x86 Assembly – Buffer Overflow (III: 1)

Admin (III: 2)
• Link to "buffer overflow demo"
  – http://nsfsecurity.pr.erau.edu/bom/
• ASM quick-reference from Larry Zhang (thanks!)
  – http://www.cs.uaf.edu/2010/fall/cs301/support/x86/gcc.html
  – Need an operand/argument summary too?
• Best tool (so far) for C and ASM exploration: ddd (Linux)
  – We will use this later in labs too
IA32 Linux Memory Layout (III: 4)
[Figure: address space, not drawn to scale; labelled by the upper 2 hex digits of the address: FF = Stack (8 MB) at the top, then Heap, Data and Text down toward 08 and 00]
• Stack
  – Runtime stack (8 MB limit)
• Heap
  – Dynamically allocated storage
  – When call malloc(), calloc(), new()
• Data
  – Statically allocated data
  – E.g., arrays & strings declared in code
• Text
  – Executable machine instructions
  – Read-only
• Upper 2 hex digits = 8 bits of address
Memory Allocation Example (III: 5)
[Figure: same address-space diagram, not drawn to scale: FF = Stack at the top, Heap, Data and Text toward 08 and 00]

    #include <stdio.h>
    #include <stdlib.h>

    char big_array[1<<24];  /* 16 MB */
    char huge_array[1<<28]; /* 256 MB */
    int beyond;
    char *p1, *p2, *p3, *p4;

    int useless() { return 0; }

    int main()
    {
        p1 = malloc(1 << 28); /* 256 MB */
        p2 = malloc(1 << 8);  /* 256 B */
        p3 = malloc(1 << 28); /* 256 MB */
        p4 = malloc(1 << 8);  /* 256 B */
        /* Some print statements ... */
        return 0;
    }

Where does everything go?
IA32 Example Addresses (III: 6)
[Figure: address space, not drawn to scale, address range ~2^32: FF = Stack at the top, Heap around 80, Data and Text at 08 and 00]

    Name            Address
    $esp            0xffffbcd0
    p3              0x65586008
    p1              0x55585008
    p4              0x1904a110
    p2              0x1904a008
    &p2             0x18049760
    beyond          0x08049744
    big_array       0x18049780
    huge_array      0x08049760
    main()          0x080483c6
    useless()       0x08049744
    final malloc()  0x006be166

malloc() is dynamically linked; its address is determined at runtime.
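The address table above is a snapshot from one IA32 run; the same ordering (text below data, data below heap, heap far below the stack) can be checked from inside any Linux process. The program below is an added example, not code from the slides: it takes one landmark object the program itself owns in each region (a function for Text, a static for Data, a small malloc() block for Heap, a local for Stack) and classifies any address by the landmark it is nearest to. The function and variable names are my own, and the nearest-landmark rule assumes the regions are separated by far more than the distance between two objects inside one region, which holds for the layout the slide describes (and for x86-64 Linux, with or without ASLR).

```c
/* Added example (not from the slides): probe this process's own memory layout. */
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>

typedef enum { REGION_TEXT = 0, REGION_DATA, REGION_HEAP, REGION_STACK } region_t;
static const char *const region_names[] = { "text", "data", "heap", "stack" };

static int data_landmark = 1;                 /* initialized static: lives in Data */
static int text_landmark(void) { return 1; }  /* machine code: lives in Text */

static uintptr_t distance(uintptr_t a, uintptr_t b) { return a > b ? a - b : b - a; }

/* Nearest-landmark classifier. heap_ref must be the address of a live small
   malloc() block and stack_ref the address of a local in an active frame. */
region_t classify(uintptr_t addr, uintptr_t heap_ref, uintptr_t stack_ref)
{
    uintptr_t marks[4] = { (uintptr_t)text_landmark, (uintptr_t)&data_landmark,
                           heap_ref, stack_ref };
    region_t best = REGION_TEXT;
    for (int i = 1; i < 4; i++)
        if (distance(addr, marks[i]) < distance(addr, marks[best]))
            best = (region_t)i;
    return best;
}

/* 1 if the landmarks are ordered text < data < heap < stack, as on the slide. */
int layout_order_ok(void)
{
    int local = 0;
    void *blk = malloc(16);
    uintptr_t t = (uintptr_t)text_landmark, d = (uintptr_t)&data_landmark;
    uintptr_t h = (uintptr_t)blk, s = (uintptr_t)&local;
    int ok = blk != NULL && t < d && d < h && h < s;
    free(blk);
    return ok;
}

/* Classify one fresh object of each kind; returns how many of the 4 land where expected. */
int self_test(void)
{
    static int bss_var;          /* uninitialized static: Data (bss part) */
    int local = 0, other_local = 0;
    void *heap_ref = malloc(32), *heap_probe = malloc(32);
    int hits = 0;
    if (heap_ref == NULL || heap_probe == NULL) { free(heap_ref); free(heap_probe); return 0; }
    uintptr_t h = (uintptr_t)heap_ref, s = (uintptr_t)&local;
    hits += classify((uintptr_t)self_test, h, s) == REGION_TEXT;
    hits += classify((uintptr_t)&bss_var, h, s) == REGION_DATA;
    hits += classify((uintptr_t)heap_probe, h, s) == REGION_HEAP;
    hits += classify((uintptr_t)&other_local, h, s) == REGION_STACK;
    free(heap_ref); free(heap_probe);
    return hits;
}

int main(void)
{
    int local = 0;
    void *blk = malloc(16);
    uintptr_t probes[4] = { (uintptr_t)text_landmark, (uintptr_t)&data_landmark,
                            (uintptr_t)blk, (uintptr_t)&local };
    for (int i = 0; i < 4; i++)
        printf("%-6s 0x%016lx\n", region_names[i], (unsigned long)probes[i]);
    printf("text < data < heap < stack: %s\n", layout_order_ok() ? "yes" : "no");
    free(blk);
    return self_test() == 4 ? 0 : 1;
}
```

Running it several times on a modern kernel shows the regions moving between runs (ASLR) while their order and rough spacing stay as on the slide; the large malloc() blocks on the previous slide (p1, p3) would instead land in mmap'd regions between the heap and the stack.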
Pointers (III: 7)
[Cartoon caption]
How about some pointers to deal with the new boss?
Sure. Try 0x0000A4F5, 0x00008EEF and 0x0000B32A.
C Operators (III: 8)

    Operators                                     Associativity
    ()  []  ->  .                                 left to right
    !  ~  ++  --  +  -  *  &  (type)  sizeof      right to left
    *  /  %                                       left to right
    +  -                                          left to right
    <<  >>                                        left to right
    <  <=  >  >=                                  left to right
    ==  !=                                        left to right
    &                                             left to right
    ^                                             left to right
    |                                             left to right
    &&                                            left to right
    ||                                            left to right
    ?:                                            right to left
    =  +=  -=  *=  /=  %=  &=  ^=  |=  <<=  >>=   right to left
    ,                                             left to right

• -> has very high precedence
• () has very high precedence
• monadic * is just below
C Pointer Declarations: Test Yourself! (III: 9)

    int *p                 p is a pointer to int
    int *p[13]             p is an array[13] of pointer to int
    int *(p[13])           p is an array[13] of pointer to int
    int **p                p is a pointer to a pointer to an int
    int (*p)[13]           p is a pointer to an array[13] of int
    int *f()               f is a function returning a pointer to int
    int (*f)()             f is a pointer to a function returning int
    int (*(*f())[13])()    f is a function returning ptr to an array[13] of pointers to functions returning int
    int (*(*x[3])())[5]    x is an array[3] of pointers to functions returning pointers to array[5] of ints
Avoiding Complex Declarations (III: 15)
• Use typedef to build up the declaration
• Instead of int (*(*x[3])())[5]:

    typedef int fiveints[5];
    typedef fiveints* p5i;
    typedef p5i (*f_of_p5is)();
    f_of_p5is x[3];

• x is an array of 3 elements, each of which is a pointer to a function returning a pointer to an array of 5 ints
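To show that the quiz declarations and the typedef rewrite above really are the same type, here is an added example (mine, not from the slides) that declares x both ways, fills both with the same functions, and calls through each. Names such as table_a, get_a, x_raw, x_typedef and lookup_raw are my own; the only change to the slide's spelling is (void) instead of the old-style empty () in the function types, so the compiler checks the call signatures.

```c
/* Added example (not from the slides): the raw and typedef'd forms of
   int (*(*x[3])())[5] side by side. */
#include <stdio.h>
#include <stddef.h>

/* Constructed sample data: three arrays of 5 ints. */
static int table_a[5] = {1, 2, 3, 4, 5};
static int table_b[5] = {10, 20, 30, 40, 50};
static int table_c[5] = {100, 200, 300, 400, 500};

/* Each function returns a pointer to an array of 5 ints. */
static int (*get_a(void))[5] { return &table_a; }
static int (*get_b(void))[5] { return &table_b; }
static int (*get_c(void))[5] { return &table_c; }

/* The slide's declaration written out directly. */
int (*(*x_raw[3])(void))[5] = { get_a, get_b, get_c };

/* The same declaration built up with the slide's typedefs. */
typedef int fiveints[5];
typedef fiveints *p5i;
typedef p5i (*f_of_p5is)(void);
f_of_p5is x_typedef[3] = { get_a, get_b, get_c };

/* Read inside-out: x[i] is a function pointer; x[i]() yields a p5i;
   *x[i]() is the 5-int array; (...)[j] is one element. */
int lookup_raw(int i, int j)     { return (*x_raw[i]())[j]; }
int lookup_typedef(int i, int j) { return (*x_typedef[i]())[j]; }

/* C11 _Generic decides at compile time: x_raw decays to f_of_p5is * only if
   the raw element type and the typedef'd one are identical. */
int same_type(void)
{
    return _Generic(x_raw, f_of_p5is *: 1, default: 0);
}

/* The precedence rule behind the quiz: [] binds tighter than unary *, so
   int *p[13] is 13 pointers while int (*p)[13] is a single pointer. */
size_t size_of_array_of_13_ptrs(void)  { return sizeof(int *[13]); }
size_t size_of_ptr_to_array_of_13(void) { return sizeof(int (*)[13]); }

int main(void)
{
    printf("x_raw[1] -> element 2: %d\n", lookup_raw(1, 2));
    printf("x_typedef[2] -> element 4: %d\n", lookup_typedef(2, 4));
    printf("same type: %s\n", same_type() ? "yes" : "no");
    printf("int *p[13] is %zu bytes, int (*p)[13] is %zu bytes\n",
           size_of_array_of_13_ptrs(), size_of_ptr_to_array_of_13());
    return 0;
}
```

The call (*x[i]())[j] is exactly the declaration with the identifier replaced by an index: declarations in C mirror use, which is why reading them inside-out from the identifier works.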
Internet Worm and IM War (III: 16)
• November, 1988
  – Internet Worm attacks thousands of Internet hosts.
  – How did it happen?
• July, 1999
  – Microsoft launches MSN Messenger (instant messaging system).
  – Messenger clients can access popular AOL Instant Messaging Service (AIM) servers
[Diagram: AIM client, MSN server, MSN client, AIM server, AIM client]
Internet Worm and IM War (cont.) (III: 17)
• August 1999
  – Mysteriously, Messenger clients can no longer access AIM servers.
  – Microsoft and AOL begin the IM war:
    · AOL changes server to disallow Messenger clients
    · Microsoft makes changes to clients to defeat AOL changes.
    · At least 13 such skirmishes.
  – How did it happen?
• The Internet Worm and AOL/Microsoft War were both based on stack buffer overflow exploits!
  – Many Unix functions do not check argument sizes.
  – This allows target buffers to overflow.
String Library Code (III: 18)
• Implementation of Unix function gets()

    #include <stdio.h>

    /* Get string from stdin */
    char *gets(char *dest)
    {
        int c = getchar();
        char *p = dest;
        while (c != EOF && c != '\n') {
            *p++ = c;          /* nothing checks that dest has room for this byte */
            c = getchar();
        }
        *p = '\0';
        return dest;
    }
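The gets() above keeps writing through p for as long as input keeps coming, because its caller never tells it how big dest is. The bounded reader below is an added example (mine, not the slide's or any library's code) of the shape a replacement takes: it receives the size, never stores more than size-1 bytes, always NUL-terminates, reports truncation, and consumes the rest of an over-long line so the next call starts on the next line. The demo feeds it a constructed two-line input through fmemopen(), a POSIX call available on glibc Linux; bounded_gets, run_demo and the demo_result struct are my own names.

```c
/* Added example (not from the slides): a size-aware replacement for gets(). */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>

/* Reads one line from `in` into dest[0..size-1]. Stores at most size-1 chars,
   always NUL-terminates, sets *truncated when input was dropped, and drains the
   rest of the line. Returns chars stored, or -1 on EOF with nothing read. */
int bounded_gets(char *dest, size_t size, FILE *in, int *truncated)
{
    size_t n = 0;
    int c;
    *truncated = 0;
    if (size == 0) return -1;
    while ((c = fgetc(in)) != EOF && c != '\n') {
        if (n + 1 < size)
            dest[n++] = (char)c;   /* room left (keeping one byte for the NUL) */
        else
            *truncated = 1;        /* no room: drop the byte instead of writing past dest */
    }
    dest[n] = '\0';
    if (n == 0 && c == EOF) return -1;
    return (int)n;
}

typedef struct {
    int len;          /* characters stored from the first line */
    int truncated;    /* 1 if the first line did not fit */
    char first[8];    /* deliberately small destination buffer */
    char second[16];  /* next line, to show the reader resynchronised */
} demo_result;

/* Runs the reader over constructed input (not a real capture). */
demo_result run_demo(void)
{
    static const char input[] = "hello world, this line is too long\nsecond\n";
    demo_result r;
    int unused;
    memset(&r, 0, sizeof r);
    FILE *in = fmemopen((void *)input, sizeof input - 1, "r");
    if (in == NULL) { r.len = -1; return r; }
    r.len = bounded_gets(r.first, sizeof r.first, in, &r.truncated);
    bounded_gets(r.second, sizeof r.second, in, &unused);
    fclose(in);
    return r;
}

/* Expected outcome: 7 chars kept ("hello w"), truncation flagged, second line intact. */
int demo_first_line_ok(void)
{
    demo_result r = run_demo();
    return r.len == 7 && r.truncated == 1 && strcmp(r.first, "hello w") == 0;
}
int demo_second_line_ok(void)
{
    demo_result r = run_demo();
    return strcmp(r.second, "second") == 0;
}

int main(void)
{
    demo_result r = run_demo();
    printf("first: \"%s\" (%d chars, truncated=%d)\n", r.first, r.len, r.truncated);
    printf("second: \"%s\"\n", r.second);
    return demo_first_line_ok() && demo_second_line_ok() ? 0 : 1;
}
```

With the slide's gets() the same 34-character first line would have been copied past the end of an 8-byte dest; here the extra bytes are discarded and the caller learns it happened. In real code fgets() plays this role (it keeps the newline and does not drain the remainder), and the audit question for any string routine is the one this slide raises: where does the destination size come from?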