
Part I

The Basic Idea

software: a sequence of instructions in memory, logically divided into functions
that call each other.

In the CPU, the program counter (PC) contains the address in memory of the next
instruction to execute. Normally this is the next address (instruction 100 is
followed by instruction 101, etc.), but not so with a function call.

[Slide diagram: function IE occupies addresses 100-104 and at address 102
executes "call getURL"; function getURL occupies addresses 200-204 and ends with
"return result". Function IE calls function getURL to read the corresponding
page.]


[Slide animation: the PC steps 100, 101, 102 through IE; at "102 call getURL" it
jumps to 200, steps through getURL, and at "return result" it has to come back
to 103, the instruction after the call. Next to the code the slide introduces a
stack, drawn as memory addresses 1020-1024.]

so how does our CPU know where to return? it keeps administration on a stack:
at the call, the address of the next instruction in IE (103) is pushed on the
stack (at 1023), and the return at the end of getURL pops it back into the PC.

real functions, variables

getURL ()
{
    char buf[10];               /* a 10-byte local variable, kept on the stack */
    read(keyboard, buf, 64);    /* asks read to store up to 64 bytes in it */
    get_webpage (buf);
}
IE ()
{
    getURL ();
}


stack

[Slide animation, reconstructed: IE is at 100-104 with "102 call getURL";
getURL is at 200-204 with "201 call read" and "203 return result"; read is at
300-303 and ends with "return". The stack is drawn with higher addresses at the
top. Just after getURL has called read, it looks like this:]

  address  contents
  1024               (IE's frame)
  1023     103       return address: the instruction in IE after "102 call getURL"
  1022     old FP    IE's saved frame pointer
  1021     \
   ...      | buf    getURL's local variable, char buf[10], occupying 1012-1021
  1012     /
  1011     64        third argument of read: the number of bytes to read
  1010     (buf)     second argument of read: the address of buf, i.e. 1012
  1009     fd        first argument of read: the keyboard
  1008     202       return address: the instruction in getURL after "201 call read"
  1007     1023      read's saved frame pointer (getURL's FP)

read now stores the bytes it receives from the keyboard in memory starting at
the address it was given, 1012, and moving upward.

Where is the vulnerability?

read is told to store 64 bytes, but buf is only 10 bytes (1012-1021). The 11th
byte of the input lands on the old FP at 1022, the 12th on the return address at
1023, and the rest keeps going upward into IE's frame.

Exploit

[Slide diagram: the same stack after the 64-byte read. buf (1012-1021) now holds
whatever the attacker typed, the old FP at 1022 has been overwritten, and the
return address at 1023 no longer reads 103 but 1013, an address inside buf.
When getURL executes "return result", the CPU pops 1013 into the PC and starts
executing the attacker's input as code.]
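The call, stack and return bookkeeping from the first slides and the overflow on this one, as an added example that is not part of the original slides: a small model of the slide's machine written in C, with one word per address (the slide's cells hold whole numbers such as 1023), IE at 100-104, getURL at 200-204, read at 300-303 and the stack at the slide's addresses. call pushes the return address, the prologue pushes the old FP and reserves buf, and read copies what the keyboard delivers into memory starting at buf's address without knowing buf's size. The keyboard input is constructed here: 64 words whose 12th is 1013. Running the scenario with the slide's read(keyboard, buf, 64) makes getURL return to 1013, inside buf; running it with the length bounded to the size of buf, which is the fix, makes it return to 103 as intended. The 7777 marker and the fake old FP value are assumptions of the example.

```c
#include <stdio.h>
#include <string.h>

/* One address of the slide's toy machine holds one whole number, so a cell is a
 * word, not a byte. The array is the machine's memory; the slide draws 1007..1024. */
typedef unsigned int cell;
#define MEM_CELLS 2048
#define CODE_MARK 7777   /* stands in for the attacker's instructions (assumption) */

struct machine {
    cell mem[MEM_CELLS];
    cell sp;   /* stack pointer: lowest address in use; the stack grows downward */
    cell fp;   /* frame pointer: the running function's return-address slot */
    cell pc;   /* program counter: address of the next instruction */
};

static void push(struct machine *m, cell v) { m->mem[--m->sp] = v; }
static cell pop(struct machine *m)          { return m->mem[m->sp++]; }

/* "call": push the address of the next instruction so "return" can find it, then jump. */
static void call(struct machine *m, cell target) { push(m, m->pc + 1); m->pc = target; }

/* Prologue: save the caller's FP ("old FP") under the return address, reserve locals. */
static void enter(struct machine *m, cell nlocals)
{
    push(m, m->fp);
    m->fp = m->sp + 1;   /* the return-address slot: 1023 for getURL */
    m->sp -= nlocals;    /* buf = 1012..1021 for getURL's char buf[10] */
}

/* Epilogue + "return": drop locals, restore the caller's FP, pop the return address
 * into the PC. Whatever that slot holds now decides where execution continues. */
static void ret(struct machine *m)
{
    m->sp = m->fp - 1;
    m->fp = pop(m);
    m->pc = pop(m);
}

/* The body of read: copies n cells of input to memory from dst upward. It knows
 * nothing about the size of dst, just like the real read. The check only keeps
 * the model's own array in bounds. */
static void read_body(struct machine *m, cell dst, const cell *input, cell n)
{
    cell i;
    if (dst + n > MEM_CELLS) n = MEM_CELLS - dst;
    for (i = 0; i < n; i++) m->mem[dst + i] = input[i];
}

/* Runs the slide's scenario and returns the address getURL's "return result"
 * jumps to. nread is the third argument of read(keyboard, buf, nread). */
static cell run_scenario(struct machine *m, const cell *input, cell nread)
{
    cell buf;
    memset(m, 0, sizeof *m);
    m->sp = 1024; m->fp = 1024;                  /* IE is running */
    m->pc = 102;  call(m, 200);                  /* "102 call getURL": 103 at 1023 */
    enter(m, 10);                                /* old FP at 1022, buf at 1012..1021 */
    buf = m->sp;
    push(m, nread); push(m, buf); push(m, 0);    /* read's arguments at 1011, 1010, 1009 */
    m->pc = 201;  call(m, 300);                  /* "201 call read": 202 at 1008 */
    enter(m, 0);                                 /* read's old FP (1023) at 1007 */
    read_body(m, m->mem[m->fp + 2], input, m->mem[m->fp + 3]);  /* buf, count */
    ret(m);                                      /* back to 202 in getURL */
    m->sp += 3;                                  /* getURL discards read's arguments */
    ret(m);                                      /* "203 return result": where to? */
    return m->pc;
}

/* Constructed keyboard input, 64 cells as the slide's read asks for: cells 0..9 fill
 * buf, cell 10 lands on the old FP at 1022, cell 11 on the return address at 1023. */
static void build_attacker_input(cell input[64])
{
    cell i;
    for (i = 0; i < 64; i++) input[i] = CODE_MARK;
    input[10] = 1022;   /* fake old FP; any value works for the jump */
    input[11] = 1013;   /* new return address: inside buf, where the input sits */
}

/* The slide's program: read(keyboard, buf, 64) into a 10-cell buf. Returns 1013. */
cell exploit_return_target(struct machine *m)
{
    cell input[64]; build_attacker_input(input);
    return run_scenario(m, input, 64);
}

/* The fix: never ask read for more than buf can hold. Returns 103. */
cell fixed_return_target(struct machine *m)
{
    cell input[64]; build_attacker_input(input);
    return run_scenario(m, input, 10);
}

int main(void)
{
    struct machine m;
    cell t = exploit_return_target(&m);
    printf("read(keyboard, buf, 64): getURL returns to %u (old FP slot now %u) -> %s\n",
           t, m.mem[1022], (t >= 1012 && t <= 1021) ? "inside buf" : "outside buf");
    t = fixed_return_target(&m);
    printf("read(keyboard, buf, 10): getURL returns to %u (old FP slot still %u)\n",
           t, m.mem[1022]);
    return 0;
}
```

In the model the overwrite is silent because nothing sits between buf and the saved FP; the same layout is what a stack canary breaks, by placing a value there that the epilogue checks before popping the return address.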

You may also overwrite other things. For instance:
  other variables that are also on the stack
  other addresses (such as the old FP)
  etc.

Memory Corruption
Final words Part I

We have sketched only the most common memory corruption attack. There are many
variations, e.g.:
  heap overflows instead of stack overflows
  more complex overflows
  off-by-one overflows

But there are other kinds of memory corruption also:
  integer overflows
  format string attacks
  double free
  etc.

Not now, perhaps later.

