
18-213 Recitation 5: Attack Lab and Stacks
Carnegie Mellon

Agenda
- Attack Lab Overview
- Stacks Review
- Activity 1
- Procedure Calling Review
- Activity 2

Learning objectives
By the end of this recitation we want you to know:
- Stack discipline and calling conventions
- How to perform a simple buffer overflow attack
More discussion in lecture on Tuesday (Machine-Level Programming V: Advanced Topics).

Reminders and Lab Overview

Reminders
- Bomb Lab
- Attack Lab

Attack Lab overview
- Attack programs by crafting buffer overflow attacks that hijack the control flow.
- Provide inputs to the rtarget and ctarget programs that cause them to call certain functions.
- Unlike in bomblab, the targets don't explode.

Stacks Review

Manipulating the stack
What instructions do we typically use to change the stack pointer (%rsp)?

Growing the stack:
    sub    $0x28,%rsp
    push   %rbx
    callq  my_function

Shrinking the stack:
    add    $0x28,%rsp
    pop    %rbx
    retq

x86-64 Stack Frames
What kinds of data are stored on the stack?
- Saved registers
- Local variables
- Arguments 7+
- Saved return address

Which way does the stack grow?
Up? Down? Left? Right?
It depends on how you draw it. The stack always grows towards lower addresses in x86-64. Informally this usually means "down". Be aware of this possible ambiguity when reading diagrams.

Drawing memory:
- Stack diagrams: addresses are displayed increasing to the left and then upwards.
- Everything else: addresses are displayed increasing to the right and then downwards.

Endianness
Describes how integers are represented as bytes. Little endian means that the least significant 8 bits of an integer are stored at the lowest address.

32-bit integer 0x01020304 (0x01 is the big end, 0x04 the little end), stored at address A:

                    A+0    A+1    A+2    A+3
    Little endian   0x04   0x03   0x02   0x01
    Big endian      0x01   0x02   0x03   0x04
    Middle endian   0x02   0x01   0x04   0x03

Activity 1

Part 1: Introduction to solve
Let's look at solve in the src/activity.c file. What is it doing? Is it possible for the program to call win?

    void solve(void) {
        long before = 0xb4;
        char buf[16];
        long after = 0xaf;
        Gets(buf);
        if (before == 0x3331323531) win(0x15213);
        if (after == 0x3331323831) win(0x18213);
    }

Part 1: The gets function
    char *gets(char *s);
gets reads from standard input and writes characters into s until it reaches a newline. Since it has no information about the size of the buffer s, its design is fundamentally flawed. Never use gets yourself.
Gets is a CS:APP wrapper function that checks for errors and exits if it encounters any.

Part 1: Activity setup
- Split up into groups of 2-3 people. One person needs a laptop.
- Log in to a Shark machine and type:
    wget https://www.cs.cmu.edu/~213/activities/rec5.tar
    tar xvf rec5.tar
    cd rec5
- Take a look at the code in src/activity.c.

Part 1: Diving into assembly
- Look at the disassembly of solve. Try drawing a stack diagram.
- How large is the stack frame?
- Where is the saved return address?
- Where are before, buf, and after?
- Which variable will be overwritten if we perform a buffer overflow: before or after?

Part 1: Drawing the stack diagram
Disassembly of solve (built up one instruction at a time on the slides):

    0x4006b5 <+0>:   sub    $0x38,%rsp
    0x4006b9 <+4>:   movq   $0xb4,0x28(%rsp)
    0x4006c2 <+13>:  movq   $0xaf,0x8(%rsp)
    0x4006cb <+22>:  lea    0x10(%rsp),%rdi
    0x4006d0 <+27>:  callq  0x40073f <Gets>
    0x4006d5 <+32>:  mov    0x28(%rsp),%rdx

Resulting stack diagram (addresses increase towards the top of the slide):

    return address   %rsp+0x38
    before           %rsp+0x28
    buf (16 bytes)   %rsp+0x10
    after            %rsp+0x8
                     %rsp

Part 1: Comparing with GDB output
Let's compare the stack diagram we drew with the actual values on the stack after Gets returns.

    (gdb) break *0x4006d5
    (gdb) run
    Starting program: act1
    abcdefgh12345678
    (gdb) x/8gx $rsp
    0x602020: 0x0000000000000000  0x00000000000000af
    0x602030: 0x6867666564636261  0x3837363534333231
    0x602040: 0x0000000000000000  0x00000000000000b4
    0x602050: 0x0000000000000000  0x0000000000400783
    (gdb) x/64bx $rsp
    0x602020: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
    0x602028: 0xaf 0x00 0x00 0x00 0x00 0x00 0x00 0x00
    0x602030: 0x61 0x62 0x63 0x64 0x65 0x66 0x67 0x68
    0x602038: 0x31 0x32 0x33 0x34 0x35 0x36 0x37 0x38
    0x602040: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
    0x602048: 0xb4 0x00 0x00 0x00 0x00 0x00 0x00 0x00
    0x602050: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
    0x602058: 0x83 0x07 0x40 0x00 0x00 0x00 0x00 0x00

In the GDB output, addresses increase towards the bottom of the slide; in the stack diagram (return address at %rsp+0x38, before at %rsp+0x28, buf at %rsp+0x10, after at %rsp+0x8) they increase towards the top.

Part 1: Exploitation
- Try to find an input string that wins 1 cookie.
- What do we need to overwrite before with if we want to have before == 0x3331323531?
- Constructing an exploit: gets stops reading once it sees a newline. In the
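As an added example (not code from the recitation or from src/activity.c), the byte-order rules from the Endianness slide applied to the constants solve compares against, plus a bounded stand-in for the gets call that the gets slide warns about. The helper names le_decode, be_decode, byte_at and gets_bounded are chosen here, and every input is a constructed sample.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Little-endian decode: byte at the lowest address is least significant (x86-64). */
uint64_t le_decode(const unsigned char *p, size_t n)
{
    uint64_t v = 0;
    for (size_t i = 0; i < n; i++)
        v |= (uint64_t)p[i] << (8 * i);
    return v;
}

/* Big-endian decode of the same bytes, for comparison with the slide's table. */
uint64_t be_decode(const unsigned char *p, size_t n)
{
    uint64_t v = 0;
    for (size_t i = 0; i < n; i++)
        v = (v << 8) | p[i];
    return v;
}

/* Byte i of a 32-bit value as this machine actually lays it out in memory. */
unsigned char byte_at(uint32_t x, size_t i)
{
    unsigned char b[sizeof x];
    memcpy(b, &x, sizeof x);
    return b[i];
}

/* Bounded stand-in for gets(): copy from src (a constructed input line) into dst until
 * newline, NUL, or dst is full, always NUL-terminating and never writing past dstsize
 * bytes, so an over-long line is truncated instead of spilling into the next stack slot. */
size_t gets_bounded(char *dst, size_t dstsize, const char *src)
{
    size_t n = 0;
    if (dstsize == 0) return 0;
    for (; n < dstsize - 1 && src[n] != '\0' && src[n] != '\n'; n++)
        dst[n] = src[n];
    dst[n] = '\0';
    return n;
}

int main(void)
{
    const unsigned char s[] = "15213";   /* constructed sample bytes */
    printf("LE 0x%llx  BE 0x%llx  byte 0 of 0x01020304 = 0x%02x\n", (unsigned long long)le_decode(s, 5),
           (unsigned long long)be_decode(s, 5), byte_at(0x01020304u, 0));
    return 0;
}
```

Reading the GDB dump above with le_decode is the same operation: the eight bytes 0x61..0x68 at 0x602030 decode to 0x6867666564636261.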
CMU CS 15213 - Attack Lab and Stacks