Caution
You are not authorized to feed any of this content to any online LLM
for any purpose. If, for some reason, you need to interact with an LLM,
you may use an open-source model running on your local machine and feed it the course
content. See llama.cpp for a CPU-efficient
LLM inference engine that lets you use your own computer to ask your questions.
In the first practical session, we studied common bugs that arise when programming in memory-unsafe programming languages. Notably, we saw how misuse of C buffers can lead to buffer overflows. We’ll now delve deeper into them and see how an adversary can exploit such a vulnerability.
As a quick reminder, and because it’s easier than using words, let’s visualize how the x86 stack works. Use the buttons below to navigate instruction by instruction.
#include <stdint.h>
/*
 * Demo callee: builds a 3-element int32_t array on its own stack frame.
 *
 * a: value copied into b[1] (main passes 4).
 * The array is never read; it exists only to show where a local buffer
 * sits relative to the frame's control data.  In the listing below,
 * b[0], b[1] and b[2] land at -12(%ebp), -8(%ebp) and -4(%ebp), i.e.
 * directly below the saved ebp and the return address.
 */
void function(int32_t a) {
int32_t b[] = { 3, a, 5 };
}
/*
 * Demo caller: two locals, one call, return 0.
 * In the listing below, a and b are stored at -4(%ebp) and -8(%ebp)
 * of main's frame, and the argument 4 is pushed on the stack for
 * function() and popped again by main after the call returns.
 */
int main(void) {
int32_t a = 1;
int32_t b = 2;
function(4);
return 0;
}
# void function(int32_t a) -- i386, AT&T/GAS syntax, cdecl.
# After the prologue:
#   8(%ebp) = a (pushed by the caller)
#   4(%ebp) = return address
#   0(%ebp) = caller's saved ebp
# Frame:  16 bytes reserved below ebp; b[0..2] occupy -12(%ebp)..-4(%ebp),
#         the 4 bytes at -16(%ebp) stay unused in this listing.
# Out:    no return value; eax is left holding a.
# Note:   no stack-protector canary appears in this listing, so b[2] is
#         immediately followed by the saved ebp and then the return address;
#         any write past the end of b reaches them.
function:
pushl %ebp                      # save caller's frame pointer
movl %esp, %ebp                 # ebp = base of this frame
subl $16, %esp                  # reserve space for locals (b needs 12 of the 16)
movl $3, -12(%ebp)              # b[0] = 3
movl 8(%ebp), %eax              # eax = a (first stack argument)
movl %eax, -8(%ebp)             # b[1] = a
movl $5, -4(%ebp)               # b[2] = 5 -- last slot before the saved ebp
movl %ebp, %esp                 # discard locals
popl %ebp                       # restore caller's frame pointer
ret                             # pop return address into eip
# int main(void) -- i386, AT&T/GAS syntax, cdecl.
# Frame:  16 bytes reserved below ebp; a at -4(%ebp), b at -8(%ebp),
#         the remaining 8 bytes stay unused in this listing.
# Out:    eax = 0.
main:
pushl %ebp                      # save caller's frame pointer
movl %esp, %ebp                 # ebp = base of this frame
subl $16, %esp                  # reserve space for locals
movl $1, -4(%ebp)               # a = 1
movl $2, -8(%ebp)               # b = 2
pushl $4                        # argument for function(4), passed on the stack (cdecl)
call function                   # pushes the return address, then jumps to function
addl $4, %esp                   # caller removes the argument (cdecl)
movl $0, %eax                   # return value 0
movl %ebp, %esp                 # discard locals
popl %ebp                       # restore caller's frame pointer
ret                             # pop return address into eip
ebp = ????????
esp = ffffe000
eax = ????????
esp ffffe000 ???????? <main's return address>
ffffdffc ????????
ffffdff8 ????????
ffffdff4 ????????
ffffdff0 ????????
ffffdfec ????????
ffffdfe8 ????????
ffffdfe4 ????????
ffffdfe0 ????????
ffffdfdc ????????
ffffdfd8 ????????
ffffdfd4 ????????
ffffdfd0 ????????
ebp = ????????
esp = ffffdffc
eax = ????????
ffffe000 ???????? <main's return address>
esp ffffdffc ???????? <main's stored ebp>
ffffdff8 ????????
ffffdff4 ????????
ffffdff0 ????????
ffffdfec ????????
ffffdfe8 ????????
ffffdfe4 ????????
ffffdfe0 ????????
ffffdfdc ????????
ffffdfd8 ????????
ffffdfd4 ????????
ffffdfd0 ????????
ebp = ffffdffc
esp = ffffdffc
eax = ????????
ffffe000 ???????? <main's return address>
ebp esp ffffdffc ???????? <main's stored ebp>
ffffdff8 ????????
ffffdff4 ????????
ffffdff0 ????????
ffffdfec ????????
ffffdfe8 ????????
ffffdfe4 ????????
ffffdfe0 ????????
ffffdfdc ????????
ffffdfd8 ????????
ffffdfd4 ????????
ffffdfd0 ????????
ebp = ffffdffc
esp = ffffdfec
eax = ????????
ffffe000 ???????? <main's return address>
ebp ffffdffc ???????? <main's stored ebp>
ffffdff8 ????????
ffffdff4 ????????
ffffdff0 ????????
esp ffffdfec ????????
ffffdfe8 ????????
ffffdfe4 ????????
ffffdfe0 ????????
ffffdfdc ????????
ffffdfd8 ????????
ffffdfd4 ????????
ffffdfd0 ????????
ebp = ffffdffc
esp = ffffdfec
eax = ????????
ffffe000 ???????? <main's return address>
ebp ffffdffc ???????? <main's stored ebp>
ffffdff8 00000001 a
ffffdff4 ????????
ffffdff0 ????????
esp ffffdfec ????????
ffffdfe8 ????????
ffffdfe4 ????????
ffffdfe0 ????????
ffffdfdc ????????
ffffdfd8 ????????
ffffdfd4 ????????
ffffdfd0 ????????
ebp = ffffdffc
esp = ffffdfec
eax = ????????
ffffe000 ???????? <main's return address>
ebp ffffdffc ???????? <main's stored ebp>
ffffdff8 00000001 a
ffffdff4 00000002 b
ffffdff0 ????????
esp ffffdfec ????????
ffffdfe8 ????????
ffffdfe4 ????????
ffffdfe0 ????????
ffffdfdc ????????
ffffdfd8 ????????
ffffdfd4 ????????
ffffdfd0 ????????
ebp = ffffdffc
esp = ffffdfe8
eax = ????????
ffffe000 ???????? <main's return address>
ebp ffffdffc ???????? <main's stored ebp>
ffffdff8 00000001 a
ffffdff4 00000002 b
ffffdff0 ????????
ffffdfec ????????
esp ffffdfe8 00000004 a
ffffdfe4 ????????
ffffdfe0 ????????
ffffdfdc ????????
ffffdfd8 ????????
ffffdfd4 ????????
ffffdfd0 ????????
ebp = ffffdffc
esp = ffffdfe4
eax = ????????
ffffe000 ???????? <main's return address>
ebp ffffdffc ???????? <main's stored ebp>
ffffdff8 00000001 a
ffffdff4 00000002 b
ffffdff0 ????????
ffffdfec ????????
ffffdfe8 00000004 a
esp ffffdfe4 ???????? <function's return address>
ffffdfe0 ????????
ffffdfdc ????????
ffffdfd8 ????????
ffffdfd4 ????????
ffffdfd0 ????????
ebp = ffffdffc
esp = ffffdfe0
eax = ????????
ffffe000 ???????? <main's return address>
ebp ffffdffc ???????? <main's stored ebp>
ffffdff8 00000001 a
ffffdff4 00000002 b
ffffdff0 ????????
ffffdfec ????????
ffffdfe8 00000004 a
ffffdfe4 ???????? <function's return address>
esp ffffdfe0 ffffdffc <function's stored ebp>
ffffdfdc ????????
ffffdfd8 ????????
ffffdfd4 ????????
ffffdfd0 ????????
ebp = ffffdfe0
esp = ffffdfd0
eax = ????????
ffffe000 ???????? <main's return address>
ffffdffc ???????? <main's stored ebp>
ffffdff8 00000001 a
ffffdff4 00000002 b
ffffdff0 ????????
ffffdfec ????????
ffffdfe8 00000004 a
ffffdfe4 ???????? <function's return address>
ebp esp ffffdfe0 ffffdffc <function's stored ebp>
ffffdfdc ????????
ffffdfd8 ????????
ffffdfd4 ????????
ffffdfd0 ????????
ebp = ffffdfe0
esp = ffffdfd0
eax = ????????
ffffe000 ???????? <main's return address>
ffffdffc ???????? <main's stored ebp>
ffffdff8 00000001 a
ffffdff4 00000002 b
ffffdff0 ????????
ffffdfec ????????
ffffdfe8 00000004 a
ffffdfe4 ???????? <function's return address>
ebp ffffdfe0 ffffdffc <function's stored ebp>
ffffdfdc ????????
ffffdfd8 ????????
ffffdfd4 ????????
esp ffffdfd0 ????????
ebp = ffffdfe0
esp = ffffdfd0
eax = ????????
ffffe000 ???????? <main's return address>
ffffdffc ???????? <main's stored ebp>
ffffdff8 00000001 a
ffffdff4 00000002 b
ffffdff0 ????????
ffffdfec ????????
ffffdfe8 00000004 a
ffffdfe4 ???????? <function's return address>
ebp ffffdfe0 ffffdffc <function's stored ebp>
ffffdfdc ????????
ffffdfd8 ????????
ffffdfd4 00000003 b[0]
esp ffffdfd0 ????????
ebp = ffffdfe0
esp = ffffdfd0
eax = 00000004
ffffe000 ???????? <main's return address>
ffffdffc ???????? <main's stored ebp>
ffffdff8 00000001 a
ffffdff4 00000002 b
ffffdff0 ????????
ffffdfec ????????
ffffdfe8 00000004 a
ffffdfe4 ???????? <function's return address>
ebp ffffdfe0 ffffdffc <function's stored ebp>
ffffdfdc ????????
ffffdfd8 ????????
ffffdfd4 00000003 b[0]
esp ffffdfd0 ????????
ebp = ffffdfe0
esp = ffffdfd0
eax = 00000004
ffffe000 ???????? <main's return address>
ffffdffc ???????? <main's stored ebp>
ffffdff8 00000001 a
ffffdff4 00000002 b
ffffdff0 ????????
ffffdfec ????????
ffffdfe8 00000004 a
ffffdfe4 ???????? <function's return address>
ebp ffffdfe0 ffffdffc <function's stored ebp>
ffffdfdc ????????
ffffdfd8 00000004 b[1]
ffffdfd4 00000003 b[0]
esp ffffdfd0 ????????
ebp = ffffdfe0
esp = ffffdfd0
eax = 00000004
ffffe000 ???????? <main's return address>
ffffdffc ???????? <main's stored ebp>
ffffdff8 00000001 a
ffffdff4 00000002 b
ffffdff0 ????????
ffffdfec ????????
ffffdfe8 00000004 a
ffffdfe4 ???????? <function's return address>
ebp ffffdfe0 ffffdffc <function's stored ebp>
ffffdfdc 00000005 b[2]
ffffdfd8 00000004 b[1]
ffffdfd4 00000003 b[0]
esp ffffdfd0 ????????
ebp = ffffdfe0
esp = ffffdfe0
eax = 00000004
ffffe000 ???????? <main's return address>
ffffdffc ???????? <main's stored ebp>
ffffdff8 00000001 a
ffffdff4 00000002 b
ffffdff0 ????????
ffffdfec ????????
ffffdfe8 00000004 a
ffffdfe4 ???????? <function's return address>
ebp esp ffffdfe0 ffffdffc <function's stored ebp>
ffffdfdc 00000005 b[2]
ffffdfd8 00000004 b[1]
ffffdfd4 00000003 b[0]
ffffdfd0 ????????
ebp = ffffdffc
esp = ffffdfe4
eax = 00000004
ffffe000 ???????? <main's return address>
ebp ffffdffc ???????? <main's stored ebp>
ffffdff8 00000001 a
ffffdff4 00000002 b
ffffdff0 ????????
ffffdfec ????????
ffffdfe8 00000004 a
esp ffffdfe4 ???????? <function's return address>
ffffdfe0 ffffdffc <function's stored ebp>
ffffdfdc 00000005 b[2]
ffffdfd8 00000004 b[1]
ffffdfd4 00000003 b[0]
ffffdfd0 ????????
ebp = ffffdffc
esp = ffffdfe8
eax = 00000004
ffffe000 ???????? <main's return address>
ebp ffffdffc ???????? <main's stored ebp>
ffffdff8 00000001 a
ffffdff4 00000002 b
ffffdff0 ????????
ffffdfec ????????
esp ffffdfe8 00000004 a
ffffdfe4 ???????? <function's return address>
ffffdfe0 ffffdffc <function's stored ebp>
ffffdfdc 00000005 b[2]
ffffdfd8 00000004 b[1]
ffffdfd4 00000003 b[0]
ffffdfd0 ????????
ebp = ffffdffc
esp = ffffdfec
eax = 00000004
ffffe000 ???????? <main's return address>
ebp ffffdffc ???????? <main's stored ebp>
ffffdff8 00000001 a
ffffdff4 00000002 b
ffffdff0 ????????
esp ffffdfec ????????
ffffdfe8 00000004 a
ffffdfe4 ???????? <function's return address>
ffffdfe0 ffffdffc <function's stored ebp>
ffffdfdc 00000005 b[2]
ffffdfd8 00000004 b[1]
ffffdfd4 00000003 b[0]
ffffdfd0 ????????
ebp = ffffdffc
esp = ffffdfec
eax = 00000000
ffffe000 ???????? <main's return address>
ebp ffffdffc ???????? <main's stored ebp>
ffffdff8 00000001 a
ffffdff4 00000002 b
ffffdff0 ????????
esp ffffdfec ????????
ffffdfe8 00000004 a
ffffdfe4 ???????? <function's return address>
ffffdfe0 ffffdffc <function's stored ebp>
ffffdfdc 00000005 b[2]
ffffdfd8 00000004 b[1]
ffffdfd4 00000003 b[0]
ffffdfd0 ????????
ebp = ffffdffc
esp = ffffdffc
eax = 00000000
ffffe000 ???????? <main's return address>
ebp esp ffffdffc ???????? <main's stored ebp>
ffffdff8 00000001 a
ffffdff4 00000002 b
ffffdff0 ????????
ffffdfec ????????
ffffdfe8 00000004 a
ffffdfe4 ???????? <function's return address>
ffffdfe0 ffffdffc <function's stored ebp>
ffffdfdc 00000005 b[2]
ffffdfd8 00000004 b[1]
ffffdfd4 00000003 b[0]
ffffdfd0 ????????
ebp = ????????
esp = ffffe000
eax = 00000000
esp ffffe000 ???????? <main's return address>
ffffdffc ???????? <main's stored ebp>
ffffdff8 00000001 a
ffffdff4 00000002 b
ffffdff0 ????????
ffffdfec ????????
ffffdfe8 00000004 a
ffffdfe4 ???????? <function's return address>
ffffdfe0 ffffdffc <function's stored ebp>
ffffdfdc 00000005 b[2]
ffffdfd8 00000004 b[1]
ffffdfd4 00000003 b[0]
ffffdfd0 ????????
Notice how close the return address sits to the `b` buffer: only the saved ebp separates them. That makes it an attractive target for an adversary who can write past the end of `b`.