Lab 8 Stack Dumps and Exploits

| categories: Labs

Due Monday 7 November before class.

In this assignment you will work with the stack of a C program. You will print sections of memory to gain an understanding of how the stack is used by programs on a modern x86-64 machine. The program we provide also contains a common vulnerability: you will identify it and construct an exploit that redirects the program's flow of execution.

Download lab8.c and study it. The program itself is very simple and is intended to give more insights into the memory layout of a running program on a modern computer. This skeleton program contains numerous places that should be completed using techniques learned in the previous labs.

VERY IMPORTANT

You MUST compile the application with the gcc flag -fno-stack-protector, for example
gcc -fno-stack-protector lab8.c -o lab8
It will also be easiest if you use a 64-bit Linux machine to avoid any OS discrepancies (e.g. login.cs.unc.edu). The sample output below comes from a binary whose code is not position-independent (function addresses near 0x400000); if your gcc builds position-independent executables by default, add -no-pie so that your function addresses are likewise fixed from run to run.

Exercise 1. Fill in the skeleton with appropriate print statements (50 points)

Using the skeleton, print out segments of the stack in HEX, DECIMAL and ASCII and all of the memory addresses of functions and arguments. Your program should print all of the appropriate information and the output should look similar to the snippet shown below:

---- Function Info ----
main is at 0x400a15
stack_function is at 0x400702
print_memory is at 0x400662
hack_function is at 0x400634
---- Argument Info ----
argc is at 0x7fff47dd25ec with value 1(1)
args is at 0x7fff47dd25e0 with value 1205675864(47dd2758)
---- Variable Info (main) ----
buffer is at 0x7fff47dd25f0 with value AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
---- Variable Info (stack_function) ----
firstVariable is at 0x7fff47dd25b0 with the value -1(ffffffffffffffff)
firstString is at 0x7fff47dd2570 with the value 'This is the first thing on the stack' and length 36
intA is at 0x7fff47dd256c with the value -1431655766(aaaaaaaa)
intB is at 0x7fff47dd2568 with the value -1145324613(bbbbbbbb)
longC is at 0x7fff47dd2560 with the value -3689348814741910324(cccccccccccccccc)
staticInt is at 0x601494 with the value -286331154(eeeeeeee)
---- Argument Info (stack_function) ----
The argument that you passed is at 0x7fff47dd25f0
ADDRESS:            HEX	DECIMAL	ASCII
0x7fff47dd2558:  9999999999999999   -7378697629483820647  ????????
0x7fff47dd2560:  cccccccccccccccc   -3689348814741910324  ????????
0x7fff47dd2568:  aaaaaaaabbbbbbbb   -6148914690950186053  ????????
0x7fff47dd2570:  2073692073696854    2338328219631577172  This is 
0x7fff47dd2578:  7372696620656874    8318827349057824884  the firs
0x7fff47dd2580:  20676e6968742074    2334956330817953908  t thing 
0x7fff47dd2588:  7320656874206e6f    8295742012915740271  on the s
0x7fff47dd2590:          6b636174             1801675124  tack
0x7fff47dd2598:                 0                      0  
0x7fff47dd25a0:        30ac180000           209045684224  ?0
0x7fff47dd25a8:                1e                     30  
0x7fff47dd25b0:  ffffffffffffffff                     -1  ????????
0x7fff47dd25b8:        30abe67f63           209042440035  c?0
0x7fff47dd25c0:      7fff47dd25e0        140734399063520  ?%?G?
0x7fff47dd25c8:      7fff47dd25e0        140734399063520  ?%?G?
0x7fff47dd25d0:      7fff47dd2670        140734399063664  p&?G?
0x7fff47dd25d8:            400be0                4197344  ?@
0x7fff47dd25e0:      7fff47dd2758        140734399063896  X'?G?
0x7fff47dd25e8:         147dd262e             5500642862  .&?G
0x7fff47dd25f0:  4141414141414141    4702111234474983745  AAAAAAAA
0x7fff47dd25f8:  4141414141414141    4702111234474983745  AAAAAAAA
0x7fff47dd2600:  4141414141414141    4702111234474983745  AAAAAAAA
0x7fff47dd2608:  4141414141414141    4702111234474983745  AAAAAAAA
0x7fff47dd2610:  4141414141414141    4702111234474983745  AAAAAAAA
0x7fff47dd2618:  4141414141414141    4702111234474983745  AAAAAAAA
0x7fff47dd2620:              4141                  16705  AA
0x7fff47dd2628:                 0                      0  
0x7fff47dd2630:                 0                      0  
0x7fff47dd2638:                 0                      0  
0x7fff47dd2640:                 0                      0  
0x7fff47dd2648:                 0                      0  
0x7fff47dd2650:                 0                      0  
0x7fff47dd2658:            400550                4195664  P@
0x7fff47dd2660:      7fff47dd2750        140734399063888  P'?G?
0x7fff47dd2668:                 0                      0  
---- After 'strcpy' (stack_function) ----
firstVariable is at 0x7fff47dd25b0 with the value -1(ffffffffffffffff)
ADDRESS:            HEX	DECIMAL	ASCII
0x7fff47dd2558:  9999999999999999   -7378697629483820647  ????????
0x7fff47dd2560:  cccccccccccccccc   -3689348814741910324  ????????
0x7fff47dd2568:  aaaaaaaabbbbbbbb   -6148914690950186053  ????????
0x7fff47dd2570:  4141414141414141    4702111234474983745  AAAAAAAA
0x7fff47dd2578:  4141414141414141    4702111234474983745  AAAAAAAA
0x7fff47dd2580:  4141414141414141    4702111234474983745  AAAAAAAA
0x7fff47dd2588:  4141414141414141    4702111234474983745  AAAAAAAA
0x7fff47dd2590:  4141414141414141    4702111234474983745  AAAAAAAA
0x7fff47dd2598:  4141414141414141    4702111234474983745  AAAAAAAA
0x7fff47dd25a0:        30ac004141           209044128065  AA?0
0x7fff47dd25a8:                1e                     30  
0x7fff47dd25b0:  ffffffffffffffff                     -1  ????????
0x7fff47dd25b8:        30abe67f63           209042440035  c?0
0x7fff47dd25c0:      7fff47dd25e0        140734399063520  ?%?G?
0x7fff47dd25c8:      7fff47dd25e0        140734399063520  ?%?G?
0x7fff47dd25d0:      7fff47dd2670        140734399063664  p&?G?
0x7fff47dd25d8:            400be0                4197344  ?@
0x7fff47dd25e0:      7fff47dd2758        140734399063896  X'?G?
0x7fff47dd25e8:         147dd262e             5500642862  .&?G
0x7fff47dd25f0:  4141414141414141    4702111234474983745  AAAAAAAA
0x7fff47dd25f8:  4141414141414141    4702111234474983745  AAAAAAAA
0x7fff47dd2600:  4141414141414141    4702111234474983745  AAAAAAAA
0x7fff47dd2608:  4141414141414141    4702111234474983745  AAAAAAAA
0x7fff47dd2610:  4141414141414141    4702111234474983745  AAAAAAAA
0x7fff47dd2618:  4141414141414141    4702111234474983745  AAAAAAAA
0x7fff47dd2620:              4141                  16705  AA
0x7fff47dd2628:                 0                      0  
0x7fff47dd2630:                 0                      0  
0x7fff47dd2638:                 0                      0  
0x7fff47dd2640:                 0                      0  
0x7fff47dd2648:                 0                      0  
0x7fff47dd2650:                 0                      0  
0x7fff47dd2658:            400550                4195664  P@
0x7fff47dd2660:      7fff47dd2750        140734399063888  P'?G?
0x7fff47dd2668:                 0                      0  
---- Additional Information (stack_function) ----
The return address is at [find this] and has value [find this]

Run the program a few times and take note of the memory addresses. Do you notice anything strange? Explain what you think is happening and why. Where is the statically defined integer 'staticInt'? Why do you think it is stored differently?

Exercise 2. Identify the return address on the stack and incorporate it into the output. (20 points)

How did you identify that this is the return address? Try varying the amount of memory that is printed. Do you see any other interesting values on the stack?
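The following is an added example, not code from lab8.c or the course skeleton, covering the two pieces of machinery Exercises 1 and 2 ask for: a word-by-word stack dump in the HEX / DECIMAL / ASCII layout of the sample output, and a check that locates the saved return address by comparing each stack word with the value the compiler reports via __builtin_return_address(0). The function names (word_ascii, dump_words, return_slot_offset, ascii_equals) are my own; the code assumes an x86-64 little-endian machine and gcc or clang for the builtin. Note that the ASCII column replaces every non-printable byte with '?': in the sample output the 0x0b (vertical tab) byte of the value 0x400be0 was printed raw and broke the table across two lines, which this avoids.

```c
#include <ctype.h>
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ASCII column for one little-endian 8-byte word, in the style of the lab's
   sample output. Printable bytes pass through; every other non-zero byte
   becomes '?' (so control characters such as 0x0b cannot break the table);
   zero bytes are omitted, since a raw NUL prints as nothing anyway.
   out must have room for 9 characters. */
static void word_ascii(uint64_t w, char out[9]) {
    int n = 0;
    for (int i = 0; i < 8; i++) {
        unsigned char c = (unsigned char)(w >> (8 * i));
        if (c == 0)
            continue;
        out[n++] = isprint(c) ? (char)c : '?';
    }
    out[n] = '\0';
}

/* Small helper used by the checks below (hypothetical, not from the lab). */
static int ascii_equals(uint64_t w, const char *expected) {
    char s[9];
    word_ascii(w, s);
    return strcmp(s, expected) == 0;
}

/* Dump nwords 8-byte words starting at start, lowest address first, as
   ADDRESS / HEX / DECIMAL (signed, like the sample output) / ASCII.
   memcpy sidesteps alignment and strict-aliasing problems when start points
   into a char buffer. */
static void dump_words(const void *start, size_t nwords) {
    const unsigned char *p = start;
    printf("%-18s %16s %20s  %s\n", "ADDRESS:", "HEX", "DECIMAL", "ASCII");
    for (size_t i = 0; i < nwords; i++) {
        uint64_t w;
        char ascii[9];
        memcpy(&w, p + 8 * i, sizeof w);
        word_ascii(w, ascii);
        printf("%p: %16" PRIx64 " %20" PRId64 "  %s\n",
               (const void *)(p + 8 * i), w, (int64_t)w, ascii);
    }
}

/* Exercise 2 check: the saved return address is the stack word whose value
   equals __builtin_return_address(0) for the current frame. Starting at a
   local and scanning towards higher addresses, return how many words above
   the local that slot is (-1 if not found within 64 words). At -O0 without a
   stack protector the saved frame pointer (rbp) is the word just below it. */
static __attribute__((noinline)) ptrdiff_t return_slot_offset(void) {
    volatile uint64_t marker = 0xeeeeeeeeeeeeeeeeULL;   /* recognisable filler */
    uint64_t ret = (uint64_t)(uintptr_t)__builtin_return_address(0);
    const unsigned char *base = (const unsigned char *)&marker;
    for (ptrdiff_t i = 0; i < 64; i++) {
        uint64_t w;
        memcpy(&w, base + 8 * i, sizeof w);   /* reads up the stack past the local */
        if (w == ret)
            return i;
    }
    return -1;
}

int main(void) {
    char buffer[32];                       /* constructed sample data: 31 x 'A' */
    memset(buffer, 'A', sizeof buffer - 1);
    buffer[sizeof buffer - 1] = '\0';
    dump_words(buffer, sizeof buffer / 8 + 8);   /* the buffer plus the words above it */
    printf("saved return address is %td words above the marker\n",
           return_slot_offset());
    return 0;
}
```

Build it the same way as the lab binary (gcc -fno-stack-protector) and compare the dump with the one from lab8.c: the offset returned by return_slot_offset is exactly the distance an overflow starting at the local would have to cover to reach the return address. Reading above a local variable is technically outside the object's bounds, so AddressSanitizer will flag it; that is expected for a stack-dumping tool.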

Exercise 3. Identify the vulnerability in this program (20 points)

Try different inputs and see if you can crash the program. Why do you think the program crashed? What portion of the code is causing the crash?

Exercise 4. Describe the exploit. (10 points)

Knowing what we've learned about function calls and the return address, how do you think we could use this vulnerability to exploit the program?

EXTRA CREDIT: Exploit the program. (20 points)

Redirect execution of the program to hack_function WITHOUT calling it directly and by only manipulating the value of buffer. Why does this work? Can this be done from the command line? If not, why not? Try compiling the program without the -fno-stack-protector flag required in the note at the top of this page. What happens when you try to run your exploit? What do you think this flag does?

Submit your modified C code, your output, and your answers to the questions.