Code layout:

C code:
  http.c:
    - handles http and socket connections
  zookld:
    - launcher: launches a server based on zook.conf
    - starts the dispatch daemon, and other services
  zookd:
    - dispatcher: handles dispatching http requests to the right service
  zookfs:
    - file server: an example service
    - started by zookld
Other:
  - zook*.conf: configuration file that lists which services to run, port number, etc
  - exploit-template.py: code to encode your exploit, and send over http
  - shellcode.S: sample asm file to run shell code
For later labs:
  - zoobar: contains application python code

C and function calls:

stack:
  - holds function arguments, local variables, temporary storage, etc
  - used to save registers
relevant registers:
  - esp: points to top of the stack
  - ebp: points to base of the current stack frame; arguments and other state are referenced from ebp
  - eax: where return value is stored
  - eax, ecx, edx: caller saved registers; registers callee can use for computation
  - ebx, esi, edi: callee saved registers; registers caller expects to be the same on return
  - eip: program counter
important x86 commands:
  - mov reg1, reg2: move content of reg2 to reg1
  - pop reg: move content at address esp to reg, increment esp by 4
  - push reg: move content of reg to address esp-4, decrement esp by 4

high address up, stack grows down

stack right before cat_file is called:
  - save the caller save registers
  - push the args, starting with the right most arg
  - call function, push the return program addr (call cat_file = push eip; jmp cat_file)

                +------------------+
  main %ebp --> | ...              |
                +------------------+
                | caller save regs |
                +------------------+
                | arg1 = fd        |
                +------------------+
  %esp -------> | return addr      |
                | to main          |
                +------------------+

stack right after cat_file is called:
  - save main's ebp (push ebp)
  - set the new ebp (mov ebp, esp)

                +------------------+
                | ...              |
                +------------------+
                | caller save regs |
                +------------------+
  %ebp+8 -----> | arg1 = fd        |
                +------------------+
  %ebp+4 -----> | return addr      |
                | to main          |
                +------------------+
  %esp=%ebp --> | main's %ebp      |
                +------------------+

next state of stack after cat_file is called:
  - add space for the local variables from ebp (sub esp, n)
  - (optional) allocate space for temporary storage
  - save callee save regs

                +------------------+
                | ...              |
                +------------------+
                | arg1 = fd        |
                +------------------+
                | return addr      |
                | to main          |
                +------------------+
  %ebp -------> | main's %ebp      |
                +------------------+
  %ebp-4 -----> | ptr              |
                +------------------+
  buf --------> | buf[255]         |
                | ...              |
                | buf[0]           |
                +------------------+
                | callee save regs |
                +------------------+
                | ...              |
  %esp -------> +------------------+

right before cat_file returns:
  - set eax to return value (could happen well before the actual return)
  - restore callee save regs
  - set esp to ebp and restore ebp (leave = mov esp, ebp; pop ebp)
  - same state as right before cat_file is called

when you return:
  - set eip (ret = pop eip)

                +------------------+
  main %ebp --> | ...              |
                +------------------+
                | caller save regs |
                +------------------+
  %esp -------> | arg1 = fd        |
                +------------------+
                | ...              |
                +------------------+
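As an added illustration, not part of the lab's code or these notes: a C function with a frame shaped like cat_file's above (a 256-byte buf and a ptr local) that reports where its locals sit relative to the frame pointer and checks that the word directly above the saved frame pointer is the return address. It relies on the GCC/Clang builtins __builtin_frame_address and __builtin_return_address, and assumes a 64-bit build, so the word size is sizeof(void *) = 8 rather than the 4 in the diagrams; with the stack protector enabled, a canary widens the gap between buf and the saved frame pointer.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed example, not from the lab: a frame laid out like cat_file's
 * (ptr and a 256-byte buf below the saved frame pointer and return address). */
struct frame_info {
    long buf_off;      /* buf  minus frame pointer: negative, buf lies below it */
    long ptr_off;      /* &ptr minus frame pointer: negative, ptr lies below it */
    int  ret_above_fp; /* 1 if the word above the saved frame pointer == return address */
};

__attribute__((noinline))
struct frame_info inspect_frame(void)
{
    volatile char buf[256];              /* the buf[0..255] rows in the diagram */
    volatile char *volatile ptr = buf;   /* the ptr slot (%ebp-4 in the diagram; the
                                            compiler chooses the exact offset) */
    uintptr_t fp = (uintptr_t)__builtin_frame_address(0);  /* this frame's %ebp/%rbp */
    uintptr_t ra = (uintptr_t)__builtin_return_address(0);
    /* %ebp+4 on 32-bit x86, %rbp+8 on x86-64: the "return addr to main" row */
    uintptr_t *ret_slot = (uintptr_t *)(fp + sizeof(void *));
    struct frame_info fi;

    buf[0] = 0;
    fi.buf_off = (long)((uintptr_t)buf - fp);
    fi.ptr_off = (long)((uintptr_t)&ptr - fp);
    fi.ret_above_fp = (*ret_slot == ra);
    (void)ptr;
    return fi;
}

int main(void)
{
    struct frame_info fi = inspect_frame();
    printf("buf at fp%+ld, ptr at fp%+ld, return address directly above saved fp: %s\n",
           fi.buf_off, fi.ptr_off, fi.ret_above_fp ? "yes" : "no");
    /* Anything written past buf[255] walks upward through the saved fp and the
     * return address, which is why bounds checks on buf matter. */
    return fi.ret_above_fp ? 0 : 1;
}
```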