Courses/Computer Science/CPSC 601.29.ISSA/20110307CodeSession

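/***************************************************************************
 *  Host-based Reactive Defense System
 *  Copyright (C) 2006-2007 Michael E. Locasto
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; either version 2 of the License, or
 *  (at your option) any later version.
 *
 *  This program is distributed in the hope that it will be useful, but
 *  WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 *  General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License
 *  along with this program; if not, write to the:
 *      Free Software Foundation, Inc.
 *      59 Temple Place, Suite 330
 *      Boston, MA  02111-1307  USA
 *
 * $Id: aover.c,v 1.2 2007/07/04 20:25:46 locasto Exp $
 **************************************************************************/

/* NOTE(review): the page listed three #include lines whose header names were
 * lost in extraction. <stdio.h> is the one the visible code requires
 * (printf, fprintf, fflush, stdout); the other two could not be recovered. */
#include <stdio.h>

/*
 * printslot(label): print the address held in the global `stackvalue` and
 * the int stored there, tagged with the frame offset `label`.
 * The pointer is cast to void * and the value to unsigned int so the
 * arguments match the %p and %x conversions.
 */
#define printslot(label) \
    printf("mem[%p] " label "(%%ebp) = %x\n", \
           (void *)stackvalue, (unsigned int)*stackvalue)

/*
 * printstack(a): dump 25 int-sized stack slots around the parameter `a`,
 * from 8 slots above &a down to 16 slots below it.
 *
 * The offset labels are fixed strings: they are only correct when `a` is the
 * first parameter of the calling function, sits at 8(%ebp), and int is
 * 4 bytes -- i.e. the 32-bit x86 frame described in the comment above
 * exploitme(). The macro walks a pointer outside the object `a`, which
 * standard C leaves undefined; that is the point of the demonstration.
 *
 * The body uses only the global `stackvalue` and declares no locals, so
 * expanding it adds no variables to the frame being inspected (presumably
 * why it is unrolled rather than written as a loop).
 *
 * The definition ends at `while(0)` with no trailing semicolon or line
 * continuation, so `printstack(x);` expands to exactly one statement.
 */
#define printstack(a) do{ \
    printf("===================================\n"); \
    stackvalue = &(a); \
    stackvalue = stackvalue + 8; \
    printslot("40"); \
    stackvalue = stackvalue - 1; \
    printslot("36"); \
    stackvalue = stackvalue - 1; \
    printslot("32"); \
    stackvalue = stackvalue - 1; \
    printslot("28"); \
    stackvalue = stackvalue - 1; \
    printslot("24"); \
    stackvalue = stackvalue - 1; \
    printslot("20"); \
    stackvalue = stackvalue - 1; \
    printslot("16"); \
    stackvalue = stackvalue - 1; \
    printslot("12"); \
    stackvalue = &(a); \
    printslot(" 8"); \
    stackvalue = stackvalue - 1; \
    printslot(" 4"); \
    stackvalue = stackvalue - 1; \
    printslot(" 0"); \
    stackvalue = stackvalue - 1; \
    printslot("-4"); \
    stackvalue = stackvalue - 1; \
    printslot("-8"); \
    stackvalue = stackvalue - 1; \
    printslot("-12"); \
    stackvalue = stackvalue - 1; \
    printslot("-16"); \
    stackvalue = stackvalue - 1; \
    printslot("-20"); \
    stackvalue = stackvalue - 1; \
    printslot("-24"); \
    stackvalue = stackvalue - 1; \
    printslot("-28"); \
    stackvalue = stackvalue - 1; \
    printslot("-32"); \
    stackvalue = stackvalue - 1; \
    printslot("-36"); \
    stackvalue = stackvalue - 1; \
    printslot("-40"); \
    stackvalue = stackvalue - 1; \
    printslot("-44"); \
    stackvalue = stackvalue - 1; \
    printslot("-48"); \
    stackvalue = stackvalue - 1; \
    printslot("-52"); \
    stackvalue = stackvalue - 1; \
    printslot("-56"); \
    printf("===================================\n"); \
    fflush(stdout); \
  }while(0)

//- GLOBALS

/* Cursor used by printstack(); global, so it is not part of any frame. */
int* stackvalue = 0;
/* Loop index for exploitme(); global, so the out-of-bounds writes in that
 * loop do not land on it. */
int counter = 0;

/* This program corrupts the return address of one of its routines. This
 * program helps demonstrate how STEM can use a shadow stack to prevent
 * such corruption.
 */

/*
 * The stack looks like:

 8(%ebp)      - int a: first function parameter
 4(%ebp)      - old %EIP (the function's "return address")
 0(%ebp)      - old %EBP (previous function's base pointer)
 -4(%ebp)      - int param0:      first local variable
 -8(%ebp)      - int* param1:     second local variable
 -12(%ebp)      - int* eip:        third local variable
 -16(%ebp)      - int* stackvalue: fourth local variable

 * NOTE(review): the local-variable rows above do not match the locals that
 * exploitme() declares below (param0, i, mydata[5]); they look like they
 * describe an earlier version of the routine. The parameter, saved %EIP and
 * saved %EBP rows are the ones printstack()'s labels rely on.
 */

/**
 * Deliberately writes past the end of a 5-element stack array and dumps the
 * frame after every write, so the corruption can be watched slot by slot.
 *
 * The loop stores `data` into mydata[0] .. mydata[20]. Indexes 5..20 are
 * outside the array, so 16 further int-sized slots of the frame are
 * overwritten. Which of them hold the saved %ebp and the return address
 * depends on how the compiler lays out the frame; the printstack() dump
 * after each iteration shows where the value lands. A loop bounded by the
 * array's element count (5) would keep every write inside mydata.
 *
 * @param x    first parameter; printstack() takes its address as the anchor
 *             for the dump
 * @param y    unused
 * @param data value written into every slot touched by the loop
 * @param buf  overwritten with 'A' after the loop; otherwise unused
 * @return 17 if control ever reaches the return statement normally
 */
int exploitme(int x,
              int y,
              long data,
              char buf)
{
  long param0 = 0x100;
  int i = 0;
  //char a = 0xEE;
  int mydata[5];
  //int* mydata = 0;
  //mydata = 0xFFFFFFFF;

  /* Recognisable marker values so the array is easy to find in the dump. */
  mydata[0] = 0xa;
  mydata[1] = 0xb;
  mydata[2] = 0xc;
  mydata[3] = 0xd;
  mydata[4] = 0xe;

  //stackvalue = &x;
  printstack(x);

  /* Intentional defect under demonstration: the bound is 21, the array
   * holds 5 elements. */
  for(counter=0;counter<21;counter++)
  {
     mydata[counter] = data;
     printstack(x);
     fprintf(stdout, "counter = %d\n", counter);
     fflush(stdout);
  }

  //fprintf(stdout, "i=%d\n", i);

  /* Each of the following stores is followed by a dump so the slot that
   * holds the corresponding variable can be identified. */
  param0 = 0xDEADBEEF;
  printstack(x);
  buf = 'A';
  printstack(x);
  i = 0x1000;
  printstack(x);

  return 17;
}

/**
 * Calls exploitme() with fixed arguments and prints its own parameter and
 * the value that came back.
 *
 * @param a value echoed in the final printf
 */
void wrapper(int a)
{
  int value = 0xF;
  //printstack(a);
  //value = exploitme(0x1, 0x2, 0xdeadbeef, 'X');
  value = exploitme(0x3, 0x2, 0xdeadbeef, 'X');
  printf("a = %x, value = %d\n", (unsigned int)a, value);
}

/**
 * NOTE(review): the symbol+offset labels between each address and its
 * instruction, and the symbol after the call target, appear to have been
 * lost in extraction. The `push $0x1` before the call suggests this listing
 * was taken from the commented-out exploitme(0x1, ...) variant -- confirm.

   0x08048622 :  push   $0x1
   0x08048624 :  call   0x80483dc
   0x08048629 :  add    $0x10,%esp
   0x0804862c :  mov    %eax,0xfffffff8(%ebp)
   0x0804862f :  movl   $0x1,0xfffffffc(%ebp)
   0x08048636 :  sub    $0x8,%esp
 */

/**
 * Prints the addresses of exploitme and main for comparison with the values
 * in the stack dumps, then runs the demonstration through wrapper().
 *
 * @return 0 if wrapper() returns normally
 */
int main(int argc, char* argv[])
{
  /* %p expects a void *; the casts keep the arguments matched to the
   * conversion. */
  printf("addressof exploitme  = %p\n", (void *)exploitme);
  printf("addressof main      = %p\n", (void *)&main);
  wrapper(0xAAAAAAAA);
  return 0;
}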