Upload File

cnit 127: exploit development lecture 7: 64-bit assembler not in textbook

  • Home
  • Documents
  • CNIT 127: Exploit Development Lecture 7: 64-bit Assembler Not in textbook
31
CNIT 127: Exploit Development Lecture 7: 64-bit Assembler Not in textbook

Upload: sydney-golden

Post on 18-Jan-2018

222 views

Category:

Documents


0 download

Report

DESCRIPTION

OS Limitations OS uses top half User programs use lower half

TRANSCRIPT

Page 1: CNIT 127: Exploit Development Lecture 7: 64-bit Assembler Not in textbook

CNIT 127: Exploit Development

Lecture 7: 64-bit Assembler

Not in textbook

Page 2: CNIT 127: Exploit Development Lecture 7: 64-bit Assembler Not in textbook

64-bit Registers

• rip = Instruction pointer• rsp = top of stack

Page 3: CNIT 127: Exploit Development Lecture 7: 64-bit Assembler Not in textbook

OS Limitations

• OS uses top half

• User programs use lower half

Page 4: CNIT 127: Exploit Development Lecture 7: 64-bit Assembler Not in textbook
Page 5: CNIT 127: Exploit Development Lecture 7: 64-bit Assembler Not in textbook

Windows Limitations

• Windows 2008 Server uses 44 bits– Max. 16 TB RAM

• Windows 8.1, 2015 revision, uses 48 bits– Max. 256 MB RAM

• Links Ch L7d, L7e

Page 6: CNIT 127: Exploit Development Lecture 7: 64-bit Assembler Not in textbook
Page 7: CNIT 127: Exploit Development Lecture 7: 64-bit Assembler Not in textbook

System Calls

• syscall replaces INT 80

Page 8: CNIT 127: Exploit Development Lecture 7: 64-bit Assembler Not in textbook

L7h: Searchable Linux Syscall Table

Page 9: CNIT 127: Exploit Development Lecture 7: 64-bit Assembler Not in textbook

L7c: Introduction to x64 Assembly | Intel Developer Zone

• More details about registers

Page 10: CNIT 127: Exploit Development Lecture 7: 64-bit Assembler Not in textbook
Page 11: CNIT 127: Exploit Development Lecture 7: 64-bit Assembler Not in textbook

Syscall 1: Write

Page 12: CNIT 127: Exploit Development Lecture 7: 64-bit Assembler Not in textbook

Simplest Program: ABC

Page 13: CNIT 127: Exploit Development Lecture 7: 64-bit Assembler Not in textbook

Works, then Crashes

Page 14: CNIT 127: Exploit Development Lecture 7: 64-bit Assembler Not in textbook

Exit

Page 15: CNIT 127: Exploit Development Lecture 7: 64-bit Assembler Not in textbook

Works Without Crashing

Page 16: CNIT 127: Exploit Development Lecture 7: 64-bit Assembler Not in textbook

Using a .data section

Page 17: CNIT 127: Exploit Development Lecture 7: 64-bit Assembler Not in textbook

Objdump

Page 18: CNIT 127: Exploit Development Lecture 7: 64-bit Assembler Not in textbook

Using gdb

• .data and .text sections appear the same

Page 19: CNIT 127: Exploit Development Lecture 7: 64-bit Assembler Not in textbook

.text and .data Sections

Page 20: CNIT 127: Exploit Development Lecture 7: 64-bit Assembler Not in textbook

info registers

Page 21: CNIT 127: Exploit Development Lecture 7: 64-bit Assembler Not in textbook

Using read

Page 22: CNIT 127: Exploit Development Lecture 7: 64-bit Assembler Not in textbook

"echo" with a .data section

Page 23: CNIT 127: Exploit Development Lecture 7: 64-bit Assembler Not in textbook

Works with Junk at End

Page 24: CNIT 127: Exploit Development Lecture 7: 64-bit Assembler Not in textbook

Caesar Cipher

Page 25: CNIT 127: Exploit Development Lecture 7: 64-bit Assembler Not in textbook

Works for 4 Bytes Only

Page 26: CNIT 127: Exploit Development Lecture 7: 64-bit Assembler Not in textbook

Objdump Shows a 32-bit Value

Page 27: CNIT 127: Exploit Development Lecture 7: 64-bit Assembler Not in textbook

Must use a Register

Page 28: CNIT 127: Exploit Development Lecture 7: 64-bit Assembler Not in textbook

Now it Works

Page 29: CNIT 127: Exploit Development Lecture 7: 64-bit Assembler Not in textbook

Challenge 1"Hello from YOURNAME"

Page 30: CNIT 127: Exploit Development Lecture 7: 64-bit Assembler Not in textbook

Challenge 2Caesar (3 steps back)

Page 31: CNIT 127: Exploit Development Lecture 7: 64-bit Assembler Not in textbook

Challenge 3: XOR Encryption


CNIT 132 – Week 3

CNIT 121: 10 Enterprise Services

CNIT 127: Exploit Development Ch 1: Before you begin

CNIT 127 14: Protection Mechanisms

Der Assembler-Befehlssatz · Assembler-Befehlssatz 2

CNIT 127: Exploit Development Ch 4: Introduction to Format String Bugs

CNIT 127: Exploit Development Ch 2: Stack Overflows in Linux2019/08/28  · CNIT 127: Exploit Development Ch 2: Stack Overflows in Linux Updated 8-28-19 Topics • Buffers in C •

G.Umamaheswari Lect/IT R.M.D.EC system software Assembler Assembler Definition Assembler functions Assembler Design Algorithms for two passes Example Program

CNIT 132 – Week 6

Cnit final presentation

CNIT 160: Cybersecurity Responsibilities

cnit - Unigereti.dist.unige.it/reti/Reti2/Scheduling.pdf · cnit CNIT-University of Genoa Research Unit D.I.S.T. Department of Communications, Computer and Systems Science University

CNIT 121: 14 Investigating Applications

CNIT 127: Exploit Development Ch 3: Shellcode. Topics Protection rings Syscalls Shellcode nasm Assembler ld GNU Linker objdump to see contents of object

CNIT 123: Ch 6: Enumeration

CNIT 40: 3: DNS vulnerabilities

CNIT 126 5: IDA Pro

CNIT 126 9: OllyDbg

CNIT 128 Ch 4: Android

CNIT 128 5: Mobile malware

CNIT 127 Lecture 7: Intro to 64-Bit Assembler (not in book)

CNIT 127: Exploit Development Ch 3: Shellcode · 9/4/2019  · • ld GNU Linker • objdump to see contents of object files • strace System Call Tracer ... • Any illegal instruction

CNIT 121: Computer Forensics - samsclass.info · CNIT 121: Computer Forensics 14 Investigating Applications. Applications ... • CNIT 126 • Next semester

CNIT 121: 9 Network Evidence

CNIT 127: Exploit Development Ch 8: Windows Overflows Part 2

CNIT 121: 11 Analysis Methodology

CNIT 127: Exploit Development Ch 3: Shellcode · • ld GNU Linker • objdump to see contents of object files • strace System Call Tracer ... instruction can make the program crash

OPENING Enzo Dalle Mese CNIT – Lab RaSS. What is CNIT? CNIT (National Interuniversity Consortium for Telecommunications) is a no-profit organization of

CNIT 140: Flashing Firmware

CNIT 127: Exploit Development Ch 14: Protection Mechanisms · distributions, OpenBSD, Mac OS X, and Windows • Bypass techniques involve executing code elsewhere, not on the stack

CNIT 140: Networking Review

Graphics Interface '85graphicsinterface.org/wp-content/uploads/gi1985-33.pdf ·  · 2015-05-12the IBM PC/ES series of personal computers with fixed ... assembler language could exploit

CNIT 127 Ch 3: Shellcode

CNIT 127: Exploit Development Ch 16: Fault Injection

CNIT 276 Module 1