CSE 351: Week 6 (Tom Bergan, TA) - PowerPoint PPT Presentation





SLIDE 1

CSE 351: Week 6

Tom Bergan, TA


SLIDE 2

Today

  • Questions on the midterm?
  • Lab 3


SLIDE 3

Lab 3: Buffer Overflow

int getbuf() { char buf[36]; Gets(buf); return 1; }

The Stack in getbuf() (higher addresses at the top):

  return addr
   :   :
  saved regs (if any)
  local vars

This has a buffer overflow. Why?

  • Gets() doesn’t check the length of the buffer
SLIDE 5

Lab 3: Buffer Overflow

int getbuf() { char buf[36]; Gets(buf); return 1; }

The Stack in getbuf() (higher addresses at the top):

  return addr
   :   :
  saved regs (if any)
  buf[35]   \
   :         } 36 bytes
  buf[0]    /

This has a buffer overflow. Why?

  • Gets() doesn’t check the length of the buffer
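
As an added example (not part of these slides or the lab's own code), the same getbuf() with the unbounded Gets() call replaced by a bounded reader: the 36-byte buf stays, but a line longer than fits is discarded and reported instead of being written over the saved registers and the return address. gets_bounded, getbuf_bounded and getbuf_from_string are names chosen here, and the sample lines are constructed.

```c
#include <stdio.h>
#include <string.h>
#define BUF_SIZE 36   /* same local buffer size as the lab's getbuf() */
/* 1 = whole line fit, -1 = line longer than buf (excess discarded), 0 = EOF */
enum read_status { READ_EOF = 0, READ_OK = 1, READ_TRUNCATED = -1 };

/* Bounded stand-in for Gets(): writes at most `size` bytes into buf, so an
   over-long line cannot reach the saved registers or the return address. */
static enum read_status gets_bounded(char *buf, size_t size, FILE *in)
{
    if (size == 0 || fgets(buf, (int)size, in) == NULL) return READ_EOF;
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';               /* whole line fit: drop newline */
        return READ_OK;
    }
    /* No newline in buf: the line ended exactly at the limit (or at EOF),
       or it was too long. Peek one byte to tell, then drain the excess. */
    int c = fgetc(in);
    if (c == EOF || c == '\n') return READ_OK;
    while (c != '\n' && c != EOF) c = fgetc(in);
    return READ_TRUNCATED;
}

/* Hardened getbuf(): same 36-byte buf, but the read is bounded by sizeof buf
   and the caller is told when the input was rejected as too long. */
int getbuf_bounded(FILE *in)
{
    char buf[BUF_SIZE];
    return (int)gets_bounded(buf, sizeof buf, in);
}

/* Run getbuf_bounded() over a constructed line via a temporary FILE. */
int getbuf_from_string(const char *line)
{
    FILE *in = tmpfile();
    if (in == NULL) return READ_EOF;
    fputs(line, in);
    rewind(in);
    int r = getbuf_bounded(in);
    fclose(in);
    return r;
}

int main(void)
{   /* a 40-byte line: Gets() would spill past buf[35]; here it is rejected */
    printf("%d %d\n", getbuf_from_string("hello\n"),
           getbuf_from_string("0123456789012345678901234567890123456789\n"));
    return 0;
}
```

fgets() stores at most size-1 bytes plus the terminating NUL, so a 35-character line is the longest that fits in buf[36]; a 36-character line is reported as truncated.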

SLIDE 6

Level 0: Call smoke()

Goal: call the smoke() function from getbuf()

int getbuf() { char buf[36]; Gets(buf); return 1; }

The Stack in getbuf() (higher addresses at the top):

  return addr
   :   :
  saved regs (if any)
  buf[35]   \
   :         } 36 bytes
  buf[0]    /

How?

  • overwrite the return address so we “return” to smoke()

SLIDE 7

Level 1: Call fizz()

Goal: call fizz() with a special parameter (your “cookie”)

int getbuf() { char buf[36]; Gets(buf); return 1; }

The Stack in getbuf() (higher addresses at the top):

  return addr
   :   :
  saved regs (if any)
  buf[35]   \
   :         } 36 bytes
  buf[0]    /

SLIDE 8

Level 1: Call fizz()

Goal: call fizz() with a special parameter (your “cookie”)

How?

  1. overwrite the return address
  2. jump inside the buffer
  3. write x86 code in the buffer

(the write-up tells you which instructions to use)

int getbuf() { char buf[36]; Gets(buf); return 1; }

The Stack in getbuf() (higher addresses at the top):

  return addr
   :   :
  saved regs (if any)
   :
  (your code here)
   :

SLIDE 9

Level 2: Call bang()

Goal: call bang() after writing your “cookie” to a global variable

How? Same as before!

  1. overwrite the return address
  2. jump inside the buffer
  3. write x86 code in the buffer

int getbuf() { char buf[36]; Gets(buf); return 1; }

The Stack in getbuf() (higher addresses at the top):

  return addr
   :   :
  saved regs (if any)
   :
  (your code here)
   :