Download presentation
Presentation is loading. Please wait.
1
Brian E. Brzezicki
2
This tutorial just illustrates the underlying concepts of buffer overflows by way of an extremely simple stack overflow Most buffer overflow concepts derive from these concepts This techniques is for basic understanding, they are not advanced techniques This technique described as is will not work in any modern OS due to compiler and OS protections
3
To understand buffer overflow requires understanding a few terms IP register Function Stack
4
A special memory location directly on the CPU which holds the address in memory of the next instruction to be executed On Intel IA32 architectures it is called EIP On Intel IA64 architectures it is called RIP * if an attacker can set the value of this register, they can direct the CPU to execute their instructions
5
A data structure in system memory where data is stored temporarily Stacks usually grow down from lower to higher memory addresses, as data is added to the stack Memory AddressValue 1000First stack variable 9996 9992 …
6
A data structure in system memory where data is stored temporarily Stacks usually grow down from lower to higher memory addresses, as data is added to the stack Memory AddressValue 1000First stack variable 9996Second stack variable 9992 …
7
A data structure in system memory where data is stored temporarily Stacks usually grow down from lower to higher memory addresses, as data is added to the stack Memory AddressValue 1000First stack variable 9996Second stack variable 9992Third stack variable …
8
A data structure in system memory where data is stored temporarily Stacks usually grow down from lower to higher memory addresses, as data is added to the stack Memory AddressValue 1000First stack variable 9996Second stack variable 9992Third stack variable ……
9
A small part of a program that performs a specific action or function Programs are comprised of many functions main() { char [8] string; printf(“hi there how are you?”); gets(string); }
![ A small part of a program that performs a specific action or function Programs are comprised of many functions main() { char [8] string; printf( hi there how are you ); gets(string); }](http://images.slideplayer.com/25/7796515/slides/slide_9.jpg " A small part of a program that performs a specific action or function Programs are comprised of many functions main() { char [8] string; printf( hi there how are you ); gets(string); }")
10
A small part of a program that performs a specific action or function Programs are comprised of many functions main() { char [8] string; printf(“hi there how are you?”); gets(string); } * printf and gets are functions
![ A small part of a program that performs a specific action or function Programs are comprised of many functions main() { char [8] string; printf( hi there how are you ); gets(string); } * printf and gets are functions](http://images.slideplayer.com/25/7796515/slides/slide_10.jpg " A small part of a program that performs a specific action or function Programs are comprised of many functions main() { char [8] string; printf( hi there how are you ); gets(string); } * printf and gets are functions")
11
When a function is called any parameters passed to the function are added to the stack add(x,y); printf(“hi there”); Memory AddressValue 1000 9996 9992 …
12
When a function is called any parameters passed to the function are added to the stack add(x,y); printf(“hi there”); Memory AddressValue 1000 9996 9992 …
13
When a function is called any parameters passed to the function are added to the stack add(x,y); printf(“hi there”); Memory AddressValue 1000y 9996 9992 …
14
When a function is called any parameters passed to the function are added to the stack add(x,y); printf(“hi there”); Memory AddressValue 1000y 9996x 9992 …
15
After the parameters are added to the stack, the memory address of the next instruction after the function is put on the stack add(x,y); printf(“hi there”); Memory AddressValue 1000y 9996x 9992 …
16
After the parameters are added to the stack, the memory address of the next instruction after the function is put on the stack (return address) add(x,y); printf(“hi there”); Memory AddressValue 1000y 9996x 9992address_of printf(“hi there”); …
17
Any local variable that the function uses will be placed on the stack after the return address. sub add(x,y) { int total; total=x+y; return(total); } Memory Address Value 1000y 9996x 9992address_of printf(“hi there”); …
18
Any local variable that the function uses will be placed on the stack after the return address. sub add(x,y) { int total; total=x+y; return(total); } Memory Address Value 1000y 9996x 9992address_of printf(“hi there”); …total
19
Once the function completes, the local variables will be removed from the stack sub add(x,y) { int total; total=x+y; return(total); } Memory Address Value 1000y 9996x 9992address_of printf(“hi there”); …total
20
Once the function completes, the local variables will be removed from the stack sub add(x,y) { int total; total=x+y; return(total); } Memory Address Value 1000y 9996x 9992address_of printf(“hi there”); …
21
Finally the CPU will load the memory address that is on the stack into the IP register and continue execution at that point sub add(x,y) { int total; total=x+y; return(total); } Memory Address Value 1000y 9996x 9992address_of printf(“hi there”); …
22
Finally the CPU will load the memory address that is on the stack into the IP register and continue execution at that point sub add(x,y) { int total; total=x+y; return(total); } Memory Address Value 1000y 9996x 9992address_of printf(“hi there”); … IP Register = address_of printf(“hi there”);
23
The key of an buffer overflow is to 1. get your own code (shellcode) into memory 2. overwrite the function return address to point to the memory location of your code
24
interactWithUser(int x) { char msg=“please enter input”; char[8] input; printf(“%s”,msg); gets(input); return(); }
![interactWithUser(int x) { char msg= please enter input ; char[8] input; printf( %s ,msg); gets(input); return(); }](http://images.slideplayer.com/25/7796515/slides/slide_24.jpg "interactWithUser(int x) { char msg= please enter input ; char[8] input; printf( %s ,msg); gets(input); return(); }")
25
interactWithUser(int x) { char msg=“please enter input”; char[8] input; printf(“%s”,msg); gets(input); return(); } In this function the line above is vulnerable, as it takes any length input and tries to store it into the location assigned to input which is only 8 bytes long
![interactWithUser(int x) { char msg= please enter input ; char[8] input; printf( %s ,msg); gets(input); return(); } In this function the line above is vulnerable, as it takes any length input and tries to store it into the location assigned to input which is only 8 bytes long](http://images.slideplayer.com/25/7796515/slides/slide_25.jpg "interactWithUser(int x) { char msg= please enter input ; char[8] input; printf( %s ,msg); gets(input); return(); } In this function the line above is vulnerable, as it takes any length input and tries to store it into the location assigned to input which is only 8 bytes long")
26
Now let’s look at the memory layout of the stack
27
interactWithUser(int x) { char msg=“please enter input”; char[8] input; printf(“%s”,msg); gets(input); return(); } Memory AddressValue 1000x 9996return address 9992ut 9988 inp 9984nter 9980se e 9976plea 9972input variable cont 9968input variable space
![interactWithUser(int x) { char msg= please enter input ; char[8] input; printf( %s ,msg); gets(input); return(); } Memory AddressValue 1000x 9996return address 9992ut 9988 inp 9984nter 9980se e 9976plea 9972input variable cont 9968input variable space](http://images.slideplayer.com/25/7796515/slides/slide_27.jpg "interactWithUser(int x) { char msg= please enter input ; char[8] input; printf( %s ,msg); gets(input); return(); } Memory AddressValue 1000x 9996return address 9992ut 9988 inp 9984nter 9980se e 9976plea 9972input variable cont 9968input variable space")
28
interactWithUser(int x) { char msg=“please enter input”; char[8] input; printf(“%s”,msg); gets(input); return(); } Memory AddressValue 1000x 9996return address 9992ut 9988 inp 9984nter 9980se e 9976plea 9972input variable cont 9968input variable space
![interactWithUser(int x) { char msg= please enter input ; char[8] input; printf( %s ,msg); gets(input); return(); } Memory AddressValue 1000x 9996return address 9992ut 9988 inp 9984nter 9980se e 9976plea 9972input variable cont 9968input variable space](http://images.slideplayer.com/25/7796515/slides/slide_28.jpg "interactWithUser(int x) { char msg= please enter input ; char[8] input; printf( %s ,msg); gets(input); return(); } Memory AddressValue 1000x 9996return address 9992ut 9988 inp 9984nter 9980se e 9976plea 9972input variable cont 9968input variable space")
29
interactWithUser(int x) { char msg=“please enter input”; char[8] input; printf(“%s”,msg); gets(input); return(); } Memory AddressValue 1000x 9996return address 9992ut 9988 inp 9984nter 9980se e 9976plea 9972input variable cont 9968input variable space
![interactWithUser(int x) { char msg= please enter input ; char[8] input; printf( %s ,msg); gets(input); return(); } Memory AddressValue 1000x 9996return address 9992ut 9988 inp 9984nter 9980se e 9976plea 9972input variable cont 9968input variable space](http://images.slideplayer.com/25/7796515/slides/slide_29.jpg "interactWithUser(int x) { char msg= please enter input ; char[8] input; printf( %s ,msg); gets(input); return(); } Memory AddressValue 1000x 9996return address 9992ut 9988 inp 9984nter 9980se e 9976plea 9972input variable cont 9968input variable space")
30
interactWithUser(int x) { char msg=“please enter input”; char[8] input; printf(“%s”,msg); gets(input); return(); } Memory AddressValue 1000x 9996return address 9992ut 9988 inp 9984nter 9980se e 9976plea 9972input variable cont 9968input variable space
![interactWithUser(int x) { char msg= please enter input ; char[8] input; printf( %s ,msg); gets(input); return(); } Memory AddressValue 1000x 9996return address 9992ut 9988 inp 9984nter 9980se e 9976plea 9972input variable cont 9968input variable space](http://images.slideplayer.com/25/7796515/slides/slide_30.jpg "interactWithUser(int x) { char msg= please enter input ; char[8] input; printf( %s ,msg); gets(input); return(); } Memory AddressValue 1000x 9996return address 9992ut 9988 inp 9984nter 9980se e 9976plea 9972input variable cont 9968input variable space")
31
interactWithUser(int x) { char msg=“please enter input”; char[8] input; printf(“%s”,msg); gets(input); return(); } Memory AddressValue 1000x 9996return address 9992ut 9988 inp 9984nter 9980se e 9976plea 9972input variable cont 9968input variable space
![interactWithUser(int x) { char msg= please enter input ; char[8] input; printf( %s ,msg); gets(input); return(); } Memory AddressValue 1000x 9996return address 9992ut 9988 inp 9984nter 9980se e 9976plea 9972input variable cont 9968input variable space](http://images.slideplayer.com/25/7796515/slides/slide_31.jpg "interactWithUser(int x) { char msg= please enter input ; char[8] input; printf( %s ,msg); gets(input); return(); } Memory AddressValue 1000x 9996return address 9992ut 9988 inp 9984nter 9980se e 9976plea 9972input variable cont 9968input variable space")
32
interactWithUser(int x) { char msg=“please enter input”; char[8] input; printf(“%s”,msg); gets(input); return(); } When the input is read from the user, the data will be stored in the space allocated for the input variable Memory AddressValue 1000x 9996return address 9992ut 9988 inp 9984nter 9980se e 9976plea 9972input variable cont 9968input variable space
![interactWithUser(int x) { char msg= please enter input ; char[8] input; printf( %s ,msg); gets(input); return(); } When the input is read from the user, the data will be stored in the space allocated for the input variable Memory AddressValue 1000x 9996return address 9992ut 9988 inp 9984nter 9980se e 9976plea 9972input variable cont 9968input variable space](http://images.slideplayer.com/25/7796515/slides/slide_32.jpg "interactWithUser(int x) { char msg= please enter input ; char[8] input; printf( %s ,msg); gets(input); return(); } When the input is read from the user, the data will be stored in the space allocated for the input variable Memory AddressValue 1000x 9996return address 9992ut 9988 inp 9984nter 9980se e 9976plea 9972input variable cont 9968input variable space")
33
interactWithUser(int x) { char msg=“please enter input”; char[8] input; printf(“%s”,msg); gets(input); return(); } When the input is read from the user, the data will be stored in the space allocated for the input variable Memory AddressValue 1000x 9996return address 9992ut 9988 inp 9984nter 9980se e 9976plea 9972input variable cont 9968input variable space
![interactWithUser(int x) { char msg= please enter input ; char[8] input; printf( %s ,msg); gets(input); return(); } When the input is read from the user, the data will be stored in the space allocated for the input variable Memory AddressValue 1000x 9996return address 9992ut 9988 inp 9984nter 9980se e 9976plea 9972input variable cont 9968input variable space](http://images.slideplayer.com/25/7796515/slides/slide_33.jpg "interactWithUser(int x) { char msg= please enter input ; char[8] input; printf( %s ,msg); gets(input); return(); } When the input is read from the user, the data will be stored in the space allocated for the input variable Memory AddressValue 1000x 9996return address 9992ut 9988 inp 9984nter 9980se e 9976plea 9972input variable cont 9968input variable space")
34
interactWithUser(int x) { char msg=“please enter input”; char[8] input; printf(“%s”,msg); gets(input); return(); } When the input is read from the user, the data will be stored in the space allocated for the input variable Memory AddressValue 1000x 9996return address 9992ut 9988 inp 9984nter 9980se e 9976plea 9972input variable cont 9968input variable space
![interactWithUser(int x) { char msg= please enter input ; char[8] input; printf( %s ,msg); gets(input); return(); } When the input is read from the user, the data will be stored in the space allocated for the input variable Memory AddressValue 1000x 9996return address 9992ut 9988 inp 9984nter 9980se e 9976plea 9972input variable cont 9968input variable space](http://images.slideplayer.com/25/7796515/slides/slide_34.jpg "interactWithUser(int x) { char msg= please enter input ; char[8] input; printf( %s ,msg); gets(input); return(); } When the input is read from the user, the data will be stored in the space allocated for the input variable Memory AddressValue 1000x 9996return address 9992ut 9988 inp 9984nter 9980se e 9976plea 9972input variable cont 9968input variable space")
35
interactWithUser(int x) { char msg=“please enter input”; char[8] input; printf(“%s”,msg); gets(input); return(); } You could enter your own code when prompted to “please enter input” Memory AddressValue 1000x 9996return address 9992ut 9988 inp 9984nter 9980se e 9976plea 9972input variable cont 9968input variable space
![interactWithUser(int x) { char msg= please enter input ; char[8] input; printf( %s ,msg); gets(input); return(); } You could enter your own code when prompted to please enter input Memory AddressValue 1000x 9996return address 9992ut 9988 inp 9984nter 9980se e 9976plea 9972input variable cont 9968input variable space](http://images.slideplayer.com/25/7796515/slides/slide_35.jpg "interactWithUser(int x) { char msg= please enter input ; char[8] input; printf( %s ,msg); gets(input); return(); } You could enter your own code when prompted to please enter input Memory AddressValue 1000x 9996return address 9992ut 9988 inp 9984nter 9980se e 9976plea 9972input variable cont 9968input variable space")
36
interactWithUser(int x) { char msg=“please enter input”; char[8] input; printf(“%s”,msg); gets(input); return(); } You could enter your own code when prompted to “please enter input” Memory AddressValue 1000x 9996return address 9992ut 9988 inp 9984nter 9980se e 9976plea 9972input variable cont 9968input variable space
![interactWithUser(int x) { char msg= please enter input ; char[8] input; printf( %s ,msg); gets(input); return(); } You could enter your own code when prompted to please enter input Memory AddressValue 1000x 9996return address 9992ut 9988 inp 9984nter 9980se e 9976plea 9972input variable cont 9968input variable space](http://images.slideplayer.com/25/7796515/slides/slide_36.jpg "interactWithUser(int x) { char msg= please enter input ; char[8] input; printf( %s ,msg); gets(input); return(); } You could enter your own code when prompted to please enter input Memory AddressValue 1000x 9996return address 9992ut 9988 inp 9984nter 9980se e 9976plea 9972input variable cont 9968input variable space")
37
interactWithUser(int x) { char msg=“please enter input”; char[8] input; printf(“%s”,msg); gets(input); return(); } You could enter your own code when prompted to “please enter input” Memory AddressValue 1000x 9996return address 9992ut 9988 inp 9984nter 9980se e 9976plea 9972input variable cont 9968your shellcode
![interactWithUser(int x) { char msg= please enter input ; char[8] input; printf( %s ,msg); gets(input); return(); } You could enter your own code when prompted to please enter input Memory AddressValue 1000x 9996return address 9992ut 9988 inp 9984nter 9980se e 9976plea 9972input variable cont 9968your shellcode](http://images.slideplayer.com/25/7796515/slides/slide_37.jpg "interactWithUser(int x) { char msg= please enter input ; char[8] input; printf( %s ,msg); gets(input); return(); } You could enter your own code when prompted to please enter input Memory AddressValue 1000x 9996return address 9992ut 9988 inp 9984nter 9980se e 9976plea 9972input variable cont 9968your shellcode")
38
interactWithUser(int x) { char msg=“please enter input”; char[8] input; printf(“%s”,msg); gets(input); return(); } You could enter your own code when prompted to “please enter input” Memory AddressValue 1000x 9996return address 9992ut 9988 inp 9984nter 9980se e 9976plea 9972your shellcode 9968your shellcode
![interactWithUser(int x) { char msg= please enter input ; char[8] input; printf( %s ,msg); gets(input); return(); } You could enter your own code when prompted to please enter input Memory AddressValue 1000x 9996return address 9992ut 9988 inp 9984nter 9980se e 9976plea 9972your shellcode 9968your shellcode](http://images.slideplayer.com/25/7796515/slides/slide_38.jpg "interactWithUser(int x) { char msg= please enter input ; char[8] input; printf( %s ,msg); gets(input); return(); } You could enter your own code when prompted to please enter input Memory AddressValue 1000x 9996return address 9992ut 9988 inp 9984nter 9980se e 9976plea 9972your shellcode 9968your shellcode")
39
interactWithUser(int x) { char msg=“please enter input”; char[8] input; printf(“%s”,msg); gets(input); return(); } If you enter more than 8 characters, you will start overwriting the other data on the stack Memory AddressValue 1000x 9996return address 9992ut 9988 inp 9984nter 9980se e 9976plea 9972your shellcode 9968your shellcode
![interactWithUser(int x) { char msg= please enter input ; char[8] input; printf( %s ,msg); gets(input); return(); } If you enter more than 8 characters, you will start overwriting the other data on the stack Memory AddressValue 1000x 9996return address 9992ut 9988 inp 9984nter 9980se e 9976plea 9972your shellcode 9968your shellcode](http://images.slideplayer.com/25/7796515/slides/slide_39.jpg "interactWithUser(int x) { char msg= please enter input ; char[8] input; printf( %s ,msg); gets(input); return(); } If you enter more than 8 characters, you will start overwriting the other data on the stack Memory AddressValue 1000x 9996return address 9992ut 9988 inp 9984nter 9980se e 9976plea 9972your shellcode 9968your shellcode")
40
interactWithUser(int x) { char msg=“please enter input”; char[8] input; printf(“%s”,msg); gets(input); return(); } If you enter more than 8 characters, you will start overwriting the other data on the stack Memory AddressValue 1000x 9996return address 9992ut 9988 inp 9984nter 9980se e 9976your shellcode 9972your shellcode 9968your shellcode
![interactWithUser(int x) { char msg= please enter input ; char[8] input; printf( %s ,msg); gets(input); return(); } If you enter more than 8 characters, you will start overwriting the other data on the stack Memory AddressValue 1000x 9996return address 9992ut 9988 inp 9984nter 9980se e 9976your shellcode 9972your shellcode 9968your shellcode](http://images.slideplayer.com/25/7796515/slides/slide_40.jpg "interactWithUser(int x) { char msg= please enter input ; char[8] input; printf( %s ,msg); gets(input); return(); } If you enter more than 8 characters, you will start overwriting the other data on the stack Memory AddressValue 1000x 9996return address 9992ut 9988 inp 9984nter 9980se e 9976your shellcode 9972your shellcode 9968your shellcode")
41
interactWithUser(int x) { char msg=“please enter input”; char[8] input; printf(“%s”,msg); gets(input); return(); } If you enter more than 8 characters, you will start overwriting the other data on the stack Memory AddressValue 1000x 9996return address 9992ut 9988 inp 9984nter 9980your shellcode 9976your shellcode 9972your shellcode 9968your shellcode
![interactWithUser(int x) { char msg= please enter input ; char[8] input; printf( %s ,msg); gets(input); return(); } If you enter more than 8 characters, you will start overwriting the other data on the stack Memory AddressValue 1000x 9996return address 9992ut 9988 inp 9984nter 9980your shellcode 9976your shellcode 9972your shellcode 9968your shellcode](http://images.slideplayer.com/25/7796515/slides/slide_41.jpg "interactWithUser(int x) { char msg= please enter input ; char[8] input; printf( %s ,msg); gets(input); return(); } If you enter more than 8 characters, you will start overwriting the other data on the stack Memory AddressValue 1000x 9996return address 9992ut 9988 inp 9984nter 9980your shellcode 9976your shellcode 9972your shellcode 9968your shellcode")
42
interactWithUser(int x) { char msg=“please enter input”; char[8] input; printf(“%s”,msg); gets(input); return(); } If you enter more than 8 characters, you will start overwriting the other data on the stack Memory AddressValue 1000x 9996return address 9992ut 9988 inp 9984your shellcode 9980your shellcode 9976your shellcode 9972your shellcode 9968your shellcode
![interactWithUser(int x) { char msg= please enter input ; char[8] input; printf( %s ,msg); gets(input); return(); } If you enter more than 8 characters, you will start overwriting the other data on the stack Memory AddressValue 1000x 9996return address 9992ut 9988 inp 9984your shellcode 9980your shellcode 9976your shellcode 9972your shellcode 9968your shellcode](http://images.slideplayer.com/25/7796515/slides/slide_42.jpg "interactWithUser(int x) { char msg= please enter input ; char[8] input; printf( %s ,msg); gets(input); return(); } If you enter more than 8 characters, you will start overwriting the other data on the stack Memory AddressValue 1000x 9996return address 9992ut 9988 inp 9984your shellcode 9980your shellcode 9976your shellcode 9972your shellcode 9968your shellcode")
43
interactWithUser(int x) { char msg=“please enter input”; char[8] input; printf(“%s”,msg); gets(input); return(); } If you enter more than 8 characters, you will start overwriting the other data on the stack Memory AddressValue 1000x 9996return address 9992ut 9988your shellcode 9984your shellcode 9980your shellcode 9976your shellcode 9972your shellcode 9968your shellcode
![interactWithUser(int x) { char msg= please enter input ; char[8] input; printf( %s ,msg); gets(input); return(); } If you enter more than 8 characters, you will start overwriting the other data on the stack Memory AddressValue 1000x 9996return address 9992ut 9988your shellcode 9984your shellcode 9980your shellcode 9976your shellcode 9972your shellcode 9968your shellcode](http://images.slideplayer.com/25/7796515/slides/slide_43.jpg "interactWithUser(int x) { char msg= please enter input ; char[8] input; printf( %s ,msg); gets(input); return(); } If you enter more than 8 characters, you will start overwriting the other data on the stack Memory AddressValue 1000x 9996return address 9992ut 9988your shellcode 9984your shellcode 9980your shellcode 9976your shellcode 9972your shellcode 9968your shellcode")
44
interactWithUser(int x) { char msg=“please enter input”; char[8] input; printf(“%s”,msg); gets(input); return(); } If you enter more than 8 characters, you will start overwriting the other data on the stack Memory AddressValue 1000x 9996return address 9992your shellcode 9988your shellcode 9984your shellcode 9980your shellcode 9976your shellcode 9972your shellcode 9968your shellcode
![interactWithUser(int x) { char msg= please enter input ; char[8] input; printf( %s ,msg); gets(input); return(); } If you enter more than 8 characters, you will start overwriting the other data on the stack Memory AddressValue 1000x 9996return address 9992your shellcode 9988your shellcode 9984your shellcode 9980your shellcode 9976your shellcode 9972your shellcode 9968your shellcode](http://images.slideplayer.com/25/7796515/slides/slide_44.jpg "interactWithUser(int x) { char msg= please enter input ; char[8] input; printf( %s ,msg); gets(input); return(); } If you enter more than 8 characters, you will start overwriting the other data on the stack Memory AddressValue 1000x 9996return address 9992your shellcode 9988your shellcode 9984your shellcode 9980your shellcode 9976your shellcode 9972your shellcode 9968your shellcode")
45
interactWithUser(int x) { char msg=“please enter input”; char[8] input; printf(“%s”,msg); gets(input); return(); } Now you’ve overwrote the local stack variables… if you write more you’ll overwrite the return address Memory AddressValue 1000x 9996return address 9992your shellcode 9988your shellcode 9984your shellcode 9980your shellcode 9976your shellcode 9972your shellcode 9968your shellcode
![interactWithUser(int x) { char msg= please enter input ; char[8] input; printf( %s ,msg); gets(input); return(); } Now you’ve overwrote the local stack variables… if you write more you’ll overwrite the return address Memory AddressValue 1000x 9996return address 9992your shellcode 9988your shellcode 9984your shellcode 9980your shellcode 9976your shellcode 9972your shellcode 9968your shellcode](http://images.slideplayer.com/25/7796515/slides/slide_45.jpg "interactWithUser(int x) { char msg= please enter input ; char[8] input; printf( %s ,msg); gets(input); return(); } Now you’ve overwrote the local stack variables… if you write more you’ll overwrite the return address Memory AddressValue 1000x 9996return address 9992your shellcode 9988your shellcode 9984your shellcode 9980your shellcode 9976your shellcode 9972your shellcode 9968your shellcode")
46
interactWithUser(int x) { char msg=“please enter input”; char[8] input; printf(“%s”,msg); gets(input); return(); } If you put the address of the start of your shellcode, when the function returns the IP will be loaded with the address of your shellcode Memory AddressValue 1000x 99969968 9992your shellcode 9988your shellcode 9984your shellcode 9980your shellcode 9976your shellcode 9972your shellcode 9968your shellcode
![interactWithUser(int x) { char msg= please enter input ; char[8] input; printf( %s ,msg); gets(input); return(); } If you put the address of the start of your shellcode, when the function returns the IP will be loaded with the address of your shellcode Memory AddressValue 1000x your shellcode 9988your shellcode 9984your shellcode 9980your shellcode 9976your shellcode 9972your shellcode 9968your shellcode](http://images.slideplayer.com/25/7796515/slides/slide_46.jpg "interactWithUser(int x) { char msg= please enter input ; char[8] input; printf( %s ,msg); gets(input); return(); } If you put the address of the start of your shellcode, when the function returns the IP will be loaded with the address of your shellcode Memory AddressValue 1000x your shellcode 9988your shellcode 9984your shellcode 9980your shellcode 9976your shellcode 9972your shellcode 9968your shellcode")
47
interactWithUser(int x) { char msg=“please enter input”; char[8] input; printf(“%s”,msg); gets(input); return(); } If you put the address of the start of your shellcode, when the function returns the IP will be loaded with the address of your shellcode Memory AddressValue 1000x 99969968 9992your shellcode 9988your shellcode 9984your shellcode 9980your shellcode 9976your shellcode 9972your shellcode 9968your shellcode
![interactWithUser(int x) { char msg= please enter input ; char[8] input; printf( %s ,msg); gets(input); return(); } If you put the address of the start of your shellcode, when the function returns the IP will be loaded with the address of your shellcode Memory AddressValue 1000x your shellcode 9988your shellcode 9984your shellcode 9980your shellcode 9976your shellcode 9972your shellcode 9968your shellcode](http://images.slideplayer.com/25/7796515/slides/slide_47.jpg "interactWithUser(int x) { char msg= please enter input ; char[8] input; printf( %s ,msg); gets(input); return(); } If you put the address of the start of your shellcode, when the function returns the IP will be loaded with the address of your shellcode Memory AddressValue 1000x your shellcode 9988your shellcode 9984your shellcode 9980your shellcode 9976your shellcode 9972your shellcode 9968your shellcode")
48
interactWithUser(int x) { char msg=“please enter input”; char[8] input; printf(“%s”,msg); gets(input); return(); } Then the system will run your shell code instead of returning to the normal program! Memory AddressValue 1000x 9996return address 9992your shellcode 9988your shellcode 9984your shellcode 9980your shellcode 9976your shellcode 9972your shellcode 9968your shellcode
![interactWithUser(int x) { char msg= please enter input ; char[8] input; printf( %s ,msg); gets(input); return(); } Then the system will run your shell code instead of returning to the normal program.](http://images.slideplayer.com/25/7796515/slides/slide_48.jpg "Memory AddressValue 1000x 9996return address 9992your shellcode 9988your shellcode 9984your shellcode 9980your shellcode 9976your shellcode 9972your shellcode 9968your shellcode.")
49
Now you have Successfully input your own code in memory Directed the system to execute your code
51
How did we know where our shellcode’s address is in memory? How do we determine the shellcode? Don’t programs generally generaly filter input for un-allowed characters? What happens if the system uses a Non- eXecutable stack / memory or Address Space Layout Randomization (ALSR)
52
“Smashing the Stack for Fun and Profit” Phrack issue 49 available at http://insecure.org/stf/smashstack.html
Similar presentations
