Binary Exploitation
Hello all, back again with a new topic which I’m currently focusing on.
Today we will be looking at
- How a Program runs
- Brief about Heap and Stack
- Segmentation Fault…
- Digging more into it…
Let’s begin with how a program runs…
when we write a program it is a worthless plain text until it is compiled. When we compiled it become executable and can able to run. While running a program it comes to memory and our program runs by one by one instructions.
The above picture explains how a typical compiled memory looks like. Generally Stack starts from Higher Memory Address to Lower Memory Address. There are two instructions are in stack which are push and pop.
Stack is a data structure where instructions takes place. It is in the order of LIFO (Last In First Out)
Heap is also a data structure where the memory allocation is random and manually allocated by us.
How Stack Grows ???
esp -extended Stack Pointer which points top of the stack when a value is added to stack the esp increases its size upward lower to higher memory and pops a value the assembler decreases value of esp hereby stack shrinks back into it.
ebp -Extended base Pointer
It is a 32-bit register is used to reference all the function parameters and local variables in the current stack frame. when a function is called When you call a function, a space is reserved on the stack for local variables. So EBP will point top of stack for this frame, and ESP will point next available byte on the stack.
eip -Extended Instruction Pointer
A poiner which points to the next instruction’s return(memory) address RET2WIN attacks are done by re-writing the eip’s address
What is Segmentation Fault???
In a word, A segmentation fault error can occur when we try to access the violated or out of bound memory address
#include <stdio.h>void func_call(){
printf("This is a function");
}int main(){
printf("The below string is from a function");
func_call()
return 0;
}
when we make a objdump looks as follows… (Note i took only the fun_call( ) and main function)
0000054d <func_call>:
54d: 55 push %ebp
54e: 89 e5 mov %esp,%ebp
550: 53 push %ebx
551: 83 ec 04 sub $0x4,%esp
554: e8 60 00 00 00 call 5b9 <__x86.get_pc_thunk.ax>
559: 05 7b 1a 00 00 add $0x1a7b,%eax
55e: 83 ec 0c sub $0xc,%esp
561: 8d 90 6c e6 ff ff lea -0x1994(%eax),%edx
567: 52 push %edx
568: 89 c3 mov %eax,%ebx
56a: e8 61 fe ff ff call 3d0 <printf@plt>
56f: 83 c4 10 add $0x10,%esp
572: 90 nop
573: 8b 5d fc mov -0x4(%ebp),%ebx
576: c9 leave
577: c3 ret
00000578 <main>:
578: 8d 4c 24 04 lea 0x4(%esp),%ecx
57c: 83 e4 f0 and $0xfffffff0,%esp
57f: ff 71 fc pushl -0x4(%ecx)
582: 55 push %ebp
583: 89 e5 mov %esp,%ebp
585: 53 push %ebx
586: 51 push %ecx
587: e8 2d 00 00 00 call 5b9 <__x86.get_pc_thunk.ax>
58c: 05 48 1a 00 00 add $0x1a48,%eax
591: 83 ec 0c sub $0xc,%esp
594: 8d 90 84 e6 ff ff lea -0x197c(%eax),%edx
59a: 52 push %edx
59b: 89 c3 mov %eax,%ebx
59d: e8 3e fe ff ff call 3e0 <puts@plt>
5a2: 83 c4 10 add $0x10,%esp
5a5: e8 a3 ff ff ff call 54d <func_call>
5aa: b8 00 00 00 00 mov $0x0,%eax
5af: 8d 65 f8 lea -0x8(%ebp),%esp
5b2: 59 pop %ecx
5b3: 5b pop %ebx
5b4: 5d pop %ebp
5b5: 8d 61 fc lea -0x4(%ecx),%esp
5b8: c3 ret- The middle part are the instructions in the assembly the very right portion are belongs to the parameters which are takes place during the execution
- When we have a look at the above dump It seems main doesnt push anything from it. So func_call() doesnt need any arguments.
- call instructions will save the return address very next to the instruction pointer so that it can’t visible on code
Hope you learnt new from this. If i left anything plz le me know…
