
15-213 Recitation: Attack Lab
Jenna Mac 5: 28 Sep 2015


■ Bomb lab is due tomorrow!
■ Attack lab is released tomorrow!!

■ Stack review
■ Attack lab overview
■ Phases 1-3: Buffer overflow attacks
■ Phases 4-5: ROP attacks

x86-64: Register Conventions
■ Arguments passed in registers:
%rdi, %rsi, %rdx, %rcx, %r8, %r9
■ Return value: %rax
■ Callee-saved: %rbx, %r12, %r13, %r14,
%rbp, %rsp
■ Caller-saved: %rdi, %rsi, %rdx, %rcx,
%r8, %r9, %rax, %r10, %r11
■ Stack pointer: %rsp
■ Instruction pointer: %rip

x86-64: The Stack
■ Grows downward towards lower memory addresses
■ %rsp points to top of stack
■ push %reg: subtract 8 from %rsp, put the value in %reg at (%rsp)
■ pop %reg: put the value at (%rsp) in %reg, add 8 to %rsp
(Stack diagram: top of the address space at 0x7fffffffffff; the stack grows toward lower addresses.)

x86-64: Stack Frames
■ Every function call has its own stack frame.
■ Think of a frame as a workspace for each call.
■ Local variables
■ Callee- and caller-saved registers
■ Optional arguments for a function call

x86-64: Function Call Setup
■ Allocate a stack frame large enough for saved registers and optional arguments
■ Save any caller-saved registers in the frame
■ Save any optional arguments (in reverse order) in the frame
■ call foo: push %rip to the stack, jump to label foo
■ Push any callee-saved registers, decrease %rsp to make room for the new frame

x86-64: Function Call Return
■ Increase %rsp, pop any callee-saved registers (in reverse order), execute ret: pop %rip

Attack Lab Overview: Phases 1-3
■ Exploit x86-64 by overwriting the stack
■ Overflow a buffer, overwrite return address
■ Execute injected code
Key Advice
■ Brush up on your x86-64 conventions!
■ Use objdump -d to determine relevant offsets
■ Use GDB to determine stack addresses

Buffer Overflows
■ Exploit strcpy vulnerability to overwrite important info on stack
(Stack diagram: buf filled with 0xFFFFFFFF filler bytes; the slot labelled "Old Return address" is overwritten with 0xAABBCCDD.)
■ When this function returns, where will it begin executing?
ret: pop %rip
■ What if we want to inject new code to execute?

Demonstration: Generating Byte Codes
■ Use gcc and objdump to generate byte codes for assembly instruction sequences

Attack Lab Overview: Phases 4-5
■ Utilize return-oriented programming to execute
arbitrary code
■ Useful when stack is non-executable or
randomized
■ Find gadgets, string together to form injected code
Key Advice
■ Use mixture of pop & mov instructions + constants to
perform specific task

ROP Example
■ Draw a stack diagram and ROP exploit to pop a value 0xBBBBBBBB into %rbx and move it into %rax
address1: mov %rbx, %rax; ret
address2: pop %rbx; ret
Inspired by content created by Professor David Brumley

    #include <string.h>

    void foo(char *input) {
        char buf[32];
        strcpy(buf, input);   /* no bounds check: input longer than 31 bytes overwrites the rest of the frame */
        return;
    }

ROP Example: Solution
Address 1: mov %rbx, %rax; ret
Address 2: pop %rbx; ret
Stack diagram, from buf upward (low to high addresses):
■ 0xFFFFFFFF 0xFFFFFFFF ... (filler, the 32 bytes of buf)
■ Old return address, overwritten with Address 2 (pop %rbx; ret)
■ 0xBBBBBBBB (popped into %rbx)
■ Address 1 (mov %rbx, %rax; ret)
■ Next address in ROP chain…
(foo() is the same function as in the previous slide.)

ROP Demonstration: Looking for Gadgets
■ How to identify useful gadgets in your code

■ objdump -d
  ■ View byte code and assembly instructions, determine stack offsets
■ ./hex2raw
  ■ Pass raw ASCII strings to targets
■ gdb
  ■ Step through execution, determine stack addresses
■ gcc
  ■ Generate an object file from an assembly language file

■ Draw stack diagrams
■ Be careful of byte ordering (little endian)
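The ROP solution above and the little-endian warning, as an added Python example that is not part of the recitation or the lab: it lays out foo()'s frame as 8-byte words, decodes the bytes back into a stack diagram so each slot can be checked, and reports where a strcpy-based copy would stop at the first NUL byte. The two gadget addresses are constructed placeholders, not addresses from any lab binary.

```python
import struct

# Constructed placeholder gadget addresses (the slide calls them address1/address2).
ADDR1_MOV_RBX_RAX = 0x401AA0   # mov %rbx, %rax ; ret
ADDR2_POP_RBX = 0x401AB3       # pop %rbx ; ret
BUF_SIZE = 32                  # char buf[32] in foo()
FILLER = 0xFFFFFFFFFFFFFFFF    # the 0xFFFFFFFF filler from the slide


def build_frame(chain, buf_size=BUF_SIZE, filler=FILLER):
    """Bytes that fill buf and then the words above it: buf_size bytes of
    filler, then each chain entry as a little-endian 8-byte word.  The first
    chain entry lands on the saved return address."""
    if buf_size % 8:
        raise ValueError("buffer size must be a multiple of 8 for this diagram")
    words = [filler] * (buf_size // 8) + list(chain)
    return b"".join(struct.pack("<Q", w) for w in words)  # "<Q" = little-endian


def decode_frame(data, buf_size=BUF_SIZE):
    """Read the bytes back as the stack diagram, low to high address:
    (offset from buf, 64-bit word, label).  Comparing the decoded words with
    the intended addresses catches byte-order mistakes."""
    if len(data) % 8:
        raise ValueError("frame must be whole 8-byte words")
    rows = []
    for off in range(0, len(data), 8):
        (word,) = struct.unpack("<Q", data[off:off + 8])
        if off < buf_size:
            label = "buf (filler)"
        elif off == buf_size:
            label = "saved return address"
        else:
            label = "ROP chain"
        rows.append((off, word, label))
    return rows


def strcpy_stops_at(data):
    """Offset of the first NUL byte, or None.  strcpy() copies up to and
    including that byte, so words after it never reach the stack; canonical
    x86-64 addresses have zero high bytes, which is why this matters."""
    idx = data.find(b"\x00")
    return None if idx < 0 else idx
```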

Questions?
