How did it happen the internet worm was based on stack

...instructions both stored in the same memory

- November, 1988
  - Internet Worm attacks thousands of Internet hosts.
  - How did it happen?
- The Internet Worm was based on stack buffer overflow exploits!
  - Many Unix functions do not check argument sizes
  - Allows target buffers to overflow

Buffer Overflow 6, University of Washington

String Library Code

- Implementation of Unix function gets()

    /* Get string from stdin */
    char *gets(char *dest)
    {
        int c = getchar();
        char *p = dest;
        while (c != EOF && c != '\n') {
            *p++ = c;
            c = getchar();
        }
        *p = '\0';
        return dest;
    }

  - What could go wrong in this code?
  - No way to specify limit on number of characters to read
- Similar problems with other Unix functions
  - strcpy: Copies string of arbitrary length
  - scanf, fscanf, sscanf, when given %s conversion specification

Vulnerable Buffer Code

    /* Echo Line */
    void echo()
    {
        char buf[4];  /* Way too small! */
        gets(buf);
        puts(buf);
    }

    int main()
    {
        printf("Type a string:");
        echo();
        return 0;
    }

    unix>./bufdemo
    Type a string:1234567
    1234567

    unix>./bufdemo
    Type a string:12345678
    Segmentation Fault

    unix>./bufdemo
    Type a string:123456789ABC
    Segmentation Fault

Buffer Overflow Disassembly

    080484f0 <echo>:
     80484f0: 55                push  %ebp
     80484f1: 89 e5             mov   %esp,%ebp
     80484f3: 53                push  %ebx                    # saved %ebx sits at -4(%ebp)
     80484f4: 8d 5d f8          lea   0xfffffff8(%ebp),%ebx   # %ebx = &buf = -8(%ebp), 4 bytes
     80484f7: 83 ec 14          sub   $0x14,%esp
     80484fa: 89 1c 24          mov   %ebx,(%esp)
     80484fd: e8 ae ff ff ff    call  80484b0 <gets>
     8048502: 89 1c 24          mov   %ebx,(%esp)
     8048505: e8 8a fe ff ff    call  8048394 <puts@plt>
     804850a: 83 c4 14          add   $0x14,%esp
     804850d: 5b                pop   %ebx
     804850e: c9                leave
     804850f: c3                ret

     80485f2: e8 f9 fe ff ff    call  80484f0 <echo>
     80485f7: 8b 5d fc          mov   0xfffffffc(%ebp),%ebx
     80485fa: c9                leave
     80485fb: 31 c0             xor   %eax,%eax
     80485fd: c3                ret
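The slides' point is that gets() cannot be told how large dest is. As an added example (not code from the slides), here is a bounded reader written in the same style as the gets() loop above: it stores at most cap - 1 characters, drains the remainder of an over-long line so the next call starts on the next line, and reports that truncation happened. The names bounded_gets and demo_truncated_lines are my own, and the in-memory input is constructed from the three strings typed in the slides' bufdemo runs; the slides' echo() would call bounded_gets(stdin, buf, sizeof buf, &t) in place of gets(buf).

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen() in the demo */
#include <stdio.h>
#include <string.h>

/* Bounded replacement for gets(): reads one line from `in` into dest, which
 * holds `cap` bytes including the NUL.  Returns the count stored, or -1 on EOF
 * before any input.  An over-long line is truncated, the excess is discarded so
 * the next call starts on the next line, and *truncated is set to 1. */
long bounded_gets(FILE *in, char *dest, size_t cap, int *truncated)
{
    size_t n = 0;
    int c;
    *truncated = 0;
    if (cap == 0)
        return -1;
    c = getc(in);
    if (c == EOF) {
        dest[0] = '\0';
        return -1;
    }
    while (c != EOF && c != '\n') {
        if (n + 1 < cap)
            dest[n++] = (char)c;     /* room left: store, as gets() would */
        else
            *truncated = 1;          /* buffer full: drop the rest of the line */
        c = getc(in);
    }
    dest[n] = '\0';                  /* always NUL-terminated, always in bounds */
    return (long)n;
}

/* Demo on the three inputs from the slides (constructed in-memory input).
 * Returns how many lines had to be truncated to fit the slides' buf[4]. */
int demo_truncated_lines(void)
{
    const char *input = "1234567\n12345678\n123456789ABC\n";
    FILE *in = fmemopen((void *)input, strlen(input), "r");
    char buf[4];
    int truncated, count = 0;
    if (in == NULL)
        return -1;
    while (bounded_gets(in, buf, sizeof buf, &truncated) >= 0)
        count += truncated;
    fclose(in);
    return count;                    /* all three lines exceed 3 characters */
}
```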