    2022 bufbomb, buffer overflow .pdf

University of Science and Technology of China
School of Software Engineering of USTC

Lab3: The Buffer Bomb
G430113385: Computer Systems A Programmer's Perspectives
2010-10-31
Junmin Wu
TA: Xiaoyu Zhao (zhaoxy299), xuebing (bingxue)

1 Introduction

This assignment helps you develop a detailed understanding of the calling stack organization on an IA32 processor. It involves applying a series of buffer overflow attacks on an executable file bufbomb in the lab directory.

Note: In this lab, you will gain firsthand experience with one of the methods commonly used to exploit security weaknesses in operating systems and network servers. Our purpose is to help you learn about the runtime operation of programs and to understand the nature of this form of security weakness so that you can avoid it when you write system code. We do not condone the use of these or any other form of attack to gain unauthorized access to any system resources. There are criminal statutes governing such activities.

2 Logistics

You may work in a group of up to two people in solving the problems for this assignment. The only “hand-in” will be an automated logging of your successful attacks. Any clarifications and revisions to the assignment will be posted on the ftp server ().

3 Hand Out Instructions

Start by copying buflab-handout.tar to a (protected) directory in which you plan to do your work. Then give the command “tar xvf buflab-handout.tar”. This will cause a number of files to be unpacked in the directory:

- MAKECOOKIE: Generates a “cookie” based on your team name.
- BUFBOMB: The code you will attack.
- SENDSTRING: A utility to help convert between string formats.

All of these programs are compiled to run on Linux machines.
In the following instructions, we will assume that you have copied the three programs to a protected local directory, and that you are executing them in that local directory.

4 Team Name and Cookie

You should create a team name for the one or two people in your group of the following form:

- “ID1+ID2” where ID1 is the Student Number of the first team member and ID2 is the Student Number of the second team member.

You should choose a consistent ordering of the IDs in the second form of team name. Teams “SA08225155+SG08225120” and “SG08225120+SA08225155” are considered distinct. You must follow this scheme for generating your team name. Our grading program will only give credit to those people whose Student Number can be extracted from the team names.

A cookie is a string of eight hexadecimal digits that is (with high probability) unique to your team. You can generate your cookie with the makecookie program giving your team name as the argument. For example:

    unix> ./makecookie SA08225155+SG08225120
    0x451a3cdd

In four of your five buffer attacks, your objective will be to make your cookie show up in places where it ordinarily would not.

5 The BUFBOMB Program

The BUFBOMB program reads a string from standard input with a function getbuf having the following C code:

    int getbuf()
    {
        char buf[12];
        Gets(buf);   /* no length argument: copies until newline or end-of-file */
        return 1;
    }

The function Gets is similar to the standard library function gets: it reads a string from standard input (terminated by ‘\n’ or end-of-file) and stores it (along with a null terminator) at the specified destination. In this code, the destination is an array buf having sufficient space for 12 characters. Neither Gets nor gets has any way to determine whether there is enough space at the destination to store the entire string.
Instead, they simply copy the entire string, possibly overrunning the bounds of the storage allocated at the destination.

If the string typed by the user to getbuf is no more than 11 characters long, it is clear that getbuf will return 1, as shown by the following execution example:

    unix> ./bufbomb -t SA08225155+SG08225120
    Type string: howdy doody
    Dud: getbuf returned 0x1
    Better luck next time

Typically an error occurs if we type a longer string:

    unix> ./bufbomb -t SA08225155+SG08225120
    Type string: This string is too long
    Ouch!: You caused a segmentation fault!
    Better luck next time

As the error message indicates, overrunning the buffer typically causes the program state to be corrupted, leading to a memory access error. Your task is to be more clever with the strings you feed BUFBOMB so that it does more interesting things. These are called exploit strings.

BUFBOMB takes several different command line arguments:

-t TEAM: Operate the bomb for the indicated team. You should always provide this argument for several reasons:
    - BUFBOMB determines the cookie you will be using based on your team name, just as does the program MAKECOOKIE.
    - We have built features into BUFBOMB so that some of the key stack addresses you will need to use depend on your team's cookie.
-h: Print list of possible command line arguments.
-n: Operate in “Nitro” mode, as is used in Level 4 below.

Your exploit strings will typically contain byte values that do not correspond to the ASCII values for printing characters. The program SENDSTRING can help you generate these raw strings. It takes as input a hex-formatted string. In this format, each byte value is represented by two hex digits. For example, the string “012345” could be entered in hex format as “30 31 32 33 34 35.” (Recall that the ASCII code for decimal digit x is 0x3x.)
Non-hex digit characters are ignored, including the blanks in the example shown.

If you generate a hex-formatted exploit string in the file exploit.txt, you can apply the raw string to BUFBOMB in several different ways:

1. You can set up a series of pipes to pass the string through SENDSTRING.

    unix> cat exploit.txt | ./sendstring | ./bufbomb -t SA08225155+SG08225120

2. You can store the raw string in a file and use I/O redirection to supply it to BUFBOMB:

    unix> ./sendstring < exploit.txt > exploit-raw.txt
    unix> ./bufbomb -t SA08225155+SG08225120 < exploit-raw.txt

    unix> gdb bufbomb
    (gdb) run -t SA08225155+SG08225120 < exploit-raw.txt

    unix> gcc -c example.s
    unix> objdump -d example.o > example.d

The generated file example.d contains the following lines:

    0: 68 ef cd ab 89    push $0x89abcdef
    5: 83 c0 11          add $0x11,%eax
    8: 98                cwtl                Objdump tries to interpret
    9: ba dc fe 00 00    mov $0xfedc,%edx    these as instructions

Each line shows a single instruction. The number on the left indicates the starting address (starting with 0), while the hex digits after the ‘:’ character indicate the byte codes for the instruction. Thus, we can see that the instruction pushl $0x89ABCDEF has hex-formatted byte code 68 ef cd ab 89.

Starting at address 8, the disassembler gets confused. It tries to interpret the bytes in the file example.o as instructions, but these bytes actually correspond to data. Note, however, that if we read off the 4 bytes starting at address 8 we get: 98 ba dc fe. This is a byte-reversed version of the data word 0xFEDCBA98. This byte reversal represents the proper way to supply the bytes as a string, since a little endian machine lists the least significant byte first. Note also that it only generated two of the four bytes at the end with value 00. Had we not added this padding, OBJDUMP would get even more confused and would not emit all of the bytes we want.
Finally, we can read off the byte sequence for our code (omitting the final 0s) as:

    68 ef cd ab 89 83 c0 11 98 ba dc fe

11 Hand In Instructions

- Record your exploit strings for each level in a .txt file named ID1+ID2.txt
- Send your txt file to the TA (), the attachment is your own txt document, and the subject of your mail is as follows:
    - “Lab1 ID1+ID2” where ID1 is the Student Number of the first team member and ID2 is the Student Number of the second team member.
- Please check out the list of the teams who have turned in the codes on the ftp server.
- If you have turned in the codes, but your name doesn't appear in the list, please contact the TA.
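The unbounded copy in getbuf (section 5) has a bounded counterpart, shown here as an added example that is not part of the original handout: the reader stops storing at the end of the 12-byte buffer and reports truncation instead of overrunning it. The names bounded_gets, getbuf_checked and try_line are hypothetical, and the input lines are constructed from the handout's two sample runs.

```c
#include <stdio.h>

#define BUF_CAP 12  /* same size as buf in the handout's getbuf */

/* Read one line from `in` into dst; capacity `cap` includes the NUL.
 * Never writes past dst[cap - 1]. Returns bytes stored, or -1 at end-of-file
 * with nothing read; *truncated is set when excess bytes were dropped. */
static int bounded_gets(char *dst, size_t cap, FILE *in, int *truncated)
{
    size_t n = 0;
    int c;
    *truncated = 0;
    if (cap == 0) return -1;
    while ((c = fgetc(in)) != EOF && c != '\n') {
        if (n + 1 < cap)
            dst[n++] = (char)c;  /* room for this byte and the terminator */
        else
            *truncated = 1;      /* discard the excess, keep consuming the line */
    }
    dst[n] = '\0';
    return (c == EOF && n == 0 && !*truncated) ? -1 : (int)n;
}

/* Bounded counterpart of getbuf (hypothetical name): 1 if the line fit,
 * 0 if it was too long or input ended before any byte arrived. */
static int getbuf_checked(FILE *in)
{
    char buf[BUF_CAP];
    int truncated;
    return !(bounded_gets(buf, sizeof buf, in, &truncated) < 0 || truncated);
}

/* Demo helper (constructed input): pass `line` through a temporary file. */
static int try_line(const char *line)
{
    FILE *f = tmpfile();
    int r;
    if (f == NULL) return -1;
    fputs(line, f);
    rewind(f);
    r = getbuf_checked(f);
    fclose(f);
    return r;
}

int main(void)
{
    printf("%d %d\n", try_line("howdy doody\n"), try_line("This string is too long\n"));
    return 0;
}
```

The 11-character line is accepted and the longer one is rejected, matching the handout's statement that only strings of at most 11 characters fit in buf.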
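The hex format that SENDSTRING accepts and the little-endian byte reversal noted in the objdump discussion can be checked with a small decoder. This is an added example, not the lab's SENDSTRING source; hex_val, hex_decode and le32 are hypothetical names, and the input is the byte sequence quoted in the handout.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Value of one hex digit, or -1 for any other character. */
static int hex_val(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Decode hex-formatted text into out (capacity cap). Non-hex characters are
 * skipped, as the handout describes. Returns the byte count, or -1 when the
 * digits do not pair up or the output would exceed cap. */
static long hex_decode(const char *text, unsigned char *out, size_t cap)
{
    size_t n = 0;
    int hi = -1;                       /* pending high nibble, -1 if none */

    for (; *text != '\0'; text++) {
        int v = hex_val((unsigned char)*text);
        if (v < 0) continue;           /* blanks, newlines, punctuation */
        if (hi < 0) { hi = v; continue; }
        if (n >= cap) return -1;       /* refuse rather than overrun out */
        out[n++] = (unsigned char)(hi << 4 | v);
        hi = -1;
    }
    return hi >= 0 ? -1 : (long)n;     /* a dangling nibble is an error */
}

/* Assemble the 32-bit word a little-endian machine reads from p[0..3]. */
static uint32_t le32(const unsigned char *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

int main(void)
{
    unsigned char raw[16];
    /* Byte sequence quoted in the handout's objdump walkthrough. */
    long n = hex_decode("68 ef cd ab 89 83 c0 11 98 ba dc fe", raw, sizeof raw);
    printf("%ld bytes, word at offset 8 = 0x%08X\n", n, (unsigned)le32(raw + 8));
    return 0;
}
```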
