There are three parts to this assignment. They make use of the files contained in this zip file. You can do this exercise using either the LCC-Win32 compiler or Microsoft's Visual C/C++ compiler.
In the zip file there is a C source file called mischief.c. For the first part of this assignment, follow the instructions contained in that source code file. The main idea is that you are to write a function that modifies the return address stored in its stack frame so that the function returns somewhere other than where it is supposed to (this is the main idea behind "buffer overflow attacks" or "smashing the stack").
In the zip file there is a C program called sittingDuck.c. Also in the zip file is an executable sittingDuck.exe and a data file called exploit.bin. Do not compile the program. Use the executable given in the zip file. Run the executable with the data file as its input (using I/O redirection) by using the following command line
C:\hw2> sittingDuck <exploit.bin
The program will run, produce some lines of output, and then crash. The data file causes a "buffer overflow" in the program, and the buffer overflow causes the crash. The second part of your assignment is to give a detailed explanation of how the buffer overflow leads to the crash. In particular, figure out which line of the program causes the crash and why. Your explanation should make specific references to the assembly language listing of the program (which is also provided in the zip file) and to the way the program creates its stack frames.
The third part of your assignment is to construct your own exploit2.bin input that, when read in by sittingDuck.exe, corrupts the stack of the function vulnerable() (in sittingDuck.c) in such a way that when vulnerable() returns, it returns to the call to the printf() function in the else part of the main() function (just like in the first part of this assignment). Do not modify or recompile the program sittingDuck.c. Your exploit should work with the executable contained in the zip file. Test your exploit against the executable with a command line like the following:
C:\hw2> sittingDuck <exploit2.bin
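For contrast with the overflow you are asked to explain, here is an added example (not part of the zip file or of sittingDuck.c) of the defensive counterpart: a bounded line reader that cannot overrun its buffer and that reports, instead of silently hiding, an input line longer than the buffer. It assumes, as a hypothetical, that vulnerable() reads one line of redirected stdin into a fixed-size stack buffer with an unbounded call such as gets(); the 16-byte size and the 40-byte input are constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

/* Assumed buffer size of a hypothetical vulnerable(); the real size is in
 * the provided sittingDuck.c source and will differ. */
#define LINE_CAP 16

enum read_status { READ_OK = 0, READ_TRUNCATED = 1, READ_EOF = -1 };

/* The unsafe pattern (shown, never called): gets() copies the whole input
 * line into buf no matter how long it is, so a line longer than sizeof(buf)
 * overwrites whatever sits above buf in the stack frame, including the saved
 * return address:
 *     char buf[LINE_CAP]; gets(buf);
 */

/* Hardened replacement: reads at most cap-1 bytes, always NUL-terminates,
 * and drains the rest of an over-long line so the next read starts on a
 * fresh line. Returns READ_TRUNCATED when input was dropped. */
int bounded_read_line(FILE *in, char *buf, size_t cap)
{
    if (cap == 0 || fgets(buf, (int)cap, in) == NULL)
        return READ_EOF;
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';          /* complete line: strip the newline */
        return READ_OK;
    }
    /* No newline in buf: the line was cut at cap-1 bytes, or EOF ended it.
     * Count the bytes we have to throw away to reach end of line. */
    int c, dropped = 0;
    while ((c = getc(in)) != EOF && c != '\n')
        dropped++;
    return dropped ? READ_TRUNCATED : READ_OK;
}

/* Result of the last read_from_string() call, for inspection. */
char last_line[LINE_CAP];

/* Feeds a constructed input through the reader the same way
 * "sittingDuck <exploit.bin" feeds a file via stdin redirection. */
int read_from_string(const char *input)
{
    FILE *f = tmpfile();              /* standard C, works on Windows too */
    if (f == NULL) return READ_EOF;
    fputs(input, f);
    rewind(f);
    int rc = bounded_read_line(f, last_line, sizeof last_line);
    fclose(f);
    return rc;
}

int main(void)
{
    /* Constructed over-long line: 40 'A's stand in for an exploit input
     * that would overrun a 16-byte buffer in the unsafe version. */
    int rc = read_from_string("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n");
    printf("status=%d kept=%zu bytes: \"%s\"\n", rc, strlen(last_line), last_line);
    return 0;
}
```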
To create your exploit file, you may need a hex file editor. Here is a link to a fairly good free one (and if you know of a better one, please let me know).
Freeware Hex Editor XVI32
If you want, you can also experiment with the demo version of Hiew, a hex editor/disassembler that has a great number of features but is not all that easy to use.
The best strategy for doing the second and third parts of this assignment is to use the sittingDuck.asm assembly language listing and the disassembly window in the Visual Studio debugger to create a very detailed drawing of the running program's stack frames. (Such a drawing should be part of what you turn in for the second part.)
Turn in a zip file containing your version of mischief.c from the first part of this assignment, your explanation of the second part, and your exploit2.bin file for the third part. If you want to know if your explanation is on track and sufficiently detailed, send me a copy before the due date and I'll let you know how you are doing.
This assignment is due Wednesday, January 31.
For more information about the use of the system stack for function calls, see these lecture notes from the operating systems course (15-410) at Carnegie Mellon University and these lecture notes from their architecture course.
Here are some references about buffer overflows.