--- a/progs/C1.c Tue Oct 07 00:26:40 2014 +0100
+++ b/progs/C1.c Tue Oct 07 00:52:18 2014 +0100
@@ -13,9 +13,7 @@
}
int main(int argc, char **argv) {
-
foo(argv[1]);
-
return 1;
}
--- a/progs/C4.c Tue Oct 07 00:26:40 2014 +0100
+++ b/progs/C4.c Tue Oct 07 00:52:18 2014 +0100
@@ -5,9 +5,9 @@
// on the command line
-main(int argc, char **argv)
+int main(int argc, char **argv)
{
- char *string = "This is a secret string\n";
+ char *string = "This is a secret string\n";
- printf(argv[1]);
+ printf(argv[1]);
}
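Review bot: `argv[1]` is passed to `printf` without checking `argc`, so running the demo with no argument dereferences `argv[argc]`, which is a null pointer, and the program fails before the behaviour the slide wants to show; add `if (argc < 2) return 1;` ahead of the call. Since the non-literal format string is the point of this example, say so in the source so readers and `-Wformat-security` output do not read it as an oversight: `printf(argv[1]); /* deliberately unsafe: non-literal format string, see slides03 */`. The `main` in `progs/C1.c` (first hunk) passes `argv[1]` to `foo` with the same missing `argc` check. `string` only points at a literal and is never written, so `const char *string` would state that; the compiler's unused-variable warning is presumably intended, given the slide text.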
Binary file slides/slides03.pdf has changed
--- a/slides/slides03.tex Tue Oct 07 00:26:40 2014 +0100
+++ b/slides/slides03.tex Tue Oct 07 00:52:18 2014 +0100
@@ -206,7 +206,18 @@
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
-\frametitle{``A Login Function'' (1)}
+\frametitle{Printing Out Zombies}
+\mbox{}\\[-10mm]
+
+\footnotesize
+\lstinputlisting[language=C,xleftmargin=4mm]{../progs/C1.c}
+
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
+\frametitle{A ``Login'' Function (1)}
\mbox{}\\[-10mm]
\footnotesize
@@ -217,7 +228,7 @@
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
-\frametitle{``A Login Function'' (2)}
+\frametitle{A ``Login'' Function (2)}
\mbox{}\\[-10mm]
\footnotesize
@@ -330,6 +341,130 @@
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
+\frametitle{Overwriting the Stack}
+
+\begin{textblock}{7}(1,2)
+ \begin{tikzpicture}[scale=0.8]
+ %\draw[step=1cm] (-3,-1) grid (3,8);
+ \draw[gray!20,fill=gray!20] (-1, 0) rectangle (1,-1);
+ \draw[line width=1mm] (-1,-1.2) -- (-1,6.4);
+ \draw[line width=1mm] ( 1,-1.2) -- ( 1,6.4);
+ \draw (0,-1) node[anchor=south] {\tt main};
+ \draw[line width=1mm] (-1,0) -- (1,0);
+ \draw (0,0) node[anchor=south] {\tt arg$_3$=3};
+ \draw[line width=1mm] (-1,1) -- (1,1);
+ \draw (0,1) node[anchor=south] {\tt arg$_2$=2};
+ \draw[line width=1mm] (-1,2) -- (1,2);
+ \draw (0,2) node[anchor=south] {\tt arg$_1$=1};
+ \draw[line width=1mm] (-1,3) -- (1,3);
+ \draw (0,3.1) node[anchor=south] {\tt ret};
+ \draw[line width=1mm] (-1,4) -- (1,4);
+ \draw (0,4) node[anchor=south] {\small\tt last sp};
+ \draw[line width=1mm] (-1,5) -- (1,5);
+ \draw (0,5) node[anchor=south] {\tt buf};
+ \draw[line width=1mm] (-1,6) -- (1,6);
+ \draw (2,5.1) node[anchor=south] {\code{$esp}};
+ \draw[<-,line width=0.5mm] (1.1,6) -- (2.5,6);
+
+ \draw[->,line width=0.5mm] (1,4.5) -- (1.8,4.5);
+ \draw (2.5,4.1) node[anchor=south] {\code{??}};
+
+ \draw[->,line width=0.5mm] (1,3.5) -- (2.5,3.5);
+ \draw (2.6,3.1) node[anchor=south west] {\tt jump to \code{\\x080483f4}};
+\end{tikzpicture}
+\end{textblock}
+
+\begin{textblock}{7}(1,13.5)
+\code{char buf[8] = "AAAAAAAABBBB\\xf4\\x83\\x04\\x08\\x00"}
+\end{textblock}
+
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
+\frametitle{Payloads}
+
+\begin{itemize}
+\item the idea is that you store some code in the buffer (the payload)
+\item you then override the return address to execute this payload\medskip
+\item normally you start a root-shell\pause
+\item difficulty is to guess the right place where to ``jump''
+\end{itemize}
+
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
+\frametitle{Payloads (2)}
+
+\begin{itemize}
+\item another difficulty is that the code is not allowed to contain \texttt{$\backslash$x00}:
+
+\begin{center}
+\texttt{xorl \%eax, \%eax}
+\end{center}
+\end{itemize}\bigskip\bigskip
+
+{\small
+\lstinputlisting[language=C,numbers=none]{../progs/app5.c}}
+
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
+\frametitle{Variants}
+
+There are many variants:
+
+\begin{itemize}
+\item return-to-lib-C attacks
+\item heap-smashing attacks\\
+\textcolor{gray}{\small(Slammer Worm in 2003 infected 90\% of vulnerable systems within 10 minutes)}\bigskip
+
+\item ``zero-days-attacks'' (new unknown vulnerability)
+\end{itemize}
+
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
+\frametitle{Format String Vulnerability}
+
+\small
+\texttt{string} is nowhere used:\bigskip
+
+{\footnotesize\lstinputlisting[language=C]{../progs/C4.c}}\bigskip
+
+this vulnerability can be used to read out the stack
+
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
+\frametitle{\begin{tabular}{c}Protections against\\ Buffer Overflow Attacks\end{tabular}}
+
+\begin{itemize}
+\item use safe library functions
+\item stack caneries
+\item ensure stack data is not executable (can be defeated)
+\item address space randomisation (makes one-size-fits-all more difficult)
+\item choice of programming language (one of the selling points of Java)
+
+\end{itemize}
+
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
\frametitle{\begin{tabular}{c}Network Applications:\\[-1mm] Privilege Separation\end{tabular}}
@@ -426,107 +561,6 @@
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\begin{frame}[c]
-\frametitle{Variants}
-
-There are many variants:
-
-\begin{itemize}
-\item return-to-lib-C attacks
-\item heap-smashing attacks\\
-\textcolor{gray}{\small(Slammer Worm in 2003 infected 90\% of vulnerable systems within 10 minutes)}\bigskip
-
-\item ``zero-days-attacks'' (new unknown vulnerability)
-\end{itemize}
-
-\end{frame}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\begin{frame}[c]
-
-{\small\lstinputlisting[language=C]{../progs/C2.c}}
-
-\end{frame}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%\mode<presentation>{
-%\begin{frame}[c]
-%
-%\small
-%A programmer might be careful, but still introduce vulnerabilities:\bigskip
-%
-%{\lstset{language=Java}\footnotesize
-%\texttt{\lstinputlisting{../progs/C2a.c}}}
-%
-%
-%\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\begin{frame}[c]
-\frametitle{Payloads}
-
-\begin{itemize}
-\item the idea is you store some code to the buffer
-\item you then override the return address to execute this payload\medskip
-\item normally you start a root-shell\pause
-\item difficulty is to guess the right place where to ``jump''
-\end{itemize}
-
-\end{frame}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\begin{frame}[c]
-\frametitle{Payloads (2)}
-
-\begin{itemize}
-\item another difficulty is that the code is not allowed to contain \texttt{$\backslash$x00}:
-
-\begin{center}
-\texttt{xorl \%eax, \%eax}
-\end{center}
-\end{itemize}\bigskip\bigskip
-
-{\small
-\lstinputlisting[language=C]{../progs/app5.c}}
-
-\end{frame}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\begin{frame}[c]
-\frametitle{Format String Vulnerability}
-
-\small
-\texttt{string} is nowhere used:\bigskip
-
-{\footnotesize\lstinputlisting[language=C]{../progs/C4.c}}\bigskip
-
-this vulnerability can be used to read out the stack
-
-\end{frame}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\begin{frame}[c]
-\frametitle{\begin{tabular}{c}Protections against\\ Buffer Overflow Attacks\end{tabular}}
-
-\begin{itemize}
-\item use safe library functions
-\item stack caneries
-\item ensure stack data is not executable (can be defeated)
-\item address space randomisation (makes one-size-fits-all more difficult)
-\item choice of programming language (one of the selling points of Java)
-
-\end{itemize}
-
-\end{frame}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]