41 Matching Annotations
  1. Dec 2018
    1. int i; int *a[1]; for( i = 0 ; i < 20; i++) printf("%p\n", a[i]);

      Imagine that you insert this code in a certain function. What is the meaning of the values printed? Hint: Notice the size of array a and the number of iterations of the for loop.

    2. 5. Extra: FixME [3p]

      The first 6 bytes of main.bad are damaged. Fix them manually using bless to look like those of a 64-bit ELF.

      Then find out what is the address of _start and change the starting address of the binary to that address.

    3. chmod +x ./mycode.bin && ./mycode.bin

      Just because the mycode.bin file contains assembly instructions does not mean that the loader will run. The loader needs the file in the ELF file format.

    4. ./shellcode generate > mycode.bin

      Running the shellcode with a CMA will output the binary of the byte array. You can inspect the mycode.bin it will contain the same bytes as the SC string.

    5. Inspect the source code of shellcode.c

      Whenever the code is invoked with no command line arguments (argc==1) it tries to run the SC bytes as code.

      ret = (int(*)())SC;
    6. the loader only knows about segments

      The sections are for the compiler. The segments are for the loader.

    7. section

      The symbol table lists the address that is assigned to SC. You can find which section corresponds to that address in the Section Table (use the -S flag fro readelf).

    8. readelf -s ./shellcode | grep SC

      SC is a array of characters. SC and all other symbols are listed in the symbol table of the ELF. The symtab list information such as: name, scope (LOCAL, GLOBAL), size, type (FUN, OBJECT, SECTION).

    9. SIGSEGV

      A SIGSEGV is an error(signal) caused by an invalid memory reference or a segmentation fault. You are probably trying to access an array element out of bounds or trying to use too much memory.

  2. Mar 2018
    1. .fini

      This section holds executable instructions that contribute to the process termination code. That is, when a program exits normally, the system arranges to execute the code in this section

    2. init

      This section holds executable instructions that contribute to the process initialization code. That is, when a program starts to run the system arranges to execute the code in this section before the main program entry point (called main in C programs)

      From: http://l4u-00.jinr.ru/usoft/WWW/www_debian.org/Documentation/elf/node3.html

    3. .plt

      (from StackOverflow) PLT stands for Procedure Linkage Table which is, put simply, used to call external procedures/functions whose address isn't known in the time of linking, and is left to be resolved by the dynamic linker at run time.

      It is jump table to functions that are in the dynamically linked libraries (printf, scanf,...).

      Further reading: https://www.technovelty.org/linux/plt-and-got-the-key-to-code-sharing-and-dynamic-libraries.html

    4. EXEC (Executable file)


    1. 00000055

      The instruction at offset 0x55 references printf. The linker better solve this reference.

    2. 0000003f

      The instruction at offset 0x3f references foo. The linker uses this information.

    3. UND

      All the symbols with UNDefined must be resolved by the linker.

    4. .rodata

      Read Only Data: Here you would find string literals such as the "result is %d"

    5. .rel.text

      For programs compiled with -c option, this section provides information to the link editor ld where and how to "patch" executable code in .text section

    1. comment

      Comments about the compiler. You may read the raw content of any of these sections using: objdump -s -j .comment

    2. data

      The .data section contains data :-)

    3. .text

      The .text section contains the machine language instructions of the program.

    4. Section Headers:

      ELF files are subdivided into sections.

      A section is an area in the object file that contains information which is useful for linking: program's code, program's data (variables, array, string), relocation information and other. So, in each area, several information is grouped and it has a distinct meaning: code section only hold code, data section only holds initialized or non-initialized data, etc

    5. 0x0

      The first function in this file is at address 0x0.

    6. ELF32

      32-bit ELF

    7. 7f 45 4c 46

      The magic sequence that starts an ELF file is 0x7f 0x45 0x4c 0x46, i.e. .ELF.

    1. .cfi_startproc

      You can read about the cfi assembler directives in https://sourceware.org/binutils/docs/as/CFI-directives.html#CFI-directives.

      They are merely instructions for the assembler, similar to the preprocessor directives that you include in your C programs.

    2. leave

      When you compile using the gcc -fno-stack-protector, there is no validation of the stack at the end of the function.

    1. movl -4(%ebp), %eax

      The return value is returned through %eax.

    2. movl 8(%ebp), %eax

      This was compiled for 32 bits, notice that the parameter to foo is being received through the stack.

    1. movl %edi, -20(%rbp)

      This program was compiled for 64 bits and the parameter to the foo function is passed through register %edi.

    2. movl -4(%rbp), %eax

      The return value is passed through register %eax.

    1. movl %eax, %edi call foo

      Setting the parameter and invoking foo.

    2. "GCC: (Ubuntu 5.4.0-6ubuntu1~16.04.9) 5.4.0 20160609"

      Information about the compiler.

    3. call __stack_chk_fail

      By default, the gcc compiler includes instructions to detect stack smashing.

    4. movl $.LC1, %edi movl $0, %eax call printf

      Setting the parameters and calling the printf function.

    5. movl $.LC0, %edi movl $0, %eax call __isoc99_scanf

      Setting the parameters and calling the scanf function.

    6. .text

      The .text section contains the actual assembly language instructions.

    7. .LC1:

      LC1 is the label by which we shall refer to "result is %d\n" in the program,

    8. .section .rodata

      "Here comes the read-only data segment"

      You can see the literal strings "%d" and "result is %d\n" that are parameters to the scanf and printf functions.

    9. .comm buffer,1048576,32

      This is saying "In this program there is a global variable called buffer of 1048576 bytes and 32-bit alignment.

      .comm name, size,alignment

      The '.comm' directive allocates storage in the data section.

  3. Jun 2017