Memory Layout

Linux Userspace Process Memory Layout

 Content

Intel Architecture

Memory Layout Buffer Overflow

C Arrays
BoF Exploit

Assembler
Remote Exploit

Shellcode
Exploit Mitigations
Function Calls

Debugging Defeat Exploit Mitigations

Slide 2
Userspace Memory Layout

In 32 bit
x32 Memory Layout
0xc0000000
0xbfffffff

Stack

Heap

Code
0x0804800

0x0000000
Slide 4
x32 Memory Layout
0xc0000000
0xbfffffff

Stack char array[16];

malloc(16)

Heap

mapping
Code ELF File
0x0804800

0x0000000
Slide 5
x32 Memory Layout
0xc0000000
0xbfffffff

Stack char array[16];

ESP

malloc(16)

Heap

EIP mapping
Code ELF File
0x0804800

0x0000000
Slide 6
x32 Memory Layout

Memory regions:

Stack
 There’s one contiguous memory region containing the stack for the process
 LIFO – Last in, First Out
 Contains function local variables
 Also contains: Saved Instruction Pointer (SIP)
 Current function adds data to the top (bottom) of the stack

Heap
 There’s one contiguous memory region containing the heap
 Memory allocator returns specific pieces of the memory region
 For malloc()
 Also contains: heap management data

Code
 Compiled program code

Slide 7
ELF Format

How do programs on disk look like

ELF Format

Programs (e.g. Firefox) are stored in ELF files

ELF: Executable and Linkable Format

 Previously: “a.out” (Linux 1.2)
 Like COFF, PE (EXE), COM, …

ELF types:
 ET_EXEC: Executable File
 ET_REL: Relocatable File
 ET_DYN: Shared Object File

ELF “views”:
 Sections
 Segments

$ readelf –l <binary>

Slide 9
 ELF Format - Sections and Segments

ELF Header
Program Header Table

Sections
Segments

Section Header Table

Slide 10
 ELF Format - Segment View
Program Headers:
Type Offset VirtAddr PhysAddr
FileSiz MemSiz Flags Align
PHDR 0x00000040 0x0000400040 0x0000000000400040
0x000001c0 0x00000001c0 R E 8
INTERP 0x00000200 0x0000400200 0x0000000000400200
0x0000001c 0x000000001c R 1
02 LOAD 0x00000000 0x0000400000 0x0000000000400000
0x00000b24 0x0000000b24 R E 200000
03 LOAD 0x00000b28 0x0000600b28 0x0000000000600b28
0x00000270 0x0000000278 RW 200000
DYNAMIC 0x00000b40 0x0000600b40 0x0000000000600b40
0x000001e0 0x00000001e0 RW 8
NOTE 0x0000021c 0x000040021c 0x000000000040021c
0x00000044 0x0000000044 R 4
GNU_EH_FRAME 0x000009ac 0x00004009ac 0x00000000004009ac
0x00000044 0x0000000044 R 4
07 GNU_STACK 0x00000000 0x0000000000 0x0000000000000000
0x00000000 0x0000000000 RW 10
Slide 11
ELF Format

$ readelf –l challenge0

Section to Segment mapping:

Segment Sections...
00
01 .interp
02 .interp .note.ABI-tag .note.gnu.build-id .gnu.hash
.dynsym .dynstr .gnu.version .gnu.version_r
.rela.dyn .rela.plt .init .plt .text .fini .rodata
.eh_frame_hdr .eh_frame
03 .init_array .fini_array .jcr .dynamic .got .got.plt
.data .bss
04 .dynamic
05 .note.ABI-tag .note.gnu.build-id
06 .eh_frame_hdr
07

Slide 12
ELF Format

Sections:
 .text: Executable instructions
 .bss: Unitialized data (usually the heap)
 .data: initialized data
 .rodata: Read-Only data
 .got: Global Offset Table
 .plt: Procedure Linkage Table
 .init/.fini: Initialization instructions (“glibc”)

Slide 13
 ELF Format
Program Headers:
Type Offset PhysAddr
FileSiz Flags Align
(02) LOAD 0x0000000000000000 0x0000000000400000
0x0000000000000b24 R E 200000
(03) LOAD 0x0000000000000b28 0x0000000000600b28
0x0000000000000270 RW 200000
(07) GNU_STACK 0x0000000000000000 0x0000000000000000
0x0000000000000000 RW 10

02 .init .plt .text .fini .rodata Executable Code R/E

03 .got .got.plt .data .bss Heap Data R/W

07 Stack Data R/W

Slide 14
ELF Loader
ELF Format

ELF Header
Program Header Table
.plt 02 Executable Segment
.text r-x
.init
.got
.data
03 Data Segment
rw-
.bss
07 Stack
rw-

Section Header Table

Slide 16
ELF Format
FILE Process
ELF Header
Program Header Table
.plt
Code
.text
.init
.got
.data Heap
.bss

Stack
Section Header Table
Slide 17
 x64 Memory Layout

0x7fffffffe000

Stack
RSP

Heap
0x600000

RIP
Code
0x400000

0x000000
Slide 18
Stack, Heap, Code from ELF File
By Example

some static and dynamic binary analysis

ELF Format - Example C code

char *globalVar = "Global";

void main(void) {
char stackVar[16];
char *heapVar = (char *) malloc(4);

printf("Global var: %p\n", globalVar);

printf("Heap var : %p\n", heapVar);
printf("Stack var : %p\n", stackVar);
}

Slide 20
ELF Format - ELF Analysis

Global var: 0x400654

Heap var : 0x601010
Stack var : 0x7fffffffe990

(2) LOAD 0x0000000000400000

R E 200000
(3) LOAD 0x0000000000600b28
RW 200000
(7) GNU_STACK 0x0000000000000000
RW 10

Slide 21
 ELF Format

See it at runtime
# cat /proc/self/maps
00400000-0040c000 r-xp 00000000 08:01 391694 /bin/cat
0060b000-0060c000 r--p 0000b000 08:01 391694 /bin/cat
0060c000-0060d000 rw-p 0000c000 08:01 391694 /bin/cat
…
7ffffffde000-7ffffffff000 rw-p 00000000 00:00 0 [stack]

Slide 22
 ELF Format

Show Code section, and disassemble:

$ objdump -d ./challenge1
./challenge1: file format elf64-x86-64
Disassembly of section .init:
0000000000400588 <_init>:
…
000000000040077f <handleData>:
40077f: 55 push %rbp
400780: 48 89 e5 mov %rsp,%rbp
400783: 48 83 ec 30 sub $0x30,%rsp
400787: 48 89 7d d8 mov %rdi,-0x28(%rbp)
40078b: 48 89 75 d0 mov %rsi,-0x30(%rbp)

Slide 23
ELF Format

The process of creating a process from an ELF file is called:

 “Linking and Loading”

Sections:
 Are for compiler (gcc), to link several object files together (.o)

Segments:
 Are for the loader, to create the process
 Each segment consists of one ore more sections

Slide 24
ELF Format

Recap:
 Program Code is stored in ELF Files
 ELF Files contain segments
 Segments are copied 1:1 in the memory to create a process (of that program)
 A process has generally three important segments:
 Code segment (the actual compiled code)
 Heap (global allocations with malloc())
 Stack (local variables of functions)

Slide 25
Challenges

Challenges:

https://exploit.courses
 Challenge 0: Introduction to memory layout – basic
 Challenge 1: Introduction to memory layout - advanced
 (Challenge 4: Introduction to hex numbers, code and GDB)

Slide 26
Slide 27