Buffer Overflows

Build-Up

First, disable ASLR. The easiest way to do this is to just turn it off for everything:

echo 0 > /proc/sys/kernel/randomize_va_space

You will need to do this as root. If you only want to do it for a specific program prog, running that program this way also works:

setarch linux32 -R ./prog

You do not need to be root, but you do need to run the program as above.

Now on to the buffer overflows!

The Basics

Here is some information about buffer overflows, and a couple of programs to practice on. These programs are vulnerable to return-to-libc (or ARC) attacks, and your job is to exploit them!

First, you'll need a good understanding of how the stack is laid out. Here are two very helpful web pages:

If you’ve not seen this before, it’s best to read and understand how the 32-bit processor lays out its stack, and then go to the 64-bit layout.

When you compile and run these programs, you must disable any canaries on the stack. For example, with the gcccompiler, give the option -fno-stack-protector. But you don't have to worry about a non-executable stack, as the return address branches back into the code.

Here are the programs. You can do them on either 32-bit or 64-bit systems. Do them in order as the second builds on the first.

Calling a Function Using a Buffer Overflow Attack

This problem asks you to implement a buffer overflow attack on a program. Here is a program called bad.c. This program contains a buffer overflow vulnerability; see the call to gets(3) in the getstr function. Your job is to exploit the overflow by providing input to the running process that will cause the program to invoke the function trap (which, you may notice, is not called anywhere else). You will know you’ve succeeded when you run the program, give it your input, and it prints ”Gotcha!”. The following questions will help guide you.

What is the address of the function trap()? How did you determine this?
What is the address on the stack that your input must overwrite (please give both the address of the memory location(s), and their contents)? How did you locate this address?
What is the address of buf?
The sled is the input you give to alter the return address stored on the stack. What is the minimum length your sled must be?

Calling a Function with Parameters Using a Buffer Overflow Attack

Now extend what you did to include an argument for the function you jump to. Here is another program called realbad.c. Structurally, it’s the same as bad.c, except that trap is replaced by runcom, which — unlike trap — takes an argument. Your job is to exploit the overflow by providing input to the running process that will cause the program to invoke the function runcom and cause the system(3) function to be executed with a command embedded in the input you have given. You must pass in a parameter that is a Linux command, which the program will then execute. (I recommend the command id(1).)

Here is a detailed script working through the first part. I strongly recommend doing it yourself, and using this only if you feel hopelessly stuck. If you can do that, you should have no problem with the second part.

Credit: these are adapted from an exercise in ECS 153 and 235A.

ECS 198, Preparation for Capture-the-Flag via Exploits
Fall Quarter 2018