Courses/Computer Science/CPSC 601.29.ISSA/20110307CodeSession

/***************************************************************************
 *  Host-based Reactive Defense System
 *  Copyright (C) 2006-2007 Michael E. Locasto
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; either version 2 of the License, or
 *  (at your option) any later version.
 *
 *  This program is distributed in the hope that it will be useful, but
 *  WITHOUT ANY WARRANTY; without even the implied warranty of 
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU 
 *  General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License
 *  along with this program; if not, write to the:
 *       Free Software Foundation, Inc.
 *       59 Temple Place, Suite 330 
 *       Boston, MA  02111-1307  USA
 *
 * $Id: aover.c,v 1.2 2007/07/04 20:25:46 locasto Exp $
 **************************************************************************/
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
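/*
 * printstack(a): dump the 25 four-byte stack slots around the int parameter
 * `a`, from 40(%ebp) down to -56(%ebp) of the calling function, one per line
 * as "mem[<address>]  <offset>(%ebp) = <hex value>", framed by separator
 * lines, then flush stdout so the dump survives a crash that follows.
 *
 * The offset labels assume `a` is the caller's first argument, i.e. that it
 * sits at 8(%ebp) of a 32-bit x86 frame with 4-byte ints, so the slot at
 * &a + k is reported as (8 + 4k)(%ebp). Reading outside the object `a` is
 * deliberate undefined behavior -- it is the point of this teaching demo --
 * so nothing here is portable; on a 64-bit build the labels are simply wrong.
 *
 * The cursor is the global `stackvalue` rather than a macro-local, presumably
 * so that expanding the macro adds no slot to the frame being dumped. It is
 * left pointing at the last slot printed (-56(%ebp), i.e. &a - 16).
 *
 * The expansion is a plain do { ... } while (0) statement: callers supply the
 * semicolon. (The earlier form ended in "while(0); \", which both left an
 * empty statement behind every use and spliced the following source line
 * into the macro definition.)
 */
#define printstack(a) do { \
  printf("===================================\n"); \
  for (stackvalue = (int *)&(a) + 8; ; stackvalue--) { \
    printf("mem[%p] %3d(%%ebp) = %x\n", (void *)stackvalue, \
           (int)(stackvalue - (int *)&(a)) * 4 + 8, (unsigned)*stackvalue); \
    if (stackvalue == (int *)&(a) - 16) break; \
  } \
  printf("===================================\n"); \
  fflush(stdout); \
} while (0)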
//----------------------------------------- GLOBALS
/* Cursor used by printstack(): points at the slot most recently printed.
 * Kept global rather than local to exploitme(), presumably so the dump itself
 * adds no slot to the frame under inspection (the layout sketch below still
 * lists it as a local at -16(%ebp) -- that sketch is older than this code). */
int *stackvalue = NULL;
/* Index of exploitme()'s overflow loop; global, presumably for the same reason. */
int counter = 0;
/* This program corrupts the return address of one of its routines. This
 * program helps demonstrate how STEM can use a shadow stack to prevent
 * such corruption.
 */
/*
 * The stack looks like (32-bit x86, 4-byte slots, offsets relative to
 * exploitme's %ebp):
  8(%ebp)       - int a: first function parameter
  4(%ebp)       - old %EIP (the function's "return address")
  0(%ebp)       - old %EBP (previous function's base pointer)
 -4(%ebp)       - int param0:      first local variable
 -8(%ebp)       - int* param1:     second local variable
-12(%ebp)       - int* eip:        third local variable
-16(%ebp)       - int* stackvalue: fourth local variable
 *
 * NOTE(review): this sketch predates the current code -- exploitme() below
 * declares param0, i and mydata[5], and stackvalue is now a global -- so the
 * local-variable rows no longer match. Trust the printstack() output (or gdb)
 * over this table; only the parameter / return-address / saved-%ebp rows are
 * layout-stable, and even those assume -O0 with frame pointers kept.
 */
/*
 * Deliberately vulnerable routine -- the subject of the demo.
 *
 * The loop below writes 21 ints into mydata, a 5-element array, so it runs
 * 16 slots past the end of the array and clobbers whatever the compiler laid
 * out above it in this frame: the other locals, the saved %ebp, the return
 * address at 4(%ebp) and the incoming arguments (the exact order is compiler-
 * and flag-dependent; read it off the printstack dumps or gdb rather than the
 * sketch above). Every overrun slot receives `data`, which wrapper() passes
 * as 0xdeadbeef. This is intentional undefined behavior; the loop bound is
 * not a bug to be fixed here.
 *
 * NOTE(review): the printed offsets and the sketch above presume a 32-bit x86
 * frame with 4-byte ints, frame pointers and no stack-smashing protection. A
 * default modern build (64-bit, -fstack-protector, PIE) is likely to lay the
 * frame out differently or abort with "stack smashing detected" -- presumably
 * this is compiled with something like -m32 -fno-stack-protector -O0; confirm
 * against the course build notes.
 *
 * x    - dumped by printstack(); &x anchors every offset label
 * y    - unused
 * data - the value sprayed over each overrun slot (a long, stored into an int)
 * buf  - a single char, not a buffer; overwritten with 'A' near the end,
 *        presumably so a write to an argument slot shows in the last dumps
 * Returns 17, but with the return address corrupted, control is unlikely to
 * get back to wrapper() at all unless something like STEM's shadow stack
 * intervenes.
 */
int exploitme(int x, 
              int y, 
              long data,
              char buf)
{
   long param0 = 0x100;     /* marker local, rewritten to 0xDEADBEEF below */
   int i = 0;               /* marker local, rewritten to 0x1000 below */
   //char a = 0xEE;
   int mydata[5];           /* the array that gets overrun */
   //int* mydata = 0;
   //mydata = 0xFFFFFFFF;
   mydata[0] = 0xa;
   mydata[1] = 0xb;
   mydata[2] = 0xc;
   mydata[3] = 0xd;
   mydata[4] = 0xe;
   //stackvalue = &x;
   printstack(x);           /* baseline dump before any corruption */
   /* The index is the global `counter`, presumably so the loop itself adds no
    * slot to the frame being dumped. 21 iterations over a 5-slot array is the
    * overflow: indices 5..20 are out of bounds. */
   for(counter=0;counter<21;counter++)
   {
      mydata[counter] = data;
      printstack(x);        /* one dump per slot overwritten */
      fprintf(stdout, "counter = %d\n", counter);
      fflush(stdout);
   }
   //fprintf(stdout, "i=%d\n", i);
   /* Each remaining store targets a named slot (a local, an argument, a
    * local) so its position can be read off the dump that follows it. */
   param0 = 0xDEADBEEF;
   printstack(x);
   buf = 'A';
   printstack(x);
   i = 0x1000;
   printstack(x);
   return 17;
}
/*
 * Calls the vulnerable routine with a recognizable payload.
 *
 * `a` (0xAAAAAAAA from main) and `value` (0xF) are marker values in this
 * frame; since wrapper's frame sits directly above exploitme's, they may
 * appear in the rows above 8(%ebp) of each printstack dump -- check the
 * printed addresses. The third argument, 0xdeadbeef, is the value exploitme
 * writes over every slot it overruns. If nothing intercepts the corrupted
 * return address (e.g. a shadow stack), the printf below is unlikely to run
 * and `value` is unlikely to ever hold 17.
 */
void wrapper(int a)
{
   int value = 0xF;
   //printstack(a);
   //value = exploitme(0x1, 0x2, 0xdeadbeef, 'X');
   value = exploitme(0x3, 0x2, 0xdeadbeef, 'X');   /* 0x3 is the `x` every dump is anchored on */
   printf("a = %x, value = %d\n", a, value);
}
/**
    Disassembly of an earlier build's main(), from when main called exploitme
    directly (it now goes through wrapper()). The absolute addresses belong to
    that build only and will differ from one compile to the next -- and from
    one run to the next under PIE/ASLR -- so re-derive them with gdb rather
    than reusing these:
    0x08048622 <main+108>:  push   $0x1
    0x08048624 <main+110>:  call   0x80483dc <exploitme>
    0x08048629 <main+115>:  add    $0x10,%esp
    0x0804862c <main+118>:  mov    %eax,0xfffffff8(%ebp)
    0x0804862f <main+121>:  movl   $0x1,0xfffffffc(%ebp)
    0x08048636 <main+128>:  sub    $0x8,%esp 
 */
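/*
 * Entry point. Prints the addresses of exploitme() and main() so the values
 * printstack() shows in the return-address slot can be compared against real
 * code locations, then runs the demo through wrapper(). argc and argv are
 * unused. Under PIE/ASLR these addresses change on every run, which is the
 * usual obstacle to aiming a corrupted return address.
 */
int main(int argc, char* argv[])
{
   (void)argc;
   (void)argv;
   /* %p requires a void *. Converting a function pointer to an object
    * pointer is not guaranteed by ISO C, but the explicit cast is the
    * conventional (POSIX-supported) spelling and avoids passing a mismatched
    * argument type to printf. */
   printf("addressof exploitme()  = %p\n", (void *)exploitme);
   printf("addressof main()       = %p\n", (void *)main);
   wrapper(0xAAAAAAAA);
   return 0;
}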