diff -r 6d552ef3b435 -r f05368d007dd handouts/ho03.tex --- a/handouts/ho03.tex Wed Oct 07 18:03:32 2015 +0100 +++ b/handouts/ho03.tex Thu Oct 08 12:08:10 2015 +0100 @@ -426,20 +426,22 @@ \lstinputlisting[language=C,numbers=none]{../progs/shell.c} -\noindent Once compiled, we can use the debugger to obtain -the machine code, or even the ready-made encoding as character +\noindent Once compiled, we can use the debugger to obtain the +machine code, or even get the ready-made encoding as character sequence. +\lstinputlisting[language=C,numbers=none]{../progs/o2.c} + While not too difficult, obtaining this string is not entirely trivial using \pcode{gdb}. Remember the functions in C that copy or fill buffers work such that they copy everything until the zero byte is reached. Unfortunately the ``vanilla'' output -from the debugger for the shell-program above will contain -such zero bytes. So a post-processing phase is needed to -rewrite the machine code in a way that it does not contain any -zero bytes. This is like some works of literature that have -been written so that the letter e, for example, is avoided. -The technical term for such a literature work is +from the debugger for the shell-program above contains such +zero bytes. So a post-processing phase is needed to rewrite +the machine code in a way that it does not contain any zero +bytes. This is like some works of literature that have been +written so that the letter e, for example, is avoided. The +technical term for such a literature work is \emph{lipogram}.\footnote{The most famous example of a lipogram is a 50,000 words novel titled Gadsby, see \url{https://archive.org/details/Gadsby}, which avoids the 
@@ -531,7 +533,10 @@ \begin{figure}[p] \lstinputlisting[language=C]{../progs/C3.c} \caption{Overwriting a buffer with a string containing a -payload.\label{C3}} +payload. Lines 14 and 15 write the address of the buffer +into \pcode{large\_string}. The payload is copied in +Lines 17 and 18. Line 20 copies the (too large) string +into the buffer.\label{C3}} \end{figure} By the way you might naw have the question how do attackers @@ -808,6 +813,8 @@ \texttt{n}, the number can be omitted \item \texttt{disassemble fun-name} -- show the assembly code of a function +\item \texttt{info registers} -- prints out the current +content of all registers \item \texttt{run args} -- starts the program, potential arguments can be given \item \texttt{(b)reak line-number} -- sets break point @@ -817,6 +824,7 @@ from address \pcode{addr}, the address could be \code{$esp} for looking at the content of the stack \item \texttt{x/nxb addr} -- prints out \texttt{n} bytes +\item \texttt{q} -- quits the debugger \end{itemize}
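Review bot: in the first hunk (@@ -426), the new \lstinputlisting of ../progs/o2.c is dropped in with no sentence introducing it, so the paragraph that follows now opens with "obtaining this string is not entirely trivial" while "this string" refers to a listing the text never names; add a lead-in before the listing, for example "For the shell program above, the result looks as follows:", and check that progs/o2.c is actually committed, since this changeset only adds the reference to it. While touching this paragraph, the unchanged claim that "the functions in C that copy or fill buffers ... copy everything until the zero byte is reached" holds for the string functions the handout relies on (strcpy, strcat) but not for memcpy or the length-bounded variants, so "the string functions in C" would be more accurate.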
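Review bot: the extended caption in the second hunk (@@ -531) hard-codes "Lines 14 and 15", "Lines 17 and 18" and "Line 20" of ../progs/C3.c, but C3.c is not part of this changeset, so the numbers cannot be checked here and any later edit to the program will silently desynchronise the caption from the listing; either state in the commit message that they were verified against the current C3.c, or have listings generate them (escapeinside with a \label on the relevant source lines and \ref in the caption). The unchanged context line "you might naw have the question" also has a typo, naw for now, that could be fixed while this region is being edited.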
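Review bot: in the third hunk (@@ -808), "prints out the current content of all registers" overstates what \texttt{info registers} does: gdb shows the general-purpose registers plus a few control and segment registers and omits the floating-point and vector registers; \texttt{info all-registers} prints everything, and \texttt{info registers esp eip} restricts the output to the named registers. Suggest "prints the contents of the general-purpose registers (\texttt{info all-registers} for all of them)".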
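Review bot: the new item in the last hunk (@@ -817) writes the command as \texttt{q}, which breaks the list's convention of giving the full command with its abbreviation in parentheses, as in \texttt{(b)reak line-number}; write \texttt{(q)uit} instead. It may also be worth noting that gdb asks for confirmation when the debugged program is still running, since readers following the buffer-overflow walkthrough will usually quit from exactly that state.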