handouts/ho03.tex
changeset 400 f05368d007dd
parent 399 6d552ef3b435
child 403 92c49c160b24
--- a/handouts/ho03.tex	Wed Oct 07 18:03:32 2015 +0100
+++ b/handouts/ho03.tex	Thu Oct 08 12:08:10 2015 +0100
@@ -426,20 +426,22 @@
 
 \lstinputlisting[language=C,numbers=none]{../progs/shell.c} 
 
-\noindent Once compiled, we can use the debugger to obtain 
-the machine code, or even the ready-made encoding as character
+\noindent Once compiled, we can use the debugger to obtain the
+machine code, or even get the ready-made encoding as character
 sequence. 
 
+\lstinputlisting[language=C,numbers=none]{../progs/o2.c}
+
 While not too difficult, obtaining this string is not entirely
 trivial using \pcode{gdb}. Remember the functions in C that
 copy or fill buffers work such that they copy everything until
 the zero byte is reached. Unfortunately the ``vanilla'' output
-from the debugger for the shell-program above will contain
-such zero bytes. So a post-processing phase is needed to
-rewrite the machine code in a way that it does not contain any
-zero bytes. This is like some works of literature that have
-been written so that the letter e, for example, is avoided.
-The technical term for such a literature work is
+from the debugger for the shell-program above contains such
+zero bytes. So a post-processing phase is needed to rewrite
+the machine code in a way that it does not contain any zero
+bytes. This is like some works of literature that have been
+written so that the letter e, for example, is avoided. The
+technical term for such a literature work is
 \emph{lipogram}.\footnote{The most famous example of a
 lipogram is a 50,000 words novel titled Gadsby, see
 \url{https://archive.org/details/Gadsby}, which avoids the
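Review bot: The paragraph that follows the newly added `\lstinputlisting` of `o2.c` (the `While not too difficult` line) starts without `\noindent`, whereas the paragraph after the `shell.c` listing just above is set with `\noindent`; the two listings will therefore be followed by differently indented paragraphs. Either prefix the line with `\noindent While not too difficult, obtaining this string is not entirely` or drop `\noindent` after both listings so the handout is consistent. The new listing is also dropped in without any sentence saying what `o2.c` shows; a short clause after `character sequence.` pointing the reader to it would help, though its contents are not visible from the hunk. The footnote opened on the `\emph{lipogram}` line continues outside the hunk.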
@@ -531,7 +533,10 @@
 \begin{figure}[p]
 \lstinputlisting[language=C]{../progs/C3.c}
 \caption{Overwriting a buffer with a string containing a
-payload.\label{C3}}
+payload. Lines 14 and 15 write the address of the buffer
+into \pcode{large\_string}. The payload is copied in 
+Lines 17 and 18. Line 20 copies the (too large) string
+into the buffer.\label{C3}}
 \end{figure}
 
 By the way you might naw have the question how do attackers
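Review bot: The new caption text refers to the listing by hard-coded line numbers (`Lines 14 and 15`, `Lines 17 and 18`, `Line 20`), which silently go stale the moment `C3.c` is edited and the figure's listing renumbers. The listings package resolves `\ref` to a listing line number when a `\label` is placed in the source via `escapeinside`, which would keep caption and code in step; if that is too heavy for a handout, a comment beside the `\lstinputlisting` such as `% caption cites lines 14, 15, 17, 18 and 20 of C3.c -- update when the file changes` at least records the coupling. The context line closing the hunk, `you might naw have`, reads as a typo for `now` and could be fixed in the same commit. The figure environment is complete within the hunk, but the paragraph on the last line continues outside it.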
@@ -808,6 +813,8 @@
 \texttt{n}, the number can be omitted 
 \item \texttt{disassemble fun-name} -- show the assembly code 
 of a function
+\item \texttt{info registers} -- prints out the current 
+content of all registers
 \item \texttt{run args} -- starts the program, potential 
 arguments can be given
 \item \texttt{(b)reak line-number} -- sets break point
@@ -817,6 +824,7 @@
 from address \pcode{addr}, the address could be \code{$esp} 
 for looking at the content of the stack
 \item \texttt{x/nxb addr} -- prints out \texttt{n} bytes 
+\item \texttt{q} -- quits the debugger
 \end{itemize}
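Review bot: The new entry `\texttt{q} -- quits the debugger` gives only the one-letter form, whereas the list's convention for abbreviated commands is to show the full name with the abbreviation bracketed, as in `\texttt{(b)reak line-number}` earlier in the same list. Writing it as `\item \texttt{(q)uit} -- quits the debugger` follows that convention and also tells readers the long form. The `itemize` closes on the last hunk line, so the list is complete here.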