Syssec 10K Basic BO

Part IThe Basic Ideasoftware sequence of instructions in memory logically divided in functions that call each other function IE calls function getURL to read the corresponding page in CPU, the program counter contains the address in memory of the next instruction to execute normally this is the next address (instruction 100 is followed by instruction 101, etc) not so with function call200201202203204100101102103IEgetURL104call getURLreturn resultsoftware sequence of instructions in memory logically divided in functions that call each other function IE calls function getURL to read the corresponding page in CPU, the program counter contains the address in memory of the next instruction to execute normally this is the next address (instruction 100 is followed by instruction 101, etc) not so with function callreturn resultcall getURL200201202203204100101102103104PCPCPCPCPCPCPCPCPCPCIEgetURL10201021102210231024software so how does our CPU know where to return? it keeps administration on a stack200201202203204100101102103104stackPCPCcall getURLreturn result103PCPCPCPCPCPCPCIEgetURLreal functions variablesgetURL (){char buf[10]; read(keyboard,buf,64);get_webpage (buf);}IE (){getURL ();}real functions variablesgetURL (){char buf[10]; read(keyboard,buf,64);get_webpage (buf);}IE (){getURL ();}call read200201202203100101102103IEgetURL104call getURLreturn resultreal functions variablescall read200201202203100101102103IEgetURL104call getURLreturn resultgetURL (){char buf[10]; read(keyboard,buf,64);get_webpage (buf);}IE (){getURL ();}stack103102210231024101910211020old FP101810171016101510141013101210111010real functions variablescall read200201202203100101102103IEgetURL104call getURLreturn resultgetURL (){char buf[10]; read(keyboard,buf,64);get_webpage (buf);}IE (){getURL ();}stack103102210231024101910211020old FP101810171016101510141013101210111010real functions variables old FPcall read200201202203100101102103IE104call getURLreturn resultstack1031022102310241019102110201018buf10171016101510141013101210111010getURL (){char buf[10]; read(keyboard,buf,64);get_webpage (buf);}IE (){getURL ();}100910081007getURL300301302303 returnreadreal functions variablescall read200201202203100101102103IE104call getURLreturn resultstack1031022102310241019102110201018101710161015getURL (){char buf[10]; read(keyboard,buf,64);get_webpage (buf);}IE (){getURL ();}1014101310121011101064(buf)fdold FP100910081007bufgetURLstack300301302303 returnreadreal functions variablescall read200201202203100101102103IE104call getURLreturn resultstack1031022102310241019102110201018101710161015getURL (){char buf[10]; read(keyboard,buf,64);get_webpage (buf);}IE (){getURL ();}10141013101210111010old FP10091008100764(buf)fdbufgetURL202300301302303 returnreadreal functions variablescall read200201202203100101102103IE104call getURLreturn resultstack1031022102310241019102110201018101710161015getURL (){char buf[10]; read(keyboard,buf,64);get_webpage (buf);}IE (){getURL ();}10141013101210111010old FP202102310091008100764(buf)fdgetURL300301302303 returnreadreal functions variablescall read200201202203100101102103IE104call getURLreturn resultstack1031022102310241019102110201018101710161015getURL (){char buf[10]; read(keyboard,buf,64);get_webpage (buf);}IE (){getURL ();}10141013101210111010old FP202102310091008100764(buf)fdgetURL300301302303 returnreadreal functions variablescall read200201202203100101102103IE104call getURLreturn resultstack1031022102310241019102110201018101710161015getURL (){char buf[10]; read(keyboard,buf,64);get_webpage (buf);}IE (){getURL ();}10141013101210111010old FP202102310091008100764(buf)fdgetURL300301302303 returnreadreal functions variablescall read200201202203100101102103IE104call getURLreturn resultstack1031022102310241019102110201018101710161015getURL (){char buf[10]; read(keyboard,buf,64);get_webpage (buf);}IE (){getURL ();}10141013101210111010old FP202102310091008100764(buf)fdgetURL300301302303 returnreadreal functions variablescall read200201202203100101102103IE104call getURLreturn resultstack1031022102310241019102110201018101710161015getURL (){char buf[10]; read(keyboard,buf,64);get_webpage (buf);}IE (){getURL ();}10141013101210111010old FP202102310091008100764(buf)fdgetURL300301302303 returnreadreal functions variablescall read200201202203100101102103IE104call getURLreturn resultstack1031022102310241019102110201018101710161015getURL (){char buf[10]; read(keyboard,buf,64);get_webpage (buf);}IE (){getURL ();}10141013101210111010old FP202102310091008100764(buf)fdgetURL300301302303 returnreadWhere is the vulnerability?Exploit1031022102310241019102110201018buf10171016101510141013101210111010getURL (){char buf[10]; read(keyboard, buf, 64);get_webpage (buf);}IE (){getURL ();}1013You may also overwrite other things For instance: Other variables that are also on the stack Other addresses Etc.Memory CorruptionFinal words Part I We have sketched only the most common memory corruption attack many variations, e.g.: heap stack more complex overflows off-by-one But there are others also integer overflows format string attacks double free etc. Not now, perhaps later*different kinds

Syssec 10K Basic BO

Documents

Transcript of Syssec 10K Basic BO