vault backup: 2025-01-30 09:27:31
Penetration Testing/Week 15/Week 15 - Buffer Overflow.md
@@ -0,0 +1,64 @@
# What is Buffer Overflow
- Buffer is a sequential allocated for anything from strings to integers
- Buffer overflow is when more data is trying to be stored than what is allocated
- Writing outside the bounds of a block can crash an application, corrupt data, or cause the ability to execute malicious code remotely
- Languages such as Java provide automatic checking of buffer bounds, however C does not.
# How Are Overflow Bugs Found?
If source code is available:
- Source code audit / review
If source code not available:
- Reverse engineering
- Fuzzing
- Interactive debugger
- Patience
# X86 Architecture
- CU gets instructions executed from RAM via Instruction Pointer (EP)
- ALU executes instructions fetched from RAM by CU and stores results in Registers
- Registers are the CPU's basic storage data units used to save time and needless RAM access.
## Registers
- EAX – Accumulator (stores function return values and used by addition and multiplication)
- EBX - Base pointer to the data section
- ECX - Counter for string and loop operations
- EDX - I/O pointer
- ESI - Source pointer for string operations
- EDI - Destination pointer for string operations
- ESP - Stack pointer (last item on the stack)
- EBP - Stack frame base pointer and reference to arguments and local variables
- EIP - Pointer to the next instruction to execute (“instruction pointer”)
### Segment Registers
- CS : Holds the address to the Code segment of the program
- DS : Holds the address to the Data segment of the program
- SS : Holds the address to the Stack segment of the program
- ES,FS,GS : Hold the address to the extra segments
### Flags
- Zero Flag (ZF) - Set if the result of some instruction is zero; cleared otherwise.
- Sign Flag (SF) - Set equal to the most-significant bit of the result, which is the sign bit of a signed integer. (0 indicates a positive value and 1 indicates a negative value)
- Carry Flag (CF): Set if an arithmetic operation generate a carry or a borrow out of the most significant bit of the result, cleared otherwise
- Parity Flag (PF): Set if the least-significant byte of the result contains an even number of 1 bit, cleared otherwise.
- Overflow Flag (OF): Set if the integer result is too large a positive number or too small a negative number, excluding the sign bit, to fit in the destination operand, cleared otherwise. This flag indicates an overflow condition for signed-integer that is two’s complement arithmetic.
- 
### Push / Pop
PUSH src
- src operand can be a register or immediate
- In a DWORD scenario, the PUSH instruction automatically decrements the stack pointer by 4, i.e., sp <- sp-4
POP src
- Src operand can be a register
- In a DWORD scenario, the POP instruction automatically takes a DWORD off the stack, puts in a register and increments the stack pointer by 4, i.e., sp <- sp+4
#### Examples of PUSH / POP


||||