Due Date: Th February 23, 2012, 11:59pm.
This assignment explores a variety of different types of "overflows" in C programs to learn the mechanics of such attacks.
Follow these instructions:
Obtain the tarfile from here.
Unpack the tarfile in some appropriate directory on a UNIX system (there are many available at CSE -- see Notes below). You will only need this code and access to a debugger, such as GDB.
You task is to complete four (4) programs: (1) cse443-data-attack.c; (2) cse443-fn-attack.c; (3) cse443-buf-attack.c; and (4) cse443-heap-attack.c. There are comments in the files to guide you to implement the proper functionality. The techniques required build from (1) to (4) (although there is also some conceptual overlap), so you should do them in order.
All the attacks will be launched against functions in the program in the file cse443-file-victim.c. There are functions data_victim, function_victim, buffer_victim, and heap_victim. These functions correspond to the similarly named program files above. The goal is to configure the attack programs to produce a buffer that when read by the victim will produce overflows in the corresponding functions. The expected attack behaviors in each case are described below.
The following tasks must be completed on the machine schuylkill.cse.psu.edu. Since attacks are quite system-specific, we will test your attacks on this one system.
For cse443-data-attack.c, you need to configure the function main to produce an attack buffer for the function data_victim. The attack here is to overflow the variable buf in this function, such that the value of teh variable tmp will be changed to enable the execution of a new shell. To do this, you will need to determihe how many bytes long the attack buffer should be (assigning to the variable len in cse443-data-attack.c) and assigning bytes to the end of this buffer to cause the desired overflow (using as many char variables rtn_i as necessary). You build cse443-data-attack.c using make gen-data-attack to create an executable gen-data-attack to produce the attack buffer.
For cse443-fn-attack.c, you need to configure the function main to produce an attack buffer for the function function_victim. This attack also overflows the variable buf, but here the overflow assigns a function pointer functionPtr to point to the function shell. You should run file_victim under GDB to find the address of the function shell and assign that to the location in the attack buffer you build such that functionPtr gets assigned to that value as a result of the overflow. You build cse443-fn-attack.c using make gen-fn-attack to create an executable gen-fn-attack to produce the attack buffer.
For cse443-buf-attack.c, you need to configure the function main to produce an attack buffer for the function buffer_victim. The attack also overflows the variable buf, but in this case this overflow must set the value of the return address on the stack to refer to the function shell in the program. You should run file_victim under GDB to find the return address on the stack and assign that to the location in the attack buffer you build such that the return address gets assigned to that value as a result of the overflow. You build cse443-buf-attack.c using make gen-buf-attack to create an executable gen-buf-attack to produce the attack buffer.
For cse443-heap-attack.c, you need to configure the function main to produce an attack buffer for the function heap_victim. The attack also overflows the variable buf, but in this case this overflow occurs on the heap. The goal is to set the value of the heap variable foo->fnPtr to the function shell in the program. You should run file_victim under GDB to find the location of these variables on the heap and assign that to the location in the attack buffer. You build cse443-heap-attack.c using make gen-heap-attack to create an executable gen-heap-attack to produce the attack buffer.
Each of these attacks must result in the opening on a new shell (i.e., you should see a shell prompt). If you exit the shell, the likely result is a segfault, so do not worry about that. I want to see that all these attacks work on schuylkill.
When you have completed the code, test it on schuylkill to verify its result. I will provide a drop box for submitting this project. The project is due on Th February 23 at 11:59pm. Please attach a tar file containing all the source, including your additions. You can build this tar file using the command make tar from the source directory.
You are to complete this on your own. Any sharing of code or help during the coding of this project is expressly forbidden. Do not discuss this project with anyone.
A Makefile has been created to help you build the applications. To build the victim, simply type "make file-victim" in the target directory. Do not modify the file-victim program.
To perform this project, you will have to become familiar with the use of the GNU Debugger GDB. Also, some useful background for overflow attacks is provided at this site. Later, I will present how to find the return address using GDB in class.
Why must the values of OVERFLOW_SIZE get progressively smaller from the first attack (data) to the last (heap)
What functions are used in file-victim to cause the overflows? Why do these cause overflow problems?
Without adding bounds checking for buf or changing languages, how could you prevent the buffer overflow attack (i.e., provide a system solution)?