Presentation is loading. Please wait.

Presentation is loading. Please wait.

Buffer Overflow Example Slides done by Magnus Almgren.

Similar presentations


Presentation on theme: "Buffer Overflow Example Slides done by Magnus Almgren."— Presentation transcript:

1 Buffer Overflow Example Slides done by Magnus Almgren

2 Source code of program example #include void sub2( char *str ) { char buf[8]; strcpy(buf,str); } void sub1() { char str[] = "Code"; sub2(str); } int main() { sub1(); return 0; }

3 int main() { sub1(); return 0; } void sub1() { char str[] = "Code"; sub2(str); } void sub2( char *str ) { char buf[8]; strcpy(buf,str); } Code Stack

4 int main() { sub1(); return 0; } void sub1() { char str[] = "Code"; sub2(str); } void sub2( char *str ) { char buf[8]; strcpy(buf,str); } 4 bytes Stack grows downward (on this system). Code Stack Memory address

5 int main() { sub1(); return 0; } void sub1() { char str[] = "Code"; sub2(str); } void sub2( char *str ) { char buf[8]; strcpy(buf,str); }

6 ip = d int main() { sub1(); return 0; } void sub1() { char str[] = "Code"; sub2(str); } void sub2( char *str ) { char buf[8]; strcpy(buf,str); }

7 bp = bfa sp = bfa ip = d int main() { sub1(); return 0; } void sub1() { char str[] = "Code"; sub2(str); } void sub2( char *str ) { char buf[8]; strcpy(buf,str); } …

8 bp = bfa sp = bfa ip = d int main() { sub1(); return 0; } void sub1() { char str[] = "Code"; sub2(str); } void sub2( char *str ) { char buf[8]; strcpy(buf,str); } When calling a function: (0) Setup fcn parameters. (1)Push ip of next instruction (2)Jump to new fcn (3)Update bp (4)Update sp (5)Setup local vars. When calling a function: (0) Setup fcn parameters. (1)Push ip of next instruction (2)Jump to new fcn (3)Update bp (4)Update sp (5)Setup local vars.

9 bp = bfa sp = bfa ip = d int main() { sub1(); return 0; } void sub1() { char str[] = "Code"; sub2(str); } void sub2( char *str ) { char buf[8]; strcpy(buf,str); } 840d When calling a function: (1)Push ip of next instruction (1)Next instr address? (2)Increase sp (3)Store address (2)… When calling a function: (1)Push ip of next instruction (1)Next instr address? (2)Increase sp (3)Store address (2)…

10 bp = bfa sp = bfa0 968c ip = d int main() { sub1(); return 0; } void sub1() { char str[] = "Code"; sub2(str); } void sub2( char *str ) { char buf[8]; strcpy(buf,str); } 840d When calling a function: (1)Push ip of next instruction (1)Next instr address? (2)Increase sp (3)Store address (2)… When calling a function: (1)Push ip of next instruction (1)Next instr address? (2)Increase sp (3)Store address (2)…

11 bp = bfa sp = bfa0 968c ip = d int main() { sub1(); return 0; } void sub1() { char str[] = "Code"; sub2(str); } void sub2( char *str ) { char buf[8]; strcpy(buf,str); } 840d When calling a function: (1)Push ip of next instruction (1)Next instr address? (2)Increase sp (3)Store address (2)… When calling a function: (1)Push ip of next instruction (1)Next instr address? (2)Increase sp (3)Store address (2)…

12 bp = bfa sp = bfa0 968c ip = d int main() { sub1(); return 0; } void sub1() { char str[] = "Code"; sub2(str); } void sub2( char *str ) { char buf[8]; strcpy(buf,str); } 840d When calling a function: (0) Setup fcn parameters. (1)Push ip of next instruction (2)Jump to new fcn (3)Update bp (4)Update sp (5)Setup local vars. When calling a function: (0) Setup fcn parameters. (1)Push ip of next instruction (2)Jump to new fcn (3)Update bp (4)Update sp (5)Setup local vars.

13 bp = bfa sp = bfa0 968c ip = de int main() { sub1(); return 0; } void sub1() { char str[] = "Code"; sub2(str); } void sub2( char *str ) { char buf[8]; strcpy(buf,str); } 840d When calling a function: (0) Setup fcn parameters. (1)Push ip of next instruction (2)Jump to new fcn (3)Update bp (4)Update sp (5)Setup local vars. When calling a function: (0) Setup fcn parameters. (1)Push ip of next instruction (2)Jump to new fcn (3)Update bp (4)Update sp (5)Setup local vars.

14 bp = bfa sp = bfa0 968c ip = de int main() { sub1(); return 0; } void sub1() { char str[] = "Code"; sub2(str); } void sub2( char *str ) { char buf[8]; strcpy(buf,str); } 840d When calling a function: (0) Setup fcn parameters. (1)Push ip of next instruction (2)Jump to new fcn (3)Update bp (4)Update sp (5)Setup local vars. When calling a function: (0) Setup fcn parameters. (1)Push ip of next instruction (2)Jump to new fcn (3)Update bp (4)Update sp (5)Setup local vars.

15 8412 bp int main() { sub1(); return 0; } void sub1() { char str[] = "Code"; sub2(str); } void sub2( char *str ) { char buf[8]; strcpy(buf,str); } 840d bp = bfa sp = bfa ip = de 8696 When calling a function: (3) Update bp (1)Save old bp (2)Setup new bp (4) … When calling a function: (3) Update bp (1)Save old bp (2)Setup new bp (4) …

16 bp = bfa sp = bfa ip = df 8412 bp int main() { sub1(); return 0; } void sub1() { char str[] = "Code"; sub2(str); } void sub2( char *str ) { char buf[8]; strcpy(buf,str); } 840d When calling a function: (3) Update bp (1)Save old bp (2)Setup new bp (4) … When calling a function: (3) Update bp (1)Save old bp (2)Setup new bp (4) …

17 bp = bfa sp = bfa ip = df 8412 bp int main() { sub1(); return 0; } void sub1() { char str[] = "Code"; sub2(str); } void sub2( char *str ) { char buf[8]; strcpy(buf,str); } 840d When calling a function: (3) Update bp (1)Save old bp (2)Setup new bp (4) … When calling a function: (3) Update bp (1)Save old bp (2)Setup new bp (4) …

18 bp = bfa sp = bfa ip = e bp int main() { sub1(); return 0; } void sub1() { char str[] = "Code"; sub2(str); } void sub2( char *str ) { char buf[8]; strcpy(buf,str); } 840d When calling a function: (0) Setup fcn parameters. (1)Push ip of next instruction (2)Jump to new fcn (3)Update bp (4)Update sp (5)Setup local vars. When calling a function: (0) Setup fcn parameters. (1)Push ip of next instruction (2)Jump to new fcn (3)Update bp (4)Update sp (5)Setup local vars.

19 bp = bfa sp = bfa ip = e bp int main() { sub1(); return 0; } void sub1() { char str[] = "Code"; sub2(str); } void sub2( char *str ) { char buf[8]; strcpy(buf,str); } 840d When calling a function: (0) Setup fcn parameters. (1)Push ip of next instruction (2)Jump to new fcn (3)Update bp (4)Update sp (5)Setup local vars. When calling a function: (0) Setup fcn parameters. (1)Push ip of next instruction (2)Jump to new fcn (3)Update bp (4)Update sp (5)Setup local vars.

20 bp = bfa sp = bfa ip = e bp int main() { sub1(); return 0; } void sub1() { char str[] = "Code"; sub2(str); } void sub2( char *str ) { char buf[8]; strcpy(buf,str); } 840d When calling a function: (0) Setup fcn parameters. (1)Push ip of next instruction (2)Jump to new fcn (3)Update bp (4)Update sp (5)Setup local vars. When calling a function: (0) Setup fcn parameters. (1)Push ip of next instruction (2)Jump to new fcn (3)Update bp (4)Update sp (5)Setup local vars.

21 str : bfa buf : bp = bfa sp = bfa ip = e bp f \0edo 43ed6ff4 C int main() { sub1(); return 0; } void sub1() { char str[] = "Code"; sub2(str); } void sub2( char *str ) { char buf[8]; strcpy(buf,str); } 840d When calling a function: (0) Setup fcn parameters. (1)Push ip of next instruction (2)Jump to new fcn (3)Update bp (4)Update sp (5)Setup local vars. When calling a function: (0) Setup fcn parameters. (1)Push ip of next instruction (2)Jump to new fcn (3)Update bp (4)Update sp (5)Setup local vars.

22 str : bfa buf : bp = bfa sp = bfa ip = ef 8412 bp f \0edo 43ed6ff4 C int main() { sub1(); return 0; } void sub1() { char str[] = "Code"; sub2(str); } void sub2( char *str ) { char buf[8]; strcpy(buf,str); } 840d

23 str : bfa buf : bp = bfa sp = bfa ip = ef 8412 bp f \0edo 43ed6ff4 C int main() { sub1(); return 0; } void sub1() { char str[] = "Code"; sub2(str); } void sub2( char *str ) { char buf[8]; strcpy(buf,str); } 840d … bp f \0edo 43ed6ff4 C 0 Parameters to function = (…) Return address to ”old” fcn ”Old” frame pointer Local variables in fcn Temporary values Stack Frame: bp sp

24 str : bfa buf : bp = bfa sp = bfa ip = ef 8412 bp f \0edo 43ed6ff4 C int main() { sub1(); return 0; } void sub1() { char str[] = "Code"; sub2(str); } void sub2( char *str ) { char buf[8]; strcpy(buf,str); } 840d

25 str : bfa buf : bp = bfa sp = bfa0 966c ip = f bp f \0edo 43ed6ff4 C str: fa int main() { sub1(); return 0; } void sub1() { char str[] = "Code"; sub2(str); } void sub2( char *str ) { char buf[8]; strcpy(buf,str); } 840d fa

26 str : bfa buf : bp = bfa sp = bfa0 966c ip = c bp f \0edo 43ed6ff4 C str: int main() { sub1(); return 0; } void sub1() { char str[] = "Code"; sub2(str); } void sub2( char *str ) { char buf[8]; strcpy(buf,str); } 840d fa

27 str : bfa buf : bfa bp = bfa sp = bfa ip = ca 8412 bp f \0edo 43ed6ff4 C str:9683 bp int main() { sub1(); return 0; } void sub1() { char str[] = "Code"; sub2(str); } void sub2( char *str ) { char buf[8]; strcpy(buf,str); } 840d fa

28 str : bfa buf : bfa bp = bfa sp = bfa ip = d bp f \0edo 43ed6ff4 C str:9683 bp str:9683 buf: int main() { sub1(); return 0; } void sub1() { char str[] = "Code"; sub2(str); } void sub2( char *str ) { char buf[8]; strcpy(buf,str); } 840d fa

29 str : bfa buf : bfa bp = bfa sp = bfa ip = dc 8412 bp f \0edo 43ed6ff4 C str:9683 bp \ f43 edoC str:9683 buf: int main() { sub1(); return 0; } void sub1() { char str[] = "Code"; sub2(str); } void sub2( char *str ) { char buf[8]; strcpy(buf,str); } 840d fa

30 str : bfa buf : bfa bp = bfa sp = bfa ip = dc 8412 bp f \0edo 43ed6ff4 C str: fa bp \ f43 edoC str:9683 buf: int main() { sub1(); return 0; } void sub1() { char str[] = "Code"; sub2(str); } void sub2( char *str ) { char buf[8]; strcpy(buf,str); } 840d fa What if the string str was longer than 5 characters? (4 characters + ending ’\0’-character) Let’s back up a few steps …

31 83fa str : bfa buf : bfa bp = bfa sp = bfa ip = d bp f \0edo 43ed6ff4 C str:9683 bp str:9683 buf: int main() { sub1(); return 0; } void sub1() { char str[] = " CodeABCDEFGHIJKL "; sub2(str); } void sub2( char *str ) { char buf[8]; strcpy(buf,str); } 840d fa

32 str : bfa buf : bfa bp = bfa sp = bfa ip = … 8412 bp f \0edo 43ed6ff4 C str:9683 bp DCBA 65646f43 edoC str:9683 buf: int main() { sub1(); return 0; } void sub2( char *str ) { char buf[8]; strcpy(buf,str); } 840d void sub1() { char str[] = " CodeABCDEFGHIJKL "; sub2(str); } 1 83fa

33 str : bfa buf : bfa bp = bfa sp = bfa ip = … 8412 bp f \0edo 43ed6ff4 C str: HGFE DCBA 65646f43 edoC str:9683 buf: int main() { sub1(); return 0; } void sub2( char *str ) { char buf[8]; strcpy(buf,str); } 840d void sub1() { char str[] = " CodeABCDEFGHIJKL "; sub2(str); } 1 83fa

34 str : bfa buf : bfa bp = bfa sp = bfa ip = dc 8412 bp f \0edo 43ed6ff4 C str: HGFE DCBA 65646f43 edoC str:9683 buf: int main() { sub1(); return 0; } void sub2( char *str ) { char buf[8]; strcpy(buf,str); } 840d ? void sub1() { char str[] = " CodeABCDEFGHIJKL "; sub2(str); } 1 83fa

35 str : bfa buf : bfa bp = bfa sp = bfa ip = dc 8412 bp f \0edo 43ed6ff4 C str: HGFE DCBA 65646f43 edoC str:9683 buf: int main() { sub1(); return 0; } void sub2( char *str ) { char buf[8]; strcpy(buf,str); } 840d void sub1() { char str[] = "CodeABCDEFGHIJKL"; sub2(str); } 1 83fa ? The return address has been overwritten. In this example, probably an invalid address so the program will crash.

36 str : bfa buf : bfa bp = bfa sp = bfa ip = dc 8412 bp f \0edo 43ed6ff4 C str: HGFE DCBA 65646f43 edoC str:9683 buf: int main() { sub1(); return 0; } void sub2( char *str ) { char buf[8]; strcpy(buf,str); } 840d ? void sub1() { char str[] = " CodeABCDEFGHIJKL "; sub2(str); } 1 83fa Trick: Jump back into your buffer HGFE DCBA 65646f43 edoC 9660 ?


Download ppt "Buffer Overflow Example Slides done by Magnus Almgren."

Similar presentations


Ads by Google