The almighty stack 
Introduction to the cdecl ABI and the x86 stack 
Alex Moneger 
Security Engineer
Chapter structure 
© 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 2
 Brief description of the x86 ISA and cdecl ABI 
 Data and code segregation 
 Into cdecl 
 The stack frame (holy noises) 
 Exercise 
Bytes and AAAAAAhhhhhSM 
All starts with ISA 
 ISA stands for Instruction Set Architecture 
 Defined by the CPU vendor; it specifies: 
1. The registers (e.g. eax, ebp, esp…) 
2. The instruction set (e.g. add, sub, mov, call) and the exact effect of each instruction 
 In short, the ISA describes what the CPU can do; it says nothing about how programs should use it 
The ABI 
 ABI stands for Application Binary Interface 
 Specified by each OS (together with its toolchain), on top of the ISA 
 An OS can support several ABIs (e.g. 32-bit and 64-bit programs on the same kernel) 
 Specifies: 
 How the OS expects programs to use the ISA (calling conventions, which registers are preserved across calls, stack layout) 
 What a binary must adhere to in order to run on the OS (executable format, system call interface) 
 How compilers must compile programs so that the result runs, and so that separately compiled code and libraries can call each other 
The x86 cdecl ABI 
 Used by Linux on 32-bit x86 (the System V i386 ABI); 64-bit Linux passes the first arguments in registers instead, so the layouts in this chapter are specific to 32-bit code 
 Dictates how function calls are made: 
 eax holds the return value of the function 
 Function parameters are pushed on the stack by the caller, right-most argument first, so the first argument sits closest to the return address 
 The callee is in charge of reserving space on the stack for its local variables 
 The callee is in charge of freeing that reserved space before it returns 
 The caller removes the arguments it pushed once the call returns; this is what distinguishes cdecl from conventions such as stdcall, where the callee removes them 
 More on this later… 
Code vs Data 
 In a binary, code (machine instructions) is segregated from data (the values the code manipulates) 
 In short, code is mapped R E (readable and executable, not writable), data is mapped RW (readable and writable, not executable) 
 Code (.text section, dynamic libraries, …) has its own space 
 Data (.data section, .bss, …) has its own space 
 Code and data are never mixed in one mapping: each lands in its own LOAD segment with its own permissions. In this binary the first segment holds .text (and read-only data such as .rodata), the second holds .data and .bss (MemSiz exceeding FileSiz by 4 bytes is the zero-filled .bss): 
cisco@kali:~/src/seccon$ readelf -l ch2 | egrep -i "LOAD|Addr" 
Type Offset VirtAddr PhysAddr FileSiz MemSiz Flg Align 
LOAD 0x000000 0x08048000 0x08048000 0x00588 0x00588 R E 0x1000 
LOAD 0x000588 0x08049588 0x08049588 0x0011c 0x00120 RW 0x1000 
What about “dynamic” data? 
 What about data that only exists at runtime? 
 Two dynamic memory regions hold it: 
1. The stack, for data whose size is known at compile time (locals, arguments, return addresses). The compiler emits the code that reserves and frees it. 
2. The heap, for data whose size is only known at runtime. It is managed by the allocator in the libc (malloc/free). 
 Both are marked RW, not executable. The stack's permissions come from the GNU_STACK program header: the kernel maps the stack with exactly these flags, so a GNU_STACK of RWE (what `-z execstack`, or linking in an assembly object without a .note.GNU-stack section, produces) hands an attacker an executable stack: 
cisco@kali:~/src/seccon$ readelf -l ch2 | egrep -i "STACK|Addr" 
Type Offset VirtAddr PhysAddr FileSiz MemSiz Flg Align 
GNU_STACK 0x000000 0x00000000 0x00000000 0x00000 0x00000 RW 0x4 
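The segment permissions shown by the two `readelf -l` outputs above are what the loader actually applies, so they are worth checking programmatically. The program below is an added example, not code from the slides: it parses an ELF32 program header table, counts the LOAD segments, flags any segment that is both writable and executable, and reads the GNU_STACK flags that decide whether the stack is NX. The two images it inspects are constructed in memory (headers only, no code or data behind them) so the code runs offline; one carries the exact values from the slide's readelf output (LOAD R E, LOAD RW, GNU_STACK RW), the other the same layout with GNU_STACK RWE. A truncated copy is also fed in to show that the parser refuses a header whose table would run past the end of the file.

```c
/* Added example, not from the slides: parse an ELF32 program header table and report the
 * permissions the loader will give each segment, the information `readelf -l` printed above.
 * The images below are constructed in memory (headers only, no code) so this runs offline; one
 * mirrors the slide's output (LOAD R E, LOAD RW, GNU_STACK RW), the other has GNU_STACK RWE. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define PT_LOAD      1                /* ELF constants, as in <elf.h> */
#define PT_GNU_STACK 0x6474e551u
#define PF_X 1u
#define PF_W 2u
#define PF_R 4u
#define EH_SIZE      52               /* ELF32 header size and the field offsets we need */
#define EH_PHOFF     28
#define EH_PHENTSIZE 42
#define EH_PHNUM     44
#define PH_SIZE      32               /* ELF32 program header size */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }
static void     wr32(uint8_t *p, uint32_t v) { p[0] = v; p[1] = v >> 8; p[2] = v >> 16; p[3] = v >> 24; }

typedef struct {
    int valid;                 /* magic/class/endianness right and the phdr table inside the image */
    int nload;                 /* PT_LOAD segments seen */
    int wx_load;               /* a PT_LOAD that is both writable and executable */
    int has_gnu_stack;
    uint32_t stack_flags;      /* p_flags of PT_GNU_STACK */
} elf_report;

static elf_report inspect_elf32(const uint8_t *img, size_t len)
{
    elf_report r = {0};
    if (len < EH_SIZE || memcmp(img, "\x7f" "ELF", 4) != 0 || img[4] != 1 || img[5] != 1)
        return r;                                  /* not ELF, not 32-bit, or not little-endian */
    uint32_t phoff = rd32(img + EH_PHOFF);
    uint16_t phentsize = rd16(img + EH_PHENTSIZE), phnum = rd16(img + EH_PHNUM);
    if (phentsize < PH_SIZE || (uint64_t)phoff + (uint64_t)phentsize * phnum > len)
        return r;                                  /* table would run past the image: do not trust the header */
    r.valid = 1;
    for (uint16_t i = 0; i < phnum; i++) {
        const uint8_t *p = img + phoff + (size_t)i * phentsize;
        uint32_t type = rd32(p), flags = rd32(p + 24);   /* p_type at +0, p_flags at +24 in ELF32 */
        if (type == PT_LOAD) { r.nload++; if ((flags & (PF_W | PF_X)) == (PF_W | PF_X)) r.wx_load = 1; }
        else if (type == PT_GNU_STACK) { r.has_gnu_stack = 1; r.stack_flags = flags; }
    }
    return r;
}

/* 1 when the stack will be mapped non-executable: PT_GNU_STACK present without PF_X. A missing
 * entry counts as executable too, because that is the legacy default the Linux i386 loader applies. */
static int stack_is_nx(const elf_report *r)
{
    return r->valid && r->has_gnu_stack && !(r->stack_flags & PF_X);
}

/* Constructed image: header + 3 program headers carrying the values from the slide's readelf
 * output. stack_flags selects RW or RWE for GNU_STACK. Returns the image size, 0 if out is too small. */
static size_t build_image(uint32_t stack_flags, uint8_t *out, size_t cap)
{
    const uint32_t ph[3][8] = {  /* p_type, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_flags, p_align */
        { PT_LOAD, 0x000, 0x08048000, 0x08048000, 0x588, 0x588, PF_R | PF_X, 0x1000 },
        { PT_LOAD, 0x588, 0x08049588, 0x08049588, 0x11c, 0x120, PF_R | PF_W, 0x1000 },
        { PT_GNU_STACK, 0, 0, 0, 0, 0, stack_flags, 4 },
    };
    size_t need = EH_SIZE + 3 * PH_SIZE;
    if (cap < need) return 0;
    memset(out, 0, need);
    memcpy(out, "\x7f" "ELF", 4); out[4] = 1; out[5] = 1; out[6] = 1;   /* ELFCLASS32, ELFDATA2LSB, EV_CURRENT */
    wr32(out + EH_PHOFF, EH_SIZE); out[EH_PHENTSIZE] = PH_SIZE; out[EH_PHNUM] = 3;
    for (int i = 0; i < 3; i++)
        for (int f = 0; f < 8; f++) wr32(out + EH_SIZE + i * PH_SIZE + 4 * f, ph[i][f]);
    return need;
}

/* Build an image with the given GNU_STACK flags and inspect at most `len` bytes of it. */
static elf_report demo_report(uint32_t stack_flags, size_t len)
{
    uint8_t img[EH_SIZE + 3 * PH_SIZE];
    size_t n = build_image(stack_flags, img, sizeof img);
    return inspect_elf32(img, len < n ? len : n);
}
static int demo_stack_nx(uint32_t stack_flags) { elf_report r = demo_report(stack_flags, SIZE_MAX); return stack_is_nx(&r); }

static void print_report(const char *name, const elf_report *r)
{
    printf("%-12s valid=%d LOAD=%d W+X=%d GNU_STACK=%s%s%s nx_stack=%d\n", name, r->valid, r->nload, r->wx_load,
           r->stack_flags & PF_R ? "R" : "", r->stack_flags & PF_W ? "W" : "", r->stack_flags & PF_X ? "E" : "",
           stack_is_nx(r));
}

int main(void)
{
    elf_report rw = demo_report(PF_R | PF_W, SIZE_MAX), rwe = demo_report(PF_R | PF_W | PF_X, SIZE_MAX);
    elf_report cut = demo_report(PF_R | PF_W, 60);
    print_report("as on slide", &rw);
    print_report("execstack", &rwe);
    print_report("truncated", &cut);
    return 0;
}
```

The same walk over the program headers works on a real file read into memory; the only extra step is reading it. The bounds check before the loop is the part that matters when the input is untrusted: a crafted e_phoff or e_phnum is the classic way to make a naive header parser read past its buffer.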
Introducing the stack 
 The stack is a LIFO structure. It grows towards lower addresses: push moves ESP down, pop moves it back up 
 The stack holds the return address (where the program needs to ret to following a call) 
 Each function gets a region where it stores its local data => the stack frame 
 The amount of local storage a function needs determines the size of its stack frame 
 When the function exits, its stack frame is removed (popped) from the stack 
Stack: the high level view 
 Pseudocode: 
cisco@kali:~/src/seccon$ pygmentize -g ch2-pc.c 
void func3(void) { 
} 
void func2(void) { 
} 
void func1(void) { 
func2(); 
func3(); 
} 
int main(void) { 
func1(); 
} 
 Stack (the top of the stack is the high address, e.g. 0xbfffffff; frames are stacked downwards from there): 
int main(void) 
void func1(void) 
void func2(void), then void func3(void): func2's frame is popped before func3 is called, so both occupy the same slot below func1's frame 
I’m ESP, I’m really special 
 By convention, two registers are used to manage 
the stack: 
1. EBP, the stack base (frame) pointer: 
 Used to index function parameters (positive offsets) and local variables (negative offsets) 
 Does not move during the life of the stack frame 
2. ESP, always points at the top of the stack (the lowest address in use): 
 Moved by the push and pop instructions (and by call and ret) 
 Shifted down the stack at function entry to reserve space for 
local variables 
 Example (inside func1's frame, below its EBP): 
cisco@kali:~/src/seccon$ pygmentize -g ch2-ex.asm 
push 0x01020304 
push 0xffffffff 
pop eax 
pop ebx 
 After the two pushes ESP points at 0xffffffff, with 0x01020304 four bytes above it. pop eax loads 0xffffffff into eax and raises ESP by 4; pop ebx loads 0x01020304 and raises it again, so ESP is back where it started. 
Unwinding the frame 
 On function exit, the stack frame is removed 
 But how much space to remove? 
 But how does the code know where to return? 
 Enter Saved EBP and mostly Saved EIP 
 Saved EBP remembers where the previous frame pointer was 
 Saved EIP tells the ret instruction where to return: 
 Ret = pop eip; jmp eip 
Unwinding the frame - 2 
 On function return: 
 mov esp, ebp => discard all local storage in one go (ESP is back where it was right after push ebp) 
 pop ebp => restore the caller's base pointer from the saved EBP 
 leave does both: leave = mov esp, ebp; pop ebp 
 ret then pops the saved EIP. The two forms of the function epilogue are therefore equivalent: 
 Long form: 
mov esp,ebp 
pop ebp 
ret 
 Short form (the one used in the listings that follow): 
leave 
ret 
Example: Winding the stack 
cisco@kali:~/src/seccon$ pygmentize -g ch2-pc.c 
void func1(int a) { // 0x080483dc 
char c = 'A'; 
} 
int main(void) { // 0x080483e8 
func1(0x1234); 
} 
dahtah@kali:~/src/seccon$ objdump -d -j .text -M intel ch2-pc2 | grep 'func1>:' -A 15 
080483dc <func1>: 
80483dc: 55 push ebp 
80483dd: 89 e5 mov ebp,esp 
80483df: 83 ec 10 sub esp,0x10 
80483e2: c6 45 ff 41 mov BYTE PTR [ebp-0x1],0x41 
80483e6: c9 leave 
80483e7: c3 ret 
080483e8 <main>: 
80483e8: 55 push ebp 
80483e9: 89 e5 mov ebp,esp 
80483eb: 83 ec 04 sub esp,0x4 
80483ee: c7 04 24 34 12 00 00 mov DWORD PTR [esp],0x1234 
80483f5: e8 e2 ff ff ff call 80483dc <func1> 
80483fa: c9 leave 
80483fb: c3 ret 
 Stack once func1's prologue has run (the top of the stack is the high address, e.g. 0xbfffffff; the absolute values in the figure came from one run and change with ASLR): 
 Saved EIP of main (the return address into __libc_start_main) 
 Saved EBP (stack frame -1): main's own saved base pointer; main's EBP was 0xbffff6c4 in this run 
 [func1 EBP+8] 0x00001234: the argument, stored by mov DWORD PTR [esp],0x1234 before the call 
 [func1 EBP+4] 0x080483fa: saved EIP. call pushes the address of the instruction after it (0x80483f5 plus the 5-byte call), not main's start address 
 [func1 EBP] 0xbffff6c4: saved EBP, main's EBP pushed by func1's push ebp <= EBP points here 
 [func1 EBP-1] 0x41: char c, a single byte (c6 45 ff 41 decodes as mov BYTE PTR [ebp-0x1],0x41) 
 [func1 EBP-0x10 … EBP-2] the rest of the 0x10 bytes reserved by sub esp,0x10, uninitialised (drawn as 0x00000000 in the figure) <= ESP points at the bottom 
Example: Unwinding the stack 
 Same source and listing as the previous slide; the figure replays the two epilogues and tracks ESP at each step: 
 func1's leave: mov esp,ebp puts ESP on the saved EBP (c and the reserved 0x10 bytes are now below ESP, i.e. dead); pop ebp restores main's EBP (0xbffff6c4) and ESP moves up 4 
 func1's ret: pops the saved EIP (0x080483fa) into EIP, ESP moves up 4 and now points at the 0x1234 argument again, which is main's to discard (cdecl: the caller cleans up) 
 main's leave: ESP jumps to main's EBP, discarding the argument slot, then pops the saved EBP of frame -1 
 main's ret: pops the saved EIP of main and returns into __libc_start_main; the stack is back where it was before main ran 
Enough theory 
 Noticed something juicy in the stack process? 
 Saved EIP is plain data on the stack, right above the local variables, and ret trusts it blindly 
 If an attacker controls saved EIP, he controls the program flow 
 Buffer overflow = saved EIP control. That's it. 
 Go play! 
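To tie the winding/unwinding example and this slide together with numbers rather than a figure, here is an added example that is not part of the original deck: a small model of the x86-32 stack in portable C that replays, instruction by instruction, the exact main()/func1() sequence from the objdump listing (push, mov ebp,esp, sub esp, the argument store, call, the byte store into c, leave, ret). It records where the argument, saved EBP, saved EIP and the local end up relative to func1's EBP, then runs the same sequence again after an unchecked copy into c of 5 bytes (reaches saved EBP only) and of 9 bytes (reaches saved EIP as well), showing where ret goes in each case. Two values are assumptions, not from the slides: the ESP at the moment main is called (chosen so main's EBP comes out as the figure's 0xbffff6c4) and the return address into __libc_start_main. Because it is a model, it builds and runs on any host, no 32-bit toolchain required.

```c
/* Added example, not from the slides: a model of the x86-32 stack that replays the
 * main()/func1() instruction sequence of the objdump listing, so the frame layout and
 * the unwinding can be checked with numbers. Assumed (not on the slides): the initial
 * ESP, chosen so main's EBP is 0xbffff6c4 as in the figure, and the libc return address. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>
#define STACK_TOP   0xbffff6ccu                 /* assumed ESP when main is called */
#define STACK_BYTES 0x100u
#define STACK_BASE  (STACK_TOP - STACK_BYTES)
#define LIBC_RET    0xb7e2ea63u                 /* assumed return address into __libc_start_main */
#define FUNC1_ADDR  0x080483dcu                 /* from the listing */
#define MAIN_ADDR   0x080483e8u
#define AFTER_CALL  0x080483fau                 /* 0x80483f5 + 5-byte call: what call pushes */

typedef struct {
    uint8_t  mem[STACK_BYTES];                  /* backs [STACK_BASE, STACK_TOP) */
    uint32_t esp, ebp, eip;
    int      faulted;                           /* an access left the mapped stack */
} cpu_t;

/* Guest address -> host pointer; a real CPU would raise SIGSEGV instead of returning NULL. */
static uint8_t *at(cpu_t *c, uint32_t addr, uint32_t len)
{
    if (addr < STACK_BASE || addr + len < addr || addr + len > STACK_TOP) { c->faulted = 1; return NULL; }
    return &c->mem[addr - STACK_BASE];
}
static void store32(cpu_t *c, uint32_t a, uint32_t v)      /* little-endian, like x86 */
{
    uint8_t *p = at(c, a, 4);
    if (p) { p[0] = v; p[1] = v >> 8; p[2] = v >> 16; p[3] = v >> 24; }
}
static uint32_t load32(cpu_t *c, uint32_t a)
{
    const uint8_t *p = at(c, a, 4);
    return p ? p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24 : 0;
}
/* The instructions the listing needs, with their exact effect on ESP/EBP/EIP. */
static void     push(cpu_t *c, uint32_t v) { c->esp -= 4; store32(c, c->esp, v); }
static uint32_t pop(cpu_t *c)              { uint32_t v = load32(c, c->esp); c->esp += 4; return v; }
static void     call(cpu_t *c, uint32_t next, uint32_t target) { push(c, next); c->eip = target; }
static void     leave(cpu_t *c)            { c->esp = c->ebp; c->ebp = pop(c); }
static void     ret(cpu_t *c)              { c->eip = pop(c); }

typedef struct {
    uint32_t main_ebp, func1_ebp;
    uint32_t arg_addr, arg;                     /* [func1_ebp+8]: the cdecl argument */
    uint32_t saved_eip, saved_ebp;              /* [func1_ebp+4] and [func1_ebp] before func1 returns */
    uint32_t local_addr;                        /* char c lives at [func1_ebp-1] */
    uint32_t eip_after_ret, final_eip;          /* where func1's ret and main's ret went (0 on fault) */
    int      faulted;
} frame_report_t;

/* Replay the listing. A non-NULL payload models an unchecked copy of payload_len
 * bytes into c, i.e. a stack buffer overflow growing toward saved EBP and saved EIP. */
static frame_report_t run_listing(const uint8_t *payload, size_t payload_len)
{
    cpu_t c = { .esp = STACK_TOP, .ebp = 0, .eip = MAIN_ADDR };
    frame_report_t r = {0};
    push(&c, LIBC_RET);                             /* pushed by libc's call to main */
    push(&c, c.ebp); c.ebp = c.esp; c.esp -= 4;     /* main: push ebp; mov ebp,esp; sub esp,0x4 */
    r.main_ebp = c.ebp;
    store32(&c, c.esp, 0x1234);                     /* mov DWORD PTR [esp],0x1234 (caller stores the arg) */
    call(&c, AFTER_CALL, FUNC1_ADDR);               /* call 80483dc <func1> */
    push(&c, c.ebp); c.ebp = c.esp; c.esp -= 0x10;  /* func1: push ebp; mov ebp,esp; sub esp,0x10 */
    r.func1_ebp = c.ebp; r.local_addr = c.ebp - 1;
    { uint8_t *p = at(&c, r.local_addr, 1); if (p) *p = 0x41; }   /* mov BYTE PTR [ebp-0x1],0x41 */
    if (payload) {                                  /* the overflow: no bounds check at all */
        uint8_t *dst = at(&c, r.local_addr, (uint32_t)payload_len);
        if (dst) memcpy(dst, payload, payload_len);
    }
    r.arg_addr  = c.ebp + 8;      r.arg = load32(&c, r.arg_addr);
    r.saved_eip = load32(&c, c.ebp + 4);
    r.saved_ebp = load32(&c, c.ebp);
    leave(&c); ret(&c);                             /* func1 epilogue: leave; ret */
    r.eip_after_ret = c.eip;
    leave(&c); ret(&c);                             /* main epilogue, using whatever EBP func1 restored */
    r.faulted = c.faulted; r.final_eip = c.faulted ? 0 : c.eip;
    return r;
}

/* Overflow c with n bytes of 'A' (0x41): 1 byte fills c, 4 more cover saved EBP, 4 more saved EIP. */
static frame_report_t run_overflow_demo(size_t n)
{
    uint8_t aaaa[64];
    if (n > sizeof aaaa) n = sizeof aaaa;
    memset(aaaa, 'A', n);
    return run_listing(aaaa, n);
}

int main(void)
{
    frame_report_t ok = run_listing(NULL, 0), ebp_only = run_overflow_demo(5), eip_too = run_overflow_demo(9);
    printf("func1 ebp=%#x arg@%#x=%#x saved_eip=%#x saved_ebp=%#x c@%#x\n", ok.func1_ebp, ok.arg_addr,
           ok.arg, ok.saved_eip, ok.saved_ebp, ok.local_addr);
    printf("clean: func1 ret -> %#x, main ret -> %#x\n", ok.eip_after_ret, ok.final_eip);
    printf("5 bytes: func1 ret -> %#x, but main's leave/ret faulted=%d\n", ebp_only.eip_after_ret, ebp_only.faulted);
    printf("9 bytes: func1 ret -> %#x (attacker controlled)\n", eip_too.eip_after_ret);
    return 0;
}
```

The 5-byte case is the one worth remembering for the exercise: an overflow that stops at saved EBP lets func1 return normally, and the crash only shows up one frame later, in main's leave/ret, which is exactly the symptom you will see in gdb when the payload is a few bytes short.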
When I get to rest 
 Compile the following program: 
cisco@kali:~/src/seccon$ pygmentize -g ch2.c 
#include <stdio.h> 
/* Three arguments, so their order on the stack is visible (cdecl: pushed right to left) */ 
int callee(int a, int b, int c) { 
char local_buf[0x20] = {0x01}; /* 32-byte local: first byte 0x01, the rest zeroed */ 
unsigned int local_int = 0xffffffff; /* easy to spot in a stack dump */ 
return 0x12345678; /* ends up in eax */ 
} 
int main(int argc, char **argv) { 
int ret = callee(0x1, 0x2, 0x3); /* main, the caller, stores the arguments and cleans them up */ 
return 0; 
} 
 To get a frame that looks like the listings in this chapter, build it 32-bit, unoptimised and without the stack protector: gcc -m32 -O0 -g -fno-stack-protector -o ch2 ch2.c. With optimisation the unused locals disappear, and with the protector a canary sits between local_buf and the saved EBP/EIP and aborts the program when you overwrite it. 
 Disassemble it 
 Understand the objdump output 
 Draw out the stack movement on paper 
 Fire up gdb and set a breakpoint on callee entry and exit. Inspect the stack. Follow ebp, esp. 
 Make sure you understand the output from “info frame”. Get the output manually 
 Overwrite callee's saved EIP. What happens when callee exits? 
 Add a function called by callee. Follow the stack 
cisco@kali:~/src/seccon$ objdump -d -j .text -M intel ch2 | grep 'callee>:' -A 40 

Gfe Mayur Vihar Call Girls Service WhatsApp -> 9999965857 Available 24x7 ^ De...srsj9000
 

Recently uploaded (20)

Gurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort service
Gurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort serviceGurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort service
Gurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort service
 
POWER SYSTEMS-1 Complete notes examples
POWER SYSTEMS-1 Complete notes  examplesPOWER SYSTEMS-1 Complete notes  examples
POWER SYSTEMS-1 Complete notes examples
 
Software and Systems Engineering Standards: Verification and Validation of Sy...
Software and Systems Engineering Standards: Verification and Validation of Sy...Software and Systems Engineering Standards: Verification and Validation of Sy...
Software and Systems Engineering Standards: Verification and Validation of Sy...
 
Design and analysis of solar grass cutter.pdf
Design and analysis of solar grass cutter.pdfDesign and analysis of solar grass cutter.pdf
Design and analysis of solar grass cutter.pdf
 
Biology for Computer Engineers Course Handout.pptx
Biology for Computer Engineers Course Handout.pptxBiology for Computer Engineers Course Handout.pptx
Biology for Computer Engineers Course Handout.pptx
 
main PPT.pptx of girls hostel security using rfid
main PPT.pptx of girls hostel security using rfidmain PPT.pptx of girls hostel security using rfid
main PPT.pptx of girls hostel security using rfid
 
Instrumentation, measurement and control of bio process parameters ( Temperat...
Instrumentation, measurement and control of bio process parameters ( Temperat...Instrumentation, measurement and control of bio process parameters ( Temperat...
Instrumentation, measurement and control of bio process parameters ( Temperat...
 
Call Us ≽ 8377877756 ≼ Call Girls In Shastri Nagar (Delhi)
Call Us ≽ 8377877756 ≼ Call Girls In Shastri Nagar (Delhi)Call Us ≽ 8377877756 ≼ Call Girls In Shastri Nagar (Delhi)
Call Us ≽ 8377877756 ≼ Call Girls In Shastri Nagar (Delhi)
 
Call Us -/9953056974- Call Girls In Vikaspuri-/- Delhi NCR
Call Us -/9953056974- Call Girls In Vikaspuri-/- Delhi NCRCall Us -/9953056974- Call Girls In Vikaspuri-/- Delhi NCR
Call Us -/9953056974- Call Girls In Vikaspuri-/- Delhi NCR
 
complete construction, environmental and economics information of biomass com...
complete construction, environmental and economics information of biomass com...complete construction, environmental and economics information of biomass com...
complete construction, environmental and economics information of biomass com...
 
Concrete Mix Design - IS 10262-2019 - .pptx
Concrete Mix Design - IS 10262-2019 - .pptxConcrete Mix Design - IS 10262-2019 - .pptx
Concrete Mix Design - IS 10262-2019 - .pptx
 
CCS355 Neural Networks & Deep Learning Unit 1 PDF notes with Question bank .pdf
CCS355 Neural Networks & Deep Learning Unit 1 PDF notes with Question bank .pdfCCS355 Neural Networks & Deep Learning Unit 1 PDF notes with Question bank .pdf
CCS355 Neural Networks & Deep Learning Unit 1 PDF notes with Question bank .pdf
 
Decoding Kotlin - Your guide to solving the mysterious in Kotlin.pptx
Decoding Kotlin - Your guide to solving the mysterious in Kotlin.pptxDecoding Kotlin - Your guide to solving the mysterious in Kotlin.pptx
Decoding Kotlin - Your guide to solving the mysterious in Kotlin.pptx
 
computer application and construction management
computer application and construction managementcomputer application and construction management
computer application and construction management
 
Exploring_Network_Security_with_JA3_by_Rakesh Seal.pptx
Exploring_Network_Security_with_JA3_by_Rakesh Seal.pptxExploring_Network_Security_with_JA3_by_Rakesh Seal.pptx
Exploring_Network_Security_with_JA3_by_Rakesh Seal.pptx
 
Electronically Controlled suspensions system .pdf
Electronically Controlled suspensions system .pdfElectronically Controlled suspensions system .pdf
Electronically Controlled suspensions system .pdf
 
TechTAC® CFD Report Summary: A Comparison of Two Types of Tubing Anchor Catchers
TechTAC® CFD Report Summary: A Comparison of Two Types of Tubing Anchor CatchersTechTAC® CFD Report Summary: A Comparison of Two Types of Tubing Anchor Catchers
TechTAC® CFD Report Summary: A Comparison of Two Types of Tubing Anchor Catchers
 
Call Girls Narol 7397865700 Independent Call Girls
Call Girls Narol 7397865700 Independent Call GirlsCall Girls Narol 7397865700 Independent Call Girls
Call Girls Narol 7397865700 Independent Call Girls
 
Gfe Mayur Vihar Call Girls Service WhatsApp -> 9999965857 Available 24x7 ^ De...
Gfe Mayur Vihar Call Girls Service WhatsApp -> 9999965857 Available 24x7 ^ De...Gfe Mayur Vihar Call Girls Service WhatsApp -> 9999965857 Available 24x7 ^ De...
Gfe Mayur Vihar Call Girls Service WhatsApp -> 9999965857 Available 24x7 ^ De...
 
9953056974 Call Girls In South Ex, Escorts (Delhi) NCR.pdf
9953056974 Call Girls In South Ex, Escorts (Delhi) NCR.pdf9953056974 Call Girls In South Ex, Escorts (Delhi) NCR.pdf
9953056974 Call Girls In South Ex, Escorts (Delhi) NCR.pdf
 

02 - Introduction to the cdecl ABI and the x86 stack

  • 1. The almighty stack. Introduction to the cdecl ABI and the x86 stack. Alex Moneger, Security Engineer
  • 2. Chapter structure
  • 3. Chapter structure
     Brief description of the x86 ISA and cdecl ABI
     Data and code segregation
     Into cdecl
     The stack frame (holy noises)
     Exercise
  • 4. Bytes and AAAAAAhhhhhSM
  • 5. All starts with ISA
     ISA stands for Instruction Set Architecture
     Specified by the CPU:
      1. Registers (i.e. eax, ebp, esp, …)
      2. Instruction set (i.e. add, sub, mov, call)
     Specifies the CPU capabilities
  • 6. The ABI
     ABI stands for Application Binary Interface
     Specified by each OS
     Can have multiple ABIs per OS
     Specifies:
       How the OS expects programs to use the ISA
       What standard binaries must adhere to in order to run on the OS
       How compilers need to compile programs to enable them to run
  • 7. The x86 cdecl ABI
     Used by Linux
     Dictates how function calls are made:
       eax holds the return value of the function
       Function parameters are pushed on the stack by the caller
       The callee is in charge of reserving space on the stack
       The callee is in charge of freeing the reserved space on the stack
     More on this later…
  • 8. Code vs Data
     In a binary, code (machine instructions) is segregated from data (values manipulated)
     In short, code is RE, data is RW
     Code (.text section, dynlibs, …) has its own space
     Data (.data section, …) has its own space
     Data and code are never mixed together:
      cisco@kali:~/src/seccon$ readelf -l ch2 | egrep -i "LOAD|Addr"
      Type     Offset   VirtAddr   PhysAddr   FileSiz MemSiz  Flg Align
      LOAD     0x000000 0x08048000 0x08048000 0x00588 0x00588 R E 0x1000
      LOAD     0x000588 0x08049588 0x08049588 0x0011c 0x00120 RW  0x1000
  • 9. What about “dynamic” data?
     What about runtime dynamic data?
     Introduce the 2 dynamic memory sections:
      1. The stack, which contains data whose size is known at compile time. It is tracked by the compiler.
      2. The heap, which contains data whose size is known at runtime. It is tracked by the libc.
     Dynamic data is marked as RW:
      cisco@kali:~/src/seccon$ readelf -l ch2 | egrep -i "STACK|Addr"
      Type      Offset   VirtAddr   PhysAddr   FileSiz MemSiz  Flg Align
      GNU_STACK 0x000000 0x00000000 0x00000000 0x00000 0x00000 RW  0x4
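An added example, not part of the slides, that turns the two readelf checks above into code: it walks a program-header table constructed to match the ch2 rows shown on slides 8 and 9, flags any LOAD segment that is both writable and executable, checks the GNU_STACK flags, and maps a code address (func1 at 0x080483dc, from the disassembly later in the deck) to the segment that holds it. The struct and constants are redeclared here to mirror <elf.h>; BAD_PHDRS is a made-up counter-example.

```c
#include <stdint.h>
#include <stdio.h>

/* Program-header layout and constants as in <elf.h>, redeclared so this builds anywhere. */
typedef struct { uint32_t p_type, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_flags, p_align; } Phdr32;
#define PT_LOAD      1u
#define PT_GNU_STACK 0x6474e551u
#define PF_X 1u
#define PF_W 2u
#define PF_R 4u

/* Constructed table reproducing the readelf -l rows shown for ch2. */
static const Phdr32 CH2_PHDRS[] = {
    { PT_LOAD,      0x000000, 0x08048000, 0x08048000, 0x588, 0x588, PF_R | PF_X, 0x1000 },
    { PT_LOAD,      0x000588, 0x08049588, 0x08049588, 0x11c, 0x120, PF_R | PF_W, 0x1000 },
    { PT_GNU_STACK, 0,        0,          0,          0,     0,     PF_R | PF_W, 0x4 },
};
#define CH2_PHDR_COUNT (sizeof CH2_PHDRS / sizeof CH2_PHDRS[0])
/* Constructed counter-example: writable+executable data segment, no GNU_STACK header. */
static const Phdr32 BAD_PHDRS[] = {
    { PT_LOAD, 0x000000, 0x08048000, 0x08048000, 0x588, 0x588, PF_R | PF_X,        0x1000 },
    { PT_LOAD, 0x000588, 0x08049588, 0x08049588, 0x11c, 0x120, PF_R | PF_W | PF_X, 0x1000 },
};
#define BAD_PHDR_COUNT (sizeof BAD_PHDRS / sizeof BAD_PHDRS[0])

/* Segments mapped both writable and executable; code/data segregation means 0. */
static int count_wx_segments(const Phdr32 *ph, size_t n) {
    int wx = 0;
    for (size_t i = 0; i < n; i++)
        if ((ph[i].p_flags & (PF_W | PF_X)) == (PF_W | PF_X)) wx++;
    return wx;
}

/* 1 if the stack is executable: GNU_STACK carries PF_X, or there is no GNU_STACK
 * header at all (in which case the Linux x86 loader defaults to an executable stack). */
static int stack_is_executable(const Phdr32 *ph, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (ph[i].p_type == PT_GNU_STACK) return (ph[i].p_flags & PF_X) != 0;
    return 1;
}

/* Index of the PT_LOAD segment whose memory image covers addr, or -1 (e.g. stack addresses). */
static int segment_for_addr(const Phdr32 *ph, size_t n, uint32_t addr) {
    for (size_t i = 0; i < n; i++)
        if (ph[i].p_type == PT_LOAD && addr >= ph[i].p_vaddr && addr < ph[i].p_vaddr + ph[i].p_memsz)
            return (int)i;
    return -1;
}

int main(void) {
    int seg = segment_for_addr(CH2_PHDRS, CH2_PHDR_COUNT, 0x080483dc);   /* <func1> from slide 15 */
    printf("ch2: W+X segments=%d exec stack=%d; func1 is in segment %d (flags 0x%x)\n",
           count_wx_segments(CH2_PHDRS, CH2_PHDR_COUNT), stack_is_executable(CH2_PHDRS, CH2_PHDR_COUNT),
           seg, seg < 0 ? 0u : CH2_PHDRS[seg].p_flags);
    printf("bad: W+X segments=%d exec stack=%d\n",
           count_wx_segments(BAD_PHDRS, BAD_PHDR_COUNT), stack_is_executable(BAD_PHDRS, BAD_PHDR_COUNT));
    return 0;
}
```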
  • 10. Introducing the stack
     The stack is a LIFO structure. It grows towards lower addresses
     The stack holds the return address (where the program needs to ret following a call)
     Each function gets a space where it can store its local data => the stack frame
     The amount of local storage a function needs determines the size of the stack frame
     When the function exits, the stack frame is removed (popped) from the stack
  • 11. Stack: the high level view
     Pseudocode:
      cisco@kali:~/src/seccon$ pygmentize -g ch2-pc.c
      void func3(void) { }
      void func2(void) { }
      void func1(void) { func2(); func3(); }
      int main(void) { func1(); }
     Stack
      [Stack diagram: top of stack (high address, i.e. 0xbfffffff); frames from the top down: int main(void), void func1(void), then void func2(void) / void func3(void)]
  • 12. I’m ESP, I’m really special
     By convention, special registers are used to manage the stack:
      1. EBP, the stack base pointer:
         Used to index function parameters and local variables
         Does not move during the life of the stack frame
      2. ESP, always indexes the top of the stack
         Controlled by pop, push instructions
         Shifted down the stack at function entry to reserve space for local variables
      cisco@kali:~/src/seccon$ pygmentize -g ch2-ex.asm
      push 0x01020304
      push 0xffffffff
      pop eax
      pop ebx
      [Stack diagram: the frame of void func1(void), with EBP fixed and ESP moving as 0x01020304 and 0xffffffff are pushed and then popped]
  • 13. Unwinding the frame
     On function exit, the stack frame is removed
     But how much space to remove?
     But how does the code know where to return?
     Enter Saved EBP and, mostly, Saved EIP
     Saved EBP remembers where the previous frame pointer was
     Saved EIP tells the ret instruction where to return:
       ret = pop eip; jmp eip
  • 14. Unwinding the frame - 2
     On function return:
       esp = ebp => remove all local storage
       pop ebp => set the base stack pointer to the previous frame
       leave = mov esp, ebp; pop ebp
     Called the function epilogue:
      mov esp,ebp
      pop ebp
      ret
     or, equivalently:
      leave
      ret
  • 15. Example: Winding the stack
      cisco@kali:~/src/seccon$ pygmentize -g ch2-pc.c
      void func1(int a) { // 0x080483dc
          char c = 'A';
      }
      int main(void) { // 0x080483e8
          func1(0x1234);
      }
      dahtah@kali:~/src/seccon$ objdump -d -j .text -M intel ch2-pc2 | grep 'func1>:' -A 15
      080483dc <func1>:
       80483dc: 55                   push ebp
       80483dd: 89 e5                mov ebp,esp
       80483df: 83 ec 10             sub esp,0x10
       80483e2: c6 45 ff 41          mov DWORD PTR [ebp-0x4],0x41
       80483e6: c9                   leave
       80483e7: c3                   ret
      080483e8 <main>:
       80483e8: 55                   push ebp
       80483e9: 89 e5                mov ebp,esp
       80483eb: 83 ec 04             sub esp,0x4
       80483ee: c7 04 24 34 12 00 00 mov DWORD PTR [esp],0x1234
       80483f5: e8 e2 ff ff ff       call 80483dc <func1>
       80483fa: c9                   leave
       80483fb: c3                   ret
     Stack
      [Stack diagram: top of stack (high address, i.e. 0xbfffffff); cells labelled Saved EIP of main, Saved EBP – (stack frame -1), 0x1234, 0x080483e8, 0xbffff6b4, 0x00000041 and 0x00000000 padding; markers EBP=0xbffff6c4 (main), EBP=0xbffff6b4 (func1) and ESP]
  • 16. Example: Unwinding the stack
     Same pseudocode and objdump output as slide 15.
     Stack
      [Stack diagram: same cells as slide 15, with ESP shown at each step of leave and ret as func1's frame is removed and EBP returns to 0xbffff6c4]
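An added example, not from the slides, that models slides 15 and 16 in C: a 64-byte array stands in for the stack, esp/ebp/eip are tracked explicitly, and the push, call, prologue, leave and ret steps from the objdump listing are replayed so the frame layout ([ebp+8] argument, [ebp+4] saved EIP, [ebp] saved EBP, [ebp-4] local) and the unwinding can be checked. STACK_TOP and the window size are constructed values; the code addresses are the ones in the listing.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stack window; code addresses are those of the slide's objdump. */
#define STACK_TOP   0xbffff6d0u   /* first address above the modelled window */
#define STACK_BYTES 64u
#define FUNC1_ADDR  0x080483dcu   /* <func1> */
#define RET_TO_MAIN 0x080483fau   /* instruction after "call 80483dc <func1>" */

typedef struct {
    uint8_t  mem[STACK_BYTES];    /* mem[0] models address STACK_TOP - STACK_BYTES */
    uint32_t esp, ebp, eip;
} Cpu;

/* 32-bit slot at a stack address inside the window. */
static uint32_t *slot(Cpu *c, uint32_t addr) {
    return (uint32_t *)&c->mem[addr - (STACK_TOP - STACK_BYTES)];
}
static void     push(Cpu *c, uint32_t v) { c->esp -= 4; *slot(c, c->esp) = v; }
static uint32_t pop(Cpu *c) { uint32_t v = *slot(c, c->esp); c->esp += 4; return v; }

/* call: push the address of the next instruction, then jump to the target. */
static void call(Cpu *c, uint32_t target, uint32_t next) { push(c, next); c->eip = target; }
/* Prologue: push ebp; mov ebp,esp; sub esp,<locals>. */
static void prologue(Cpu *c, uint32_t locals) { push(c, c->ebp); c->ebp = c->esp; c->esp -= locals; }
/* Epilogue: leave (mov esp,ebp; pop ebp) then ret (pop eip). */
static void leave_ret(Cpu *c) { c->esp = c->ebp; c->ebp = pop(c); c->eip = pop(c); }

/* Replays main() up to func1's local store (slide 15); returns func1's ebp. */
static uint32_t wind_func1(Cpu *c) {
    memset(c, 0, sizeof *c);
    c->esp = STACK_TOP;
    prologue(c, 0x4);                  /* main:  push ebp; mov ebp,esp; sub esp,0x4 */
    *slot(c, c->esp) = 0x1234;         /* main:  mov DWORD PTR [esp],0x1234 */
    call(c, FUNC1_ADDR, RET_TO_MAIN);  /* main:  call 80483dc <func1> */
    prologue(c, 0x10);                 /* func1: push ebp; mov ebp,esp; sub esp,0x10 */
    *slot(c, c->ebp - 4) = 0x41;       /* func1: c = 'A' stored at [ebp-0x4] */
    return c->ebp;
}

/* func1 returns (leave; ret); gives back the new eip, i.e. where execution resumes. */
static uint32_t unwind_func1(Cpu *c) { leave_ret(c); return c->eip; }

int main(void) {
    Cpu c;
    uint32_t ebp = wind_func1(&c);
    printf("func1 frame: [ebp+8]=0x%x [ebp+4]=0x%08x [ebp]=0x%08x [ebp-4]=0x%x esp=0x%08x\n",
           *slot(&c, ebp + 8), *slot(&c, ebp + 4), *slot(&c, ebp), *slot(&c, ebp - 4), c.esp);
    uint32_t eip = unwind_func1(&c);
    printf("after leave;ret: eip=0x%08x ebp=0x%08x esp=0x%08x [esp]=0x%x\n",
           eip, c.ebp, c.esp, *slot(&c, c.esp));
    return 0;
}
```

Note that after ret the argument 0x1234 is still at [esp]: in cdecl the callee only frees its own locals, and main's own leave discards the argument slot.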
  • 17. Enough theory
     Noticed something juicy in the stack process?
     If an attacker controls saved EIP, he controls the program flow
     Buffer overflow = saved EIP control. That’s it.
     Go play!
  • 18. When I get to rest
     Compile the following program:
      cisco@kali:~/src/seccon$ pygmentize -g ch2.c
      #include <stdio.h>
      int callee(int a, int b, int c) {
          char local_buf[0x20] = {0x01};
          unsigned int local_int = 0xffffffff;
          return 0x12345678;
      }
      int main(int argc, char **argv) {
          int ret = callee(0x1, 0x2, 0x3);
          return 0;
      }
     Disassemble it:
      cisco@kali:~/src/seccon$ objdump -d -j .text -M intel ch2 | grep 'callee>:' -A 40
     Understand the objdump output
     Draw out the stack movement on paper
     Fire up gdb and set a breakpoint on callee entry and exit. Inspect the stack. Follow ebp, esp.
     Make sure you understand the output from “info frame”. Get the output manually
     Overwrite callee’s saved EIP. What happens when callee exits?
     Add a function called by callee. Follow the stack