University of Minnesota
Machine Architecture and Organization (sec 010)

CSCI 2021 lab0x7


Buffer Overflow Attacks

This week's lab will focus mainly on buffer overflow attacks. Essentially, you will be creating input for a function that causes the return address, as well as other internal variables, to be overwritten.


Completing The Lab

To get the files to use in lab, run the command:

cp /web/classes/Fall-2018/csci2021-010/labs/0x7/{Makefile,hex_echo.c} .

We have provided a Makefile for compiling hex_echo.c. To compile, execute the command make in the terminal.

To see what hex_echo does, run the executable hex_echo with the following value: 48656c6c6f726c6421. Also, when looking at the C code you'll notice we added a function called overflow_target that is never actually called. Your goal in this lab is to get overflow_target to run when calling hex_echo.

The first step in completing this lab is to figure out what you need to accomplish in order to get the overflow_target function to run. If you remember from class, functions can have vulnerabilities such as buffer overflows. This means that if your input is too large and you try to put it into a buffer that is too small, it starts to overwrite other parts of memory. In this case we will be trying to overwrite the part of memory that holds the return address of hex_echo. The idea is that instead of letting the function return to where it normally would, we overwrite this value with the address of overflow_target.

In order to do this we will use gdb and some new commands to investigate our function and see how it lays out in memory in order to acquire the information we need to overwrite the return address and have the overflow_target execute.

For a refresher on running gdb and some basic commands, refer back to labs 0x5 and 0x6. You can also look on Moodle for the PDF that has a list of many useful commands for gdb. The new commands you may find useful in this lab will be:

info frame: shows information related to the stack frame
p &variable: prints the memory address of a variable in the code
p function_name: prints the function (this will also give you an address)
disas function_name: gives the assembly of the given function
(Hint! You can also do arithmetic in print, e.g. print a-b)

From the command line, you can get the address of overflow_target in the hex_echo executable with the following command:
nm hex_echo | fgrep target

As a hint to get you going, the information you will need to find is the address of overflow_target and the size of your input (Hint! You'll need a buffer AND the lab machines are little-endian).
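
The overflow described above happens when a decoder writes into a fixed-size buffer without knowing how large that buffer is. As an added example (not the lab's hex_echo.c, whose source is not shown on this page; every function name here is hypothetical), this sketch puts that unchecked pattern beside a version that rejects input that will not fit:

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int hex_val(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Unchecked pattern (hypothetical): one byte is written per hex pair with
 * no knowledge of how big out is, so a long input keeps writing past the
 * buffer into the rest of the stack frame. Shown for comparison only;
 * main() never calls it. */
size_t decode_unchecked(const char *hex, unsigned char *out) {
    size_t n = 0;
    for (; hex[0] && hex[1]; hex += 2)
        out[n++] = (unsigned char)((hex_val(hex[0]) & 0xf) * 16
                                   + (hex_val(hex[1]) & 0xf));
    return n;
}

/* Checked pattern: the caller passes the capacity, and malformed or
 * oversized input is refused before any byte is written.
 * Returns the number of bytes decoded, or -1 on rejection. */
long decode_checked(const char *hex, unsigned char *out, size_t cap) {
    size_t len = strlen(hex);
    if (len % 2 != 0 || len / 2 > cap) return -1;  /* odd length or too big */
    for (size_t i = 0; i < len; i++)
        if (hex_val(hex[i]) < 0) return -1;        /* non-hex character */
    for (size_t i = 0; i < len / 2; i++)
        out[i] = (unsigned char)(hex_val(hex[2 * i]) * 16
                                 + hex_val(hex[2 * i + 1]));
    return (long)(len / 2);
}

int main(void) {
    unsigned char buf[16];  /* constructed size, not taken from the lab */
    long n = decode_checked("48656c6c6f726c6421", buf, sizeof buf);
    printf("%ld bytes: %.*s\n", n, (int)n, (const char *)buf);
    /* Constructed input: 17 byte pairs cannot fit in 16 bytes. */
    n = decode_checked("4141414141" "4141414141" "4141414141" "4141",
                       buf, sizeof buf);
    printf("oversized input -> %ld\n", n);
    return 0;
}
```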