Scribd
Upload
27 views11 pages

Buffer Overflow

Uploaded by

Hawking Charles
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
27 views11 pages

Buffer Overflow

Uploaded by

Hawking Charles
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 11

10/12/24, 9:26 AM Buffer overflow

Buffer overflow Tổng điểm 130/175

Giả thiết sử dụng CPU 32 bit.

Email của người trả lời ([email protected]) đã được ghi lại khi họ gửi biểu mẫu này.

https://docs.google.com/forms/d/e/1FAIpQLSfYq5oIIcsnpeqGQXSFi7m_NoDD180P3N369IsXTtYHaMYBMg/viewscore?viewscore=AE0zAgCdSNY6x… 1/11
10/12/24, 9:26 AM Buffer overflow

To write a shellcode, we need to know the address of the string "/bin/sh". If


we have to hardcode the address in the code, it will become difficult if ASLR is
turned on. Shellcode solved that problem without hardcoding the address of the
string in the code. Please explain how the shellcode in exploit.c achieved that.

shellcode= (
"\x31\xc0" # xorl %eax,%eax
"\x50" # pushl %eax
"\x68""//sh" # pushl $0x68732f2f
"\x68""/bin" # pushl $0x6e69622f
"\x89\xe3" # movl %esp,%ebx
"\x50" # pushl %eax
"\x53" # pushl %ebx
"\x89\xe1" # movl %esp,%ecx
"\x99" # cdq
"\xb0\x0b" # movb $0x0b,%al
"\xcd\x80" # int $0x80
).encode('latin-1')

True False Điểm số

String "/bin/sh" is
stored in an
5/5
environment
variable

String "/bin/sh" is
pushed into the 5/5
stack

Stack pointer esp


points to address 5/5
of "/bin/sh"

Address of
"/bin/sh" is
5/5
hardcoded in the
shellcode

https://docs.google.com/forms/d/e/1FAIpQLSfYq5oIIcsnpeqGQXSFi7m_NoDD180P3N369IsXTtYHaMYBMg/viewscore?viewscore=AE0zAgCdSNY6x… 2/11
10/12/24, 9:26 AM Buffer overflow

In which memory segments are the variables in the following code located?

int i = 0;

void func(char *str) {

char *ptr = malloc(sizeof(int));

char buf[1024];

int j;

static int y;
}

Data Stack Heap BSS


Điểm số
segment segment segment segment

i 5/5

str 5/5

ptr 5/5

buf 5/5

j 5/5

y 5/5

*ptr 5/5

https://docs.google.com/forms/d/e/1FAIpQLSfYq5oIIcsnpeqGQXSFi7m_NoDD180P3N369IsXTtYHaMYBMg/viewscore?viewscore=AE0zAgCdSNY6x… 3/11
10/12/24, 9:26 AM Buffer overflow

Please draw the function stack frame for the following C function.

int bof(char *str) {

char buffer[24];

strcpy(buffer,str);

return 1;

ebp + 8 ebp + 4 ebp ebp - 4 ebp - 23 ebp - 88 Điểm số

str 5/5

buffer[0] 0/5

buffer[23] 5/5

Câu trả lời đúng

ebp + 8 ebp + 4 ebp ebp - 4 ebp - 23 ebp - 88

buffer[0]

In the buffer overflow example shown in Listing 4.1, the buffer overflow 5/5
occurs inside the strcpy() function, so the jumping to the malicious code
occurs when strcpy() returns, not when foo() returns. Is this true or false?

True

False

https://docs.google.com/forms/d/e/1FAIpQLSfYq5oIIcsnpeqGQXSFi7m_NoDD180P3N369IsXTtYHaMYBMg/viewscore?viewscore=AE0zAgCdSNY6x… 4/11
10/12/24, 9:26 AM Buffer overflow

The buffer overflow example was fixed as below. Is this safe ? 0/5

int bof(char *str, int size)


{
char buffer = (char ) malloc(size);
strcpy(buffer, str);
return 1;
}

Yes, it is safe

No, it is not safe

Câu trả lời đúng

Yes, it is safe

https://docs.google.com/forms/d/e/1FAIpQLSfYq5oIIcsnpeqGQXSFi7m_NoDD180P3N369IsXTtYHaMYBMg/viewscore?viewscore=AE0zAgCdSNY6x… 5/11
10/12/24, 9:26 AM Buffer overflow

The following function is called in a remote server program. The argument str
points to a string that is entirely provided by users (the size of the string is up to
300 bytes). The size of the buffer is X, which is unknown to us (we cannot debug
the remote server program). However, somehow we know that the address of the
buffer array is 0xAABBCC10, and the distance between the end of the buffer and
the memory holding the function’s return address is 8. Although we do not know
the exact value of X, we do know that its range is between 20 and 100.

Please write down the string that you would feed into the program, so when this
string is copied to buffer and when the bof() function returns, the server program
will run your code. You only have one chance, so you need to construct the string in
a way such that you can succeed without knowing the exactly value of X. In your
answer, you don’t need to write down the injected code, but the offsets of the key
elements in your string need to be correct.

int bof(char *str) {

char buffer[X];

strcpy(buffer,str);

return 1;

True False Điểm số

The buffer starts


5/5
at 0xAABBCC10

The return
address is at 0/5
0xAABBCC18+X

X is in the range
5/5
of [20...100]

Spray the first


112 bytes with 0/5
the return addr

Spray the
beginning of
https://docs.google.com/forms/d/e/1FAIpQLSfYq5oIIcsnpeqGQXSFi7m_NoDD180P3N369IsXTtYHaMYBMg/viewscore?viewscore=AE0zAgCdSNY6x… 6/11
10/12/24, 9:26 AM Buffer overflow
beginning of
buffer with 28
Spray the
return addr
beginning of
0/5
buffer with 28
The smallest
return addr
return address is
0xAABBCC1C
The smallest
return address is 5/5
0xAABBCC1C

Câu trả lời đúng

True False

The return address is at


0xAABBCC18+X

Spray the first 112 bytes with


the return addr

Spray the beginning of buffer


with 28 return addr

How are the addresses decided for the following variables a and i, i.e., during the
runtime, how does the program know the address of these two variables?

void foo(int a) { int x; }

ebp - 8 ebp - 4 ebp ebp + 4 ebp + 8 Điểm số

a 5/5

x 5/5

https://docs.google.com/forms/d/e/1FAIpQLSfYq5oIIcsnpeqGQXSFi7m_NoDD180P3N369IsXTtYHaMYBMg/viewscore?viewscore=AE0zAgCdSNY6x… 7/11
10/12/24, 9:26 AM Buffer overflow

Several students had issue with the buffer overflow attack. Their badfile was
constructed properly where shell code is at the end of badfile, but when they try
different return addresses, some do not work. Can you tell which addresses work
and which do not?

May work Does not work Điểm số

long retAddr =
5/5
0xbffff250

long retAddr =
5/5
0xbffff280

long retAddr =
0/5
0xbffff300

long retAddr =
0/5
0xbffff310

long retAddr =
5/5
0xbffff400

Câu trả lời đúng

May work Does not work

long retAddr = 0xbffff300

long retAddr = 0xbffff310

https://docs.google.com/forms/d/e/1FAIpQLSfYq5oIIcsnpeqGQXSFi7m_NoDD180P3N369IsXTtYHaMYBMg/viewscore?viewscore=AE0zAgCdSNY6x… 8/11
10/12/24, 9:26 AM Buffer overflow

The following function is called in a privileged program. The argument str 0/5
points to a string that is entirely provided by users (the size of the string is
up to 300 bytes). When this function is invoked, the address of the buffer
array is 0xAABB0010, while the return address is stored in 0xAABB0050.
When you construct the attack string you have many choices when
deciding what value to put in the return address field. What is the smallest
value that you can use? Write the answer in hexa format starting with 0x...

int bof(char *str) {

char buffer[24];

strcpy(buffer,str);

return 1;

0xAABB0010

Câu trả lời đúng

0xAABB0104

A student proposes to change how the stack grows. Instead of growing 0/5
from high address to low address, the student proposes to let the stack
grow from low address to high address. This way, the buffer will be
allocated above the return address, so overflowing the buffer will not be
able to affect the return address. Please comment on this proposal.

Yes, it definitely eliminates bufferoverflow vulnerability

No, it still overwrite the return address of the function

Buffer of the outer function may overwrite the return address of an inner function

Câu trả lời đúng

Buffer of the outer function may overwrite the return address of an inner function

https://docs.google.com/forms/d/e/1FAIpQLSfYq5oIIcsnpeqGQXSFi7m_NoDD180P3N369IsXTtYHaMYBMg/viewscore?viewscore=AE0zAgCdSNY6x… 9/11
10/12/24, 9:26 AM Buffer overflow

Why does ASLR make buffer-overflow attack more difficult?

True False Điểm số

ASLR detects
when a
5/5
bufferoverflow
happens

It's much harder


to guess the 5/5
value of ebp

ASLR randomizes
stack and heap 5/5
location

ASLR only
randomizes stack 5/5
location

Biểu mẫu này đã được tạo ra bên trong Hanoi University of Science. Báo cáo Lạm dụng

Biểu mẫu

https://docs.google.com/forms/d/e/1FAIpQLSfYq5oIIcsnpeqGQXSFi7m_NoDD180P3N369IsXTtYHaMYBMg/viewscore?viewscore=AE0zAgCdSNY6… 10/11
10/12/24, 9:26 AM Buffer overflow

https://docs.google.com/forms/d/e/1FAIpQLSfYq5oIIcsnpeqGQXSFi7m_NoDD180P3N369IsXTtYHaMYBMg/viewscore?viewscore=AE0zAgCdSNY6… 11/11

You might also like