Intro to Memory Corruption
Downloads
• rpisec.org/2013/09-13-2013/exploitation.zip
• For the lazy – rpisec.org/2013/
• Windows & Linux Binaries!
• … macs?
RPISEC - 09/13/2013
Memory Corruption
• The simplest definition – To change data the program uses in ways that were not intended by the programmer
• So what does this actually mean? And what can we do with it?
• Let’s take a look at exercise one
Uhm… what even just happened?
• You just overflowed your first buffer! But in a controlled manner
• A more reckless overflow would probably result in the program segfaulting
• segfault: An error reading/writing to memory
The technical explanation
• The stack is how a program maintains variables and their data during execution
• This is main()’s stack (diagram of main()’s stack frame shown on the slide)
• Omg wut have we done
• Is_zero == ‘U’ == 85
Now let’s take it a bit further…
• What if we overwrote the return address that’s stored further down the stack?
• The return address tells the program where to go after completing a function call
• In this case, we’d segfault… but what if we set it to something more meaningful than AAAA?
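The two slides above (the buffer spilling into is_zero, then further down into the return address) as an added, self-contained C model that is not part of the RPISEC exercise: the frame layout, the placeholder return address 0x08048500 and the inputs are all constructed for this example, and the unchecked copy is placed beside the bounded copy that keeps the rest of the frame untouched.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of the exercise's stack frame (constructed for this example; a real
   frame's layout depends on the compiler). The flag sits right after the
   buffer, and a stand-in for the saved return address sits further down. */
struct frame {
    char buf[8];            /* the buffer the program reads input into */
    unsigned char is_zero;  /* the variable that became 'U' in the exercise */
    unsigned char pad[3];
    uint32_t saved_ret;     /* stand-in for the return address */
};

/* Unbounded copy: trusts the caller's length, just like an unchecked read.
   Byte 9 lands on is_zero, bytes 13..16 land on saved_ret. */
static void unchecked_read(struct frame *f, const char *input, size_t len) {
    memset(f, 0, sizeof *f);
    f->saved_ret = 0x08048500;            /* constructed "legit" return address */
    if (len > sizeof *f) len = sizeof *f; /* clamp only to keep the demo well-defined */
    memcpy(f, input, len);                /* nothing stops it running past buf */
}

/* Bounded copy: only ever writes inside buf, so the rest of the frame is safe. */
static void bounded_read(struct frame *f, const char *input, size_t len) {
    memset(f, 0, sizeof *f);
    f->saved_ret = 0x08048500;
    size_t n = len < sizeof f->buf - 1 ? len : sizeof f->buf - 1;
    memcpy(f->buf, input, n);
    f->buf[n] = '\0';
}

/* Value of is_zero after reading input with (checked=1) or without a bounds check. */
unsigned char flag_after(const char *input, size_t len, int checked) {
    struct frame f;
    if (checked) bounded_read(&f, input, len); else unchecked_read(&f, input, len);
    return f.is_zero;
}

/* Value of the saved return address after the same read. */
uint32_t ret_after(const char *input, size_t len, int checked) {
    struct frame f;
    if (checked) bounded_read(&f, input, len); else unchecked_read(&f, input, len);
    return f.saved_ret;
}

int main(void) {
    const char *ex1 = "AAAAAAAAU";        /* 8 bytes fill buf, 'U' (85) hits is_zero */
    const char *ex2 = "AAAAAAAAUAAAAAAA"; /* 16 bytes: the last "AAAA" reaches saved_ret */
    printf("is_zero = %u\n", flag_after(ex1, strlen(ex1), 0));                     /* 85 */
    printf("saved_ret = 0x%08x\n", (unsigned)ret_after(ex2, strlen(ex2), 0));      /* 0x41414141 */
    printf("with bounds check: is_zero = %u, saved_ret = 0x%08x\n",
           flag_after(ex1, strlen(ex1), 1), (unsigned)ret_after(ex2, strlen(ex2), 1));
    return 0;
}
```

A return address of 0x41414141 is exactly the "AAAA" case from the slide: the CPU tries to return there and the program segfaults.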
“If your program simply segfaulted, consider yourself lucky.”
-Chuck Stewart
Security
• What we just did was take control of the program’s execution flow and bend it to our will
• What if this program was running on a server? Or perhaps running under an admin user?
• Security – To ensure and maintain complete control of the execution flow of your program
Recap of ‘easy’
• This time, we overwrote the return address, effectively telling the program where it should go next
• What if we could insert our OWN code into the program, and point the return address towards that? - ‘shellcode’
• … Next time ;)
Some final words
• To really become good at exploitation, you need to have a solid grasp on the low level stuff
• This means knowing x86 assembly, how the stack works, and how data is typically laid out in memory