Академический Документы
Профессиональный Документы
Культура Документы
Machine Organization
Section Notes
Fall 2009 Week 2
Week of Sept 21 to Sept 25
Outline for this week:
Quiz
Arrays
Structs
Out of bounds Memory Access
Buffer Overruns & Stack Exploits
Arrays
Pointer Arithmetic
C allows arithmetic on pointers. The value is scaled according to the size of the data type
referenced by the pointer.
Exercise 1: Say we have the following C code:
int *p = (int )0x8048750;
int val = (int) (p + 3);
What is the numeric value of val in the above code?
Nested Arrays:
int A[4][3];
Element
Address
Value
A[0][0]
xa
A[0][1]
xa+4
A[0][2]
xa+8
A[1][0]
xa+12
A[1][1]
xa+16
A[1][2]
xa+20
A[2][0]
xa+24
A[2][1]
xa+28
A[2][2]
xa+32
A[3][0]
xa+36
A[3][1]
xa+40
10
A[3][2]
xa+44
11
A+36 =
A[3][-1] =
A[0][-1] =
Structures:
Exercise 3:
Consider the following structure:
struct prob {
int *p;
struct {
int x;
int y;
} s;
struct prob *next;
}
The following procedure (with some expressions omitted) operates on this structure:
void sp_init(struct prob *sp)
{
sp->s.x = ________;
sp->p = ________;
sp->next = ________;
}
A: What are the offsets (in bytes) of the following fields?
p:
s.x:
s.y:
next:
B. How many total bytes does this structure require?
C: The compiler generates the following assembly code for the body of sp_init:
movl 8(%ebp), %eax
movl 8(%eax), %edx
3
Function calls
Exercise 5:
Lets say we are given the following assembly code for a function.
1
2
3
4
5
6
7
8
9
...
20
21
22
pushl %edi
pushl %esi
pushl %ebx
movl 24(%ebp), %eax
imull 16(%ebp), %eax
movl 24(%ebp), %ebx
leal 0(, %eax, 4), %ecx
addl 8(%ebp), %ecx
movl %ebx, %edx
popl %ebx
popl %esi
popl %edi
4
a. Why are %edi, %esi, and %ebx the only registers saved and restored by this
piece of code? What about %eax, %edx, and %ecx?
b. What do 24(%ebp) and 16(%ebp)refer to?
How many bytes do you think will be allocated to the some_chars string?
<some_function+0>:
<some_function+1>:
<some_function+3>:
<some_function+6>:
<some_function+13>:
push
mov
sub
movl
call
%ebp
%esp,%ebp
$0x18,%esp
$0x80484ec,(%esp)
0x80482d4 <printf@plt>
0x080483a6
0x080483a9
0x080483ac
0x080483b1
0x080483b4
0x080483b8
0x080483bf
0x080483c4
0x080483c5
<some_function+18>:
<some_function+21>:
<some_function+24>:
<some_function+29>:
<some_function+32>:
<some_function+36>:
<some_function+43>:
<some_function+48>:
<some_function+49>:
lea
mov
call
lea
mov
movl
call
leave
ret
0xfffffff8(%ebp),%eax
%eax,(%esp)
0x80482b4 <gets@plt>
0xfffffff8(%ebp),%eax
%eax,0x4(%esp)
$0x8048511,(%esp)
0x80482d4 <printf@plt>
Suppose we have another function called my_function in the program that is not called by
some_function. How can we exploit the stack to execute this function?
The corresponding assembly is:
void my_function(int i)
{
printf("parameter passed using buffer overun: 0x%x \n",i);
return;
}
0x080483c6
0x080483c7
0x080483c9
0x080483cc
0x080483cf
0x080483d3
0x080483da
0x080483df
0x080483e0
<my_function+0>:
<my_function+1>:
<my_function+3>:
<my_function+6>:
<my_function+9>:
<my_function+13>:
<my_function+20>:
<my_function+25>:
<my_function+26>:
push
mov
sub
mov
mov
movl
call
leave
ret
%ebp
%esp,%ebp
$0x8,%esp
0x8(%ebp),%eax
%eax,0x4(%esp)
$0x8048524,(%esp)
0x80482d4 <printf@plt>
Exercise 6:
What will the following exploit string do, if given as an input to the gets function? (Note
that this isn't what you'd typethese are the hex values of the bytes)
31 31 31 31 32 32 32 32 33 33 33 33 c6 83 04 08 ef be ad de aa bb cc dd
Question Answers:
#1: Since p is of type int *, p+3 would evaluate (in C) to:
0x8048750 + (3 * sizeof(int)) =
0x8048750 + 12 =
0x804875C
#2:
A[2][0] = 6
A+36 = 9
A[3][-1] = 8
A[0][-1] = Unknown. Not a valid memory reference.
#3:
A: The layout of the structure is as follows:
Offset
Contents
4
p
8
s.x
12
s.y
next
B: 16 bytes
C: The assembly code with annotations:
movl 8(%ebp), %eax # get sp
movl 8(%eax), %edx # get sp->s.y
movl %edx, 4(%eax) # copy to sp->s.x
leal 4(%eax), %edx # get &(sp->s.x)
movl %edx, (%eax) # copy to sp->p
movl %eax, 12(%eax) # sp->next = sp
So the C code looks as follows:
void sp_init(struct prob *sp)
{
sp->s.x = sp->s.y;
sp->p = &(sp->s.x);
sp->next = sp;
}
7
b. After the ret instruction, my_function will push the (corrupted) old ebp onto the stack,
and then use 8(%ebp) to access its argumentthis will be the 0xDDCCBBAA word.
c. Yes. We just need to use gdb to figure out what the address of buf is, and then change
the return address bytes to be that address.