Assignments of day 2 in week #2

Buffer Overflow Examples

Last Updated : Monday, 13-May-2002 10:54:13 HKT

  1. Understand how the return address of a function can be overwritten on the stack
    1. copy the example programs to your home directory
       cp /usr/local2/wsh/bo/*.c $HOME 

    2. compile the example programs with debug option
      gcc -o example1 -ggdb -static example1.c
      gcc -o example2 -ggdb -static example2.c
      gcc -o example3 -ggdb -static example3.c
      gcc -o testsc -ggdb -static testsc.c

    3. run the GNU Debugger to examine the flow control and stack status of these programs
      E.g.
      
      csh> gdb example2
      GNU gdb 19991004
      Copyright 1998 Free Software Foundation, Inc.
      GDB is free software, covered by the GNU General Public License, and you are
      welcome to change it and/or distribute copies of it under certain conditions.
      Type "show copying" to see the conditions.
      There is absolutely no warranty for GDB.  Type "show warranty" for details.
      This GDB was configured as "i386-redhat-linux"...
      (gdb) break main
      Breakpoint 1 at 0x80481c1: file example2.c, line 11.
      (gdb) break function
      Breakpoint 2 at 0x80481a6: file example2.c, line 4.
      (gdb) run
      Starting program: /mnt2/data/shlam/bo/example2 
      
      Breakpoint 1, main () at example2.c:11
      11        for( i = 0; i < 255; i++)
      (gdb) disass
      Dump of assembler code for function main:
      0x80481b8:    push   %ebp
      0x80481b9:    mov    %esp,%ebp
      0x80481bb:    sub    $0x104,%esp
      0x80481c1:    nop
      0x80481c2:    movl   $0x0,0xfffffefc(%ebp)
      0x80481cc:    lea    0x0(%esi,1),%esi
      0x80481d0:    cmpl   $0xfe,0xfffffefc(%ebp)
      0x80481da:    jle    0x80481e0
      0x80481dc:    jmp    0x80481f8
      0x80481de:    mov    %esi,%esi
      0x80481e0:    lea    0xffffff00(%ebp),%eax
      0x80481e6:    mov    0xfffffefc(%ebp),%edx
      0x80481ec:    movb   $0x41,(%edx,%eax,1)
      0x80481f0:    incl   0xfffffefc(%ebp)
      0x80481f6:    jmp    0x80481d0
      0x80481f8:    lea    0xffffff00(%ebp),%eax
      0x80481fe:    push   %eax
      0x80481ff:    call   0x80481a0
      0x8048204:    add    $0x4,%esp
      0x8048207:    leave
      0x8048208:    ret
      End of assembler dump.
      (gdb) info reg
      eax            0x0         0
      ecx            0x80481b8   134513080
      edx            0x807b228   134722088
      ebx            0xbffffaa4  -1073743196
      esp            0xbffff954  -1073743532
      ebp            0xbffffa58  -1073743272
      esi            0x1         1
      edi            0x0         0
      eip            0x80481c1   134513089
      eflags         0x282       642
      cs             0x23        35
      ss             0x2b        43
      ds             0x2b        43
      es             0x2b        43
      fs             0x0         0
      gs             0x0         0
      cwd            0xffff037f  -64641
      swd            0xffff0000  -65536
      twd            0xffffffff  -1
      fip            0x0         0
      fcs            0x0         0
      fopo           0xbffffa3c  -1073743300
      fos            0x0         0
      (gdb) cont
      Continuing.
      
      Breakpoint 2, function (str=0xbffff958 'A' ...) at example2.c:4
      4         strcpy(buffer,str);
      (gdb) disass
      Dump of assembler code for function function:
      0x80481a0:    push   %ebp
      0x80481a1:    mov    %esp,%ebp
      0x80481a3:    sub    $0x10,%esp
      0x80481a6:    mov    0x8(%ebp),%eax
      0x80481a9:    push   %eax
      0x80481aa:    lea    0xfffffff0(%ebp),%eax
      0x80481ad:    push   %eax
      0x80481ae:    call   0x804cf10
      0x80481b3:    add    $0x8,%esp
      0x80481b6:    leave
      0x80481b7:    ret
      End of assembler dump.
      (gdb) info reg
      eax            0xbffff958  -1073743528
      ecx            0x80481b8   134513080
      edx            0xfe        254
      ebx            0xbffffaa4  -1073743196
      esp            0xbffff938  -1073743560
      ebp            0xbffff948  -1073743544
      esi            0x1         1
      edi            0x0         0
      eip            0x80481a6   134513062
      eflags         0x282       642
      cs             0x23        35
      ss             0x2b        43
      ds             0x2b        43
      es             0x2b        43
      fs             0x0         0
      gs             0x0         0
      cwd            0xffff037f  -64641
      swd            0xffff0000  -65536
      twd            0xffffffff  -1
      fip            0x0         0
      fcs            0x0         0
      fopo           0xbffffa3c  -1073743300
      fos            0x0         0
      (gdb) cont
      Continuing.
      
      Program received signal SIGSEGV, Segmentation fault.
      0x41414141 in ?? ()
      (gdb) info reg
      eax            0xbffff938  -1073743560
      ecx            0xffffffdf  -33
      edx            0xbffffa62  -1073743262
      ebx            0xbffffaa4  -1073743196
      esp            0xbffff950  -1073743536
      ebp            0x41414141  1094795585
      esi            0x1         1
      edi            0x0         0
      eip            0x41414141  1094795585
      eflags         0x282       642
      cs             0x23        35
      ss             0x2b        43
      ds             0x2b        43
      es             0x2b        43
      fs             0x0         0
      gs             0x0         0
      cwd            0xffff037f  -64641
      swd            0xffff0000  -65536
      twd            0xffffffff  -1
      fip            0x0         0
      fcs            0x0         0
      fopo           0xbffffa3c  -1073743300
      fos            0x0         0
      (gdb) The program is running.  Exit anyway? (y or n) y
      Why does ebp show all "41" (0x41 is the ASCII code for "A")?

    4. Examine the example programs with the GNU Debugger and answer the following questions

      • Why does example2 give "Segmentation fault (core dumped)"?

      • Why does the output of example3 remain 0 no matter how we change the value assigned to x in line 15?

      • What is the consequence of returning to the shellcode address in the testsc program?

      Explain your answers with supporting data and post them on your web pages.
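      The gdb session in step 3 shows why ebp and eip both end up as 0x41414141: "sub $0x10,%esp" leaves a 16-byte buffer in function(), and strcpy writes all 255 'A' bytes from main() straight past it into the saved frame pointer and the return address. The following C program is an added illustration written for these notes, not one of the example programs from /usr/local2/wsh/bo; it models that frame as a struct (the layout is assumed), runs the same 255-'A' input through an unbounded copy and a length-checked copy, and reports what the saved %ebp and return address contain afterwards.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Model of the frame gdb showed for function() in example2: "sub $0x10,%esp"
 * reserves a 16-byte buffer; directly above it sit the saved %ebp and the
 * return address pushed by "call". Exact layout is an assumption of the model. */
struct frame {
    char     buffer[16];
    uint32_t saved_ebp;   /* 0xbffffa58 in the gdb session */
    uint32_t ret_addr;    /* 0x8048204: the instruction after the call in main */
};
struct result { int rc; uint32_t ebp, ret; };   /* frame contents after the copy */
#define SRC_LEN 255       /* main() in example2 writes 'A' 255 times */

/* Like strcpy(buffer, str): copies until the NUL, so bytes past buffer[15] land
 * on saved_ebp and ret_addr. Clamped to the struct only so the model itself
 * does not crash; the real strcpy keeps going. */
static void copy_unbounded(struct frame *f, const char *src) {
    size_t n = strlen(src);
    memcpy(f, src, n > sizeof *f ? sizeof *f : n);
}

/* Bounded copy: rejects input that does not fit with its NUL, so saved_ebp
 * and ret_addr are never written. Returns 0 on success, -1 when rejected. */
static int copy_bounded(struct frame *f, const char *src) {
    if (strlen(src) >= sizeof f->buffer) return -1;
    strcpy(f->buffer, src);   /* length checked just above */
    return 0;
}

/* Feed the constructed 255-'A' input through one copy routine (bounded != 0
 * selects copy_bounded) and report what the saved %ebp and return address hold. */
struct result run_model(int bounded) {
    char src[SRC_LEN + 1];
    memset(src, 'A', SRC_LEN);
    src[SRC_LEN] = '\0';
    struct frame f = { "", 0xbffffa58u, 0x08048204u };
    struct result r = { 0, 0, 0 };
    if (bounded) r.rc = copy_bounded(&f, src); else copy_unbounded(&f, src);
    r.ebp = f.saved_ebp;
    r.ret = f.ret_addr;
    return r;
}

int main(void) {
    struct result u = run_model(0), b = run_model(1);
    printf("strcpy model:  ebp=0x%08x ret=0x%08x\n", u.ebp, u.ret); /* both 0x41414141 */
    printf("bounded model: rc=%d ebp=0x%08x ret=0x%08x\n", b.rc, b.ebp, b.ret);
    return 0;
}
```

      With the unbounded copy the model's return address is 0x41414141, which is the address "ret" tries to jump to in the real program and the reason the SIGSEGV reports "0x41414141 in ?? ()"; the bounded copy rejects the input and leaves both values untouched.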


References: