that is enough to overwrite saved EIP. Do some debugging you can easily understand it.
Calculate offset for EIP means after how many bytes saved EIP overwrite takes place. We can calculate it with metasploit pattern create and pattern offset scripts. but we have very limited space on the stack. So check other registers.. And ecx is pointing to our buffer but not directaly.
Ok what we do.. We first use stack limited space to increase ecx and to jump to ecx. But first we need to jump to esp. because EIP only accept address so we can’t use instruction like jmp esp. we need to have to find out the address. We search the address in dll.
And on stack add instructions that will increase the ecx. And jump to ecx.
The 152 etc is in Hex. In decimal it is 152 338. ok.