CS 105 Tour of Black Holes of Computing Machine Level Programming V Miscellaneous Topics Topics Linux Memory Layout Understanding Pointers Buffer Overflow Floating Point Code FF Stack Linux Memory Layout Stack Upper 2 hex digits of address C0 BF Stack Runtime stack Heap Dynamically allocated storage When call malloc calloc realloc new DLLs 80 7F Heap Dynamically Linked Shared Libraries Library routines e g printf malloc Linked into object code when first executed Data 40 3F 2 08 00 DLLs Heap Data Text Statically allocated data E g arrays strings declared in code Text Executable machine instructions Read only 105 Linux Memory Allocation Initially BF Stack 80 7F Some Heap Linked BF Stack 80 7F BF Stack 80 7F More Heap BF Stack 80 7F Heap Heap 40 3F 08 00 3 40 3F Data Text 08 00 DLLs Data Text 40 3F 08 00 DLLs Data Text 40 3F 08 00 DLLs Heap Data Text 105 Text Stack Example gdb break main gdb run Breakpoint 1 0x804856f in main gdb print esp 3 void 0xbffffc78 Main Address 0x804856f should be read 0x0804856f Initially BF 80 7F 40 3F Stack 4 Address 0xbffffc78 Stack 08 00 Data Text 105 Dynamic Linking Example Linked gdb print malloc 1 text variable no debug info BF 0x8048454 malloc gdb run Program exited normally gdb print malloc 2 void unsigned int 0x40006240 malloc 80 7F Initially Code in text segment that invokes dynamic linker Address 0x8048454 should be read 0x08048454 Final 5 Code in DLL region 40 3F 08 00 Stack DLLs Data Text 105 Memory Allocation Example char big array 1 24 16 MB char huge array 1 28 256 MB int beyond char p1 p2 p3 p4 int useless int p1 p2 p3 p4 6 return 0 main malloc 1 malloc 1 malloc 1 malloc 1 Some print 28 256 MB 8 256 B 28 256 MB 8 256 B statements 105 Example Addresses esp p3 p1 Final malloc p4 p2 beyond big array huge array main useless Initial malloc 7 0xbffffc78 0x500b5008 0x400b4008 0x40006240 0x1904a640 0x1904a538 0x1904a524 0x1804a520 0x0804a510 0x0804856f 0x08048560 0x08048454 BF Stack 80 7F Heap 40 3F DLLs Heap 08 00 Data Text 105 C Operators Operators Associativity type sizeof left to right right to left left to right left to right left to right left to right left to right left to right left to right left to right left to right left to right right to left right to left left to right Note Unary and have higher precedence than binary forms 8 105 C Pointer Declarations int p p is a pointer to int int p 13 p is an array 13 of pointer to int int p 13 p is an array 13 of pointer to int int p p is a pointer to a pointer to an int int p 13 p is a pointer to an array 13 of int int f f is a function returning a pointer to int int f f is a pointer to a function returning int int f 13 f is a function returning ptr to an array 13 of pointers to functions returning int int x 3 5 x is an array 3 of pointers to functions returning pointers to array 5 of ints 9 105 Internet Worm and IM War November 1988 Internet Worm attacks thousands of Internet hosts How did it happen July 1999 Microsoft launches MSN Messenger instant messaging system Messenger clients can access popular AOL Instant Messaging Service AIM servers AIM client MSN server 10 MSN client AIM server AIM client 105 Internet Worm and IM War cont August 1999 Mysteriously Messenger clients can no longer access AIM servers Microsoft and AOL begin the IM war AOL changes server to disallow Messenger clients Microsoft makes changes to clients to defeat AOL changes At least 13 such skirmishes How did it happen The Internet Worm and AOL Microsoft War were both based on stack buffer overflow exploits Many Unix functions do not check argument sizes Allows target buffers to overflow 11 105 String Library Code Implementation of Unix function gets No way to specify limit on number of characters to read Get string from stdin char gets char dest int c getc char p dest while c EOF c n p c c getc p 0 return dest Similar problems with other Unix functions strcpy Copies string of arbitrary length scanf fscanf sscanf when given s conversion specification 12 105 Vulnerable Buffer Code Echo Line void echo char buf 4 gets buf puts buf Way too small int main printf Type a string echo return 0 13 105 Buffer Overflow Executions unix bufdemo Type a string 123 123 unix bufdemo Type a string 12345 Segmentation Fault unix bufdemo Type a string 12345678 Segmentation Fault 14 105 Buffer Overflow Stack Stack Frame for main Return Address Saved ebp ebp 3 2 1 0 buf Stack Frame for echo 15 Echo Line void echo char buf 4 gets buf puts buf echo pushl ebp movl esp ebp subl 20 esp pushl ebx addl 12 esp leal 4 ebp ebx pushl ebx call gets Way too small Save ebp on stack Allocate space on stack Save ebx Allocate space on stack Compute buf as ebp 4 Push buf on stack Call gets 105 Buffer Overflow Stack Example Stack Frame for main Return Address Saved ebp ebp 3 2 1 0 buf Stack Frame for echo unix gdb bufdemo gdb break echo Breakpoint 1 at 0x8048583 gdb run Breakpoint 1 0x8048583 in echo gdb print x unsigned ebp 1 0xbffff8f8 gdb print x unsigned ebp 1 3 0x804864d Stack Frame for main Before call to gets Return 08 04 Address 86 4d bf Saved ff ebp f8 f8 0xbffff8d8 3 2 1 0 xx xx xx xx buf Stack Frame for echo 8048648 call 804857c echo 804864d mov 0xffffffe8 ebp ebx Return Point 16 105 Buffer Overflow Example 1 Before Call to gets Stack Frame for main Return Address Saved ebp ebp 3 2 1 0 buf Stack Frame for echo Input 123 Stack Frame for main Return 08 04 Address 86 4d bf Saved ff f8 ebp f8 0xbffff8d8 3 2 1 0 00 33 32 31 buf Stack Frame for echo No Problem 17 105 Buffer Overflow Stack Example 2 Stack Frame for main Stack Frame for main Return Address Saved ebp ebp 3 2 1 0 buf Stack Frame for echo 8048592 8048593 8048598 804859b 804859d 804859e 18 Return 08 04 Address 86 4d bf Saved ff 00 ebp 35 0xbffff8d8 3 2 1 0 34 33 32 31 buf Stack Frame for echo echo code push call mov mov pop ret Input 12345 Saved value of ebp set to 0xbfff0035 Bad news when later attempt to restore ebp ebx 80483e4 init 0x50 gets 0xffffffe8 ebp ebx ebp esp ebp ebp gets set to invalid value 105 Buffer Overflow Stack Example 3 Stack Frame for main Return Address Saved ebp ebp 3 2 1 0 buf Stack Frame for echo Stack Frame for main Input 12345678 Return 08 04 Address 86 00 38 Saved 37 36 ebp 35 0xbffff8d8 3 2 1 0 34 …
View Full Document
Unlocking...