15-213 Recitation 4: 09/30/02 Outline The Stack! Essential skill for Lab 3 –Out-of-bound array access –Put your code on the stack Annie Luo

Slides:



Advertisements
Similar presentations
Recitation 4 Outline Buffer overflow –Practical skills for Lab 3 Code optimization –Strength reduction –Common sub-expression –Loop unrolling Reminders.
Advertisements

Smashing the Stack for Fun and Profit
Exploring Security Vulnerabilities by Exploiting Buffer Overflow using the MIPS ISA Andrew T. Phillips Jack S. E. Tan Department of Computer Science University.
Recitation 8 – 3/25/02 Outline Dynamic Linking Review prior test questions 213 Course Staff Office Hours: See Posting.
RECITATION - 09/20/2010 BY SSESHADR Buflab. Agenda Reminders  Bomblab should be finished up  Exam 1 is on Tuesday 09/28/2010 Stack Discipline Buflab.
Memory Image of Running Programs Executable file on disk, running program in memory, activation record, C-style and Pascal-style parameter passing.
PC hardware and x86 3/3/08 Frans Kaashoek MIT
Windows XP SP2 Stack Protection Jimmy Hermansson Johan Tibell.
UBC104 Embedded Systems Functions & Pointers.
September 22, 2014 Pengju (Jimmy) Jin Section E
Attacks Using Stack Buffer Overflow Boxuan Gu
Recitation 2: Assembly & gdb Andrew Faulring Section A 16 September 2002.
Recitation: Bomb Lab June 5, 2015 Dipayan Bhattacharya.
Carnegie Mellon 1 This week Buffer Overflow  Vulnerability  Protection.
CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2011.
Assembly, Stacks, and Registers Kevin C. Su 9/26/2011.
Lecture 6: Buffer Overflow CS 436/636/736 Spring 2014 Nitesh Saxena *Adopted from a previous lecture by Aleph One (Smashing the Stack for Fun and Profit)
Carnegie Mellon Introduction to Computer Systems /18-243, spring 2009 Recitation, Jan. 14 th.
1 Carnegie Mellon Stacks : Introduction to Computer Systems Recitation 5: September 24, 2012 Joon-Sup Han Section F.
Buffer Overflow Computer Organization II 1 © McQuain Buffer Overflows Many of the following slides are based on those from Complete Powerpoint.
University of Washington Today Memory layout Buffer overflow, worms, and viruses 1.
1 Machine-Level Programming V: Advanced Topics Andrew Case Slides adapted from Jinyang Li, Randy Bryant & Dave O’Hallaron.
Recitation 4: The Stack & Lab3 Andrew Faulring Section A 30 September 2002.
1 #include void silly(){ char s[30]; gets(s); printf("%s\n",s); } main(){ silly(); return 0; }
Recitation 6 – 2/26/01 Outline Linking Exam Review –Topics Covered –Your Questions Shaheen Gandhi Office Hours: Wednesday.
University of Washington Today Happy Monday! HW2 due, how is Lab 3 going? Today we’ll go over:  Address space layout  Input buffers on the stack  Overflowing.
Recitation 2 – 2/11/02 Outline Stacks & Procedures Homogenous Data –Arrays –Nested Arrays Mengzhi Wang Office Hours: Thursday.
Recitation 2: Outline Assembly programming Using gdb L2 practice stuff Minglong Shao Office hours: Thursdays 5-6PM Wean Hall.
Carnegie Mellon Recitation: Bomb Lab 21 Sep 2015 Monil Shah, Shelton D’Souza.
Buffer Overflows Many of the following slides are based on those from
Stack-based buffer overflows Yves Younan DistriNet, Department of Computer Science Katholieke Universiteit Leuven Belgium
What is exactly Exploit writing?  Writing a piece of code which is capable of exploit the vulnerability in the target software.
CS 155 Section 1 PP1 Eu-Jin Goh. Setting up Environment Demo.
Buffer Overflow Attack- proofing of Code Binaries Ramya Reguramalingam Gopal Gupta Gopal Gupta Department of Computer Science University of Texas at Dallas.
Reminder Bomb lab is due tomorrow! Attack lab is released tomorrow!!
University of Amsterdam Computer Systems – the instruction set architecture Arnoud Visser 1 Computer Systems The instruction set architecture.
CS642: Computer Security X86 Review Process Layout, ISA, etc. Drew Davidson
Information Security - 2. A Stack Frame. Pushed to stack on function CALL The return address is copied to the CPU Instruction Pointer when the function.
1 Linking. 2 Outline Symbol Resolution Relocation Suggested reading: 7.6~7.7.
EXPLOITATION CRASH COURSE – FALL 2013 UTD Computer Security Group – Andrew Folloder csg.utdallas.edu (credit: Scott Hand)
Recitation 3 Outline Recursive procedure Complex data structures –Arrays –Structs –Unions Function pointer Reminders Lab 2: Wed. 11:59PM Lab 3: start early.
Improvements to the Compiler Lecture 27 Mon, Apr 26, 2004.
Buffer Overflow Attacks 1 Basic Idea Sample Attacks Protection , Computer & Network Security.
CS 3214 Computer Systems Godmar Back Lecture 7. Announcements Stay tuned for Project 2 & Exercise 4 Project 1 due Sep 16 Auto-fail rule 1: –Need at least.
OUTLINE 2 Pre-requisite Bomb! Pre-requisite Bomb! 3.
CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2014.
Buffer Overflows ...or How I Learned to Never Trust the User
Buffer Overflow Buffer overflows are possible because C doesn’t check array boundaries Buffer overflows are dangerous because buffers for user input are.
Recitation 3: Procedures and the Stack
C function call conventions and the stack
The Hardware/Software Interface CSE351 Winter 2013
Recitation: Attack Lab
Exploiting & Defense Day 2 Recap
Recitation 2 – 2/11/02 Outline Stacks & Procedures
Aaron Miller David Cohen Spring 2011
Recitation 2 – 2/4/01 Outline Machine Model
Recitation: Attack Lab
Chapter 3 Machine-Level Representation of Programs
Computer Architecture and Assembly Language
Defeating Instruction Set Randomization Nora Sovarel
Recitation: Attack Lab
C Prog. To Object Code text text binary binary Code in files p1.c p2.c
The Runtime Environment
Machine-Level Representation of Programs III
The Runtime Environment
Chapter 3 Machine-Level Representation of Programs
X86 Assembly Review.
Instructors: Majd Sakr and Khaled Harras
Computer Architecture and System Programming Laboratory
Computer Architecture and System Programming Laboratory
Presentation transcript:

Recitation 4: 09/30/02 Outline The Stack! Essential skill for Lab 3 –Out-of-bound array access –Put your code on the stack Annie Luo Office Hours: Thursday 6:00 – 7:00 Wean 8402 Out of town next week – Rajesh is taking over Reminder Exam1:Tue 10/8, 6-7:30pm, Doherty 2315 L3 due: Mon 10/7, 11:59pm

Local Variables void localvars() { volatile int n; char buf[8]; volatile int x; n = 2; x = 0xdeadbeef; strcpy(buf, "Carnegiem;"); // 'm' = 0x6d, ';' = 0x3b // n = (0x3b6d) buf[8] = 0x6c; // n = buf[-4] = 0xa8; // x = 0xdeadbea8 } push %ebp mov %esp,%ebp sub $0x18,%esp movl $0x2,0xfffffffc(%ebp) movl $0xdeadbeef,0xfffffff0(%ebp) add $0xfffffff8,%esp push $0x80484a8 lea 0xfffffff4(%ebp),%eax push %eax call 0x add $0x10,%esp movb $0x6c,0xfffffffc(%ebp) mov $0xfffffffc,%eax lea 0xfffffff4(%ebp),%edx movb $0xa8,(%eax,%edx,1) mov %ebp,%esp pop %ebp ret %ebp – 24

Local Variables void localvars() { volatile int n; char buf[8]; volatile int x; n = 2; x = 0xdeadbeef; strcpy(buf, "Carnegiem;"); // 'm' = 0x6d, ';' = 0x3b // n = (0x3b6d) buf[8] = 0x6c; // n = buf[-4] = 0xa8; // x = 0xdeadbea8 } push %ebp mov %esp,%ebp sub $0x18,%esp movl $0x2,0xfffffffc(%ebp) movl $0xdeadbeef,0xfffffff0(%ebp) add $0xfffffff8,%esp push $0x80484a8 lea 0xfffffff4(%ebp),%eax push %eax call 0x add $0x10,%esp movb $0x6c,0xfffffffc(%ebp) mov $0xfffffffc,%eax lea 0xfffffff4(%ebp),%edx movb $0xa8,(%eax,%edx,1) mov %ebp,%esp pop %ebp ret %ebp – 4

Local Variables void localvars() { volatile int n; char buf[8]; volatile int x; n = 2; x = 0xdeadbeef; strcpy(buf, "Carnegiem;"); // 'm' = 0x6d, ';' = 0x3b // n = (0x3b6d) buf[8] = 0x6c; // n = buf[-4] = 0xa8; // x = 0xdeadbea8 } push %ebp mov %esp,%ebp sub $0x18,%esp movl $0x2,0xfffffffc(%ebp) movl $0xdeadbeef,0xfffffff0(%ebp) add $0xfffffff8,%esp push $0x80484a8 lea 0xfffffff4(%ebp),%eax push %eax call 0x add $0x10,%esp movb $0x6c,0xfffffffc(%ebp) mov $0xfffffffc,%eax lea 0xfffffff4(%ebp),%edx movb $0xa8,(%eax,%edx,1) mov %ebp,%esp pop %ebp ret %ebp – 16

Local Variables void localvars() { volatile int n; char buf[8]; volatile int x; n = 2; x = 0xdeadbeef; strcpy(buf, "Carnegiem;"); // 'm' = 0x6d, ';' = 0x3b // n = (0x3b6d) buf[8] = 0x6c; // n = buf[-4] = 0xa8; // x = 0xdeadbea8 } push %ebp mov %esp,%ebp sub $0x18,%esp movl $0x2,0xfffffffc(%ebp) movl $0xdeadbeef,0xfffffff0(%ebp) add $0xfffffff8,%esp push $0x lea 0xfffffff4(%ebp),%eax push %eax call 0x add $0x10,%esp movb $0x6c,0xfffffffc(%ebp) mov $0xfffffffc,%eax lea 0xfffffff4(%ebp),%edx movb $0xa8,(%eax,%edx,1) mov %ebp,%esp pop %ebp ret %ebp – 32

Local Variables void localvars() { volatile int n; char buf[8]; volatile int x; n = 2; x = 0xdeadbeef; strcpy(buf, "Carnegiem;"); // 'm' = 0x6d, ';' = 0x3b // n = (0x3b6d) buf[8] = 0x6c; // n = buf[-4] = 0xa8; // x = 0xdeadbea8 } push %ebp mov %esp,%ebp sub $0x18,%esp movl $0x2,0xfffffffc(%ebp) movl $0xdeadbeef,0xfffffff0(%ebp) add $0xfffffff8,%esp push $0x lea 0xfffffff4(%ebp),%eax push %eax call 0x add $0x10,%esp movb $0x6c,0xfffffffc(%ebp) mov $0xfffffffc,%eax lea 0xfffffff4(%ebp),%edx movb $0xa8,(%eax,%edx,1) mov %ebp,%esp pop %ebp ret %ebp – 12, allocated for buf

Local Variables Saved %ebp %ebp Return addr … %esp 0xffc 0xff4 0xff0 So what’s happening after strcpy? void localvars() { volatile int n; char buf[8]; volatile int x; n = 2; x = 0xdeadbeef; strcpy(buf, "Carnegiem;"); // 'm' = 0x6d, ';' = 0x3b // n = (0x3b6d) buf[8] = 0x6c; // n = buf[-4] = 0xa8; // x = 0xdeadbea8 } buf xfd beefdead

Local Variables Saved %ebp %ebp Return addr … %esp 0xffc 0xff4 0xff0 void localvars() { volatile int n; char buf[8]; volatile int x; n = 2; x = 0xdeadbeef; strcpy(buf, "Carnegiem;"); // 'm' = 0x6d, ';' = 0x3b // n = (0x3b6d) buf[8] = 0x6c; // n = buf[-4] = 0xa8; // x = 0xdeadbea8 } xfd8 3b6d e beefdead

Local Variables Saved %ebp %ebp Return addr … %esp 0xffc 0xff4 0xff0 void localvars() { volatile int n; char buf[8]; volatile int x; n = 2; x = 0xdeadbeef; strcpy(buf, "Carnegiem;"); // 'm' = 0x6d, ';' = 0x3b // n = (0x3b6d) buf[8] = 0x6c; // n = buf[-4] = 0xa8; // x = 0xdeadbea8 } xfd8 3b6c e beefdead

Local Variables Saved %ebp %ebp Return addr … %esp 0xffc 0xff4 0xff0 void localvars() { volatile int n; char buf[8]; volatile int x; n = 2; x = 0xdeadbeef; strcpy(buf, "Carnegiem;"); // 'm' = 0x6d, ';' = 0x3b // n = (0x3b6d) buf[8] = 0x6c; // n = buf[-4] = 0xa8; // x = 0xdeadbea8 } xfd8 3b6c e beefdead

Local Variables Saved %ebp %ebp Return addr … %esp 0xffc 0xff4 0xff0 void localvars() { volatile int n; char buf[8]; volatile int x; n = 2; x = 0xdeadbeef; strcpy(buf, "Carnegiem;"); // 'm' = 0x6d, ';' = 0x3b // n = (0x3b6d) buf[8] = 0x6c; // n = buf[-4] = 0xa8; // x = 0xdeadbea8 } xfd8 3b6c e bea8dead

Code You Want To Buffer Overflow int bufoverflow( char* string, int n) { char buf[8]; strcpy(buf, string); return n; } push %ebp mov %esp,%ebp sub $0x18,%esp mov 0x8(%ebp),%eax add $0xfffffff8,%esp push %eax lea 0xfffffff0(%ebp),%eax push %eax call 0x804833c mov 0xc(%ebp),%eax mov %ebp,%esp pop %ebp ret

Your Exploit Code int abs_shift(int n) { return (n>=0 ? n : -n) << 2; } movl 8(%ebp),%eax testl %eax,%eax jge.L1 negl %eax.L1: sall $2,%eax.long 0x exploit.c exploit.s

Put Exploit Code into Bits n’ Bytes unix> gcc –c exploit.s unix> objdump –d exploit.o : 0: 8b mov 0x8(%ebp),%eax 3: 85 c0 test %eax,%eax 5: 7d 02 jge 0x9 7: f7 d8 neg %eax 9: c1 e0 02 shl $0x2,%eax c: add %al,(%eax) unix> cat exploit.txt 8b c0 7d 02 f7 d8 c1 e0 02 unix>./sendstring exploit.raw unix> od -t x1 exploit.raw b c0 7d 02 f7 d8 c1 e0 02 0a

Put Exploit Code onto the Stack unix> gdb bufoverflow (gdb) break bufoverflow (gdb) run < exploit.raw (gdb) x/4w $ebp-16 (gdb) nexti 6 (gdb) x/4w $ebp-16 (gdb) disas 0xbffff7e8 0xbffff7f5

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.