15 213 The course that gives CMU its Zip Machine Language V Miscellaneous Topics Sept 25 2001 Topics class09 ppt Linux Memory Layout Understanding Pointers Buffer Overflow Floating Point Code FF Linux Memory Layout Stack Runtime stack 8MB limit C0 BF Upper 2 hex digits of address Stack Heap Dynamically allocated storage When call malloc calloc new DLLs 80 7F Red Hat v 6 2 1920MB memory limit 40 3F Heap Dynamically Linked Libraries Library routines e g printf malloc Linked into object code when first executed Data DLLs Heap Data Text 08 00 class09 ppt Statically allocated data E g arrays strings declared in code Text Executable machine instructions Read only 2 CS 213 F 01 Linux Memory Allocation BF Initially Stack 80 7F BF Linked Stack 80 7F BF Some Heap Stack 80 7F BF More Heap Stack 80 7F Heap Heap 40 3F 08 00 40 3F Data Text class09 ppt 08 00 DLLs Data Text 40 3F 08 00 3 DLLs Data Text 40 3F 08 00 CS 213 F 01 DLLs Heap Data Text Memory Allocation Example char big array 1 24 16 MB char huge array 1 28 256 MB int beyond char p1 p2 p3 p4 int useless int p1 p2 p3 p4 return 0 main malloc 1 malloc 1 malloc 1 malloc 1 Some print class09 ppt 28 8 28 8 statements 256 256 256 256 4 MB B MB B CS 213 F 01 Dynamic Linking Example gdb print malloc 1 text variable no debug info 0x8048454 malloc gdb run Program exited normally gdb print malloc 2 void unsigned int 0x40006240 malloc Initially Code in text segment that invokes dynamic linker Address 0x8048454 should be read 0x08048454 Final Code in DLL region class09 ppt 5 CS 213 F 01 Breakpointing Example gdb break main gdb run Breakpoint 1 0x804856f in main gdb print esp 3 void 0xbffffc78 Main Address 0x804856f should be read 0x0804856f Stack Address 0xbffffc78 class09 ppt 6 CS 213 F 01 Example Addresses BF esp p3 p1 Final malloc p4 p2 beyond big array huge array main useless Initial malloc class09 ppt 0xbffffc78 0x500b5008 0x400b4008 0x40006240 0x1904a640 0x1904a538 0x1904a524 0x1804a520 0x0804a510 0x0804856f 0x08048560 0x08048454 7 Stack 80 7F 50 40 3F 19 18 08 00 DLLs Data Text CS 213 F 01 C operators Operators Associativity left to right right to left left to right left to right left to right left to right left to right left to right left to right left to right left to right left to right right to left right to left left to right type sizeof Note Unary and have higher precedence than binary forms class09 ppt 8 CS 213 F 01 C pointer declarations int p p is a pointer to int int p 13 p is an array 13 of pointer to int int p 13 p is an array 13 of pointer to int int p p is a pointer to a pointer to an int int p 13 p is a pointer to an array 13 of int int f f is a function returning a pointer to int int f f is a pointer to a function returning int int f 13 f is a function returning ptr to an array 13 of pointers to functions returning int int x 3 5 x is an array 3 of pointers to functions returning pointers to array 5 of ints class09 ppt 9 CS 213 F 01 Internet Worm and IM War November 1988 Internet Worm attacks thousands of Internet hosts How did it happen July 1999 Microsoft launches MSN Messenger instant messaging system Messenger clients can access popular AOL Instant Messaging Service AIM servers AIM client MSN server MSN client AIM server AIM client class09 ppt 10 CS 213 F 01 Internet Worm and IM War cont August 1999 Mysteriously Messenger clients can no longer access AIM servers Microsoft and AOL begin the IM war AOL changes server to disallow Messenger clients Microsoft makes changes to clients to defeat AOL changes At least 13 such skirmishes How did it happen The Internet Worm and AOL Microsoft War were both based on stack buffer overflow exploits many Unix functions such as gets and strcpy do not check argument sizes allows target buffers to overflow class09 ppt 11 CS 213 F 01 Vulnerable Buffer Code Echo Line void echo char buf 4 gets buf puts buf Way too small int main printf Type a string echo return 0 class09 ppt 12 CS 213 F 01 Buffer Overflow Executions unix bufdemo Type a string 123 123 unix bufdemo Type a string 12345 Segmentation Fault unix bufdemo Type a string 12345678 Segmentation Fault class09 ppt 13 CS 213 F 01 Buffer Overflow Stack Stack Frame for main Return Address Saved ebp ebp 3 2 1 0 buf Stack Frame for echo Echo Line void echo char buf 4 gets buf puts buf Way too small echo pushl ebp Save ebp on stack movl esp ebp subl 20 esp Allocate space on stack pushl ebx Save ebx addl 12 esp Allocate space on stack leal 4 ebp ebx Compute buf as ebp 4 pushl ebx Push buf on stack call gets Call gets class09 ppt 14 CS 213 F 01 Buffer Overflow Stack Example Before Call to gets unix gdb bufdemo gdb break echo Breakpoint 1 at 0x8048583 gdb run Breakpoint 1 0x8048583 in echo gdb print x unsigned ebp 1 0xbffff8f8 gdb print x unsigned ebp 1 3 0x804864d Stack Frame for main Stack Frame for main Return Address Saved ebp ebp 3 2 1 0 buf 08 04 86 4d bf ff f8 f8 0xbffff8d8 xx xx xx xx Stack Frame for echo Stack Frame for echo 8048648 call 804857c echo 804864d mov 0xffffffe8 ebp ebx Return Point class09 ppt 15 CS 213 F 01 Buffer Overflow Stack Example 1 Before Call to gets Stack Frame for main Return Address Saved ebp ebp 3 2 1 0 buf Stack Frame for echo Input 123 Stack Frame for main Stack Frame for main 08 04 86 4d bf ff f8 f8 xx xx xx xx 08 04 86 4d bf ff f8 f8 00 33 32 31 Stack Frame for echo Stack Frame for echo No Problem class09 ppt 16 CS 213 F 01 Buffer Overflow Stack Example 2 Stack Frame for main Stack Frame for main Return Address Saved ebp ebp 3 2 1 0 buf Stack Frame for echo 08 04 86 4d bf ff 00 35 34 33 32 31 Input 12345 Saved value of ebp set to 0xbfff0035 0xbffff8d8 Stack Frame for echo echo code 8048592 8048593 8048598 804859b 804859d 804859e push call mov mov pop ret class09 ppt ebx 80483e4 init 0x50 0xffffffe8 ebp ebx ebp esp ebp ebp gets set to invalid value 17 CS 213 F 01 Buffer Overflow Stack Example Stack Frame for main Stack Frame for main Return Address Saved ebp ebp 3 2 1 0 buf Stack Frame for echo Input 12345678 ebp and return address corrupted 08 04 86 00 38 37 36 35 34 33 32 31 Stack Frame for echo Function good echo 80485fc 80 3c 33 0a …
View Full Document
Unlocking...