# HG changeset patch
# User Christian Urban
# Date 1381208001 -3600
# Node ID 0711775cb6b086243fde3721af398d8e42d1b71e
# Parent 677179c76e353256d407e0cba3cd64c4f2388684
added
diff -r 677179c76e35 -r 0711775cb6b0 programs/C0.c
--- a/programs/C0.c Tue Oct 08 02:22:53 2013 +0100
+++ b/programs/C0.c Tue Oct 08 05:53:21 2013 +0100
@@ -17,7 +17,7 @@
 int main (int argc, char **argv)
 {
 foo("my string is too long !!!!! "); // all is normal
- foo("my string is too long !!!!! \x10\x10\xc0\x42"); // overwrites my_float
+ //foo("my string is too long !!!!! \x10\x10\xc0\x42"); // overwrites my_float
 return 0;
 }
diff -r 677179c76e35 -r 0711775cb6b0 programs/C1.c
--- a/programs/C1.c Tue Oct 08 02:22:53 2013 +0100
+++ b/programs/C1.c Tue Oct 08 05:53:21 2013 +0100
@@ -2,7 +2,6 @@
 #include
 #include
-// for installation notes see C0.c
 void foo (char *bar)
 {
@@ -10,9 +9,7 @@
 char buffer[28];
 printf("my float value = %f\n", my_float);
-
- strcpy(buffer, bar);
-
+ strcpy(buffer, bar);
 printf("my float value = %f\n", my_float);
 }
@@ -21,7 +18,7 @@
 // only float overwritten
 foo("my string is too long !!!!! \x10\x10\xc0\x42");
 // also calls can_never_run
- //foo("my string is too long !!!!! \x10\x10\xc0\x42\x90\x90\x90\x90\x55\x84\x04\x08");
+ foo("my string is too long !!!!! \x10\x10\xc0\x42\x90\x90\x90\x90\x55\x84\x04\x08");
 return 0;
 }
diff -r 677179c76e35 -r 0711775cb6b0 progs/C1.c
--- a/progs/C1.c Tue Oct 08 02:22:53 2013 +0100
+++ b/progs/C1.c Tue Oct 08 05:53:21 2013 +0100
@@ -1,6 +1,6 @@
 void foo (char *bar)
 {
- float my_float = 10.5; // in hex: \x41\x28\x00\x00
+ float my_float = 10.5; // in hex: \x41\x28\x00\x00
 char buffer[28];
 printf("my float value = %f\n", my_float);
diff -r 677179c76e35 -r 0711775cb6b0 slides/slides03.pdf
Binary file slides/slides03.pdf has changed
diff -r 677179c76e35 -r 0711775cb6b0 slides/slides03.tex
--- a/slides/slides03.tex Tue Oct 08 02:22:53 2013 +0100
+++ b/slides/slides03.tex Tue Oct 08 05:53:21 2013 +0100
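Review bot: The call that stays enabled is annotated `// all is normal`, yet its literal is 28 characters long, so strcpy writes 29 bytes once the terminator is counted; if C0.c's foo uses the same `char buffer[28]` that C1.c declares, the "normal" case already writes one byte past the buffer. That is worth saying on the line itself, e.g. `// 28 chars + NUL = 29 bytes: already one past a 28-byte buffer`. The disabled call below is left as a commented-out statement with no reason given, while this same commit enables the corresponding call in C1.c; a one-line comment saying why it is off in this file would keep it from reading as forgotten code. foo's definition is outside the hunk, so the buffer size in C0.c is inferred, not visible.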
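Review bot: `strcpy(buffer, bar);` on the new side of the second C1.c hunk copies a caller-supplied string of any length into the 28-byte buffer declared two lines above with no length check, and nothing in the file marks that as intentional, so a reader could take the demo's subject for an oversight. Suggest `strcpy(buffer, bar); // deliberately unbounded: the demo relies on overflowing buffer[28]`, with a companion remark that even main's 28-character "normal" string needs 29 bytes with its terminator. The bounded form the slides' "use safe library functions" bullet refers to would be `snprintf(buffer, sizeof buffer, "%s", bar);`, and naming it in the comment ties the program to the lecture point. The same unannotated buffer[28] appears in the progs/C1.c hunk. foo's opening and the my_float declaration are outside this hunk.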
@@ -162,17 +162,34 @@
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \mode{
 \begin{frame}[c]
+\frametitle{A Float Printed ``Twice''}
+
+{\lstset{language=Java}
+\footnotesize
+\lstinputlisting{../progs/C1.c}}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode{
+\begin{frame}[c]
 \frametitle{\begin{tabular}{c}The Problem\end{tabular}}
 \begin{itemize}
 \item The basic problem is that library routines in C look as follows:
+
 \begin{center}
-{\lstset{language=Java}\fontsize{8}{10}\selectfont%
-\texttt{\lstinputlisting{../progs/app5.c}}}
+{\lstset{language=Java}
+\footnotesize
+\lstinputlisting{../progs/app5.c}}
 \end{center}
+
 \item the resulting problems are often remotely exploitable
-\item can be used to circumvents all access control
-(botnets for further attacks)
+\item can be used to circumvents all access control\\
+(for grooming botnets for further attacks)
 \end{itemize}
 \end{frame}}
@@ -196,22 +213,6 @@
 \end{frame}}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode{
-\begin{frame}[c]
-
-\small
-\texttt{my\_float} is printed twice:\bigskip
-
-{\lstset{language=Java}\fontsize{8}{10}\selectfont%
-\texttt{\lstinputlisting{../progs/C1.c}}}
-
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \mode{
 \begin{frame}[c]
@@ -257,7 +258,7 @@
 \frametitle{\begin{tabular}{c}Payloads\end{tabular}}
 \begin{itemize}
-\item the idea is you store some code as part to the buffer
+\item the idea is you store some code to the buffer
 \item you then override the return address to execute this payload\medskip
 \item normally you start a root-shell\pause
 \item difficulty is to guess the right place where to ``jump''
@@ -279,7 +280,7 @@
 \end{center}
 \end{itemize}\bigskip\bigskip
-{\lstset{language=Java}\fontsize{8}{10}\selectfont%
+{\lstset{language=Java}\small
 \texttt{\lstinputlisting{../progs/app5.c}}}
 \end{frame}}
@@ -305,7 +306,7 @@
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \mode{
 \begin{frame}[c]
-\frametitle{\begin{tabular}{c}Protections against BO Attacks\end{tabular}}
+\frametitle{\begin{tabular}{c}Protections against\\ BO Attacks\end{tabular}}
 \begin{itemize}
 \item use safe library functions