427 \draw[line width=1mm] (-2, -1) rectangle (2,3); |
428 \draw[line width=1mm] (-2, -1) rectangle (2,3); |
428 \draw[line width=1mm] (-2,0.3) -- (2,0.3); |
429 \draw[line width=1mm] (-2,0.3) -- (2,0.3); |
429 \draw[line width=1mm] (-2,-0.7) -- (2,-0.7); |
430 \draw[line width=1mm] (-2,-0.7) -- (2,-0.7); |
430 \draw (0,-0.2) node {\large\tt shell code}; |
431 \draw (0,-0.2) node {\large\tt shell code}; |
431 \draw[line width=1mm,fill=black] (0.3, -1) rectangle (2,-0.7); |
432 \draw[line width=1mm,fill=black] (0.3, -1) rectangle (2,-0.7); |
|
433 \draw [line width=0.5,decoration={brace,amplitude=2mm},decorate] |
|
434 (2.3,3) -- (2.3,0.3); |
|
435 \draw[line width=0.3mm] (1.05, -1) -- (1.05,-1.7) -- |
|
436 (3,-1.7) -- (3,1.65) -- (2.6, 1.65); |
432 \draw (-2, 3) node[anchor=north east] {\LARGE \color{codegreen}{``}}; |
437 \draw (-2, 3) node[anchor=north east] {\LARGE \color{codegreen}{``}}; |
433 \draw ( 2,-0.9) node[anchor=west] {\LARGE\color{codegreen}{''}}; |
438 \draw ( 2,-0.9) node[anchor=west] {\LARGE\color{codegreen}{''}}; |
434 \end{tikzpicture} |
439 \end{tikzpicture} |
435 \end{center} |
440 \end{center} |
436 |
441 |
442 any address in the gray area we are done. The target machine |
447 any address in the gray area we are done. The target machine |
443 will execute these \pcode{NOP} operations until it reaches the |
448 will execute these \pcode{NOP} operations until it reaches the |
444 shellcode. A moment of thought can convince you that this |
449 shellcode. A moment of thought can convince you that this |
445 trick can hugely improve our odds of finding the right |
450 trick can hugely improve our odds of finding the right |
446 address---depending on the size of the buffer, it might only |
451 address---depending on the size of the buffer, it might only |
447 take a few tries to get the shellcode to run. And then |
452 take a few tries to get the shellcode to run. And then we are |
448 we are in. The code for such an attack is show in |
453 in. The code for such an attack is shown in Figure~\ref{C3}. |
449 Figure~\ref{overflow}. |
454 It is directly taken from the original paper about ``Smashing |
|
455 the Stack for Fun and Profit'' (see pointer given at the end). |
450 |
456 |
451 \begin{figure}[p] |
457 \begin{figure}[p] |
452 \lstinputlisting[language=C]{../progs/overflow.c} |
458 \lstinputlisting[language=C]{../progs/C3.c} |
453 \caption{Overwriting a buffer with a paylod.\label{overflow}} |
459 \caption{Overwriting a buffer with a string containing a |
|
460 payload.\label{C3}} |
454 \end{figure} |
461 \end{figure} |
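Review bot: renaming the figure label from `overflow` to `C3` (`\caption{... \label{C3}}`) and the listing file from `../progs/overflow.c` to `../progs/C3.c` only holds together if every other `\ref{overflow}` in the document and the file on disk are updated as well; this region updates one reference (`Figure~\ref{C3}`), and any stale `\ref{overflow}` elsewhere will compile to `??`. The added sentence `(see pointer given at the end)` should name the reference explicitly, with a `\cite` or the section where the pointer appears, so the attribution to ``Smashing the Stack for Fun and Profit'' is traceable from the figure text.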
|
462 |
|
463 \subsubsection*{Format String Attacks} |
|
464 |
|
465 A question might arise, where do we get all this information |
|
466 about addresses necessary for mounting a buffer overflow |
|
467 attack without having yet access to the system? The answer are |
|
468 \emph{format string attacks}. While technically they are |
|
469 programming mistakes (and they are pointed out as warning by |
|
470 modern compilers), they can be easily made and therefore an |
|
471 easy target. Let us look at the simplest version of a |
|
472 vulnerable program. |
|
473 |
|
474 \lstinputlisting[language=C]{../progs/C4.c} |
|
475 |
|
476 \subsubsection*{Caveats} |
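Review bot: the new Format String Attacks paragraph has two grammar slips: `The answer are \emph{format string attacks}` should read `The answer is`, and `pointed out as warning` should be `pointed out as a warning`. The listing `\lstinputlisting[language=C]{../progs/C4.c}` is dropped in with no sentence saying what the programming mistake in the program is or what the reader should look for, and unlike the C3 listing above it is not wrapped in a `figure` with a `\caption` and `\label`, so it cannot be referenced from the text. The `\subsubsection*{Caveats}` heading that follows has no body; either add its text in this commit or leave the heading out until it has content.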
455 |
477 |
456 \bigskip\bigskip |
478 \bigskip\bigskip |
457 \subsubsection*{A Crash-Course for GDB} |
479 \subsubsection*{A Crash-Course for GDB} |
458 |
480 |
459 \begin{itemize} |
481 \begin{itemize} |