90 likes | 285 Views
CS 155 Section 1 PP1. Eu-Jin Goh. Setting up Environment. Demo. target1.c. int foo( char *arg, char *out ) { strcpy( out, arg ); return 0; } int main( int argc, char *argv[] ) { char buf[64]; if ( argc != 2 ) { … } foo( argv[1], buf ); return 0; }.
E N D
CS 155 Section 1PP1 Eu-Jin Goh
target1.c int foo( char *arg, char *out ) { strcpy( out, arg ); return 0; } int main( int argc, char *argv[] ) { char buf[64]; if ( argc != 2 ) { … } foo( argv[1], buf ); return 0; }
Stack in target1 – layout argv[1] == <shellcode + buf’s addy> argv[0] == “/tmp/target1” argc $ra – to which main() will return $fp – for main’s stack frame buf[64] ptr to buf == “out” // args to foo() ptr to argv[1] == “arg” // args to foo()
sploit1 Need: • Location of return address • addr on stack for $ra to overwrite • need main()’s $ra (not foo()’s) • Address of the buffer (“buf” in target1) • address we want to force the program to jump to • Distance between buffer and $ra • Size of overflow buffer
Buf addr • addr of the target1 buf depends exploit overflow buffer size • since exploit string lives above target1 buf on stack • Once exploit buffer buf fixed, addr of target1 buf won’t change.
Details • Size of overflow buffer • Buf addr = 0x9ffffb80 • reg ebp = 0x9ffffbc8 • Difference is 0x48 = 72 • Buffer size = 72 + 4 + 4 + 1 = 81 • Addr of buf • Buf = 0x9ffffe60
Crafting the exploit string • Want target to jump to start of buf, • place shellcode (size 45 bytes) at the start of the string • $ra exists at offset 76 • need exploit string[76] to contain the addr target1 buf (0x9ffffe60)
Hints • Various ways of seizing program flow control without overwriting return address • Learn what registers esp, ebp point to during stages of program execution • Learn what happens to registers and memory during LEAVE and RET calls