CAP6135: Malware and Software Vulnerability Analysis
Buffer Overflow: Example of Using GDB to Check Stack Memory
Cliff Zou, Spring 2011

Slide 2: A Stack Frame

[Figure: layout of one stack frame, from high addresses at the top down to 00000000 at the bottom: Parameters, Return Address, Calling Stack Pointer, Local Variables. SP marks the stack pointer; local variables are addressed as SP+offset.]

SP: stack pointer
BP: base/frame pointer
Calling stack pointer: the previous function's SP, BP

Slide 3: Using GDB to Check Stack

GDB tutorial: (link not preserved in this copy)
When compiling the C code, use "gcc -g ..." so that gdb can match source code line numbers with the code.
Some knowledge: /wiki/X86_assembly_language
Register eip: instruction pointer, the address of the next executable instruction.
Register ebp: stack pointer, the top of the current stack, used for addressing local variables.

Slide 4: Related gdb Commands

list: list the source code with each line's number
break linenumber: set a breakpoint at linenumber
run argv: run the executable with the parameter argv
next: execute the next line of code
backtrace: show the trace of all function calls on the stack
info frame: list the address, language, addresses of arguments/local variables and which registers were saved in the frame. This shows where the return address is saved: the return address is in register EIP, the calling stack pointer is in register EBP.
x: examine memory

Example program (gdb-example.c):

    #include <string.h>
    void foo(char *input)
    {
        int a1 = 11;
        int a2 = 22;
        char buf[7];
        strcpy(buf, input);
    }
    void main(int argc, char *argv[])
    {
        foo(argv[1]);
    }

Question: What does the stack look like before strcpy()?

Slide 5

    czou@eustis:~/buffer-code$ setarch i686 -R gdb ./gdb-example
    (gdb) list
    1   #include <string.h>
    2   void foo(char * input){
    3     int a1=11;
    4     int a2=22;
    5     char buf[7];
    6     strcpy(buf, input);
    7   }
    8   void main(int argc, char *argv[]){
    9     foo(argv[1]);
    10  }
    (gdb) break 6
    Breakpoint 1 at 0x8048388: file gdb-example.c, line 6.
    (gdb) run "whatever"
    Starting program: /home/czou/buffer-code/gdb-example whatever

    Breakpoint 1, foo (input=0xbffff92e "whatever") at gdb-example.c:6
    6     strcpy(buf, input);

Note on "setarch i686 -R": it removes the address randomization used in Unix (will be discussed in the next lecture).

Slide 6

    (gdb) info frame
    Stack level 0, frame at 0xbffff750:
     eip = 0x8048388 in foo (gdb-example.c:6); saved eip 0x80483bd
     called by frame at 0xbffff760
     source language c.
     Arglist at 0xbffff748, args: input=0xbffff92e "whatever"
     Locals at 0xbffff748, Previous frame's sp is 0xbffff750
     Saved registers:
      ebp at 0xbffff748, eip at 0xbffff74c
    (gdb) x

[The arguments and output of the x command, and slides 7 to 13, are not included in this copy. The following fragment precedes the Project 1 slides.]

    int i, maxlen = 100;
    int len;
    if (arglen < maxlen)
        len = strlen(arg);
    strncpy(buf, arg, len);

If the input to foo(*arg, Big_Value) has a Big_Value that overflows short, then arglen can become a negative value and passes the if() security check.

Slide 14: Explanation of Project 1

In the exploit.c code:

    #define TARGET "/home/jobert/cap6135/1/proj1-fa08/targets/target"

needs to be changed to point to your own target code.
Change args[1] = "hi there"; args[1] needs to point to a large buffer that can cause an overflow in the target code. You can define such a large buffer here and make args[1] point to it.

Your main tasks are to:
- find out where in the stack the return address is stored;
- find out where buf in foo() of the target code starts;
- fill the shellcode into the large buffer in your exploit code (which will fill the buf variable in the target code);
- assign the starting address of buf to the right place in the large buffer in your exploit code so that it overwrites the return address; the CPU will then run the shellcode you put at the start of the buf variable.

Slide 15: Several Tips on Project 1

- Be sure to use the Makefile to generate the executables of both the exploit program and the target program.
- Be sure to put "setarch i686 -R" in front of every execution, including both gdb and ./exploit.
- You can use "break foo" to set a breakpoint upon entering the foo() function.
- Fill the shell executable code (in the string array shellcode) byte by byte into the buffer for your modified return address to execute; do not use strcpy(), because the shellcode is not an ASCII string.

Slide 16: Several Tips on Project 1 (continued)

Given that:
- we know the address of buf in target.c is 0xbfff0000;
- we know the address of the function's return address (eip) is 0xbfff0100;
- we put the shellcode at the beginning of buf.
How to overwrite the return address to execute the shellcode?
0xbfff0100 - 0xbfff0000 = 0x100 = 256 in decimal.
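The length check in the fragment before the Project 1 slides fails because arglen is a short: a large length is truncated on the way in and can compare as negative. The following C program is an added example, not code from the slides or from the course project; check_len_short(), truncate_to_short() and copy_bounded() are names chosen for this example. It shows the short-typed check accepting a truncated value, and a hardened copy that takes an unsigned length, checks it against the real buffer size and the real string length, and always terminates the result.

```c
/* Added example (not from the slides): the short-typed length check beside
 * a hardened copy. Function names are this example's own. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAXLEN 100

/* Vulnerable form of the slide's check. Because arglen is a short, a
 * wider length from the caller is truncated to 16 bits, and any truncated
 * value at or above 32768 is negative, so "arglen < maxlen" still holds.
 * Returns whether the check would accept arglen. */
bool check_len_short(short arglen)
{
    int maxlen = MAXLEN;
    return arglen < maxlen;          /* negative lengths slip through */
}

/* What a caller's large value becomes after the implicit conversion to
 * short (two's complement wrap-around, as gcc and clang implement it). */
short truncate_to_short(long big_value)
{
    return (short)big_value;
}

/* Hardened form: the length is unsigned, it is never trusted over the
 * string itself, and the copy is rejected unless the string plus its
 * terminator fits in bufsz. Returns true if arg was copied whole. */
bool copy_bounded(char *buf, size_t bufsz, const char *arg, size_t arglen)
{
    if (bufsz == 0)
        return false;
    /* Real length: stop at the terminator or at the caller's bound. */
    size_t real = 0;
    while (real < arglen && arg[real] != '\0')
        real++;
    if (real >= bufsz) {             /* no room for the terminator */
        buf[0] = '\0';
        return false;
    }
    memcpy(buf, arg, real);
    buf[real] = '\0';
    return true;
}

int main(void)
{
    long big = 100000;                       /* constructed: a length that overflows short */
    short seen = truncate_to_short(big);
    printf("length %ld arrives as short %d; weak check passes: %s\n",
           big, seen, check_len_short(seen) ? "yes" : "no");

    char buf[8];
    printf("copy_bounded(\"hi\", %ld): %s -> \"%s\"\n", big,
           copy_bounded(buf, sizeof buf, "hi", (size_t)big) ? "ok" : "rejected", buf);
    printf("copy_bounded(\"this is too long\", %ld): %s\n", big,
           copy_bounded(buf, sizeof buf, "this is too long", (size_t)big) ? "ok" : "rejected");
    return 0;
}
```

With the constructed length 100000, truncate_to_short() yields -31072, which the short-typed check accepts; copy_bounded() ignores the oversized length, measures the string itself and refuses anything that does not fit with its terminator.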
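For the question on slide 4 (what the stack looks like before strcpy()) and the offset arithmetic on slide 16, the following C program is an added example that is not part of the slides or the project code. It keeps the slides' foo() locals but reads its own frame with __builtin_frame_address() and __builtin_return_address() to report where buf sits relative to the saved return address, the same facts that info frame printed on slide 6, and it replaces strcpy() with a copy bounded by sizeof buf. It assumes gcc or clang on x86-64, AArch64 or i386, where the saved return address is the pointer-sized slot just above the frame pointer; foo_checked(), foo_report() and struct frame_report are this example's own names.

```c
/* Added example (not from the slides): an instrumented, bounded version of
 * foo() that measures its own frame instead of being inspected in gdb.
 * Assumption: gcc/clang, frame pointer kept, return address stored one
 * pointer above the frame pointer (x86-64, AArch64, i386). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct frame_report {
    uintptr_t buf_addr;          /* address of buf[0] */
    uintptr_t retaddr_slot;      /* address of the saved return address ("eip at ..." in info frame) */
    ptrdiff_t bytes_to_retaddr;  /* bytes from buf[0] up to that slot */
    int slot_holds_retaddr;      /* 1 if the slot really contains the return address */
    int input_truncated;         /* 1 if input did not fit in buf and was cut */
    char copied[7];              /* what ended up in buf */
};

static struct frame_report last_report;

__attribute__((noinline))
void foo_checked(const char *input)
{
    volatile int a1 = 11;        /* volatile: keep the slides' locals in the frame */
    volatile int a2 = 22;
    char buf[7];

    /* The frame pointer points at the saved caller frame pointer; the
       return address is the next pointer-sized slot above it (assumption). */
    void **frame = (void **)__builtin_frame_address(0);
    void **ret_slot = frame + 1;

    last_report.buf_addr = (uintptr_t)buf;
    last_report.retaddr_slot = (uintptr_t)ret_slot;
    last_report.bytes_to_retaddr = (ptrdiff_t)((uintptr_t)ret_slot - (uintptr_t)buf);
    last_report.slot_holds_retaddr = (*ret_slot == __builtin_return_address(0));

    /* Bounded copy: at most sizeof buf - 1 characters, always terminated. */
    size_t n = strlen(input);
    if (n >= sizeof buf) {
        last_report.input_truncated = 1;
        n = sizeof buf - 1;
    } else {
        last_report.input_truncated = 0;
    }
    memcpy(buf, input, n);
    buf[n] = '\0';
    memcpy(last_report.copied, buf, sizeof buf);

    (void)a1;
    (void)a2;
}

/* Accessor for the measurements taken by the last foo_checked() call. */
const struct frame_report *foo_report(void)
{
    return &last_report;
}

int main(int argc, char *argv[])
{
    foo_checked(argc > 1 ? argv[1] : "whatever");   /* "whatever": the slides' own input */
    const struct frame_report *r = foo_report();
    printf("buf at %#lx, return address slot at %#lx, %td bytes apart\n",
           (unsigned long)r->buf_addr, (unsigned long)r->retaddr_slot,
           r->bytes_to_retaddr);
    printf("slot holds the return address: %s; input %s, buf = \"%s\"\n",
           r->slot_holds_retaddr ? "yes" : "no",
           r->input_truncated ? "truncated" : "fit", r->copied);
    return 0;
}
```

Run it with an argument to measure that input; with the slides' own "whatever" (eight characters) the bounded copy reports that the input does not fit in the seven-byte buf and truncates it, which is the write past the end of buf that the original strcpy() would have performed. The distance it prints is the same quantity slide 16 computes from the two gdb addresses, and the check that the slot really holds the return address is what info frame's "eip at ..." line asserts.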
