--- a/programs/C0.c Tue Oct 08 02:22:53 2013 +0100
+++ b/programs/C0.c Tue Oct 08 05:53:21 2013 +0100
@@ -17,7 +17,7 @@
int main (int argc, char **argv)
{
foo("my string is too long !!!!! "); // all is normal
- foo("my string is too long !!!!! \x10\x10\xc0\x42"); // overwrites my_float
+ //foo("my string is too long !!!!! \x10\x10\xc0\x42"); // overwrites my_float
return 0;
}
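Review bot: The call that survives on the `// all is normal` line is itself already a one-byte overflow if C0.c's `foo` declares `char buffer[28]` as the C1.c hunk in this same commit does: the literal is 28 characters, so `strcpy` writes 29 bytes including the terminating NUL, and only the invisible placement of that NUL makes it look normal. I would say so on the line, e.g. `// 28 chars + NUL = 29 bytes: one past a 28-byte buffer, the terminator just lands where nothing visible is clobbered`, so the contrast with the float-overwriting case is accurate rather than "normal vs. overflow". Leaving the overwriting call commented out rather than deleting it (or guarding it with `#if 0` plus a pointer to C1.c, where the same payload is live) invites it to rot silently. `foo` and its buffer size are defined outside this hunk, so the 28-byte figure is inferred from C1.c.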
--- a/programs/C1.c Tue Oct 08 02:22:53 2013 +0100
+++ b/programs/C1.c Tue Oct 08 05:53:21 2013 +0100
@@ -2,7 +2,6 @@
#include <stdio.h>
#include <stdlib.h>
-// for installation notes see C0.c
void foo (char *bar)
{
@@ -10,9 +9,7 @@
char buffer[28];
printf("my float value = %f\n", my_float);
-
- strcpy(buffer, bar);
-
+ strcpy(buffer, bar);
printf("my float value = %f\n", my_float);
}
@@ -21,7 +18,7 @@
// only float overwritten
foo("my string is too long !!!!! \x10\x10\xc0\x42");
// also calls can_never_run
- //foo("my string is too long !!!!! \x10\x10\xc0\x42\x90\x90\x90\x90\x55\x84\x04\x08");
+ foo("my string is too long !!!!! \x10\x10\xc0\x42\x90\x90\x90\x90\x55\x84\x04\x08");
return 0;
}
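Review bot: The return address `\x55\x84\x04\x08` (0x08048455) in the newly enabled call is specific to one 32-bit, non-PIE build of this file; after any rebuild with a different compiler, flags, ASLR or PIE the bytes no longer point at `can_never_run` (presumably the function the comment refers to), and the only hint about the required build (`// for installation notes see C0.c`) is removed by this same commit. The payload is laid out little-endian — `\x10\x10\xc0\x42` is 0x42c01010 ≈ 96.06 as a float, the opposite byte order from the `\x41\x28\x00\x00` comment that describes 10.5 in progs/C1.c — which is worth stating where a student reads it. I would document the frame layout and the build dependency on the call: `// 28 (buffer) + 4 (my_float) + 4 NOPs (presumably over the saved frame pointer) + return address of can_never_run; 0x08048455 is build-specific: re-read it with objdump -d after recompiling, and the binary must be built without stack protector and run with ASLR off`. Note also that the first call, which the comment says only overwrites the float, still writes 33 bytes (32 chars + NUL), so its terminator lands one byte past `my_float` — fine for the demo, but the comment could say so.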
--- a/progs/C1.c Tue Oct 08 02:22:53 2013 +0100
+++ b/progs/C1.c Tue Oct 08 05:53:21 2013 +0100
@@ -1,6 +1,6 @@
void foo (char *bar)
{
- float my_float = 10.5; // in hex: \x41\x28\x00\x00
+ float my_float = 10.5; // in hex: \x41\x28\x00\x00
char buffer[28];
printf("my float value = %f\n", my_float);
Binary file slides/slides03.pdf has changed
--- a/slides/slides03.tex Tue Oct 08 02:22:53 2013 +0100
+++ b/slides/slides03.tex Tue Oct 08 05:53:21 2013 +0100
@@ -162,17 +162,34 @@
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
+\frametitle{A Float Printed ``Twice''}
+
+{\lstset{language=Java}
+\footnotesize
+\lstinputlisting{../progs/C1.c}}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
\frametitle{\begin{tabular}{c}The Problem\end{tabular}}
\begin{itemize}
\item The basic problem is that library routines in C look as follows:
+
\begin{center}
-{\lstset{language=Java}\fontsize{8}{10}\selectfont%
-\texttt{\lstinputlisting{../progs/app5.c}}}
+{\lstset{language=Java}
+\footnotesize
+\lstinputlisting{../progs/app5.c}}
\end{center}
+
\item the resulting problems are often remotely exploitable
-\item can be used to circumvents all access control
-(botnets for further attacks)
+\item can be used to circumvents all access control\\
+(for grooming botnets for further attacks)
\end{itemize}
\end{frame}}
@@ -196,22 +213,6 @@
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-
-\small
-\texttt{my\_float} is printed twice:\bigskip
-
-{\lstset{language=Java}\fontsize{8}{10}\selectfont%
-\texttt{\lstinputlisting{../progs/C1.c}}}
-
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
@@ -257,7 +258,7 @@
\frametitle{\begin{tabular}{c}Payloads\end{tabular}}
\begin{itemize}
-\item the idea is you store some code as part to the buffer
+\item the idea is you store some code to the buffer
\item you then override the return address to execute this payload\medskip
\item normally you start a root-shell\pause
\item difficulty is to guess the right place where to ``jump''
@@ -279,7 +280,7 @@
\end{center}
\end{itemize}\bigskip\bigskip
-{\lstset{language=Java}\fontsize{8}{10}\selectfont%
+{\lstset{language=Java}\small
\texttt{\lstinputlisting{../progs/app5.c}}}
\end{frame}}
@@ -305,7 +306,7 @@
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
-\frametitle{\begin{tabular}{c}Protections against BO Attacks\end{tabular}}
+\frametitle{\begin{tabular}{c}Protections against\\ BO Attacks\end{tabular}}
\begin{itemize}
\item use safe library functions