Lab 1: Buffer Overflow

Lab Environment Setup

Ubuntu 12.04 (64-bit)


Brief introduction

This is an Information Security lab; there are about 10 exercises and challenges in this blog. There may be many mistakes here; if you find any, please contact me.


Part A: Buffer Overflow Principle

Stack layout and Buffers

                 +------------------+ high address
                 |       ...        |
                 |  stack frame of  |
                 |   main           |
                 |       ...        |
                 +------------------+
                 |  str(a pointer)  | (4 bytes)
                 |  return address  | (4 bytes)
       %ebp----> |    saved %ebp    | (4 bytes)
                 +------------------+
                 |       buf[11]    |
                 |       ...        | (12 bytes)
        buf----> |       buf[0]     |
                 |     variable_a   | (4 bytes)
                 |       ...        |
                 +------------------+ low address


We overwrite RET (the saved return address) with BF, the address of the small buffer. When the function returns, execution continues from BF instead of from the caller.

Our goal is simple: change the return address of a function so that it executes the shellcode placed in the buffer and does what we want.


Exercise 1:

Now you can write some code. Your job is to print the address of the variable buffer in the C program stack1.c, and compile the C program as above.
Run it three times, observe the output, and write down the printed addresses in address.txt. Are these 3 addresses the same or not?

These 3 addresses are not the same! We can use

printf("buffer = %p\n", (void *)buffer);

to get this address (%p expects a void pointer, hence the cast). We can see the addresses in the picture.

print the addresses 3 times


Challenge !

Read the file /proc/pid/maps on your machine (pid is the process id), observe the value of [stack].

$ sudo vim /proc/2100/maps
The value of [stack] is marked in red.


Exercise 2:

Use gdb to debug the program, as the following. You may find the online gdb documentation useful.

Use gdb to run stack1


Address Space Layout Randomization

In order to protect against buffer overflows, most recent operating systems introduce many protection mechanisms, among which the most important one is address space layout randomization (ASLR). For the purpose of this lab, you should simply turn off ASLR (in lab 2 you will perform attacks while ASLR is effective), which makes the attack easier to achieve. To turn off ASLR, you can run these commands:

$ su root
Password : ( enter root password )
# sysctl -w kernel.randomize_va_space=0


Exercise 3:

Turn off address space layout randomization, then do exercise 1 again and write down the three addresses in args.txt. Are those three addresses the same or not?

These 3 addresses are the same! We can see these addresses in the picture.

These three addresses
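The Challenge above asks you to read the [stack] line of /proc/pid/maps, and Exercise 3 asks whether the printed buffer address stays fixed once ASLR is off. The following program is an added example, not part of the lab or the original post: it parses maps-format text, locates the [stack] mapping, checks whether a printed buffer address falls inside it, and compares the stack range of two runs to tell whether randomization is in effect. The maps dumps are constructed samples in the style of a 32-bit Ubuntu 12.04 process; the paths, inode numbers and addresses are made up, not captured from a real system.

```c
#include <stdio.h>
#include <string.h>

/* One mapping line from /proc/<pid>/maps, reduced to what the lab needs. */
struct mapping {
    unsigned long long start;
    unsigned long long end;
    char perms[5];
    char path[64];
};

/* Parse a single maps line such as
 *   "bffdf000-c0000000 rw-p 00000000 00:00 0          [stack]"
 * Columns: start-end perms offset dev(major:minor) inode [pathname].
 * The pathname is optional (anonymous mappings have none).
 * Returns 1 on success, 0 if the line is not in the expected format. */
static int parse_maps_line(const char *line, struct mapping *m)
{
    unsigned long long offset, inode;
    unsigned int dev_major, dev_minor;
    int n;

    m->path[0] = '\0';
    n = sscanf(line, "%llx-%llx %4s %llx %x:%x %llu %63s",
               &m->start, &m->end, m->perms, &offset,
               &dev_major, &dev_minor, &inode, m->path);
    return n >= 7;
}

/* Walk a whole maps dump (newline-separated lines) and return the [stack]
 * mapping. Returns 1 and fills *stack if found, 0 otherwise. */
static int find_stack_mapping(const char *maps, struct mapping *stack)
{
    const char *p = maps;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[256];
        struct mapping m;
        if (len < sizeof line) {
            memcpy(line, p, len);
            line[len] = '\0';
            if (parse_maps_line(line, &m) && strcmp(m.path, "[stack]") == 0) {
                *stack = m;
                return 1;
            }
        }
        if (!nl) break;
        p = nl + 1;
    }
    return 0;
}

/* Does an address (e.g. the value printed by printf("%p", buffer)) lie
 * inside the [stack] mapping of this dump? */
static int address_in_stack(const char *maps, unsigned long long addr)
{
    struct mapping s;
    return find_stack_mapping(maps, &s) && addr >= s.start && addr < s.end;
}

/* Compare the [stack] ranges of two runs of the same program. With ASLR on
 * (randomize_va_space = 2) the range moves from run to run; with it off
 * (= 0) it is identical. Returns 1 if the stack moved, 0 if it did not,
 * -1 if either dump has no [stack] line. */
static int stack_randomized(const char *maps_run1, const char *maps_run2)
{
    struct mapping a, b;
    if (!find_stack_mapping(maps_run1, &a) || !find_stack_mapping(maps_run2, &b))
        return -1;
    return a.start != b.start || a.end != b.end;
}

/* Constructed sample dumps (hypothetical paths and addresses). */
static const char MAPS_RUN1[] =
    "08048000-08049000 r-xp 00000000 08:01 393241     /home/user/lab1/stack1\n"
    "08049000-0804a000 rw-p 00000000 08:01 393241     /home/user/lab1/stack1\n"
    "b7e2f000-b7fd3000 r-xp 00000000 08:01 1310944    /lib/i386-linux-gnu/libc.so\n"
    "b7fdc000-b7fdd000 r-xp 00000000 00:00 0          [vdso]\n"
    "bf8c5000-bf8e6000 rw-p 00000000 00:00 0          [stack]\n";

static const char MAPS_RUN2[] = /* second run of the same binary, ASLR on */
    "08048000-08049000 r-xp 00000000 08:01 393241     /home/user/lab1/stack1\n"
    "bfa10000-bfa31000 rw-p 00000000 00:00 0          [stack]\n";

static const char MAPS_NO_ASLR[] = /* randomize_va_space = 0: fixed top of stack */
    "bffdf000-c0000000 rw-p 00000000 00:00 0          [stack]\n";

int main(void)
{
    struct mapping s;
    if (find_stack_mapping(MAPS_RUN1, &s))
        printf("[stack] = %llx-%llx\n", s.start, s.end);
    printf("buffer 0xbf8e5a1c in stack: %d\n", address_in_stack(MAPS_RUN1, 0xbf8e5a1cULL));
    printf("stack moved between runs (ASLR on): %d\n", stack_randomized(MAPS_RUN1, MAPS_RUN2));
    printf("stack moved between runs (ASLR off): %d\n", stack_randomized(MAPS_NO_ASLR, MAPS_NO_ASLR));
    return 0;
}
```

To use it on a real process, replace the constructed strings with the contents of /proc/<pid>/maps read while the program is stopped (for example under gdb) and pass the address printed by stack1 to address_in_stack.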


Buffer Overflow and Shellcode

A buffer overflow occurs when data written to a buffer exceeds the length of the buffer, corrupting data values stored in the memory addresses adjacent to the end of the buffer. This often happens when copying data into a buffer without sufficient bounds checking.
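To make the sentence above concrete, here is an added example (not code from the lab or the original post) that models the frame drawn in Part A: a 12-byte buffer followed immediately by a 4-byte value that must stay intact, standing in for the saved %ebp or return address. An unchecked copy in the strcpy/gets style overruns the buffer and overwrites the adjacent value; a bounded copy that honours the destination size does not. Both fields are placed inside one 16-byte array so every write stays within a single object and the behaviour is well defined; the input bytes are constructed.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#define BUF_LEN   12                 /* the buf[12] from the stack diagram */
#define FRAME_LEN (BUF_LEN + 4)      /* plus the 4-byte value right after it */

/* Constructed input: 16 bytes, i.e. 4 more than the buffer can hold. */
static const unsigned char TOO_LONG[16] = {
    'A','A','A','A','A','A','A','A','A','A','A','A',
    'B','B','B','B'                  /* these would land on the adjacent value */
};

/* Unchecked copy, the pattern behind strcpy()/gets(): trusts the source length. */
static void copy_unchecked(unsigned char *buf, const unsigned char *src, size_t src_len)
{
    memcpy(buf, src, src_len);
}

/* Bounded copy: never writes more than the destination can hold and reports
 * truncation (1) instead of silently overrunning. */
static int copy_bounded(unsigned char *buf, size_t buf_len,
                        const unsigned char *src, size_t src_len)
{
    size_t n = src_len < buf_len ? src_len : buf_len;
    memcpy(buf, src, n);
    return n < src_len;
}

/* Build the modelled frame, run one copy into its buffer, and return the
 * adjacent 4-byte value afterwards. */
static uint32_t adjacent_after(int bounded)
{
    unsigned char frame[FRAME_LEN];
    const uint32_t sentinel = 0x12345678u;   /* known value next to the buffer */
    uint32_t after;

    memset(frame, 0, sizeof frame);
    memcpy(frame + BUF_LEN, &sentinel, sizeof sentinel);
    if (bounded)
        copy_bounded(frame, BUF_LEN, TOO_LONG, sizeof TOO_LONG);
    else
        copy_unchecked(frame, TOO_LONG, sizeof TOO_LONG);
    memcpy(&after, frame + BUF_LEN, sizeof after);
    return after;
}

/* 1 if the value adjacent to the buffer survived the copy, 0 if it was clobbered. */
static int adjacent_intact(int bounded)
{
    return adjacent_after(bounded) == 0x12345678u;
}

int main(void)
{
    printf("unchecked copy: adjacent value 0x%08x, intact=%d\n",
           adjacent_after(0), adjacent_intact(0));
    printf("bounded copy:   adjacent value 0x%08x, intact=%d\n",
           adjacent_after(1), adjacent_intact(1));
    return 0;
}
```

In the real stack1.c the adjacent value is the saved frame pointer and return address, and the corrupted bytes come from untrusted input; the fix is the same idea as copy_bounded: size the copy by the destination, not by the source.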


Exercise 4:

Use gdb to print the value of the register %eip when the program crashes. How does the program get to this address?

print the value of the register %eip


When this program crashes, we can use i r $eip to get the value of %eip, and it's 0xf7e070a9 on my laptop.

As follows:

eip            0xf7e070a9       0xf7e070a9
Why does the program run to this address? I cut some code from the result of disassemb