Professional Documents
Culture Documents
0x41 BufferOverflow
0x41 BufferOverflow
1
Content
Intel Architecture
C Arrays
BoF Exploit
Assembler
Remote Exploit
Shellcode
Exploit Mitigations
Function Calls
3
Buffalo Overflow
4
Buffer Overflow
▪ Challenge9
# ./challenge9 <username> <password>
5
Buffer Overflow
isAdmin = checkPassword(password);
strcpy(firstname, username);
if(isAdmin > 0) {
printf("Hello %s.\nYou are admin!\n”, name);
printf(“isAdmin: 0x%x\n", isAdmin);
} else {
printf("Hello %s.\nYou are not admin.\n”, name);
printf(“isAdmin: 0x%x\n", isAdmin);
}
}
6
Buffer Overflow
if (strcmp(hash, adminHash) == 0) {
return 1;
} else {
return 0;
}
}
7
Buffer Overflow
&password
&username
SIP
SFP Stack Frame
<handleData>
isAdmin
firstname[16]
push pop
8
Buffer Overflow - Basic Layout
9
Buffer Overflow - Basic Layout
Write up
10
Buffer Overflow: handleData()
11
Buffer Overflow
12
Buffer Overflow
0 <undefined> <undef>
13
Buffer Overflow
0 <undefined> <undef>
1 <undefined> 0x00000000
14
Buffer Overflow
0 <undefined> <undef>
1 <undefined> 0x00000000
2 AAAAAAAAAAAAAAAAAAAAA 0x00000000
15
Buffer Overflow
0 <undefined> <undef>
1 <undefined> 0x00000000
2 AAAAAAAAAAAAAAAAAAAAA 0x00000000
2 AAAAAAAAAAAAAAAAAAAAA 0x00000041
16
Buffer Overflow
17
Buffer Overflow
2 AAAAAAAAAAAAAAA A 0 0 0
18
Buffer Overflow
2 AAAAAAAAAAAAAAA A 0 0 0
19
Buffer Overflow
20
Buffer Overflow
Recap:
▪ Local variables of a function (buffers) are allocated adjectant to each other
▪ One after another, as written in the source code (first initialized first allocated)
21
Buffer Overflow
22
References
References:
▪ https://www.uperesia.com/buffer-overflow-explained
▪ https://www.youtube.com/watch?v=1S0aBV-Waeo Buffer Overflow Attack - Computerphile
23