CSE 466: Project 1
(Buffer overflows on Linux)
Due Date: 
Sept 19 2017, end of class
Method of submission: Print out only
Projects to be done in groups of two (
enforced)
(use discussion board or in-class interaction to find partners)

 

The following C code is for experimenting with buffer overflow attacks. This project is harmless. 

To run the code below use (Intel architecture, 32 bit) Ubuntu 14.04 on a virtual machine, Ubuntu 14.04 can be downloaded from here  (this image has all libraries configured).

 

Notes:

1.     Ubuntu and other Linux distros use canaries for stack protection and to make this attach work, you need to disable canaries. Use the following gcc option:
% gcc –fno-stack-protector   // typo fixed

2.     The locations where the code address and arguments need to be placed will be different from the demo in class. You will have to discover these locations. Please read these instructions for details

//Code for the program to experiment with:

#include<stdio.h>
#include<stdlib.h>

int i, n;
void confused(int i) {
  printf("**Who called me? Why am I here?? *** %x\n ", i);
  ;
}

void shell_call(char *c) {
  printf(" ***Now calling \"%s\" shell command *** \n", c);
  system(c);
}

void victim_func(){
  int a[4];
  printf("\nEnter n:  ");  scanf("%d",&n);
  printf("~~~~~~~~~~~~~ values and address of n locations ~~~~~~~~~~");
  for (i = 0;i <n ;i++) 
    printf ("\n a[%d] = %x, address = %x", i, a[i], &a[i]);
  printf("\nEnter %d HEX Values \n", n);

  // Buffer Overflow vulnerability HERE!

     for (i=0;i<n;i++)  scanf("%x",&a[i]);
       printf("Done reading junk numbers\n");


 // add stack printing code here, for Q1 below      

 }

int main() {
printf("\n ~~~~~~~~~~~~~~~~~ Info Menu ~~~~~~~~~~~~"); 
printf("\n addrss of main %x", main); 
printf("\n addrss of shell_cal %x", shell_call); 
printf("\n addrss of confused %x", confused); 
victim_func();
printf("\n done");
}

Tasks: (for submission instructions see end of the assignment).

1.      Set the value of n to 4, input 4 integers and then print the stack of the process at the location marked in the code for “victim function”. Note that the stack should be printed top item first, and stack addresses go higher as you go deeper into the stack. Two cases:

a.      Print first 12 items of the stack, each item being an integer. Use HEX format.

b.      Print first 48 items of the stack, each item being a byte. Use HEX format.

For both a and b, identify what the printed items really are, that is what do the values represent

2.      Execute buffer overflow attacks to:

a.      Crash the process

b.      Jump into the confused routine (program will segment fault)

c.       Jump to the beginning of the main program from the victim function.

d.      Jump into the shell_call routine and provide arguments to execute – cal, ls, ps, cat, firefox, grep for some text in a file

e.      Jump from the shell_call routine to the main routine

 

3.      Can you remove the main routine and replace it with the one below, and perform the tricks above, use utilities like objdump to determine addresses on the binary:

int main() {
    victim_func();
    printf(“\n done”);
    return 0; }

 

4.      If the attack in 3 was successful, read up ASLR briefly and explain why stack relocation does not help with this class of attacks in 3 above.

5.      Can you call “confused” and return clean – that is the call returns to main and prints “Done, Thank you” from the printf in main?

6.      Can you call the system function without having to use the shell_call routine?

 

Note: 
1. May need heavy use of gdb and/or hex editors to find more information, and also may need diagnostic changes to the attack program and/or assembly programming.  
2. In the Intel architecture, everything is little endian.  Even the arguments you may want to place on the stack

 Submission: -- Submit a hard copy report, by the end of class

Q1 - show what the contents and interpretations of the stack.
Q2 – Briefly state how you did the attacks
Q3-6: Real brief report on what you found.