This lab introduces you to buffer overflows. Please follow the instructions given below, adapted from an exercise produced by Bryant and O'Hallaron, the authors of our textbook.
Abuf = '' Bbuf = '123'
Abuf = '' Bbuf = '1234'
Abuf = 'efghijk' Bbuf = 'abcdefghijk'
As you single-step through the instructions in gdb, you may find it useful to set up this display:
display/5i $pc
Then every time gdb stops at a breakpoint or after a stepi or nexti command, it shows the next 5 assembler instructions.
As echo() is about to return to main(), you might want to look at the return address, which is pointed to by $rsp, in several ways:
In the bufdemo directory is a file called oflow_echo.c. You can compile it with make GOAL=oflow_echo.
Try to find an input string that causes the oflow_echo program to call the not_called() procedure. You can verify that oflow_echo.c never calls not_called(), so you need to use a buffer-overflow attack (described below) to fool the code into jumping to not_called().
You need to create a binary exploit string to send as input to the program. To create an exploit string, you can use the hex2raw program, which is in the bufdemo directory you have already built. hex2raw takes as input a hex-formatted string: each byte is represented by two hex digits. For example, the ASCII string 012345 is represented in hex format as 30 31 32 33 34 35, because the ASCII code for the decimal digit n is 0x3n.
Separate the hex characters you pass to hex2raw by whitespace (blanks or newlines). I recommend separating different parts of your exploit string with newlines while you're working on this puzzle. hex2raw also supports C-style block comments, so you can mark off sections of your exploit string. For example:
bf 66 7b 32 78 /* some arbitrary bytes */
Be sure to leave space around both the starting and ending comment strings (/*, */) so they are properly ignored.
Place your hex-formatted exploit string in the file exploit.txt. From it, build a binary file like this:
./hex2raw < exploit.txt > exploit.raw
Run oflow_echo from gdb in order to get consistent results (Linux applies address-space layout randomization otherwise). Inside of gdb, you can say:
(gdb) run < exploit.raw | head
to start the program. This command pipes the output through head to protect you from unbounded output, which can happen if you provide some invalid inputs in exploit.raw.
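To make the hex2raw input format concrete, here is an added re-implementation of its decoder (this is not the lab's own hex2raw source, and the function name hex2raw and its error behaviour are my assumptions). It accepts whitespace-separated pairs of hex digits, skips C-style block comments that are surrounded by whitespace as the instructions require, and rejects malformed tokens or an unterminated comment instead of silently emitting bytes:

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decode a hex-formatted string into raw bytes (hypothetical re-implementation).
 * Tokens are exactly two hex digits separated by whitespace; block comments
 * (slash-star ... star-slash) are skipped but must be surrounded by whitespace.
 * Returns the number of bytes written, or -1 on malformed input or overflow. */
long hex2raw(const char *in, unsigned char *out, size_t outlen) {
    size_t n = 0;
    const char *p = in;
    while (*p) {
        if (isspace((unsigned char)*p)) { p++; continue; }
        if (p[0] == '/' && p[1] == '*') {
            const char *end = strstr(p + 2, "*/");
            if (!end) return -1;                     /* unterminated comment */
            p = end + 2;
            if (*p && !isspace((unsigned char)*p)) return -1; /* no space after comment */
            continue;
        }
        int hi = hexval((unsigned char)p[0]);
        int lo = hexval((unsigned char)p[1]);       /* p[0] != 0, so p[1] is readable */
        if (hi < 0 || lo < 0) return -1;             /* token is not two hex digits */
        if (p[2] && !isspace((unsigned char)p[2])) return -1; /* token too long or glued to a comment */
        if (n >= outlen) return -1;                  /* would overflow the output buffer */
        out[n++] = (unsigned char)((hi << 4) | lo);
        p += 2;
    }
    return (long)n;
}

/* Same usage as the lab tool: ./hex2raw < exploit.txt > exploit.raw */
int main(void) {
    char in[4096];
    unsigned char out[2048];
    size_t len = fread(in, 1, sizeof in - 1, stdin);
    in[len] = '\0';
    long n = hex2raw(in, out, sizeof out);
    if (n < 0) { fprintf(stderr, "hex2raw: malformed input\n"); return 1; }
    fwrite(out, 1, (size_t)n, stdout);
    return 0;
}
```

A decoder that reports malformed tokens is what saves you from the "unbounded output" case mentioned above: a typo in exploit.txt becomes an error message rather than a silently truncated or shifted byte string.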
When you complete the exercises, submit your typescript file to the cs portal (https://www.cs.uky.edu/csportal).