• Status: Solved

Buffer Overflow program

Consider the following program "vuln.c" (I recommend you use Linux for this exercise):

//Buffer overflow vulnerability illustration
#include <stdio.h>   /* printf */
#include <string.h>  /* strcpy */

void func(char *str) {
    char buffer[24];
    int *ret;             /* for part (a): meant to point at the saved return address */
    strcpy(buffer, str);  /* no bounds check: this is the overflow under study */
}

int main(int argc, char **argv) {
    int x;
    if (argc < 2) return 1;  /* the exercise always passes argv[1] */
    x = 0;
    func(argv[1]);
    x = 1;
    printf("x is 1");
    printf("x is 0");
    return 0;
}
//END

This program has a static buffer overflow vulnerability. In this exercise, try to modify the regular execution flow of the program in such a way that the instruction {printf("X is 1");} is skipped. You can use two different techniques to achieve this:

a. Assume you have write access to the program, i.e., you can modify the source code. Modify the function func(.) in such a way that the address to which the program returns after executing "func(.)" is changed so that the instruction {printf("X is 1");} is skipped. Use the pointer *ret defined in func() to modify the return address.
b. Assume you don't have write access to the program, but have access to the executable (you are able to run it). Now exploit the buffer overflow vulnerability and execute the program by passing an argument "argv[1]" in such a way that the return address is modified so that the instruction {printf("X is 1");} is skipped. You can fill up the buffer with NOP instructions (opcode 0x90) wherever needed. You can write a so-called exploit program that runs the above program ("vuln.c") with an arbitrary input of your choice (use the execl() function to do so), for testing.
Instructions

You can use the objdump utility to get a map of the code section of the executable file. Use "objdump -d <executable_file_name>". This will list all the address locations, opcodes and assembly code of the instructions, for all functions the program calls. For the exercise, you are mainly interested in the main function and the address locations of its various instructions.
Asked by rgosai6149
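For contrast with the exercise program, here is the same func() shape with the bounds check that strcpy() lacks. This is an added example, not code from the question or from any of the answers; the names would_overflow, func_safe and func_truncate and the 24-byte size are mine (the size matches buffer[24] in the question). The point for a defender is that the input length must be compared against sizeof buffer, including the terminating NUL, before anything is copied.

```c
// Added example: bounds-checked versions of func() from the question.
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 24   /* same size as buffer[24] in the exercise program */

/* Returns 1 if copying `str` into a BUF_SIZE-byte buffer would overflow it
 * (the terminating NUL needs a byte too), 0 otherwise. strcpy() never checks this. */
int would_overflow(const char *str) {
    return strlen(str) >= BUF_SIZE;
}

/* Reject-on-overflow variant of func(): returns 0 if the input was copied,
 * -1 if it was refused. Nothing past the end of `buffer` can be written. */
int func_safe(const char *str) {
    char buffer[BUF_SIZE];
    size_t len = strlen(str);
    if (len >= sizeof buffer) {
        return -1;                 /* would not fit together with its NUL */
    }
    memcpy(buffer, str, len + 1);  /* len + 1 copies the NUL as well */
    (void)buffer;                  /* the demo does nothing further with it */
    return 0;
}

/* Truncate-on-overflow variant: snprintf() never writes more than BUF_SIZE
 * bytes and always NUL-terminates. Returns the number of bytes stored
 * (excluding the NUL), i.e. at most BUF_SIZE - 1. */
size_t func_truncate(const char *str) {
    char buffer[BUF_SIZE];
    int n = snprintf(buffer, sizeof buffer, "%s", str);
    if (n < 0) {
        return 0;
    }
    return (size_t)n < sizeof buffer ? (size_t)n : sizeof buffer - 1;
}

int main(int argc, char **argv) {
    /* Constructed sample input, used when no argument is given. */
    const char *input = (argc > 1) ? argv[1]
                                   : "constructed sample input well over twenty-four bytes";
    if (func_safe(input) != 0) {
        fprintf(stderr, "input of %zu bytes rejected: does not fit in a %d-byte buffer\n",
                strlen(input), BUF_SIZE);
        return 1;
    }
    printf("x is 1\n");
    return 0;
}
```

Compiling the original vuln.c with `gcc -fstack-protector-strong` makes the overflow abort the program with a stack-smashing message instead of silently changing the return address, which is a useful way to confirm that an input is too long before debugging anything with objdump.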
1 Solution
ozo commented:
Do you have a question?

The particular input to accomplish the stated goal would depend on the particular way that the program gets compiled.
rgosai6149 (Author) commented:
How would I try to modify the regular execution flow of the program in such a way that the instruction {printf("X is 1");} is skipped? Please suggest something.

Thanks in advance.
ozo commented:
Look at where buffer[24] resides in physical memory when the program is run.
See if there is anything beyond the end of buffer[24] which the program depends on for its regular execution flow,
and figure out how you can change it to alter its execution.

Your original post gives some suggestions on ways to do this.
Russell_Venable commented:
I would actually recommend that you read these 2 books.

The art of assembly

The first tutorial goes over the subject of basic static executables, how to implement a buffer overrun and how to make it "jmp" to the required address in memory. These are 2 of the best ways to show you how to do this. The tutorial is Linux-based, so it's easy to follow.
rgosai6149 (Author) commented:
Hi Russell,

Your link is not working. I believe it might be a broken link. Please send me a working link.
Thanks for your help.

Russell_Venable commented:
They were working before I posted. Do you have a way I can email the link to you? I think it got moderated even though it is a legal finding. It's taught in several universities.
TommySzalapski commented:
Russell's link was supposed to look like this:
http://www.freeinfosociety.com/media/pdf/2834.pdf
EE Mobile may have messed it up.
TommySzalapski commented:
Although it looks more like a copy paste error.
Russell_Venable commented:
I posted 2 links, but yes that is right.
rgosai6149 (Author) commented:
Thanks Tommy, got it working.
Russell_Venable commented:
The second link got filtered, I believe. I would have to send it to you via email instead.
Russell_Venable commented:
I'll try this again just in case. Here is the link again.

http://inst.eecs.berkeley.edu/~cs161/fa08/papers/stack_smashing.pdf
Question has a verified solution.