Computer Security Buffer Overflow lab • Eu-Jin Goh

Setting up Environment Demo
target2.c

    #include <stdio.h>
    #include <string.h>

    int foo(char *arg, char *out) {
        strcpy(out, arg);      /* no bounds check: copies until arg's NUL, whatever out's size */
        return 0;
    }

    int main(int argc, char *argv[]) {
        char buf[64];
        if (argc != 2) { … }
        foo(argv[1], buf);
        return 0;
    }
Stack in target2 – layout (high addresses at the top)

    argv[1]  == <shellcode + buf's address>
    argv[0]  == "/tmp/target2"
    argc
    $ra      – to which main() will return
    $fp      – for main's stack frame
    buf[64]
    ptr to buf     == "out"   // args to foo()
    ptr to argv[1] == "arg"   // args to foo()
    foo's $ra
sploit2

Need:
1. Exploit string length
   • Need the exploit string to write from buf[0] up to main's $ra
   • Find main's $ra and &(buf[0]) and subtract
   • Why not foo's $ra?
2. Address of the buffer ("buf" in target2)
   • The address we want the program to jump to
   • Caveat: buf's address depends on the exploit string size
   • Why? Because the exploit string sits above buf on the stack
   • But once the exploit string length is fixed, the address of buf won't change
Details
1. Size of overflow buffer
   • buf addr = 0x9ffffdb0
   • reg ebp  = 0x9ffffdf8
   • Difference is 0x48 = 72
   • Buffer size = 72 + 4 + 1 = 81
2. Find &buf again when the string length is 81
   • buf = 0x9ffffe60
Crafting the exploit string
• Want target to jump to the start of buf
• Place shellcode (size 45 bytes) at the start of the string
• $ra sits at offset 76
• Need exploit string[76] to contain the address of target2's buf (0x9ffffe60)
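Added example, not part of the lab slides: target2's foo() next to a bounds-checked replacement that refuses input which would run past buf, plus the frame arithmetic the Details slide does by hand (buf and ebp addresses are the slide's; foo_safe, ra_offset and copy_n_bytes_into_buf64 are names chosen here).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Vulnerable copy from the slides: strcpy() has no idea how big 'out' is. */
int foo(char *arg, char *out) {
    strcpy(out, arg);
    return 0;
}

/* Hardened replacement: the caller passes the destination size and the copy
 * is refused when the input plus its NUL will not fit. Returns 0 or -1. */
int foo_safe(const char *arg, char *out, size_t out_size) {
    size_t len = strlen(arg);
    if (len >= out_size) {
        return -1;              /* would overflow: reject, don't truncate silently */
    }
    memcpy(out, arg, len + 1);  /* copies the terminating NUL too */
    return 0;
}

/* Frame arithmetic from the Details slide: the saved return address sits just
 * above the saved frame pointer, i.e. (ebp - &buf) + 4 bytes past buf[0]. */
unsigned ra_offset(uint32_t buf_addr, uint32_t ebp) {
    return (unsigned)(ebp - buf_addr) + 4u;
}

/* Demo helper: build an n-byte input (constructed, all 'A') and try to copy it
 * into a 64-byte buffer like target2's, returning foo_safe's verdict. */
int copy_n_bytes_into_buf64(size_t n) {
    char buf[64];
    char input[256];
    if (n >= sizeof input) return -2;   /* outside the demo's range */
    memset(input, 'A', n);
    input[n] = '\0';
    return foo_safe(input, buf, sizeof buf);
}

int main(void) {
    printf("$ra offset from buf[0]: %u\n", ra_offset(0x9ffffdb0u, 0x9ffffdf8u));
    printf("63-byte input: %d\n", copy_n_bytes_into_buf64(63));  /* fits, with NUL */
    printf("64-byte input: %d\n", copy_n_bytes_into_buf64(64));  /* NUL would spill */
    printf("80-byte input: %d\n", copy_n_bytes_into_buf64(80));  /* the slides' length */
    return 0;
}
```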