1  == exploits ==
 2  # Buffer Overflow
 3  A buffer overflow happens when you place data into a variable that is larger than the memory that was allocated for the data. This leads to whatever was next in the memory being overwritten, possibly for malicious purposes.  
 4  
 5  
 6  = memory = 
 7  a program is made up of 5 segments, they are ordered in this way:
 8  * text -> code, fixed size
 9  * data -> global and static variables, fixed size
10  * bss -> uninitialized variables, fixed size
11  * heap -> stores whatever the programmer wants, variable size, grows downwards towards the stack
12  * stack -> temporary scratch pad, variable size, grows upwards towards the heap
13  
14  the stack is built of stack frames. the EBP also known as FP (frame pointer) refers to local function variables in the current stack frame. each frame contains context for the current function, and two pointers; the SFP (saved frame pointer) and return address. These pointers help put things back together. The SFP returns the EBP to it's previous value, and the return address changes the EIP to it's old value.
15  
16  storing memory on the heap requires the system call 'malloc()'. it takes a single argument (size) and returns a void pointer to the address. in case it fails to allocate the memory, it will return a null pointer (0x0), so error checking is required!
17  deallocating it is done through 'heap()', it takes a single argument (pointer) and frees that address
18  
19  = c lang =
20  pointers -> are memory address that point to other memory addresses
21  address of (&) -> takes a variable and tells you the memory location of it
22  dereference (*) -> takes a pointer and tells you the value of the address it is pointing to
23  
24  various format strings require either a variable or a pointer; be careful!
25  %s -> string, needs a pointer
26  %p -> pointer, short hand for 0x%08x (0x<0 padded 8 hexadecimal>), obviously for a pointer
27  %d -> decimal, needs a variable
28  etc...
29  
30  scanf uses format strings to take input, but requires a pointer! (check input.c)
31  
32  you can also take input through command line arguments:
33  	./<exe> this is a test
34  	int main(int argc, char *argv[]) { ...
35  these are passed as strings (which are themselves just pointers) to the argv variable. argc holds the number of command line arguments passed
36  ! warning ! if you try to access a command line argument that wasn't passed, you'll segmentation fault.
37  
38  seg fault:
39  	when you try to access a memory segment that is outside the memory allocated to your program
40  A good way to debug these is with gdb, because you can see which line tried to access which memory address that lead to the seg fault (for example, check the memory that is stored in argv, they're all pointers to other memory address)
41  
42  scoping:
43  be default all variables declared in a function are local to that function. a global variable must be defined outside of any function. if there is a clash, preference is given to local variables.
44  
45  static:
46  static variables will retain their value outside their scope and are only initiliazed once.
47  
48  = gdb =
49  list -> show source code if compiled with -g command in gcc
50  disassemble main (disass main) -> fairly obvious 
51  break main -> set break point to main
52  run -> execute to break point
53  info register <register> -> show details of the register
54  i r <register> -> short hand for the above
55  x/o <register> -> examine the register displaying in octal
56  nexti -> next instruction
57  bt -> backtrace, print the stack trace
58  bt full -> backtrace with all the stack frames printed too (shows variables)
59  
60  = gdb examine command =
61  
62  format letters for the examine (x) command:
63  	o: octal
64  	x: hexadecimal
65  	u: unsigned base-10 decimal
66  	t: binary
67  	i: instruction 
68  	c: character
69  	s: string
70  	d: integer(?)
71  	&: address of -> returns the address of the variable rather than the variable itself
72  	*: dereference -> take the value of the pointer rather than the address it is pointing to
73  
74  registers can be referenced using $<register id> as listed below (the below is listed in the books intel flavor, my gdb uses a different intel flavour)
75  
76  we can also choose to show more data around the register we are examining by adding a number before the format like so:
77  	x/12x <register>
78  
79  = opening with gdb = 
80  compile: gcc -g -o <file> <file>.c
81  run: gdb -q ./<file>
82  
83  = Register names =
84  EBP -> base pointer
85  ESP -> stack pointer
86  ESI -> source index
87  EDI -> destination index
88  EIP -> instruction pointer
89  General purpose registers include EAX, ECX, EDX, EBX. Accumulator, Counter, Data and Base respectively