![int gcd(int a, int b)
{
while (b) {
int r = a % b;
a = b;
b = r;
}
return a;
}
gcd:
push ebp
mov ebp, esp
sub esp, 16
jmp .L2
.L3:
mov eax, [ebp+8]
cdq
idiv [ebp+12]
mov [ebp-4], edx
mov eax, [ebp+12]
mov [ebp+8], eax
mov eax, [ebp-4]
mov [ebp+12], eax
.L2:
cmp [ebp+12], 0
jne .L3
mov eax, [ebp+8]
leave
ret](https://image.slidesharecdn.com/filonovprotectingcppcorehard-191130174319/85/Protecting-C-7-320.jpg)
![Address Machine Codes
00000000 6655
00000002 6689E5
00000005 6683EC10
00000009 EB25
0000000B 66678B4508
00000010 6699
00000012 6667F77D0C
00000017 66678955FC
0000001C 66678B450C
00000021 6667894508
00000026 66678B45FC
0000002B 666789450C
00000030 6667837D0C00
00000036 75D3
00000038 66678B4508
0000003D C9
0000003E C3
gcd:
push ebp
mov ebp, esp
sub esp, 16
jmp .L2
.L3:
mov eax, [ebp+8]
cdq
idiv [ebp+12]
mov [ebp-4], edx
mov eax, [ebp+12]
mov [ebp+8], eax
mov eax, [ebp-4]
mov [ebp+12], eax
.L2:
cmp [ebp+12], 0
jne .L3
mov eax, [ebp+8]
leave
ret](https://image.slidesharecdn.com/filonovprotectingcppcorehard-191130174319/85/Protecting-C-8-320.jpg)
![push 169
push 39
call gcd
add esp, 8
169
39
return address
gcd:
push ebp
mov ebp, esp
sub esp, 16
jmp .L2
.L3:
mov eax, [ebp+8]
cdq
idiv [ebp+12]
mov [ebp-4], edx
;…
.L2:
cmp [ebp+12], 0
jne .L3
mov eax, [ebp+8]
leave
ret
saved ebp
r
ebp-4
ebp
ebp+8
ebp+12
ebp+4
esp](https://image.slidesharecdn.com/filonovprotectingcppcorehard-191130174319/85/Protecting-C-10-320.jpg)
![const size_t BUFF_SIZE = 80;
void greetings(const char* str) {
char name[BUFF_SIZE];
strcpy(name, str);
printf("Hello, %sn", name);
}
int main(int argc, char* argv[]) {
greetings(argv[1]);
return 0;
}](https://image.slidesharecdn.com/filonovprotectingcppcorehard-191130174319/85/Protecting-C-12-320.jpg)
![void greetings(const char* str)
{
char name[BUFF_SIZE];
strcpy(name, str);
printf("Hello, %sn", name);
}
greetings(char const*):
push ebp
mov ebp, esp
sub esp, 104
mov eax, [ebp+8]
mov [esp+4], eax
lea eax, [ebp-88]
mov [esp], eax
call strcpy
lea eax, [ebp-88]
mov [esp+4], eax
mov [esp], OFFSET FLAT:.LC0
call printf
leave
ret](https://image.slidesharecdn.com/filonovprotectingcppcorehard-191130174319/85/Protecting-C-14-320.jpg)
![greetings(char const* str):
push ebp
mov ebp, esp
sub esp, 104
mov eax, [ebp+8]
mov [esp+4], eax
lea eax, [ebp-88]
mov [esp], eax
call strcpy
lea eax, [ebp-88]
mov [esp+4], eax
mov [esp], OFFSET FLAT:.LC0
call printf
leave
ret
return address
saved ebp
str
ebp
ebp-88
ebp+4
ebp+8
A A A A
A A A A
A A A A
A A A A
A A A A
A A A A
esp](https://image.slidesharecdn.com/filonovprotectingcppcorehard-191130174319/85/Protecting-C-15-320.jpg)
![greetings(char const* str):
push ebp
mov ebp, esp
sub esp, 104
mov eax, [ebp+8]
mov [esp+4], eax
lea eax, [ebp-88]
mov [esp], eax
call strcpy
lea eax, [ebp-88]
mov [esp+4], eax
mov [esp], OFFSET FLAT:.LC0
call printf
leave
ret
return address
saved ebp
str
ebp
ebp-88
ebp+4
ebp+8
0x315913EB
0x3104B0C0
0xD23143DB
0x90909090
0x90909090
ebp-88
esp](https://image.slidesharecdn.com/filonovprotectingcppcorehard-191130174319/85/Protecting-C-16-320.jpg)
![Address Machine Code
----------------------
00000000 EB16
00000002 5B
00000003 31C0
00000005 884307
00000008 895B08
0000000B 89430C
0000000E 8D4B08
00000011 8D530C
00000014 B00B
00000016 CD80
00000018 E8E5FFFFFF
0000001D 2F62696E2F736858
00000025 4141414142424242
Assembly
---------------
jmp short L1
L2:
; int execve(const char *filename, char *const argv[]
, char *const envp[])
pop ebx
xor eax, eax
mov [ebx + 7], al
mov [ebx + 8], ebx
mov [ebx + 12], eax
lea ecx, [ebx + 8]
lea edx, [ebx + 12]
mov al, 11
int 0x80
L1:
call L2
db '/bin/shX’
db ‘AAAABBBB'](https://image.slidesharecdn.com/filonovprotectingcppcorehard-191130174319/85/Protecting-C-19-320.jpg)
![void foo() {
char buff[80];
printf("buff: %pn", buff);
}
int main() {
foo();
}](https://image.slidesharecdn.com/filonovprotectingcppcorehard-191130174319/85/Protecting-C-25-320.jpg)
![greetings(char const* str):
push ebp
mov ebp, esp
sub esp, 104
mov eax, [ebp+8]
mov [esp+4], eax
lea eax, [ebp-88]
mov [esp], eax
call strcpy
lea eax, [ebp-88]
mov [esp+4], eax
mov [esp], OFFSET FLAT:.LC0
call printf
leave
ret
greetings(char const*):
push ebp
mov ebp, esp
sub esp, 120
mov eax, [ebp+8]
mov [ebp-108], eax
mov eax, gs:20
mov [ebp-12], eax
xor eax, eax
mov eax, [ebp-108]
mov [esp+4], eax
lea eax, [ebp-92]
mov [esp], eax
call strcpy
lea eax, [ebp-92]
mov [esp+4], eax
mov [esp], OFFSET FLAT:.LC0
call printf
mov eax, [ebp-12]
xor eax, gs:20
je .L2
call __stack_chk_fail
.L2:
leave
ret](https://image.slidesharecdn.com/filonovprotectingcppcorehard-191130174319/85/Protecting-C-27-320.jpg)
Protecting C++
- 3. • • • • • •
- 7. int gcd(int a, int b) { while (b) { int r = a % b; a = b; b = r; } return a; } gcd: push ebp mov ebp, esp sub esp, 16 jmp .L2 .L3: mov eax, [ebp+8] cdq idiv [ebp+12] mov [ebp-4], edx mov eax, [ebp+12] mov [ebp+8], eax mov eax, [ebp-4] mov [ebp+12], eax .L2: cmp [ebp+12], 0 jne .L3 mov eax, [ebp+8] leave ret
- 8. Address Machine Codes 00000000 6655 00000002 6689E5 00000005 6683EC10 00000009 EB25 0000000B 66678B4508 00000010 6699 00000012 6667F77D0C 00000017 66678955FC 0000001C 66678B450C 00000021 6667894508 00000026 66678B45FC 0000002B 666789450C 00000030 6667837D0C00 00000036 75D3 00000038 66678B4508 0000003D C9 0000003E C3 gcd: push ebp mov ebp, esp sub esp, 16 jmp .L2 .L3: mov eax, [ebp+8] cdq idiv [ebp+12] mov [ebp-4], edx mov eax, [ebp+12] mov [ebp+8], eax mov eax, [ebp-4] mov [ebp+12], eax .L2: cmp [ebp+12], 0 jne .L3 mov eax, [ebp+8] leave ret
- 10. push 169 push 39 call gcd add esp, 8 169 39 return address gcd: push ebp mov ebp, esp sub esp, 16 jmp .L2 .L3: mov eax, [ebp+8] cdq idiv [ebp+12] mov [ebp-4], edx ;… .L2: cmp [ebp+12], 0 jne .L3 mov eax, [ebp+8] leave ret saved ebp r ebp-4 ebp ebp+8 ebp+12 ebp+4 esp
- 12. const size_t BUFF_SIZE = 80; void greetings(const char* str) { char name[BUFF_SIZE]; strcpy(name, str); printf("Hello, %sn", name); } int main(int argc, char* argv[]) { greetings(argv[1]); return 0; }
- 14. void greetings(const char* str) { char name[BUFF_SIZE]; strcpy(name, str); printf("Hello, %sn", name); } greetings(char const*): push ebp mov ebp, esp sub esp, 104 mov eax, [ebp+8] mov [esp+4], eax lea eax, [ebp-88] mov [esp], eax call strcpy lea eax, [ebp-88] mov [esp+4], eax mov [esp], OFFSET FLAT:.LC0 call printf leave ret
- 15. greetings(char const* str): push ebp mov ebp, esp sub esp, 104 mov eax, [ebp+8] mov [esp+4], eax lea eax, [ebp-88] mov [esp], eax call strcpy lea eax, [ebp-88] mov [esp+4], eax mov [esp], OFFSET FLAT:.LC0 call printf leave ret return address saved ebp str ebp ebp-88 ebp+4 ebp+8 A A A A A A A A A A A A A A A A A A A A A A A A esp
- 16. greetings(char const* str): push ebp mov ebp, esp sub esp, 104 mov eax, [ebp+8] mov [esp+4], eax lea eax, [ebp-88] mov [esp], eax call strcpy lea eax, [ebp-88] mov [esp+4], eax mov [esp], OFFSET FLAT:.LC0 call printf leave ret return address saved ebp str ebp ebp-88 ebp+4 ebp+8 0x315913EB 0x3104B0C0 0xD23143DB 0x90909090 0x90909090 ebp-88 esp
- 17. Address Machine code ---------------------- 00000000 EB13 00000002 59 00000003 31C0 00000005 B004 00000007 31DB 00000009 43 0000000A 31D2 0000000C B214 0000000E CD80 00000010 B001 00000012 4B 00000013 CD80 00000015 E8E8FFFFFF 0000001A 596F75277665206265 00000023 656E206861636B6564210A Assembly ------------------ jmp short L1 L2: ; ssize_t write(int fd, const void* buf, size_t count) pop ecx ; get return address from stack xor eax, eax ; eax = 0 mov al, 4 xor ebx, ebx ; ebx = 0 inc ebx ; ++ebx xor edx, edx ; edx = 0 mov dl, 20 int 0x80 ; void _exit(int status) mov al, 1 dec ebx ; ebx = 0 int 0x80 L1: call L2 ; store following address on stack db "You've be" db "en hacked!", 10
- 18. � �� � Ҳ̀� ̀����� ���������������������������������������
- 19. Address Machine Code ---------------------- 00000000 EB16 00000002 5B 00000003 31C0 00000005 884307 00000008 895B08 0000000B 89430C 0000000E 8D4B08 00000011 8D530C 00000014 B00B 00000016 CD80 00000018 E8E5FFFFFF 0000001D 2F62696E2F736858 00000025 4141414142424242 Assembly --------------- jmp short L1 L2: ; int execve(const char *filename, char *const argv[] , char *const envp[]) pop ebx xor eax, eax mov [ebx + 7], al mov [ebx + 8], ebx mov [ebx + 12], eax lea ecx, [ebx + 8] lea edx, [ebx + 12] mov al, 11 int 0x80 L1: call L2 db '/bin/shX’ db ‘AAAABBBB'
- 20. � �� �� �� � ̀����� ������������� �������������������������������� ������
- 22. � �� �� �� � ̀����� ������ ������������������������� ���������������� ���
- 23. 0x90909090 0x90909090 0x80482f0 int main() { system(); } ebp ebp-88 /bin/sh ebp-88 FAKE ebp+4 return address str
- 25. void foo() { char buff[80]; printf("buff: %pn", buff); } int main() { foo(); }
- 26. � �� �� �� � ̀����� ����������������� ���
- 27. greetings(char const* str): push ebp mov ebp, esp sub esp, 104 mov eax, [ebp+8] mov [esp+4], eax lea eax, [ebp-88] mov [esp], eax call strcpy lea eax, [ebp-88] mov [esp+4], eax mov [esp], OFFSET FLAT:.LC0 call printf leave ret greetings(char const*): push ebp mov ebp, esp sub esp, 120 mov eax, [ebp+8] mov [ebp-108], eax mov eax, gs:20 mov [ebp-12], eax xor eax, eax mov eax, [ebp-108] mov [esp+4], eax lea eax, [ebp-92] mov [esp], eax call strcpy lea eax, [ebp-92] mov [esp+4], eax mov [esp], OFFSET FLAT:.LC0 call printf mov eax, [ebp-12] xor eax, gs:20 je .L2 call __stack_chk_fail .L2: leave ret
- 30. extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { greetings(reinterpret_cast<const char*>(Data)); return 0; } $./hello ================================================================= ==6777==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x602000000011at pc 0x0000004f1c54bp 0x7ffef7cc7ed0 sp 0x7ffef7cc7680 READ of size 2 at 0x602000000011thread T0 #0 0x4f1c53in __interceptor_strcpy.part.262 (/root/a.out+0x4f1c53) #1 0x564251 in greetings(char const*) /root/hello.cpp:12:5 #2 0x564370 in LLVMFuzzerTestOneInput /root/hello.cpp:18:3 #3 0x43121d in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/root/a.out+0x43121d)