Buffer Overflow Example Slides done by Magnus Almgren.

Post on 02-Apr-2015

225 views 0 download

Preview:

Click to see full reader
Report this document
SHARE

transcript

Buffer Overflow Example

Slides done by Magnus Almgren

Source code of program example#include <string.h> void sub2(char *str) { char buf[8]; strcpy(buf,str);} void sub1() { char str[] = "Code"; sub2(str);} int main() { sub1(); return 0;}

int main() { sub1(); return 0;}

void sub1() { char str[] = "Code"; sub2(str);}

void sub2(char *str) { char buf[8]; strcpy(buf,str);}

Code Stack

9690

9680

9670

9660

9650

int main() { sub1(); return 0;}

void sub1() { char str[] = "Code"; sub2(str);}

void sub2(char *str) { char buf[8]; strcpy(buf,str);}

4 bytes

Stack grows downward (on this system).

Code Stack

Memory address

9690

9680

9670

9660

9650

int main() { sub1(); return 0;}

void sub1() { char str[] = "Code"; sub2(str);}

void sub2(char *str) { char buf[8]; strcpy(buf,str);}

ip = 0804 840d

9690

9680

9670

9660

9650

int main() { sub1(); return 0;}

void sub1() { char str[] = "Code"; sub2(str);}

void sub2(char *str) { char buf[8]; strcpy(buf,str);}

bp = bfa0 9698sp = bfa0 9690ip = 0804 840d

9690

9680

9670

9660

9650

int main() { sub1(); return 0;}

void sub1() { char str[] = "Code"; sub2(str);}

void sub2(char *str) { char buf[8]; strcpy(buf,str);}

bp = bfa0 9698sp = bfa0 9690ip = 0804 840d

9690

9680

9670

9660

9650

int main() { sub1(); return 0;}

void sub1() { char str[] = "Code"; sub2(str);}

void sub2(char *str) { char buf[8]; strcpy(buf,str);}

When calling a function:(0) Setup fcn parameters.(1) Push ip of next instruction(2) Jump to new fcn(3) Update bp(4) Update sp(5) Setup local vars.

bp = bfa0 9698sp = bfa0 9690ip = 0804 840d

9690

9680

9670

9660

9650

int main() { sub1(); return 0;}

void sub1() { char str[] = "Code"; sub2(str);}

void sub2(char *str) { char buf[8]; strcpy(buf,str);}

840d84120

When calling a function:(1) Push ip of next instruction

(1) Next instr address?(2) Increase sp(3) Store address

(2) …

bp = bfa0 9698sp = bfa0 968cip = 0804 840d

9690

9680

9670

9660

9650

int main() { sub1(); return 0;}

void sub1() { char str[] = "Code"; sub2(str);}

void sub2(char *str) { char buf[8]; strcpy(buf,str);}

840d84120

When calling a function:(1) Push ip of next instruction

(1) Next instr address?(2) Increase sp(3) Store address

(2) …

bp = bfa0 9698sp = bfa0 968cip = 0804 840d 8412

9690

9680

9670

9660

9650

int main() { sub1(); return 0;}

void sub1() { char str[] = "Code"; sub2(str);}

void sub2(char *str) { char buf[8]; strcpy(buf,str);}

840d

0

84120

When calling a function:(1) Push ip of next instruction

(1) Next instr address?(2) Increase sp(3) Store address

(2) …

bp = bfa0 9698sp = bfa0 968cip = 0804 840d 8412

9690

9680

9670

9660

9650

int main() { sub1(); return 0;}

void sub1() { char str[] = "Code"; sub2(str);}

void sub2(char *str) { char buf[8]; strcpy(buf,str);}

840d

0

84120

When calling a function:(0) Setup fcn parameters.(1) Push ip of next instruction(2) Jump to new fcn(3) Update bp(4) Update sp(5) Setup local vars.

bp = bfa0 9698sp = bfa0 968cip = 0804 83de 8412

9690

9680

9670

9660

9650

int main() { sub1(); return 0;}

void sub1() { char str[] = "Code"; sub2(str);}

void sub2(char *str) { char buf[8]; strcpy(buf,str);}

840d

0

84120

When calling a function:(0) Setup fcn parameters.(1) Push ip of next instruction(2) Jump to new fcn(3) Update bp(4) Update sp(5) Setup local vars.

bp = bfa0 9698sp = bfa0 968cip = 0804 83de 8412

9690

9680

9670

9660

9650

int main() { sub1(); return 0;}

void sub1() { char str[] = "Code"; sub2(str);}

void sub2(char *str) { char buf[8]; strcpy(buf,str);}

840d

0

84120

When calling a function:(0) Setup fcn parameters.(1) Push ip of next instruction(2) Jump to new fcn(3) Update bp(4) Update sp(5) Setup local vars.

8412

bp0 9698

9690

9680

9670

9660

9650

int main() { sub1(); return 0;}

void sub1() { char str[] = "Code"; sub2(str);}

void sub2(char *str) { char buf[8]; strcpy(buf,str);}

840d84120

0

bp = bfa0 9698sp = bfa0 9688ip = 0804 83de

8696

When calling a function:(3) Update bp

(1) Save old bp(2) Setup new bp

(4) …

bp = bfa0 9698sp = bfa0 9688ip = 0804 83df 8412

bp0 9698

9690

9680

9670

9660

9650

int main() { sub1(); return 0;}

void sub1() { char str[] = "Code"; sub2(str);}

void sub2(char *str) { char buf[8]; strcpy(buf,str);}

840d84120

0

When calling a function:(3) Update bp

(1) Save old bp(2) Setup new bp

(4) …

bp = bfa0 9688sp = bfa0 9688ip = 0804 83df 8412

bp0 9698

9690

9680

9670

9660

9650

int main() { sub1(); return 0;}

void sub1() { char str[] = "Code"; sub2(str);}

void sub2(char *str) { char buf[8]; strcpy(buf,str);}

840d84120

0

When calling a function:(3) Update bp

(1) Save old bp(2) Setup new bp

(4) …

bp = bfa0 9688sp = bfa0 9688ip = 0804 83e1 8412

bp0 9698

9690

9680

9670

9660

9650

int main() { sub1(); return 0;}

void sub1() { char str[] = "Code"; sub2(str);}

void sub2(char *str) { char buf[8]; strcpy(buf,str);}

840d84120

0

When calling a function:(0) Setup fcn parameters.(1) Push ip of next instruction(2) Jump to new fcn(3) Update bp(4) Update sp(5) Setup local vars.

bp = bfa0 9688sp = bfa0 9670ip = 0804 83e1 8412

bp0 9698

9690

9680

9670

9660

9650

int main() { sub1(); return 0;}

void sub1() { char str[] = "Code"; sub2(str);}

void sub2(char *str) { char buf[8]; strcpy(buf,str);}

840d84120

0

When calling a function:(0) Setup fcn parameters.(1) Push ip of next instruction(2) Jump to new fcn(3) Update bp(4) Update sp(5) Setup local vars.

bp = bfa0 9688sp = bfa0 9670ip = 0804 83e1 8412

bp0 9698

9690

9680

9670

9660

9650

int main() { sub1(); return 0;}

void sub1() { char str[] = "Code"; sub2(str);}

void sub2(char *str) { char buf[8]; strcpy(buf,str);}

840d84120

0

When calling a function:(0) Setup fcn parameters.(1) Push ip of next instruction(2) Jump to new fcn(3) Update bp(4) Update sp(5) Setup local vars.

str : bfa0 9683buf : .... ....

bp = bfa0 9688sp = bfa0 9670ip = 0804 83e4 8412

bp0 96980065646f\0 e d o43ed6f f4C

9690

9680

9670

9660

9650

int main() { sub1(); return 0;}

void sub1() { char str[] = "Code"; sub2(str);}

void sub2(char *str) { char buf[8]; strcpy(buf,str);}

840d84120

0

When calling a function:(0) Setup fcn parameters.(1) Push ip of next instruction(2) Jump to new fcn(3) Update bp(4) Update sp(5) Setup local vars.

str : bfa0 9683buf : .... ....

bp = bfa0 9688sp = bfa0 9670ip = 0804 83ef 8412

bp0 96980065646f\0 e d o43ed6f f4C

9690

9680

9670

9660

9650

int main() { sub1(); return 0;}

void sub1() { char str[] = "Code"; sub2(str);}

void sub2(char *str) { char buf[8]; strcpy(buf,str);}

840d84120

0

str : bfa0 9683buf : .... ....

bp = bfa0 9688sp = bfa0 9670ip = 0804 83ef 8412

bp0 96980065646f\0 e d o43ed6f f4C

9690

9680

9670

9660

9650

int main() { sub1(); return 0;}

void sub1() { char str[] = "Code"; sub2(str);}

void sub2(char *str) { char buf[8]; strcpy(buf,str);}

840d84120

0

8412

bp0 96980065646f\0 e d o43ed6f f4C

0

Parameters to function = (…)Return address to ”old” fcn

”Old” frame pointer

Local variables in fcn

Temporary values

Stack Frame:

bp

sp

str : bfa0 9683buf : .... ....

bp = bfa0 9688sp = bfa0 9670ip = 0804 83ef 8412

bp0 96980065646f\0 e d o43ed6f f4C

9690

9680

9670

9660

9650

int main() { sub1(); return 0;}

void sub1() { char str[] = "Code"; sub2(str);}

void sub2(char *str) { char buf[8]; strcpy(buf,str);}

840d84120

0

sub1

str : bfa0 9683buf : .... ....

bp = bfa0 9688sp = bfa0 966cip = 0804 83f5 8412

bp0 96980065646f\0 e d o43ed6f f4C

str: 9683

83fa

9690

9680

9670

9660

9650

int main() { sub1(); return 0;}

void sub1() { char str[] = "Code"; sub2(str);}

void sub2(char *str) { char buf[8]; strcpy(buf,str);}

840d84120

0

1

sub1

1 83fa

83fa

str : bfa0 9683buf : .... ....

bp = bfa0 9688sp = bfa0 966cip = 0804 83c4 8412

bp0 96980065646f\0 e d o43ed6f f4C

str: 9683

9690

9680

9670

9660

9650

int main() { sub1(); return 0;}

void sub1() { char str[] = "Code"; sub2(str);}

void sub2(char *str) { char buf[8]; strcpy(buf,str);}

840d84120

0

1

sub1

1 83fa

83fa

str : bfa0 9683buf : bfa0 9660

bp = bfa0 9668sp = bfa0 9650ip = 0804 83ca 8412

bp0 96980065646f\0 e d o43ed6f f4C

str: 9683

bp1 9688

<buf>

<buf>

9690

9680

9670

9660

9650

int main() { sub1(); return 0;}

void sub1() { char str[] = "Code"; sub2(str);}

void sub2(char *str) { char buf[8]; strcpy(buf,str);}

840d84120

0

1

sub1

sub2

1 83fa

83fa

str : bfa0 9683buf : bfa0 9660

bp = bfa0 9668sp = bfa0 9650ip = 0804 83d7 8412

bp0 96980065646f\0 e d o43ed6f f4C

str: 9683

bp1 9688

<buf>

<buf>

str: 9683

buf: 9660

9690

9680

9670

9660

9650

int main() { sub1(); return 0;}

void sub1() { char str[] = "Code"; sub2(str);}

void sub2(char *str) { char buf[8]; strcpy(buf,str);}

840d84120

0

1

sub1

sub2

1 83fa

83fa

str : bfa0 9683buf : bfa0 9660

bp = bfa0 9668sp = bfa0 9650ip = 0804 83dc 8412

bp0 96980065646f\0 e d o43ed6f f4C

str: 9683

bp1 9688.. .. .. 00.. .. .. \065646f 43e d o C

str: 9683

buf: 9660

9690

9680

9670

9660

9650

int main() { sub1(); return 0;}

void sub1() { char str[] = "Code"; sub2(str);}

void sub2(char *str) { char buf[8]; strcpy(buf,str);}

840d84120

0

1

sub1

sub2

1 83fa

str : bfa0 9683buf : bfa0 9660

bp = bfa0 9668sp = bfa0 9650ip = 0804 83dc 8412

bp0 96980065646f\0 e d o43ed6f f4C

str: 9683

83fa

bp1 9688.. .. .. 00.. .. .. \065646f 43e d o C

str: 9683

buf: 9660

9690

9680

9670

9660

9650

int main() { sub1(); return 0;}

void sub1() { char str[] = "Code"; sub2(str);}

void sub2(char *str) { char buf[8]; strcpy(buf,str);}

840d84120

0

1

sub1

1 83fasub2

What if the string str was longer than 5 characters?

(4 characters + ending ’\0’-character)

Let’s back up a few steps …

83fa

str : bfa0 9683buf : bfa0 9660

bp = bfa0 9668sp = bfa0 9650ip = 0804 83d7 8412

bp0 96980065646f\0 e d o43ed6f f4C

str: 9683

bp1 9688

<buf>

<buf>

str: 9683

buf: 9660

9690

9680

9670

9660

9650

int main() { sub1(); return 0;}

void sub1() { char str[] = "CodeABCDEFGHIJKL"; sub2(str);}

void sub2(char *str) { char buf[8]; strcpy(buf,str);}

840d84120

0

1

sub1

sub2

1 83fa

83fa

str : bfa0 9683buf : bfa0 9660

bp = bfa0 9668sp = bfa0 9650ip = … 8412

bp0 96980065646f\0 e d o43ed6f f4C

str: 9683

bp1 968844434241D C B A65646f 43e d o C

str: 9683

buf: 9660

9690

9680

9670

9660

9650

int main() { sub1(); return 0;}

void sub2(char *str) { char buf[8]; strcpy(buf,str);}

840d84120

0

1

sub1

sub2

void sub1() { char str[] = "CodeABCDEFGHIJKL"; sub2(str);} 1 83fa

83fa

str : bfa0 9683buf : bfa0 9660

bp = bfa0 9668sp = bfa0 9650ip = … 8412

bp0 96980065646f\0 e d o43ed6f f4C

str: 9683

48474645H G F E44434241D C B A65646f 43e d o C

str: 9683

buf: 9660

9690

9680

9670

9660

9650

int main() { sub1(); return 0;}

void sub2(char *str) { char buf[8]; strcpy(buf,str);}

840d84120

0

1

sub1

sub2

void sub1() { char str[] = "CodeABCDEFGHIJKL"; sub2(str);} 1 83fa

str : bfa0 9683buf : bfa0 9660

bp = bfa0 9668sp = bfa0 9650ip = 0804 83dc 8412

bp0 96980065646f\0 e d o43ed6f f4C

str: 960052515049

48474645H G F E44434241D C B A65646f 43e d o C

str: 9683

buf: 9660

9690

9680

9670

9660

9650

int main() { sub1(); return 0;}

void sub2(char *str) { char buf[8]; strcpy(buf,str);}

840d84120

0

?

sub1

sub2

void sub1() { char str[] = "CodeABCDEFGHIJKL"; sub2(str);} 1 83fa

str : bfa0 9683buf : bfa0 9660

bp = bfa0 9668sp = bfa0 9650ip = 0804 83dc 8412

bp0 96980065646f\0 e d o43ed6f f4C

str: 9600

48474645H G F E44434241D C B A65646f 43e d o C

str: 9683

buf: 9660

9690

9680

9670

9660

9650

int main() { sub1(); return 0;}

void sub2(char *str) { char buf[8]; strcpy(buf,str);}

840d84120

0

sub1

void sub1() { char str[] = "CodeABCDEFGHIJKL"; sub2(str);} 1 83fa

sub2

52515049?

The return address has been overwritten. In this

example, probably an invalid address so the

program will crash.

str : bfa0 9683buf : bfa0 9660

bp = bfa0 9668sp = bfa0 9650ip = 0804 83dc 8412

bp0 96980065646f\0 e d o43ed6f f4C

str: 960052515049

48474645H G F E44434241D C B A65646f 43e d o C

str: 9683

buf: 9660

9690

9680

9670

9660

9650

int main() { sub1(); return 0;}

void sub2(char *str) { char buf[8]; strcpy(buf,str);}

840d84120

0

?

sub1

sub2

void sub1() { char str[] = "CodeABCDEFGHIJKL"; sub2(str);} 1 83fa

Trick: Jump back into your buffer

52515049

48474645H G F E44434241D C B A65646f 43e d o C9660

?

Top related

Albertus Magnus the Book of Secrets of Albertus Magnus
Documents
Almgren, Li - Closed-Form Solutions for Option Hedging With Market Impact
Documents
INTRODUCTION TO ALMGREN-PITTS MIN-MAX THEORY …yl15/notes/2019-min-max/... · 2019. 7. 7. · INTRODUCTION TO ALMGREN-PITTS MIN-MAX THEORY (PRELIMINARY VERSION) YANGYANG LI Abstract.
Documents
4. OVERFLOW-D-Mode Operation Without Grid Movement · 4. OVERFLOW-D-Mode Operation Without Grid Movement Two features distinguish “OVERFLOW-D-mode” from a traditional OVERFLOW
Documents
Farr, Richard and Tannock, James and Almgren, Torgny A ...
Documents
Overflow. Part 3 Overflowing Gratitude Overflow – perisseia “Superabundance”
Documents
Buffer Overflow
Documents
Magnus Profile
Documents
Mathematics in Finance - Analytical Finance - by Jan Römanjanroman.dhis.org/finance/Courses/Math in finance Almgren slides1.pdf · Mathematics in Finance Robert Almgren University
Documents
Magnus Field Rejuvenation - Devex Conference · Magnus Field Rejuvenation Magnus Field Rejuvenation Ogaga Esharefasa Petroleum Engineer May 2017. Outline • Magnus history summary
Documents
Magnus primum
Documents
Magnus Gifts
Documents
Plan Magnus
Documents
Buffer Overflow
Documents
by Dr. Ake Almgren
Documents
Carolus Magnus
Documents
Albertus Magnus
Documents
Distributed Computing in Sensor Systems DCOSS 2019 · Continuous Monitoring meets Synchronous Transmissions and InNetwork Aggregation- Charalampos Stylianopoulos, Magnus Almgren,
Documents
Poster magnus
Documents
Magnus Hagander
Documents

Copyright © 2018 DOCUMENTS