Buffer Overflow program

Consider the following program "vuln.c" (I recommend you use Linux for this exercise):

//Buffer overflow vulnerability illustration
#include <stdio.h>
#include <string.h>

void func(char *str) {
    char buffer[24];        // fixed-size buffer on the stack
    int *ret;               // unused here; part (a) of the exercise uses it to reach the return address
    strcpy(buffer, str);    // no length check: an argument longer than 23 bytes overflows buffer
}

int main(int argc, char **argv) {
    int x;
    x = 0;
    func(argv[1]);          // argv[1] must be supplied; it is copied into the 24-byte buffer unchecked
    x = 1;
    printf("x is 1");
    printf("x is 0");
    return 0;
}

//END

This program has a static buffer overflow vulnerability. In this exercise, try to modify the regular execution flow of the program in such a way that the instruction {printf("X is 1");} is skipped. You can use two different techniques to achieve this:

a. Assume you have write access to the program, i.e., you can modify the source code. Modify the function func(.) in such a way that the address to which the program returns after executing "func(.)" is changed so that the instruction {printf("X is 1");} is skipped. Use the pointer *ret defined in func() to modify the return address.

b. Assume you don't have write access to the program, but have access to the executable (you are able to run it). Now exploit the buffer overflow vulnerability and execute the program by passing an argument "argv[1]" in such a way that the return address is modified so that the instruction {printf("X is 1");} is skipped. You can fill up the buffer with NOP instructions (opcode 0x90) wherever needed. You can write a so-called exploit program that runs the above program ("vuln.c") with an arbitrary input of your choice (use the execl() function to do so), for testing.
Instructions

You can use the objdump utility to get a map of the code section of the executable file. Use "objdump -d <executable_file_name>". This will list all the address locations, opcodes and assembly code of the instructions, for all functions the program calls. For the exercise, you are mainly interested in the main function and the address locations of its various instructions.

rgosai6149 Asked:
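As an added example (not code from the original post or from any of the linked papers): the page's func() beside a bounds-checked replacement that fails closed on over-long input instead of writing past the buffer. BUF_LEN matches the 24-byte buffer in vuln.c; func_unsafe, func_safe and check_len are names chosen here, and the 'A'-filled inputs are constructed for the demo.

```c
#include <stdio.h>
#include <string.h>

#define BUF_LEN 24   /* same size as buffer[24] in vuln.c */

/* Shape of the original func(): strcpy() stops only at the NUL byte, so an
 * argument of 24 or more bytes runs past buffer[] into the saved frame
 * pointer and return address stored above it on the stack. Kept for
 * comparison only; the demo never calls it. */
void func_unsafe(char *str) {
    char buffer[BUF_LEN];
    strcpy(buffer, str);                     /* length never checked */
}

/* Hardened form: measure with a bounded scan, reject when the string plus
 * its terminator would not fit, then copy exactly that many bytes.
 * Returns 0 when the input was accepted and copied, -1 when rejected. */
int func_safe(const char *str) {
    char buffer[BUF_LEN];
    size_t n = 0;
    while (n < BUF_LEN && str[n] != '\0')   /* reads at most BUF_LEN bytes */
        n++;
    if (n == BUF_LEN)                        /* no room for the NUL byte */
        return -1;
    memcpy(buffer, str, n + 1);              /* n + 1 <= BUF_LEN: in bounds */
    return 0;
}

/* Demo helper: func_safe()'s verdict for a constructed string of `len`
 * 'A' bytes (len < 64), so the boundary can be checked without argv.
 * Returns -2 if the requested length does not fit the scratch array. */
int check_len(size_t len) {
    char s[64];
    if (len >= sizeof s) return -2;
    memset(s, 'A', len);
    s[len] = '\0';
    return func_safe(s);
}

int main(void) {
    printf("23 bytes: %d\n", check_len(23));   /* 0: fits with terminator */
    printf("24 bytes: %d\n", check_len(24));   /* -1: rejected */
    printf("40 bytes: %d\n", check_len(40));   /* -1: rejected */
    return 0;
}
```

The boundary is the one that matters for vuln.c: 23 bytes plus the terminator is the longest argument strcpy() can place without touching what follows buffer[].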

ozo Commented:
Do you have a question?

The particular input to accomplish the stated goal would depend on the particular way that the program gets compiled.
rgosai6149 (Author) Commented:
How would I try to modify the regular execution flow of the program in such a way that the instruction {printf("X is 1");} is skipped? Please suggest me something.

Thanks in advance.
ozo Commented:
Look at where buffer[24] resides in physical memory when the program is run.
See if there is anything beyond the end of buffer[24] which the program depends on for its regular execution flow,
and figure out how you can change it to alter its execution.

Your original post gives some suggestions on ways to do this.

Russell_Venable Commented:
I would actually recommend that you read these 2 books.

The art of assembly

The first tutorial goes over the subject of basic static executables and how to implement a buffer overrun and how to make it "jmp" to the required address in memory. These are 2 of the best ways to show you how to do this. Tutorial is Linux so it's easy to follow.
rgosai6149 (Author) Commented:
Hi Russell,

Your link is not working. I believe it might be a broken link. Please send me a working link.
Thanks for your help.

Russell_Venable Commented:
They were working before I posted. Do you have a way I can email the link to you? I think it got moderated even though it is a legal finding. It's taught in several universities.
TommySzalapski Commented:
Russell's link was supposed to look like this:
http://www.freeinfosociety.com/media/pdf/2834.pdf
EE Mobile may have messed it up.
TommySzalapski Commented:
Although it looks more like a copy paste error.
Russell_Venable Commented:
I posted 2 links, but yes that is right.
rgosai6149 (Author) Commented:
Thanks Tommy, got it working.
Russell_Venable Commented:
The second link got filtered, I believe. I would have to send it to you via email instead.
Russell_Venable Commented:
I'll try this again just in case. Here is the link again.

http://inst.eecs.berkeley.edu/~cs161/fa08/papers/stack_smashing.pdf