1 / 9

CS 155 Section 1 PP1

CS 155 Section 1 PP1. Eu-Jin Goh. Setting up Environment. Demo. target1.c. int foo( char *arg, char *out ) { strcpy( out, arg ); return 0; } int main( int argc, char *argv[] ) { char buf[64]; if ( argc != 2 ) { … } foo( argv[1], buf ); return 0; }.

tate
Télécharger la présentation

CS 155 Section 1 PP1

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. CS 155 Section 1PP1 Eu-Jin Goh

  2. Setting up Environment Demo

  3. target1.c int foo( char *arg, char *out ) { strcpy( out, arg ); return 0; } int main( int argc, char *argv[] ) { char buf[64]; if ( argc != 2 ) { … } foo( argv[1], buf ); return 0; }

  4. Stack in target1 – layout argv[1] == <shellcode + buf’s addy> argv[0] == “/tmp/target1” argc $ra – to which main() will return $fp – for main’s stack frame buf[64] ptr to buf == “out” // args to foo() ptr to argv[1] == “arg” // args to foo()

  5. sploit1 Need: • Location of return address • addr on stack for $ra to overwrite • need main()’s $ra (not foo()’s) • Address of the buffer (“buf” in target1) • address we want to force the program to jump to • Distance between buffer and $ra • Size of overflow buffer

  6. Buf addr • addr of the target1 buf depends exploit overflow buffer size • since exploit string lives above target1 buf on stack • Once exploit buffer buf fixed, addr of target1 buf won’t change.

  7. Details • Size of overflow buffer • Buf addr = 0x9ffffb80 • reg ebp = 0x9ffffbc8 • Difference is 0x48 = 72 • Buffer size = 72 + 4 + 4 + 1 = 81 • Addr of buf • Buf = 0x9ffffe60

  8. Crafting the exploit string • Want target to jump to start of buf, • place shellcode (size 45 bytes) at the start of the string • $ra exists at offset 76 • need exploit string[76] to contain the addr target1 buf (0x9ffffe60)

  9. Hints • Various ways of seizing program flow control without overwriting return address • Learn what registers esp, ebp point to during stages of program execution • Learn what happens to registers and memory during LEAVE and RET calls

More Related