Courses/Computer Science/CPSC 601.29.ISSA/20110307CodeSession
/***************************************************************************
* Host-based Reactive Defense System
* Copyright (C) 2006-2007 Michael E. Locasto
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the:
* Free Software Foundation, Inc.
* 59 Temple Place, Suite 330
* Boston, MA 02111-1307 USA
*
* $Id: aover.c,v 1.2 2007/07/04 20:25:46 locasto Exp $
**************************************************************************/
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
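/*
 * Dump 25 words of the calling function's stack frame, each labelled with
 * its assumed offset from %ebp.
 *
 * `a` must be the caller's first int parameter: its address is taken as
 * the 8(%ebp) anchor and everything else is measured from it in 4-byte
 * steps, so the labels are only meaningful on a 32-bit x86 build that keeps
 * the frame pointer (see the layout comment below exploitme()).  Every
 * dereference except `a` itself reads outside any object -- undefined
 * behaviour on purpose; it is what this demo exists to show.
 *
 * The loop index is `static` and the cursor is the file-scope `stackvalue`
 * so that expanding the macro adds no slot to the frame being inspected.
 * Note the macro ends without a `;` and without a trailing backslash: the
 * original form swallowed the following source line into the macro and
 * made `printstack(x);` expand to two statements.
 */
#define printstack(a) do { \
    static int printstack_off; \
    printf("===================================\n"); \
    for (printstack_off = 40; printstack_off >= -56; printstack_off -= 4) { \
        stackvalue = &(a) + (printstack_off - 8) / 4; \
        printf("mem[%p] %d(%%ebp) = %x\n", (void *)stackvalue, \
               printstack_off, (unsigned)*stackvalue); \
    } \
    printf("===================================\n"); \
    fflush(stdout); \
} while (0)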
//----------------------------------------- GLOBALS
/* Scratch cursor advanced by printstack(); kept at file scope rather than
 * as a local inside the macro, presumably so the macro adds no slot to the
 * frame it is dumping. */
int *stackvalue = NULL;
/* Index of the overflow loop in exploitme(); also file scope, so it is not
 * itself one of the stack words that loop overwrites. */
int counter = 0;
/* This program corrupts the return address of one of its routines. This
* program helps demonstrate how STEM can use a shadow stack to prevent
* such corruption.
*/
/*
 * Expected frame of exploitme() on 32-bit x86 (frame pointer kept, -O0,
 * no stack protector).  The three slots at and above %ebp are fixed by the
 * calling convention; where the compiler places the locals below %ebp is
 * not, and differs between compilers and versions:
 *  8(%ebp)  - int x: first parameter, the anchor printstack() measures from
 *  4(%ebp)  - saved %eip: exploitme()'s return address into wrapper()
 *  0(%ebp)  - saved %ebp: wrapper()'s frame pointer
 *  below    - locals param0, i and mydata[5]; the loop in exploitme()
 *             writes 21 ints upward from mydata[0], i.e. past the end of
 *             the array and (if mydata sits where the demo assumes)
 *             through the saved %ebp and the return address
 */
/*
 * Deliberately vulnerable routine.  The loop below stores 21 ints through
 * a 5-element array, writing past its end into whatever the compiler laid
 * out above mydata[] -- intended to be the saved %ebp, the return address
 * into wrapper(), and the incoming arguments.  The frame is dumped after
 * every store so the corruption can be watched word by word.
 *
 * x    - first parameter; printstack() uses &x as its 8(%ebp) anchor, so
 *        x must remain the first int parameter.
 * y    - not used by the body.
 * data - the value stamped over each word.
 * buf  - written once near the end, only to show where it lives.
 * Returns 17 if control ever gets back to wrapper() intact; if the
 * overflow did reach the saved return address, the final `ret` goes
 * elsewhere and the caller's printf is presumably never seen.
 *
 * NOTE(review): this shows anything only on a 32-bit x86 build compiled
 * without a stack protector and without optimisation; a canary or a
 * reordering of the locals changes what the overflow hits.
 */
int exploitme(int x,
              int y,
              long data,
              char buf)
{
    /* Marker values: easy to spot in the dumps before they are overwritten. */
    long param0 = 0x100;
    int i = 0;
    //char a = 0xEE;
    int mydata[5];
    //int* mydata = 0;
    //mydata = 0xFFFFFFFF;
    mydata[0] = 0xa;
    mydata[1] = 0xb;
    mydata[2] = 0xc;
    mydata[3] = 0xd;
    mydata[4] = 0xe;
    //stackvalue = &x;
    /* Baseline dump: the frame before anything is corrupted. */
    printstack(x);
    /* 21 stores into a 5-element array: indices 5..20 are the overflow.
     * counter is a global so the loop index itself is not on this stack. */
    for(counter=0;counter<21;counter++)
    {
        mydata[counter] = data;
        printstack(x);
        fprintf(stdout, "counter = %d\n", counter);
        fflush(stdout);
    }
    //fprintf(stdout, "i=%d\n", i);
    /* Touch each remaining local once more so its slot can be located
     * in the dumps by the value that changes. */
    param0 = 0xDEADBEEF;
    printstack(x);
    buf = 'A';
    printstack(x);
    i = 0x1000;
    printstack(x);
    return 17;
}
/*
 * Calls exploitme() from a frame of its own, so exploitme()'s saved return
 * address points into wrapper() rather than main().  `a` (0xAAAAAAAA from
 * main) and `value` (0xF until exploitme() returns) live in this frame,
 * just above exploitme()'s argument area, and may therefore appear as
 * recognisable markers in the printstack() dumps.
 * The closing printf runs only if exploitme() returns intact.
 */
void wrapper(int a)
{
    int value = 0xF;
    //printstack(a);
    //value = exploitme(0x1, 0x2, 0xdeadbeef, 'X');
    value = exploitme(0x3, 0x2, 0xdeadbeef, 'X');
    printf("a = %x, value = %d\n", a, value);
}
/**
 NOTE(review): disassembly from an earlier build in which main() called
 exploitme() directly with a single argument (push $0x1).  The current
 main() goes through wrapper(), so these addresses and offsets will not
 match a fresh build; kept for reference only.
0x08048622 <main+108>: push $0x1
0x08048624 <main+110>: call 0x80483dc <exploitme>
0x08048629 <main+115>: add $0x10,%esp
0x0804862c <main+118>: mov %eax,0xfffffff8(%ebp)
0x0804862f <main+121>: movl $0x1,0xfffffffc(%ebp)
0x08048636 <main+128>: sub $0x8,%esp
*/
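/*
 * Entry point: print the code addresses of exploitme() and main()
 * (presumably so the return address seen in the printstack() dumps can be
 * recognised), then trigger the overflow via wrapper().
 * argc/argv are not used.
 */
int main(int argc, char *argv[])
{
    (void)argc;
    (void)argv;
    /* %p wants a void *; converting a function pointer to void * is a
     * common extension (POSIX requires it) rather than strict ISO C, but
     * it is what the original unguarded calls relied on implicitly. */
    printf("addressof exploitme() = %p\n", (void *)exploitme);
    printf("addressof main() = %p\n", (void *)main);
    /* 0xAAAAAAAA is an unsigned literal; its conversion to int wraps on
     * two's-complement targets and is meant only as a visible marker. */
    wrapper(0xAAAAAAAA);
    return 0;
}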