Intro Binary Exploitation

This document discusses binary exploitation and assembly language. It covers basic assembly instructions and concepts like registers, data movement instructions, arithmetic instructions, and control flow instructions. It also discusses tools for binary analysis like file, strings, objdump, and the GNU debugger GDB.

Uploaded by

Taha Marweni

Binary Exploitation

Jake Smith and Mariah Kenny


University of Virginia
Assembly
Credit: Most slides taken from Collin Berman and Cyrus Malekpour’s
Modern Security Topics class at UVA in Spring 2017
Basics
• The lowest-level programming language
• Step-by-step instructions for the CPU
• What a compiled program consists of
• Two syntaxes: Intel and AT&T
(Data Movement) Instructions

Credit: Modern Security Topics, Spring 2017 at UVA


Levels of Abstraction
Registers
● EAX, EBX, ECX, EDX
○ Common general-purpose registers
● ESP
○ Stack pointer, points to the “top” of the current stack frame
● EBP
○ Stack base pointer, points to the “bottom” of the current stack frame
● EIP
○ Points to the location of the current instruction in memory
● EFLAGS
○ Contains flag bits (zero flag, carry flag, sign flag, etc.)
Credit: Modern Security Topics, Spring 2017 at UVA
Registers
(Arithmetic) Instructions

Credit: Modern Security Topics, Spring 2017 at UVA


(Control Flow) Instructions

Credit: Modern Security Topics, Spring 2017 at UVA


Credit: Modern Security Topics, Spring 2017 at UVA
Your First Program
Run: gcc -m32 -o simple simple.s
# compiles the program

Run: ./simple
1
# runs the program

Credit: Modern Security Topics, Spring 2017 at UVA

Your Second Program
Run: gcc -m32 -o arg arg.s
# compiles the program

Run: ./arg stuff
stuff
# runs the program

Credit: Modern Security Topics, Spring 2017 at UVA


Basic Binary Analysis
file
• Looks at the “magic bytes”: the first few bytes of the file
• Compares that byte sequence against known signatures to determine the file type
• ELF = Executable and Linkable Format
• Executable/ELF file:
○ Magic: 7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00
• Syntax: file <filename>
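To show what `file` actually does with those magic bytes, here is an added example (not code from the slides or from the `file` utility) that decodes the 16-byte ELF identification block plus the two header fields that follow it. The sample inputs are constructed: the first is the e_ident sequence from the slide followed by an x86-64 executable's e_type/e_machine, the second a 32-bit i386 shared object, the third a shell script with no ELF magic at all. The field values (EI_CLASS, EI_DATA, e_type, e_machine codes) are from the ELF specification; the output string format imitates `file`'s wording.

```python
import struct

# ELF identification bytes (e_ident) and the two header fields that follow.
# Field codes below are from the ELF specification.
ELF_MAGIC = b"\x7fELF"                      # 7f 45 4c 46
EI_CLASS = {1: "32-bit", 2: "64-bit"}
EI_DATA = {1: "LSB", 2: "MSB"}              # little-endian / big-endian
EI_OSABI = {0: "SYSV", 3: "GNU/Linux"}
E_TYPE = {1: "relocatable", 2: "executable", 3: "shared object", 4: "core file"}
E_MACHINE = {3: "Intel 80386", 62: "x86-64"}

# Constructed sample inputs (not real files from the slides):
#  - the 16 e_ident bytes shown on the slide, followed by e_type/e_machine
#    for a 64-bit little-endian x86-64 executable
#  - a 32-bit little-endian i386 shared object (what gcc -m32 -pie produces)
#  - a shell script, which has no ELF magic at all
SAMPLE_ELF64 = bytes.fromhex("7f454c46020101000000000000000000") + bytes.fromhex("02003e00")
SAMPLE_ELF32 = bytes.fromhex("7f454c46010101000000000000000000") + bytes.fromhex("03000300")
SAMPLE_SCRIPT = b"#!/bin/sh\necho hello\n"


def parse_elf_ident(data: bytes) -> dict:
    """Inspect the first 20 bytes of a file the way `file` starts to.

    Returns {'is_elf': False, 'reason': ...} for non-ELF input, otherwise the
    decoded class, byte order, version, OS ABI, object type and machine.
    """
    if len(data) < 4 or data[:4] != ELF_MAGIC:
        return {"is_elf": False, "reason": "no ELF magic"}
    if len(data) < 20:
        return {"is_elf": False, "reason": "truncated header"}
    ei_class, ei_data, ei_version, ei_osabi = data[4], data[5], data[6], data[7]
    if ei_data not in EI_DATA:
        return {"is_elf": False, "reason": f"invalid EI_DATA {ei_data}"}
    # e_type and e_machine are 16-bit fields whose byte order is declared by
    # EI_DATA, so they must be decoded with the endianness the header itself states.
    endian = "<" if ei_data == 1 else ">"
    e_type, e_machine = struct.unpack(endian + "HH", data[16:20])
    return {
        "is_elf": True,
        "class": EI_CLASS.get(ei_class, f"invalid({ei_class})"),
        "data": EI_DATA[ei_data],
        "version": ei_version,
        "osabi": EI_OSABI.get(ei_osabi, f"other({ei_osabi})"),
        "type": E_TYPE.get(e_type, f"other({e_type})"),
        "machine": E_MACHINE.get(e_machine, f"other({e_machine})"),
    }


def file_summary(data: bytes) -> str:
    """One-line description in the style of `file`'s output for ELF inputs."""
    info = parse_elf_ident(data)
    if not info["is_elf"]:
        return f"not an ELF file ({info['reason']})"
    return (f"ELF {info['class']} {info['data']} {info['type']}, "
            f"{info['machine']}, version {info['version']} ({info['osabi']})")


if __name__ == "__main__":
    for name, blob in [("elf64", SAMPLE_ELF64), ("elf32", SAMPLE_ELF32), ("script", SAMPLE_SCRIPT)]:
        print(f"{name}: {file_summary(blob)}")
```

The point worth noticing for the crackme exercise is that class, byte order and object type (executable versus shared object, which is what a PIE binary reports as) all come from the header before a single instruction is disassembled; the real `file` goes on to read program headers and notes, which this example does not.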
file: CTF Problem
• Run file on crackme1
• What information can we deduce about the program?
strings
• Outputs all printable strings in the program
• Useful to see what you can deduce about the program and its contents
• Syntax: strings <filename>
strings: CTF Problem
• You are given the executable: crackme1
• Use strings to find out what the flag probably is.
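The `strings` slide and the CTF problem above both rest on one idea: a binary is scanned for runs of printable bytes, and anything a program stores as an unencoded literal falls out. The following added example (not code from the slides or from GNU binutils) reimplements that scan and a `grep`-style filter over its results. The input is a constructed stand-in for a small crackme, a few header and opcode bytes with NUL-terminated literals laid out as a compiler would place them; the `flag{` prefix used in the filter is an assumption, since the slides do not give a flag format.

```python
import re

# Byte classes GNU strings treats as printable by default: ASCII 0x20-0x7e and tab.
def _is_printable(b: int) -> bool:
    return 0x20 <= b <= 0x7E or b == 0x09


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Return every run of at least min_len printable bytes, in file order.

    Runs are terminated by any non-printable byte (NUL, opcodes, etc.), so a
    literal that a program stores unmodified in .rodata shows up whole.
    """
    found = []
    run = bytearray()
    for b in data:
        if _is_printable(b):
            run.append(b)
            continue
        if len(run) >= min_len:
            found.append(run.decode("ascii"))
        run.clear()
    if len(run) >= min_len:           # a run can end at EOF with no terminator
        found.append(run.decode("ascii"))
    return found


def grep_strings(data: bytes, pattern: str, min_len: int = 4) -> list:
    """Filter extracted strings by a regular expression, like `strings f | grep`."""
    rx = re.compile(pattern)
    return [s for s in extract_strings(data, min_len) if rx.search(s)]


# Constructed stand-in for a tiny crackme binary: an ELF magic, a few x86
# opcode bytes, and NUL-terminated literals as a compiler would lay them out.
SAMPLE_BINARY = (
    b"\x7fELF\x01\x01\x01\x00" + b"\x00" * 8
    + b"\x55\x89\xe5\x83\xec\x10"                # push ebp; mov ebp,esp; sub esp,0x10
    + b"Enter password: \x00"
    + b"s3cr3t_p4ss\x00"
    + b"flag{constructed_sample_flag}\x00"
    + b"ok\x00"
    + b"Wrong!\x00"
)

if __name__ == "__main__":
    for s in extract_strings(SAMPLE_BINARY):
        print(s)
    print("flag candidates:", grep_strings(SAMPLE_BINARY, r"flag\{"))
```

Two details matter when reading the output: the default minimum length of 4 hides short runs such as "ELF" or "ok" (lowering it recovers them at the cost of noise, since stray opcode bytes like 0x55 are printable too), and the scan only ever finds literals kept in plain ASCII; a program that builds or decodes its strings at runtime shows nothing useful here, which is why the later slides move on to objdump and gdb.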
objdump
• Outputs information from “object files”
• objdump -d: prints the disassembly of the program
• objdump -t: prints the symbol table (headers, function names, etc.)
• Example syntax: objdump -d <filename>
objdump: CTF Problem
• Run objdump -d and objdump -t on game
• What are some interesting function calls?
• What can we infer from these?
GDB
Basics
• Command-line debugger
• Specifically the GNU debugger
○ “GNU” is the project whose toolchain (the gcc compiler and related tools) includes the debugger gdb
• It lets you see what is going on ‘inside’ the program while it executes
Basics
• Lets us control the execution of the program
• Ability to pause, resume, inspect the values of variables, change variable values, etc.
• If the program crashes, the debugger can tell you exactly where it crashed
Commands
• To open a file in gdb: gdb <filename>
• Once in gdb, to run the program: run or r
• To see the current and surrounding source lines: list
• To see the list of function calls that led to the current point in the program: backtrace or bt (important command!)
Frames
• To move to a higher frame: up
• To move down a frame: down
• These let you move up and down the call stack (of nested function calls)
Breakpoints
• Pausing the program at a specific place (a specific line or the start of a function)
• These locations in a program where execution pauses are called “breakpoints”
• You must use code that executes; it cannot be a comment, etc.
Breakpoints
• break or b followed by where you want to pause
○ Function name: b my_function
○ Line number: b 13
• To see info about breakpoints: info breakpoints or info break
Breakpoints
• To remove all breakpoints: delete or d
• To remove a specific breakpoint: d 2 (by breakpoint number) or clear my_func (by location)
• Temporary breakpoint, removed after its first hit: tbreak
Controlling Execution
• Execute line by line
• step (s) steps into a called function
• next (n) steps over the function call and brings you to the line after it
• continue (c) resumes execution until the next breakpoint
Variables
• To see the value of a variable or expression: print or p followed by the variable name
• If var is a pointer or address: print *<var> prints the value that the address references
• To see all local variables: info locals (and info args for the function's arguments)
Display
• To auto-display a variable's value after each stop: display <var>
• To show all expressions currently on display: display
• To remove a variable from display: undisplay <display #>
GDB PEDA
• Python Exploit Development Assistance for GDB (more colorful and helpful)
• To download:
○ git clone https://github.com/longld/peda.git ~/peda
○ echo "source ~/peda/peda.py" >> ~/.gdbinit
Practice
• Goal: find the flag
• Open the program in gdb: gdb animal1.exe
• Set breakpoints at main or any interesting functions (b main, etc.) or use disas main
• Run the program (run)
• Use step (s) and next (n) to move through the program
Questions?
