Buffer Overflow Example Slides done by Magnus Almgren.

Slides:



Advertisements
Similar presentations
Buffer Overflows Nick Feamster CS 6262 Spring 2009 (credit to Vitaly S. from UT for slides)
Advertisements

Functions, Varargs, and Stack Smashing Using the Stack for Good And Evil Before You Sit Down Please Get The Handout at the Entrance This file is called.
Calling sequence ESP.
Recitation 4 Outline Buffer overflow –Practical skills for Lab 3 Code optimization –Strength reduction –Common sub-expression –Loop unrolling Reminders.
Smashing the Stack for Fun and Profit
Procedures 2 Intructions Supporting Procedures Making Use of a Stack.
The University of Adelaide, School of Computer Science
Run-time Environment for a Program different logical parts of a program during execution stack – automatically allocated variables (local variables, subdivided.
1 Lecture 4: Procedure Calls Today’s topics:  Procedure calls  Large constants  The compilation process Reminder: Assignment 1 is due on Thursday.
Procedure Calls Prof. Sirer CS 316 Cornell University.
1 Nested Procedures Procedures that don't call others are called leaf procedures, procedures that call others are called nested procedures. Problems may.
Ch. 8 Functions.
The University of Adelaide, School of Computer Science
Functions Functions and Parameters. History A function call needs to save the registers in use The called function will use the registers The registers.
CSc 352 Programming Hygiene Saumya Debray Dept. of Computer Science The University of Arizona, Tucson
Buffer Overflows By Tim Peterson Joel Miller Dan Block.
Stack-Based Buffer Overflows Attacker – Can take over a system remotely across a network. local malicious users – To elevate their privileges and gain.
Gabe Kanzelmeyer CS 450 4/14/10.  What is buffer overflow?  How memory is processed and the stack  The threat  Stack overrun attack  Dangers  Prevention.
Stack buffer overflow.
Stack buffer overflow
Dynamic Memory Allocation in C++. Memory Segments in C++ Memory is divided in certain segments – Code Segment Stores application code – Data Segment Holds.
1 Storage Registers vs. memory Access to registers is much faster than access to memory Goal: store as much data as possible in registers Limitations/considerations:
Computer Security Buffer Overflow lab Eu-Jin Goh.
Assembly תרגול 8 פונקציות והתקפת buffer.. Procedures (Functions) A procedure call involves passing both data and control from one part of the code to.
Netprog: Buffer Overflow1 Buffer Overflow Exploits Taken shamelessly from: netprog/overflow.ppt.
Stack Activation Records Topics IA32 stack discipline Register saving conventions Creating pointers to local variables February 6, 2003 CSCE 212H Computer.
CMSC 414 Computer and Network Security Lecture 20 Jonathan Katz.
Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-
Buffer overflows.
CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2011.
Assembly, Stacks, and Registers Kevin C. Su 9/26/2011.
Fall 2008CS 334: Computer SecuritySlide #1 Smashing The Stack A detailed look at buffer overflows as described in Smashing the Stack for Fun and Profit.
UNIVERSITY OF SOUTH CAROLINA Department of Computer Science and Engineering Stack allocation and buffer overflow CSCE 531 Presentation by Miao XU
Exploiting Buffer Overflows on AIX/PowerPC HP-UX/PA-RISC Solaris/SPARC.
Stack Operations LIFO structure (last-in,first-out) –The last value put into the stack is the first value taken out Runtime stack –A memory array that.
Buffer Overflow Computer Organization II 1 © McQuain Buffer Overflows Many of the following slides are based on those from Complete Powerpoint.
Runtime Environments Compiler Construction Chapter 7.
1 Program Layout in memory –Code –Data Global variables –Stack Local variables & function Invocation Frames –Heap Dynamically allocated memory Today’s.
University of Washington Today Happy Monday! HW2 due, how is Lab 3 going? Today we’ll go over:  Address space layout  Input buffers on the stack  Overflowing.
Smashing the Stack Overview The Stack Region Buffer Overflow
Buffer Overflows Many of the following slides are based on those from
MicroComputer Engineering IntroLab1 page 1 Introduction Lab1  A crash course in assembler programming  Learn how a processor works!  Decode a coded.
Stack-based buffer overflows Yves Younan DistriNet, Department of Computer Science Katholieke Universiteit Leuven Belgium
What is exactly Exploit writing?  Writing a piece of code which is capable of exploit the vulnerability in the target software.
Part I The Basic Idea software sequence of instructions in memory logically divided in functions that call each other – function ‘IE’ calls function.
JMU GenCyber Boot Camp Summer, Introduction to Penetration Testing Elevating privileges – Getting code run in a privileged context Exploiting misconfigurations.
ITEC 352 Lecture 19 Functions in Assembly. Functions + Assembly Review Questions? Project due on Friday Stacks Function activation / deactivation.
CS 155 Section 1 PP1 Eu-Jin Goh. Setting up Environment Demo.
Reminder Bomb lab is due tomorrow! Attack lab is released tomorrow!!
Information Security - 2. A Stack Frame. Pushed to stack on function CALL The return address is copied to the CPU Instruction Pointer when the function.
Slides by Kent Seamons and Tim van der Horst Last Updated: Nov 11, 2011.
POINTERS IN C. Introduction  A pointer is a variable that holds a memory address  This address is the location of another object (typically another.
CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2014.
“Success consists of going from failure to failure without loss of enthusiasm.” Winston Churchill.
Refs: rootshell, antionline, your favorite hacker site…
Instructions for test_function
Lecture 5: Procedure Calls
Recitation: Attack Lab
Carnegie Mellon Machine-Level Programming III: Procedures : Introduction to Computer Systems October 22, 2015 Instructor: Rabi Mahapatra Authors:
C – Scope, Lifetime, and the Stack
CS 465 Buffer Overflow Slides by Kent Seamons and Tim van der Horst
Stack Memory 2 (also called Call Stack)
The University of Adelaide, School of Computer Science
Understanding Program Address Space
CNT4704: Analysis of Computer Communication Network Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Fall 2011.
Buffer Overflows.
Procedures and Calling Conventions
CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2016.
CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2013.
CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2010.
Presentation transcript:

Buffer Overflow Example Slides done by Magnus Almgren

Source code of program example #include void sub2( char *str ) { char buf[8]; strcpy(buf,str); } void sub1() { char str[] = "Code"; sub2(str); } int main() { sub1(); return 0; }

int main() { sub1(); return 0; } void sub1() { char str[] = "Code"; sub2(str); } void sub2( char *str ) { char buf[8]; strcpy(buf,str); } Code Stack

int main() { sub1(); return 0; } void sub1() { char str[] = "Code"; sub2(str); } void sub2( char *str ) { char buf[8]; strcpy(buf,str); } 4 bytes Stack grows downward (on this system). Code Stack Memory address

int main() { sub1(); return 0; } void sub1() { char str[] = "Code"; sub2(str); } void sub2( char *str ) { char buf[8]; strcpy(buf,str); }

ip = d int main() { sub1(); return 0; } void sub1() { char str[] = "Code"; sub2(str); } void sub2( char *str ) { char buf[8]; strcpy(buf,str); }

bp = bfa sp = bfa ip = d int main() { sub1(); return 0; } void sub1() { char str[] = "Code"; sub2(str); } void sub2( char *str ) { char buf[8]; strcpy(buf,str); } …

bp = bfa sp = bfa ip = d int main() { sub1(); return 0; } void sub1() { char str[] = "Code"; sub2(str); } void sub2( char *str ) { char buf[8]; strcpy(buf,str); } When calling a function: (0) Setup fcn parameters. (1)Push ip of next instruction (2)Jump to new fcn (3)Update bp (4)Update sp (5)Setup local vars. When calling a function: (0) Setup fcn parameters. (1)Push ip of next instruction (2)Jump to new fcn (3)Update bp (4)Update sp (5)Setup local vars.

bp = bfa sp = bfa ip = d int main() { sub1(); return 0; } void sub1() { char str[] = "Code"; sub2(str); } void sub2( char *str ) { char buf[8]; strcpy(buf,str); } 840d When calling a function: (1)Push ip of next instruction (1)Next instr address? (2)Increase sp (3)Store address (2)… When calling a function: (1)Push ip of next instruction (1)Next instr address? (2)Increase sp (3)Store address (2)…

bp = bfa sp = bfa0 968c ip = d int main() { sub1(); return 0; } void sub1() { char str[] = "Code"; sub2(str); } void sub2( char *str ) { char buf[8]; strcpy(buf,str); } 840d When calling a function: (1)Push ip of next instruction (1)Next instr address? (2)Increase sp (3)Store address (2)… When calling a function: (1)Push ip of next instruction (1)Next instr address? (2)Increase sp (3)Store address (2)…

bp = bfa sp = bfa0 968c ip = d int main() { sub1(); return 0; } void sub1() { char str[] = "Code"; sub2(str); } void sub2( char *str ) { char buf[8]; strcpy(buf,str); } 840d When calling a function: (1)Push ip of next instruction (1)Next instr address? (2)Increase sp (3)Store address (2)… When calling a function: (1)Push ip of next instruction (1)Next instr address? (2)Increase sp (3)Store address (2)…

bp = bfa sp = bfa0 968c ip = d int main() { sub1(); return 0; } void sub1() { char str[] = "Code"; sub2(str); } void sub2( char *str ) { char buf[8]; strcpy(buf,str); } 840d When calling a function: (0) Setup fcn parameters. (1)Push ip of next instruction (2)Jump to new fcn (3)Update bp (4)Update sp (5)Setup local vars. When calling a function: (0) Setup fcn parameters. (1)Push ip of next instruction (2)Jump to new fcn (3)Update bp (4)Update sp (5)Setup local vars.

bp = bfa sp = bfa0 968c ip = de int main() { sub1(); return 0; } void sub1() { char str[] = "Code"; sub2(str); } void sub2( char *str ) { char buf[8]; strcpy(buf,str); } 840d When calling a function: (0) Setup fcn parameters. (1)Push ip of next instruction (2)Jump to new fcn (3)Update bp (4)Update sp (5)Setup local vars. When calling a function: (0) Setup fcn parameters. (1)Push ip of next instruction (2)Jump to new fcn (3)Update bp (4)Update sp (5)Setup local vars.

bp = bfa sp = bfa0 968c ip = de int main() { sub1(); return 0; } void sub1() { char str[] = "Code"; sub2(str); } void sub2( char *str ) { char buf[8]; strcpy(buf,str); } 840d When calling a function: (0) Setup fcn parameters. (1)Push ip of next instruction (2)Jump to new fcn (3)Update bp (4)Update sp (5)Setup local vars. When calling a function: (0) Setup fcn parameters. (1)Push ip of next instruction (2)Jump to new fcn (3)Update bp (4)Update sp (5)Setup local vars.

8412 bp int main() { sub1(); return 0; } void sub1() { char str[] = "Code"; sub2(str); } void sub2( char *str ) { char buf[8]; strcpy(buf,str); } 840d bp = bfa sp = bfa ip = de 8696 When calling a function: (3) Update bp (1)Save old bp (2)Setup new bp (4) … When calling a function: (3) Update bp (1)Save old bp (2)Setup new bp (4) …

bp = bfa sp = bfa ip = df 8412 bp int main() { sub1(); return 0; } void sub1() { char str[] = "Code"; sub2(str); } void sub2( char *str ) { char buf[8]; strcpy(buf,str); } 840d When calling a function: (3) Update bp (1)Save old bp (2)Setup new bp (4) … When calling a function: (3) Update bp (1)Save old bp (2)Setup new bp (4) …

bp = bfa sp = bfa ip = df 8412 bp int main() { sub1(); return 0; } void sub1() { char str[] = "Code"; sub2(str); } void sub2( char *str ) { char buf[8]; strcpy(buf,str); } 840d When calling a function: (3) Update bp (1)Save old bp (2)Setup new bp (4) … When calling a function: (3) Update bp (1)Save old bp (2)Setup new bp (4) …

bp = bfa sp = bfa ip = e bp int main() { sub1(); return 0; } void sub1() { char str[] = "Code"; sub2(str); } void sub2( char *str ) { char buf[8]; strcpy(buf,str); } 840d When calling a function: (0) Setup fcn parameters. (1)Push ip of next instruction (2)Jump to new fcn (3)Update bp (4)Update sp (5)Setup local vars. When calling a function: (0) Setup fcn parameters. (1)Push ip of next instruction (2)Jump to new fcn (3)Update bp (4)Update sp (5)Setup local vars.

bp = bfa sp = bfa ip = e bp int main() { sub1(); return 0; } void sub1() { char str[] = "Code"; sub2(str); } void sub2( char *str ) { char buf[8]; strcpy(buf,str); } 840d When calling a function: (0) Setup fcn parameters. (1)Push ip of next instruction (2)Jump to new fcn (3)Update bp (4)Update sp (5)Setup local vars. When calling a function: (0) Setup fcn parameters. (1)Push ip of next instruction (2)Jump to new fcn (3)Update bp (4)Update sp (5)Setup local vars.

bp = bfa sp = bfa ip = e bp int main() { sub1(); return 0; } void sub1() { char str[] = "Code"; sub2(str); } void sub2( char *str ) { char buf[8]; strcpy(buf,str); } 840d When calling a function: (0) Setup fcn parameters. (1)Push ip of next instruction (2)Jump to new fcn (3)Update bp (4)Update sp (5)Setup local vars. When calling a function: (0) Setup fcn parameters. (1)Push ip of next instruction (2)Jump to new fcn (3)Update bp (4)Update sp (5)Setup local vars.

str : bfa buf : bp = bfa sp = bfa ip = e bp f \0edo 43ed6ff4 C int main() { sub1(); return 0; } void sub1() { char str[] = "Code"; sub2(str); } void sub2( char *str ) { char buf[8]; strcpy(buf,str); } 840d When calling a function: (0) Setup fcn parameters. (1)Push ip of next instruction (2)Jump to new fcn (3)Update bp (4)Update sp (5)Setup local vars. When calling a function: (0) Setup fcn parameters. (1)Push ip of next instruction (2)Jump to new fcn (3)Update bp (4)Update sp (5)Setup local vars.

str : bfa buf : bp = bfa sp = bfa ip = ef 8412 bp f \0edo 43ed6ff4 C int main() { sub1(); return 0; } void sub1() { char str[] = "Code"; sub2(str); } void sub2( char *str ) { char buf[8]; strcpy(buf,str); } 840d

str : bfa buf : bp = bfa sp = bfa ip = ef 8412 bp f \0edo 43ed6ff4 C int main() { sub1(); return 0; } void sub1() { char str[] = "Code"; sub2(str); } void sub2( char *str ) { char buf[8]; strcpy(buf,str); } 840d … bp f \0edo 43ed6ff4 C 0 Parameters to function = (…) Return address to ”old” fcn ”Old” frame pointer Local variables in fcn Temporary values Stack Frame: bp sp

str : bfa buf : bp = bfa sp = bfa ip = ef 8412 bp f \0edo 43ed6ff4 C int main() { sub1(); return 0; } void sub1() { char str[] = "Code"; sub2(str); } void sub2( char *str ) { char buf[8]; strcpy(buf,str); } 840d

str : bfa buf : bp = bfa sp = bfa0 966c ip = f bp f \0edo 43ed6ff4 C str: fa int main() { sub1(); return 0; } void sub1() { char str[] = "Code"; sub2(str); } void sub2( char *str ) { char buf[8]; strcpy(buf,str); } 840d fa

str : bfa buf : bp = bfa sp = bfa0 966c ip = c bp f \0edo 43ed6ff4 C str: int main() { sub1(); return 0; } void sub1() { char str[] = "Code"; sub2(str); } void sub2( char *str ) { char buf[8]; strcpy(buf,str); } 840d fa

str : bfa buf : bfa bp = bfa sp = bfa ip = ca 8412 bp f \0edo 43ed6ff4 C str:9683 bp int main() { sub1(); return 0; } void sub1() { char str[] = "Code"; sub2(str); } void sub2( char *str ) { char buf[8]; strcpy(buf,str); } 840d fa

str : bfa buf : bfa bp = bfa sp = bfa ip = d bp f \0edo 43ed6ff4 C str:9683 bp str:9683 buf: int main() { sub1(); return 0; } void sub1() { char str[] = "Code"; sub2(str); } void sub2( char *str ) { char buf[8]; strcpy(buf,str); } 840d fa

str : bfa buf : bfa bp = bfa sp = bfa ip = dc 8412 bp f \0edo 43ed6ff4 C str:9683 bp \ f43 edoC str:9683 buf: int main() { sub1(); return 0; } void sub1() { char str[] = "Code"; sub2(str); } void sub2( char *str ) { char buf[8]; strcpy(buf,str); } 840d fa

str : bfa buf : bfa bp = bfa sp = bfa ip = dc 8412 bp f \0edo 43ed6ff4 C str: fa bp \ f43 edoC str:9683 buf: int main() { sub1(); return 0; } void sub1() { char str[] = "Code"; sub2(str); } void sub2( char *str ) { char buf[8]; strcpy(buf,str); } 840d fa What if the string str was longer than 5 characters? (4 characters + ending ’\0’-character) Let’s back up a few steps …

83fa str : bfa buf : bfa bp = bfa sp = bfa ip = d bp f \0edo 43ed6ff4 C str:9683 bp str:9683 buf: int main() { sub1(); return 0; } void sub1() { char str[] = " CodeABCDEFGHIJKL "; sub2(str); } void sub2( char *str ) { char buf[8]; strcpy(buf,str); } 840d fa

str : bfa buf : bfa bp = bfa sp = bfa ip = … 8412 bp f \0edo 43ed6ff4 C str:9683 bp DCBA 65646f43 edoC str:9683 buf: int main() { sub1(); return 0; } void sub2( char *str ) { char buf[8]; strcpy(buf,str); } 840d void sub1() { char str[] = " CodeABCDEFGHIJKL "; sub2(str); } 1 83fa

str : bfa buf : bfa bp = bfa sp = bfa ip = … 8412 bp f \0edo 43ed6ff4 C str: HGFE DCBA 65646f43 edoC str:9683 buf: int main() { sub1(); return 0; } void sub2( char *str ) { char buf[8]; strcpy(buf,str); } 840d void sub1() { char str[] = " CodeABCDEFGHIJKL "; sub2(str); } 1 83fa

str : bfa buf : bfa bp = bfa sp = bfa ip = dc 8412 bp f \0edo 43ed6ff4 C str: HGFE DCBA 65646f43 edoC str:9683 buf: int main() { sub1(); return 0; } void sub2( char *str ) { char buf[8]; strcpy(buf,str); } 840d ? void sub1() { char str[] = " CodeABCDEFGHIJKL "; sub2(str); } 1 83fa

str : bfa buf : bfa bp = bfa sp = bfa ip = dc 8412 bp f \0edo 43ed6ff4 C str: HGFE DCBA 65646f43 edoC str:9683 buf: int main() { sub1(); return 0; } void sub2( char *str ) { char buf[8]; strcpy(buf,str); } 840d void sub1() { char str[] = "CodeABCDEFGHIJKL"; sub2(str); } 1 83fa ? The return address has been overwritten. In this example, probably an invalid address so the program will crash.

str : bfa buf : bfa bp = bfa sp = bfa ip = dc 8412 bp f \0edo 43ed6ff4 C str: HGFE DCBA 65646f43 edoC str:9683 buf: int main() { sub1(); return 0; } void sub2( char *str ) { char buf[8]; strcpy(buf,str); } 840d ? void sub1() { char str[] = " CodeABCDEFGHIJKL "; sub2(str); } 1 83fa Trick: Jump back into your buffer HGFE DCBA 65646f43 edoC 9660 ?

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.