# HG changeset patch # User Christian Urban # Date 1444074131 -3600 # Node ID 60f64793266fd9ad6d745008053ece21306fd000 # Parent ea1ee786d5a7579894069a8e77656ca91929b39c added assembly programs diff -r ea1ee786d5a7 -r 60f64793266f handouts/ho03.pdf Binary file handouts/ho03.pdf has changed diff -r ea1ee786d5a7 -r 60f64793266f handouts/ho03.tex --- a/handouts/ho03.tex Mon Oct 05 12:47:56 2015 +0100 +++ b/handouts/ho03.tex Mon Oct 05 20:42:11 2015 +0100 @@ -49,10 +49,11 @@ \end{tikzpicture} \end{center} -\noindent This statistics indicates that in the last -five years or so the number of buffer overflow attacks is -around 10\% of all attacks (whereby the absolute numbers of -attacks grow each year). +\noindent This statistics shows that in the last seven years +or so the number of buffer overflow attacks is around 10\% of +all attacks (whereby the absolute numbers of attacks grow each +year). So you can see buffer overflow attacks are very +relevant today. To understand how buffer overflow attacks work, we have to have @@ -67,10 +68,10 @@ then better you get to know the details too. For buffer overflow attacks to work, a number of innocent -design decisions, which are really benign on their own, need -to conspire against you. All these decisions were taken at a -time when there was no Internet: C was introduced around 1973; -the Internet TCP/IP protocol was standardised in 1982 by which +design decisions, which are really benign on their own, have +to come together. All these decisions were taken at a time +when there was no Internet: C was introduced around 1973; the +Internet TCP/IP protocol was standardised in 1982 by which time there were maybe 500 servers connected (and all users were well-behaved, mostly academics); Intel's first 8086 CPUs arrived around 1977. So nobody of the ``forefathers'' can 
@@ -110,7 +111,7 @@ with the control flow of the program. Notice that the stack grows from higher addresses to lower addresses (i.e.~from the back to the front). That means that older items on the stack -will be stored behind, or after, newer items. Let's look a bit +are stored behind, or after, newer items. Let's look a bit closer what happens with the stack when a program is running. Consider the following simple C program. @@ -121,8 +122,8 @@ two (local) buffers, but does not do anything interesting with them. The only purpose of this program is to illustrate what happens behind the scenes with the stack. The interesting -question is what will the stack be after Line 3 has been -executed? The answer can be illustrated as follows: +question is what will the stack look like after Line 3 has +been executed? The answer can be illustrated as follows: \begin{center} \begin{tikzpicture}[scale=0.65] @@ -188,10 +189,14 @@ How to do this will be explained later.} \begin{center}\small -\begin{tabular}[t]{@{}c@{\hspace{8mm}}c@{}} +\begin{tabular}[t]{p{10cm}} {\lstinputlisting[language={[x86masm]Assembler}, morekeywords={movl},xleftmargin=5mm] - {../progs/example1a.s}} & + {../progs/example1a.s}} +\end{tabular} +\end{center} +\begin{center}\small +\begin{tabular}[t]{p{10cm}} {\lstinputlisting[language={[x86masm]Assembler}, morekeywords={movl,movw},xleftmargin=5mm] {../progs/example1b.s}} diff -r ea1ee786d5a7 -r 60f64793266f progs/README --- a/progs/README Mon Oct 05 12:47:56 2015 +0100 +++ b/progs/README Mon Oct 05 20:42:11 2015 +0100 
@@ -4,8 +4,63 @@ The programs are under - cu$> test/app-material/progs + cu$> app-material/progs + + +Programs can be updated using + + hg pull + hg update + hg revert --all + +Emacs can be used to edit files + + emacs -nw ...file.... (is also an alias) + + +C0.c +==== + +Add the bigger string and the long is printed out differently. + +C1.c +==== + +needs to be called using + + ./C1 `args1-good` + ./C1 `args1-bad` + +or in gdb using + gdb --args ./C1 `args1-bad` + + +C2.c +==== + +called with + + ./args2-good | ./C2 + ./args2-bad | ./C2 + +C3.c +==== +(shell injection) + +called with + + ./C3 + +opens a new shell + + +C4.c +==== +Format string attack + + ./C4 "%s" + ./C4 `./args4` diff -r ea1ee786d5a7 -r 60f64793266f progs/example1a.s --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/progs/example1a.s Mon Oct 05 20:42:11 2015 +0100 @@ -0,0 +1,10 @@ +_main: + push %ebp + mov %esp,%ebp + sub %0xc,%esp + movl $0x3,0x8(%esp) + movl $0x2,0x4(%esp) + movl $0x1,(%esp) + call 0x8048394 + leave + ret \ No newline at end of file diff -r ea1ee786d5a7 -r 60f64793266f progs/example1b.s --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/progs/example1b.s Mon Oct 05 20:42:11 2015 +0100 @@ -0,0 +1,11 @@ +_foo: + push %ebp + mov %esp,%ebp + sub $0x10,%esp + movl $0x64636261,-0x6(%ebp) + movw $0x65,-0x2(%ebp) + movl $0x34333231,-0x10(%ebp) + movl $0x38373635,-0xc(%ebp) + movw $0x39,-0x8(%ebp) + leave + ret \ No newline at end of file
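Review bot: in the handouts/ho03.tex hunk at `@@ -49,10 +49,11 @@` the added line "This statistics shows" pairs a singular demonstrative with a plural noun; write "These statistics show" (or "This statistic shows"). The same edit changes "five years" to "seven years", so the x-range of the tikzpicture just above should be checked to cover seven years, otherwise the text and the plot disagree.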
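Review bot: in the progs/README hunk the C1 invocations `./C1 \`args1-good\`` and `gdb --args ./C1 \`args1-bad\`` run the substituted program by PATH lookup rather than from the current directory, so they fail unless `.` is on PATH; write them as `./C1 \`./args1-good\``, consistent with the C4 entry `./C4 \`./args4\``. The update recipe `hg pull`, `hg update`, `hg revert --all` also silently discards any local edits to the programs, which a student who has just been told to edit files with emacs may not expect; say so next to the command, or leave `hg revert --all` out of the routine update steps.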
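Review bot: in progs/example1a.s the line `sub %0xc,%esp` is not valid AT&T syntax: `%` prefixes a register and an immediate needs `$`, so it should read `sub $0xc,%esp` (compare `sub $0x10,%esp` in example1b.s); as written the file does not assemble. `call 0x8048394` targets an absolute address rather than a symbol such as the callee's label, which is fine for a listing copied from a disassembly but will not link if the file is reassembled; a one-line comment saying the listing comes from a disassembly would make that clear. The file also ends without a trailing newline.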
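Review bot: progs/example1b.s has no comments and no trailing newline; since the handout uses it to explain the stack frame, annotate what the stores write. `movl $0x64636261,-0x6(%ebp)` and `movw $0x65,-0x2(%ebp)` put the bytes "abcd" and "e\0" (little-endian) at -0x6..-0x1, a 6-byte buffer holding "abcde"; the stores at -0x10, -0xc and -0x8 put "1234", "5678" and "9\0" at -0x10..-0x7, a 10-byte buffer holding "123456789". Together they account for exactly the 16 bytes reserved by `sub $0x10,%esp`, which is worth stating so readers can tie the listing to the stack picture in the handout.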