First, disable ASLR. The easiest way to do this is to just turn it off for everything:
echo 0 > /proc/sys/kernel/randomize_va_space
You will need to do this as root. If you only want to do it for a specific program prog, running that program this way also works:
setarch linux32 -R ./prog
You do not need to be root, but you do need to run the program as above.
Now on to the buffer overflows!
Here is some information about buffer overflows, and a couple of programs to practice on. These programs are vulnerable to return-to-libc (or ARC) attacks, and your job is to exploit them!
First, you'll need a good understanding of how the stack is laid out. Here are two very helpful web pages:
When you compile and run these programs, you must disable any canaries on the stack. For example, with the gcccompiler, give the option -fno-stack-protector. But you don't have to worry about a non-executable stack, as the return address branches back into the code.
Here are the programs. You can do them on either 32-bit or 64-bit systems. Do them in order as the second builds on the first.
This problem asks you to implement a buffer overflow attack on a program. Here is a program called bad.c. This program contains a buffer overflow vulnerability; see the call to gets(3) in the getstr function. Your job is to exploit the overflow by providing input to the running process that will cause the program to invoke the function trap (which, you may notice, is not called anywhere else). You will know you’ve succeeded when you run the program, give it your input, and it prints ”Gotcha!”. The following questions will help guide you.
Now extend what you did to include an argument for the function you jump to.
Here is another program called realbad.c.
Structurally, it’s the same as bad.c, except that trap is replaced by
runcom, which — unlike
Credit: these are adapted from an exercise in ECS 153 and 235A.
|ECS 198, Preparation for Capture-the-Flag via Exploits
Fall Quarter 2018