Doing well in COMP6447, according to Andrew


FYI

  • If you don't know the function parameters, open up the man page for that function / command

  • Function calls often "return" their results by setting EAX to the result

    • You might not see any sort of mov eax, ___ operation in the caller; the result may be placed in EAX inside the called function

Ye average stacc

     calling  >|                   |                    $ebp $esp
     function >|                   |                      +    +
               |                   |                      |    |
               |- - - - - - - - - -|                      |    |
+------var_0-> |    RETURN ADDR    | <-ebp+0x4------------+    |
+------var_4-> |      OLD EBP      | <-ebp----------------+    |
+------var_8-> |       VARS        | <-ebp-0x4------------+    |
+------var_c-> |       VARS        | <-ebp-0x8------------+    |
               |        ...        | <=========================/
  • The ebp register points to an address that contains the previous EBP
    • This register (should) only change when a function enters/exits
  • The esp register points to the current position (the top of the stack)
  • When a function exits (ret instruction), it automatically pops the return address off the stack and jumps to it

Note: esp points to the last used stack address. In x86, it is the responsibility of the user/compiler to move the stack pointer before adding data.


Buffer Overflows

  • Variables defined in a function are allocated in the reverse order

    • A local variable can only be overwritten by a buffer overflow if the buffer is defined BEFORE it
  • Find the number of bytes needed to pad by subtracting one memory offset from the other


Binary Ninja

  • var_XXX (Binary Ninja) is in HEXADECIMAL.

    • var_20 is 0x20 (32)
  • Be consistent when working with offsets

    • There are offsets to ebp (i.e. ebp-...)
    • And offsets to the return address (i.e. var_...)
    • Make sure not to mix the two, else you might be off by a few bytes :)
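A small offset calculator for the two points above (hex var_ names, and not mixing var_ offsets with ebp offsets), written for these notes and not part of the course material. It assumes the layout in the stack diagram above, where var_0 is the return address at ebp+0x4, so address(var_N) = ebp + 4 - N; the var names in the usage section are constructed.

```python
import re
import struct

# Binary Ninja names stack slots var_N, where N is a HEXADECIMAL distance
# below the return address (var_0).  Assumed layout (from the diagram):
#   address(var_N) = ebp + 4 - N
_VAR_RE = re.compile(r"^var_([0-9a-fA-F]+)$")


def var_to_int(name: str) -> int:
    """'var_20' -> 0x20 (32), not 20.  Rejects anything that is not a var_ name,
    so an ebp-style offset cannot slip in by accident."""
    m = _VAR_RE.match(name)
    if not m:
        raise ValueError(f"not a Binary Ninja var_ name: {name!r}")
    return int(m.group(1), 16)


def var_to_ebp_offset(name: str) -> int:
    """Convert a var_ name to an ebp-relative offset (negative = below ebp)."""
    return 4 - var_to_int(name)


def ebp_offset_to_var(offset: int) -> str:
    """Inverse conversion: ebp-0x1c -> 'var_20'."""
    return f"var_{4 - offset:x}"


def padding(buffer_var: str, target_var: str) -> int:
    """Bytes written from the start of buffer_var before target_var is reached.
    Both arguments must be var_ names (same offset system, as the notes say)."""
    dist = var_to_int(buffer_var) - var_to_int(target_var)
    if dist < 0:
        # A larger var_ number means a lower address; a buffer only grows upwards.
        raise ValueError(f"{target_var} lies below {buffer_var}; an overflow cannot reach it")
    return dist


def p32(value: int) -> bytes:
    """pwntools' p32 without pwntools: 32-bit little-endian packing."""
    return struct.pack("<I", value & 0xFFFFFFFF)


if __name__ == "__main__":
    # Constructed example: a buffer at var_2c, an int at var_10, return address at var_0.
    print(padding("var_2c", "var_10"))   # 28
    print(padding("var_2c", "var_0"))    # 44
    print(var_to_ebp_offset("var_2c"))   # -40, i.e. ebp-0x28
    print(p32(0xDEADBEEF))               # b'\xef\xbe\xad\xde'
```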

pwntools

Some useful functions

  • p = process(path) / remote(host, port)
    • .interactive() - give user control of the process
    • .pause() - useful if you need to attach to the process before anything happens
  • p32(value) - Convert a value to 32-bit little-endian format
  • ELF(path)
    • .symbols[functionName] - Find the address of a function

Also, if you add DEBUG as a script argument (i.e. python script.py DEBUG) you'll see some extra stuff!


Try Hard, Then Try Harder

This course can be tricky.

Looking at assembly code sucks, and the added pressure of finding the vulnerability to a binary during an exam can be daunting.
If you can't identify the vulnerability, try again.

Maybe it looks like a certain vulnerability but it's actually a different one; maybe you're looking at the wrong spot; maybe you have a bug in your tooling?
Make sure to start your labs / wargames early to account for these things.


Find Your Pattern

As you do each set of wargames, you'll probably realise that you're searching for certain 'signatures' / cOdE sMeLls.
If you think more abstractly than that,

Know Your Tools

Get acquainted with the tools that you most frequently use.

These are probably

In this course you're allowed to use whatever tool you can find online - as long as it's a tool and not the entire solution.

These are the tools I used during the course: Useful Tools

Make Your Own Tools

You may find yourself typing in the same command and options, or perhaps writing the same chunk of code in your pwntools exploit chain, over and over again.
Why not make a shortcut/alias to do that, or use some of mine

Cheat Sheets!

Make your own.


Be Involved

Take part in class and course discussions; one way to consolidate your understanding is to help others!

Join the #cs6447 channel on the SECedu Slack, and also your class channel!

EDIT: With COVID-19 as well, studying from home can be lonely.
Find some people to study with, and if you can't physically do that, try to be as digitally connected as you can!


Be Keen, Keen Bean

Another way to learn is to go further with the stuff you're learning!
Take part in Capture The Flag competitions, go to some security conferences; maybe break some of your old COMP1511 programs?