CS 213 Fall 2001 Lab Assignment L3 The Buffer Bomb Assigned Sep 27 Due Thurs Oct 4 11 59PM Randy Bryant Randy Bryant cs cmu edu is the lead person for this assignment Introduction This assignment helps you develop a detailed understanding of the calling stack organization on an IA32 processor It involves applying a series of buffer overflow attacks on an executable file bufbomb in the lab directory Note In this lab you will gain firsthand experience with one of the methods commonly used to exploit security weaknesses in operating systems and network servers Our purpose is to help you learn about the runtime operation of programs and to understand the nature of this form of security weakness so that you can avoid it when you write system code We do not condone the use of these or any other form of attack to gain unauthorized access to any system resources There are criminal statutes governing such activities Logistics You may work in a group of up to two people in solving the problems for this assignment The only hand in will be an automated logging of your successful attacks Any clarifications and revisions to the assignment will be posted on the course Web page Hand Out Instructions In the directory afs cs cmu edu academic class 15213 f01 L3 you will see the files for three programs MAKECOOKIE Generates a cookie based on your team name 1 BUFBOMB The code you will attack SENDSTRING A utility to help convert between string formats All of these programs are compiled to run on the Fish machines In the following we will assume that you have defined the lab directory to be on your execution path You can do this by executing the following command unix setenv PATH afs cs cmu edu academic class 15213 f01 L3 PATH Team Name and Cookie You should create a team name for the one or two people in your group of the following form where is your Andrew ID if you are working alone or where second team member is the Andrew ID of the first team member and is the Andrew ID of the You should choose a consistent ordering of the IDs in the second form of team name Teams ac00 bovik and bovik ac00 are considered distinct You must follow this scheme for generating your team name Our grading program will only give credit to those people whose Andrew IDs can be extracted from the team names A cookie is a string of eight hexadecimal digits that is with high probability unique to your team You can generate your cookie with the makecookie program giving your team name as the argument For example unix makecookie ac00 bovik 0x78327b66 In three of your four buffer attacks your objective will be to make your cookie show up in places where it ordinarily would not The B UFBOMB Program The BUFBOMB program reads a string from standard input with a function getbuf having the following C code 1 2 3 4 5 6 int getbuf char buf 12 Gets buf return 1 2 The function Gets is similar to the standard library function gets it reads a string from standard input terminated by n or end of file and stores it along with a null terminator at the specified destination In this code the destination is an array buf having sufficient space for 12 characters Neither Gets nor gets have any way to determine whether there is enough space at the destination to store the entire string Instead they simply copy the entire string possibly overrunning the bounds of the storage allocated at the destination If the string typed by the user to getbuf is no more than 11 characters long it is clear that getbuf will return 1 as shown by the following execution example unix bufbomb Type string howdy doody Dud getbuf returned 0x1 If we type a longer string typically an error occurs unix bufbomb Type string This string is too long Ouch You caused a segmentation fault As the error message indicates overrunning the buffer typically causes the program state to be corrupted leading to a memory access error Your task is to be more clever with the strings you feed BUFBOMB so that it does more interesting things These are called exploit strings B UFBOMB takes several different command line arguments t TEAM Operate the bomb for the indicated team You should always provide this argument for several reasons It is required to log your successful attacks B UFBOMB determines the cookie you will be using based on your team name just as does the program MAKECOOKIE We have built features into BUFBOMB so that some of the key stack addresses you will need to use depend on your team s cookie h Print list of possible command line arguments n Operate in Nitro mode as is used in Level 3 below Your exploit strings will typically contain byte values that do not correspond to the ASCII values for printing characters The program SENDSTRING can help you generate these raw strings It takes as input a hexformatted string In this format each byte value is represented by two hex digits For example the string 012345 could be entered in hex format as 30 31 32 33 34 35 since the ASCII code for decimal digit is 0x3 Non hex digit characters are ignored including the blanks in the example shown If you generate a hex formatted exploit string in the file exploit txt you can apply the raw string to BUFBOMB in several different ways 3 1 You can set up a series of pipes to pass the string through SENDSTRING unix cat exploit txt sendstring bufbomb t bovik 2 You can store the raw string in a file and use I O redirection to supply it to BUFBOMB unix sendstring exploit txt exploit raw txt unix bufbomb t bovik exploit raw txt This approach can also be used when running BUFBOMB from within GDB unix gdb afs cs cmu edu academic class 15213 f01 L3 bufbomb gdb run t bovik exploit raw txt One important point your exploit string must not contain byte value 0x0A at any intermediate position since this is the ASCII code for newline n When Gets encounters this byte it will assume you intended to terminate the string S ENDSTRING will warn you if it encounters this byte value When you correctly solve one of the levels BUFBOMB will automatically send an email notification to our grading server The server will test your exploit string to make sure it really works and it will update the lab web page indicating that your team listed by cookie has completed this level Unlike the bomb lab there is no penalty for making mistakes in this lab Feel free to fire away at BUFBOMB with any string you like Level 0 Sparkler 15 pts The function getbuf is called within BUFBOMB by a function test having the following C code 1 2 3 4 5 6
View Full Document
Unlocking...