FF Stack IA32 Linux Memory Layout 15 213 Stack The course that gives CMU its Zip Heap Machine Level Programming V Advanced Topics February 7 2008 Linux Memory Layout Understanding Pointers Buffer Overflow Floating Point Code 2 class08 ppt Memory Allocation Example Dynamically allocated storage When call malloc calloc new Data Upper 2 hex digits of address Topics Runtime stack 8MB limit Statically allocated data E g arrays strings declared in code Text 08 00 Executable machine instructions Read only Heap Data Text 15 213 S 08 IA32 Example Addresses FF char big array 1 24 16 MB char huge array 1 28 256 MB esp p3 p1 p4 p2 beyond big array huge array main useless final malloc int beyond char p1 p2 p3 p4 int useless int p1 p2 p3 p4 return 0 main malloc 1 malloc 1 malloc 1 malloc 1 Some print 28 8 28 8 statements 256 256 256 256 MB B MB B address range 232 p2 3 0xffffbcd0 0x65586008 0x55585008 0x1904a110 0x1904a008 0x08049744 0x18049780 0x08049760 0x080483c6 0x08049744 0x006be166 15 213 S 08 4 Stack 80 Heap 08 00 Data Text 0x18049760 15 213 S 08 x86 64 Example Addresses C operators 7F rsp p3 p1 p4 p2 beyond big array huge array main useless final malloc 0x7ffffff8d1f8 0x2aaabaadd010 0x2aaaaaadc010 0x000011501120 0x000011501010 0x000000500a44 0x000010500a80 0x000000500a50 0x000000400510 0x000000400500 0x00386ae6a170 Operators Associativity Heap Data Text type sizeof left to right right to left left to right left to right left to right left to right left to right left to right left to right left to right left to right left to right right to left right to left left to right 30 08 00 address range 247 Stack p2 0x000010500a60 15 213 S 08 5 C pointer declarations int p p is a pointer to int int p 13 p is an array 13 of pointer to int int p 13 p is an array 13 of pointer to int int p p is a pointer to a pointer to an int has very high precedence has very high precedence monadic just below 15 213 S 08 6 Avoiding Complex Declarations Use typedef to build up the declaration Instead of int x 3 5 typedef int fiveints 5 typedef fiveints fiveints p5i int p 13 p is a pointer to an array 13 of int int f f is a function returning a pointer to int int f f is a pointer to a function returning int int f 13 f is a function returning ptr to an array 13 of pointers to functions returning int int x 3 5 x is an array 3 of pointers to functions returning pointers to array 5 of ints 15 213 S 08 7 typedef p5i f of p5is f of p5is x 3 x is an array of 3 elements each of which is a pointer to a function returning an array of 5 ints ints 8 15 213 S 08 Internet Worm and IM War Internet Worm and IM War cont November 1988 August 1999 Internet Worm attacks thousands of Internet hosts How did it happen July 1999 Microsoft launches MSN Messenger instant messaging system Messenger clients can access popular AOL Instant Messaging Service AIM servers 9 Microsoft and AOL begin the IM war z At least 13 such skirmishes z many Unix functions do not check argument sizes z allows target buffers to overflow 15 213 S 08 Vulnerable Buffer Code Implementation of Unix function gets Echo Line void echo char buf 4 gets buf puts buf z No way to specify limit on number of characters to read Get string from stdin char gets char dest int c getchar char p dest while c EOF c n p c c getchar p 0 return dest 15 213 S 08 10 String Library Code How did it happen The Internet Worm and AOL Microsoft War were both based on stack buffer overflow exploits AIM server AIM client z Microsoft makes changes to clients to defeat AOL changes AIM client MSN client Mysteriously Messenger clients can no longer access AIM servers z AOL changes server to disallow Messenger clients MSN server Way too small int main printf Type a string echo return 0 Similar problems with other Unix functions z strcpy Copies string of arbitrary length z scanf fscanf sscanf when given s conversion specification 11 15 213 S 08 12 15 213 S 08 Buffer Overflow Executions Buffer Overflow Stack Stack Frame for main unix bufdemo Type a string 123 123 Return Address ebp Saved ebp 3 2 1 0 buf unix bufdemo Type a string 12345 Segmentation Fault Stack Frame for echo unix bufdemo Type a string 12345678 Segmentation Fault 15 213 S 08 13 Buffer Overflow Stack Example Stack Frame for main Return Address ebp Saved ebp 3 2 1 0 buf Stack Frame for echo unix gdb bufdemo gdb break echo Breakpoint 1 at 0x8048583 gdb run Breakpoint 1 0x8048583 in echo gdb print x unsigned ebp 1 0xbffff8f8 gdb print x unsigned ebp 1 3 0x804864d Stack Frame for main echo pushl ebp movl esp ebp subl 20 esp pushl ebx addl 12 esp leal 4 ebp ebx pushl ebx call gets Way too small Save ebp on stack Allocate stack space Save ebx Allocate stack space Compute buf as ebp 4 Push buf on stack Call gets 15 213 S 08 14 Buffer Overflow Example 1 Before Call to gets Input 123 Stack Frame for main Stack Frame for main Before call to gets Return Address ebp Saved ebp 3 2 1 0 buf 08 04 Address 86 4d Return bf ff f8 f8 0xbffff8f8 Saved ebp 3 2 1 0 xx xx xx xx buf Stack Frame for echo Stack Frame for echo 08 04 Address 86 4d Return bf ff f8 f8 0xbffff8d8 Saved ebp 3 2 1 0 00 33 32 31 buf Stack Frame for echo No Problem 8048648 call 804857c echo 804864d mov 0xffffffe8 ebp ebx Return Point 15 Echo Line void echo char buf 4 gets buf puts buf 15 213 S 08 16 15 213 S 08 Buffer Overflow Stack Example 2 Stack Frame for main Stack Frame for main Return Address ebp Saved ebp 3 2 1 0 buf Stack Frame for echo Input 12345 Saved value of ebp set to 0xbfff0035 Stack Frame for echo push call mov mov pop ret Bad news when later attempt to restore ebp 15 213 S 08 Malicious Use of Buffer Overflow Stack after call to gets void foo bar int bar char buf 64 gets buf return 19 Stack Frame Return 08 04 Address 86 00 Saved 38 37 ebp 36 35 0xbffff8d8 3 34 2 33 1 32 0 31 buf Stack Frame for echo Input 12345678 for main Return Address ebp Saved ebp 3 2 1 0 buf Stack Frame for echo ebp and return address corrupted Invalid address ebx 80483e4 init 0x50 gets 0xffffffe8 ebp ebx ebp esp ebp ebp gets set to invalid value 17 return address A Stack Frame for main 08 04 Address 86 4d Return bfSaved ff 00 ebp35 0xbffff8d8 3 34 2 33 1 32 0 …
View Full Document
Unlocking...