--- a/handouts/ho03.tex Thu Oct 09 14:41:36 2014 +0100
+++ b/handouts/ho03.tex Thu Oct 09 15:49:21 2014 +0100
@@ -358,7 +358,7 @@
encoded, but produces a zero byte on the stack.
Having removed the zero bytes we can craft the string that
-will be send to our target computer. It is typically of the
+will be send to the target computer. It is typically of the
form
\begin{center}
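Review bot: the replacement line still carries the typo "will be send": it should read "will be sent to the target computer". Since this line is being touched anyway, fix both the pronoun and the verb in one go.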
@@ -369,11 +369,43 @@
\draw[line width=1mm,fill=black] (0.3, -1) rectangle (2,-0.7);
\draw[->,line width=0.3mm] (1.05, -1) -- (1.05,-1.7) --
(-3,-1.7) -- (-3, 3.7) -- (-1.9, 3.7) -- (-1.9, 3.1);
- \draw (-2, 3) node[anchor=north east] {\LARGE\tt "};
- \draw ( 2,-0.9) node[anchor=west] {\LARGE\tt "};
+ \draw (-2, 3) node[anchor=north east] {\LARGE \color{codegreen}{``}};
+ \draw ( 2,-0.9) node[anchor=west] {\LARGE\color{codegreen}{''}};
\end{tikzpicture}
\end{center}
+\noindent This of course requires that the buffer we are
+trying to attack can at least contain the shellcode we want to
+run. But as you can see this is only 47 bytes, which is a very
+low bar to jump over. More formidable is the choice of finding
+the right address to jump to. As indicated in the picture we
+need to be very precise with the address with which we will
+overwrite the buffer. It has to be precisely the first byte of
+the shellcode. While this is easy withe the help of a
+debugger, we typically cannot run anything on the machine yet
+we target. And the address is very specific to the setup of
+the target machine. One way of finding out what the right
+address is to try out one by one until we get lucky. With
+large memories available today, however, the odds are long.
+And if we try out too many possible candidates to quickly, we
+might be detected by the system administrator of the target
+system.
+
+We can improve our odds considerably, by the following clever
+trick. Instead of adding the shellcode at the beginning of the
+string, we should add it at the end, just before we overflow
+the buffer, like
+
+\begin{center}
+ \begin{tikzpicture}[scale=0.7]
+ \draw[line width=1mm] (-2, -1) rectangle (2,3);
+ \draw[line width=1mm] (-2,1.9) -- (2,1.9);
+ \draw (0,2.5) node {\large\tt shell code};
+ \draw[line width=1mm,fill=black] (0.3, -1) rectangle (2,-0.7);
+ \draw (-2, 3) node[anchor=north east] {\LARGE \color{codegreen}{``}};
+ \draw ( 2,-0.9) node[anchor=west] {\LARGE\color{codegreen}{''}};
+ \end{tikzpicture}
+\end{center}
\bigskip\bigskip
\subsubsection*{A Crash-Course for GDB}
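Review bot: the new paragraph has a few typos and grammatical slips that should be fixed before this goes out: "withe the help of a debugger" should be "with the help of a debugger"; "to quickly" should be "too quickly"; and "One way of finding out what the right address is to try out one by one" is missing a verb and an object, e.g. "One way of finding out the right address is to try out candidates one by one". The closing "like" before the second picture would also read better as "like this:". On the TikZ side, `\color{codegreen}{``}` works because `\color` is a switch and the braces just group the quotes, but `\textcolor{codegreen}{``}` states the intent more clearly; either way, please confirm `codegreen` is defined in the preamble, since the hunk does not show it.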