CNT 4704: Analysis of Computer Communication Network
Buffer Overflow: Example of Using GDB to Check Stack Memory
Cliff Zou, Fall 2011
A Stack Frame

[Figure: one stack frame, high addresses at the top and low addresses (toward 0000) at the bottom: Parameters (addressed as SP+offset), Return Address, Calling Stack Pointer (BP points here), Local Variables (SP points to the bottom of the frame)]

SP: stack pointer. BP: base/frame pointer. Calling stack pointer: the previous function's SP.
Using GDB to Check the Stack

- GDB tutorials:
  - http://gemma.apple.com/mac/library/documentation/DeveloperTools/gdb/gdb_7.html
  - http://www.yolinux.com/TUTORIALS/GDB-Commands.html#GDB_COMMAND_LINE_ARGS
- When compiling the C code, use "gcc -g ..." so that gdb can match source line numbers with the compiled code
- Some background: http://en.wikipedia.org/wiki/X86_assembly_language
  - Register eip: instruction pointer, the address of the next instruction to execute
  - Register ebp: base/frame pointer, the top of the current stack frame, used for addressing local variables
- Related gdb commands:
  - list: list the source code with each line's number
  - break linenumber: set a breakpoint at linenumber
  - run argv: run the program with the argument argv
  - next: execute the next line of code
  - backtrace: show the trace of all function calls on the stack
  - info frame: list the address, language, address of arguments/local variables and which registers were saved in the frame
    - This shows where the return address is saved
    - The return address is the saved register EIP
    - The calling stack pointer is the saved register EBP
  - x &variable: show the address and value of a local variable (in hex)
  - x address: print the 4 bytes of memory pointed to by address (in hex)
Example of Using GDB

#include <stdio.h>
#include <string.h>   /* needed for strcpy() */

void foo(char *input) {
    int a1 = 11;
    int a2 = 22;
    char buf[7];
    strcpy(buf, input);   /* unbounded copy: the overflow this example examines */
}

int main(int argc, char **argv) {
    foo(argv[1]);
    return 0;
}

Question: What does the stack look like before strcpy()?
czou@eustis:~/buffer-code$ setarch i686 -R gdb ./gdb-example
(gdb) list
1   #include <stdio.h>
2   void foo(char * input){
3       int a1=11;
4       int a2=22;
5       char buf[7];
6       strcpy(buf, input);
7   }
8   void main(int argc, char **argv){
9       foo(argv[1]);
10  }
(gdb) break 6
Breakpoint 1 at 0x80483e9: file gdb-example.c, line 6.
(gdb) run
Starting program: /home/czou/buffer-code/gdb-example
Breakpoint 1, foo (input=0x0) at gdb-example.c:6
6       strcpy(buf, input);
(gdb)

Note: "setarch i686 -R" disables the address randomization used by Unix, so the addresses gdb shows stay the same from run to run. The program was started without an argument, which is why input is 0x0 (NULL).
(gdb) info frame
Stack level 0, frame at 0xbffff7d0:
 eip = 0x80483e9 in foo (gdb-example.c:6); saved eip 0x804842f
 called by frame at 0xbffff7e0
 source language c.
 Arglist at 0xbffff7c8, args: input=0x0
 Locals at 0xbffff7c8, Previous frame's sp is 0xbffff7d0
 Saved registers:
  ebp at 0xbffff7c8, eip at 0xbffff7cc
(gdb) x &a1
0xbffff7b8: 0x0000000b
(gdb) x &a2
0xbffff7b4: 0x00000016
(gdb) x buf
0xbffff7bc: 0x080482ec
(gdb) x
0xbffff7b4: 0x00000016
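As an added example (not code from the slides), the C program below models the foo() frame exactly as the "info frame" and "x" output above lays it out, answers the slide's question of which slot an input of a given length reaches, and pairs the unchecked strcpy() with a bounded copy. The slot names, the "padding" slot and copy_bounded() are assumptions; the addresses are the ones gdb printed.

```c
/* Added example, not code from the slides: it models the foo() frame that the
 * "info frame" and "x &a1" output above describes and pairs the unchecked copy
 * with a bounded one. Slot names, the "padding" slot and copy_bounded() are
 * our assumptions; the addresses are the ones gdb printed. */
#include <stdio.h>
#include <string.h>
#define BUF_SIZE 7                       /* char buf[7] in foo() */
#define BUF_ADDR 0xbffff7bcUL            /* "x buf" on the previous slide */
typedef struct { const char *name; unsigned long addr; size_t size; } slot_t;

/* Frame of foo() as gdb reported it, lowest address first. */
static const slot_t frame[] = {
    { "a2",           0xbffff7b4UL, 4 },
    { "a1",           0xbffff7b8UL, 4 },
    { "buf",          BUF_ADDR,     BUF_SIZE },
    { "padding",      0xbffff7c3UL, 5 },   /* 0x7c3-0x7c7: gap gdb did not name (assumption) */
    { "saved ebp",    0xbffff7c8UL, 4 },
    { "saved eip",    0xbffff7ccUL, 4 },   /* the return address */
};

/* Which slot receives the terminating NUL when strcpy() writes `len` input
 * bytes into buf; "beyond frame" once the copy runs past the saved eip. */
static const char *last_slot_written(size_t len) {
    unsigned long end = BUF_ADDR + len;
    const char *hit = "beyond frame";
    for (size_t i = 0; i < sizeof frame / sizeof frame[0]; i++)
        if (end >= frame[i].addr && end < frame[i].addr + frame[i].size)
            hit = frame[i].name;
    return hit;
}

/* Hardened replacement for the strcpy() in foo(): rejects input that does not
 * fit together with its NUL. Returns 0 on success, -1 when rejected. */
static int copy_bounded(char *dst, size_t dstsz, const char *input) {
    size_t len = strlen(input);
    if (len >= dstsz)
        return -1;
    memcpy(dst, input, len + 1);
    return 0;
}

int main(int argc, char **argv) {
    const char *input = argc > 1 ? argv[1] : "constructed-input";  /* constructed default */
    char buf[BUF_SIZE];
    printf("%zu-byte input: NUL lands in '%s'\n", strlen(input), last_slot_written(strlen(input)));
    if (copy_bounded(buf, sizeof buf, input) != 0)
        printf("rejected: does not fit in buf[%d]\n", BUF_SIZE);
    return 0;
}
```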
Two Techniques for Generating Stack Overflow Codes
NOPs

- Most CPUs have a no-operation instruction: it does nothing but advance the instruction pointer.
- Usually we can put a bunch of these ahead of our program (in the string).
- As long as the new return address points to a NOP we are OK.
Using NOPs

[Figure: the injected string laid out as a run of nop instructions followed by the real program (exec /bin/ls or whatever); the new return address can point anywhere in the nop run]
Estimating the stack size

- We can also guess at the location of the return address relative to the overflowed buffer.
- Put in a bunch of new return addresses!
Estimating the Location

[Figure: the injected string with the new return address repeated many times, followed by nop instructions and then the real program]