This week's lab will focus mainly on buffer overflow attacks. Essentially,
you will be creating input for a function that causes the return address, as
well as other internal variables, to be overwritten.
To get the files to use in lab, run the command:
cp /web/classes/Fall-2018/csci2021-010/labs/0x7/{Makefile,hex_echo.c} .
To compile hex_echo.c, we have provided a Makefile for you. Thus to compile, execute the command make in the terminal.
To see what hex_echo does, run the executable hex_echo with the following
value: 48656c6c6f726c6421. Also, when looking at the C code you'll notice
we added a function called overflow_target that is never actually called. It
is your goal in this lab to get overflow_target to run when calling hex_echo.
The first step in completing this lab is to figure out what you need to
accomplish in order to get the overflow_target function to run. If you
remember from class, functions can have vulnerabilities such as buffer
overflows. This means that if your input is too large and you try to put it
into a buffer that is too small, it starts to overwrite other parts of
memory. In this case we will be trying to overwrite the part of memory that
holds the return address of hex_echo. The idea is that we overwrite this
value so that, instead of returning to its normal caller, the function
returns to the address of overflow_target.
In order to do this we will use gdb and some new commands to investigate
our function and see how it is laid out in memory, in order to acquire the
information we need to overwrite the return address and have overflow_target
execute.
For a refresher on running gdb and some basic commands, refer back to labs 0x5 and 0x6. You can also look on Moodle for the PDF that has a list of many useful commands for gdb. The new commands you may find useful in this lab are:
info frame: shows information related to the stack frame
p &variable: prints the memory address of a variable in the code
p function_name: prints the function (this will also give you an address)
disas function_name: gives the assembly of the given function
(Hint! You can also do arithmetic in print, e.g. print a-b)
From the command line, you can also look up the address of overflow_target
in the hex_echo executable with the following command:
nm hex_echo | fgrep target
As a hint to get you going, the information you will need to find is the
address of overflow_target and the size of your input (Hint! You'll need a
buffer AND the lab machines are little endian).
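The overwrite and the little-endian byte order described above, as an added example that is not part of the lab's files: a stack frame modelled in one byte array, with a buffer followed by an 8-byte slot standing in for the saved return address. The buffer size, the slot's starting value and the input string are constructed, and decode_hex is a hypothetical stand-in, not the code in hex_echo.c.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_LEN 8                 /* assumed buffer size, not hex_echo's */
#define FRAME_LEN (BUF_LEN + 8)   /* buffer followed by an 8-byte slot */

/* Model frame: mem[0..7] is the buffer, mem[8..15] the saved-return slot.
 * It is one array, so the "overflow" below never leaves valid memory. */
typedef struct { unsigned char mem[FRAME_LEN]; } frame_t;

static int hexval(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decode hex pairs into the frame, accepting at most `limit` bytes.
 * limit == BUF_LEN is the checked copy; FRAME_LEN models the missing check.
 * Returns bytes written, or -1 for bad hex or input longer than limit. */
int decode_hex(frame_t *f, const char *hex, size_t limit) {
    size_t n = strlen(hex);
    if (n % 2 != 0 || n / 2 > limit) return -1;
    for (size_t i = 0; i < n / 2; i++) {
        int hi = hexval(hex[2 * i]), lo = hexval(hex[2 * i + 1]);
        if (hi < 0 || lo < 0) return -1;
        f->mem[i] = (unsigned char)((hi << 4) | lo);
    }
    return (int)(n / 2);
}

/* Read the slot as a little-endian machine does: lowest address = low byte. */
uint64_t saved_slot(const frame_t *f) {
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--) v = (v << 8) | f->mem[BUF_LEN + i];
    return v;
}

void frame_init(frame_t *f, uint64_t ret) {
    memset(f->mem, 0, FRAME_LEN);
    for (int i = 0; i < 8; i++) f->mem[BUF_LEN + i] = (unsigned char)(ret >> (8 * i));
}

int main(void) {
    frame_t f;
    frame_init(&f, 0x401136ULL);  /* constructed starting value */
    decode_hex(&f, "4141414141414141efbeadde00000000", FRAME_LEN);
    printf("slot after unchecked copy: 0x%016llx\n", (unsigned long long)saved_slot(&f));
    return 0;
}
```

With the limit set to BUF_LEN the same input is rejected and the slot keeps its value, which is the bounds check a fixed decoder needs.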