CS 208 s21 — Learning Block #16
Table of Contents
1 Exercise
vulnerable: subq $0x40, %rsp ... leaq 0x10(%rsp), %rdi call gets ...
What is the minimum number of characters that gets must read in order for us to change the return address to a stack address?
For example, change 0x00 00 00 00 00 40 05 D1 to 0x00 00 7F FF CA FE F0 0D 1
2 Practice
CSPP practice problem 3.46 (p. 282)
- Return address of
0x400776 %rbxhas0x0123456789ABCDEF- input is "0123456789012345678901234"
char *get_line() { char buf[4]; char *result; gets(buf); result = malloc(strlen(buf)); strcpy(result, buf); return result; }
get_line: 400720: push %rbx 400721: sub $0x10, %rsp // diagram the stack at this point 400725: mov %rsp, %rdi 400728: callq gets // modify your diagram to show stack contents at this point
3 Starting Lab 3
Like lab 2, your goal is to analyze compile programs in order to devise the right input strings.
In this case, the compiled programs have buffer overflow vulnerabilites.
The string you input can overflow a char array on the stack and overwrite the return address, as well as writing other data to the stack as necessary for the attack.
3.1 Getting a target
Go to http://awb66333.mathcs.carleton.edu:15513/, enter your Carleton username and email, download the tar file. This lab must be done on Linux, and working on mantis is probably the easiest option. Use VS Code or go to https://mantis.mathcs.carleton.edu:9595/ and upload the tar file. Extract it using the terminal.
3.2 Stages
The target tar file includes two vulnerable programs ctarget and rtarget.
You can analyze the assembly code for these using objdump and gdb, though the only relevant function is getbuf which contains the buffer overflow vulnerability you will exploit.
The real work of the lab is thinking carefully about how the stack and ret instructions work, and designing the right input strings.
The lab consists of five phases, three for ctarget and two for rtarget.
The first (ctarget level 1) is a simple stack-smashing attack (i.e., just overwrite the return address to execute the desired function).
The second and third (ctarget levels 2 and 3) require code injection (i.e., putting your own code on the stack via buffer overflow and causing it to execute).
The final two (rtarget levels 2 and 3) involve a technique called return-oriented programming (see the writeup for a description).
Progress will be automatically recorded, like lab 2 (requires a campus-internet connection).
See http://awb66333.mathcs.carleton.edu:15513/progress for live progress, run ctarget and rtarget with -q to work offline.
3.3 Tools
3.3.1 hex2raw
You will want to write specific hex values to the stack.
Your input, however, is an ASCII string.
If you want to write the bytes 40, 51, and 2b to the stack, your input will need to include '@', 'Q', and '+'.
The tool hex2raw has been provided to do this conversion for you.
You put the hex values you want to be written to the buffer in a text file (e.g., type 40 51 2b into ctarget.phase1), and then run
cat ctarget.phase1 | ./hex2raw | ./ctarget
to convert the hex values into the corresponding ASCII and use that as input to ctarget.
See Appendix A of the lab writeup for more information.
3.3.2 Generating machine code
For ctarget levels 2 and 3 you will need to write the hex values for specific assembly instructions to the stack.
See Appendix B for how to generate these hex values from a file with hand-written assembly.
Footnotes:
gets would need to read in 54 character (bytes) to overwrite
the return address with a stack address. subq 0x40, %rsp tells us
that the stack frame for the function is 64 bytes. leaq 0x10(%rsp),
%rdi tells us that the start of the buffer passed to gets is 16
bytes above the top of the stack, making it 48 bytes from the start of
the stack frame. The stack address we want to replace the return
address with is 6 non-zero bytes, so we need to pass 48 bytes of
filler followed by 6 bytes of address to gets in order to execute
this part of our attack, for a total of 54 bytes.