Problem $6.(12$ points$)$:

Recently, Microsoft's SQL Server was hit by the SQL Slammer worm, which exploits a known buffer

overflow in the SQL Resolution Service. Today, we'll be writing our own $213$ Slammer that exploits the

vulnerability introduced in bufbomb, the executable used in your Lab $3$ assignment. And as such, Gets

has the same functionality as in Lab $3$ except that it strips off the newline character before storing the input

string.

Consider the following exploit code, which runs the program into an infinite loop:

infinite.o: file format elf$32-1386$

Disassembly of section $.$text:

text$>$:

$0$:$,68$ fc b$2$ ff be push $$0$xbfffb$2$fc

$5$: c$3$ ret

$6$: $8916$ mov sesi, besi

Here is a disassembled version of the getbuf function in bufbomb, along with the values of the relevant

registers and a printout of the stack before the call to Gets $().$

$($gclb$)$ disas

Dump of assembler code for function getbuf:

$08048a4408048a45$:$08048a4708048a4a08048a5008048a5108048a5b08048a5d$:$08048a5e0xbffb2fc,0x000$ esp $0xbffb2e0,$ebp,$0xbfffb308$ esi Oxfffffff $\frac{x}{20}xb\frac{\frac{?}{?}}{0}(0x00)$Problem $7.(10$ points$)$:

This problem tests your understanding of both control flow and multidimensional array layout. Consider

the following assembly code for a procedure moo $()$ :

moo:

push$1$ebp

mov $1$sp$,$ebp

push$1$ itedi

push$1$esi

push $1$ ivebx

mov $1$$$0,$ secx

mov$1$ $arr$1,$ sedi

mov$1$ $arr$2+8,$ qesi

mov $1($qebp$),$ qeax

leal $,$eax$,4),$ qebx

$.$ L$5$:

leal $($secx$,$ secx$,2),$ seax

sal$1$ $$2,$ seax

mov$1$ itebx, $1x$

mov$1$ iedx, $($seax$,$ sedi$)$

incl $$ecx

cmpl $$10,$ gecx

jle $.$L$5$

mov$1$ fecx, feax

pop$1$ iebx

pop$1$ iesi

pop$1$ isedi

popl itebp

ret

Page $9$ of $11$

Based on the assembly code, fill in the blanks below in moo's C source code. $($Note: you may only use

symbolic variables from the source code in your expressions below$-$do not use register names.$)$ Hint: First

figure out what the loop variable $($i$)$ is in the assembly and what the value of $M$ is$.$

fdefine $M$

fiefine $N$

int arrl$[$M$][$N$]$;

int arr$2[$M$][$N$]$;

int moo $($int $x)$

i

int i;

for

i

arr $1$

I$]$

$=$ arr$2$

$11$

$\}$

return

;

$\}$int $x,y$;

unsigned $u,v$;

and initialized to some unknown value. You should formulate your counterexamples in

terms of the word size $w.$ We have given the first answer as an example. You may assume

right shift is arithmetical.