Action Plan

- System Organization Basics
- Memory Organization Basics
- Buffer Overflow Basics: Demo
- Heap Overflow Basics: Demo
Figure: system organization diagram (only the labels Memory and I/O Devices survive).

Numbering Systems

The same value written in each base:

Binary: 11011 | Octal: 33 | Decimal: 27 | Hexadecimal: 1B
Data Representations

- Bit: 1 bit (0/1)
- Nibble: 4 bits (0-15)
- Byte: 8 bits (0-255)
- Word: 16 bits (0-65535)
- Double Word (DWORD): 32 bits (0-4294967295)
- Quad Word (QWORD): 64 bits (0-18446744073709551615)

Figure: bit-pattern illustration of a 4-bit NIBBLE holding 10, an 8-bit BYTE holding 148, and a 16-bit WORD holding 33,373.
Figure: byte order. The two bytes 0x6D and 0x20 of one 16-bit value are stored low byte first on Intel (little-endian: 0x6D 0x20) and high byte first on Motorola (big-endian: 0x20 0x6D).
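The base conversion, the bit-width table and the byte-order figure above all come down to a handful of arithmetic rules. The following C program is an added example (not code from the slides) that implements them: it renders a value in any base from 2 to 16, reports whether a value fits in a field of a given width, splits a 16-bit value into its little- and big-endian byte sequences, and probes the host's own byte order. The value 0x206D used below is a constructed sample chosen so the bytes match the figure.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Render v in the given base (2..16), most significant digit first.
 * out must hold at least 65 bytes. Returns the number of digits written. */
int to_base(uint64_t v, int base, char *out) {
    static const char digits[] = "0123456789ABCDEF";
    char tmp[65];
    int n = 0;
    if (base < 2 || base > 16) { out[0] = '\0'; return 0; }
    do { tmp[n++] = digits[v % (uint64_t)base]; v /= (uint64_t)base; } while (v);
    for (int i = 0; i < n; i++) out[i] = tmp[n - 1 - i];  /* reverse */
    out[n] = '\0';
    return n;
}

/* Convenience check: does v render as `expect` in `base`? */
int base_matches(uint64_t v, int base, const char *expect) {
    char out[65];
    to_base(v, base, out);
    return strcmp(out, expect) == 0;
}

/* Largest value a field of `bits` bits (1..64) can hold: 2^bits - 1. */
uint64_t max_for_bits(int bits) {
    return bits >= 64 ? UINT64_MAX : (((uint64_t)1 << bits) - 1);
}

/* 1 if v fits in a nibble/byte/word/dword/qword of `bits` bits, else 0. */
int fits_in_bits(uint64_t v, int bits) { return v <= max_for_bits(bits); }

/* Byte sequence of a 16-bit value in memory, low byte first (Intel order). */
void le_bytes16(uint16_t v, uint8_t out[2]) { out[0] = v & 0xFF; out[1] = v >> 8; }

/* Byte sequence of a 16-bit value in memory, high byte first (Motorola order). */
void be_bytes16(uint16_t v, uint8_t out[2]) { out[0] = v >> 8; out[1] = v & 0xFF; }

int le_first_byte16(uint16_t v) { uint8_t b[2]; le_bytes16(v, b); return b[0]; }
int be_first_byte16(uint16_t v) { uint8_t b[2]; be_bytes16(v, b); return b[0]; }

/* 1 if this CPU stores the low byte of a word first, 0 if the high byte first. */
int host_is_little_endian(void) {
    uint16_t probe = 0x0001;
    uint8_t first;
    memcpy(&first, &probe, 1);  /* read the byte at the lowest address */
    return first == 1;
}

int main(void) {
    char out[65];
    const int bases[] = {2, 8, 10, 16};
    for (int i = 0; i < 4; i++) {
        to_base(27, bases[i], out);
        printf("27 in base %2d: %s\n", bases[i], out);
    }
    printf("33373 fits in 16 bits: %d\n", fits_in_bits(33373, 16));
    printf("0x206D little-endian first byte: 0x%02X, big-endian: 0x%02X\n",
           le_first_byte16(0x206D), be_first_byte16(0x206D));
    printf("host is little-endian: %d\n", host_is_little_endian());
    return 0;
}
```

The host probe is the standard memcpy trick: writing the 16-bit value 1 and reading back the byte at the lowest address tells you which end the hardware stores first, which is exactly what the Intel/Motorola figure illustrates.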
CPU Registers

- EBX: Base, used to store pointers to data
- ECX: Counter, used to count up or down
- EDX: Data, used as an I/O pointer
- ESP: Stack Pointer, points to the top of the stack frame
- EBP: Base Pointer, points to the base of the stack frame
- ESI: Source Index, points to the source for data
- EDI: Destination Index, points to the data destination
- Flags: provides the result of the latest operation
- EIP: Instruction Pointer, points to the next instruction
- CS: Code Segment, points to the start of the code segment
- DS: Data Segment, points to the start of the data segment
- SS: Stack Segment, points to the start of the stack segment
- ES: Extra Segment, points to the start of the extra segment
Segmentation

Figure: memory laid out from LOW to HIGH addresses: the code segment CS at 0x100 (EIP = 0x100 points into it), the data segment DS at 0x200, the stack segment SS at 0x300 (ESP and EBP point into it), and the extra segment ES above.
Figure: stack frames across a call: main() alone, then main() and fun1() after the call, then main() alone again once fun1() returns.
Figure: stack layout for the code below, byte offsets 56 down to 0 (LOW at the bottom), with the positions of EBP and ESP marked.

    int fun (int arg1, int arg2) {
        int lvar1 = arg1 + arg2;
        return lvar1;
    }

    int main () {
        int local_var1;
        int arg1 = 1, arg2 = 2;   /* declared so the call below compiles */
        local_var1 = fun (arg1, arg2);
        return local_var1;
    }
Figure: the same stack layout (offsets 56 down to 0, EBP and ESP marked) for the add() example below.

    int add (int a, int b) {
        int c = a + b;
        return c;
    }

    int main () {
        int x = 18;
        add (3, 6);
        return 0;
    }
The buffer overflow demo: vuln() copies its argument into an 80-byte stack buffer with strcpy(), which never checks the destination size.

    #include <string.h>

    int vuln (char *argv) {
        char buf[80];
        int a = 9;
        strcpy (buf, argv);   /* unbounded copy: this is the overflow the demo shows */
        return a;
    }

    int main (int argc, char **argv) {
        int x = 6;
        if (argc < 2) return 1;   /* added: argv[1] must exist before it is used */
        vuln (argv[1]);
        return 0;
    }
Figure: frame of vuln() between ESP and the saved EBP, showing buf[80] and a=9.
So, you can overflow a buffer... now what? The sky is the limit...! Well, not really :) Let's dig deeper and see exactly what the scope of such a vulnerability is.
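The defect in vuln() is that nothing ties the copy to the 80-byte size of buf. The C program below is an added example, not code from the slides: it keeps the slide's locals (an 80-byte buf and a = 9) but replaces strcpy() with a copy that refuses input that would not fit, and it includes a helper that computes by how many bytes a given input overshoots the buffer. The inputs built from runs of 'A' are constructed samples.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_SIZE 80   /* same 80-byte buffer as the slide's vuln() */

/* Copy src into dst only if it fits, NUL terminator included.
 * Returns the length copied, or -1 (dst untouched) when it would not fit.
 * Scans at most dst_size bytes of src, so it never reads past an
 * untrusted input that lacks a terminator within range. */
int copy_bounded(char *dst, size_t dst_size, const char *src) {
    size_t n = 0;
    while (n < dst_size && src[n] != '\0') n++;
    if (n == dst_size) return -1;          /* no room for the terminator */
    memcpy(dst, src, n + 1);
    return (int)n;
}

/* Hardened counterpart of the slide's vuln(): same locals, bounded copy.
 * Returns -1 if the input was rejected, otherwise the value of a. */
int vuln_fixed(const char *input) {
    char buf[BUF_SIZE];
    int a = 9;
    if (copy_bounded(buf, sizeof buf, input) < 0) return -1;
    return a;   /* the copy cannot spill past buf, so a keeps its value */
}

/* Bytes by which an input (plus its NUL) exceeds a buffer of buf_size bytes. */
size_t overflow_bytes(size_t buf_size, const char *input) {
    size_t need = strlen(input) + 1;
    return need > buf_size ? need - buf_size : 0;
}

/* Build a constructed input of `len` 'A' characters (caller frees it). */
static char *make_input(size_t len) {
    char *s = malloc(len + 1);
    if (s == NULL) return NULL;
    memset(s, 'A', len);
    s[len] = '\0';
    return s;
}

/* Result of vuln_fixed() for a constructed input of the given length. */
int fixed_result_for_length(size_t len) {
    char *s = make_input(len);
    if (s == NULL) return -2;
    int r = vuln_fixed(s);
    free(s);
    return r;
}

/* Overshoot of a constructed input of the given length against BUF_SIZE. */
size_t overflow_for_length(size_t len) {
    char *s = make_input(len);
    if (s == NULL) return 0;
    size_t o = overflow_bytes(BUF_SIZE, s);
    free(s);
    return o;
}

int main(int argc, char **argv) {
    const char *input = argc > 1 ? argv[1] : "constructed sample";
    printf("vuln_fixed -> %d (9 = accepted, -1 = rejected), overshoot %zu bytes\n",
           vuln_fixed(input), overflow_bytes(BUF_SIZE, input));
    return 0;
}
```

Rejecting oversized input outright, rather than silently truncating it with strncpy(), keeps the failure visible to the caller and avoids the separate class of bugs where a truncated string is later treated as complete.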
Demo figure: the frame after the overflow, with buf filled by the input bytes (shown as 90909090) next to a=9; the value 220 also appears on the slide.
That's all folks!!! Ready with your questions? Start firing them, now...