
Buffer-overflow Lab

Buffer-overflow Lab. Zutao Zhu 09/18/2009. Outline. GDB and SetUID GDB tutorial Stack frame Lab. GDB and SetUID.





Presentation Transcript


  1. Buffer-overflow Lab Zutao Zhu 09/18/2009

  2. Outline • GDB and SetUID • GDB tutorial • Stack frame • Lab

  3. GDB and SetUID • One unfortunate interaction between gdb and setuid program execution surfaces when you attempt to debug a program that is setuid or forks setuid child processes. Within gdb, execution of setuid processes is not allowed. gdb will have trouble with an app that is setuid or one that attempts to fork a setuid program such as sendmail as a child process using system() or its relatives like popen() and execl(). If you try to debug a program like this, you'll get the error message “sh: privileges disabled because of outstanding IPC access to task” and the program or child process won't execute.

  4. GDB and SetUID • The technical explanation has to do with privileges and exception ports. When gdb is debugging a process, it owns the exception ports of that process. When that process forks a child process, gdb would own the exception ports of that child process as well. But, for security, the kernel disallows gdb from owning the exception ports of a child process that is setuid. When you attempt this, the kernel generates the “privileges disabled” error message and the system() call fails.

  5. GDB Tutorial • Compilation flag: -g • Basic commands • Examine values

  6. Basic Commands • Run (r) • Break (b) • Continue (c) • Step (s, n) • Backtrace (bt) • List code (l [line #]) • Info breakpoints/frame/proc

  7. Basic Commands • Print (p) • Quit (q) • Shell (shell ls -la ./) • Help (help stack) • Complete (complete i) • Show (show version) • Set (set prompt $; set var x=3)

  8. Basic Commands • Clear (clear the breakpoint at the current location) • Delete (d) • Enable/disable • Conditional breakpoint (break main; condition 1 something==val) • Finish (run until the current function returns)

  9. Examine Values • Print (p) • x/i • x/8wx • x/s

  10. Stack Frame • Each stack frame corresponds to a call to a subroutine which has not yet terminated with a return. For example, if a subroutine named DrawLine is currently running, having just been called by a subroutine DrawSquare, the top part of the call stack might be laid out like this (where the stack is growing towards the top):

  11. Stack Frame

  12. Stack Frame

  13. Stack Frame • In every stack frame, ebp points to the bottom (base) of the current frame, esp to the top of the stack, and the saved eip slot in the frame holds the return address.

  14. Lab • Security setting

  15. Reference • http://www.cs.wright.edu/~tkprasad/courses/cs781/alephOne.html • http://www.unknownroad.com/rtfm/gdbtut/gdbtoc.html • http://www.cs.cmu.edu/~gilpin/tutorial/

  16. (gdb) x/24wx 0xbfed9fb0
      0xbfed9fb0: 0xbfed9fc8 0x002973a5 0xbfedb8cd 0x00000002
      0xbfed9fc0: 0x00000003 0x00000005 0xbfed9ff8 0x08048420
      0xbfed9fd0: 0x00000002 0x00000003 0xbfed9fe8 0x080482b9
      0xbfed9fe0: 0x00ae4fb4 0x00000002 0x00000003 0x0804845e
      0xbfed9ff0: 0xbfeda010 0x00392ff4 0xbfeda038 0x002822f0
      0xbfeda000: 0x00ae4ca0 0x08048444 0xbfeda038 0x002822f0
      (gdb) p &a[0]
      $6 = (int *) 0xbfed9fbc
      (gdb) info frame
      Stack level 0, frame at 0xbfed9fd0:
       eip = 0x80483cf in func1 (temp.c:10); saved eip 0x8048420
       called by frame at 0xbfeda000
       source language c.
       Arglist at 0xbfed9fc8, args: x=2, y=3
       Locals at 0xbfed9fc8, Previous frame's sp is 0xbfed9fd0
       Saved registers:
        ebp at 0xbfed9fc8, eip at 0xbfed9fcc
      (gdb) p &y
      $7 = (int *) 0xbfed9fd4
      (gdb) p &x
      $8 = (int *) 0xbfed9fd0
      (gdb)
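As an added worked example (not part of the slides), the x/24wx dump above is embedded in a small C program that decodes func1's frame the way "info frame" reports it: saved ebp and saved eip just below the frame address, the arguments x and y at and above it, and the distance from the local array a (assumed to be an int array starting at 0xbfed9fbc, as "p &a[0]" shows) to the return-address slot. The 24 words are copied from the dump; the struct and function names are my own.

```c
#include <stdint.h>
#include <stdio.h>
/* Constructed from the "x/24wx 0xbfed9fb0" dump on the slide: 24 words
 * starting at 0xbfed9fb0, exactly as gdb printed them. */
#define DUMP_BASE 0xbfed9fb0u
static const uint32_t dump[24] = {
    0xbfed9fc8, 0x002973a5, 0xbfedb8cd, 0x00000002,
    0x00000003, 0x00000005, 0xbfed9ff8, 0x08048420,
    0x00000002, 0x00000003, 0xbfed9fe8, 0x080482b9,
    0x00ae4fb4, 0x00000002, 0x00000003, 0x0804845e,
    0xbfeda010, 0x00392ff4, 0xbfeda038, 0x002822f0,
    0x00ae4ca0, 0x08048444, 0xbfeda038, 0x002822f0,
};

/* Word stored at a dumped address; 0 if the address is outside the dump. */
static uint32_t word_at(uint32_t addr) {
    if (addr < DUMP_BASE || addr >= DUMP_BASE + sizeof dump || (addr & 3))
        return 0;
    return dump[(addr - DUMP_BASE) / 4];
}

/* One 32-bit x86 frame as "info frame" describes it. gdb's "frame at" address
 * is the caller's esp just before the call pushed the return address, so the
 * saved eip sits 4 bytes below it, the saved ebp 8 bytes below, and the first
 * argument exactly at it. */
typedef struct { uint32_t saved_ebp, saved_eip, arg_x, arg_y; } frame_t;

static frame_t decode_frame(uint32_t frame_at) {
    frame_t f;
    f.saved_ebp = word_at(frame_at - 8);  /* "ebp at 0xbfed9fc8" */
    f.saved_eip = word_at(frame_at - 4);  /* "eip at 0xbfed9fcc" */
    f.arg_x     = word_at(frame_at);      /* "p &x" -> 0xbfed9fd0 */
    f.arg_y     = word_at(frame_at + 4);  /* "p &y" -> 0xbfed9fd4 */
    return f;
}

/* Index n such that a[n] of a local int array shares storage with the saved
 * eip: an out-of-bounds write that reaches it corrupts the return address,
 * which is why a missing bounds check on a local buffer is so dangerous. */
static int index_of_saved_eip(uint32_t array_base, uint32_t frame_at) {
    return (int)((frame_at - 4 - array_base) / 4);
}

int main(void) {
    frame_t f = decode_frame(0xbfed9fd0);  /* "frame at 0xbfed9fd0" */
    printf("saved ebp 0x%08x, saved eip 0x%08x, x=%u, y=%u\n",
           (unsigned)f.saved_ebp, (unsigned)f.saved_eip, (unsigned)f.arg_x, (unsigned)f.arg_y);
    printf("a[%d] overlays the saved eip\n", index_of_saved_eip(0xbfed9fbc, 0xbfed9fd0));
    return 0;
}
```

The decoded values (saved ebp 0xbfed9ff8, saved eip 0x08048420, x=2, y=3) match the "info frame" output, and the caller's frame address in that output is simply the saved ebp plus 8.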
