Buffer Overflow Example Slides done by Magnus Almgren.
-
Upload
alana-algood -
Category
Documents
-
view
225 -
download
0
Transcript of Buffer Overflow Example Slides done by Magnus Almgren.
![Page 1: Buffer Overflow Example Slides done by Magnus Almgren.](https://reader035.fdocuments.in/reader035/viewer/2022062318/551c5b775503469d6a8b5121/html5/thumbnails/1.jpg)
Buffer Overflow Example
Slides done by Magnus Almgren
![Page 2: Buffer Overflow Example Slides done by Magnus Almgren.](https://reader035.fdocuments.in/reader035/viewer/2022062318/551c5b775503469d6a8b5121/html5/thumbnails/2.jpg)
Source code of program example#include <string.h> void sub2(char *str) { char buf[8]; strcpy(buf,str);} void sub1() { char str[] = "Code"; sub2(str);} int main() { sub1(); return 0;}
![Page 3: Buffer Overflow Example Slides done by Magnus Almgren.](https://reader035.fdocuments.in/reader035/viewer/2022062318/551c5b775503469d6a8b5121/html5/thumbnails/3.jpg)
int main() { sub1(); return 0;}
void sub1() { char str[] = "Code"; sub2(str);}
void sub2(char *str) { char buf[8]; strcpy(buf,str);}
Code Stack
![Page 4: Buffer Overflow Example Slides done by Magnus Almgren.](https://reader035.fdocuments.in/reader035/viewer/2022062318/551c5b775503469d6a8b5121/html5/thumbnails/4.jpg)
9690
9680
9670
9660
9650
int main() { sub1(); return 0;}
void sub1() { char str[] = "Code"; sub2(str);}
void sub2(char *str) { char buf[8]; strcpy(buf,str);}
4 bytes
Stack grows downward (on this system).
Code Stack
Memory address
![Page 5: Buffer Overflow Example Slides done by Magnus Almgren.](https://reader035.fdocuments.in/reader035/viewer/2022062318/551c5b775503469d6a8b5121/html5/thumbnails/5.jpg)
9690
9680
9670
9660
9650
int main() { sub1(); return 0;}
void sub1() { char str[] = "Code"; sub2(str);}
void sub2(char *str) { char buf[8]; strcpy(buf,str);}
![Page 6: Buffer Overflow Example Slides done by Magnus Almgren.](https://reader035.fdocuments.in/reader035/viewer/2022062318/551c5b775503469d6a8b5121/html5/thumbnails/6.jpg)
ip = 0804 840d
9690
9680
9670
9660
9650
int main() { sub1(); return 0;}
void sub1() { char str[] = "Code"; sub2(str);}
void sub2(char *str) { char buf[8]; strcpy(buf,str);}
![Page 7: Buffer Overflow Example Slides done by Magnus Almgren.](https://reader035.fdocuments.in/reader035/viewer/2022062318/551c5b775503469d6a8b5121/html5/thumbnails/7.jpg)
bp = bfa0 9698sp = bfa0 9690ip = 0804 840d
9690
9680
9670
9660
9650
int main() { sub1(); return 0;}
void sub1() { char str[] = "Code"; sub2(str);}
void sub2(char *str) { char buf[8]; strcpy(buf,str);}
…
![Page 8: Buffer Overflow Example Slides done by Magnus Almgren.](https://reader035.fdocuments.in/reader035/viewer/2022062318/551c5b775503469d6a8b5121/html5/thumbnails/8.jpg)
bp = bfa0 9698sp = bfa0 9690ip = 0804 840d
9690
9680
9670
9660
9650
int main() { sub1(); return 0;}
void sub1() { char str[] = "Code"; sub2(str);}
void sub2(char *str) { char buf[8]; strcpy(buf,str);}
When calling a function:(0) Setup fcn parameters.(1) Push ip of next instruction(2) Jump to new fcn(3) Update bp(4) Update sp(5) Setup local vars.
![Page 9: Buffer Overflow Example Slides done by Magnus Almgren.](https://reader035.fdocuments.in/reader035/viewer/2022062318/551c5b775503469d6a8b5121/html5/thumbnails/9.jpg)
bp = bfa0 9698sp = bfa0 9690ip = 0804 840d
9690
9680
9670
9660
9650
int main() { sub1(); return 0;}
void sub1() { char str[] = "Code"; sub2(str);}
void sub2(char *str) { char buf[8]; strcpy(buf,str);}
840d84120
When calling a function:(1) Push ip of next instruction
(1) Next instr address?(2) Increase sp(3) Store address
(2) …
![Page 10: Buffer Overflow Example Slides done by Magnus Almgren.](https://reader035.fdocuments.in/reader035/viewer/2022062318/551c5b775503469d6a8b5121/html5/thumbnails/10.jpg)
bp = bfa0 9698sp = bfa0 968cip = 0804 840d
9690
9680
9670
9660
9650
int main() { sub1(); return 0;}
void sub1() { char str[] = "Code"; sub2(str);}
void sub2(char *str) { char buf[8]; strcpy(buf,str);}
840d84120
When calling a function:(1) Push ip of next instruction
(1) Next instr address?(2) Increase sp(3) Store address
(2) …
![Page 11: Buffer Overflow Example Slides done by Magnus Almgren.](https://reader035.fdocuments.in/reader035/viewer/2022062318/551c5b775503469d6a8b5121/html5/thumbnails/11.jpg)
bp = bfa0 9698sp = bfa0 968cip = 0804 840d 8412
9690
9680
9670
9660
9650
int main() { sub1(); return 0;}
void sub1() { char str[] = "Code"; sub2(str);}
void sub2(char *str) { char buf[8]; strcpy(buf,str);}
840d
0
84120
When calling a function:(1) Push ip of next instruction
(1) Next instr address?(2) Increase sp(3) Store address
(2) …
![Page 12: Buffer Overflow Example Slides done by Magnus Almgren.](https://reader035.fdocuments.in/reader035/viewer/2022062318/551c5b775503469d6a8b5121/html5/thumbnails/12.jpg)
bp = bfa0 9698sp = bfa0 968cip = 0804 840d 8412
9690
9680
9670
9660
9650
int main() { sub1(); return 0;}
void sub1() { char str[] = "Code"; sub2(str);}
void sub2(char *str) { char buf[8]; strcpy(buf,str);}
840d
0
84120
When calling a function:(0) Setup fcn parameters.(1) Push ip of next instruction(2) Jump to new fcn(3) Update bp(4) Update sp(5) Setup local vars.
![Page 13: Buffer Overflow Example Slides done by Magnus Almgren.](https://reader035.fdocuments.in/reader035/viewer/2022062318/551c5b775503469d6a8b5121/html5/thumbnails/13.jpg)
bp = bfa0 9698sp = bfa0 968cip = 0804 83de 8412
9690
9680
9670
9660
9650
int main() { sub1(); return 0;}
void sub1() { char str[] = "Code"; sub2(str);}
void sub2(char *str) { char buf[8]; strcpy(buf,str);}
840d
0
84120
When calling a function:(0) Setup fcn parameters.(1) Push ip of next instruction(2) Jump to new fcn(3) Update bp(4) Update sp(5) Setup local vars.
![Page 14: Buffer Overflow Example Slides done by Magnus Almgren.](https://reader035.fdocuments.in/reader035/viewer/2022062318/551c5b775503469d6a8b5121/html5/thumbnails/14.jpg)
bp = bfa0 9698sp = bfa0 968cip = 0804 83de 8412
9690
9680
9670
9660
9650
int main() { sub1(); return 0;}
void sub1() { char str[] = "Code"; sub2(str);}
void sub2(char *str) { char buf[8]; strcpy(buf,str);}
840d
0
84120
When calling a function:(0) Setup fcn parameters.(1) Push ip of next instruction(2) Jump to new fcn(3) Update bp(4) Update sp(5) Setup local vars.
![Page 15: Buffer Overflow Example Slides done by Magnus Almgren.](https://reader035.fdocuments.in/reader035/viewer/2022062318/551c5b775503469d6a8b5121/html5/thumbnails/15.jpg)
8412
bp0 9698
9690
9680
9670
9660
9650
int main() { sub1(); return 0;}
void sub1() { char str[] = "Code"; sub2(str);}
void sub2(char *str) { char buf[8]; strcpy(buf,str);}
840d84120
0
bp = bfa0 9698sp = bfa0 9688ip = 0804 83de
8696
When calling a function:(3) Update bp
(1) Save old bp(2) Setup new bp
(4) …
![Page 16: Buffer Overflow Example Slides done by Magnus Almgren.](https://reader035.fdocuments.in/reader035/viewer/2022062318/551c5b775503469d6a8b5121/html5/thumbnails/16.jpg)
bp = bfa0 9698sp = bfa0 9688ip = 0804 83df 8412
bp0 9698
9690
9680
9670
9660
9650
int main() { sub1(); return 0;}
void sub1() { char str[] = "Code"; sub2(str);}
void sub2(char *str) { char buf[8]; strcpy(buf,str);}
840d84120
0
When calling a function:(3) Update bp
(1) Save old bp(2) Setup new bp
(4) …
![Page 17: Buffer Overflow Example Slides done by Magnus Almgren.](https://reader035.fdocuments.in/reader035/viewer/2022062318/551c5b775503469d6a8b5121/html5/thumbnails/17.jpg)
bp = bfa0 9688sp = bfa0 9688ip = 0804 83df 8412
bp0 9698
9690
9680
9670
9660
9650
int main() { sub1(); return 0;}
void sub1() { char str[] = "Code"; sub2(str);}
void sub2(char *str) { char buf[8]; strcpy(buf,str);}
840d84120
0
When calling a function:(3) Update bp
(1) Save old bp(2) Setup new bp
(4) …
![Page 18: Buffer Overflow Example Slides done by Magnus Almgren.](https://reader035.fdocuments.in/reader035/viewer/2022062318/551c5b775503469d6a8b5121/html5/thumbnails/18.jpg)
bp = bfa0 9688sp = bfa0 9688ip = 0804 83e1 8412
bp0 9698
9690
9680
9670
9660
9650
int main() { sub1(); return 0;}
void sub1() { char str[] = "Code"; sub2(str);}
void sub2(char *str) { char buf[8]; strcpy(buf,str);}
840d84120
0
When calling a function:(0) Setup fcn parameters.(1) Push ip of next instruction(2) Jump to new fcn(3) Update bp(4) Update sp(5) Setup local vars.
![Page 19: Buffer Overflow Example Slides done by Magnus Almgren.](https://reader035.fdocuments.in/reader035/viewer/2022062318/551c5b775503469d6a8b5121/html5/thumbnails/19.jpg)
bp = bfa0 9688sp = bfa0 9670ip = 0804 83e1 8412
bp0 9698
9690
9680
9670
9660
9650
int main() { sub1(); return 0;}
void sub1() { char str[] = "Code"; sub2(str);}
void sub2(char *str) { char buf[8]; strcpy(buf,str);}
840d84120
0
When calling a function:(0) Setup fcn parameters.(1) Push ip of next instruction(2) Jump to new fcn(3) Update bp(4) Update sp(5) Setup local vars.
![Page 20: Buffer Overflow Example Slides done by Magnus Almgren.](https://reader035.fdocuments.in/reader035/viewer/2022062318/551c5b775503469d6a8b5121/html5/thumbnails/20.jpg)
bp = bfa0 9688sp = bfa0 9670ip = 0804 83e1 8412
bp0 9698
9690
9680
9670
9660
9650
int main() { sub1(); return 0;}
void sub1() { char str[] = "Code"; sub2(str);}
void sub2(char *str) { char buf[8]; strcpy(buf,str);}
840d84120
0
When calling a function:(0) Setup fcn parameters.(1) Push ip of next instruction(2) Jump to new fcn(3) Update bp(4) Update sp(5) Setup local vars.
![Page 21: Buffer Overflow Example Slides done by Magnus Almgren.](https://reader035.fdocuments.in/reader035/viewer/2022062318/551c5b775503469d6a8b5121/html5/thumbnails/21.jpg)
str : bfa0 9683buf : .... ....
bp = bfa0 9688sp = bfa0 9670ip = 0804 83e4 8412
bp0 96980065646f\0 e d o43ed6f f4C
9690
9680
9670
9660
9650
int main() { sub1(); return 0;}
void sub1() { char str[] = "Code"; sub2(str);}
void sub2(char *str) { char buf[8]; strcpy(buf,str);}
840d84120
0
When calling a function:(0) Setup fcn parameters.(1) Push ip of next instruction(2) Jump to new fcn(3) Update bp(4) Update sp(5) Setup local vars.
![Page 22: Buffer Overflow Example Slides done by Magnus Almgren.](https://reader035.fdocuments.in/reader035/viewer/2022062318/551c5b775503469d6a8b5121/html5/thumbnails/22.jpg)
str : bfa0 9683buf : .... ....
bp = bfa0 9688sp = bfa0 9670ip = 0804 83ef 8412
bp0 96980065646f\0 e d o43ed6f f4C
9690
9680
9670
9660
9650
int main() { sub1(); return 0;}
void sub1() { char str[] = "Code"; sub2(str);}
void sub2(char *str) { char buf[8]; strcpy(buf,str);}
840d84120
0
![Page 23: Buffer Overflow Example Slides done by Magnus Almgren.](https://reader035.fdocuments.in/reader035/viewer/2022062318/551c5b775503469d6a8b5121/html5/thumbnails/23.jpg)
str : bfa0 9683buf : .... ....
bp = bfa0 9688sp = bfa0 9670ip = 0804 83ef 8412
bp0 96980065646f\0 e d o43ed6f f4C
9690
9680
9670
9660
9650
int main() { sub1(); return 0;}
void sub1() { char str[] = "Code"; sub2(str);}
void sub2(char *str) { char buf[8]; strcpy(buf,str);}
840d84120
0
…
8412
bp0 96980065646f\0 e d o43ed6f f4C
0
Parameters to function = (…)Return address to ”old” fcn
”Old” frame pointer
Local variables in fcn
Temporary values
Stack Frame:
bp
sp
![Page 24: Buffer Overflow Example Slides done by Magnus Almgren.](https://reader035.fdocuments.in/reader035/viewer/2022062318/551c5b775503469d6a8b5121/html5/thumbnails/24.jpg)
str : bfa0 9683buf : .... ....
bp = bfa0 9688sp = bfa0 9670ip = 0804 83ef 8412
bp0 96980065646f\0 e d o43ed6f f4C
9690
9680
9670
9660
9650
int main() { sub1(); return 0;}
void sub1() { char str[] = "Code"; sub2(str);}
void sub2(char *str) { char buf[8]; strcpy(buf,str);}
840d84120
0
sub1
![Page 25: Buffer Overflow Example Slides done by Magnus Almgren.](https://reader035.fdocuments.in/reader035/viewer/2022062318/551c5b775503469d6a8b5121/html5/thumbnails/25.jpg)
str : bfa0 9683buf : .... ....
bp = bfa0 9688sp = bfa0 966cip = 0804 83f5 8412
bp0 96980065646f\0 e d o43ed6f f4C
str: 9683
83fa
9690
9680
9670
9660
9650
int main() { sub1(); return 0;}
void sub1() { char str[] = "Code"; sub2(str);}
void sub2(char *str) { char buf[8]; strcpy(buf,str);}
840d84120
0
1
sub1
1 83fa
![Page 26: Buffer Overflow Example Slides done by Magnus Almgren.](https://reader035.fdocuments.in/reader035/viewer/2022062318/551c5b775503469d6a8b5121/html5/thumbnails/26.jpg)
83fa
str : bfa0 9683buf : .... ....
bp = bfa0 9688sp = bfa0 966cip = 0804 83c4 8412
bp0 96980065646f\0 e d o43ed6f f4C
str: 9683
9690
9680
9670
9660
9650
int main() { sub1(); return 0;}
void sub1() { char str[] = "Code"; sub2(str);}
void sub2(char *str) { char buf[8]; strcpy(buf,str);}
840d84120
0
1
sub1
1 83fa
![Page 27: Buffer Overflow Example Slides done by Magnus Almgren.](https://reader035.fdocuments.in/reader035/viewer/2022062318/551c5b775503469d6a8b5121/html5/thumbnails/27.jpg)
83fa
str : bfa0 9683buf : bfa0 9660
bp = bfa0 9668sp = bfa0 9650ip = 0804 83ca 8412
bp0 96980065646f\0 e d o43ed6f f4C
str: 9683
bp1 9688
<buf>
<buf>
9690
9680
9670
9660
9650
int main() { sub1(); return 0;}
void sub1() { char str[] = "Code"; sub2(str);}
void sub2(char *str) { char buf[8]; strcpy(buf,str);}
840d84120
0
1
sub1
sub2
1 83fa
![Page 28: Buffer Overflow Example Slides done by Magnus Almgren.](https://reader035.fdocuments.in/reader035/viewer/2022062318/551c5b775503469d6a8b5121/html5/thumbnails/28.jpg)
83fa
str : bfa0 9683buf : bfa0 9660
bp = bfa0 9668sp = bfa0 9650ip = 0804 83d7 8412
bp0 96980065646f\0 e d o43ed6f f4C
str: 9683
bp1 9688
<buf>
<buf>
str: 9683
buf: 9660
9690
9680
9670
9660
9650
int main() { sub1(); return 0;}
void sub1() { char str[] = "Code"; sub2(str);}
void sub2(char *str) { char buf[8]; strcpy(buf,str);}
840d84120
0
1
sub1
sub2
1 83fa
![Page 29: Buffer Overflow Example Slides done by Magnus Almgren.](https://reader035.fdocuments.in/reader035/viewer/2022062318/551c5b775503469d6a8b5121/html5/thumbnails/29.jpg)
83fa
str : bfa0 9683buf : bfa0 9660
bp = bfa0 9668sp = bfa0 9650ip = 0804 83dc 8412
bp0 96980065646f\0 e d o43ed6f f4C
str: 9683
bp1 9688.. .. .. 00.. .. .. \065646f 43e d o C
str: 9683
buf: 9660
9690
9680
9670
9660
9650
int main() { sub1(); return 0;}
void sub1() { char str[] = "Code"; sub2(str);}
void sub2(char *str) { char buf[8]; strcpy(buf,str);}
840d84120
0
1
sub1
sub2
1 83fa
![Page 30: Buffer Overflow Example Slides done by Magnus Almgren.](https://reader035.fdocuments.in/reader035/viewer/2022062318/551c5b775503469d6a8b5121/html5/thumbnails/30.jpg)
str : bfa0 9683buf : bfa0 9660
bp = bfa0 9668sp = bfa0 9650ip = 0804 83dc 8412
bp0 96980065646f\0 e d o43ed6f f4C
str: 9683
83fa
bp1 9688.. .. .. 00.. .. .. \065646f 43e d o C
str: 9683
buf: 9660
9690
9680
9670
9660
9650
int main() { sub1(); return 0;}
void sub1() { char str[] = "Code"; sub2(str);}
void sub2(char *str) { char buf[8]; strcpy(buf,str);}
840d84120
0
1
sub1
1 83fasub2
What if the string str was longer than 5 characters?
(4 characters + ending ’\0’-character)
Let’s back up a few steps …
![Page 31: Buffer Overflow Example Slides done by Magnus Almgren.](https://reader035.fdocuments.in/reader035/viewer/2022062318/551c5b775503469d6a8b5121/html5/thumbnails/31.jpg)
83fa
str : bfa0 9683buf : bfa0 9660
bp = bfa0 9668sp = bfa0 9650ip = 0804 83d7 8412
bp0 96980065646f\0 e d o43ed6f f4C
str: 9683
bp1 9688
<buf>
<buf>
str: 9683
buf: 9660
9690
9680
9670
9660
9650
int main() { sub1(); return 0;}
void sub1() { char str[] = "CodeABCDEFGHIJKL"; sub2(str);}
void sub2(char *str) { char buf[8]; strcpy(buf,str);}
840d84120
0
1
sub1
sub2
1 83fa
![Page 32: Buffer Overflow Example Slides done by Magnus Almgren.](https://reader035.fdocuments.in/reader035/viewer/2022062318/551c5b775503469d6a8b5121/html5/thumbnails/32.jpg)
83fa
str : bfa0 9683buf : bfa0 9660
bp = bfa0 9668sp = bfa0 9650ip = … 8412
bp0 96980065646f\0 e d o43ed6f f4C
str: 9683
bp1 968844434241D C B A65646f 43e d o C
str: 9683
buf: 9660
9690
9680
9670
9660
9650
int main() { sub1(); return 0;}
void sub2(char *str) { char buf[8]; strcpy(buf,str);}
840d84120
0
1
sub1
sub2
void sub1() { char str[] = "CodeABCDEFGHIJKL"; sub2(str);} 1 83fa
![Page 33: Buffer Overflow Example Slides done by Magnus Almgren.](https://reader035.fdocuments.in/reader035/viewer/2022062318/551c5b775503469d6a8b5121/html5/thumbnails/33.jpg)
83fa
str : bfa0 9683buf : bfa0 9660
bp = bfa0 9668sp = bfa0 9650ip = … 8412
bp0 96980065646f\0 e d o43ed6f f4C
str: 9683
48474645H G F E44434241D C B A65646f 43e d o C
str: 9683
buf: 9660
9690
9680
9670
9660
9650
int main() { sub1(); return 0;}
void sub2(char *str) { char buf[8]; strcpy(buf,str);}
840d84120
0
1
sub1
sub2
void sub1() { char str[] = "CodeABCDEFGHIJKL"; sub2(str);} 1 83fa
![Page 34: Buffer Overflow Example Slides done by Magnus Almgren.](https://reader035.fdocuments.in/reader035/viewer/2022062318/551c5b775503469d6a8b5121/html5/thumbnails/34.jpg)
str : bfa0 9683buf : bfa0 9660
bp = bfa0 9668sp = bfa0 9650ip = 0804 83dc 8412
bp0 96980065646f\0 e d o43ed6f f4C
str: 960052515049
48474645H G F E44434241D C B A65646f 43e d o C
str: 9683
buf: 9660
9690
9680
9670
9660
9650
int main() { sub1(); return 0;}
void sub2(char *str) { char buf[8]; strcpy(buf,str);}
840d84120
0
?
sub1
sub2
void sub1() { char str[] = "CodeABCDEFGHIJKL"; sub2(str);} 1 83fa
![Page 35: Buffer Overflow Example Slides done by Magnus Almgren.](https://reader035.fdocuments.in/reader035/viewer/2022062318/551c5b775503469d6a8b5121/html5/thumbnails/35.jpg)
str : bfa0 9683buf : bfa0 9660
bp = bfa0 9668sp = bfa0 9650ip = 0804 83dc 8412
bp0 96980065646f\0 e d o43ed6f f4C
str: 9600
48474645H G F E44434241D C B A65646f 43e d o C
str: 9683
buf: 9660
9690
9680
9670
9660
9650
int main() { sub1(); return 0;}
void sub2(char *str) { char buf[8]; strcpy(buf,str);}
840d84120
0
sub1
void sub1() { char str[] = "CodeABCDEFGHIJKL"; sub2(str);} 1 83fa
sub2
52515049?
The return address has been overwritten. In this
example, probably an invalid address so the
program will crash.
![Page 36: Buffer Overflow Example Slides done by Magnus Almgren.](https://reader035.fdocuments.in/reader035/viewer/2022062318/551c5b775503469d6a8b5121/html5/thumbnails/36.jpg)
str : bfa0 9683buf : bfa0 9660
bp = bfa0 9668sp = bfa0 9650ip = 0804 83dc 8412
bp0 96980065646f\0 e d o43ed6f f4C
str: 960052515049
48474645H G F E44434241D C B A65646f 43e d o C
str: 9683
buf: 9660
9690
9680
9670
9660
9650
int main() { sub1(); return 0;}
void sub2(char *str) { char buf[8]; strcpy(buf,str);}
840d84120
0
?
sub1
sub2
void sub1() { char str[] = "CodeABCDEFGHIJKL"; sub2(str);} 1 83fa
Trick: Jump back into your buffer
52515049
48474645H G F E44434241D C B A65646f 43e d o C9660
?