Kitaab

HackingArtOfExploitation

1970-01-01 00:00

=### exploits =

Buffer Overflow

A buffer overflow happens when you place data into a variable that is larger than the memory that was allocated for the data. This leads to whatever was next in the memory being overwritten, possibly for malicious purposes.

memory

a program is made up of 5 segments, they are ordered in this way:

  • text -> code, fixed size
  • data -> global and static variables, fixed size
  • bss -> uninitialized variables, fixed size
  • heap -> stores whatever the programmer wants, variable size, grows downwards towards the stack
  • stack -> temporary scratch pad, variable size, grows upwards towards the heap

the stack is built of stack frames. the EBP also known as FP (frame pointer) refers to local function variables in the current stack frame. each frame contains context for the current function, and two pointers; the SFP (saved frame pointer) and return address. These pointers help put things back together. The SFP returns the EBP to it's previous value, and the return address changes the EIP to it's old value.

storing memory on the heap requires the system call 'malloc()'. it takes a single argument (size) and returns a void pointer to the address. in case it fails to allocate the memory, it will return a null pointer (0x0), so error checking is required! deallocating it is done through 'heap()', it takes a single argument (pointer) and frees that address

c lang

pointers -> are memory address that point to other memory addresses address of (&) -> takes a variable and tells you the memory location of it dereference (*) -> takes a pointer and tells you the value of the address it is pointing to

various format strings require either a variable or a pointer; be careful! %s -> string, needs a pointer %p -> pointer, short hand for 0x%08x (0x<0 padded 8 hexadecimal>), obviously for a pointer %d -> decimal, needs a variable etc...

scanf uses format strings to take input, but requires a pointer! (check input.c)

you can also take input through command line arguments: ./ this is a test int main(int argc, char *argv[]) { ... these are passed as strings (which are themselves just pointers) to the argv variable. argc holds the number of command line arguments passed ! warning ! if you try to access a command line argument that wasn't passed, you'll segmentation fault.

seg fault: when you try to access a memory segment that is outside the memory allocated to your program A good way to debug these is with gdb, because you can see which line tried to access which memory address that lead to the seg fault (for example, check the memory that is stored in argv, they're all pointers to other memory address)

scoping: be default all variables declared in a function are local to that function. a global variable must be defined outside of any function. if there is a clash, preference is given to local variables.

static: static variables will retain their value outside their scope and are only initiliazed once.

gdb

list -> show source code if compiled with -g command in gcc disassemble main (disass main) -> fairly obvious break main -> set break point to main run -> execute to break point info register -> show details of the register i r -> short hand for the above x/o -> examine the register displaying in octal nexti -> next instruction bt -> backtrace, print the stack trace bt full -> backtrace with all the stack frames printed too (shows variables)

gdb examine command

format letters for the examine (x) command: o: octal x: hexadecimal u: unsigned base-10 decimal t: binary i: instruction c: character s: string d: integer(?) &: address of -> returns the address of the variable rather than the variable itself *: dereference -> take the value of the pointer rather than the address it is pointing to

registers can be referenced using $ as listed below (the below is listed in the books intel flavor, my gdb uses a different intel flavour)

we can also choose to show more data around the register we are examining by adding a number before the format like so: x/12x

opening with gdb

compile: gcc -g -o .c run: gdb -q ./

Register names

EBP -> base pointer ESP -> stack pointer ESI -> source index EDI -> destination index EIP -> instruction pointer General purpose registers include EAX, ECX, EDX, EBX. Accumulator, Counter, Data and Base respectively