14 hours 26 minutes

Video Description

This lesson covers the general service registers:

  1. EIP: instruction pointer
  2. ESP: Base pointer
  3. ESI: Source Index
  4. EDI: Destination Index
  5. EAX: Accumulator
  6. EBX: Base
  7. ECX: Counter
  8. EDX: Data

General Service Registers help programmers keep track of where they are in the memory stack frame. This lesson also covers calling another function.

Video Transcription

you may have noticed that typically in this class, I've just left the slides for you for reference. We haven't really looked at them too much, but in this case, when you exploit development, there is a little bit of background I need to give you from the flies. Have plenty more slides for the section other than the ones we're going to look at.
So by all means do you take a look at them for your reference? And she worked through it.
Those take a look at a few little reference lives before we begin the hands on portion of exploit development
here on the 1st 1 We do have a somewhat dumbed down version of what a program looks like in memory.
You're familiar with this already? You'll notice some of the sections actually, aren't there like there's a B s s section for non initialized data that's not shown here in the pictures. That is not a complete picture. But what we're interested in, particularly is the stack. That's where we're going to be doing our
actually development. We're going to stick to stack based buffer overflows.
There are certainly other kinds of memory corruption exploits but we're just going to look at the basics of stack ways, but for overflows. So we are particularly interested in the section here stack
Modus. That stack starts at high memory and grows towards lower memory so you can think about it. It was kind of upside down, and if you forget that when we actually look at memory will be reminded of that. But
hi, I'm Emory. To low memory
is the stack.
Also, we need to know a little bit about our registers. You think of registers is just a place to store data in the sea for you, for us to use it on. The registers are going to depend on your platform here working with mobile phones and you have an arm chip you're registered will be a bit different than what we see here.
These are X 86
register, So he i p e s p e v p So on and so forth. E e is for extended basically took me
16 bit registers and put me on the front of them and made them extended for a 32 bit.
And we actually really only have two for this section.
No the 1st 3 e i p E S, P and E v p. We will see an exercise that uses S I
on dhe. If you continue an exploit development, you'll certainly end up using the others. But our most important ones are E I P S P and E V P v. I. P is our sort of holy grail for exploit development. The i p the extended instruction pointer.
It holds the memory address of the next instruction to be executed by the CPU.
If our goal is to take control of the CPU and make it execute code on our behalf, having control of the I p. Seems like exactly what we should be after that. Indeed it is.
ESPN e v v extended stack pointer and extended base pointer. Those are the top and the bottom of the stack, respectively. S P pointing to the currents, back frames,
top or Louis memory address. Remember, the stack is basically upside down an EVP. The base is the bottom
with highest memory address. So keeps track of where we are in the stack in memory, where stack frame is
again, there will be an exercise uses e sa
and you know, we'll see the other ones those We look at memory and look at what's in the registers. But really the only three that are very important to us. And we need to know what they do are the top three E I. P S P and E V p.
So the stack give This is the one that we are looking at here. We're going to do stack baseball for overflows.
So it is a last in first out. Or I guess, if we were going to get technical with computer science, Jared and I believe they say
first in last out or
last in first out. I'm not sure whichever you think of it both ways,
but you can just think of it as a stack of one. Strange in the last one that is put on by a cafeteria worker that's clean is the 1st 1 that is picked up by a patron. You have to kind of jumble things around if you want to do it any other way and same way with the stack. If you want to take something off a stack, you only have one choice. It being
the thing is currently on the top
and likewise, if you want to put something on to the stack, you have to put it on at the top. You can't dis insert it wherever you feel like. Certainly there are ways of addressing other parts of memory. But using the push and pop instructions,
push, Push is something onto the stack onto the top and pop pops off the top of Saxon again. I like the analogy of the one strays, but whatever
makes you understand it well,
all right, here is an example of a stack frame of memory. You BP is kind of like, written up a little bit here. It should be down in the bottom. Really? Sure how that happened.
But again, hi. Memory at the bottom. Blue memory at the top.
And, yes, Piot the top E V V at the bottom.
But when things really get interesting
is when we call another function. Typically, when you work with a program, it is going to have more than one function. Would you proper programming? We should definitely use lots of functions. We shouldn't just open May Unversity program and then just write everything we're gonna do in there
But even if we do, chances are we're going to call some built in function of some kind, like to make it print to the screen. For instance, we would call Something is built into sees that we would be calling another function. Even if we don't make a second function ourselves, it would be fairly difficult to do anything useful without
calling some function of some kind.
So chances are we're going to have our man function call another function. At some point when that function finishes, it may even call other ones. So you end up with lots of functions called. But when our function finishes, it needs to return back to Maine.
So we need some way of keeping track of
where it should return to. It shouldn't just start at the beginning of Maine again. It needs to pick up where it left off. So we need Thio store that somewhere, and that is the meat of what we're going to be doing is we're going to take that saved the return address, and we're going to manipulate it.
So how this works the next 86 they're gonna it varies like arm does it a little bit differently that ultimate logically, it comes out about the same, but there's really no like that way You have to do this. But for our X 86. How this is done is when another function is called
before the stack frame for the new function is pushed onto the stack. Well, it's wound onto the stack. It's a little bit different than just push, push, push, push. We can actually look at the assembly for that. It's basically it adds, or rather subtract, because we want to move to lower memory E S p
to make some new space. We'll see that
getting a little ahead of myself. But anyways, before we do that, we actually saved the return address. So we take the next instruction to be executed in Maine, are currently executing function and push it onto the stack. So we just say what? They're right on top of me in stock frame
on. Then we create a stack frame for our new function on top of that
on, then, when the function finishes, its stack frame pops off
and or is unwound again. It's not this pop pop, pop pop
popping off data, so a little bit more complicated, will see that we look at the assembly,
but then we get rid of that stack frame ESPN e v P. That will need to move back into May and stack frame
from the function. And we take that safe return address That's right on top of main Stack frame and we load in T i p So it returns as though we never left main at all. We just pick up right where we left off.
So here's a
the little example here of what it looks like in memory. So we have main stack frame again. We have that return address. So that is the memory address to return to in Mainz and next instruction we want to execute when our function finishes. This case I've called our function function one
and we have e S P wall function. One is executing SP will be at the lowest memory, duress or top
of function one stack frame you see again, yeah, looks like it's going up a little bit, but it is pointing at the bottom of the current stack frame, and it also has in this case, the saved E v P. from Maine that we basically at the bottom of function one stack frame have are shaved E v p.
What will happen when it finishes?
We'll bring SP back down E E v p.
We'll get the save TV fee for main movie V P there
on. Then the victory will pop that off into the VP to restore e v p o E s p. Since we pop this off will now be pointing here of the hour return address will return to it so low that indie i p to whatever is here which should be our safe return address in Maine.
Since we're doing exploit development, I can imagine we might want to put
something else there, get control of the I P. That is in fact, exactly what we're gonna do in a section.
And then if we pop that off, then E s P will now be pointing back at the top of Maine. We will restored ESPN ABP again that we can see that with the assembly if we look at our assembly instructions. If you're not familiar with assembly, don't worry. No requirement for that. We're not really going to do too terribly much assembly
in this class
a little bit we need in order to work through this with us. Just a general idea of how this works. So again, just a little bit of theory here. Just remember our register Z i p e s p and e v p and kind of get an idea of what this looks like. You actually look at a program. We'll see
how this works will see that it actually does follow the theory, which is nice.
So with that, let's stop playing with slides, and I'm sure you didn't look at it.

Up Next

Advanced Penetration Testing

This course covers how to attack from the web using cross-site scripting, SQL injection attacks, remote and local file inclusion and how to understand the defender of the network you're breaking into to. You'll also learn tricks for exploiting a network.

Instructed By

Instructor Profile Image
Georgia Weidman
Founder and CTO at Shevirah and Bulb Security