1. CS 155 Section 1 PP1 Eu-Jin Goh

2. Setting up Environment Demo

3. target1.c int foo( char *arg, char *out ) { strcpy( out, arg ); return 0; } int main( int argc, char *argv[] ) { char buf[64]; if ( argc != 2 ) { … } foo( argv[1], buf ); return 0; }

4. Stack in target1 – layout argv[1] == argv[0] == “/tmp/target1” argc $ra – to which main() will return $fp – for main’s stack frame buf[64] ptr to buf == “out”// args to foo() ptr to argv[1] == “arg”// args to foo()

5. sploit1 Need: 1.Location of return address addr on stack for $ra to overwrite need main()’s $ra (not foo()’s) 2. Address of the buffer (“buf” in target1) address we want to force the program to jump to 3.Distance between buffer and $ra –Size of overflow buffer

6. Buf addr addr of the target1 buf depends exploit overflow buffer size since exploit string lives above target1 buf on stack Once exploit buffer buf fixed, addr of target1 buf won’t change.

7. Details 1.Size of overflow buffer Buf addr = 0x9ffffb80 reg ebp = 0x9ffffbc8 Difference is 0x48 = 72 Buffer size = 72 + 4 + 4 + 1 = 81 2.Addr of buf Buf = 0x9ffffe60

8. Crafting the exploit string Want target to jump to start of buf, place shellcode (size 45 bytes) at the start of the string $ra exists at offset 76 need exploit string[76] to contain the addr target1 buf (0x9ffffe60)

9. Hints 1.Various ways of seizing program flow control without overwriting return address 2.Learn what registers esp, ebp point to during stages of program execution 3.Learn what happens to registers and memory during LEAVE and RET calls

10. IA-32 review $esp : Stack Pointer (SP) : points to the top of the stack (lowest mem addy) Points to last used word in stack or next available word location on stack (implementation dependent) $ebp : Frame Pointer (FP) : points to fixed location within an activation record (stack frame) If $ebp for some stack frame is stored at addr X then $eip for that frame is stored at addr X + 4 Used to reference local vars and parameters since the distance from those to the frame pointer will not change whereas the distance from those to the stack pointer will (as other functions are called and the stack pointer is decrem’d …) $eip : instruction pointer (aka $ra) “The instruction pointer (EIP) register contains the offset in the current code segment for the next instruction to be executed.”

11. More IA-32 review When CALL procedure p(), Push eip : the return address ($ra) Push ebp : saves previous frame pointer Copy sp into fp : ebp = esp The new AR’s frame pointer will be the previous value of the stack pointer Advance sp (esp) for allocations on stack (that is, decrement it) When LEAVE procedure p(), This process is reversed Load ebp into esp Restore ebp from the stack

12. Interaction between EIP, EBP, ESP During CALL, value of eip register pushed onto stack Before RET, programmer should make sure that stack pointer (esp) is pointing to the eip on the stack; does this via: Move contents of $ebp into $esp Increment $esp by 4 $esp should now point to (contain addy of) $eip RET will load the value stored in $esp into the $eip register then jump to that value

13. The stack 0x9ffffef8| 0x9fffff9e| argv[1] : f9e = SHELLCODE 0x9ffffef4| 0x9fffff91| argv[0] : f91 = "/tmp/target1" 0x9ffffef0| 2| argc 0x9ffffeb8| 0x9fffff00| <--- argv[1] : f00 points to NULL 0x9ffffeb4| 0x9ffffef4| <--- argv[0] : ef4 points to f91 0x9ffffeb0| 2| <--- argc 0x9ffffeac| __libc_start_main+198 | <--- $ra : what we want to overwrite 0x9ffffea8| 0x9ffffec8| <--- $fp : frame pointer 0x9ffffea4| 0x9ffffef4| <--- argv[0] : ef4 points to f91 0x9ffffea0| _rtld_global| <--- garbage alignment stuff? 0x9ffffe9c|| ------last word of buf------ 0x9ffffe60|| ------beginning of buf------ 0x9ffffe5c|| 0x9ffffe58|| 0x9ffffe54| 0x9ffffe60| argv[1] <-- points to beginning of buf 0x9ffffe50| 0x9fffff9e| argv[0] <-- points to shellcode 0x9ffffe4c| 0x8048461 | 0x9ffffe48| 0x9ffffea8| <--- $fp in foo()