COSC 458 – 647 Buffer Overflow Lab solution


Overview
[Figure: badfile → ./stack]
1. ./stack is a precompiled program that has two string buffers: str_main[517] in main() and buff[24] in bof().
2. Its main task is to open and read data from a file named badfile.
3. ./stack then copies the read data to its own string buffer str_main, and then to its smaller string buffer buff.
   1. This creates a chance for a buffer overflow (how?)
4. If badfile contains malicious data/code, this BOF can trigger ./stack to execute that code.
This is what we will explore in this lab.
Overview
[Figure: badfile → ./stack (str_main[517], str_bof[24]); the data passes through 1. fopen(), 2. fscanf(), 3. strcpy() in the "bof" function; the buffer overflow ends in root.]
BOF – Explained
/* stack.c */
#include <stdio.h>
#include <string.h>

int bof(char *str) {
    char buffer[24];
    strcpy(buffer, str);          /* unbounded copy: str can be far longer than 24 bytes */
    return 1;
}

int main(int argc, char **argv) {
    char str[517];
    FILE *badfile;
    badfile = fopen("badfile", "r");
    fread(str, 1, 517, badfile);  /* reads up to 517 bytes; str is not NUL-terminated */
    bof(str);
    printf("Returned Properly\n");
    return 1;
}
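The same two copies with bounds checks, as an added example that is not the lab's stack.c (the names bof_checked, load_input, process_input and process_fill are ours): it refuses any input that would not fit buffer[24] and NUL-terminates what main() reads, the two conditions the strcpy()/fread() pair above never checks. The input is constructed in memory instead of read from badfile so the checks run without a file.

```c
/* Added example (not the lab's stack.c): bounded rewrite of the lab's bof()
 * and main(); input is built in memory instead of read from badfile. */
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 24   /* the lab's buffer[24] in bof() */
#define STR_SIZE 517  /* the lab's str[517] in main()  */
/* The lab's bof() does strcpy(buffer, str): it stops at the first NUL, not
 * at sizeof(buffer), so 24+ non-NUL bytes run past buffer[] into bof()'s
 * saved ebp and return address. Here the caller passes the byte count it
 * holds; the copy is refused (0) unless it fits with its terminator. */
int bof_checked(const char *str, size_t len) {
    char buffer[BUF_SIZE];
    if (len >= BUF_SIZE)
        return 0;
    memcpy(buffer, str, len);
    buffer[len] = '\0';
    return 1;                 /* copied, like the lab's return 1 */
}

/* Stand-in for main()'s fread(str, 1, 517, badfile): the lab never
 * NUL-terminates str[], so a full 517-byte file also lets strcpy() read
 * past str[]. Keeps at most STR_SIZE-1 bytes, terminates, returns count. */
size_t load_input(const char *data, size_t n, char str[STR_SIZE]) {
    if (n > STR_SIZE - 1)
        n = STR_SIZE - 1;
    memcpy(str, data, n);
    str[n] = '\0';
    return n;
}

/* The hardened main() path on an in-memory stand-in for badfile. */
int process_input(const char *data, size_t n) {
    char str[STR_SIZE];
    return bof_checked(str, load_input(data, n, str));
}

/* Feeds an n-byte run of 'A' (capped at STR_SIZE) through process_input(). */
int process_fill(size_t n) {
    char big[STR_SIZE];
    if (n > STR_SIZE)
        n = STR_SIZE;
    memset(big, 'A', n);
    return process_input(big, n);
}
int main(void) {
    printf("%d %d\n", process_input("hello", 5), process_fill(STR_SIZE)); /* 1 0 */
    return 0;
}
```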
BOF – Explained
[Figure: stack layout before strcpy(). main()'s stack frame, top to bottom: ret_add (main), saved_ebp (main), str_main[515–517] ... str_main[4–7], str_main[0–3], filled from badfile. bof()'s stack frame: ret_add (bof), saved_ebp (bof), buff[20–23], buff[16–19], ..., buff[0–3].]
[Figure: the same frames before and after strcpy(). After strcpy(), bof()'s frame holds str_main[0–3] ... str_main[20–23] where buff[] was, and the slots that held saved_ebp (bof) and ret_add (bof) now hold str_main[24–27] and str_main[28–31]; main()'s frame (ret_add (main), saved_ebp (main), str_main[xx–yy] ... str_main[515–517]) is unchanged.]
What should badfile contain?
• Bad data/code – Of course
• Can it be both data and code?
• If yes, do we want the code to be executed automatically?
• How do we do that?
• What should it actually contain?
[Figure: a badfile layout: a long run of Nop bytes, the address 0xbfffabcd, more Nop bytes, ..., 0xbfffabcd again.]
[Figure: Before / After / Attack vector. Before: main()'s frame (ret_add (main), saved_ebp (main), str_main[515–517] ... str_main[0–3], from badfile) and bof()'s frame (ret_add (bof), saved_ebp (bof), buff[20–23] ... buff[0–3]). After: bof()'s frame holds str_main[0–3] ... str_main[28–31]. Attack vector: Nop bytes, 0xbfffabcd, ..., 0xbfffabcd, Shellcode.]
[Figure: exploit.c – layout of buffer[]: NUM1 is the distance from buffer[] to RET; the shellcode is copied to the end of buffer[].]
Steps
1. Debug stack in gdb, find the addresses of buffer[] and ebp in bof()
2. Estimate the distance between buffer[] and the return address
3. In exploit.c
   1. Pick a return address of your choice and copy it in the right place in the buffer.
   2. Copy the shellcode to the buffer once you have set the attack return address.
Attack vector – 3 things
1. The address
   • "0xa1b2c3d4" will not work – it is just an example
   • This can be found by debugging the relative address of "ret_add (bof)".
2. NUM1: Try multiple numbers greater than 24.
3. NUM2: Try multiple numbers greater than 20.