Some explanation on project 1

Several Tips on Project 1
1. Be sure to use the Makefile to generate the executables of both the exploit program and the target program.
2. Be sure to put “setarch i686 -R” in front of every execution, including both gdb and ./exploit.
3. You can use “x/b address” under gdb to see the byte content stored at the specified address. This is helpful for determining whether memory is big-endian or little-endian (i.e. in which byte order to write the overwritten return address).
4. You can use “break foo” to set a breakpoint upon entering the foo() function.
5. Fill the shell executable code (in the string array shellcode[ ]) byte-by-byte into the buffer, so that your modified return address can execute it.
6. The deadline will not be changed, but the penalty for a submission up to one week late is now 10% off.
NOPs
• Most CPUs have a No-Operation instruction – it does nothing but advance the instruction pointer.
• Usually we can put a bunch of these ahead of our program (in the string).
• As long as the new return address points to a NOP we are OK.
Using NOPs
[Diagram: from the top, the new return address, the real program (exec /bin/ls or whatever), then the nop instructions.]
Estimating the stack size
• We can also guess at the location of the return address relative to the overflowed buffer.
• Put in a bunch of new return addresses!
Estimating the Location
[Diagram: from the top, many copies of the new return address, then the real program, then the nop instructions.]