# HG changeset patch # User Christian Urban # Date 1412939869 -3600 # Node ID abc45724b267ceca76399f08687cc9b3beeec495 # Parent 60e046ab6c94f76e4d1c5360f197af2af643e3f7 updated diff -r 60e046ab6c94 -r abc45724b267 handouts/ho03.pdf Binary file handouts/ho03.pdf has changed diff -r 60e046ab6c94 -r abc45724b267 handouts/ho03.tex --- a/handouts/ho03.tex Fri Oct 10 12:16:15 2014 +0100 +++ b/handouts/ho03.tex Fri Oct 10 12:17:49 2014 +0100 @@ -1,6 +1,7 @@ \documentclass{article} \usepackage{../style} \usepackage{../langs} +\usetikzlibrary{patterns,decorations.pathreplacing} \begin{document} @@ -429,6 +430,10 @@ \draw[line width=1mm] (-2,-0.7) -- (2,-0.7); \draw (0,-0.2) node {\large\tt shell code}; \draw[line width=1mm,fill=black] (0.3, -1) rectangle (2,-0.7); + \draw [line width=0.5,decoration={brace,amplitude=2mm},decorate] + (2.3,3) -- (2.3,0.3); + \draw[line width=0.3mm] (1.05, -1) -- (1.05,-1.7) -- + (3,-1.7) -- (3,1.65) -- (2.6, 1.65); \draw (-2, 3) node[anchor=north east] {\LARGE \color{codegreen}{``}}; \draw ( 2,-0.9) node[anchor=west] {\LARGE\color{codegreen}{''}}; \end{tikzpicture} 
@@ -444,15 +449,32 @@ shellcode. A moment of thought can convince you that this trick can hugely improve our odds of finding the right address---depending on the size of the buffer, it might only -take a few tries to get the shellcode to run. And then -we are in. The code for such an attack is show in -Figure~\ref{overflow}. +take a few tries to get the shellcode to run. And then we are +in. The code for such an attack is shown in Figure~\ref{C3}. +It is directly taken from the original paper about ``Smashing +the Stack for Fun and Profit'' (see pointer given at the end). \begin{figure}[p] -\lstinputlisting[language=C]{../progs/overflow.c} -\caption{Overwriting a buffer with a paylod.\label{overflow}} +\lstinputlisting[language=C]{../progs/C3.c} +\caption{Overwriting a buffer with a string containing a +payload.\label{C3}} \end{figure} +\subsubsection*{Format String Attacks} + +A question might arise, where do we get all this information +about addresses necessary for mounting a buffer overflow +attack without having yet access to the system? The answer are +\emph{format string attacks}. While technically they are +programming mistakes (and they are pointed out as warning by +modern compilers), they can be easily made and therefore an +easy target. Let us look at the simplest version of a +vulnerable program. + +\lstinputlisting[language=C]{../progs/C4.c} + +\subsubsection*{Caveats} + \bigskip\bigskip \subsubsection*{A Crash-Course for GDB} diff -r 60e046ab6c94 -r abc45724b267 progs/args2-bad --- a/progs/args2-bad Fri Oct 10 12:16:15 2014 +0100 +++ b/progs/args2-bad Fri Oct 10 12:17:49 2014 +0100 @@ -1,3 +1,3 @@ #!/bin/sh -perl -e 'print "test\nAAAAAAAABBBB\n"' \ No newline at end of file +perl -e 'print "test\nAAAAAAAABBBB\x2c\x85\x04\x08\n"' \ No newline at end of file
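Review bot: in the first ho03.tex hunk, `\usetikzlibrary{patterns,decorations.pathreplacing}` loads `patterns`, but none of the drawing commands added in this changeset use a pattern (only `decoration={brace,...}` from `decorations.pathreplacing` is used), so drop `patterns` unless another part of the handout needs it; also check whether `../style` already loads these libraries, so the call is not duplicated.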
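Review bot: in the tikzpicture hunk (@@ -429,6 +430,10 @@), the brace from (2.3,3) to (2.3,0.3) and the polyline ending at (2.6,1.65) carry no label, so the reader cannot tell what region of the string the brace marks or what the arrow-like line points at; add a `node` with a short caption on the brace. The first `\draw` uses `line width=0.5` without a unit (TikZ reads that as 0.5pt) while the next one uses `0.3mm`; write both with an explicit unit for consistency.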
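Review bot: in the prose hunk (@@ -444,15 +449,32 @@), the new `\subsubsection*{Caveats}` heading is followed only by `\bigskip\bigskip` and the next heading, so it renders as an empty section; fill it or leave it out until there is content. The hunk also switches to `\lstinputlisting[language=C]{../progs/C3.c}` and `{../progs/C4.c}`, but this changeset neither adds nor renames `progs/C3.c` or `progs/C4.c` (only `progs/args2-bad` is touched), so confirm both files exist or the build fails; likewise grep for any remaining `\ref{overflow}` now that the label is `C3`. Minor grammar in the added paragraph: "The answer are \emph{format string attacks}" should read "The answer is", "pointed out as warning" should be "as warnings", and "A question might arise, where do we get" reads better with a colon after "arise".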
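Review bot: in the progs/args2-bad hunk, the bytes `\x2c\x85\x04\x08` appended to the payload are a hard-coded little-endian address that is only meaningful for the particular binary and build the handout's figures were produced from; a later recompile, different compiler flags or an ASLR-enabled system will make the example silently stop matching the text. Add a comment line to the script (or a sentence in ho03.tex where it is referenced) stating which program and build the value was recorded from and that it must be re-derived when that program is rebuilt. The file is also still written without a trailing newline, which the hunk marks on both sides; add one so future diffs stay clean.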