CIS 458 Lab 9: Buffer Overflow

This lab may be done individually, but it is recommended that you work in groups of 2.

Objective: The objective of this lab is to gain insight into how buffer overflow attacks work.


This lab is based on an original lab written by Wenliang Du of Syracuse University for the SEED project. While the goals of the lab are similar, these instructions are completely rewritten.


Setup

In this lab we will be implementing a buffer overflow attack on a simple program. The goal of the buffer overflow is to get a program to run a shell. If the program runs at setuid root, this is a significant vulnerability, as the shell will have root permissions.

This lab needs to be done on the SEED virtual machines. Like most Linux machines, they have some protections against buffer overflows enabled by default. These make our simple attack more difficult, so we will be turning them off:


Shellcode example

First, let's take a look at a program that launches some shellcode. Download call_shellcode.c and read the code. This code works by putting machine code into a character array (which is how C represents a string), casting that array to a function pointer, and calling the function. If you do not understand this code, please ask about it. Run it and verify that it works. We will not use this file in the attack; it is simply an example to show that it is possible to run code from a string.


The attack

Now that we understand shellcode, let's prepare an attack. We will be attacking the program in stack.c. Download and read this code. Basically, it reads 517 bytes from a file, calls a function which copies those bytes into a buffer, and exits. This buffer is much smaller than 517 bytes, and the unchecked copy is what creates the vulnerability.
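As an added illustration of the bug class described above (example code, not the lab's stack.c or SEED code), the unchecked copy is shown beside a bounded version that rejects input that does not fit; the buffer size of 24 and the function names are assumptions:

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 24     /* assumed size of the small stack buffer (not the lab's real value) */
#define INPUT_SIZE 517  /* the lab's input size */

/* Vulnerable pattern (the class of bug in stack.c): strcpy does not know how
   large the destination is, so any input longer than BUF_SIZE - 1 bytes
   writes past the end of the stack buffer. Shown for comparison only. */
int bof_unchecked(const char *str) {
    char buffer[BUF_SIZE];
    strcpy(buffer, str);
    return 1;
}

/* Hardened version: the caller passes the input length, the function checks
   it against the buffer it owns, and refuses anything that does not fit
   (leaving room for the terminating NUL). */
int bof_checked(const char *str, size_t len) {
    char buffer[BUF_SIZE];
    if (len >= sizeof buffer)
        return 0;                 /* reject instead of overflowing */
    memcpy(buffer, str, len);
    buffer[len] = '\0';
    return 1;
}

/* Constructed test input: len bytes of 'A' (no shellcode), capped at the
   lab's 517-byte read. Returns 1 if bof_checked accepted it, 0 if refused. */
int copy_of_length_accepted(size_t len) {
    char input[INPUT_SIZE];
    if (len > sizeof input)
        len = sizeof input;
    memset(input, 'A', len);
    return bof_checked(input, len);
}

int main(void) {
    printf("23 bytes:  %s\n", copy_of_length_accepted(23) ? "accepted" : "rejected");
    printf("24 bytes:  %s\n", copy_of_length_accepted(24) ? "accepted" : "rejected");
    printf("517 bytes: %s\n", copy_of_length_accepted(517) ? "accepted" : "rejected");
    return 0;
}
```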

The program exploit.c will create the file to use as input to attack stack.c. However, exploit.c is not complete. It contains the shellcode, but does not actually write it to the output file.

Your task is to complete exploit.c so that the file it writes can be used to attack stack.c when stack.c reads it. You will need to get the shellcode into an appropriate place in the buffer and cause program execution to jump to the buffer.

While in a real attack you may not have access to the code you are attacking, in this exercise feel free to modify stack.c to learn from it, as long as you ensure your exploit works on the original. Remember, your goal is to transfer execution to the shellcode. Consider what information you need to accomplish this and how you can get it.

When completed, turn in your code and a short paragraph or two explaining how your attack code works. You will also be required to demonstrate your attack in action.