Presentation is loading. Please wait.

Presentation is loading. Please wait.

Buffer Overflow Example Slides done by Magnus Almgren.

Published byAlana Algood Modified over 9 years ago

Similar presentations

Presentation on theme: "Buffer Overflow Example Slides done by Magnus Almgren."— Presentation transcript:

1 Buffer Overflow Example Slides done by Magnus Almgren

2 Source code of program example #include void sub2( char *str ) { char buf[8]; strcpy(buf,str); } void sub1() { char str[] = "Code"; sub2(str); } int main() { sub1(); return 0; }

3 int main() { sub1(); return 0; } void sub1() { char str[] = "Code"; sub2(str); } void sub2( char *str ) { char buf[8]; strcpy(buf,str); } Code Stack

4 9690 9680 9670 9660 9650 int main() { sub1(); return 0; } void sub1() { char str[] = "Code"; sub2(str); } void sub2( char *str ) { char buf[8]; strcpy(buf,str); } 4 bytes Stack grows downward (on this system). Code Stack Memory address

5 9690 9680 9670 9660 9650 int main() { sub1(); return 0; } void sub1() { char str[] = "Code"; sub2(str); } void sub2( char *str ) { char buf[8]; strcpy(buf,str); }

6 ip = 0804 840d 9690 9680 9670 9660 9650 int main() { sub1(); return 0; } void sub1() { char str[] = "Code"; sub2(str); } void sub2( char *str ) { char buf[8]; strcpy(buf,str); }

7 bp = bfa0 9698 sp = bfa0 9690 ip = 0804 840d 9690 9680 9670 9660 9650 int main() { sub1(); return 0; } void sub1() { char str[] = "Code"; sub2(str); } void sub2( char *str ) { char buf[8]; strcpy(buf,str); } …

8 bp = bfa0 9698 sp = bfa0 9690 ip = 0804 840d 9690 9680 9670 9660 9650 int main() { sub1(); return 0; } void sub1() { char str[] = "Code"; sub2(str); } void sub2( char *str ) { char buf[8]; strcpy(buf,str); } When calling a function: (0) Setup fcn parameters. (1)Push ip of next instruction (2)Jump to new fcn (3)Update bp (4)Update sp (5)Setup local vars. When calling a function: (0) Setup fcn parameters. (1)Push ip of next instruction (2)Jump to new fcn (3)Update bp (4)Update sp (5)Setup local vars.

9 bp = bfa0 9698 sp = bfa0 9690 ip = 0804 840d 9690 9680 9670 9660 9650 int main() { sub1(); return 0; } void sub1() { char str[] = "Code"; sub2(str); } void sub2( char *str ) { char buf[8]; strcpy(buf,str); } 840d 8412 0 When calling a function: (1)Push ip of next instruction (1)Next instr address? (2)Increase sp (3)Store address (2)… When calling a function: (1)Push ip of next instruction (1)Next instr address? (2)Increase sp (3)Store address (2)…

10 bp = bfa0 9698 sp = bfa0 968c ip = 0804 840d 9690 9680 9670 9660 9650 int main() { sub1(); return 0; } void sub1() { char str[] = "Code"; sub2(str); } void sub2( char *str ) { char buf[8]; strcpy(buf,str); } 840d 8412 0 When calling a function: (1)Push ip of next instruction (1)Next instr address? (2)Increase sp (3)Store address (2)… When calling a function: (1)Push ip of next instruction (1)Next instr address? (2)Increase sp (3)Store address (2)…

11 bp = bfa0 9698 sp = bfa0 968c ip = 0804 840d 8412 9690 9680 9670 9660 9650 int main() { sub1(); return 0; } void sub1() { char str[] = "Code"; sub2(str); } void sub2( char *str ) { char buf[8]; strcpy(buf,str); } 840d 0 8412 0 When calling a function: (1)Push ip of next instruction (1)Next instr address? (2)Increase sp (3)Store address (2)… When calling a function: (1)Push ip of next instruction (1)Next instr address? (2)Increase sp (3)Store address (2)…

12 bp = bfa0 9698 sp = bfa0 968c ip = 0804 840d 8412 9690 9680 9670 9660 9650 int main() { sub1(); return 0; } void sub1() { char str[] = "Code"; sub2(str); } void sub2( char *str ) { char buf[8]; strcpy(buf,str); } 840d 0 8412 0 When calling a function: (0) Setup fcn parameters. (1)Push ip of next instruction (2)Jump to new fcn (3)Update bp (4)Update sp (5)Setup local vars. When calling a function: (0) Setup fcn parameters. (1)Push ip of next instruction (2)Jump to new fcn (3)Update bp (4)Update sp (5)Setup local vars.

13 bp = bfa0 9698 sp = bfa0 968c ip = 0804 83de 8412 9690 9680 9670 9660 9650 int main() { sub1(); return 0; } void sub1() { char str[] = "Code"; sub2(str); } void sub2( char *str ) { char buf[8]; strcpy(buf,str); } 840d 0 8412 0 When calling a function: (0) Setup fcn parameters. (1)Push ip of next instruction (2)Jump to new fcn (3)Update bp (4)Update sp (5)Setup local vars. When calling a function: (0) Setup fcn parameters. (1)Push ip of next instruction (2)Jump to new fcn (3)Update bp (4)Update sp (5)Setup local vars.

14 bp = bfa0 9698 sp = bfa0 968c ip = 0804 83de 8412 9690 9680 9670 9660 9650 int main() { sub1(); return 0; } void sub1() { char str[] = "Code"; sub2(str); } void sub2( char *str ) { char buf[8]; strcpy(buf,str); } 840d 0 8412 0 When calling a function: (0) Setup fcn parameters. (1)Push ip of next instruction (2)Jump to new fcn (3)Update bp (4)Update sp (5)Setup local vars. When calling a function: (0) Setup fcn parameters. (1)Push ip of next instruction (2)Jump to new fcn (3)Update bp (4)Update sp (5)Setup local vars.

15 8412 bp 0 9698 9690 9680 9670 9660 9650 int main() { sub1(); return 0; } void sub1() { char str[] = "Code"; sub2(str); } void sub2( char *str ) { char buf[8]; strcpy(buf,str); } 840d 8412 0 0 bp = bfa0 9698 sp = bfa0 9688 ip = 0804 83de 8696 When calling a function: (3) Update bp (1)Save old bp (2)Setup new bp (4) … When calling a function: (3) Update bp (1)Save old bp (2)Setup new bp (4) …

16 bp = bfa0 9698 sp = bfa0 9688 ip = 0804 83df 8412 bp 0 9698 9690 9680 9670 9660 9650 int main() { sub1(); return 0; } void sub1() { char str[] = "Code"; sub2(str); } void sub2( char *str ) { char buf[8]; strcpy(buf,str); } 840d 8412 0 0 When calling a function: (3) Update bp (1)Save old bp (2)Setup new bp (4) … When calling a function: (3) Update bp (1)Save old bp (2)Setup new bp (4) …

17 bp = bfa0 9688 sp = bfa0 9688 ip = 0804 83df 8412 bp 0 9698 9690 9680 9670 9660 9650 int main() { sub1(); return 0; } void sub1() { char str[] = "Code"; sub2(str); } void sub2( char *str ) { char buf[8]; strcpy(buf,str); } 840d 8412 0 0 When calling a function: (3) Update bp (1)Save old bp (2)Setup new bp (4) … When calling a function: (3) Update bp (1)Save old bp (2)Setup new bp (4) …

18 bp = bfa0 9688 sp = bfa0 9688 ip = 0804 83e1 8412 bp 0 9698 9690 9680 9670 9660 9650 int main() { sub1(); return 0; } void sub1() { char str[] = "Code"; sub2(str); } void sub2( char *str ) { char buf[8]; strcpy(buf,str); } 840d 8412 0 0 When calling a function: (0) Setup fcn parameters. (1)Push ip of next instruction (2)Jump to new fcn (3)Update bp (4)Update sp (5)Setup local vars. When calling a function: (0) Setup fcn parameters. (1)Push ip of next instruction (2)Jump to new fcn (3)Update bp (4)Update sp (5)Setup local vars.

19 bp = bfa0 9688 sp = bfa0 9670 ip = 0804 83e1 8412 bp 0 9698 9690 9680 9670 9660 9650 int main() { sub1(); return 0; } void sub1() { char str[] = "Code"; sub2(str); } void sub2( char *str ) { char buf[8]; strcpy(buf,str); } 840d 8412 0 0 When calling a function: (0) Setup fcn parameters. (1)Push ip of next instruction (2)Jump to new fcn (3)Update bp (4)Update sp (5)Setup local vars. When calling a function: (0) Setup fcn parameters. (1)Push ip of next instruction (2)Jump to new fcn (3)Update bp (4)Update sp (5)Setup local vars.

20 bp = bfa0 9688 sp = bfa0 9670 ip = 0804 83e1 8412 bp 0 9698 9690 9680 9670 9660 9650 int main() { sub1(); return 0; } void sub1() { char str[] = "Code"; sub2(str); } void sub2( char *str ) { char buf[8]; strcpy(buf,str); } 840d 8412 0 0 When calling a function: (0) Setup fcn parameters. (1)Push ip of next instruction (2)Jump to new fcn (3)Update bp (4)Update sp (5)Setup local vars. When calling a function: (0) Setup fcn parameters. (1)Push ip of next instruction (2)Jump to new fcn (3)Update bp (4)Update sp (5)Setup local vars.

21 str : bfa0 9683 buf :........ bp = bfa0 9688 sp = bfa0 9670 ip = 0804 83e4 8412 bp 0 9698 0065646f \0edo 43ed6ff4 C 9690 9680 9670 9660 9650 int main() { sub1(); return 0; } void sub1() { char str[] = "Code"; sub2(str); } void sub2( char *str ) { char buf[8]; strcpy(buf,str); } 840d 8412 0 0 When calling a function: (0) Setup fcn parameters. (1)Push ip of next instruction (2)Jump to new fcn (3)Update bp (4)Update sp (5)Setup local vars. When calling a function: (0) Setup fcn parameters. (1)Push ip of next instruction (2)Jump to new fcn (3)Update bp (4)Update sp (5)Setup local vars.

22 str : bfa0 9683 buf :........ bp = bfa0 9688 sp = bfa0 9670 ip = 0804 83ef 8412 bp 0 9698 0065646f \0edo 43ed6ff4 C 9690 9680 9670 9660 9650 int main() { sub1(); return 0; } void sub1() { char str[] = "Code"; sub2(str); } void sub2( char *str ) { char buf[8]; strcpy(buf,str); } 840d 8412 0 0

23 str : bfa0 9683 buf :........ bp = bfa0 9688 sp = bfa0 9670 ip = 0804 83ef 8412 bp 0 9698 0065646f \0edo 43ed6ff4 C 9690 9680 9670 9660 9650 int main() { sub1(); return 0; } void sub1() { char str[] = "Code"; sub2(str); } void sub2( char *str ) { char buf[8]; strcpy(buf,str); } 840d 8412 0 0 … bp 0 9698 0065646f \0edo 43ed6ff4 C 0 Parameters to function = (…) Return address to ”old” fcn ”Old” frame pointer Local variables in fcn Temporary values Stack Frame: bp sp

24 str : bfa0 9683 buf :........ bp = bfa0 9688 sp = bfa0 9670 ip = 0804 83ef 8412 bp 0 9698 0065646f \0edo 43ed6ff4 C 9690 9680 9670 9660 9650 int main() { sub1(); return 0; } void sub1() { char str[] = "Code"; sub2(str); } void sub2( char *str ) { char buf[8]; strcpy(buf,str); } 840d 8412 0 0

25 str : bfa0 9683 buf :........ bp = bfa0 9688 sp = bfa0 966c ip = 0804 83f5 8412 bp 0 9698 0065646f \0edo 43ed6ff4 C str:9683 83fa 9690 9680 9670 9660 9650 int main() { sub1(); return 0; } void sub1() { char str[] = "Code"; sub2(str); } void sub2( char *str ) { char buf[8]; strcpy(buf,str); } 840d 8412 0 0 1 1 83fa

26 str : bfa0 9683 buf :........ bp = bfa0 9688 sp = bfa0 966c ip = 0804 83c4 8412 bp 0 9698 0065646f \0edo 43ed6ff4 C str:9683 9690 9680 9670 9660 9650 int main() { sub1(); return 0; } void sub1() { char str[] = "Code"; sub2(str); } void sub2( char *str ) { char buf[8]; strcpy(buf,str); } 840d 8412 0 0 1 1 83fa

27 str : bfa0 9683 buf : bfa0 9660 bp = bfa0 9668 sp = bfa0 9650 ip = 0804 83ca 8412 bp 0 9698 0065646f \0edo 43ed6ff4 C str:9683 bp 1 9688 9690 9680 9670 9660 9650 int main() { sub1(); return 0; } void sub1() { char str[] = "Code"; sub2(str); } void sub2( char *str ) { char buf[8]; strcpy(buf,str); } 840d 8412 0 0 1 1 83fa

28 str : bfa0 9683 buf : bfa0 9660 bp = bfa0 9668 sp = bfa0 9650 ip = 0804 83d7 8412 bp 0 9698 0065646f \0edo 43ed6ff4 C str:9683 bp 1 9688 str:9683 buf:9660 9690 9680 9670 9660 9650 int main() { sub1(); return 0; } void sub1() { char str[] = "Code"; sub2(str); } void sub2( char *str ) { char buf[8]; strcpy(buf,str); } 840d 8412 0 0 1 1 83fa

29 str : bfa0 9683 buf : bfa0 9660 bp = bfa0 9668 sp = bfa0 9650 ip = 0804 83dc 8412 bp 0 9698 0065646f \0edo 43ed6ff4 C str:9683 bp 1 9688......00......\0 65646f43 edoC str:9683 buf:9660 9690 9680 9670 9660 9650 int main() { sub1(); return 0; } void sub1() { char str[] = "Code"; sub2(str); } void sub2( char *str ) { char buf[8]; strcpy(buf,str); } 840d 8412 0 0 1 1 83fa

30 str : bfa0 9683 buf : bfa0 9660 bp = bfa0 9668 sp = bfa0 9650 ip = 0804 83dc 8412 bp 0 9698 0065646f \0edo 43ed6ff4 C str:9683 83fa bp 1 9688......00......\0 65646f43 edoC str:9683 buf:9660 9690 9680 9670 9660 9650 int main() { sub1(); return 0; } void sub1() { char str[] = "Code"; sub2(str); } void sub2( char *str ) { char buf[8]; strcpy(buf,str); } 840d 8412 0 0 1 1 83fa What if the string str was longer than 5 characters? (4 characters + ending ’\0’-character) Let’s back up a few steps …

31 83fa str : bfa0 9683 buf : bfa0 9660 bp = bfa0 9668 sp = bfa0 9650 ip = 0804 83d7 8412 bp 0 9698 0065646f \0edo 43ed6ff4 C str:9683 bp 1 9688 str:9683 buf:9660 9690 9680 9670 9660 9650 int main() { sub1(); return 0; } void sub1() { char str[] = " CodeABCDEFGHIJKL "; sub2(str); } void sub2( char *str ) { char buf[8]; strcpy(buf,str); } 840d 8412 0 0 1 1 83fa

32 str : bfa0 9683 buf : bfa0 9660 bp = bfa0 9668 sp = bfa0 9650 ip = … 8412 bp 0 9698 0065646f \0edo 43ed6ff4 C str:9683 bp 1 9688 44434241 DCBA 65646f43 edoC str:9683 buf:9660 9690 9680 9670 9660 9650 int main() { sub1(); return 0; } void sub2( char *str ) { char buf[8]; strcpy(buf,str); } 840d 8412 0 0 1 void sub1() { char str[] = " CodeABCDEFGHIJKL "; sub2(str); } 1 83fa

33 str : bfa0 9683 buf : bfa0 9660 bp = bfa0 9668 sp = bfa0 9650 ip = … 8412 bp 0 9698 0065646f \0edo 43ed6ff4 C str:9683 48474645 HGFE 44434241 DCBA 65646f43 edoC str:9683 buf:9660 9690 9680 9670 9660 9650 int main() { sub1(); return 0; } void sub2( char *str ) { char buf[8]; strcpy(buf,str); } 840d 8412 0 0 1 void sub1() { char str[] = " CodeABCDEFGHIJKL "; sub2(str); } 1 83fa

34 str : bfa0 9683 buf : bfa0 9660 bp = bfa0 9668 sp = bfa0 9650 ip = 0804 83dc 8412 bp 0 9698 0065646f \0edo 43ed6ff4 C str:9600 5251 5049 48474645 HGFE 44434241 DCBA 65646f43 edoC str:9683 buf:9660 9690 9680 9670 9660 9650 int main() { sub1(); return 0; } void sub2( char *str ) { char buf[8]; strcpy(buf,str); } 840d 8412 0 0 ? void sub1() { char str[] = " CodeABCDEFGHIJKL "; sub2(str); } 1 83fa

35 str : bfa0 9683 buf : bfa0 9660 bp = bfa0 9668 sp = bfa0 9650 ip = 0804 83dc 8412 bp 0 9698 0065646f \0edo 43ed6ff4 C str:9600 48474645 HGFE 44434241 DCBA 65646f43 edoC str:9683 buf:9660 9690 9680 9670 9660 9650 int main() { sub1(); return 0; } void sub2( char *str ) { char buf[8]; strcpy(buf,str); } 840d 8412 0 0 void sub1() { char str[] = "CodeABCDEFGHIJKL"; sub2(str); } 1 83fa 5251 5049 ? The return address has been overwritten. In this example, probably an invalid address so the program will crash.

36 str : bfa0 9683 buf : bfa0 9660 bp = bfa0 9668 sp = bfa0 9650 ip = 0804 83dc 8412 bp 0 9698 0065646f \0edo 43ed6ff4 C str:9600 5251 5049 48474645 HGFE 44434241 DCBA 65646f43 edoC str:9683 buf:9660 9690 9680 9670 9660 9650 int main() { sub1(); return 0; } void sub2( char *str ) { char buf[8]; strcpy(buf,str); } 840d 8412 0 0 ? void sub1() { char str[] = " CodeABCDEFGHIJKL "; sub2(str); } 1 83fa Trick: Jump back into your buffer 5251 5049 48474645 HGFE 44434241 DCBA 65646f43 edoC 9660 ?

Download ppt "Buffer Overflow Example Slides done by Magnus Almgren."

Similar presentations

Buffer Overflows Nick Feamster CS 6262 Spring 2009 (credit to Vitaly S. from UT for slides)

Buffer Overflows Nick Feamster CS 6262 Spring 2009 (credit to Vitaly S. from UT for slides)
Functions, Varargs, and Stack Smashing Using the Stack for Good And Evil Before You Sit Down Please Get The Handout at the Entrance This file is called.

Functions, Varargs, and Stack Smashing Using the Stack for Good And Evil Before You Sit Down Please Get The Handout at the Entrance This file is called.
Calling sequence ESP.

Calling sequence ESP.
Recitation 4 Outline Buffer overflow –Practical skills for Lab 3 Code optimization –Strength reduction –Common sub-expression –Loop unrolling Reminders.

Recitation 4 Outline Buffer overflow –Practical skills for Lab 3 Code optimization –Strength reduction –Common sub-expression –Loop unrolling Reminders.
Smashing the Stack for Fun and Profit

Smashing the Stack for Fun and Profit
Procedures 2 Intructions Supporting Procedures Making Use of a Stack.

Procedures 2 Intructions Supporting Procedures Making Use of a Stack.
The University of Adelaide, School of Computer Science

The University of Adelaide, School of Computer Science
Run-time Environment for a Program different logical parts of a program during execution stack – automatically allocated variables (local variables, subdivided.

Run-time Environment for a Program different logical parts of a program during execution stack – automatically allocated variables (local variables, subdivided.
1 Lecture 4: Procedure Calls Today’s topics:  Procedure calls  Large constants  The compilation process Reminder: Assignment 1 is due on Thursday.

1 Lecture 4: Procedure Calls Today’s topics:  Procedure calls  Large constants  The compilation process Reminder: Assignment 1 is due on Thursday.
Procedure Calls Prof. Sirer CS 316 Cornell University.

Procedure Calls Prof. Sirer CS 316 Cornell University.
1 Nested Procedures Procedures that don't call others are called leaf procedures, procedures that call others are called nested procedures. Problems may.

1 Nested Procedures Procedures that don't call others are called leaf procedures, procedures that call others are called nested procedures. Problems may.
Ch. 8 Functions.

Ch. 8 Functions.
The University of Adelaide, School of Computer Science

The University of Adelaide, School of Computer Science
Functions Functions and Parameters. History A function call needs to save the registers in use The called function will use the registers The registers.

Functions Functions and Parameters. History A function call needs to save the registers in use The called function will use the registers The registers.
CSc 352 Programming Hygiene Saumya Debray Dept. of Computer Science The University of Arizona, Tucson

CSc 352 Programming Hygiene Saumya Debray Dept. of Computer Science The University of Arizona, Tucson
Buffer Overflows By Tim Peterson Joel Miller Dan Block.

Buffer Overflows By Tim Peterson Joel Miller Dan Block.
Stack-Based Buffer Overflows Attacker – Can take over a system remotely across a network. local malicious users – To elevate their privileges and gain.

Stack-Based Buffer Overflows Attacker – Can take over a system remotely across a network. local malicious users – To elevate their privileges and gain.
Gabe Kanzelmeyer CS 450 4/14/10.  What is buffer overflow?  How memory is processed and the stack  The threat  Stack overrun attack  Dangers  Prevention.

Gabe Kanzelmeyer CS 450 4/14/10.  What is buffer overflow?  How memory is processed and the stack  The threat  Stack overrun attack  Dangers  Prevention.
Stack buffer overflow.

Stack buffer overflow.
Stack buffer overflow http://en.wikipedia.org/wiki/Stack_buffer_overflow.

Stack buffer overflow

Similar presentations

Ads by Google