# HG changeset patch
# User Christian Urban
# Date 1412639538 -3600
# Node ID 74772c30e0f48a379e2c587af6789109f1751682
# Parent c2ac0cb1d00bde07529ac856ae1e5ba9f6a06d4e
updated
diff -r c2ac0cb1d00b -r 74772c30e0f4 progs/C1.c
--- a/progs/C1.c Tue Oct 07 00:26:40 2014 +0100
+++ b/progs/C1.c Tue Oct 07 00:52:18 2014 +0100
@@ -13,9 +13,7 @@
 }
 int main(int argc, char **argv)
 {
- foo(argv[1]);
- return 1;
 }
diff -r c2ac0cb1d00b -r 74772c30e0f4 progs/C4.c
--- a/progs/C4.c Tue Oct 07 00:26:40 2014 +0100
+++ b/progs/C4.c Tue Oct 07 00:52:18 2014 +0100
@@ -5,9 +5,9 @@
 // on the command line
-main(int argc, char **argv)
+int main(int argc, char **argv)
 {
- char *string = "This is a secret string\n";
+ char *string = "This is a secret string\n";
- printf(argv[1]);
+ printf(argv[1]);
 }
diff -r c2ac0cb1d00b -r 74772c30e0f4 slides/slides03.pdf
Binary file slides/slides03.pdf has changed
diff -r c2ac0cb1d00b -r 74772c30e0f4 slides/slides03.tex
--- a/slides/slides03.tex Tue Oct 07 00:26:40 2014 +0100
+++ b/slides/slides03.tex Tue Oct 07 00:52:18 2014 +0100
@@ -206,7 +206,18 @@
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \begin{frame}[c]
-\frametitle{``A Login Function'' (1)}
+\frametitle{Printing Out Zombies}
+\mbox{}\\[-10mm]
+
+\footnotesize
+\lstinputlisting[language=C,xleftmargin=4mm]{../progs/C1.c}
+
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
+\frametitle{A ``Login'' Function (1)}
 \mbox{}\\[-10mm]
 \footnotesize
@@ -217,7 +228,7 @@
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \begin{frame}[c]
-\frametitle{``A Login Function'' (2)}
+\frametitle{A ``Login'' Function (2)}
 \mbox{}\\[-10mm]
 \footnotesize
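Review bot: `printf(argv[1]);` on the new side of the progs/C4.c hunk still passes the command-line argument as the format string, and `main` never checks `argc`, so running the program without an argument dereferences a null `argv[1]`. Since the slides introduce this file as the format-string example, the unsafe call is presumably intentional, but it should be marked so nobody copies it: `// deliberately vulnerable: argv[1] is the format string; the safe form is printf("%s", argv[1])`. Adding `if (argc < 2) return 1;` before the call keeps the demo from crashing on a missing argument without changing what it demonstrates. `main` now declares an `int` return type but has no `return` statement; that is legal in C99 (control reaching the end of `main` returns 0), though an explicit `return 0;` would be clearer, and compiling with `-Wformat-security` makes the compiler flag the call.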
@@ -330,6 +341,130 @@
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \begin{frame}[c]
+\frametitle{Overwriting the Stack}
+
+\begin{textblock}{7}(1,2)
+ \begin{tikzpicture}[scale=0.8]
+ %\draw[step=1cm] (-3,-1) grid (3,8);
+ \draw[gray!20,fill=gray!20] (-1, 0) rectangle (1,-1);
+ \draw[line width=1mm] (-1,-1.2) -- (-1,6.4);
+ \draw[line width=1mm] ( 1,-1.2) -- ( 1,6.4);
+ \draw (0,-1) node[anchor=south] {\tt main};
+ \draw[line width=1mm] (-1,0) -- (1,0);
+ \draw (0,0) node[anchor=south] {\tt arg$_3$=3};
+ \draw[line width=1mm] (-1,1) -- (1,1);
+ \draw (0,1) node[anchor=south] {\tt arg$_2$=2};
+ \draw[line width=1mm] (-1,2) -- (1,2);
+ \draw (0,2) node[anchor=south] {\tt arg$_1$=1};
+ \draw[line width=1mm] (-1,3) -- (1,3);
+ \draw (0,3.1) node[anchor=south] {\tt ret};
+ \draw[line width=1mm] (-1,4) -- (1,4);
+ \draw (0,4) node[anchor=south] {\small\tt last sp};
+ \draw[line width=1mm] (-1,5) -- (1,5);
+ \draw (0,5) node[anchor=south] {\tt buf};
+ \draw[line width=1mm] (-1,6) -- (1,6);
+ \draw (2,5.1) node[anchor=south] {\code{$esp}};
+ \draw[<-,line width=0.5mm] (1.1,6) -- (2.5,6);
+
+ \draw[->,line width=0.5mm] (1,4.5) -- (1.8,4.5);
+ \draw (2.5,4.1) node[anchor=south] {\code{??}};
+
+ \draw[->,line width=0.5mm] (1,3.5) -- (2.5,3.5);
+ \draw (2.6,3.1) node[anchor=south west] {\tt jump to \code{\\x080483f4}};
+\end{tikzpicture}
+\end{textblock}
+
+\begin{textblock}{7}(1,13.5)
+\code{char buf[8] = "AAAAAAAABBBB\\xf4\\x83\\x04\\x08\\x00"}
+\end{textblock}
+
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
+\frametitle{Payloads}
+
+\begin{itemize}
+\item the idea is that you store some code in the buffer (the payload)
+\item you then override the return address to execute this payload\medskip
+\item normally you start a root-shell\pause
+\item difficulty is to guess the right place where to ``jump''
+\end{itemize}
+
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
+\frametitle{Payloads (2)}
+
+\begin{itemize}
+\item another difficulty is that the code is not allowed to contain \texttt{$\backslash$x00}:
+
+\begin{center}
+\texttt{xorl \%eax, \%eax}
+\end{center}
+\end{itemize}\bigskip\bigskip
+
+{\small
+\lstinputlisting[language=C,numbers=none]{../progs/app5.c}}
+
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
+\frametitle{Variants}
+
+There are many variants:
+
+\begin{itemize}
+\item return-to-lib-C attacks
+\item heap-smashing attacks\\
+\textcolor{gray}{\small(Slammer Worm in 2003 infected 90\% of vulnerable systems within 10 minutes)}\bigskip
+
+\item ``zero-days-attacks'' (new unknown vulnerability)
+\end{itemize}
+
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
+\frametitle{Format String Vulnerability}
+
+\small
+\texttt{string} is nowhere used:\bigskip
+
+{\footnotesize\lstinputlisting[language=C]{../progs/C4.c}}\bigskip
+
+this vulnerability can be used to read out the stack
+
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
+\frametitle{\begin{tabular}{c}Protections against\\ Buffer Overflow Attacks\end{tabular}}
+
+\begin{itemize}
+\item use safe library functions
+\item stack caneries
+\item ensure stack data is not executable (can be defeated)
+\item address space randomisation (makes one-size-fits-all more difficult)
+\item choice of programming language (one of the selling points of Java)
+
+\end{itemize}
+
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
 \frametitle{\begin{tabular}{c}Network Applications:\\[-1mm] Privilege Separation\end{tabular}}
@@ -426,107 +561,6 @@
 \end{frame}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\begin{frame}[c]
-\frametitle{Variants}
-
-There are many variants:
-
-\begin{itemize}
-\item return-to-lib-C attacks
-\item heap-smashing attacks\\
-\textcolor{gray}{\small(Slammer Worm in 2003 infected 90\% of vulnerable systems within 10 minutes)}\bigskip
-
-\item ``zero-days-attacks'' (new unknown vulnerability)
-\end{itemize}
-
-\end{frame}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\begin{frame}[c]
-
-{\small\lstinputlisting[language=C]{../progs/C2.c}}
-
-\end{frame}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%\mode{
-%\begin{frame}[c]
-%
-%\small
-%A programmer might be careful, but still introduce vulnerabilities:\bigskip
-%
-%{\lstset{language=Java}\footnotesize
-%\texttt{\lstinputlisting{../progs/C2a.c}}}
-%
-%
-%\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\begin{frame}[c]
-\frametitle{Payloads}
-
-\begin{itemize}
-\item the idea is you store some code to the buffer
-\item you then override the return address to execute this payload\medskip
-\item normally you start a root-shell\pause
-\item difficulty is to guess the right place where to ``jump''
-\end{itemize}
-
-\end{frame}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\begin{frame}[c]
-\frametitle{Payloads (2)}
-
-\begin{itemize}
-\item another difficulty is that the code is not allowed to contain \texttt{$\backslash$x00}:
-
-\begin{center}
-\texttt{xorl \%eax, \%eax}
-\end{center}
-\end{itemize}\bigskip\bigskip
-
-{\small
-\lstinputlisting[language=C]{../progs/app5.c}}
-
-\end{frame}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\begin{frame}[c]
-\frametitle{Format String Vulnerability}
-
-\small
-\texttt{string} is nowhere used:\bigskip
-
-{\footnotesize\lstinputlisting[language=C]{../progs/C4.c}}\bigskip
-
-this vulnerability can be used to read out the stack
-
-\end{frame}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\begin{frame}[c]
-\frametitle{\begin{tabular}{c}Protections against\\ Buffer Overflow Attacks\end{tabular}}
-
-\begin{itemize}
-\item use safe library functions
-\item stack caneries
-\item ensure stack data is not executable (can be defeated)
-\item address space randomisation (makes one-size-fits-all more difficult)
-\item choice of programming language (one of the selling points of Java)
-
-\end{itemize}
-
-\end{frame}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \begin{frame}[c]