Exploit Development (part 3) Stack Frame for Function

00:04

Okay, We are in our 1 to 8 point Ken virtual machine

00:09

and actually have the source code

00:12

that we want already in here. So we just go Thio applications, accessories and in terminal.

00:20

I make this a little bit bigger,

00:24

and you don't have to do this, of course, but just make it a little bit bigger. Think up more screens, face. We've spent a lot of time looking at the tiny journal and Callie after all.

00:35

All right, so we actually already have the source code and hear from using my VM. I've encouraged you to do so.

00:42

Download it and we haven't already set up. But if not, the source code is in the slides.

00:49

And he also just read it off the video, Of course. So we have overflow test that C.

00:56

And it is a simple see program with a little bit of a problem, as we will see.

01:02

So it's pretty much as simple as a program conjugate. It doesn't do very much. We have main. We learned about a little bit about sea in an earlier section, like a Section three.

01:15

We learned a little bit of programming, including see, I don't really have to know much. See, for this class. But Main will be called in. The program starts, and it does take command line arguments.

01:27

The first thing that happens when we start main is called a Function called Function,

01:34

and it passes the first command line argument RV one og. The zero is the name of the program itself. RV one is going to be the first argument supplied by the user of the command line.

01:47

So we call function. If you remember our picture and our slides will put that return address so the next instructions be executed. Which, one would assume would be the first assembly instruction of this print. F would be pushed onto the stack, and then we would create a stack for him for function.

02:05

It does take

02:07

an argument.

02:08

The inside of a function. We create a character Ray called Buffer.

02:13

Call it whatever you want, of course, an itch five characters long, so we will have five characters

02:19

of space inside of the stack frame for function. Well, see, we actually have a bit more wiggle room in there that will be extra space for

02:28

function to do its work, but we won't have unlimited space. Certainly

02:34

we have string copy or str Cp. Why?

02:38

So that is one of our

02:39

bad functions and see. There's certainly not a rule that says you can't use this just if we want to use string copy correctly,

02:47

we would need to do some extra work on our own. And there are functions that

02:53

do not have the same issues. A string copy well in particular string Copy doesn't do any bounds. Checking string copy takes

03:01

our source here and puts it into our destination. Tow it, copied it, bite by bite into our destination, and it doesn't care whether it fits or not. We have, say, five characters to work with. We have no problem or street coffee has a problem copying 1000 characters into the five characters. Well,

03:22

I might not be such a bad thing, right? We would

03:23

copying the 1st 1 the 2nd 1/3 1 fourth, one the 5th 1 When we go back to the 1st 1 and basically just loop around, right?

03:30

Well, no, it's not what happens at all. In fact, it just keeps writing down adjacent memory that we will overwrite memory

03:39

next to buffer. We could even right out of the stack frame,

03:45

maybe even override that return address and even part of Maine. And we could even write all the way to the bottom of this. I can make the program crashed with an access violation. Drink coffee does not care.

03:55

So

03:57

again, we could use that properly.

04:00

We could do bounce checking ourselves. We just added a little bit of code checks to make sure our input is less than five characters.

04:08

But in this case, the developer doesn't do that.

04:12

So

04:13

that is going to be our simple buffer. Overflow example she might have imagined this was

04:17

very similar to wait. I was first taught August. It wasn't how I was first thought it was the first time it made sense to me so that I have started teaching at the same way.

04:30

And we will, of course, move on two examples that

04:33

are more real world. Hopefully, people write programs that are a little more complicated than this one,

04:41

but we will see some real programs in the rest of our exploit development. But this is just, you know, pretty much as simple as it gets. We can get an idea of what's going on and also see Olympics example, since the rest of our examples will be in Windows. But our main problem here again is the string copy str Seafood. Why

05:00

so after the string, coffee finishes function

05:02

finishes and we returned to Maine,

05:05

which is the return address is intact.

05:08

Should send us to this print F, which will print out to the screen executed. Normally

05:15

noticed there is 1/3 function overflowed, which just prints out execution hijacked of screen.

05:23

But notice that under normal *** circumstances overflowed has never called. We start with main main cause function. Function just returns