cs app lab3 缓冲区溢出攻击 bufbomb

The BUFBOMB Program

The BUFBOMB program reads a string from standard input with a function getbuf having the following C code:

1 int getbuf()

2 {

3 char buf[12];

4 Gets(buf);

5 return 1;

6 }

The function Gets is similar to the standard library function gets—it reads a string from standard input (terminated by ‘\n’ or end-of-file) and stores it (along with a null terminator) at the specified destination. In this code, the destination is an array buf having sufficient space for 12 characters. Neither Gets nor gets has any way to determine whether there is enough space at the destination to storethe entire string. Instead, they simply copy the entire string, possibly overrunning the bounds of the storage allocated at the destination. If the string typed by the user to getbuf is no more than 11 characters long, it is clear that getbuf will return 1, as shown by the following execution example:

unix> ./bufbomb

Type string: howdy doody

Dud: getbuf returned 0x1

Typically an error occurs if we type a longer string:

unix> ./bufbomb

Type string: This string is too long

Ouch!: You caused a segmentation fault!

As the error message indicates, overrunning the buffer typically causes the program state to be corrupted, leading to a memory access error. Your task is to be more clever with the strings you feed BUFBOMB so that it does more interesting things. These are called exploit strings.

BUFBOMB takes several different command line arguments:

-t NAME: Operate the bomb for the indicated name. You should always provide this argument for several reasons:

� It is required to log your successful attacks.� BUFBOMB determines the cookie you will be using based on your name, just as does the program MAKECOOKIE. � We have built features into BUFBOMB so that some of the key stack addresses you will need to use depend on your cookie.

-h: Print list of possible command line arguments

-n: Operate in “Nitro” mode, as is used in Level 4 below.

Your exploit strings will typically contain byte values that do not correspond to the ASCII values for printing characters. The program SENDSTRING can help you generate theseraw strings. It takes as input a hexformatted string. In this format, each byte value is represented by two hex digits. For example, the string “012345” could be entered in hex format as “30 31 32 33 34 35.” (Recall that the ASCII code fordecimal digit is 0x3x). Non-hex digit characters are ignored, including the blanks in the example shown.If you generate a hex-formatted exploit string in the file exploit.txt, you can apply the raw string to BUFBOMB in several different ways:

1. You can set up a series of pipes to pass the string through SENDSTRING.

unix> cat exploit.txt | ./sendstring | ./bufbomb -t bovik

2. You can store the raw string in a file and use I/O redirection to supply it to BUFBOMB:

unix> ./sendstring < exploit.txt > exploit-raw.txt

unix> ./bufbomb -t bovik < exploit-raw.txt

This approach can also be used when running BUFBOMB from within GDB:

unix> gdb bufbomb

(gdb) run -t bovik < exploit-raw.txt

One important point: your exploit string must not contain byte