CS 155 Section 1 PP 1 EuJin Goh
- Slides: 9
CS 155 Section 1 PP 1 • Eu-Jin Goh
Setting up Environment Demo
target 1. c int foo( char *arg, char *out ) { strcpy( out, arg ); return 0; } int main( int argc, char *argv[] ) { char buf[64]; if ( argc != 2 ) { … } foo( argv[1], buf ); return 0; }
Stack in target 1 – layout argv[1] == <shellcode + buf’s addy> argv[0] == “/tmp/target 1” argc $ra – to which main() will return $fp – for main’s stack frame buf[64] ptr to buf == “out” // args to foo() ptr to argv[1] == “arg” // args to foo()
sploit 1 Need: 1. Location of return address • • addr on stack for $ra to overwrite need main()’s $ra (not foo()’s) 2. Address of the buffer (“buf” in target 1) • address we want to force the program to jump to 3. Distance between buffer and $ra – Size of overflow buffer
Buf addr • addr of the target 1 buf depends exploit overflow buffer size • since exploit string lives above target 1 buf on stack • Once exploit buffer buf fixed, addr of target 1 buf won’t change.
Details 1. Size of overflow buffer • • Buf addr = 0 x 9 ffffb 80 reg ebp = 0 x 9 ffffbc 8 Difference is 0 x 48 = 72 Buffer size = 72 + 4 + 1 = 81 2. Addr of buf • Buf = 0 x 9 ffffe 60
Crafting the exploit string • Want target to jump to start of buf, • place shellcode (size 45 bytes) at the start of the string • $ra exists at offset 76 • need exploit string[76] to contain the addr target 1 buf (0 x 9 ffffe 60)
Hints 1. Various ways of seizing program flow control without overwriting return address 2. Learn what registers esp, ebp point to during stages of program execution 3. Learn what happens to registers and memory during LEAVE and RET calls