CS 213, Fall 2001
Lab Assignment L3: The Buffer Bomb
Assigned: Sep. 27, Due: Thurs., Oct. 4, 11:59PM

Randy Bryant ([email protected]) is the lead person for this assignment.

Introduction

This assignment helps you develop a detailed understanding of the calling stack organization on an IA32 processor. It involves applying a series of buffer overflow attacks on an executable file bufbomb in the lab directory.

Note: In this lab, you will gain firsthand experience with one of the methods commonly used to exploit security weaknesses in operating systems and network servers. Our purpose is to help you learn about the runtime operation of programs and to understand the nature of this form of security weakness so that you can avoid it when you write system code. We do not condone the use of these or any other form of attack to gain unauthorized access to any system resources. There are criminal statutes governing such activities.

Logistics

You may work in a group of up to two people in solving the problems for this assignment. The only “hand-in” will be an automated logging of your successful attacks. Any clarifications and revisions to the assignment will be posted on the course Web page.

Hand Out Instructions

In the directory

    /afs/cs.cmu.edu/academic/class/15213-f01/L3

you will see the files for three programs:

MAKECOOKIE: Generates a “cookie” based on your team name.
BUFBOMB: The code you will attack.
SENDSTRING: A utility to help convert between string formats.

All of these programs are compiled to run on the Fish machines.

In the following, we will assume that you have defined the lab directory to be on your execution path.
You can do this by executing the following command:

    unix> setenv PATH /afs/cs.cmu.edu/academic/class/15213-f01/L3:$PATH

Team Name and Cookie

You should create a team name for the one or two people in your group of the following form:

“ID” where ID is your Andrew ID, if you are working alone, or
“ID1+ID2” where ID1 is the Andrew ID of the first team member and ID2 is the Andrew ID of the second team member.

You should choose a consistent ordering of the IDs in the second form of team name. Teams “ac00+bovik” and “bovik+ac00” are considered distinct. You must follow this scheme for generating your team name. Our grading program will only give credit to those people whose Andrew IDs can be extracted from the team names.

A cookie is a string of eight hexadecimal digits that is (with high probability) unique to your team. You can generate your cookie with the makecookie program, giving your team name as the argument. For example:

    unix> makecookie ac00+bovik
    0x78327b66

In three of your four buffer attacks, your objective will be to make your cookie show up in places where it ordinarily would not.

The BUFBOMB Program

The BUFBOMB program reads a string from standard input with a function getbuf having the following C code:

    int getbuf()
    {
        char buf[12];
        Gets(buf);
        return 1;
    }

The function Gets is similar to the standard library function gets—it reads a string from standard input (terminated by ‘\n’ or end-of-file) and stores it (along with a null terminator) at the specified destination. In this code, the destination is an array buf having sufficient space for 12 characters.

Neither Gets nor gets has any way to determine whether there is enough space at the destination to store the entire string.
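The defect in getbuf is that Gets has no notion of the destination's size. As an added illustration (this is not code from the handout or from bufbomb), here is the same getbuf with the Gets call replaced by a reader that keeps the Gets contract, reading up to ‘\n’ or end-of-file and NUL-terminating, but refuses to write past buf and reports when a line did not fit. The names bounded_gets, getbuf_checked, BUF_CAP and the byte_source callback are chosen here, and the inputs fed to getbuf_checked are constructed stand-ins for what a user would type at the prompt.

```c
/* Added example, not code from the handout or from bufbomb: a
 * bounds-checked replacement for the Gets() call in getbuf(). It keeps
 * the Gets contract (read up to '\n' or end-of-file, drop the newline,
 * NUL-terminate) but never writes past the destination and reports when
 * a line did not fit. bounded_gets, getbuf_checked, BUF_CAP and the
 * byte_source callback are names chosen here. */
#include <stdio.h>
#include <string.h>

#define BUF_CAP 12   /* same size as char buf[12] in the lab's getbuf() */

/* A byte source returns the next input byte, or EOF. Two sources are
 * given: stdin-style FILE input, and a constructed in-memory string so
 * the check can be exercised without typing at a prompt. */
typedef int (*byte_source)(void *ctx);

static int file_source(void *ctx)
{
    return fgetc((FILE *)ctx);
}

static int string_source(void *ctx)
{
    const char **p = (const char **)ctx;
    if (**p == '\0')
        return EOF;
    return (unsigned char)*(*p)++;
}

/* Reads one line into dst (capacity cap, including the terminator).
 * Returns the number of characters stored, or -1 if the line was longer
 * than cap-1 characters. On overflow dst holds the first cap-1
 * characters, NUL-terminated, and the rest of the line is consumed so a
 * caller can continue with the next line. */
int bounded_gets(char *dst, size_t cap, byte_source next, void *ctx)
{
    size_t n = 0;
    int c, overflow = 0;

    if (cap == 0)
        return -1;
    while ((c = next(ctx)) != EOF && c != '\n') {
        if (n + 1 < cap)
            dst[n++] = (char)c;   /* room for this byte and the terminator */
        else
            overflow = 1;         /* discard instead of writing past dst */
    }
    dst[n] = '\0';
    return overflow ? -1 : (int)n;
}

/* getbuf() with the check in place. `input` is a constructed stand-in for
 * what the user types at "Type string:"; `out` must have BUF_CAP bytes.
 * Returns 1 on success, as the original does, and 0 if the string was too
 * long to store, where the original would have overrun buf. */
int getbuf_checked(const char *input, char *out)
{
    const char *cursor = input;
    return bounded_gets(out, BUF_CAP, string_source, &cursor) >= 0 ? 1 : 0;
}

/* Stand-alone use: behaves like bufbomb's prompt, minus the overrun. */
int main(void)
{
    char buf[BUF_CAP];
    printf("Type string: ");
    fflush(stdout);
    if (bounded_gets(buf, BUF_CAP, file_source, stdin) < 0)
        printf("Rejected: input longer than %d characters\n", BUF_CAP - 1);
    else
        printf("Dud: getbuf returned 0x1 (stored \"%s\")\n", buf);
    return 0;
}
```

With the check in place, “howdy doody” (11 characters) is stored exactly as before, while “This string is too long” is truncated to its first 11 characters and reported, instead of spilling into the saved registers and return address that sit above buf on the stack.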
Instead of checking, they simply copy the entire string, possibly overrunning the bounds of the storage allocated at the destination.

If the string typed by the user to getbuf is no more than 11 characters long, it is clear that getbuf will return 1, as shown by the following execution example:

    unix> bufbomb
    Type string: howdy doody
    Dud: getbuf returned 0x1

If we type a longer string, typically an error occurs:

    unix> bufbomb
    Type string: This string is too long
    Ouch!: You caused a segmentation fault!

As the error message indicates, overrunning the buffer typically causes the program state to be corrupted, leading to a memory access error. Your task is to be more clever with the strings you feed BUFBOMB so that it does more interesting things. These are called exploit strings.

BUFBOMB takes several different command line arguments:

-t TEAM: Operate the bomb for the indicated team. You should always provide this argument for several reasons:
    - It is required to log your successful attacks.
    - BUFBOMB determines the cookie you will be using based on your team name, just as does the program MAKECOOKIE.
    - We have built features into BUFBOMB so that some of the key stack addresses you will need to use depend on your team’s cookie.
-h: Print list of possible command line arguments.
-n: Operate in “Nitro” mode, as is used in Level 3 below.

Your exploit strings will typically contain byte values that do not correspond to the ASCII values for printing characters. The program SENDSTRING can help you generate these raw strings. It takes as input a hex-formatted string. In this format, each byte value is represented by two hex digits. For example, the string “012345” could be entered in hex format as “30 31 32 33 34 35,” since the ASCII code for decimal digit d is 0x3d. Non-hex digit characters are ignored, including the blanks in the example shown.

If you generate a hex-formatted exploit string in the file exploit.txt, you can apply the raw string to BUFBOMB in several different ways:

1. You can set up a series of pipes to pass the string through SENDSTRING:

    unix> cat exploit.txt | sendstring | bufbomb -t bovik

2. You can store the raw string in a file and use I/O redirection to supply it to BUFBOMB:

    unix> sendstring < exploit.txt > exploit-raw.txt
    unix> bufbomb -t bovik < exploit-raw.txt

This approach can also be used when running BUFBOMB from within GDB:

    unix> gdb /afs/cs.cmu.edu/academic/class/15213-f01/L3/bufbomb
    (gdb) run -t bovik < exploit-raw.txt

One important point: your exploit string must not contain byte value 0x0A at any intermediate position, since this is the ASCII code for newline (‘\n’). When Gets encounters this byte, it will assume you intended to terminate the string. SENDSTRING will warn you if it encounters this byte value.

When you correctly solve one of the levels, BUFBOMB will automatically send an email notification to our grading server. The server will test your exploit string to make sure it really works, and it will update the lab web page indicating that your team (listed by cookie) has completed this level.

Unlike the bomb lab, there is no penalty for
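The hex format that SENDSTRING accepts is simple enough to decode in a few lines. The following decoder is an added example written for this page; it is not the course's sendstring program. It turns each pair of hex digits into one byte, skips every non-hex character (blanks, newlines, punctuation), rejects a dangling odd digit, and records where a 0x0A byte lands so the caller can apply the rule above: a newline byte is only a problem at an intermediate position, since Gets would stop reading there. The names hex_to_raw, hexval and the HEX_* result codes are chosen here, and the strings used to exercise it are constructed.

```c
/* Added example, not the course's sendstring: a decoder for the
 * hex-formatted string format the handout describes. Every pair of hex
 * digits becomes one byte; characters that are not hex digits are
 * ignored. The index of the first 0x0A byte is reported so the caller
 * can tell whether it sits at an intermediate position, where Gets
 * would cut the string short. hex_to_raw, hexval and the HEX_* codes
 * are names chosen here. */
#include <stdio.h>
#include <stddef.h>
#include <string.h>

enum { HEX_OK = 0, HEX_ODD_DIGITS = -1, HEX_TOO_LONG = -2 };

/* Value of one hex digit, or -1 for any other character. */
static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decodes `hex` into `out` (at most `cap` bytes). Returns the number of
 * bytes written, HEX_ODD_DIGITS if a nibble is left over at the end, or
 * HEX_TOO_LONG if `out` fills up. *newline_at receives the index of the
 * first 0x0A byte in the output, or -1 if there is none. */
long hex_to_raw(const char *hex, unsigned char *out, size_t cap, long *newline_at)
{
    size_t n = 0;
    int hi = -1;                 /* pending high nibble, -1 when none */

    *newline_at = -1;
    for (const char *p = hex; *p != '\0'; p++) {
        int v = hexval((unsigned char)*p);
        if (v < 0)
            continue;            /* non-hex characters are ignored */
        if (hi < 0) {
            hi = v;              /* first digit of a pair */
            continue;
        }
        if (n == cap)
            return HEX_TOO_LONG;
        out[n] = (unsigned char)((hi << 4) | v);
        if (out[n] == 0x0A && *newline_at < 0)
            *newline_at = (long)n;
        n++;
        hi = -1;
    }
    if (hi >= 0)
        return HEX_ODD_DIGITS;   /* odd number of hex digits */
    return (long)n;
}

/* Stand-alone use: hex text on stdin, raw bytes on stdout, and a warning
 * on stderr when a 0x0A byte appears before the final byte. */
int main(void)
{
    char text[4096];
    unsigned char raw[2048];
    size_t len = fread(text, 1, sizeof text - 1, stdin);
    long nl, n;

    text[len] = '\0';
    n = hex_to_raw(text, raw, sizeof raw, &nl);
    if (n < 0) {
        fprintf(stderr, "bad hex input (%s)\n",
                n == HEX_ODD_DIGITS ? "odd number of digits" : "too long");
        return 1;
    }
    if (nl >= 0 && nl < n - 1)
        fprintf(stderr, "warning: byte 0x0A at intermediate position %ld\n", nl);
    fwrite(raw, 1, (size_t)n, stdout);
    return 0;
}
```

Run as a filter it takes the place of sendstring in the pipelines shown above; the handout's example “30 31 32 33 34 35” decodes to the six bytes of “012345”, and a pair such as “0a” anywhere before the last byte triggers the warning.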