Time
14 hours 26 minutes
Difficulty
Advanced
CEU/CPE
15

Video Description

This lesson covers stack frames for functions. Participants receive step by step instructions using string copy commands to create stack frames for functions. This lesson also covers balance checking.

Video Transcription

00:04
Okay, We are in our 1 to 8 point Ken virtual machine
00:09
and actually have the source code
00:12
that we want already in here. So we just go Thio applications, accessories and in terminal.
00:20
I make this a little bit bigger,
00:24
and you don't have to do this, of course, but just make it a little bit bigger. Think up more screens, face. We've spent a lot of time looking at the tiny journal and Callie after all.
00:35
All right, so we actually already have the source code and hear from using my VM. I've encouraged you to do so.
00:42
Download it and we haven't already set up. But if not, the source code is in the slides.
00:49
And he also just read it off the video, Of course. So we have overflow test that C.
00:56
And it is a simple see program with a little bit of a problem, as we will see.
01:02
So it's pretty much as simple as a program conjugate. It doesn't do very much. We have main. We learned about a little bit about sea in an earlier section, like a Section three.
01:15
We learned a little bit of programming, including see, I don't really have to know much. See, for this class. But Main will be called in. The program starts, and it does take command line arguments.
01:27
The first thing that happens when we start main is called a Function called Function,
01:34
and it passes the first command line argument RV one og. The zero is the name of the program itself. RV one is going to be the first argument supplied by the user of the command line.
01:47
So we call function. If you remember our picture and our slides will put that return address so the next instructions be executed. Which, one would assume would be the first assembly instruction of this print. F would be pushed onto the stack, and then we would create a stack for him for function.
02:05
It does take
02:07
an argument.
02:08
The inside of a function. We create a character Ray called Buffer.
02:13
Call it whatever you want, of course, an itch five characters long, so we will have five characters
02:19
of space inside of the stack frame for function. Well, see, we actually have a bit more wiggle room in there that will be extra space for
02:28
function to do its work, but we won't have unlimited space. Certainly
02:34
we have string copy or str Cp. Why?
02:38
So that is one of our
02:39
bad functions and see. There's certainly not a rule that says you can't use this just if we want to use string copy correctly,
02:47
we would need to do some extra work on our own. And there are functions that
02:53
do not have the same issues. A string copy well in particular string Copy doesn't do any bounds. Checking string copy takes
03:01
our source here and puts it into our destination. Tow it, copied it, bite by bite into our destination, and it doesn't care whether it fits or not. We have, say, five characters to work with. We have no problem or street coffee has a problem copying 1000 characters into the five characters. Well,
03:22
I might not be such a bad thing, right? We would
03:23
copying the 1st 1 the 2nd 1/3 1 fourth, one the 5th 1 When we go back to the 1st 1 and basically just loop around, right?
03:30
Well, no, it's not what happens at all. In fact, it just keeps writing down adjacent memory that we will overwrite memory
03:39
next to buffer. We could even right out of the stack frame,
03:45
maybe even override that return address and even part of Maine. And we could even write all the way to the bottom of this. I can make the program crashed with an access violation. Drink coffee does not care.
03:55
So
03:57
again, we could use that properly.
04:00
We could do bounce checking ourselves. We just added a little bit of code checks to make sure our input is less than five characters.
04:08
But in this case, the developer doesn't do that.
04:12
So
04:13
that is going to be our simple buffer. Overflow example she might have imagined this was
04:17
very similar to wait. I was first taught August. It wasn't how I was first thought it was the first time it made sense to me so that I have started teaching at the same way.
04:30
And we will, of course, move on two examples that
04:33
are more real world. Hopefully, people write programs that are a little more complicated than this one,
04:41
but we will see some real programs in the rest of our exploit development. But this is just, you know, pretty much as simple as it gets. We can get an idea of what's going on and also see Olympics example, since the rest of our examples will be in Windows. But our main problem here again is the string copy str Seafood. Why
05:00
so after the string, coffee finishes function
05:02
finishes and we returned to Maine,
05:05
which is the return address is intact.
05:08
Should send us to this print F, which will print out to the screen executed. Normally
05:15
noticed there is 1/3 function overflowed, which just prints out execution hijacked of screen.
05:23
But notice that under normal *** circumstances overflowed has never called. We start with main main cause function. Function just returns
05:33
and then we print if executed normally on and that's the end. Overflowed never gets cold, so it's like debugging code that just got left there or something. So you might get Imagine our goal is going to be to call Overflowed, so that's exactly what we're going to try and do

Up Next

Advanced Penetration Testing

The Advanced Penetration Testing course teaches the cyber attack lifecycle from the perspective of an adversary. Become more familiar with the most widely used penetration-testing tools, manipulate network traffic, and perform web application attacks such as cross-site scripting and SQL injection.

Instructed By

Instructor Profile Image
Georgia Weidman
Founder and CTO at Shevirah and Bulb Security
Instructor