15-213 Recitation Section C
Shimin Chen
Sept 30, 2002

Outline
  - Buffer overflow
  - Putting code onto the stack


Example 1: Buffer Overflow

Please draw the stack frame of example1. What are the values of n and x at the marked points?

    void example1()
    {
        volatile int n;
        char buf[8];
        volatile int x;

        n = 0x12345678;
        x = 0xdeadbeef;
        strcpy(buf, "abcdefghijk");   /* 'a' = 0x61, 'b' = 0x62, ... */
        buf[8]  = 0xab;
        buf[-4] = 0xcd;
    }

    (1) n = ?   x = ?
    (2) n = ?   x = ?
    (3) n = ?   x = ?


ASM of example1

    0x80483f0   push   %ebp
    0x80483f1   mov    %esp,%ebp
    0x80483f3   sub    $0x18,%esp
    0x80483f6   movl   $0x12345678,0xfffffffc(%ebp)
    0x80483fd   movl   $0xdeadbeef,0xfffffff0(%ebp)
    0x8048404   add    $0xfffffff8,%esp
    0x8048407   push   $0x80484a8
    0x804840c   lea    0xfffffff4(%ebp),%eax
    0x804840f   push   %eax
    0x8048410   call   0x8048308 <strcpy>
    0x8048415   add    $0x10,%esp
    0x8048418   movb   $0xab,0xfffffffc(%ebp)
    0x804841c   mov    $0xfffffffc,%eax
    0x8048421   lea    0xfffffff4(%ebp),%edx
    0x8048424   movb   $0xcd,(%eax,%edx,1)
    0x8048428   mov    %ebp,%esp
    0x804842a   pop    %ebp
    0x804842b   ret


Stack Frame

Offsets are relative to %ebp (0xfc = %ebp-4, 0xf4 = %ebp-12, 0xf0 = %ebp-16):

    high addresses
    +-------------+
    | Return addr |  %ebp+4
    +-------------+
    | old %ebp    |  %ebp+0   <- %ebp
    +-------------+
    | n           |  0xfc
    +-------------+
    |             |  0xf8
    | buf         |  0xf4
    +-------------+
    | x           |  0xf0
    +-------------+
    low addresses

In the diagrams below each row is one 4-byte word; the rightmost byte is the one at the lowest address.


Before Calling strcpy

Instructions executed so far: push through movl $0xdeadbeef,0xfffffff0(%ebp).

    high  +-------------+
          | Return addr |
          +-------------+
          | old ebp     |  <- %ebp
          +-------------+
      n   | 12 34 56 78 |  0xfc
          +-------------+
          |             |  0xf8
     buf  |             |  0xf4
          +-------------+
      x   | de ad be ef |  0xf0
          +-------------+
    low                    <- %esp (0x18 below %ebp after the sub)


After Calling strcpy

Instructions executed so far: through add $0x10,%esp, i.e. after strcpy(buf, "abcdefghijk") has returned.

    high  +-------------+
          | Return addr |
          +-------------+
          | old ebp     |  <- %ebp
          +-------------+
      n   | 00 6b 6a 69 |  0xfc
          +-------------+
     buf  | 68 67 66 65 |  0xf8
          | 64 63 62 61 |  0xf4
          +-------------+
      x   | de ad be ef |  0xf0
          +-------------+
    low                    <- %esp

The 11 characters plus the terminating NUL are 12 bytes, so the copy fills buf and continues into n.


Before Return

Instructions executed so far: through movb $0xcd,(%eax,%edx,1), i.e. after buf[8] = 0xab and buf[-4] = 0xcd.

    high  +-------------+
          | Return addr |
          +-------------+
          | old ebp     |  <- %ebp
          +-------------+
      n   | 00 6b 6a ab |  0xfc
          +-------------+
     buf  | 68 67 66 65 |  0xf8
          | 64 63 62 61 |  0xf4
          +-------------+
      x   | de ad be cd |  0xf0
          +-------------+
    low                    <- %esp


What If?

What if we instead strcpy(buf, "abcdefghijklmn") (14 + 1 chars)?
  -> Old ebp is overwritten.

What if we instead strcpy(buf, "abcdefghijklmnopq") (17 + 1 chars)?
  -> Return addr is overwritten.


Example 2: How to Put Code onto the Stack

    int example2()
    {
        char buf[8];
        gets(buf);
        return 0;
    }

    push   %ebp
    mov    %esp,%ebp
    sub    $0x18,%esp
    add    $0xfffffff4,%esp
    lea    0xfffffff8(%ebp),%eax
    push   %eax
    call   0x80482e8 <gets>
    xor    %eax,%eax
    mov    %ebp,%esp
    pop    %ebp
    ret


Steps

  1. Write assembly code
  2. Get the binary representation of the code
  3. Generate ASCII for the binary code
  4. Run the program with the input


Step 1: Write assembly code

Use your favorite text editor. For example:

    movl $0, 8(%ebp)
    addl $0x12345678, %eax

Save it as a .s file, e.g., input.s.


Step 2: Get the binary representation of the code

Compile the assembly with gcc:

    gcc -c input.s

Display the binary representation with objdump:

    objdump -d input.o

Copy the byte code into a text file.


Step 3: Generate ASCII for the binary code

Use sendstring to generate the ASCII string:

    sendstring < input.txt > input.raw


Step 4: Run the program with the input

Run at the command line:

    ./example2 < input.raw

Run in gdb:

    gdb example2
    (gdb) run < input.raw


Show Code on the Stack

    (gdb) break example2
    (gdb) break *0x80483f6
    (gdb) run < input.raw
    (gdb) p/x $ebp-8
    (gdb) p/x $ebp … 3
    (gdb) continue
    (gdb) disas 0xbffffa40 0xbffffa4b


Important Dates

  - Lab 3 due Monday, Oct 7, 11:59pm
  - Exam 1: Tuesday, Oct 8, 6:00-7:30pm, Doherty Hall 2315
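The following program is an added worked example for Example 1 and the "What If?" slide; it is not code from the recitation. It models example1's frame as a byte array using the offsets read off the disassembly (n at %ebp-4, buf at %ebp-12, x at %ebp-16, saved %ebp at %ebp+0, return address at %ebp+4) and replays the three states the slides draw: before strcpy, after strcpy, and before return. The saved %ebp and return-address values are constructed placeholders, and overflow_reaches() generalizes the "What If?" question to any string length. A real compiler may lay the frame out differently; the point is the arithmetic, which is the same on any layout.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Byte-level model of example1's stack frame.  Offsets are relative to %ebp:
 *   +4  return address     +0  saved (old) %ebp
 *   -4  n                  -12 buf[0..7]
 *   -16 x
 * The frame lives in a plain array so the walk-through runs on any host.
 */
#define FRAME_LO   (-16)                    /* lowest modelled offset (x) */
#define FRAME_HI   7                        /* last byte of the return address */
#define FRAME_SIZE (FRAME_HI - FRAME_LO + 1)
#define BUF_OFF    (-12)

struct frame { uint8_t mem[FRAME_SIZE]; };

/* Little-endian 32-bit load at %ebp+off, as the x86 does it. */
static uint32_t load32(const struct frame *f, int off)
{
    const uint8_t *p = f->mem + (off - FRAME_LO);
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static void store32(struct frame *f, int off, uint32_t v)
{
    uint8_t *p = f->mem + (off - FRAME_LO);
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Replays example1 with strcpy(buf, str) up to one of the three states drawn
 * on the slides: 1 = before calling strcpy, 2 = after calling strcpy,
 * 3 = before return (after buf[8] = 0xab and buf[-4] = 0xcd). */
static void run_example1(struct frame *f, const char *str, int state)
{
    memset(f->mem, 0, sizeof f->mem);
    store32(f, 4,   0x08048500u);   /* constructed return address */
    store32(f, 0,   0xbffffa58u);   /* constructed saved %ebp */
    store32(f, -4,  0x12345678u);   /* n = 0x12345678 */
    store32(f, -16, 0xdeadbeefu);   /* x = 0xdeadbeef */

    if (state >= 2) {
        /* strcpy(buf, str): strlen+1 bytes land at %ebp-12 and upward; nothing
         * compares against sizeof buf.  The copy is clipped only at the edge of
         * this model array; the real stack has no such edge. */
        size_t len  = strlen(str) + 1;
        size_t room = (size_t)(FRAME_HI - BUF_OFF + 1);
        memcpy(f->mem + (BUF_OFF - FRAME_LO), str, len < room ? len : room);
    }
    if (state >= 3) {
        f->mem[(BUF_OFF - FRAME_LO) + 8] = 0xab;   /* buf[8]  -> low byte of n */
        f->mem[(BUF_OFF - FRAME_LO) - 4] = 0xcd;   /* buf[-4] -> low byte of x */
    }
}

uint32_t example1_n_at(const char *str, int state)
{
    struct frame f; run_example1(&f, str, state); return load32(&f, -4);
}

uint32_t example1_x_at(const char *str, int state)
{
    struct frame f; run_example1(&f, str, state); return load32(&f, -16);
}

/* Highest frame slot that strcpy of a `len`-character string into buf reaches:
 * 0 = stays inside buf, 1 = n, 2 = saved %ebp, 3 = return address. */
int overflow_reaches(size_t len)
{
    int last = BUF_OFF + (int)len;      /* offset of the terminating NUL */
    if (last >= 4)  return 3;
    if (last >= 0)  return 2;
    if (last >= -4) return 1;
    return 0;
}

int main(void)
{
    const char *s = "abcdefghijk";
    for (int st = 1; st <= 3; st++)
        printf("state %d: n = 0x%08x  x = 0x%08x\n", st,
               (unsigned)example1_n_at(s, st), (unsigned)example1_x_at(s, st));
    printf("14 chars reach slot %d, 17 chars reach slot %d\n",
           overflow_reaches(14), overflow_reaches(17));
    return 0;
}
```

The three printed states reproduce the byte rows of the "Before Calling strcpy", "After Calling strcpy" and "Before Return" diagrams, and overflow_reaches() shows why 14 characters touch the saved %ebp (the NUL lands at %ebp+2) while 17 reach the return address (%ebp+5).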
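Example 2 is dangerous because gets() is never told how large buf is. The program below is an added example, not part of the recitation, showing the bounded replacement: fgets() with sizeof buf stores at most 7 characters, and the rest of an over-long line is read and discarded rather than written past buf. Reading from a FILE* stands in for the `./example2 < input.raw` redirection on the slides; run_with_input() and the rejection policy (return -1 instead of silently truncating) are this example's own choices.

```c
#include <stdio.h>
#include <string.h>

/* Bounded version of example2's read.  fgets() writes at most cap-1 bytes plus
 * a NUL, so buf can never be overrun.  Returns the number of characters kept,
 * -1 if the line was longer than fits (the excess is drained so the next read
 * starts on a fresh line), or -2 on EOF/error before any input. */
int example2_safe(FILE *in, char *buf, size_t cap)
{
    if (cap == 0 || fgets(buf, (int)cap, in) == NULL)
        return -2;

    size_t n = strlen(buf);
    if (n > 0 && buf[n - 1] == '\n') {
        buf[--n] = '\0';                 /* whole line fit: strip the newline */
        return (int)n;
    }

    /* No newline: either EOF ended the line, or it was longer than cap-1.
     * Consume the remainder instead of letting it spill anywhere. */
    int c, overflowed = 0;
    while ((c = getc(in)) != EOF && c != '\n')
        overflowed = 1;
    return overflowed ? -1 : (int)n;
}

/* Feeds a constructed input line through example2_safe via a temporary
 * file, standing in for `./example2 < input.raw`. */
int run_with_input(const char *line, char *buf, size_t cap)
{
    FILE *fp = tmpfile();
    if (fp == NULL)
        return -2;
    fputs(line, fp);
    rewind(fp);
    int r = example2_safe(fp, buf, cap);
    fclose(fp);
    return r;
}

/* Return code for a line read into an 8-byte buffer like example2's. */
int rc_for(const char *line)
{
    char buf[8];
    return run_with_input(line, buf, sizeof buf);
}

/* 1 when the line is accepted and the stored text equals `expect`. */
int reads_exactly(const char *line, const char *expect)
{
    char buf[8];
    int r = run_with_input(line, buf, sizeof buf);
    return r >= 0 && strcmp(buf, expect) == 0;
}

int main(void)
{
    char buf[8];
    int r = run_with_input("abcdefg\n", buf, sizeof buf);
    printf("7 chars : rc=%d buf=\"%s\"\n", r, buf);
    /* the 17+1 character line from the What If? slide */
    r = run_with_input("abcdefghijklmnopq\n", buf, sizeof buf);
    printf("17 chars: rc=%d (rejected; buf holds \"%s\", frame untouched)\n", r, buf);
    return 0;
}
```

With the 17-character line that overwrote the return address in Example 1, the bounded read keeps "abcdefg", drains the remaining characters, and reports -1; the saved %ebp and return address above buf are never reached.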
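Steps 2 and 3 hand-copy the byte code out of the objdump listing and feed it to sendstring, a course tool that turns the hex text into raw bytes. As an added example (not part of the recitation, and not the course's sendstring), the parser below reads `objdump -d` output directly and extracts the machine-code bytes, so the copy-by-hand step cannot drop or transpose a byte. The SAMPLE_OBJDUMP text is constructed here in the standard objdump layout for the two instructions on the "Write assembly code" slide; their encodings (c7 45 08 00 00 00 00 and 05 78 56 34 12) were checked against the IA-32 opcode tables. Writing the result with fwrite() to a file would produce the equivalent of input.raw.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample of `objdump -d input.o` for input.s from the slide.
 * Instruction lines are "<addr>:<TAB><hex bytes><TAB><mnemonic ...>". */
static const char *SAMPLE_OBJDUMP =
    "\n"
    "input.o:     file format elf32-i386\n"
    "\n"
    "\n"
    "Disassembly of section .text:\n"
    "\n"
    "00000000 <.text>:\n"
    "   0:\tc7 45 08 00 00 00 00 \tmovl   $0x0,0x8(%ebp)\n"
    "   7:\t05 78 56 34 12       \tadd    $0x12345678,%eax\n";

static int hexval(unsigned char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = (unsigned char)tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Extracts machine-code bytes from objdump -d text.  Only lines whose first
 * ':' is followed by a TAB contribute (this skips the "file format" header,
 * which has spaces after its colon, and the symbol line, which ends at the
 * colon).  The hex field runs from that TAB to the next TAB or end of line;
 * continuation lines that carry bytes but no mnemonic are handled too.
 * Returns the byte count, or -1 if `out` is too small or a group is not
 * exactly two hex digits. */
int objdump_to_bytes(const char *text, uint8_t *out, size_t cap)
{
    size_t n = 0;
    const char *line = text;
    while (*line) {
        const char *eol = strchr(line, '\n');
        const char *end = eol ? eol : line + strlen(line);
        const char *colon = memchr(line, ':', (size_t)(end - line));
        if (colon && colon + 1 < end && colon[1] == '\t') {
            const char *p = colon + 2;
            while (p < end && *p != '\t') {
                if (*p == ' ') { p++; continue; }
                int hi = hexval((unsigned char)p[0]);
                int lo = (p + 1 < end) ? hexval((unsigned char)p[1]) : -1;
                if (hi < 0 || lo < 0) return -1;
                if (p + 2 < end && p[2] != ' ' && p[2] != '\t') return -1;
                if (n == cap) return -1;
                out[n++] = (uint8_t)(hi * 16 + lo);
                p += 2;
            }
        }
        line = eol ? eol + 1 : end;
    }
    return (int)n;
}

/* Byte count for any listing (or -1), using a local scratch buffer. */
int parse_count(const char *text)
{
    uint8_t buf[256];
    return objdump_to_bytes(text, buf, sizeof buf);
}

/* i-th extracted byte of the constructed sample, or -1 if out of range. */
int sample_byte_at(size_t i)
{
    uint8_t buf[256];
    int n = objdump_to_bytes(SAMPLE_OBJDUMP, buf, sizeof buf);
    return (n < 0 || i >= (size_t)n) ? -1 : buf[i];
}

int main(void)
{
    uint8_t code[256];
    int n = objdump_to_bytes(SAMPLE_OBJDUMP, code, sizeof code);
    printf("%d bytes:", n);
    for (int i = 0; i < n; i++) printf(" %02x", code[i]);
    printf("\n");
    /* fwrite(code, 1, (size_t)n, stdout) would emit the raw bytes, i.e. input.raw */
    return 0;
}
```

On the sample the parser yields 12 bytes, which is exactly how far the two instructions reach once they sit on the stack; the `disas 0xbffffa40 0xbffffa4b` range on the "Show Code on the Stack" slide spans that region.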