Lernkarten

Karten 9 Karten
Lernende 0 Lernende
Sprache English
Stufe Universität
Erstellt / Aktualisiert 21.06.2019 / 21.06.2019
Lizenzierung Keine Angabe
Weblink
Einbinden
0 Exakte Antworten 9 Text Antworten 0 Multiple Choice Antworten
Fenster schliessen
Lizenzierung: Keine Angabe

-

Fenster schliessen

What is needed to create a buffer overflow exploit?

  • The Shellcode
  • The distance to SIP (stored instruction pointer)
  • The address of the shellcode (in memory of the process)
Fenster schliessen

What makes the creation of an overflow exploit possible?

Program execution is HIGHLY perdictable/deterministic

  • which is kind of suprising

Stack, Heap, Code all start at the same address

Same functions get called in the same order

  • And allocate the same sized buffers

Error/Overfloww in function X, every time has:

  • Same call stack
  • Same variables
  • Same registers
Fenster schliessen

How can we find the address of buffer with the shellcode?

Debug the program.

Fenster schliessen
Lizenzierung: Keine Angabe

What is the offset?

Offset:

  • distance between start of buffer (firstname)
  • Till SIP (Stored instruction pointer)

What is the stuff:

  • Other local variables (isAdmin)
  • SBP (Stored Base Pointer)
  • Padding
Fenster schliessen

How can you get the distance from your buffer to the SIP (Stored Instruction Pointer)?

How to get the distance to the SIP (Stored Instruction Pointer):

  1. Create overflow string
  2. Run the program in gdb (gnu debugger) with the string as an argument
  3. Check if RIP is modified (segmentation faultt?)
  4. If no crash:
    1. Increase overflow string length
    2. Goto 2
  5. If crash:
    1. Check if RIP is based on overflow string
    2. Check at which location in the string RIP is
    3. Modify overflow string at that location

RIP (64 bit) = EIP (32 bit)

Fenster schliessen

How is the data that is written into the buffer structured to execute our shellcode?

Lizenzierung: Keine Angabe
  • Fill buffer_len with NOP 
    • | NOP NOP |
    • exploit = "\x90" * (buf_size -len(shellcode))          "\x90" = NOP
  • add shellcode
    • | NOP NOP | shellcode |
    • exploit += shellcode
  • Fill with garbage till we reach the SIP
    • | NOP NOP | shellcode | fill |
    • exploit += "A" * (offset -len(exploit))
  • Last: put in the return address
    • | NOP NOP | shellcode | fill | ret_addr |
    • exploit += ret_addr

 

Fenster schliessen

What is a nop sled and what is it good for?

Lizenzierung: Keine Angabe

NOP Sled:

  • NOP = No Operation "0x90" on 32 bit

"A set of instructions which ultimately do not affect code execution. 
Does nothing except incrementing EIP"

 

The NOP sled is usefull so the SIP does not have to point EXACTLY at the beginning of the shellcode
just somewhere in the NOP sled.