echo line void echo char buf4 getsbuf putsbuf ebp esp



University of Washington
Buffer Overflow Stack

    /* Echo Line */
    void echo()
    {
        char buf[4];   /* Way too small! */
        gets(buf);
        puts(buf);
    }

    echo:
        pushl %ebp               # Save %ebp on stack
        movl  %esp, %ebp
        pushl %ebx               # Save %ebx
        leal  -8(%ebp),%ebx      # Compute buf as %ebp-8
        subl  $20, %esp          # Allocate stack space
        movl  %ebx, (%esp)       # Push buf addr on stack
        call  gets               # Call gets
        . . .

Before call to gets

    Stack Frame for main
    Return Address
    Saved %ebp               <- %ebp
    Saved %ebx
    [3] [2] [1] [0]          buf

Buffer Overflow 11

University of Washington
Buffer Overflow Stack Example

Before call to gets

    Stack Frame for main
    Return Address
    Saved %ebp
    Saved %ebx
    [3] [2] [1] [0]          buf

Before call to gets

    Stack Frame for main     0xffffc658
    f7 85 04 08
    58 c6 ff ff              0xffffc638
    Saved %ebx
    xx xx xx xx              buf  0xffffc630

    80485f2: call 80484f0 <echo>
    80485f7: mov  0xfffffffc(%ebp),%ebx   # Return Point

Buffer Overflow 12

University of Washington
Buffer Overflow Example #1

Before call to gets

    Stack Frame for main     0xffffc658
    f7 85 04 08
    58 c6 ff ff              0xffffc638
    Saved %ebx
    xx xx xx xx              buf  0xffffc630

Input 1234567

    Stack Frame for main     0xffffc658
    f7 85 04 08
    58 c6 ff ff              0xffffc638
    00 37 36 35
    34 33 32 31              buf  0xffffc630

Overflow buf, and corrupt saved %ebx, but no problem

Buffer Overflow 13

University of Washington
Buffer Overflow Example #2

Before call to gets

    Stack Frame for main     0xffffc658
    f7 85 04 08
    58 c6 ff ff              0xffffc638
    Saved %ebx
    xx xx xx xx              buf  0xffffc630

Input 12345678

    Stack Frame for main     0xffffc658
    f7 85 04 08
    58 c6 ff 00              0xffffc638
    38 37 36 35
    34 33 32 31              buf  0xffffc630

Frame pointer corrupted

    . . .
    804850a: 83 c4 14    add   $0x14,%esp    # deallocate space
    804850d: 5b          pop   %ebx          # restore %ebx
    804850e: c9          leave               # movl %ebp, %esp; popl %ebp
    804850f: c3          ret                 # Return

Buffer Overflow 14

University of Washington
Buffer Overflow Example #3

Before call to gets

    Stack Frame for main     0xffffc658
    f7 85 04 08
    58 c6 ff ff              0xffffc638
    Saved %ebx
    xx xx xx xx              buf  0xffffc630

Input 123456789ABC

    Stack Frame for main     0xffffc658
    f7 85 04 00
    43 42 41 39              0xffffc638
    38 37 36 35
    34 33 32 31              buf  0xffffc630

Return address corrupted

    080485f2: call 80484f0 <echo>
    080485f7: mov  0xfffffffc(%ebp),%ebx   # Return...

