C Arrays and Pointers - exploit.courses
Tel +41 55 214 41 60, Fax +41 55 214 41 61, team@csnc.ch, www.csnc.ch
Compass Security Schweiz AG, Werkstrasse 20, Postfach 2038, CH-8645 Jona
C Arrays and Pointers
Content
Intel Architecture
Shellcode
Buffer Overflow
BoF Exploit
Debugging
Memory Layout
Remote Exploit
Exploit Mitigations
Defeat Exploit Mitigations
Function Calls
C Arrays
Assembler
C Arrays & Pointers
C Arrays & Pointers
Valid C code:
int array[5] = {1, 2, 3, 4, 5};
array[0] = 0;
array[4] = 0;
array[5] = 0;
array[-1] = 0;
array[100] = 0;
printf("%i", array[1024]);
"Valid"! The compiler accepts every line, including the out-of-bounds accesses.
C Arrays & Pointers
Valid C code:
int array[5] = {1, 2, 3, 4, 5};
int *a = array;
a += 100;
*a = 0;
array = a = 0x1000
&array[2] = 0x1000 + 2 * 4 = 0x1008
&array[100] = 0x1000 + 100 * 4 = 0x1190
(int is 32 bit = 4 bytes)
C Arrays & Pointers
Valid C code:
int array[5] = {1, 2, 3, 4, 5};
int *a = array;
*array = *a = 1
1 2 3 4 5
C Arrays & Pointers
Valid C code:
int array[5] = {1, 2, 3, 4, 5};
int *a = &array[5];
array[5] = *a = ?
1 2 3 4 5
C Arrays & Pointers
Other C code:
int a = 42;
int *b = &a;
printf("%i", a); // 42
printf("%i", *b); // 42
b++;
printf("%i", *b); // ??
C Arrays & Pointers
Other C code:
int a = 42;
int *b = &a;
printf("%i", a);           // 42
printf("%p", (void *)&a);  // 0x1000
printf("%p", (void *)b);   // 0x1000
printf("%i", *b);          // 42
b++;
printf("%p", (void *)b);   // 0x1004
printf("%i", *b);          // ??
Memory:
0x1000: 42   (a)
0x1004: ??   (*b after b++)
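Added example, not part of the original slides: the address arithmetic from the slides (index times sizeof(int)) next to the bounds check that array[i] itself never performs. The names elem_byte_offset, checked_at and demo_array are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed sample: the five-element array used on the slides. */
static int demo_array[5] = {1, 2, 3, 4, 5};

/* Byte offset of element idx from the start of an int array.
 * Pure integer arithmetic, so it is safe to evaluate for any index. */
static long long elem_byte_offset(long long idx) {
    return idx * (long long)sizeof(int);
}

/* Hypothetical helper: returns a pointer to arr[idx], or NULL when idx is
 * outside [0, len). This is the check that plain indexing leaves out. */
static const int *checked_at(const int *arr, size_t len, long long idx) {
    if (idx < 0 || (unsigned long long)idx >= len)
        return NULL;
    return arr + idx;   /* advances by idx * sizeof(int) bytes */
}

int main(void) {
    long long probes[] = {0, 4, 5, -1, 100, 1024};   /* indices from the slides */
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        const int *p = checked_at(demo_array, 5, probes[i]);
        printf("array[%lld]: byte offset %+lld, ", probes[i],
               elem_byte_offset(probes[i]));
        if (p != NULL)
            printf("in bounds, value %d\n", *p);
        else
            printf("out of bounds, access refused\n");
    }
    return 0;
}
```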
strcpy()
Exploitation Basics
What is a common vulnerability?
strcpy(destination, source);
strcpy(d, "Hallo");
How much does strcpy() actually copy?
Until source "ends"
Where is the end?
0 byte \x00
"Hallo\x00"
Exploitation Basics
strcpy() does not care about destination size
At all…
char destination[8];
char source[17] = "1234567890123456"; // 16 characters + terminating 0 byte
strcpy(destination, source);
Exploitation Basics
strcpy() does not care about destination size
At all, because:
char destination[8];
char *d = destination; // strcpy() only receives this address, not the size 8
char source[17] = "1234567890123456"; // 16 characters + terminating 0 byte
strcpy(d, source);
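Added example, not part of the original slides: how many bytes strcpy() would write for the slide's 16-character string, how far that reaches past destination[8], and a bounded copy that refuses instead. The struct frame layout, its "SECRET" contents and the function names are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed layout: two adjacent buffers, like neighbouring local variables. */
struct frame {
    char destination[8];
    char neighbour[8];
};
static struct frame demo = { "", "SECRET" };   /* constructed sample data */

/* Bytes strcpy() would write: every character of src plus the 0 byte. */
static size_t strcpy_write_len(const char *src) {
    return strlen(src) + 1;
}

/* How many of those bytes would land beyond a buffer of dst_size bytes. */
static size_t overflow_bytes(size_t dst_size, const char *src) {
    size_t n = strcpy_write_len(src);
    return n > dst_size ? n - dst_size : 0;
}

/* Hypothetical bounded copy: succeeds only if src and its 0 byte fit.
 * Returns 0 on success, -1 (dst set to the empty string) if src is too long. */
static int copy_checked(char *dst, size_t dst_size, const char *src) {
    size_t n = strlen(src) + 1;
    if (dst_size == 0)
        return -1;
    if (n > dst_size) {
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n);
    return 0;
}

int main(void) {
    const char *source = "1234567890123456";   /* string from the slides */
    printf("strcpy() would write %zu bytes, %zu past destination[8]\n",
           strcpy_write_len(source), overflow_bytes(sizeof demo.destination, source));
    printf("neighbour starts at offset %zu\n", offsetof(struct frame, neighbour));
    int rc = copy_checked(demo.destination, sizeof demo.destination, source);
    printf("copy_checked(long) = %d, neighbour still \"%s\"\n", rc, demo.neighbour);
    rc = copy_checked(demo.destination, sizeof demo.destination, "Hallo");
    printf("copy_checked(\"Hallo\") = %d, destination = \"%s\"\n", rc, demo.destination);
    return 0;
}
```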
Non-Arrays in C
Non-Arrays
C has:
  Basic Types (int, float)
  Enumerated Types
  Void Type (void)
  Derived Types
Derived types:
  Pointers
  Arrays
  Structure
  Union
  Function
Non-Arrays
Arrays: Multiple elements of the same type behind each other
XXX var[3]:
var[0] var[1] var[2]
Structs: Multiple elements of different types behind each other
struct var {
    short x;
    long y;
    char z[3];
};
var.x var.y … var.z …
Enum is a special case of integer
Union is a special case of struct
Non-arrays
Remember:
Basic types are stored in memory, and can be loaded into registers
  Pointers are a slightly special basic type (they can be dereferenced), but are otherwise identical
Derived types are stored in memory, and contain basic types
  They cannot be loaded into a register, only some of their content can
Both are stored somewhere in memory, and therefore have an address.
Basic types are modified in registers
  Load from memory to register, modify, store into memory
Non-arrays
Developers: The memory holds some variables of mine, which hold my data
Hackers: The memory contains data, which is associated with some variables
… 0x01 0x00 0x02 0x00 0x00 0x00 …
… short a = 0x1; int b = 0x2; …
Conclusion
Exploitation Basics
Recap:
C does not care about buffer boundaries
strcpy() does not care about the size of the destination buffer (only about the 0 byte in the source buffer)
One buffer can overflow into another buffer
Local variables/buffers are adjacent to each other
A pointer can point to any memory address