1
Computer Security: Buffer Overflow lab (Eu-Jin Goh)
2
Setting up Environment Demo
3
target2.c

    #include <string.h>

    int foo( char *arg, char *out ) {
        strcpy( out, arg );      /* no length check: copies until the NUL in arg */
        return 0;
    }

    int main( int argc, char *argv[] ) {
        char buf[64];
        if ( argc != 2 ) { /* … (elided on the slide) */ }
        foo( argv[1], buf );
        return 0;
    }
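The strcpy() in foo() never learns how large out is, which is the whole defect the lab studies. As an added example that is not part of the lecture slides, here is that function kept as written next to a bounds-checked replacement that takes the destination capacity and refuses input that would not fit with its terminator. The names foo_unsafe, foo_checked, target2_checked, accepts_length and unsafe_roundtrip_short, and the BUF_SIZE constant, are assumptions for this example; the inputs it builds are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not code from the slide deck. BUF_SIZE mirrors the
   char buf[64] in target2.c; every other name here is an assumption. */
#define BUF_SIZE 64

/* Original behaviour: strcpy() copies until the NUL in arg and never
   looks at the size of out. Any arg longer than the caller's buffer
   runs over the saved frame pointer and return address above buf. */
int foo_unsafe(char *arg, char *out) {
    strcpy(out, arg);
    return 0;
}

/* Hardened form: the callee receives the destination capacity, rejects
   anything that would not fit together with the terminating NUL, and
   copies a known number of bytes with an explicit terminator. */
int foo_checked(const char *arg, char *out, size_t out_len) {
    size_t n = strlen(arg);
    if (out_len == 0 || n >= out_len) {
        return -1;              /* caller must treat this as an error */
    }
    memcpy(out, arg, n);
    out[n] = '\0';
    return 0;
}

/* Mirrors the main() of target2.c but returns instead of exiting:
   0 if arg fits in a BUF_SIZE buffer, -1 if the checked copy refused it. */
int target2_checked(const char *arg) {
    char buf[BUF_SIZE];
    return foo_checked(arg, buf, sizeof buf);
}

/* Builds a constructed input of n 'A' bytes (n < 256) and reports whether
   the checked copy accepts it. 63 is the longest string that fits in 64
   bytes with its NUL; the lab's 80-byte string is refused. */
int accepts_length(size_t n) {
    char input[256];
    if (n >= sizeof input) {
        return -1;
    }
    memset(input, 'A', n);
    input[n] = '\0';
    return target2_checked(input);
}

/* Shows that the unchecked copy behaves normally on well-formed input:
   the bug is only the absence of a limit, not the copy itself.
   Returns 0 when the round trip matches. */
int unsafe_roundtrip_short(void) {
    char buf[BUF_SIZE];
    char arg[] = "hello";       /* constructed, well within 64 bytes */
    foo_unsafe(arg, buf);
    return strcmp(buf, "hello");
}

int main(int argc, char *argv[]) {
    if (argc != 2) {
        fprintf(stderr, "usage: %s <string>\n", argv[0]);
        return 1;
    }
    if (target2_checked(argv[1]) != 0) {
        fprintf(stderr, "input of %zu bytes does not fit a %d-byte buffer\n",
                strlen(argv[1]), BUF_SIZE);
        return 1;
    }
    puts("copied safely");
    return 0;
}
```

The check is placed in the callee on purpose: foo() is the function that performs the copy, so it is the one that must know the capacity, and a caller passing sizeof buf cannot get the number wrong for a stack array in scope.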
4
Stack in target2 – layout (higher addresses at the top)

    argv[1]
    argv[0] == "/tmp/target2"
    argc
    $ra – address to which main() will return
    $fp – saved frame pointer for main's stack frame
    buf[64]
    ptr to buf == "out"        // args to foo()
    ptr to argv[1] == "arg"    // args to foo()
    foo's $ra
5
sploit2 – what we need

1. Exploit string length
   - The exploit string must write from buf[0] up to and including main's $ra
   - Find the address of main's $ra and &(buf[0]) and subtract
   - Why not foo's $ra?
2. Address of the buffer ("buf" in target2): the address we want the program to jump to
   - Caveat: the address of buf depends on the exploit string's size.
   - Why? Because the exploit string (argv[1]) sits above buf on the stack.
   - But once the exploit string length is fixed, the address of buf won't change.
6
Details

1. Size of the overflow buffer
   Buf addr = 0x9ffffdb0
   reg ebp  = 0x9ffffdf8
   Difference is 0x48 = 72
   Buffer size = 72 + 4 + 4 + 1 = 81
   (72 bytes to reach the saved ebp, 4 for the saved ebp, 4 for main's $ra, 1 for the terminating NUL)
2. Find &buf again when the string length is 81
   Buf = 0x9ffffe60
7
Crafting the exploit string

- We want target2 to jump to the start of buf, so the shellcode (45 bytes) goes at the start of the string.
- $ra sits at offset 76, so the exploit string must contain the address of target2's buf (0x9ffffe60) at offset 76.