Solved

BufBomb Firecracker

Posted on 2012-03-10
4
2,169 Views
1 Endorsement
Last Modified: 2012-03-11
Could someone walk me through the steps to solve the following problems? I would really like to understand how to solve this problem as opposed to just knowing the answer. So far I have been able to figure out the assembly/byte code needed to put my cookie into global_variable.

Thanks.




Level 2: Firecracker (30 pts)

A much more sophisticated form of buffer attack involves supplying a string that encodes actual machine instructions. The exploit string then overwrites the return pointer with the starting address of these instructions. When the calling function (in this case getbuf()) executes its ret instruction, the program will start executing the instructions on the stack rather than returning. With this form of attack, you can get the program to do almost anything. The code you place on the stack is called the exploit code. This style of attack is tricky, though, because you must get machine code onto the stack and set the return pointer to the start of this code.
Within the file bufbomb there is a function bang() having the following C code:

int global_value = 0;
void bang(int val)
{
entry_check(2); /* Make sure entered this function properly */
if (global_value == cookie) {
printf("Bang!: You set global_value to 0x%x\n", global_value);
validate(2);
}
else
printf("Misfire: global_value = 0x%x\n", global_value);
exit(0);
}
Similar to Levels 0 and 1, your task is to get bufbomb to execute the code for bang() rather than returning to test. Before this, however, you must set global variable global_value to your teams cookie. Your exploit code should set global_value, push the address of bang() on the stack, and then execute a return instruction to cause a jump to the code for bang().
Some Advice:

You can use GDB to get the information you need to construct your exploit string. Set a breakpoint within getbuf() and run to this breakpoint. Determine parameters such as the address of global_value and the location of the buffer.
Determining the byte encoding of instruction sequences by hand is tedious and prone to errors. You can let tools do all of the work by writing an assembly code file containing the instructions and data you want to put on the stack. Assemble this file with gcc and disassemble it with objdump. You should be able to get the exact byte sequence that you will type at the prompt. (A brief example of how to do this is included at the end of this writeup.)
Keep in mind that your exploit string depends on your machine, your compiler, and even your teams cookie. Do all of your work on the machine cs367.vsnet.gmu.edu, and make sure you include the proper team name on the command line to bufbomb.
Our solution requires 16 bytes of exploit code. Fortunately, there is sufficient space on the stack, because we can overwrite the stored value of %ebp. This stack corruption will not cause any problems, since bang causes the program to exit directly.
Watch your use of address modes when writing assembly code. Note that movl $0x4, %eax moves the value 0x00000004 into register %eax; whereas movl 0x4, %eax moves the value at memory location 0x00000004into %eax. Since that memory location is usually undefined, the second instruction will cause a segfault!
Do not attempt to use either a jmp or a call instruction to jump to the code for bang. These instructions uses PC-relative addressing, which is very tricky to set up correctly. Instead, push an address on the stack and use the ret instruction.
1
Comment
Question by:novice214
  • 2
  • 2
4 Comments
 
LVL 53

Expert Comment

by:Infinity08
ID: 37706677
Having the bytecode is an important step already.

What are you stuck on right now ?
0
 

Author Comment

by:novice214
ID: 37706887
I am having issues with the return address. When running through the code with GDB, I believe that the return address is at $ebp+4. If I do x/bx $ebp+4 I do see the start of my exploit code.

I really think I need an explanation on how to actually string together my exploit code, fillers, and the return address.

I think I need to input...

01 02 03 04 ... 32 90 90 90 90 [fillers]
c7 05 e8 c1 04 08 43 a3 53 76 68 23 90 04 08 c3 [16-bit exploit code]

then...

either more more fillers and then my return address, but honestly this is kind of where I get stuck. Could you help me logically walk through how my input string and how it is executed?
0
 
LVL 53

Accepted Solution

by:
Infinity08 earned 500 total points
ID: 37707253
The return address is pushed on the stack when the function is called, ie. right before the function saves the old base pointer (ebp) on the stack.

Inside the function, the current base pointer points to the base of the current stack frame - ie. to the saved old base pointer.

So, you're right that the return address is at (ebp + 4). Your buffer overflow should overwrite this return address with the start of your exploit code. From what you explain, it seems you've succesfully done so.

The positioning of the exploit code within the buffer is up to you. Adding NOP instructions before the start of the exploit code makes it easier to determine a correct return address, because any address between the start of the NOPs and the start of the exploit code is fine.
If you can exactly determine the address of the start of the exploit code though, that doesn't really matter.

If you can get your exploit code to execute, follow it with gdb, and see what's going wrong, if anything.
0
 

Author Comment

by:novice214
ID: 37707330
Thank you so much. I've spent so much time on this already. I will go back and walk through GDB again. Hopefully I will be able to figure this out.
0

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
find our where the exe is being aborted with abort() 11 4,519
Show semaphore name in Pascal 12 644
Binary Bomb/GDB Questions 10 1,918
Crystal Report for VS2013 17 129
If you are looking at this article, you have most likely been hit by some version of ransomware and are trying to find out if there is anything you can do, or what way you should react - READ ON!
This article describes how to reset your Windows 10 password when you've forgotten it.
A short tutorial showing how to set up an email signature in Outlook on the Web (previously known as OWA). For free email signatures designs, visit https://www.mail-signatures.com/articles/signature-templates/?sts=6651 If you want to manage em…

856 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question