Presentation is loading. Please wait.

Presentation is loading. Please wait.

Recitation 4: The Stack & Lab3 Andrew Faulring 15213 Section A 30 September 2002.

Published byAlan Turner Modified over 9 years ago

Similar presentations

Presentation on theme: "Recitation 4: The Stack & Lab3 Andrew Faulring 15213 Section A 30 September 2002."— Presentation transcript:

1 Recitation 4: The Stack & Lab3 Andrew Faulring 15213 Section A 30 September 2002

2 Andrew Faulring faulring@cs.cmu.edu Office hours: –NSH 2504 (lab) / 2507 (conference room) –Thursday 5–6 Lab 3: due Monday (7 Oct), 11:59pm Exam 1: Tuesday (8 Oct), 6:00–7:30pm Doherty Hall 2315

3 Today’s Plan Practical skills for Lab 3 –Out of bounds array access –Mechanics of putting your code onto the stack

4 Local Variables void localvars() { volatile int n; char buf[8]; volatile int x; n = 2; x = 0xdeadbeef; strcpy(buf, "Carnegiem;"); // 'm' = 0x6d, ';' = 0x3b // n = 15213 (0x3b6d) buf[8] = 0x6c; // n = 15212 buf[-4] = 0xa8; // x = 0xdeadbea8 } push %ebp mov %esp,%ebp sub $0x18,%esp movl $0x2,0xfffffffc(%ebp) movl $0xdeadbeef,0xfffffff0(%ebp) add $0xfffffff8,%esp push $0x80484a8 lea 0xfffffff4(%ebp),%eax push %eax call 0x8048308 add $0x10,%esp movb $0x6c,0xfffffffc(%ebp) mov $0xfffffffc,%eax lea 0xfffffff4(%ebp),%edx movb $0xa8,(%eax,%edx,1) mov %ebp,%esp pop %ebp ret %ebp – 24

5 Local Variables void localvars() { volatile int n; char buf[8]; volatile int x; n = 2; x = 0xdeadbeef; strcpy(buf, "Carnegiem;"); // 'm' = 0x6d, ';' = 0x3b // n = 15213 (0x3b6d) buf[8] = 0x6c; // n = 15212 buf[-4] = 0xa8; // x = 0xdeadbea8 } push %ebp mov %esp,%ebp sub $0x18,%esp movl $0x2,0xfffffffc(%ebp) movl $0xdeadbeef,0xfffffff0(%ebp) add $0xfffffff8,%esp push $0x80484a8 lea 0xfffffff4(%ebp),%eax push %eax call 0x8048308 add $0x10,%esp movb $0x6c,0xfffffffc(%ebp) mov $0xfffffffc,%eax lea 0xfffffff4(%ebp),%edx movb $0xa8,(%eax,%edx,1) mov %ebp,%esp pop %ebp ret %ebp – 4

6 Local Variables void localvars() { volatile int n; char buf[8]; volatile int x; n = 2; x = 0xdeadbeef; strcpy(buf, "Carnegiem;"); // 'm' = 0x6d, ';' = 0x3b // n = 15213 (0x3b6d) buf[8] = 0x6c; // n = 15212 buf[-4] = 0xa8; // x = 0xdeadbea8 } push %ebp mov %esp,%ebp sub $0x18,%esp movl $0x2,0xfffffffc(%ebp) movl $0xdeadbeef,0xfffffff0(%ebp) add $0xfffffff8,%esp push $0x80484a8 lea 0xfffffff4(%ebp),%eax push %eax call 0x8048308 add $0x10,%esp movb $0x6c,0xfffffffc(%ebp) mov $0xfffffffc,%eax lea 0xfffffff4(%ebp),%edx movb $0xa8,(%eax,%edx,1) mov %ebp,%esp pop %ebp ret %ebp – 16

7 Local Variables void localvars() { volatile int n; char buf[8]; volatile int x; n = 2; x = 0xdeadbeef; strcpy(buf, "Carnegiem;"); // 'm' = 0x6d, ';' = 0x3b // n = 15213 (0x3b6d) buf[8] = 0x6c; // n = 15212 buf[-4] = 0xa8; // x = 0xdeadbea8 } push %ebp mov %esp,%ebp sub $0x18,%esp movl $0x2,0xfffffffc(%ebp) movl $0xdeadbeef,0xfffffff0(%ebp) add $0xfffffff8,%esp push $0x8048488 lea 0xfffffff4(%ebp),%eax push %eax call 0x8048308 add $0x10,%esp movb $0x6c,0xfffffffc(%ebp) mov $0xfffffffc,%eax lea 0xfffffff4(%ebp),%edx movb $0xa8,(%eax,%edx,1) mov %ebp,%esp pop %ebp ret %ebp – 32

8 Local Variables void localvars() { volatile int n; char buf[8]; volatile int x; n = 2; x = 0xdeadbeef; strcpy(buf, "Carnegiem;"); // 'm' = 0x6d, ';' = 0x3b // n = 15213 (0x3b6d) buf[8] = 0x6c; // n = 15212 buf[-4] = 0xa8; // x = 0xdeadbea8 } push %ebp mov %esp,%ebp sub $0x18,%esp movl $0x2,0xfffffffc(%ebp) movl $0xdeadbeef,0xfffffff0(%ebp) add $0xfffffff8,%esp push $0x80484a8 lea 0xfffffff4(%ebp),%eax push %eax call 0x8048308 add $0x10,%esp movb $0x6c,0xfffffffc(%ebp) mov $0xfffffffc,%eax lea 0xfffffff4(%ebp),%edx movb $0xa8,(%eax,%edx,1) mov %ebp,%esp pop %ebp ret %ebp – 12, allocated for buf

9 Local Variables Saved %ebp %ebp Return addr … %esp 0xffc 0xff4 0xff0 So what’s happening after strcpy? void localvars() { volatile int n; char buf[8]; volatile int x; n = 2; x = 0xdeadbeef; strcpy(buf, "Carnegiem;"); // 'm' = 0x6d, ';' = 0x3b // n = 15213 (0x3b6d) buf[8] = 0x6c; // n = 15212 buf[-4] = 0xa8; // x = 0xdeadbea8 } buf...... 0xfd8 000200 beefdead

10 Local Variables Saved %ebp %ebp Return addr … %esp 0xffc 0xff4 0xff0 void localvars() { volatile int n; char buf[8]; volatile int x; n = 2; x = 0xdeadbeef; strcpy(buf, "Carnegiem;"); // 'm' = 0x6d, ';' = 0x3b // n = 15213 (0x3b6d) buf[8] = 0x6c; // n = 15212 buf[-4] = 0xa8; // x = 0xdeadbea8 }...... 0xfd8 3b6d00 61436e72 6765 69 beefdead

11 Local Variables Saved %ebp %ebp Return addr … %esp 0xffc 0xff4 0xff0 void localvars() { volatile int n; char buf[8]; volatile int x; n = 2; x = 0xdeadbeef; strcpy(buf, "Carnegiem;"); // 'm' = 0x6d, ';' = 0x3b // n = 15213 (0x3b6d) buf[8] = 0x6c; // n = 15212 buf[-4] = 0xa8; // x = 0xdeadbea8 }...... 0xfd8 3b6c00 61436e72 6765 69 beefdead

12 Local Variables Saved %ebp %ebp Return addr … %esp 0xffc 0xff4 0xff0 void localvars() { volatile int n; char buf[8]; volatile int x; n = 2; x = 0xdeadbeef; strcpy(buf, "Carnegiem;"); // 'm' = 0x6d, ';' = 0x3b // n = 15213 (0x3b6d) buf[8] = 0x6c; // n = 15212 buf[-4] = 0xa8; // x = 0xdeadbea8 }...... 0xfd8 3b6c00 61436e72 6765 69 bea8dead

13 Buffer Overflow int bufoverflow( char* string, int n) { char buf[8]; strcpy(buf, string); return n; } push %ebp mov %esp,%ebp sub $0x18,%esp mov 0x8(%ebp),%eax add $0xfffffff8,%esp push %eax lea 0xfffffff0(%ebp),%eax push %eax call 0x804833c mov 0xc(%ebp),%eax mov %ebp,%esp pop %ebp ret

14 Your Exploit Code int abs_shift(int n) { return (n>=0 ? n : -n) << 2; } movl 8(%ebp),%eax testl %eax,%eax jge.L1 negl %eax.L1: sall $2,%eax.long 0x00000000

15 Putting exploit code onto the stack (1) unix> gcc –c exploit.s unix> objdump –d exploit.o 00000000 : 0: 8b 45 08 mov 0x8(%ebp),%eax 3: 85 c0 test %eax,%eax 5: 7d 02 jge 0x9 7: f7 d8 neg %eax 9: c1 e0 02 shl $0x2,%eax c: 00 00 add %al,(%eax) unix> cat > exploit.txt 8b 45 08 85 c0 7d 02 f7 d8 c1 e0 02 unix> sendstring exploit.raw unix> od -t x1 exploit.raw 0000000 8b 45 08 85 c0 7d 02 f7 d8 c1 e0 02 0a

16 Putting exploit code onto the stack (2) unix> gdb bufoverflow (gdb) break bufoverflow (gdb) run < exploit.raw (gdb) x/4w $ebp-16 (gdb) nexti 6 (gdb) x/4w $ebp-16 (gdb) disas 0xbffff7c8 0xbffff7d4

Download ppt "Recitation 4: The Stack & Lab3 Andrew Faulring 15213 Section A 30 September 2002."

Similar presentations

Recitation 4 Outline Buffer overflow –Practical skills for Lab 3 Code optimization –Strength reduction –Common sub-expression –Loop unrolling Reminders.

Recitation 4 Outline Buffer overflow –Practical skills for Lab 3 Code optimization –Strength reduction –Common sub-expression –Loop unrolling Reminders.
Smashing the Stack for Fun and Profit

Smashing the Stack for Fun and Profit
15-213 Recitation 4: 09/30/02 Outline The Stack! Essential skill for Lab 3 –Out-of-bound array access –Put your code on the stack Annie Luo

Recitation 4: 09/30/02 Outline The Stack! Essential skill for Lab 3 –Out-of-bound array access –Put your code on the stack Annie Luo
CS 4284 Systems Capstone Godmar Back Linking and Loading.

CS 4284 Systems Capstone Godmar Back Linking and Loading.
University of Washington Last Time For loops  for loop → while loop → do-while loop → goto version  for loop → while loop → goto “jump to middle” version.

University of Washington Last Time For loops  for loop → while loop → do-while loop → goto version  for loop → while loop → goto “jump to middle” version.
Advanced Buffer Overflow Methods

Advanced Buffer Overflow Methods
Foundations of Network and Computer Security J J ohn Black Lecture #29 Nov 12 th 2007 CSCI 6268/TLEN 5831, Fall 2007.

Foundations of Network and Computer Security J J ohn Black Lecture #29 Nov 12 th 2007 CSCI 6268/TLEN 5831, Fall 2007.
Windows XP SP2 Stack Protection Jimmy Hermansson Johan Tibell.

Windows XP SP2 Stack Protection Jimmy Hermansson Johan Tibell.
Buffer overflows and various code injection methods Raghunathan Srinivasan CSE 539, 2/2/2011.

Buffer overflows and various code injection methods Raghunathan Srinivasan CSE 539, 2/2/2011.
UBC104 Embedded Systems Functions & Pointers.

UBC104 Embedded Systems Functions & Pointers.
Foundations of Network and Computer Security J J ohn Black Lecture #19 Nov 3 rd 2005 CSCI 6268/TLEN 5831, Fall 2005.

Foundations of Network and Computer Security J J ohn Black Lecture #19 Nov 3 rd 2005 CSCI 6268/TLEN 5831, Fall 2005.
Foundations of Network and Computer Security J J ohn Black Lecture #30 Nov 13 th 2009 CSCI 6268/TLEN 5550, Fall 2009.

Foundations of Network and Computer Security J J ohn Black Lecture #30 Nov 13 th 2009 CSCI 6268/TLEN 5550, Fall 2009.
September 22, 2014 Pengju (Jimmy) Jin Section E

September 22, 2014 Pengju (Jimmy) Jin Section E
C Prog. To Object Code text text binary binary Code in files p1.c p2.c

C Prog. To Object Code text text binary binary Code in files p1.c p2.c
Attacks Using Stack Buffer Overflow Boxuan Gu

Attacks Using Stack Buffer Overflow Boxuan Gu
Recitation 2: Assembly & gdb Andrew Faulring 15213 Section A 16 September 2002.

Recitation 2: Assembly & gdb Andrew Faulring Section A 16 September 2002.
15-213 Recitation: Bomb Lab June 5, 2015 Dipayan Bhattacharya.

Recitation: Bomb Lab June 5, 2015 Dipayan Bhattacharya.
CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2011.

CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2011.
CS 3204 Operating Systems Godmar Back Lecture 11.

CS 3204 Operating Systems Godmar Back Lecture 11.
1 Carnegie Mellon Stacks 15-213: Introduction to Computer Systems Recitation 5: September 24, 2012 Joon-Sup Han Section F.

1 Carnegie Mellon Stacks : Introduction to Computer Systems Recitation 5: September 24, 2012 Joon-Sup Han Section F.

Similar presentations

Ads by Google