Cartes-fiches

Cartes-fiches 9 Cartes-fiches
Utilisateurs 0 Utilisateurs
Sprache English
Niveau Université
Crée / Actualisé 21.06.2019 / 21.06.2019
Attribution de licence Non précisé
Lien de web
Intégrer
0 Réponses exactes 9 Réponses textes 0 Réponses à choix multiple
Fermer la fenêtre
Attribution de licence: Non précisé

-

Fermer la fenêtre

What is needed to create a buffer overflow exploit?

  • The Shellcode
  • The distance to SIP (stored instruction pointer)
  • The address of the shellcode (in memory of the process)
Fermer la fenêtre

What makes the creation of an overflow exploit possible?

Program execution is HIGHLY perdictable/deterministic

  • which is kind of suprising

Stack, Heap, Code all start at the same address

Same functions get called in the same order

  • And allocate the same sized buffers

Error/Overfloww in function X, every time has:

  • Same call stack
  • Same variables
  • Same registers
Fermer la fenêtre

How can we find the address of buffer with the shellcode?

Debug the program.

Fermer la fenêtre
Attribution de licence: Non précisé

What is the offset?

Offset:

  • distance between start of buffer (firstname)
  • Till SIP (Stored instruction pointer)

What is the stuff:

  • Other local variables (isAdmin)
  • SBP (Stored Base Pointer)
  • Padding
Fermer la fenêtre

How can you get the distance from your buffer to the SIP (Stored Instruction Pointer)?

How to get the distance to the SIP (Stored Instruction Pointer):

  1. Create overflow string
  2. Run the program in gdb (gnu debugger) with the string as an argument
  3. Check if RIP is modified (segmentation faultt?)
  4. If no crash:
    1. Increase overflow string length
    2. Goto 2
  5. If crash:
    1. Check if RIP is based on overflow string
    2. Check at which location in the string RIP is
    3. Modify overflow string at that location

RIP (64 bit) = EIP (32 bit)

Fermer la fenêtre

How is the data that is written into the buffer structured to execute our shellcode?

Attribution de licence: Non précisé
  • Fill buffer_len with NOP 
    • | NOP NOP |
    • exploit = "\x90" * (buf_size -len(shellcode))          "\x90" = NOP
  • add shellcode
    • | NOP NOP | shellcode |
    • exploit += shellcode
  • Fill with garbage till we reach the SIP
    • | NOP NOP | shellcode | fill |
    • exploit += "A" * (offset -len(exploit))
  • Last: put in the return address
    • | NOP NOP | shellcode | fill | ret_addr |
    • exploit += ret_addr

 

Fermer la fenêtre

What is a nop sled and what is it good for?

Attribution de licence: Non précisé

NOP Sled:

  • NOP = No Operation "0x90" on 32 bit

"A set of instructions which ultimately do not affect code execution. 
Does nothing except incrementing EIP"

 

The NOP sled is usefull so the SIP does not have to point EXACTLY at the beginning of the shellcode
just somewhere in the NOP sled.