Computer Security and Networks: Exercise 5
This final exercise looks at buffer overflow attacks.
For this exercise you should log into the new VM as the Bob user: bobpark, password: redfiveworldequal.
The file nameCheck (in Bob's home directory) was compiled using the command:
    gcc -fno-stack-protector -z execstack -o nameCheck nameCheck.c -m32
and the following code:
    #include <stdio.h>

    void function1(void) {
        printf("Enter your name:\n");
        char buffer[64];
        gets(buffer);                 /* unbounded read: this is the intended overflow */
        printf("No token for you %s!\n", buffer);
        printf("By the way buffer was at: %p", buffer);
    }

    void function2(void) {
        // Open file
        FILE *fptr;
        fptr = fopen("overflowToken1", "r");
        // Read contents from file
        int c = fgetc(fptr);          /* int, not char, so the comparison with EOF is reliable */
        while (c != EOF)
        {
            printf("%c", c);
            c = fgetc(fptr);
        }
        fflush(stdout);
        fclose(fptr);
    }

    int main(void) {
        function1();
        return 0;
    }
i.e. all the memory protections have been turned off. Additionally, ASLR has been disabled on the VM.
Find a buffer overflow attack against the above code that will let you read the contents of the file overflowToken1. N.B. the program executes with root permissions and the tokens are only readable by root. For this question do not try to execute code on the stack.
You may find it helpful to sketch the layout of the stack before and after your attack. Once you have the token submit it to the token submission site as the question “Buffer Overflow 1.0”.
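For comparison, the hardened counterpart of the program above, as an added example that is not part of the exercise handout: function1's gets() is replaced by a bounded line reader that truncates over-long input and drains the rest of the line, and function2's file handling checks fopen and uses an int for fgetc. The names read_name, function1_safe, print_file and read_name_from_string are assumptions for this example; the last one exists only so the reader can be exercised on an in-memory string.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen (used only by the test helper) */
#include <stdio.h>
#include <string.h>

#define NAME_MAX 64

/* Read one line from `in` into buf (capacity n), dropping the newline.
 * Returns 1 if the whole line fit, 0 if it was truncated (the remainder of
 * the line is consumed so it cannot leak into the next read), -1 on EOF
 * with nothing read.  Never writes past buf[n-1]. */
int read_name(FILE *in, char *buf, size_t n) {
    if (fgets(buf, (int)n, in) == NULL) { buf[0] = '\0'; return -1; }
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') { buf[len - 1] = '\0'; return 1; }
    /* No newline seen: either the line was longer than n-1 bytes or the
     * input ended without a newline.  Discard the rest of the line. */
    int c, truncated = 0;
    while ((c = fgetc(in)) != EOF && c != '\n') truncated = 1;
    return truncated ? 0 : 1;
}

/* Hardened replacement for function1: same 64-byte buffer, bounded read. */
void function1_safe(FILE *in) {
    char buffer[NAME_MAX];
    printf("Enter your name:\n");
    int rc = read_name(in, buffer, sizeof buffer);
    if (rc < 0) { printf("No name given.\n"); return; }
    if (rc == 0) printf("(name truncated to %zu bytes)\n", sizeof buffer - 1);
    printf("No token for you %s!\n", buffer);
}

/* Hardened replacement for function2: fopen is checked, c is an int. */
int print_file(const char *path) {
    FILE *fptr = fopen(path, "r");
    if (fptr == NULL) { perror(path); return -1; }
    int c;
    while ((c = fgetc(fptr)) != EOF) putchar(c);
    fflush(stdout);
    fclose(fptr);
    return 0;
}

/* Test helper (assumed name): run read_name over a constructed string. */
int read_name_from_string(const char *input, char *buf, size_t n) {
    FILE *in = fmemopen((void *)input, strlen(input), "r");
    if (in == NULL) return -2;
    int rc = read_name(in, buf, n);
    fclose(in);
    return rc;
}

int main(void) {
    function1_safe(stdin);
    return 0;
}
```

With this version a 200-byte name leaves buffer holding 63 characters and a terminator, and the return address above it is untouched; the compile flags that reverse those in the handout are -fstack-protector-strong and -Wl,-z,noexecstack (plus -fPIE -pie so ASLR can relocate the binary), which is why the exercise has to turn them off.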
Hints
Before starting you should review the lecture videos and make sure you understand everything I did in lectures and how the x86-64 function call works.
When you execute a program in gdb it always executes with your permissions, therefore you cannot access the tokens when running the program in gdb.
A program can have different stack offsets when executed in gdb vs when it is executed normally.
The command while read -r line; do echo -e $line; done | ./nameCheck will let you run a program and enter bytes using hex notation, e.g. with this command typing \x00 in the input will enter a zero byte into memory, instead of the ASCII characters for "\" "x" "0" and "0" as you would normally get.
gdb uses stdin for inputting gdb commands. If you want to use stdin for input into the program being debugged, use the gdb command run <
The command cat can be more reliable than more for viewing files, as more will try to display exactly one page and may fail if it cannot work out what a page is.