# HG changeset patch
# User Christian Urban
# Date 1412866161 -3600
# Node ID 4f7c7997b68b3885e62b51ed5fafee7cc7625487
# Parent 7807863c41968497f1a8b644ced6a98ae3e2246c
updated

diff -r 7807863c4196 -r 4f7c7997b68b handouts/ho03.pdf
Binary file handouts/ho03.pdf has changed
diff -r 7807863c4196 -r 4f7c7997b68b handouts/ho03.tex
--- a/handouts/ho03.tex	Thu Oct 09 14:41:36 2014 +0100
+++ b/handouts/ho03.tex	Thu Oct 09 15:49:21 2014 +0100
@@ -358,7 +358,7 @@
 encoded, but produces a zero byte on the stack.
 
 Having removed the zero bytes we can craft the string that
-will be send to our target computer. It is typically of the
+will be send to the target computer. It is typically of the
 form
 
 \begin{center}
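Review bot: The rewritten line `+will be send to the target computer. It is typically of the` keeps the verb error from the old line; it should read `will be sent to the target computer. It is typically of the`. The sentence before it and the `\begin{center}` display it introduces continue outside the hunk.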
@@ -369,11 +369,43 @@
   \draw[line width=1mm,fill=black] (0.3, -1) rectangle (2,-0.7);
   \draw[->,line width=0.3mm] (1.05, -1) -- (1.05,-1.7) -- (-3,-1.7) -- (-3, 3.7) -- (-1.9, 3.7) -- (-1.9, 3.1);
-  \draw (-2, 3) node[anchor=north east] {\LARGE\tt "};
-  \draw ( 2,-0.9) node[anchor=west] {\LARGE\tt "};
+  \draw (-2, 3) node[anchor=north east] {\LARGE \color{codegreen}{``}};
+  \draw ( 2,-0.9) node[anchor=west] {\LARGE\color{codegreen}{''}};
   \end{tikzpicture}
 \end{center}
 
+\noindent This of course requires that the buffer we are
+trying to attack can at least contain the shellcode we want to
+run. But as you can see this is only 47 bytes, which is a very
+low bar to jump over. More formidable is the choice of finding
+the right address to jump to. As indicated in the picture we
+need to be very precise with the address with which we will
+overwrite the buffer. It has to be precisely the first byte of
+the shellcode. While this is easy withe the help of a
+debugger, we typically cannot run anything on the machine yet
+we target. And the address is very specific to the setup of
+the target machine. One way of finding out what the right
+address is to try out one by one until we get lucky. With
+large memories available today, however, the odds are long.
+And if we try out too many possible candidates to quickly, we
+might be detected by the system administrator of the target
+system.
+
+We can improve our odds considerably, by the following clever
+trick. Instead of adding the shellcode at the beginning of the
+string, we should add it at the end, just before we overflow
+the buffer, like
+
+\begin{center}
+  \begin{tikzpicture}[scale=0.7]
+  \draw[line width=1mm] (-2, -1) rectangle (2,3);
+  \draw[line width=1mm] (-2,1.9) -- (2,1.9);
+  \draw (0,2.5) node {\large\tt shell code};
+  \draw[line width=1mm,fill=black] (0.3, -1) rectangle (2,-0.7);
+  \draw (-2, 3) node[anchor=north east] {\LARGE \color{codegreen}{``}};
+  \draw ( 2,-0.9) node[anchor=west] {\LARGE\color{codegreen}{''}};
+  \end{tikzpicture}
+\end{center}
 
 \bigskip\bigskip
 
 \subsubsection*{A Crash-Course for GDB}
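Review bot: Two typos in the added paragraph: `easy withe the help of a` should be `easy with the help of a`, and `possible candidates to quickly` should be `possible candidates too quickly`. The four new `\draw` nodes colour the quote marks with `\color{codegreen}{``}`, which is the colour switch followed by a stray brace group; the argument form `\textcolor{codegreen}{``}` and `\textcolor{codegreen}{''}` is the idiomatic way to colour a single token and avoids the colour leaking if the node content grows. The added `\draw (0,2.5) node {\large\tt shell code};` also uses the obsolete `\tt` switch; `{\large\ttfamily shell code}` is the current form and would keep the new picture consistent with the `\tt` removed from the two replaced lines. The figure text "47 bytes" is a concrete value the reader cannot verify from this hunk, so a short parenthetical pointing to where the encoded shellcode is listed in the handout would help.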