295 \end{frame} |
295 \end{frame} |
296 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
296 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
297 |
297 |
298 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
298 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
299 \begin{frame}[c] |
299 \begin{frame}[c] |
|
300 \frametitle{C-Library Functions} |
|
301 |
|
302 \begin{itemize} |
|
303 \item copy everything up to the zero byte |
|
304 \end{itemize}\medskip |
|
305 |
|
306 {\small |
|
307 \lstinputlisting[language=C,numbers=none]{../progs/app5.c}} |
|
308 |
|
309 |
|
310 \end{frame} |
|
311 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
312 |
|
313 |
|
314 |
|
315 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
316 \begin{frame}[c] |
300 \frametitle{Payloads} |
317 \frametitle{Payloads} |
301 |
318 |
302 \begin{itemize} |
319 \begin{itemize} |
303 \item the idea is that you store some code in the buffer (the payload) |
320 \item the idea is that you store some code in the buffer (the payload) |
304 \item you then override the return address to execute this payload\medskip |
321 \item you then override the return address to execute this payload\medskip |
305 \item normally you start a root-shell\pause |
322 \item normally you want to start a shell\pause |
306 \item difficulty is to guess the right place where to ``jump'' |
323 \item difficulty is to guess the right place where to ``jump'' |
307 \end{itemize} |
324 \end{itemize} |
308 |
325 |
309 \end{frame} |
326 \end{frame} |
310 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
327 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
390 (Intel \texttt{$\backslash$x90})} |
407 (Intel \texttt{$\backslash$x90})} |
391 |
408 |
392 \end{frame} |
409 \end{frame} |
393 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
410 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
394 |
411 |
|
412 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
413 \begin{frame}[c] |
|
414 \frametitle{Why BOAs Work?} |
|
415 |
|
416 \begin{itemize} |
|
417 \item stack grows from higher addresses to lower addresses |
|
418 \item library functions copy memory until a zero-byte is |
|
419 encountered |
|
420 \end{itemize} |
|
421 |
|
422 \begin{center} |
|
423 \begin{tabular}{@{\hspace{-7mm}}c@{\hspace{2mm}}c@{}} |
|
424 \small |
|
425 \begin{tikzpicture}[scale=0.45] |
|
426 %\draw[step=1cm] (-3,-3) grid (3,3); |
|
427 \draw[line width=1mm] (-2, -3) rectangle (2,3); |
|
428 \draw[line width=1mm] (-2,1) -- (2,1); |
|
429 \draw[line width=1mm] (-2,-1) -- (2,-1); |
|
430 \draw (0,2) node {\tt text}; |
|
431 \draw (0,0) node {\tt heap}; |
|
432 \draw (0,-2) node {\tt stack}; |
|
433 |
|
434 \draw (-2.7,3) node[anchor=north east] |
|
435 {\tt\begin{tabular}{@{}l@{}}lower\\ address\end{tabular}}; |
|
436 \draw (-2.7,-3) node[anchor=south east] |
|
437 {\tt\begin{tabular}{@{}l@{}}higher\\ address\end{tabular}}; |
|
438 \draw[->, line width=1mm] (-2.5,3) -- (-2.5,-3); |
|
439 |
|
440 \draw (2.7,-3) node[anchor=south west] {\tt\footnotesize older}; |
|
441 \draw (2.7,-1) node[anchor=north west] {\tt\footnotesize newer}; |
|
442 \draw[|->, line width=1mm] (2.5,-3.09) -- (2.5,-1); |
|
443 \end{tikzpicture} |
|
444 & |
|
445 \raisebox{1.3cm}{\footnotesize |
|
446 \lstinputlisting[language=C,numbers=none]{../progs/app5.c}} |
|
447 \end{tabular} |
|
448 \end{center} |
|
449 |
|
450 \end{frame} |
|
451 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
395 |
452 |
396 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
453 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
397 \begin{frame}[c] |
454 \begin{frame}[c] |
398 \frametitle{Variants} |
455 \frametitle{Variants} |
399 |
456 |
460 \end{frame} |
517 \end{frame} |
461 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
518 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
462 |
519 |
463 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
520 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
464 \begin{frame}[c] |
521 \begin{frame}[c] |
|
522 \frametitle{In my Examples I Cheated} |
|
523 |
|
524 I compiled the programs with |
|
525 |
|
526 \begin{center} |
|
527 \begin{tabular}{l@{\hspace{1mm}}l} |
|
528 \pcode{/usr/bin/gcc} & \pcode{-ggdb -O0}\\ |
|
529 & \pcode{-fno-stack-protector}\\ |
|
530 & \pcode{-mpreferred-stack-boundary=2}\\ |
|
531 & \pcode{-z execstack} |
|
532 \end{tabular} |
|
533 \end{center} |
|
534 |
|
535 \end{frame} |
|
536 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
537 |
|
538 |
|
539 |
|
540 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
541 \begin{frame}[c] |
465 \frametitle{NIST Statistics about BOA} |
542 \frametitle{NIST Statistics about BOA} |
466 |
543 |
467 \begin{center} |
544 \begin{center} |
468 \begin{tikzpicture} |
545 \begin{tikzpicture} |
469 \begin{axis}[ |
546 \begin{axis}[ |