# HG changeset patch
# User Christian Urban
# Date 1444209244 -3600
# Node ID b183036ba67575b0a1a2b685bd61d980161e5022
# Parent 93affa1ebd6f4320044f86d077c888fd4941b19f
updated slides
diff -r 93affa1ebd6f -r b183036ba675 slides/slides03.pdf
Binary file slides/slides03.pdf has changed
diff -r 93affa1ebd6f -r b183036ba675 slides/slides03.tex
--- a/slides/slides03.tex Wed Oct 07 00:44:12 2015 +0100
+++ b/slides/slides03.tex Wed Oct 07 10:14:04 2015 +0100
@@ -297,12 +297,29 @@
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \begin{frame}[c]
+\frametitle{C-Library Functions}
+
+\begin{itemize}
+\item copy everything up to the zero byte
+\end{itemize}\medskip
+
+{\small
+\lstinputlisting[language=C,numbers=none]{../progs/app5.c}}
+
+
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
 \frametitle{Payloads}
 \begin{itemize}
 \item the idea is that you store some code in the buffer (the payload)
 \item you then override the return address to execute this payload\medskip
-\item normally you start a root-shell\pause
+\item normally you want to start a shell\pause
 \item difficulty is to guess the right place where to ``jump''
 \end{itemize}
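Review bot: The new `C-Library Functions` bullet states what the copy does but not what it leaves out, and the omission is the actual defect: the size of the destination buffer is never consulted, only the terminating zero byte of the source ends the copy. A second bullet such as `\item the size of the destination buffer is never checked` would make the slide name the root cause rather than just the mechanism. The reworded Payloads bullet (`normally you want to start a shell`) is the more accurate phrasing; a short follow-up could add that the shell inherits the privileges of the exploited process, so it is a root shell only when that process runs as root or is setuid root. Which functions `app5.c` actually calls is not visible in the hunk, so the bullet text should be checked against the listing.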
@@ -392,6 +409,46 @@
 \end{frame}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
+\frametitle{Why BOAs Work?}
+
+\begin{itemize}
+\item stack grows from higher addresses to lower addresses
+\item library functions copy memory until a zero-byte is
+encountered
+\end{itemize}
+
+\begin{center}
+\begin{tabular}{@{\hspace{-7mm}}c@{\hspace{2mm}}c@{}}
+\small
+\begin{tikzpicture}[scale=0.45]
+  %\draw[step=1cm] (-3,-3) grid (3,3);
+  \draw[line width=1mm] (-2, -3) rectangle (2,3);
+  \draw[line width=1mm] (-2,1) -- (2,1);
+  \draw[line width=1mm] (-2,-1) -- (2,-1);
+  \draw (0,2) node {\tt text};
+  \draw (0,0) node {\tt heap};
+  \draw (0,-2) node {\tt stack};
+
+  \draw (-2.7,3) node[anchor=north east]
+  {\tt\begin{tabular}{@{}l@{}}lower\\ address\end{tabular}};
+  \draw (-2.7,-3) node[anchor=south east]
+  {\tt\begin{tabular}{@{}l@{}}higher\\ address\end{tabular}};
+  \draw[->, line width=1mm] (-2.5,3) -- (-2.5,-3);
+
+  \draw (2.7,-3) node[anchor=south west] {\tt\footnotesize older};
+  \draw (2.7,-1) node[anchor=north west] {\tt\footnotesize newer};
+  \draw[|->, line width=1mm] (2.5,-3.09) -- (2.5,-1);
+  \end{tikzpicture}
+&
+\raisebox{1.3cm}{\footnotesize
+\lstinputlisting[language=C,numbers=none]{../progs/app5.c}}
+\end{tabular}
+\end{center}
+
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \begin{frame}[c]
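Review bot: The two bullets on the `Why BOAs Work?` slide list the two facts but never connect them, so the slide still does not say why the saved return address gets hit: the stack grows towards lower addresses, but a copy into a local buffer writes towards higher addresses, i.e. up the frame towards the saved return address. A third bullet such as `\item writes into a buffer proceed towards higher addresses, i.e.\ towards the saved return address of the current frame` would close that gap, and the older/newer arrow in the diagram already supports it. Minor: `zero-byte` here versus `zero byte` on the new C-Library slide, and `\tt` in the tikz nodes is the obsolete plain-TeX form; `\texttt{text}` (or `\ttfamily` inside the node) is the LaTeX equivalent.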
@@ -462,6 +519,26 @@
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \begin{frame}[c]
+\frametitle{In my Examples I Cheated}
+
+I compiled the programs with
+
+\begin{center}
+\begin{tabular}{l@{\hspace{1mm}}l}
+\pcode{/usr/bin/gcc} & \pcode{-ggdb -O0}\\
+ & \pcode{-fno-stack-protector}\\
+ & \pcode{-mpreferred-stack-boundary=2}\\
+ & \pcode{-z execstack}
+\end{tabular}
+\end{center}
+
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
 \frametitle{NIST Statistics about BOA}
 \begin{center}
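Review bot: The `In my Examples I Cheated` slide lists the gcc flags but not which protection each one switches off, which is exactly what the audience needs to take away: `-fno-stack-protector` removes the stack canary, `-z execstack` marks the stack executable (no NX/DEP for this binary), `-mpreferred-stack-boundary=2` forces 4-byte stack alignment so buffer offsets are predictable, and `-O0` keeps the frame layout unoptimised. A third tabular column with a one-phrase explanation per flag, e.g. `\pcode{-fno-stack-protector} & no stack canary\\`, would make the slide self-contained. It is also worth saying on the slide that ASLR is not a compiler option but a system setting that has to be disabled separately (e.g. `randomize_va_space` on Linux), and that toolchains defaulting to position-independent executables additionally need `-no-pie`; since `-mpreferred-stack-boundary=2` is presumably only accepted for 32-bit targets, the slide could state explicitly that the examples are 32-bit builds.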