Embed Size (px)
Citation preview
Carnegie Mellon
1
Introduction to x86 Assemblyor “How does someone hack my laptop?”
Ýmir VigfússonS.P.E.C.T.R.E.
2
Plan for today
Review the memory abstraction and dynamic memory
Talk about the stack principle
Discuss the essence of buffer overflows
3
Memory
4
Memory
1296 1297 1298 1299 1300 1301 1302 1303 1304 1305
Address
Memory manager
5
Memory
1296 1297 1298 1299 1300 1301 1302 1303 1304 1305
Address
6
9000
I: Storing data in memory
1296 1297 1298 1299 1300 1301 1302 1303 1304 1305
movl %eax, 1301
mov , 9000
7
Register
Value
%eax ???
%ecx 1301
II: Retrieving data from memory
1296 1297 1298 1299 1300 1301 1302 1303 1304 1305
movl 1301, %eax
mov ,
Register
Value
%eax 9000
%ecx 1301
or movl (%ecx), %eax
8
III: Pointers to memory
1296 1297 1298 1299 1300 1301 1302 1303 1304 1305
movl (1301), %eax
mov ( ),
9
Note: Copying pointers does not copy contents
int *a, *b;
a = ;
b = ;
1296 1297 1298
*b = *a;
b = a;
10
But how does one create a „key“ ? In the course so far, we have used local and
static variables.
Local variables are allocated memory on the stack The stack is a portion of global memory governed by a special principle As mentioned before, the stack on Intel x86 grows down
char *global;
int func(void) { char *buf = “I ♥ STYRIKERFI”; int n;
n = strlen(buf); printf ("Buf[%d]: %s\n", n, buf); return (n); }
Local variables
11
Local variables: the stack principle
9990 9991 9992 9993 9994 9995 9996 9997 9998 9999
void bla(void) { char A[16]; function();}
void function(void) { char B[12]; int i; ...}
Buffer A
Buffer B
Int i
STACK
Return address
%esp
I assign memory
addresses sequentially
12
Is the stack principle enough?
Not really sufficient for modern memory use• You may want to create variables for parent functions
to use• You may want to have very large data in memory• You may want to control when some memory is and
isn‘t available
Most languages also provide dynamic memory allocation• Think “new“ and “delete“ in C++.• Exception: Functional programming languages
13
Dynamic memory allocation
Now I assign new data to any series of
„empty“ lockers that can fit the data
1296 1297 1298 1299 1300 1301 1302 1303 1304 1305int *a, *b, *c;char *c, *d;
a = (int *)malloc(sizeof(int));b = (int *)malloc(sizeof(int));c = a;
free (a);d = (char *)malloc(5);
To where does c point under the end?What happens if d gets written now?
14
Locker analogy overviewComputing world (C / assembly)
Address space (consecutive memory)
Data in memory
Memory address / pointer
Memory management strategy
Array or struct
Stack pointer
Copying a pointer (e.g. ptr = ptr2;)
Freeing memory (via free() or delete())
Releasing pointer (e.g. ptr = NULL;)
Writing to an uninitialized variable
Stale reference to a freed object
Memory leakage
Locker world
Rows of lockers
Contents of a locker
Key to the locker (on a keyring)
Locker manager
Series of consecutive lockers
Next available locker in a sequence
Copying a key (not the locker contents)
Telling the manager the locker is available
Returning the key
Accidentally using someone else‘s lockerbecause you kept the old key
Forgetting to return the keys for a locker
Forgetting to telling the manager that the locker was indeed free
15
Carnegie Mellon
Today Switch statements IA 32 Procedures
Stack Structure Calling Conventions Illustrations of Recursion & Pointers
16
Carnegie Mellon
IA32 Stack Region of memory
managed with stack discipline
Grows toward lower addresses
Register %esp contains
lowest stack address address of “top” elementStack Pointer: %esp
Stack GrowsDown
IncreasingAddresses
Stack “Top”
Stack “Bottom”
17
Carnegie Mellon
IA32 Stack: Push pushl Src
Fetch operand at Src Decrement %esp by 4 Write operand at address given by %esp
-4
Stack GrowsDown
IncreasingAddresses
Stack “Bottom”
Stack Pointer: %esp
Stack “Top”
18
Stack Pointer: %esp
Stack GrowsDown
IncreasingAddresses
Stack “Top”
Stack “Bottom”
Carnegie Mellon
IA32 Stack: Pop
+4
19
Carnegie Mellon
Procedure Control Flow Use stack to support procedure call and
return Procedure call: call label
Push return address on stack Jump to label
Return address: Address of the next instruction right after call Example from disassembly804854e: e8 3d 06 00 00 call 8048b90 <main>
8048553: 50 pushl %eax Return address = 0x8048553
Procedure return: ret Pop address from stack Jump to address
20
0x8048553
0x104
Carnegie Mellon
%esp
%eip
%esp
%eip 0x8048b90
0x108
0x10c
0x110
0x104
0x804854e
123
Procedure Call Example
0x108
0x10c
0x110
123
0x108
call 8048b90
804854e: e8 3d 06 00 00 call 8048b90 <main>8048553: 50 pushl %eax
804854e: e8 3d 06 00 00 call 8048b90 <main>8048553: 50 pushl %eax
%eip: program counter
21
Carnegie Mellon
%esp
%eip
0x104
%esp
%eip0x804859
1
0x104
0x108
0x10c
0x110
0x8048553
123
Procedure Return Example
0x108
0x10c
0x110
123
ret
8048591: c3 ret8048591: c3 ret
0x108
0x8048553
0x8048553
%eip: program counter
22
Carnegie Mellon
Stack-Based Languages Languages that support recursion
e.g., C, Pascal, Java Code must be “Reentrant”
Multiple simultaneous instantiations of single procedure Need some place to store state of each instantiation
Arguments Local variables Return pointer
Stack discipline State for given procedure needed for limited time
From when called to when return Callee returns before caller does
Stack allocated in Frames state for single procedure instantiation
23
Carnegie Mellon
Call Chain Example
yoo(…){ • • who(); • •}
yoo(…){ • • who(); • •}
who(…){ • • • amI(); • • • amI(); • • •}
who(…){ • • • amI(); • • • amI(); • • •}
amI(…){ • • amI(); • •}
amI(…){ • • amI(); • •}
yoo
who
amI
amI
amI
ExampleCall Chain
amI
Procedure amI() is recursive
24
Carnegie Mellon
Frame Pointer: %ebp
Stack Frames Contents
Local variables Return information Temporary space
Management Space allocated when enter procedure
“Set-up” code Deallocated when return
“Finish” code
Stack Pointer: %esp
Stack “Top”
Previous Frame
Frame for
proc
25
Carnegie Mellon
Example
yoo
who
amI
amI
amI
amI
yoo%ebp
%esp
Stack
yoo
yoo(…){ • • who(); • •}
yoo(…){ • • who(); • •}
26
yoo(…){ • • who(); • •}
yoo(…){ • • who(); • •}
Carnegie Mellon
Example
yoo
who
amI
amI
amI
amI
yoo
%ebp
%esp
Stack
yoo
who
who(…){ • • • amI(); • • • amI(); • • •}
who(…){ • • • amI(); • • • amI(); • • •}
27
yoo(…){ • • who(); • •}
yoo(…){ • • who(); • •}
who(…){ • • • amI(); • • • amI(); • • •}
who(…){ • • • amI(); • • • amI(); • • •}
Carnegie Mellon
Example
yoo
who
amI
amI
amI
amI
yoo
%ebp
%esp
Stack
yoo
who
amI
amI(…){ • • amI(); • •}
amI(…){ • • amI(); • •}
28
Carnegie Mellon
Example
yoo
who
amI
amI
amI
amI
yoo
%ebp
%esp
Stack
yoo
who
amI
amI
yoo(…){ • • who(); • •}
yoo(…){ • • who(); • •}
who(…){ • • • amI(); • • • amI(); • • •}
who(…){ • • • amI(); • • • amI(); • • •}
amI(…){ • • amI(); • •}
amI(…){ • • amI(); • •}
amI(…){ • • amI(); • •}
amI(…){ • • amI(); • •}
29
Carnegie Mellon
Example
yoo
who
amI
amI
amI
amI
yoo
%ebp
%esp
Stack
yoo
who
amI
amI
amI
yoo(…){ • • who(); • •}
yoo(…){ • • who(); • •}
who(…){ • • • amI(); • • • amI(); • • •}
who(…){ • • • amI(); • • • amI(); • • •}
amI(…){ • • amI(); • •}
amI(…){ • • amI(); • •}
amI(…){ • • amI(); • •}
amI(…){ • • amI(); • •}
amI(…){ • • amI(); • •}
amI(…){ • • amI(); • •}
30
Carnegie Mellon
Example
yoo
who
amI
amI
amI
amI
yoo
%ebp
%esp
Stack
yoo
who
amI
amI
yoo(…){ • • who(); • •}
yoo(…){ • • who(); • •}
who(…){ • • • amI(); • • • amI(); • • •}
who(…){ • • • amI(); • • • amI(); • • •}
amI(…){ • • amI(); • •}
amI(…){ • • amI(); • •}
amI(…){ • • amI(); • •}
amI(…){ • • amI(); • •}
31
Carnegie Mellon
Example
yoo
who
amI
amI
amI
amI
yoo
%ebp
%esp
Stack
yoo
who
amI
yoo(…){ • • who(); • •}
yoo(…){ • • who(); • •}
who(…){ • • • amI(); • • • amI(); • • •}
who(…){ • • • amI(); • • • amI(); • • •}
amI(…){ • • amI(); • •}
amI(…){ • • amI(); • •}
32
Carnegie Mellon
Example
yoo
who
amI
amI
amI
amI
yoo
%ebp
%esp
Stack
yoo
who
yoo(…){ • • who(); • •}
yoo(…){ • • who(); • •}
who(…){ • • • amI(); • • • amI(); • • •}
who(…){ • • • amI(); • • • amI(); • • •}
33
Carnegie Mellon
Example
yoo
who
amI
amI
amI
amI
yoo
%ebp
%esp
Stack
yoo
who
amI
yoo(…){ • • who(); • •}
yoo(…){ • • who(); • •}
who(…){ • • • amI(); • • • amI(); • • •}
who(…){ • • • amI(); • • • amI(); • • •}
amI(…){ • • amI(); • •}
amI(…){ • • amI(); • •}
34
Carnegie Mellon
Example
yoo
who
amI
amI
amI
amI
yoo
%ebp
%esp
Stack
yoo
who
yoo(…){ • • who(); • •}
yoo(…){ • • who(); • •}
who(…){ • • • amI(); • • • amI(); • • •}
who(…){ • • • amI(); • • • amI(); • • •}
35
Carnegie Mellon
Example
yoo
who
amI
amI
amI
amI
yoo%ebp
%esp
Stack
yooyoo(…){ • • who(); • •}
yoo(…){ • • who(); • •}
36
Carnegie Mellon
IA32/Linux Stack Frame Current Stack Frame (“Top”
to Bottom) “Argument build:”
Parameters for function about to call Local variables
If can’t keep in registers Saved register context Old frame pointer
Caller Stack Frame Return address
Pushed by call instruction Arguments for this call
Return Addr
SavedRegisters
+Local
Variables
ArgumentBuild
Old %ebp
Arguments
CallerFrame
Frame pointer
%ebp
Stack pointer
%esp
37
Carnegie Mellon
Revisiting swap
void swap(int *xp, int *yp) { int t0 = *xp; int t1 = *yp; *xp = t1; *yp = t0;}
void swap(int *xp, int *yp) { int t0 = *xp; int t1 = *yp; *xp = t1; *yp = t0;}
int course1 = 15213;int course2 = 18243;
void call_swap() { swap(&course1, &course2);}
int course1 = 15213;int course2 = 18243;
void call_swap() { swap(&course1, &course2);}
call_swap:• • •subl $8, %espmovl $course2, 4(%esp)movl $course1, (%esp)call swap• • •
call_swap:• • •subl $8, %espmovl $course2, 4(%esp)movl $course1, (%esp)call swap• • •
&course2
&course1
Rtn adr %esp
ResultingStack•
••
Calling swap from call_swap
%esp
%espsubl
call
38
Carnegie Mellon
Revisiting swap
void swap(int *xp, int *yp) { int t0 = *xp; int t1 = *yp; *xp = t1; *yp = t0;}
void swap(int *xp, int *yp) { int t0 = *xp; int t1 = *yp; *xp = t1; *yp = t0;}
swap:pushl %ebpmovl %esp, %ebppushl %ebx
movl 8(%ebp), %edxmovl 12(%ebp), %ecxmovl (%edx), %ebxmovl (%ecx), %eaxmovl %eax, (%edx)movl %ebx, (%ecx)
popl %ebxpopl %ebpret
Body
SetUp
Finish
39
Carnegie Mellon
swap Setup #1
swap:
pushl %ebp
movl %esp,%ebp
pushl %ebx
Resulting Stack
&course2
&course1
Rtn adr %esp
Entering Stack
•••
%ebp
yp
xp
Rtn adr
Old %ebp
%ebp•••
%esp
40
Carnegie Mellon
swap Setup #2
swap:
pushl %ebp
movl %esp,%ebp
pushl %ebx
Resulting Stack
&course2
&course1
Rtn adr %esp
Entering Stack
•••
%ebp
yp
xp
Rtn adr
Old %ebp%ebp
•••
%esp
41
Carnegie Mellon
swap Setup #3
swap:
pushl %ebp
movl %esp,%ebp
pushl %ebx
Resulting Stack
&course2
&course1
Rtn adr %esp
Entering Stack
•••
%ebp
yp
xp
Rtn adr
Old %ebp %ebp
•••
%espOld %ebx
42
Carnegie Mellon
swap Body
movl 8(%ebp),%edx # get xpmovl 12(%ebp),%ecx # get yp. . .
Resulting Stack
&course2
&course1
Rtn adr %esp
Entering Stack
•••
%ebp
yp
xp
Rtn adr
Old %ebp %ebp
•••
%espOld %ebx
Offset relative to %ebp
12
8
4
43
Carnegie Mellon
swap FinishStack Before Finish
popl %ebxpopl %ebp
yp
xp
Rtn adr
Old %ebp %ebp
•••
%espOld %ebx
Resulting Stack
yp
xp
Rtn adr
•••
%ebp
%esp
Observation Saved and restored register %ebx Not so for %eax, %ecx, %edx
44
Carnegie Mellon
Disassembled swap08048384 <swap>: 8048384: 55 push %ebp 8048385: 89 e5 mov %esp,%ebp 8048387: 53 push %ebx 8048388: 8b 55 08 mov 0x8(%ebp),%edx 804838b: 8b 4d 0c mov 0xc(%ebp),%ecx 804838e: 8b 1a mov (%edx),%ebx 8048390: 8b 01 mov (%ecx),%eax 8048392: 89 02 mov %eax,(%edx) 8048394: 89 19 mov %ebx,(%ecx) 8048396: 5b pop %ebx 8048397: 5d pop %ebp 8048398: c3 ret
80483b4: movl $0x8049658,0x4(%esp) # Copy &course2 80483bc: movl $0x8049654,(%esp) # Copy &course1 80483c3: call 8048384 <swap> # Call swap 80483c8: leave # Prepare to return 80483c9: ret # Return
Calling Code
45
Carnegie Mellon
IA32/Linux+Windows Register Usage
%eax, %edx, %ecx Caller saves prior to call if values
are used later
%eax also used to return integer value
%ebx, %esi, %edi Callee saves if wants to use them
%esp, %ebp special form of callee save Restored to original values upon
exit from procedure
%eax
%edx
%ecx
%ebx
%esi
%edi
%esp
%ebp
Caller-SaveTemporaries
Callee-SaveTemporaries
Special
46
Carnegie Mellon
So far IA 32 Procedures
Stack Structure Calling Conventions Illustrations of Recursion & Pointers
47
Carnegie Mellon
%esp
Creating and Initializing Local Variableint add3(int x) { int localx = x; incrk(&localx, 3); return localx;}
int add3(int x) { int localx = x; incrk(&localx, 3); return localx;}
Variable localx must be stored on stack Because: Need to create pointer to it
Compute pointer as -4(%ebp)
First part of add3
x
Rtn adrOld
%ebp%ebp 0
4
8
-4 localx = x
Unused-12
-8
-16
add3:pushl%ebpmovl %esp, %ebpsubl $24, %esp # Alloc. 24 bytesmovl 8(%ebp), %eaxmovl %eax, -4(%ebp)# Set localx to x
add3:pushl%ebpmovl %esp, %ebpsubl $24, %esp # Alloc. 24 bytesmovl 8(%ebp), %eaxmovl %eax, -4(%ebp)# Set localx to x -20
-24
48
Carnegie Mellon
%esp
Creating Pointer as Argument
int add3(int x) { int localx = x; incrk(&localx, 3); return localx;}
int add3(int x) { int localx = x; incrk(&localx, 3); return localx;}
Use leal instruction to compute address of localx
Middle part of add3
x
Rtn adrOld
%ebp%ebp 0
4
8
-4 localx
Unused-12
-8
-16
movl $3, 4(%esp) # 2nd arg = 3leal -4(%ebp), %eax# &localxmovl %eax, (%esp) # 1st arg = &localxcall incrk
movl $3, 4(%esp) # 2nd arg = 3leal -4(%ebp), %eax# &localxmovl %eax, (%esp) # 1st arg = &localxcall incrk
-20
-24
3 %esp+4
49
Carnegie Mellon
%esp
Retrieving local variable
int add3(int x) { int localx = x; incrk(&localx, 3); return localx;}
int add3(int x) { int localx = x; incrk(&localx, 3); return localx;}
Retrieve localx from stack as return value
Final part of add3
x
Rtn adrOld
%ebp%ebp 0
4
8
-4 localx
Unused-12
-8
-16
movl -4(%ebp), %eax # Return val= localxleaveret
movl -4(%ebp), %eax # Return val= localxleaveret
-20
-24
50
Carnegie Mellon
IA32/Linux+Windows Register Usage
%eax, %edx, %ecx Caller saves prior to call if values
are used later
%eax also used to return integer value
%ebx, %esi, %edi Callee saves if wants to use them
%esp, %ebp special form of callee save Restored to original values upon
exit from procedure
%eax
%edx
%ecx
%ebx
%esi
%edi
%esp
%ebp
Caller-SaveTemporaries
Callee-SaveTemporaries
Special
51
Internet Worm and IM War
November, 1988 Internet Worm attacks thousands of
Internet hosts. How did it happen?
52
Internet Worm and IM War
November, 1988 Internet Worm attacks thousands of Internet hosts. How did it happen?
July, 1999 Microsoft launches MSN Messenger (instant
messaging system). Messenger clients can access popular AOL Instant
Messaging Service (AIM) servers
AIMserver
AIMclient
AIMclient
MSNclient
MSNserver
53
Internet Worm and IM War (cont.)
August 1999 Mysteriously, Messenger clients can no
longer access AIM servers. Microsoft and AOL begin the IM war:
▪ AOL changes server to disallow Messenger clients
▪ Microsoft makes changes to clients to defeat AOL changes.
▪ At least 13 such skirmishes. How did it happen?
The Internet Worm and AOL/Microsoft War were both based on stack buffer overflow exploits!
▪ many library functions do not check argument sizes.
▪ allows target buffers to overflow.
Buffer overflows
Strings in C terminate at the first NUL-byte Copying strings requires bounds
checking!
Buffer A
Buffer B
Int i
void function(void) { char A[16]; char B[64]; int i;
strcpy (B, “Antimony arsenic aluminum celenium“); strcpy (A, “AAAABBBBCCCCDDDD“); printf (“String B: %s\n“, B);}
000000000000000000000000000000000000000000000000000...0000000000000000Antimony arsenic aluminum celenium0..AAAABBBBCCCCDDDD0ntimony arsenic aluminum celenium0..
AAAABBBBCCCCDDDD0Antimony arsenic aluminum celenium0
Buffer overflows
C stores all variables on stack, but also other important stuff! E.g. the address of where it was last
executing (called the return address)
void bla(void) { char A[16]; function();}
void function(void) { char B[64]; int i; ...}
Buffer A
Buffer B
Int i
STACK
Return address
Buffer overflows
What happens if we write too much to B?
Buffer A
Buffer B
Int i
STACK
Return address
Could return to
anywhere!
somebuffer
void function(void) { char B[64]; int i; strcpy (B, somebuffer);}
Buffer overflows
Where would we want to return? Could return to OUR input buffer Treated as machine code! Can execute
anything
void bla(void) { char A[16]; function();}
void function(void) { char B[64]; int i; ...}
Buffer A
Buffer B
Int i
STACK
Return address
somebuffer
Buffer overflows
What do we want to execute? Could eject CDROM or delete all files Could launch a shell (say „/bin/bash“) Could open a new port and launch a shell
there Could connect back to our host
Need to careful about the input Such as NUL bytes
Known as shellcode
59
String Library Code Implementation of Unix function gets()
No way to specify limit on number of characters to read
Similar problems with other library functions strcpy, strcat: Copy strings of arbitrary length scanf, fscanf, sscanf, when given %s conversion
specification
/* Get string from stdin */char *gets(char *dest){ int c = getchar(); char *p = dest; while (c != EOF && c != '\n') { *p++ = c; c = getchar(); } *p = '\0'; return dest;}
60
Vulnerable Buffer Code
void call_echo() { echo();}
/* Echo Line */void echo(){ char buf[4]; /* Way too small! */ gets(buf); puts(buf);}
unix>./bufdemoType a string:12345671234567
unix>./bufdemoType a string:12345678Segmentation Fault
unix>./bufdemoType a string:123456789ABCSegmentation Fault
61
Buffer Overflow Disassembly
80485c5: 55 push %ebp 80485c6: 89 e5 mov %esp,%ebp 80485c8: 53 push %ebx 80485c9: 83 ec 14 sub $0x14,%esp 80485cc: 8d 5d f8 lea 0xfffffff8(%ebp),%ebx 80485cf: 89 1c 24 mov %ebx,(%esp) 80485d2: e8 9e ff ff ff call 8048575 <gets> 80485d7: 89 1c 24 mov %ebx,(%esp) 80485da: e8 05 fe ff ff call 80483e4 <puts@plt> 80485df: 83 c4 14 add $0x14,%esp 80485e2: 5b pop %ebx 80485e3: 5d pop %ebp 80485e4: c3 ret
80485eb: e8 d5 ff ff ff call 80485c5 <echo> 80485f0: c9 leave 80485f1: c3 ret
call_echo:
echo:
62
Buffer Overflow Stack
echo:pushl %ebp # Save %ebp on stackmovl %esp, %ebppushl %ebx # Save %ebxsubl $20, %esp # Allocate stack spaceleal -8(%ebp),%ebx # Compute buf as %ebp-8movl %ebx, (%esp) # Push buf on stackcall gets # Call gets. . .
/* Echo Line */void echo(){ char buf[4]; /* Way too small! */ gets(buf); puts(buf);}
Return AddressSaved %ebp %ebp
Stack Framefor main
Stack Framefor echo
[3][2][1][0] buf
Before call to gets
Saved %ebx
63
Buffer Overflow Stack Example
unix> gdb bufdemo(gdb) break echoBreakpoint 1 at 0x80485c9(gdb) runBreakpoint 1, 0x80485c9 in echo ()(gdb) print /x $ebp$1 = 0xffffd678(gdb) print /x *(unsigned *)$ebp$2 = 0xffffd688(gdb) print /x *((unsigned *)$ebp + 1)$3 = 0x80485f0
80485eb: e8 d5 ff ff ff call 80485c5 <echo> 80485f0: c9 leave
0xffffd678
buf
0xffffd688
Return AddressSaved %ebp
Stack Framefor main
Stack Framefor echo
[3][2][1][0]
Stack Framefor main
Stack Framefor echo
xx xx xx xx buf
ff ff d6 8808 04 85 f0
Before call to gets Before call to gets
Saved %ebx Saved %ebx
64
Buffer Overflow Example #1
Overflow buf, and corrupt %ebx,but no problem
Stack Framefor echo
xx xx xx xx buf
Stack Framefor echo
34 33 32 31 buf00 37 36 35
Before call to gets Input 1234567
0xffffd678
0xffffd688Stack Framefor main
ff ff d6 8808 04 85 f0
0xffffd678
0xffffd688Stack Framefor main
ff ff d6 8808 04 85 f0
Saved %ebx
65
Buffer Overflow Example #2
Base pointer corrupted
Stack Framefor echo
xx xx xx xx buf
Stack Framefor echo
34 33 32 31 buf
0038 37 36 35
Before call to gets Input 12345678
. . . 80485eb: e8 d5 ff ff ff call 80485c5 <echo> 80485f0: c9 leave # Set %ebp to corrupted value 80485f1: c3 ret
0xffffd678
0xffffd688Stack Framefor main
ff ff d6 8808 04 85 f0
0xffffd678
0xffffd688Stack Framefor main
ff ff d608 04 85 f0
Saved %ebx
66
Buffer Overflow Example #3
Return address corrupted
Stack Framefor echo
xx xx xx xx buf
Stack Framefor echo
34 33 32 31 buf
43 42 41 3900
38 37 36 35
Before call to gets Input 123456789
80485eb: e8 d5 ff ff ff call 80485c5 <echo> 80485f0: c9 leave # Desired return point
0xffffd678
0xffffd688Stack Framefor main
ff ff d6 8808 04 85 f0
0xffffd678
0xffffd688Stack Framefor main
08 04 85
Saved %ebx
67
Malicious Use of Buffer Overflow
Input string contains byte representation of executable code
Overwrite return address A with address of buffer BWhen bar() executes ret, will jump to exploit code
int bar() { char buf[64]; gets(buf); ... return ...; }
void foo(){ bar(); ...}
Stack after call to gets()
B
returnaddressA
foo stack frame
bar stack frame
B
exploitcode
paddata writtenby gets()
68
Buflab (7%)
You will be writing rudimentary exploit code Yeah! How cool is that?
The goal: Take a carefully crafted service Overflow its buffers Make it do different / new things
The assignment proceeds in stages, scores for each Competitive scoreboard:
http://skel.ru.is:1337
Deadline: 28/1 23:59. Individual assignment.
