handouts/ho03.tex
changeset 232 abc45724b267
parent 230 603cbd28e988
child 233 5a5729358afc
--- a/handouts/ho03.tex	Fri Oct 10 12:16:15 2014 +0100
+++ b/handouts/ho03.tex	Fri Oct 10 12:17:49 2014 +0100
@@ -1,6 +1,7 @@
 \documentclass{article}
 \usepackage{../style}
 \usepackage{../langs}
+\usetikzlibrary{patterns,decorations.pathreplacing}
 
 \begin{document}
 
@@ -429,6 +430,10 @@
   \draw[line width=1mm] (-2,-0.7) -- (2,-0.7);
   \draw (0,-0.2) node {\large\tt shell code};
   \draw[line width=1mm,fill=black] (0.3, -1) rectangle (2,-0.7);
+  \draw [line width=0.5,decoration={brace,amplitude=2mm},decorate] 
+    (2.3,3) -- (2.3,0.3);
+  \draw[line width=0.3mm] (1.05, -1) -- (1.05,-1.7) --
+  (3,-1.7) -- (3,1.65) -- (2.6, 1.65);
   \draw (-2, 3) node[anchor=north east] {\LARGE \color{codegreen}{``}};
   \draw ( 2,-0.9) node[anchor=west] {\LARGE\color{codegreen}{''}};
   \end{tikzpicture}
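Review bot: The brace line added at `\draw [line width=0.5,decoration={brace,amplitude=2mm},decorate]` gives `line width` no unit, while every sibling `\draw` in this picture spells one out (`1mm`, `0.3mm`); TikZ treats a bare number as points, so this currently means 0.5pt, which is far thinner than the 0.3mm line drawn two lines below and is easy to misread as 0.5mm. Making the unit explicit keeps the rendering unchanged and makes the intent checkable: `\draw [line width=0.5pt,decoration={brace,amplitude=2mm},decorate]`. The same line also carries trailing whitespace after `decorate]`, and the continuation `(3,-1.7) -- (3,1.65) -- (2.6, 1.65);` is indented one level less than the brace continuation on the line above it, so the two new paths read as differently structured. The enclosing `tikzpicture` begins outside this hunk.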
@@ -444,15 +449,32 @@
 shellcode. A moment of thought can convince you that this
 trick can hugely improve our odds of finding the right
 address---depending on the size of the buffer, it might only
-take a few tries to get the shellcode to run. And then
-we are in. The code for such an attack is show in 
-Figure~\ref{overflow}.
+take a few tries to get the shellcode to run. And then we are
+in. The code for such an attack is shown in Figure~\ref{C3}.
+It is directly taken from the original paper about ``Smashing
+the Stack for Fun and Profit'' (see pointer given at the end).
 
 \begin{figure}[p]
-\lstinputlisting[language=C]{../progs/overflow.c}
-\caption{Overwriting a buffer with a paylod.\label{overflow}}
+\lstinputlisting[language=C]{../progs/C3.c}
+\caption{Overwriting a buffer with a string containing a
+payload.\label{C3}}
 \end{figure}
 
+\subsubsection*{Format String Attacks}
+
+A question might arise, where do we get all this information
+about addresses necessary for mounting a buffer overflow
+attack without having yet access to the system? The answer are
+\emph{format string attacks}. While technically they are
+programming mistakes (and they are pointed out as warning by
+modern compilers), they can be easily made and therefore an
+easy target. Let us look at the simplest version of a 
+vulnerable program.
+
+\lstinputlisting[language=C]{../progs/C4.c}
+
+\subsubsection*{Caveats}
+
 \bigskip\bigskip
 \subsubsection*{A Crash-Course for GDB}
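Review bot: The new `\subsubsection*{Caveats}` heading has no body at all; it is followed only by `\bigskip\bigskip` and the next heading, so the PDF shows an empty section, and the listing `../progs/C4.c` right before it is introduced but never discussed. Either fill the section or leave it out of this changeset, and if it must stay as a stub, mark it in the source with `% TODO: caveats text still to be written` so it is not mistaken for finished content. In the new prose, `The answer are \emph{format string attacks}.` should read `The answer is \emph{format string attacks}.`, and `pointed out as warning by` needs an article, `pointed out as a warning by`. The `\label{C3}` placed inside `\caption{}` is fine, and the `~` before `\ref{C3}` is correctly kept.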