Description
In this assignment you are going to exploit a buffer overflow vulnerability in a very simple but
badly written program. This assignment assumes background knowledge of Linux process
memory layout, Stack ABI and familiarity with x86 architecture and GDB.
The vulnerable program of this assignment is Greeter. It simply asks for your name and kindly
greets you. Initially, it asks the name of the user and calls the readString function, readString
uses gets function in order to place the name of the user in a local buffer (placed in the stack).
Then, the local buffer is copied in a global buffer and the readString function returns. Finally,
the program calls printf function with the global buffer as an argument in order to print “Hello
, have a nice day.”.
However, the developer of the greeter program did not take into account that gets function
does not check if the size of the input string is larger than the size of the buffer. Thus, if a large
string is provided, gets will write past the local buffer and overwrite adjacent memory areas.
This will likely result in a Segmentation fault.
Given the above situation, a sophisticated user with malicious intent will be able to provide
specially crafted input that will overwrite the return address of the readString function and
divert the execution, anywhere in the Greeter program. The malicious user, can also introduce
new functionality in the greeter program by providing machine instructions as input while
overwriting the return address to point at the address the provided input is stored by the
program. This type of attack is called Arbitrary Code Execution. For more information visit:
https://en.wikipedia.org/wiki/Arbitrary_code_execution
For this assignment you have to force the greeter program to spawn a terminal shell. In order
to accomplish this, you have to provide a specially crafted input that will make the greeter
program execute arbitrary code.
Proposed steps for the assignment
1. Finding the buffer and the return address location.
For this step you can use GDB (https://www.cprogramming.com/gdbtutorial.html). Run the
greeter program using the debugger, the size of the buffer is 32 bytes. What happens when you
provide a long string of A characters? (Hint: look at the segmentation fault address, what is the
ascii hex number of character ‘A’). For simplicity, the provided binary is compiled with debug
symbols, you can easily find the address of buffers using GDB.
2. Payload generation and test.
Your goal for this assignment is to make the Greeter program spawn a terminal shell. A simple C
code snippet that would return such a shell is:
char *args[2];
args[0] = “/bin/bash”;
args[1] = NULL;
execve(args[0], args, NULL);
You can generate the shellcode by compiling the above example in order to obtain the machine
code. You can find numerous examples of shellcode online (binary form), it is not required to
generate your own from source. Find a way to test the shellcode before trying to exploit the
greeter program. Create a simple test program to try this (Hint: Look at “-z execstack”
compilation flag in gcc, how can you make a memory page executable in Linux?, how can you
execute machine code using C programming language). A successful run of the test program will
spawn a terminal shell.
3. Input file generation.
It is not advisable to type characters in hex form as input. Thus, you must create a simple script
(preferably in python), that will create the exploit (i.e. input file that results in arbitrary code
execution). The input shall contain the payload (i.e. machine code for shell spawning) and the
address of the buffer the input will be stored. The address must be accurately placed in the
input file in order to overwrite the return address when the stack buffer overflows. You may
need some padding between the shellcode and the address (Hint: check what “0x90” is in x86
architecture). Do not forget that the input file must contain bytes, not characters.
4. Testing the exploit.
Run the greeter program with the file containing the exploit as input. When the shell is
spawned run some commands (e.g. ls, whoami, etc.). By redirecting the input however you will
not be able to enter any commands in the spawned shell. A very nice solution is described in:
https://reverseengineering.stackexchange.com/questions/13928/managing-inputs-for-payloadinjection
Notes
1. Preferably use the precompiled version of the Greeter program. It is compiled statically
without position independence, thus, your generated exploit input is likely to work in
any machine you test it. Moreover, the addresses of the buffers will not change each
time you run the program. The binary is compiled with “-m32” (32-bit addressing mode)
in order to be easier to reverse engineer Greeter (find addresses of buffers, etc.).
2. A lot of compiler features are disabled in order to make Greeter as vulnerable as
possible, check the compilation flags in the Makefile.
3. You need to write a generator program that will generate the input that exploits the
Greeter program (preferably written in Python).
4. There are numerous onlines tutorials with techniques and tricks that will help you
develop a successful exploit.
5. You need to create a README with your name, your AM and a description of how you
developed the exploit of this assignment.
6. You must submit the following files: README, generator script, shellcode test program,
exploit input file.
7. You should place all these files in a folder named _assign8 and then compress it as
a .zip file. For example, if your login is 2020123456 the folder should be named
2020123456_assign8 you should commit 2020123456_assign8.zip.
8. Use the tab “Συζήτηση” in courses for questions.
