Introduction to InfoSec – Recitation 2 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

Page 1: Introduction to InfoSec – Recitation 2
Nir Krakowski (nirkrako at post.tau.ac.il)
Itamar Gilad (itamargi at post.tau.ac.il)

Page 2: Today

• More assembly tips
• Binary patching
  o Tools
• Review of the stack
• Stack overflows
• Implementation
  o Tools

Page 3: Little vs Big Endian

• Endianness defines the order in which the bytes of a number are laid out in memory (or on a data bus).
• On the x86 architecture the value 0x11223344 is stored in memory as:
  o 44 33 22 11
• Intel architecture is little endian (we are using little endian).
• The same number in big endian would be stored as:
  o 11 22 33 44
• (We don't see any bit reordering because our minimum working unit is a byte; only the byte order differs.)

Page 4: Registers

• Common uses:
  o EAX – usually used for fast calculations / system call numbers / passing the return value, or the object (this) pointer in C++.
  o ECX – frequently used as a counter.
  o EBP – stores the stack frame (base) pointer.
  o ESP – stores the stack pointer.
  o EDI/ESI – used for string/buffer manipulation.
  o IP (EIP) – stores the current instruction pointer; it cannot be accessed directly!

Page 5: x86

• There are lots of assembly instructions with varying encoded sizes, and alternative encodings can be chosen to fit size constraints (for example, when a patch must fit into the space of the instruction it replaces).
• Examples:
  o MOV EAX, 0      (5 bytes)
  o Alternatively:
  o XOR EAX, EAX    (2 bytes)
• There are also 8-bit instructions to access partial registers:
  o MOV AL, 5
• There are 16-bit instructions:
  o MOV AX, 65535

Page 6: Binary Patching

• Motivation:
  o Change the behavior of a program
  o Disable software protections for further analysis
• Examples:
  o Bypass checks in the program
  o Add new functionality
  o Block weak/vulnerable functionality
• Process:
  o Find the relevant code to modify
  o Understand the code using reverse engineering
  o Find a hook point in the code
  o Find a location to insert new code without damaging the original operation or file structure, as far as possible
  o Divert flow from the hook point to the inserted code
  o Write the needed new functionality
  o Return to the point of origin, or to another appropriate point in the original code

Page 7: Example 1

• Pre-patched code:

    ; load input strings to compare to existing
    CALL strcmp
    ADD ESP, 8
    TEST EAX, EAX
    JZ end_of_function
    LEA EBX, [address of user input command]
    PUSH EBX
    LEA EBX, [address of user parameter]
    CALL execv
    ADD ESP, 4
  end_of_function:
    LEAVE
    RET

Page 8: Example 1 – Identify

• Pre-patched code: the same listing as on Page 7. The point to identify is the conditional jump JZ end_of_function that follows the strcmp result check (TEST EAX,EAX); that jump is the hook point, and it is what the patched version on the next slide replaces.

Page 9: Example 1 – Patched

• Patched code:

    ; load input strings to compare to existing
    CALL strcmp
    ADD ESP, 8
    TEST EAX, EAX
    NOP
    NOP
    LEA EBX, [address of user input command]
    PUSH EBX
    LEA EBX, [address of user parameter]
    CALL execv
    ADD ESP, 4
  end_of_function:
    LEAVE
    RET

• Why 2 NOPs?

Page 10: patch_util_gcc.py

• Compiles assembly and patches the input binary into an output binary.
• Parameters:
  o Original binary that will be patched
  o Output binary: the patched result
  o Address.patch – code in assembly that will be compiled by gcc and written into the new binary at the address given by the patch file name
  o Address2.patch – another patch (several may be given)
• Don't forget to "chmod +x [output binary]" after creation.
• Running "patch_util_gcc.py empty.bin shellcode.bin 0.patch" can be used to write shellcode.

Page 11: va_to_offset.py

• Reads the ELF structure and converts virtual addresses, as used at process startup (and as shown in IDA), to the actual location in the file.
• An alternative is to search for the original code with ghex and patch it in the hex editor.
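As an added example (not the course's own va_to_offset.py), here is a Python version of the same conversion: it walks the ELF program headers and maps a virtual address to its file offset, returning None for addresses that have no file bytes behind them (such as .bss). It also selects the byte order from the EI_DATA byte of the header, which ties back to the endianness discussion on Page 3; the ELF image it parses is a constructed skeleton with no real code.

```python
import struct

PT_LOAD = 1


def va_to_offset(elf: bytes, va: int):
    """Map a virtual address to its file offset via the PT_LOAD program headers.
    Returns None when the address is not backed by file bytes (e.g. .bss)."""
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64 = elf[4] == 2                  # EI_CLASS: 1 = ELF32, 2 = ELF64
    bo = "<" if elf[5] == 1 else ">"    # EI_DATA: 1 = little endian, 2 = big endian
    if is64:
        (e_phoff,) = struct.unpack_from(bo + "Q", elf, 32)
        e_phentsize, e_phnum = struct.unpack_from(bo + "HH", elf, 54)
    else:
        (e_phoff,) = struct.unpack_from(bo + "I", elf, 28)
        e_phentsize, e_phnum = struct.unpack_from(bo + "HH", elf, 42)
    for i in range(e_phnum):
        ph = e_phoff + i * e_phentsize
        if is64:   # p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz
            p_type, _, p_offset, p_vaddr, _, p_filesz = struct.unpack_from(bo + "IIQQQQ", elf, ph)
        else:      # p_type, p_offset, p_vaddr, p_paddr, p_filesz
            p_type, p_offset, p_vaddr, _, p_filesz = struct.unpack_from(bo + "IIIII", elf, ph)
        if p_type == PT_LOAD and p_vaddr <= va < p_vaddr + p_filesz:
            return p_offset + (va - p_vaddr)
    return None


def build_sample_elf32(big_endian: bool = False) -> bytes:
    """Constructed ELF32 skeleton: header plus two PT_LOAD entries (text, data), no real code."""
    bo = ">" if big_endian else "<"
    e_ident = b"\x7fELF" + bytes([1, 2 if big_endian else 1, 1]) + b"\x00" * 9
    # e_type=ET_EXEC, e_machine=EM_386, entry 0x08048100, phoff 52, 2 phdrs of 32 bytes
    ehdr = e_ident + struct.pack(bo + "HHIIIIIHHHHHH",
                                 2, 3, 1, 0x08048100, 52, 0, 0, 52, 32, 2, 0, 0, 0)
    text = struct.pack(bo + "IIIIIIII", PT_LOAD, 0, 0x08048000, 0x08048000, 0x1000, 0x1000, 5, 0x1000)
    # data segment: 0x200 bytes in the file, 0x300 in memory (the tail is .bss)
    data = struct.pack(bo + "IIIIIIII", PT_LOAD, 0x1000, 0x0804A000, 0x0804A000, 0x200, 0x300, 6, 0x1000)
    return ehdr + text + data


if __name__ == "__main__":
    elf = build_sample_elf32()
    for va in (0x08048100, 0x0804A010, 0x0804A250):
        off = va_to_offset(elf, va)
        print(f"VA {va:#010x} -> " + (f"file offset {off:#x}" if off is not None else "not in file"))
```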

Page 12: Example 2

• Binary_patching_example_verify
• We will override the verification of the login by looking for the easiest appropriate point to patch.
• Create a patch and apply it; verify with IDA that everything is well.
• Run, test, and hope for the best.

Page 13: Buffer'Os

• History:
  o The first documented buffer overflows were thought of in 1972, in the COMPUTER SECURITY TECHNOLOGY PLANNING STUDY (page 61).
  o The first buffer overflows known in the wild were Stack'Os.
  o Stack overflows were widely introduced by Aleph One:
    o Phrack Magazine Issue 49, November 8, 1996
    o Title: Smashing the Stack for Fun and Profit
    o http://www.phrack.org/issues.html?issue=49&id=14#article
• Purpose:
  o As when patching, we re-route the code to new code that adds new functionality.
  o We modify the behavior of a program without modifying the binary, only by controlling the input!
  o Therefore we can subvert the original functionality of the code to any purpose.

Page 14: Where does it get really interesting

• When the program input comes from a remote connection
  o Example: telnet
• When the program has higher privileges
  o Example: su

Page 15: Process Memory Abstract

    /------------------\   lower
    |                  |   memory
    |       Text       |   addresses
    |                  |
    |------------------|
    |  (Initialized)   |
    |       Data       |
    | (Uninitialized)  |
    |------------------|
    |                  |
    |      Stack       |   higher
    |                  |   memory
    \------------------/   addresses

Page 16: Example1.c

    void function(int a, int b, int c) {
        char buffer1[5];
        char buffer2[10];
    }

    int main(void) {
        function(1, 2, 3);
        return 0;
    }

Page 17: Stack Structure

    bottom of                                                       top of
    memory                                                          memory
              buffer2        buffer1     sfp    ret    a      b      c
    <------   [            ][          ][     ][     ][    ][    ][    ]
    top of                                                          bottom of
    stack                                                           stack

Page 18: Tools List

• gdb – GNU Debugger
  o Core dumping: gdb --core=core.dump
  o OllyDbg (for Windows), which we will not cover in the course.
• IDA
  o va_to_offset.py – easy program to get the offset of code in the original file.
• gcc – the GNU compiler
  o For the course we have prepared an easy utility for compiling small bits of assembly: patch_util_gcc.py
• ghex – can be used to patch the binary:
  o Once we have a search string to find the binary code, we can modify it.
• Other common tools for Linux debugging:
  o ltrace – library call tracing
  o strace – system call tracing
  o objdump – dump ELF file and symbol information
• shellcode

Page 19: shellcode example with interrupt calls

        jmp call_start          # jump to the end of the code, to /bin/sh
    start_shellcode:            # label to jump back to
        pop ebx                 # put the pointer to /bin/sh in ebx
        xor eax, eax            # zero eax; don't use mov, because its encoding includes \x00
        mov al, 0xb             # system call 0xb - execve
        xor ecx, ecx            # clear pointer to envp
        int 0x80                # invoke the system call!
        xor eax, eax            # ignore the return value and reset to zero
        mov al, 0x1             # call the exit system call
        int 0x80
    call_start:
        call start_shellcode
        .string "/bin/sh"

Page 20: GDB Quick Browse

• si, ni – step one instruction (into / over)
• s, n – step one source line (into / over)
• info reg – print all registers
• dump memory filename startaddress stopaddress – dump a memory range to a file
• x/i address – disassemble at this address
• p (char *) 0x234234 – print the memory at this address as if it were a C string
• x/bx address – print hex bytes starting from this address
• c – continue
• r arg1 arg2 – run the program with the specified arguments
• b somefunction – set a breakpoint

Page 21:

• The end