Mercurial Mercurial > hg > sen-material / comparison
summary | shortlog | changelog | graph | tags | bookmarks | branches | files | changeset | file | latest | revisions | annotate | diff | comparison | raw | help
Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
handouts/ho03.tex
changeset 238 6ba55ba5b588
parent 237 b784175a69dc
child 240 4b2eeb0ddd81
equal deleted inserted replaced
237:b784175a69dc 238:6ba55ba5b588 
   328 After the encryption had been made stronger, hackers used
 
   328 After the encryption had been made stronger, hackers used
 
   329 buffer overflow attacks as shown above to jump directly to
 
   329 buffer overflow attacks as shown above to jump directly to
 
   330 the part of the program that was intended to be only available
 
   330 the part of the program that was intended to be only available
 
   331 after the correct key was typed in. 
   331 after the correct key was typed in. 
   332 
   332 
   333 \subsection*{Paylods}
 
   333 \subsection*{Payloads}
 
   334 
   334 
   335 Unfortunately, much more harm can be caused by buffer overflow
 
   335 Unfortunately, much more harm can be caused by buffer overflow
 
   336 attacks. This is achieved by injecting code that will be run
 
   336 attacks. This is achieved by injecting code that will be run
 
   337 once the return address is appropriately modified. Typically
 
   337 once the return address is appropriately modified. Typically
 
   338 the code that will be injected starts a shell. This gives the
 
   338 the code that will be injected starts a shell. This gives the
 
   438   \draw (-2, 3) node[anchor=north east] {\LARGE \color{codegreen}{``}};
 
   438   \draw (-2, 3) node[anchor=north east] {\LARGE \color{codegreen}{``}};
 
   439   \draw ( 2,-0.9) node[anchor=west] {\LARGE\color{codegreen}{''}};
 
   439   \draw ( 2,-0.9) node[anchor=west] {\LARGE\color{codegreen}{''}};
 
   440   \end{tikzpicture}
 
   440   \end{tikzpicture}
 
   441 \end{center}
 
   441 \end{center}
 
   442 
   442 
   443 \noindent Then we can fill up the gray part of the string with
 
   443 \noindent Then we can fill up the grey part of the string with
 
   444 \pcode{NOP} operations. The code for this operation is
 
   444 \pcode{NOP} operations. The code for this operation is
 
   445 \code{\\0x90}. It is available on every architecture and its
 
   445 \code{\\0x90}. It is available on every architecture and its
 
   446 purpose in a CPU is to do nothing apart from waiting a small
 
   446 purpose in a CPU is to do nothing apart from waiting a small
 
   447 amount of time. If we now use an address that lets us jump to
 
   447 amount of time. If we now use an address that lets us jump to
 
   448 any address in the gray area we are done. The target machine
 
   448 any address in the grey area we are done. The target machine
 
   449 will execute these \pcode{NOP} operations until it reaches the
 
   449 will execute these \pcode{NOP} operations until it reaches the
 
   450 shellcode. A moment of thought can convince you that this
 
   450 shellcode. A moment of thought can convince you that this
 
   451 trick can hugely improve our odds of finding the right
 
   451 trick can hugely improve our odds of finding the right
 
   452 address---depending on the size of the buffer, it might only
 
   452 address---depending on the size of the buffer, it might only
 
   453 take a few tries to get the shellcode to run. And then we are
 
   453 take a few tries to get the shellcode to run. And then we are
sen-material