\code{\\0x90}. This byte value is the x86 encoding, but every
architecture has such a do-nothing instruction; its only effect
is to take up one byte and a tiny amount of execution time
before the CPU moves on to the next instruction. This changes
the guessing game: instead of having to hit the first byte of
the shellcode exactly, we only need a return address that lands
\emph{somewhere} in the grey area. The target machine will then
execute one \pcode{NOP} after another until it reaches the
shellcode, which runs just as if we had jumped to it directly.
That is why this NOP-part is often called a \emph{NOP-sledge}
(also NOP sled or NOP slide). A moment of thought should
convince you that this trick hugely improves our odds of finding
the right address---depending on the size of the buffer, it
might only take a few tries to get the shellcode to run. And
then we are in. The code for such an attack is shown in
Figure~\ref{C3}. It is directly taken from the original paper
``Smashing the Stack for Fun and Profit'' (see the pointer
given at the end).

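To make the odds concrete, here is an added example (not the code from
Figure~\ref{C3} and not from the paper) that builds a payload with the
same layout as the paper's exploit, i.e.\ a run of \pcode{NOP}s, the
shellcode, and the guessed address repeated to the end of the buffer,
and then counts how many guessed return addresses would reach the
shellcode. The CPU is only simulated: \code{0x90} is stepped over as a
no-op, reaching the first shellcode byte counts as success, and landing
anywhere else counts as a crash. The shellcode bytes, the buffer size
and the guessed address are constructed stand-ins, not real values from
the page.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* 0x90 is the one-byte x86 NOP (other architectures use other encodings).
 * The simulator below treats it as "advance to the next byte", which is
 * all a sledge needs. */
#define NOP 0x90

/* Constructed placeholder for the shellcode (must not begin with 0x90).
 * It is only a marker for the simulator, not real machine code. */
static const unsigned char shellcode[] = { 0xde, 0xad, 0xbe, 0xef, 0xc3 };
#define SC_LEN (sizeof shellcode)

/* Fill out[0..bufsize) with the classic layout
 *   [ sled_len x NOP ][ shellcode ][ guessed address, repeated ]
 * As in the paper, the whole buffer is first covered with copies of the
 * guessed address (so every copy stays aligned to the buffer start) and
 * the front is then overwritten with the sledge and the shellcode.
 * Returns bufsize, or 0 if the pieces do not fit. */
size_t build_payload(unsigned char *out, size_t bufsize,
                     size_t sled_len, uint64_t guess_addr)
{
    if (sled_len + SC_LEN + sizeof guess_addr > bufsize)
        return 0;
    memset(out, 0, bufsize);
    /* host byte order, i.e. the layout the address has on the stack */
    for (size_t i = 0; i + sizeof guess_addr <= bufsize; i += sizeof guess_addr)
        memcpy(out + i, &guess_addr, sizeof guess_addr);
    memset(out, NOP, sled_len);
    memcpy(out + sled_len, shellcode, SC_LEN);
    return bufsize;
}

/* Simulate execution starting at byte offset `off` of the payload as it
 * sits on the stack: NOPs are stepped over, reaching the first shellcode
 * byte means the shellcode runs (1). Landing inside the shellcode or in
 * the address tail would decode garbage and is counted as a crash (0). */
int lands_on_shellcode(const unsigned char *payload, size_t len,
                       size_t sled_len, size_t off)
{
    size_t pc = off;
    while (pc < len && pc < sled_len && payload[pc] == NOP)
        pc++;
    return pc == sled_len;
}

/* Number of distinct buffer offsets a guessed return address may point
 * to and still reach the shellcode: every sledge byte plus the shellcode
 * start itself. */
size_t winning_offsets(const unsigned char *payload, size_t len, size_t sled_len)
{
    size_t n = 0;
    for (size_t off = 0; off < len; off++)
        n += (size_t)lands_on_shellcode(payload, len, sled_len, off);
    return n;
}

int main(void)
{
    unsigned char buf[512];
    const uint64_t guess = 0x7ffd1234abc0ULL;   /* constructed stand-in */
    size_t len = build_payload(buf, sizeof buf, 400, guess);
    printf("with a 400-byte sledge: %zu of %zu possible return addresses hit\n",
           winning_offsets(buf, len, 400), len);
    len = build_payload(buf, sizeof buf, 0, guess);
    printf("without a sledge:       %zu of %zu\n",
           winning_offsets(buf, len, 0), len);
    return 0;
}
```

Without a sledge exactly one address in the whole buffer works; with a
sledge of $n$ bytes, $n+1$ addresses do, which is what turns a blind
guess into a handful of tries. One caveat the simulation glosses over:
a payload delivered through \pcode{strcpy} stops at the first zero byte,
so on 64-bit systems, where user-space addresses have zero high bytes,
only a single copy of the address can be carried at the very end of the
string; the 32-bit addresses of the 1996 paper did not have this problem.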
\begin{figure}[p]
\lstinputlisting[language=C]{../progs/C3.c}
\caption{Overwriting a buffer with a string containing a
payload.\label{C3}}