Fall 2013: Computer Science 347 - buffer overflows
Keywords: buffer overflows/overruns, stack, gdb.
Make sure you have RH7.2 working before this tutorial. See the week 1 lecture notes to set it up.
All of the source code can be found in the /home/hacker/bufferoverruns/examples/ directory in the VM.
- Modify internalHack.c so that hacked is executed upon return from f().
  - Draw a picture of the stack right after c[0]='A' is executed. Your picture should look like the one in last week's tutorial.
  - Find the address of the function hacked.
  - Determine how to reference the return address on the stack via c[].
  - Explain the following lines of code, including why 'Hacked' is printed when 99 is modified appropriately:
    ref=(int *)(c+99);
    printf("%x\n",ref);
    *ref=&hacked;
- Modify target1.c so that hacked is executed upon return from foo(). Your modifications are limited to shellcode.
- Modify target1.c so that /bin/sh is executed upon return from foo(). Your modifications are limited to shellcode. Hint: see the shellcode notes at the very bottom.
- For the last exploit, explain what would happen if target1 was running as root.
Additional notes:
- Let's, for example, look at stack.c.
- In general, you will need to perform at least the following steps for this lab:
0. Compile and run the program. (gcc -o stack -g stack.c, then gdb stack)
1. Find a function and a local variable that can be used to reference different parts of memory. Use the 'list' command in gdb. (String? char? pointer?)
2. Break somewhere within this function. (break LINE_NUMBER)
3. Find the address of the variable. (print &var_name)
4. Find the address of the base pointer. (print $ebp)
5. Calculate the offset between the address of the base pointer and the address of the variable. (Simple subtraction; don't forget to convert from hex to decimal.)
6. Add 4 to this offset, since the return address of the function is stored in the 4 bytes immediately after the saved base pointer (at $ebp+4).
7. Find the address of the function that will be called upon the exploit. In our case, the function is hacked. (disassemble &hacked or print &hacked)
8. Modify the code. That is, use the variable to overwrite the function's return address with the address of the exploit function. For example, if I choose to use variable c, and c[0] is 44 bytes below the return address, and the address of hacked is 0x08048bf4, then I need to set c[44]=0xf4, c[45]=0x8b, c[46]=0x04, c[47]=0x08 (least significant byte first, since x86 is little-endian).
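The following program is an added example, not one of the files in the examples/ directory. It does in C what steps 3 to 8 above do in gdb, and what the ref=(int *)(c+99) lines in internalHack.c rely on: it measures, from inside a function, how many bytes separate a local buffer from the saved frame pointer (the same number you get from print $ebp minus print &c), turns a 32-bit address into the little-endian byte sequence of step 8, and shows the bounds check that keeps an overlong input from ever reaching the saved return address. The function names, the 100-byte buffer and the sample addresses are this example's own assumptions; the measured distance depends on the compiler, its flags and the stack protector, so read it as a measurement rather than a constant.

```c
/* Added example (not from the course's example files). Measures the distance
 * from a local buffer to the saved frame pointer, splits an address into the
 * bytes of step 8, and shows the bounds check that prevents the overflow.
 * All names and sample values here are the example's own assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Step 8: the four bytes written to c[off], c[off+1], c[off+2], c[off+3].
 * x86 stores the least significant byte at the lowest address. */
void address_bytes_le(uint32_t addr, unsigned char out[4]) {
    for (int i = 0; i < 4; i++)
        out[i] = (unsigned char)(addr >> (8 * i));
}

/* Steps 5 and 6: offset from the variable to the return-address slot on a
 * 32-bit frame ($ebp - &var, plus 4 for the saved base pointer).
 * On a 64-bit frame the "+ 4" becomes "+ 8". */
long return_slot_offset(uintptr_t ebp, uintptr_t var_addr) {
    return (long)(ebp - var_addr) + 4;
}

/* Steps 3 to 5 done at run time instead of in gdb: how many bytes lie between
 * c[0] and this function's saved frame pointer. __builtin_frame_address(0)
 * (GCC/Clang) is the equivalent of "print $ebp" / "print $rbp". The value
 * varies with compiler, flags and stack protector; it is a measurement. */
long measure_buffer_to_frame(void) {
    volatile char c[100];
    c[0] = 'A';   /* the point at which the lab asks you to draw the stack */
    return (long)((uintptr_t)__builtin_frame_address(0) - (uintptr_t)c);
}

/* Mitigation: copying with an explicit bound means no input, however long,
 * can write past dst into the saved registers. Returns 0 on success and -1
 * when the input would not fit (refused rather than silently truncated). */
int copy_bounded(char *dst, size_t dst_size, const char *src) {
    size_t n = strlen(src);
    if (n >= dst_size)
        return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

int main(void) {
    unsigned char b[4];
    address_bytes_le(0x08048bf4u, b);   /* the sample address from step 8 */
    printf("bytes to write: %02x %02x %02x %02x\n", b[0], b[1], b[2], b[3]);

    /* constructed sample values for $ebp and &c; 0x28 = 40, plus 4 = 44 */
    printf("return slot offset: %ld\n",
           return_slot_offset(0xbffff6c8u, 0xbffff6a0u));

    printf("c[0] to saved frame pointer: %ld bytes\n",
           measure_buffer_to_frame());

    char small[8];
    printf("7 chars into 8 bytes: %d\n", copy_bounded(small, sizeof small, "AAAAAAA"));
    printf("8 chars into 8 bytes: %d\n", copy_bounded(small, sizeof small, "AAAAAAAA"));
    return 0;
}
```

Compile with gcc -g and compare the printed distance with what gdb reports for $ebp (or $rbp) minus &c at the breakpoint; on a 64-bit build the return-address slot sits 8 bytes, not 4, past the saved frame pointer.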