02 Buffer PDF

CLASSIC 
MEMORY ATKS & DEFS

CMSC 414
JAN 30 2018
TODAY’S RESOURCES
REFRESHER
• How is program data laid out in memory?
• What does the stack look like?
• What effect does calling (and returning from) a

function have on memory?
• We are focusing on the Linux process model

• Similar to other operating systems
ALL PROGRAMS ARE STORED IN MEMORY
4G
0
4G 0xffffffff
0 0x00000000
4G 0xffffffff
The process’s view

of memory is that
it owns all of it
0 0x00000000
4G 0xffffffff
The process’s view In reality, these are

of memory is that virtual addresses;
it owns all of it the OS/CPU map
them to physical
addresses
0 0x00000000
THE INSTRUCTIONS THEMSELVES ARE STORED IN MEMORY
4G 0xffffffff
Text
0 0x00000000
THE INSTRUCTIONS THEMSELVES ARE STORED IN MEMORY
4G 0xffffffff
...
0x4c2 sub $0x224,%esp
0x4c1 push %ecx
0x4bf mov %esp,%ebp
0x4be push %ebp
...
Text
0 0x00000000
DATA’S LOCATION DEPENDS ON HOW IT’S CREATED
4G 0xffffffff
Text
0 0x00000000
4G 0xffffffff
Init’d data static const int y=10;
Text
0 0x00000000
4G 0xffffffff
Uninit’d data static int x;
Init’d data static const int y=10;
Text
0 0x00000000
4G 0xffffffff

Known at Init’d data static const int y=10;
compile time
Text
0 0x00000000
4G 0xffffffff
cmdline & env

compile time
Text
0 0x00000000
4G 0xffffffff
Set when 
cmdline & env
process starts

compile time
Text
0 0x00000000
4G 0xffffffff
Set when 
cmdline & env
process starts int f() { 
Stack int x;
…

compile time
Text
0 0x00000000
4G 0xffffffff
Set when 
cmdline & env
Stack int x;
…
Heap malloc(sizeof(long));

compile time
Text
0 0x00000000
4G 0xffffffff
Set when 
cmdline & env
Stack int x;
Dynamically  …
sized at runtime

compile time
Text
0 0x00000000
4G 0xffffffff
Set when 
cmdline & env
Stack int x;
Dynamically  …
sized at runtime

compile time
Text
0 0x00000000
WE ARE GOING TO FOCUS ON RUNTIME ATTACKS
Stack and heap grow in opposite directions
0x00000000 0xffffffff
Heap Stack
Compiler provides instructions that 

adjusts the size of the stack at runtime
Heap Stack

Heap Stack
Stack
pointer

Heap Stack
Stack push 1 
push 2 
pointer push 3

Heap Stack
Stack push 1 
push 2 
pointer push 3

Heap Stack
Stack push 1 
pointer push 2 
push 3

Heap 1 Stack
Stack push 1 
pointer push 2 
push 3

Heap 1 Stack
Stack push 1 
pointer push 2 
push 3

Heap 2 1 Stack
Stack push 1 
pointer push 2 
push 3

Heap 2 1 Stack
Stack push 1 
pointer push 2 
push 3

Heap 3 2 1 Stack
Stack push 1 
pointer push 2 
push 3

Heap 3 2 1 Stack
Stack push 1 
pointer push 2 
push 3
return

Heap 3 2 1 Stack
Stack push 1 
pointer push 2 
push 3
return

Heap 3 2 1 Stack
{
apportioned by the OS; Stack push 1 
managed in-process pointer push 2 
push 3
by malloc return

Heap 3 2 1 Stack
{
apportioned by the OS; Stack push 1 
managed in-process pointer push 2 
push 3
by malloc return
Focusing on the stack for now

STACK LAYOUT WHEN CALLING FUNCTION
void func(char *arg1, int arg2, int arg3)
{
char loc1[4]
int loc2;
int loc3;
...
}
caller’s data
{
char loc1[4]
int loc2;
int loc3;
...
}
arg1 arg2 arg3 caller’s data
Arguments 
pushed in 
reverse order
of code
{
char loc1[4]
int loc2;
int loc3;
...
}
… loc2 loc1 arg1 arg2 arg3 caller’s data
Local variables  Arguments 
pushed in the pushed in 
same order as reverse order
they appear  of code
in the code
{
char loc1[4]
int loc2;
int loc3;
...
}
… loc2 loc1 ??? ??? arg1 arg2 arg3 caller’s data
in the code
{
char loc1[4]
int loc2;
int loc3;
...
}
Two values between the arguments 
0x00000000 and the local variables 0xffffffff
in the code
{
char loc1[4]
int loc2;
int loc3;
...
}
caller’s data
{
char loc1[4]
int loc2;
int loc3;
...
}
Arguments 
pushed in 
reverse order
of code
{
char loc1[4]
int loc2;
int loc3;
...
}
loc2 loc1 arg1 arg2 arg3 caller’s data
in the code
{
char loc1[4]
int loc2;
int loc3;
...
}
loc2 loc1 ??? ??? arg1 arg2 arg3 caller’s data
in the code
{
char loc1[4]
int loc2;
int loc3;
...
}
Two values between the arguments 
0x00000000 and the local variables 0xffffffff
… loc3 loc2 loc1 ??? ??? arg1 arg2 arg3 caller’s data …
in the code
STACK FRAMES
{
char loc1[4]
int loc2;
int loc3;
...
}
caller’s data
STACK FRAMES
{
char loc1[4]
int loc2;
int loc3;
...
}
STACK FRAMES
{
char loc1[4]
int loc2;
int loc3;
...
}
loc2 loc1 arg1 arg2 arg3 caller’s data
STACK FRAMES
{
char loc1[4]
int loc2;
int loc3;
...
}
… loc3 loc2 loc1 ??? ??? arg1 arg2 arg3 caller’s data …
The part of the stack corresponding to 

this particular invocation of 
this particular function
STACK FRAMES
void main() { countUp(3); }
void countUp(int n) { 
if(n > 1)
countUp(n-1);
printf(“%d\n”, n);
}
main( ) …
STACK FRAMES
if(n > 1)
countUp(n-1);
}
main( ) …
Stack
pointer
STACK FRAMES
if(n > 1)
countUp(n-1);
}
countUp(3) main( ) …
Stack
pointer
STACK FRAMES
if(n > 1)
countUp(n-1);
}
countUp(2) countUp(3) main( ) …
Stack
pointer
STACK FRAMES
if(n > 1)
countUp(n-1);
}
countUp(1) countUp(2) countUp(3) main( ) …
Stack
pointer
STACK FRAMES
if(n > 1)
countUp(n-1);
}
countUp(1) countUp(2) main( ) …
Stack
pointer
STACK FRAMES
if(n > 1)
countUp(n-1);
}
countUp(1) main( ) …
Stack
pointer
STACK FRAMES
if(n > 1)
countUp(n-1);
}
main( ) …
Stack
pointer
ACCESSING VARIABLES
{
char loc1[4]
int loc2;
int loc3;
loc2++;
}
ACCESSING VARIABLES
{
char loc1[4]
int loc2; Q: Where is (this) loc2?
int loc3;
loc2++;
}
ACCESSING VARIABLES
{
char loc1[4]
int loc3;
loc2++;
}
0xbffff323
ACCESSING VARIABLES
{
char loc1[4]
int loc3;
loc2++;
}
0xbffff323
Undecidable at 
compile time
ACCESSING VARIABLES
{
char loc1[4]
int loc3;
loc2++;
}
0xbffff323
Undecidable at  - I don’t know where loc2 is,
compile time
ACCESSING VARIABLES
{
char loc1[4]
int loc3;
loc2++;
}
Variable args?
0xbffff323
compile time - and I don’t know how many args
ACCESSING VARIABLES
{
char loc1[4]
int loc3;
loc2++;
}
4B 4B 4B 4B Variable args?
0xbffff323
ACCESSING VARIABLES
{
char loc1[4]
int loc3;
loc2++;
}
4B 4B 4B 4B Variable args?
0xbffff323
- but loc2 is always 8B before “???”s
ACCESSING VARIABLES
{
char loc1[4]
int loc3;
loc2++;
}
- I don’t know where loc2 is,

- and I don’t know how many args
ACCESSING VARIABLES
{
char loc1[4]
int loc3;
loc2++;
}
%ebp
Frame pointer - I don’t know where loc2 is,
ACCESSING VARIABLES
{
char loc1[4]
int loc3;
loc2++;
A: -8(%ebp)
}
%ebp
Frame pointer - I don’t know where loc2 is,
NOTATION
%ebp A memory address
(%ebp) The value at memory address %ebp 

(like dereferencing a pointer)
NOTATION
%ebp A memory address

NOTATION
0xbfff03b8 %ebp A memory address

NOTATION

0xbfff03b8
%ebp
NOTATION
0xbfff0720 (%ebp) The value at memory address %ebp 

0xbfff03b8
0xbfff0720
%ebp
NOTATION

pushl %ebp
0xbfff03b8
0xbfff0720
%ebp
NOTATION

pushl %ebp
%esp
0xbfff03b8
0xbfff0720
%ebp
NOTATION

pushl %ebp
%esp
0xbfff03b8
0xbfff0720
%ebp
NOTATION

pushl %ebp
%esp
0xbfff03b8
0xbfff0720
%ebp
NOTATION

pushl %ebp
%esp
0xbfff03b8
0xbfff03b8 0xbfff0720
%ebp
NOTATION

pushl %ebp
movl %esp %ebp /* %ebp = %esp */
%esp
0xbfff03b8
%ebp
NOTATION

pushl %ebp
%esp
0xbfff03b8
%ebp
NOTATION

pushl %ebp
0xbfff0200 %esp
0xbfff03b8
%ebp
NOTATION
0xbfff0200
pushl %ebp
0xbfff0200 %esp
0xbfff03b8
%ebp
NOTATION
0xbfff0200
0xbfff03b8
pushl %ebp
0xbfff0200 %esp
0xbfff03b8
%ebp
NOTATION
0xbfff0200
0xbfff03b8
pushl %ebp
movl (%ebp) %ebp /* %ebp = (%ebp) */
0xbfff0200 %esp
0xbfff03b8
%ebp
NOTATION
0xbfff0200
0xbfff03b8
pushl %ebp
movl (%ebp) %ebp /* %ebp = (%ebp) */
0xbfff0200 %esp
0xbfff03b8
%ebp
RETURNING FROM FUNCTIONS
int main()
{
...
func(“Hey”, 10, -3);
...
}
Stack frame 
%ebp for this call to func
int main()
{
...
func(“Hey”, 10, -3);
...
}
Stack frame 
%ebp for this call to func
int main()
{
...
func(“Hey”, 10, -3);
...
}
Stack frame 
%ebp for this call to func %ebp
int main()
{
...
func(“Hey”, 10, -3);
...
} Q: How do we restore %ebp?
Stack frame 
int main()
{
...
func(“Hey”, 10, -3);
...
… ??? arg1 arg2 arg3 caller’s data
Stack frame 
for this call to func %ebp
int main()
{
...
func(“Hey”, 10, -3);
...
0x00000000 %esp 0xffffffff

… ??? arg1 arg2 arg3 caller’s data
Stack frame 
int main()
{
...
func(“Hey”, 10, -3);
...

… %ebp ??? arg1 arg2 arg3 caller’s data
Stack frame 
1. Push %ebp before locals
int main()
{
...
func(“Hey”, 10, -3);
...

Stack frame 
2. Set %ebp to current %esp
int main()
{
...
func(“Hey”, 10, -3);
...

Stack frame 
2. Set %ebp to current %esp
3. Set %ebp to(%ebp) at return
int main()
{
...
func(“Hey”, 10, -3);
...
}
… loc2 loc1 %ebp ??? arg1 arg2 arg3 caller’s data
Stack frame 
int main()
{
...
func(“Hey”, 10, -3);
}
...
Q: How do we resume here?
Stack frame 
INSTRUCTIONS THEMSELVES ARE IN MEMORY
4G 0xffffffff
...
0x4a7 mov $0x0,%eax
0x4a2 call <func>
0x49b movl $0x804..,(%esp)
0x493 movl $0xa,0x4(%esp)
...
Text
0 0x00000000
4G 0xffffffff
...
0x4a7 mov $0x0,%eax
0x4a2 call <func>
0x49b movl $0x804..,(%esp)
0x493 movl $0xa,0x4(%esp) %eip
...
Text
0 0x00000000
4G 0xffffffff
...
0x4a7 mov $0x0,%eax
0x4a2 call <func>
0x49b movl $0x804..,(%esp) %eip
...
Text
0 0x00000000
4G 0xffffffff
...
0x4a7 mov $0x0,%eax
0x4a2 call <func> %eip
0x49b movl $0x804..,(%esp)
...
Text
0 0x00000000
4G 0xffffffff
...
0x5bf mov %esp,%ebp
0x5be push %ebp
...
...
0x4a7 mov $0x0,%eax
0x4a2 call <func> %eip
0x49b movl $0x804..,(%esp)
...
Text
0 0x00000000
4G 0xffffffff
...
0x5bf mov %esp,%ebp
0x5be push %ebp %eip
...
...
0x4a7 mov $0x0,%eax
0x4a2 call <func>
0x49b movl $0x804..,(%esp)
...
Text
0 0x00000000
4G 0xffffffff
... %eip
0x5bf mov %esp,%ebp
0x5be push %ebp
...
...
0x4a7 mov $0x0,%eax
0x4a2 call <func>
0x49b movl $0x804..,(%esp)
...
Text
0 0x00000000
4G 0xffffffff
...
0x5bf mov %esp,%ebp
0x5be push %ebp
...
...
0x4a7 mov $0x0,%eax %eip
0x4a2 call <func>
0x49b movl $0x804..,(%esp)
...
Text
0 0x00000000
int main()
{
...
func(“Hey”, 10, -3);
... Q: How do we resume here?
}
Stack frame 
int main()
{
...
func(“Hey”, 10, -3);
}
Stack frame 
Push next %eip 

before call
int main()
{
...
func(“Hey”, 10, -3);
}
… loc2 loc1 %ebp %eip
??? arg1 arg2 arg3 caller’s data
Stack frame 
Push next %eip 

before call
int main()
{
...
func(“Hey”, 10, -3);
}
… loc2 loc1 %ebp %eip
??? arg1 arg2 arg3 caller’s data
Stack frame 
Set %eip to 4(%ebp) Push next %eip 

at return before call
RETURNING FROM A FUNCTION
In C In compiled assembly
leave: mov %esp %ebp
return; pop %ebp
ret: pop %eip
Current stack frame Caller’s stack frame
text ... loc2 loc1 %ebp %eip arg1
%eip %esp %ebp

return; pop %ebp
ret: pop %eip
%eip %esp %ebp

Old frame pointer
return; pop %ebp
ret: pop %eip
Caller’s code
%eip %esp %ebp

Old frame pointer
return; pop %ebp
ret: pop %eip
Caller’s code
%eip %esp %ebp

Old frame pointer
return; pop %ebp
ret: pop %eip
%eip %ebp
%esp
return; pop %ebp
ret: pop %eip
%eip %ebp %esp

return; pop %ebp
ret: pop %eip
%eip %esp %ebp

return; pop %ebp
ret: pop %eip
%eip %esp %ebp

return; pop %ebp
ret: pop %eip
%eip %esp %ebp

The next instruction is to “remove” 
the arguments off the stack
return; pop %ebp
ret: pop %eip
%eip %esp %ebp

The next instruction is to “remove”  And now we’re 
the arguments off the stack back where we started
STACK & FUNCTIONS: SUMMARY
Calling function (before calling):
1.Push arguments onto the stack (in reverse)
2.Push the return address, i.e., the address of the instruction you want run after
control returns to you: e.g., %eip + 2
3.Jump to the function’s address
Called function (when called):

4.Push the old frame pointer onto the stack: push %ebp
5.Set frame pointer %ebp to where the end of the stack is right now: %ebp=%esp
6.Push local variables onto the stack; access them as offsets from %ebp

Called function (when returning):

7.Reset the previous stack frame: %esp = %ebp; pop %ebp
8.Jump back to return address: pop %eip


Calling function (after return):

9.Remove the arguments off of the stack: %esp = %esp + number of bytes of args
BUFFER OVERFLOW
ATTACKS
BUFFER OVERFLOWS: HIGH LEVEL
• Buffer =
• Contiguous set of a given data type
• Common in C
- All strings are buffers of char’s
• Overflow =
• Put more into the buffer than it can hold
• Where does the extra data go?
• Well now that you’re experts in memory layouts…

A BUFFER OVERFLOW EXAMPLE
void func(char *arg1)
{
char buffer[4];
strcpy(buffer, arg1);
...
}
int main()
{
char *mystr = “AuthMe!”;
func(mystr);
...
}
{
char buffer[4];
...
}
int main()
{
func(mystr);
...
}
{
char buffer[4];
...
}
int main()
{
func(mystr);
...
}
&arg1
{
char buffer[4];
...
}
int main()
{
func(mystr);
...
}
%eip &arg1
{
char buffer[4];
...
}
int main()
{
func(mystr);
...
}
%ebp %eip &arg1

{
char buffer[4];
...
}
int main()
{
func(mystr);
...
}
00 00 00 00 %ebp %eip &arg1

buffer
{
char buffer[4];
...
}
int main()
{
func(mystr);
...
}
00
A 00
u 00
t 00
h %ebp %eip &arg1
buffer
{
char buffer[4];
...
}
int main()
{
func(mystr);
...
}
M e ! \0
00
A 00
u 00
t 00
h 4d %ebp
65 21 00 %eip &arg1
buffer
{
char buffer[4];
...
}
int main()
{
func(mystr);
...
}
Upon return, sets %ebp to 0x0021654d

M e ! \0
00
A 00
u 00
t 00
h 4d %ebp
65 21 00 %eip &arg1
buffer
{
char buffer[4];
...
}
int main()
{
func(mystr);
...
}
Upon return, sets %ebp to 0x0021654d

M e ! \0
00
A 00
u 00
t 00
h 4d %ebp
65 21 00 %eip &arg1
buffer SEGFAULT (0x00216551)
{
int authenticated = 0;
char buffer[4];
if(authenticated) { ...
}
int main()
{
func(mystr);
...
}
{
char buffer[4];
}
int main()
{
func(mystr);
...
}
{
char buffer[4];
}
int main()
{
func(mystr);
...
}
&arg1
{
char buffer[4];
}
int main()
{
func(mystr);
...
}
%eip &arg1
{
char buffer[4];
}
int main()
{
func(mystr);
...
}
%ebp %eip &arg1

{
char buffer[4];
}
int main()
{
func(mystr);
...
}
00 00 00 00 %ebp %eip &arg1

authenticated
{
char buffer[4];
}
int main()
{
func(mystr);
...
}
00 00 00 00 00 00 00 00 %ebp %eip &arg1

buffer authenticated
{
char buffer[4];
}
int main()
{
func(mystr);
...
}
00
A 00
u 00 h 00 00 00 00
t 00 %ebp %eip &arg1
{
char buffer[4];
}
int main()
{
func(mystr);
...
}
M e ! \0
00
A 00
u 00 h 4d
t 00 00 65
00 21
00 00 %ebp %eip &arg1
{
char buffer[4];
}
int main()
{
func(mystr);
...
}
Code still runs; user now ‘authenticated’

M e ! \0
00
A 00
u 00 h 4d
t 00 00 65
00 21
00 00 %ebp %eip &arg1
void vulnerable()
{
char buf[80];
gets(buf);
}
void vulnerable()
{
char buf[80];
gets(buf);
}
void still_vulnerable()
{
char *buf = malloc(80);
gets(buf);
}
void safe()
{
char buf[80];
fgets(buf, 64, stdin);
}
void safe()
{
char buf[80];
fgets(buf, 64, stdin);
}
void safer()
{
char buf[80];
fgets(buf, sizeof(buf), stdin);
}
USER-SUPPLIED STRINGS
• In these examples, we were providing our own strings
• But they come from users in myriad aways

• Text input
• Network packets
• Environment variables
• File input…
WHAT’S THE WORST THAT CAN HAPPEN?
{
char buffer[4];
...
}
00 00 00 00 %ebp %eip &mystr

buffer
{
char buffer[4];
...
}
00 00 00 00 %ebp %eip &mystr

buffer
strcpy will let you write as much as you want (til a ‘\0’)
{
char buffer[4];
...
}
All ours!
00 00 00 00 %ebp %eip &mystr
buffer
{
char buffer[4];
...
}
All ours!
00 00 00 00 %ebp %eip &mystr
buffer
What could you write to memory to wreak havoc?

FIRST A RECAP: ARGS
#include <stdio.h>

{
printf(“arg1 is at %p\n”, &arg1);
}
int main()
{
func(“Hello”, 10, -3);
return 0;
}
FIRST A RECAP: ARGS
#include <stdio.h>

{
}
int main()
{
func(“Hello”, 10, -3);
return 0;
}
What will happen?

&arg1 < &arg2 < &arg3? &arg1 > &arg2 > &arg3?
FIRST A RECAP: LOCALS
#include <stdio.h>
void func()
{
char loc1[4];
int loc2;
int loc3;
printf(“loc1 is at %p\n”, &loc1);
}
int main()
{
func();
return 0;
}
FIRST A RECAP: LOCALS
#include <stdio.h>
void func()
{
char loc1[4];
int loc2;
int loc3;
}
int main()
{
func();
return 0;
}
What will happen?

&loc1 < &loc2 < &loc3? &loc1 > &loc2 > &loc3?
2.Push the return address, i.e., the address of the instruction you want run after control
returns to you: e.g., %eip + 2


%eip %ebp
~0x0
0x0
code caller’s data



%eip %ebp
~0x0
0x0
code arg2 caller’s data



%eip %ebp
~0x0
0x0
code arg1 arg2 caller’s data



%eip %ebp
~0x0
0x0
code %eip+… arg1 arg2 caller’s data



%eip %ebp
~0x0
0x0



%eip %ebp
~0x0
0x0



%eip %ebp
~0x0
0x0
code %ebp %eip+… arg1 arg2 caller’s data



%eip %ebp
~0x0
0x0



%eip %ebp
~0x0
0x0



%eip %ebp
~0x0
0x0
code loc1 %ebp %eip+… arg1 arg2 caller’s data



%eip %ebp
~0x0
0x0
code loc2 loc1 %ebp %eip+… arg1 arg2 caller’s data



%eip %ebp
~0x0
0x0



%eip %ebp
~0x0
0x0

GDB: YOUR NEW BEST FRIEND
Run the program with input as the 
run <input>
command-line arguments
print <var>  Print the value of variable var 

(or just “p <var>”) (Can also do some operations: p &x)
b <function> Set a breakpoint at function
s  step through execution (into calls) 

c continue execution (no more stepping)
GDB: YOUR NEW BEST FRIEND
info frame  Show info about the current frame 
(or just “i f”) (prev. frame, locals/args, %ebp/%eip)
info reg  Show info about registers 

(or just “i r”) (%ebp, %eip, %esp, etc.)
Examine <n> bytes of memory 

x/<n> <addr>
starting at address <addr>
BUFFER OVERFLOW
char loc1[4];
BUFFER OVERFLOW
char loc1[4];
gets(loc1); 
strcpy(loc1, <user input>);
memcpy(loc1, <user input>);
etc.
BUFFER OVERFLOW
char loc1[4];
code loc2 loc1 Input
%ebpwrites fromarg1
%eip+… arg2addresses
low to high caller’s data
gets(loc1); 
etc.
BUFFER OVERFLOW
char loc1[4];
Input writes from low to high addresses
gets(loc1); 
etc.
BUFFER OVERFLOW
Can over-write other data (“AuthMe!”)
char loc1[4];
gets(loc1); 
etc.
BUFFER OVERFLOW
Can over-write other data (“AuthMe!”)
Can over-write the program’s control flow (%eip)
char loc1[4];
gets(loc1); 
etc.
CODE
INJECTION
HIGH-LEVEL IDEA
{
char buffer[4];
sprintf(buffer, arg1);
...
}
... 00 00 00 00 %ebp %eip &arg1 …

buffer
HIGH-LEVEL IDEA
{
char buffer[4];
...
}
... 00 00 00 00 %ebp %eip &arg1 … Haxx0r c0d3

buffer
(1) Load our own code into memory

HIGH-LEVEL IDEA
{
char buffer[4];
...
}
%eip
text ... 00 00 00 00 %ebp %eip &arg1 … Haxx0r c0d3

buffer

(2) Somehow get %eip to point to it
HIGH-LEVEL IDEA
{
char buffer[4];
...
}
%eip

buffer

HIGH-LEVEL IDEA
{
char buffer[4];
...
}
%eip

buffer

THIS IS NONTRIVIAL
• Pulling off this attack requires getting a few things

really right (and some things sorta right)
• Think about what is tricky about the attack

• The key to defending it will be to make the hard parts
really hard
CHALLENGE 1: LOADING CODE INTO MEMORY
• It must be the machine code instructions 
(i.e., already compiled and ready to run)
• We have to be careful in how we construct it:

• It can’t contain any all-zero bytes
- Otherwise, sprintf / gets / scanf / … will stop copying
- How could you write assembly to never contain a full zero byte?
• It can’t make use of the loader (we’re injecting)
• It can’t use the stack (we’re going to smash it)
WHAT KIND OF CODE WOULD WE WANT TO RUN?
• Goal: full-purpose shell

• The code to launch a shell is called “shell code”
• It is nontrivial to it in a way that works as injected code
- No zeroes, can’t use the stack, no loader dependence
• There are many out there
- And competitions to see who can write the smallest
• Goal: privilege escalation

• Ideally, they go from guest (or non-user) to root
SHELLCODE
#include <stdio.h>
int main( ) {
char *name[2];
name[0] = “/bin/sh”;
name[1] = NULL;
execve(name[0], name, NULL);
}
SHELLCODE
#include <stdio.h>
int main( ) {
char *name[2];
name[1] = NULL;
}
xorl %eax, %eax

pushl %eax
Assembly
pushl $0x68732f2f
pushl $0x6e69622f
movl %esp,%ebx
pushl %eax
...
SHELLCODE
#include <stdio.h>
int main( ) {
char *name[2];
name[1] = NULL;
}
xorl %eax, %eax

pushl %eax
Assembly
pushl $0x68732f2f
pushl $0x6e69622f
movl %esp,%ebx
pushl %eax
...
SHELLCODE
#include <stdio.h>
int main( ) {
char *name[2];
name[1] = NULL;
}
xorl %eax, %eax “\x31\xc0”
Machine code
pushl %eax “\x50”
Assembly
pushl $0x68732f2f “\x68””//sh”

pushl $0x6e69622f “\x68””/bin”
movl %esp,%ebx “\x89\xe3”
... ...
SHELLCODE
#include <stdio.h>
int main( ) {
char *name[2];
name[1] = NULL;
}
xorl %eax, %eax “\x31\xc0”
Machine code
Assembly
pushl $0x68732f2f “\x68””//sh”

(Part of)
pushl $0x6e69622f “\x68””/bin” your
movl %esp,%ebx “\x89\xe3” input
... ...
PRIVILEGE ESCALATION
• More on Unix permissions later, but for now…
• Recall that each file has:

• Permissions: read / write / execute
• For each of: owner / group / everyone else
• Permissions are defined over userid’s and groupid's

• Every user has a userid
• root’s userid is 0
• Consider a service like passwd

• Owned by root (and needs to do root-y things)
• But you want any user to be able to execute it
REAL VS EFFECTIVE USERID
• (Real) Userid = the user who ran the process
• Effective userid = what is used to determine what

permissions/access the process has
• Consider passwd: root owns it, but users can run it

• getuid() will return who ran it (real userid)
• seteuid(0) to set the effective userid to root
- It’s allowed to because root is the owner
• What is the potential attack?

REAL VS EFFECTIVE USERID
• (Real) Userid = the user who ran the process
• Effective userid = what is used to determine what

permissions/access the process has
• Consider passwd: root owns it, but users can run it

• getuid() will return who ran it (real userid)
• seteuid(0) to set the effective userid to root
- It’s allowed to because root is the owner
• What is the potential attack?

If you can get a root-owned process to run 
setuid(0)/seteuid(0), then you get root permissions
CHALLENGE 2: GETTING OUR INJECTED CODE TO RUN
• All we can do is write to memory from buffer onward

• With this alone we want to get it to jump to our code
• We have to use whatever code is already running
... 00 00 00 00 %ebp %eip &arg1 …

buffer
Thoughts?

... 00 00 00 00 %ebp %eip &arg1 …

buffer
Thoughts?

... 00 00 00 00 %ebp %eip &arg1 … \x0f \x3c \x2f ...
buffer
Thoughts?

%eip
text ... 00 00 00 00 %ebp %eip &arg1 … \x0f \x3c \x2f ...
buffer
Thoughts?

%eip
buffer
Thoughts?

%eip
buffer
Thoughts?


Calling function (after return):

9.Remove the arguments off of the stack: %esp = %esp + number of bytes of args
HIJACKING THE SAVED %EIP
%eip %ebp
buffer
0xbff
%eip %ebp
text ... 00 00 00 00 %ebp %eip

0xbff &arg1 … \x0f \x3c \x2f ...
buffer
0xbff
%ebp %eip
text ... 00 00 00 00 %ebp %eip

buffer
0xbff
%ebp %eip
text ... 00 00 00 00 %ebp %eip

buffer
0xbff
But how do we know the address?

What if we are wrong?
%eip %ebp
text ... 00 00 00 00 %ebp %eip

buffer
0xbff
%eip %ebp
text ... 00 00 00 00 %ebp %eip

0xbff &arg1 …
0xbdf \x0f \x3c \x2f ...
buffer
0xbff
%ebp %eip
text ... 00 00 00 00 %ebp %eip

0xbff &arg1 …
buffer
0xbff
%ebp %eip
text ... 00 00 00 00 %ebp %eip

0xbff &arg1 …
buffer
0xbff
This is most likely data,

so the CPU will panic
(Invalid Instruction)
CHALLENGE 3: FINDING THE RETURN ADDRESS
• If we don’t have access to the code, we don’t know how
far the buffer is from the saved %ebp
• One approach: just try a lot of different values!

• Worst case scenario: it’s a 32 (or 64) bit memory space,

which means 232 (264) possible answers
• Worst case scenario: it’s a 32 (or 64) bit memory space,

which means 232 (264) possible answers
• But without address randomization:

• The stack always starts from the same, fixed address
• The stack will grow, but usually it doesn’t grow very deeply
(unless the code is heavily recursive)
IMPROVING OUR CHANCES: NOP SLEDS
nop is a single-byte instruction
(just moves to the next instruction)
%eip %ebp
text ... 00 00 00 00 %ebp %eip

0xbff &arg1 …
buffer
0xbff
%eip %ebp
text ... 00 00 00 00 %ebp %eip &arg1

0xbff nop
0xbdf nop nop …
… \x0f \x3c \x2f ...
buffer
0xbff
Jumping anywhere
%eip %ebp here will work
text ... 00 00 00 00 %ebp %eip &arg1

0xbff nop
0xbdf nop nop …
… \x0f \x3c \x2f ...
buffer
0xbff
Jumping anywhere
text ... 00 00 00 00 %ebp %eip &arg1

0xbff nop
0xbdf nop nop …
… \x0f \x3c \x2f ...
buffer
Jumping anywhere
text ... 00 00 00 00 %ebp %eip &arg1

0xbff nop
0xbdf nop nop …
… \x0f \x3c \x2f ...
buffer
Now we improve our chances 

of guessing by a factor of #nops
BUFFER OVERFLOWS: PUTTING IT ALL TOGETHER
%eip
text ... 00 00 00 00 %ebp %eip &arg1 …

buffer
%eip padding
text ... 00 00 00 00 %ebp %eip &arg1 …

buffer
But it has to be something; 
we have to start writing wherever 
the input to gets/etc. begins.
%eip padding
text ... 00 00 00 00 %ebp %eip &arg1 …

buffer
good 
padding
%eip guess
text ... 00 00 00 00 %ebp %eip

0xbdf &arg1 …
buffer
good 
padding
%eip guess
text ... 00 00 00 00 %ebp %eip &arg1

0xbdf nop nop nop …
…
buffer
nop sled
good 
padding
%eip guess
text ... 00 00 00 00 %ebp %eip &arg1

… \x0f \x3c \x2f ...
buffer
nop sled malicious code

good 
padding
guess %eip
text ... 00 00 00 00 %ebp %eip &arg1

… \x0f \x3c \x2f ...
buffer

good 
padding
guess %eip
text ... 00 00 00 00 %ebp %eip &arg1

… \x0f \x3c \x2f ...
buffer

02 Buffer PDF

Uploaded by

Copyright:

Available Formats

02 Buffer PDF

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

02 Buffer PDF

Uploaded by

Copyright:

Available Formats

CLASSIC

MEMORY ATKS & DEFS

• What does the stack look like?

• What effect does calling (and returning from) a

• We are focusing on the Linux process model

The process’s view

The process’s view In reality, these are

Init’d data static const int y=10;

Uninit’d data static int x;

Init’d data static const int y=10;

Uninit’d data static int x;

Uninit’d data static int x;

Uninit’d data static int x;

Uninit’d data static int x;

Uninit’d data static int x;

Uninit’d data static int x;

Uninit’d data static int x;

Compiler provides instructions that

Compiler provides instructions that

Compiler provides instructions that

Compiler provides instructions that

Compiler provides instructions that

Compiler provides instructions that

Compiler provides instructions that

Compiler provides instructions that

Compiler provides instructions that

Compiler provides instructions that

Compiler provides instructions that

Compiler provides instructions that

Compiler provides instructions that

Compiler provides instructions that

Focusing on the stack for now

The part of the stack corresponding to

- I don’t know where loc2 is,

(%ebp) The value at memory address %ebp

(%ebp) The value at memory address %ebp

(%ebp) The value at memory address %ebp

(%ebp) The value at memory address %ebp

0xbfff0720 (%ebp) The value at memory address %ebp

0xbfff0720 (%ebp) The value at memory address %ebp

0xbfff0720 (%ebp) The value at memory address %ebp

0xbfff0720 (%ebp) The value at memory address %ebp

0xbfff0720 (%ebp) The value at memory address %ebp

0xbfff0720 (%ebp) The value at memory address %ebp

0xbfff0720 (%ebp) The value at memory address %ebp

0xbfff0720 (%ebp) The value at memory address %ebp

0xbfff0720 (%ebp) The value at memory address %ebp

movl (%ebp) %ebp /* %ebp = (%ebp) */

movl (%ebp) %ebp /* %ebp = (%ebp) */

0x00000000 %esp 0xffffffff

0x00000000 %esp 0xffffffff

0x00000000 %esp 0xffffffff

0x00000000 %esp 0xffffffff

Push next %eip

Push next %eip

Set %eip to 4(%ebp) Push next %eip

Current stack frame Caller’s stack frame

text ... loc2 loc1 %ebp %eip arg1

%eip %esp %ebp

CLASSIC 

Compiler provides instructions that 

Compiler provides instructions that 

Compiler provides instructions that 

Compiler provides instructions that 

Compiler provides instructions that 

Compiler provides instructions that 

Compiler provides instructions that 

Compiler provides instructions that 

Compiler provides instructions that 

Compiler provides instructions that 

Compiler provides instructions that 

Compiler provides instructions that 

Compiler provides instructions that 

Compiler provides instructions that 

The part of the stack corresponding to 

(%ebp) The value at memory address %ebp 

(%ebp) The value at memory address %ebp 

(%ebp) The value at memory address %ebp 

(%ebp) The value at memory address %ebp 

0xbfff0720 (%ebp) The value at memory address %ebp 

0xbfff0720 (%ebp) The value at memory address %ebp 

0xbfff0720 (%ebp) The value at memory address %ebp 

0xbfff0720 (%ebp) The value at memory address %ebp 

0xbfff0720 (%ebp) The value at memory address %ebp 

0xbfff0720 (%ebp) The value at memory address %ebp 

0xbfff0720 (%ebp) The value at memory address %ebp 

0xbfff0720 (%ebp) The value at memory address %ebp 

0xbfff0720 (%ebp) The value at memory address %ebp 

Push next %eip 

Push next %eip 

Set %eip to 4(%ebp) Push next %eip 