hlogin2

0x02. Stack Corruption

off-limit Kernel Stack libc Heap BSS Data Code

off-limit Kernel Kernel : OS Stack libc Heap BSS Data Code Stack : libc : Heap : BSS, Data : bss Code :

off-limit Kernel Kernel : OS Stack libc Heap BSS Data Code Stack : libc : Heap : BSS, Data : bss Code :

* 1.. 2.. Stack libc Heap

Stack Corruption

ret2 0xbffffa26 parameter buf[] sfp ret parameter 0xbffff4c0.

ret2 0xbffffa26 parameter buf[] sfp ret parameter Saved Frame Pointer : EBP Return EBP SFP 0xbffff4c0.

ret2 0xbffffa26 parameter buf[] sfp ret parameter Saved Frame Pointer : EBP Return EBP SFP 0xbffff4c0.

Basic Stack corruption buf[20] sfp[4] ret[4] parameter 20byte 1234 4 byte 4 byte 4 byte 4 byte scanf( %s, buf); input buf = 1234

Basic Stack corruption sfp[4] ret[4] buf[20] ABCD HEHE parameter eip = 0x45484548 1234 1234 1234 1234 1234 scanf( %s, buf); input buf = 1234 * 5 + ABCD + HEHE buffer overflow

DEMO

Big Endian IBM SPARC Motorola Little Endian Intel x86 AMD DEC CPU Big Endian, Littie Endian, Big Endian, Little Endian.

Push EBP Mov EBP, ESP

Push EBP Mov EBP, ESP Stack Frame

Push EBP Mov EBP, ESP Stack Frame Stack Frame

Mov ESP, EBP Pop EBP

Mov ESP, EBP Pop EBP Stack pointer Caller function stack frame

Mov ESP, EBP Pop EBP Stack pointer Caller function stack frame EBP

Leave Mov ESP, EBP Pop EBP Ret Pop EIP Jmp EIP

cdecl stdcall fastcall

EIP Extend instruction pointer. EBP Extend Base pointer. ESP Extend Stack pointer.

A BB TEST BB ESP BB ESP A A A ESP PUSH A PUSH BB POP TEST Stack TEST = BB

ESP EBP push EBP call Function() Mov ebx, eax

ESP EBP push EBP call Function() Mov ebx, eax Push EBP Mov EBP, ESP

EBP push EBP call Function() - 4 ESP Mov ebx, eax Push EBP Mov EBP, ESP

EBP push EBP call Function() - 4 ESP Mov ebx, eax Push EBP Mov EBP, ESP Push A

EBP push EBP call Function() - 4 A Mov ebx, eax - 4 ESP Push EBP Mov EBP, ESP Push A

EBP push EBP call Function() - 4 A Mov ebx, eax - 4 ESP Push EBP Mov EBP, ESP Push A Push B Push 1234

EBP push EBP call Function() - 4 A Mov ebx, eax - 4-4 ESP B 1234 Push EBP Mov EBP, ESP Push A Push B Push 1234

EBP push EBP call Function() - 4 A Mov ebx, eax - 4-4 ESP B 1234 Push EBP Mov EBP, ESP Pop eax Push A Push B Push 1234

EBP push EBP call Function() - 4 A Mov ebx, eax + 4-4 - 4 ESP B 1234 Push EBP Mov EBP, ESP eax = 1234 Pop eax Push A Push B Push 1234

EBP push EBP call Function() - 4 ESP A Mov ebx, eax + 4 + 4-4 - 4 B 1234 Push EBP Mov EBP, ESP eax = 1234 Pop eax Pop ebx Push A Push B Push 1234

EBP push EBP call Function() - 4 ESP A Mov ebx, eax + 4 + 4-4 - 4 B 1234 Push EBP Mov EBP, ESP eax = 1234 ebx = B Pop eax Pop ebx Push A Push B Push 1234

ESP EBP push EBP call Function() + 4-4 A Mov ebx, eax + 4 + 4-4 - 4 B 1234 Push EBP Mov EBP, ESP eax = 1234 ebx = B ecx = A Pop eax Pop ebx Pop ecx Push A Push B Push 1234

EAX Extend Accumulator,. EBX Extend Base index. ECX Extend Counter,. EDX Extend Data, Eax. ESI / EDI Extend Source, Extend Destination cpu 32bit

.

1 Mov Eax, Ebx == Eax = Ebx 2 Add Eax, 1 == Eax = Eax + 1

.

gdb gdb -q [binary] gdb (?). run (r). continue (c). quit (q). disassemble (disas) [ ]

gdb info function break reg info break, delete (del) delete [number] (del [number])

gdb break (b) function. skip. b* function.. b* [address] break.

gdb stepi (si).. nexti (ni).,.

gdb print [function] (p) p $reg p/[ ] [ ] d x 10 16

gdb x/[ ][ ][ ] [ ] x/[ ]i [address] x/[ ]s [address] x/[ ]wx [address] 16 4byte

gdb set {type}[address] ex) set {int}0x8048300 = 100 set $[reg] ex) set $eip = 0x41414141

gdb set disassembly-flavor intel set disassembly-flavor att at&t

gdb set follow-fork-mode child gdb. set follow-exec-mode new exec gdb.

gdb finish u disas [address] [address]

DEP (Data Execution Prevention) ASLR (Address Space Layout Randomization) Stack Canary == SSP (Stack Smashing Protector) Ascii Armor