Check Stack Memory - Malware and Software Vulnerability Analysis - Lecture Slides, Slides of Software Engineering

During the last semester of our degree program, we study Malware and Software Vulnerability Analysis. These lecture slides are very informative for me. The major points which are the core of the course are: Check Stack Memory, Parameters, Return Address, Calling Stack Pointer, Added Protection, Local Variables, Stack Frame, Commands, Function, Address of Arguments.

Typology: Slides

2012/2013

Uploaded on 04/25/2013

ayushmati

Buffer Overflow: Example of Using GDB to Check Stack Memory

A Stack Frame

  Contents of one frame as drawn on the slide (top to bottom, i.e. from higher to lower addresses):

  • Parameters
  • Return Address
  • Calling Stack Pointer
  • Added Protection
  • Local Variables

  Addresses marked on the diagram: SP, SP + offset, BP

  SP: stack pointer
  BP: base/frame pointer
  Calling stack pointer: previous function’s SP

  • Related GDB Commands:
    • list: list the source code with the line number of each statement
    • break linenumber: set a breakpoint at that line number
    • break test.c:foo: break when the program enters the foo() function in the file test.c
    • run argv: run the program with the command-line arguments argv
    • next: execute the next line of code
    • backtrace: show the trace of all function calls on the stack
    • info frame: list the frame address, source language, addresses of arguments/local variables, and which registers were saved in the frame.
      • This shows where the return address is saved
      • The return address is the saved EIP
      • The calling stack pointer is the saved EBP
    • x &variable: show the address and value of a local variable (in hex format)
    • x address: print the binary representation of the 4 bytes of memory pointed to by address.

Example of Using GDB

    #include <stdio.h>
    #include <string.h>          /* strcpy() */

    /* Deliberately vulnerable: strcpy() copies 'input' into a 7-byte buffer
       with no length check, so a longer argument overflows buf. */
    void foo(char *input) {
        int a1 = 11;
        int a2 = 22;
        char buf[7];

        strcpy(buf, input);
    }

    int main(int argc, char **argv) {
        if (argc < 2)
            return 1;            /* the example expects one argument */
        foo(argv[1]);
        return 0;
    }

Question: What does the stack look like before strcpy()?

    (gdb) info frame
    Stack level 0, frame at 0xbffff620:
    eip = 0x8048459 in foo (gdb-example.c:6); saved eip 0x
    called by frame at 0xbffff
    source language c.
    Arglist at 0xbffff618, args: input=0xbffff82d "what is this? a book"
    Locals at 0xbffff618, Previous frame's sp is 0xbffff
    Saved registers:
    ebp at 0xbffff618, eip at 0xbffff61c
    (gdb) x &a
    0xbffff5fc: 0x0000000b
    (gdb) x &a
    0xbffff600: 0x
    (gdb) x buf
    0xbffff605: 0xf

Two Techniques for Generating Stack Overflow Codes

Using NOPs

  Parts of the injected buffer shown in the diagram:

  • nop instructions
  • Real program (exec /bin/ls or whatever)
  • new return address

Estimating the stack size

  • We can also guess at the location of the return address relative to the overflowed buffer.
  • Put in a bunch of new return addresses!

Explanation of Project 1

  • Target.c code vulnerability:

    #include <string.h>

    int foo(char *arg, short arglen)
    {
        char buf[100];
        int i, maxlen = 100;
        int len;
        if (arglen < maxlen) {          /* arglen is a signed short */
            len = strlen(arg);          /* copy length comes from the string, not from arglen */
            strncpy(buf, arg, len);     /* writes past buf when strlen(arg) > 100 */
        }
        return 0;
    }

  • If foo(arg, Big_Value) is called with a Big_Value that overflows ‘short’, arglen can become a negative value and pass the if() security check.
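The following is an added example, not code from the slides or from the course's target.c/exploit.c. It isolates the two defects the slides describe, the unchecked strcpy() in the GDB example and the signed 'short' length check in foo(), and places them next to a hardened copy routine whose bound comes from the destination buffer rather than from the caller. All function names (as_short, check_admits_copy, vulnerable_foo_overflows, foo_hardened, hardened_copy_len, constructed_big_input) are hypothetical, and the 150-byte input and the 65535 length value are constructed for the demonstration; the vulnerable copy itself is only predicted, never performed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BUFSZ 100   /* same size as 'buf' in the project's foo() */

/* A 150-byte constructed input, longer than buf but shorter than what a
   caller could legally claim via a large 'short'. */
const char *constructed_big_input(void)
{
    static char big[151];
    if (big[0] == '\0') {
        memset(big, 'A', 150);
        big[150] = '\0';
    }
    return big;
}

/* What a large caller-supplied length becomes when it passes through a
   'short' parameter (implementation-defined, but wraps on every common
   two's-complement x86 ABI). */
short as_short(int caller_value)
{
    return (short)caller_value;
}

/* The check from target.c, isolated: a signed 'short' compared with maxlen.
   Returns true when the copy would be allowed. */
bool check_admits_copy(short arglen, int maxlen)
{
    return arglen < maxlen;
}

/* Predicts whether the project's foo() would write past its 100-byte buf,
   without performing the unsafe strncpy(buf, arg, strlen(arg)). */
bool vulnerable_foo_overflows(const char *arg, short arglen)
{
    int maxlen = BUFSZ;
    if (!(arglen < maxlen))
        return false;                       /* the check rejects the call */
    return strlen(arg) > (size_t)BUFSZ;     /* copy length is strlen(arg) */
}

/* Hardened replacement: no caller-supplied length at all, the scan is
   bounded by the destination size, and an input that does not fit
   (including its terminator) is refused instead of truncated silently.
   Returns the number of bytes copied, or 0 when the input is refused. */
size_t foo_hardened(char *dst, size_t dstsz, const char *arg)
{
    if (dst == NULL || arg == NULL || dstsz == 0)
        return 0;
    size_t n = 0;
    while (n < dstsz && arg[n] != '\0')     /* never reads past dstsz bytes */
        n++;
    if (n >= dstsz)
        return 0;                           /* no room for the NUL: refuse */
    memcpy(dst, arg, n + 1);                /* copy including the terminator */
    return n;
}

/* Convenience wrapper: copy into a BUFSZ-byte stack buffer and report. */
size_t hardened_copy_len(const char *arg)
{
    char dst[BUFSZ];
    return foo_hardened(dst, sizeof dst, arg);
}

int main(void)
{
    int claimed = 65535;                    /* constructed caller value */
    short seen = as_short(claimed);         /* -1 on x86 */
    printf("caller passes %d, foo() sees arglen=%d, check passes=%d, overflow=%d\n",
           claimed, seen, check_admits_copy(seen, BUFSZ),
           vulnerable_foo_overflows(constructed_big_input(), seen));
    printf("hardened copy of 150 bytes -> %zu bytes copied (0 = refused)\n",
           hardened_copy_len(constructed_big_input()));
    printf("hardened copy of \"hi there\" -> %zu bytes copied\n",
           hardened_copy_len("hi there"));
    return 0;
}
```

The point of foo_hardened is that every bound is derived from the destination: the length type is size_t, the scan stops at dstsz, and the caller's claim about the length is not consulted, so there is no signed/unsigned mismatch for a truncated 'short' to slip through.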

Explanation of Project 1

  • In the exploit.c code:
    • #define TARGET “/home/czou/buffer-code/targets/target”
      • Needs to be changed to point to your own target executable
    • Change args[1] = "hi there";
      • args[1] needs to point to a large buffer that can cause an overflow in the target code
      • You can define such a large buffer in exploit.c and make args[1] point to it.
  • Your main task is to:
    • Find out where on the stack the return address is stored
    • Find out the starting address of ‘buf’ in foo() in the target code
    • Fill the shellcode[] into the large buffer in your exploit code (which will fill the ‘buf’ variable in the target code)
    • Assign the starting address of buf to the right place in the large buffer in your exploit code in order to overwrite the return address; the CPU will then run the shellcode you put at the start of the buf variable.

Several Tips on Project 1

As an example, suppose we know that:

  1. The address of ‘buf’ in target.c is: 0xbfff
  2. The address of the function’s return address (eip) is
  3. We put the shellcode[] at the beginning of ‘buf’.

How to overwrite the return address to execute shellcode?

  1. 0xbfff0100 – 0xbfff0000 = 0x100 = 256 in decimal
  2. Since an address on a 32-bit machine is 4 bytes and Eustis is a little-endian machine:

     buf[256] = 0x00; buf[257] = 0x00;
     buf[258] = 0xff; buf[259] = 0xbf;

In this way, we have changed the flow to the beginning of shellcode!