Buffer Lab

5 minute read

Published:

Purpose:

Designed to help us in understanding stack frame, code injection, and usage of GDB (GNU Debugger).

General explanation:

Buffer Lab has 4 levels starting from level 0 till level 3. Each level has different difficulty level and test one application of buffer overflow technique, where such applications including changing the return address of a functio/ procedure (redirecting), changing the variables value, changing the return value of a function/ procedure, or configuring the stack frame.

Technical

Buffer Lab will be given in a ZIP format containing 3 files, namely bufbomb, makecookie, and hex2raw.

File bufbomb is an executable file where your main activity will be done on this file. You are allowed to use GDB for doing any exploration to this file.

File makecookie is a file for generating cookie (a unique number represented by hexadecimal) regarding your username.

File hex2raw is used to convert string or char into hexadecimal representation so that it can be used for configuring stack frame.

To see all the variables within file bufbomb, use this command: info var

To see all the functions/ procedures within file bufbomb, use this command:
objdump -d bufbomb | less.
Press button F to go forward to the next function/ procedure and press button B to go backward to the previous function/ procedure.

Initial Configuration

Let we initiate the first configuration to record any important information we’ll use later, such as the value of called function’s address and certain variable’s address.

FYI, my file bufbomb contains important functions such as ah_shoo(), ah_choo(), and few of procedures like good_night(), shooting_star(), and annyeong().

FYI, I use Ubuntu 64 bit and Little Endian machine.

So, let’s go!

First, compress buflab-handout.tar file which has 3 files like I’ve explained before. Save it on your own working directory.

Open your terminal and go to the directory of bufbomb file. Then, type this command:

Type this on your terminal:
objdump -d bufbomb | less

That command will show all address from each functions/ procedures within bufbomb file. Try to find the address for each functions and procedures like I’ve said before.

08048b50 < good_night >: address good_night()

AddressHexa codeOperationElements in operation
8048b50:83 ec 1csub$0x1c, %esp
8048b53:c7 04 24 64 a0 04 08movl$0x804a064, (%esp)
8048b5a:e8 b1 fc ff ffcall8048810 puts@plt
8048b5f:c7 04 24 00 00 00 00movl$0x0, (%esp)
8048b66:e8 06 06 00 00call8049171
8048b6b:c7 04 24 00 00 00 00movl$0x0, (%esp)
8048b72:e8 d9 fc ff ffcall8048850 exit@plt

08048b77 < shooting_star >: address shooting_star()

AddressHexa codeOperationElements in operation
8048b77:83 ec 1csub$0x1c, %esp
8048b7a:8b 54 24 20mov0x20(%esp), %edx
8048b7e:8b 44 24 28mov0x28(%esp), %eax
8048b82:3b 05 0c d1 04 08cmp0x804d10c, %eax
8048b88:75 45jne8048bcf <shooting_star+0x58>
8048b8a:80 fa 59cmp$0x59, %dl
8048b8d:75 26jne8048bb5 <shooting_star+0x3e>
8048b8f:89 44 24 08mov%eax, 0x8(%esp)
8048b93:c7 44 24 04 8c a0 04movl$0x804a08c, 0x4(%esp)

08048bf3 < annyeong >: address annyeong()

AddressHexa codeOperationElements in operation
8048bf3:83 ec 1csub$0x1c, %esp
8048bf6:a1 04 d1 04 08mov0x804d104, %eax
8048bfb:3b 05 0c d1 04 08cmp0x804d10c, %eax
8048c01:75 2fjne8048c32 <annyeong+0x3f>
8048c03:83 3d 00 d1 04 08 ffcmpl$0xffffffff, 0x804d100
8048c0a:75 26jne8048c32 <annyeong+0x3f>
8048c0c:89 44 24 08mov%eax, 0x8(%esp)
8048c10:c7 44 24 04 37 a2 04movl$0x804a237, 0x4(%esp)
8048c17:08  
8048c18:c7 04 24 01 00 00 00movl$0x1, (%esp)

08048cec < ah_choo >: address ah_choo()

AddressHexa codeOperationElements in operation
8048cec:83 ec 4csub$0x4c, %esp
8048cef:8d 44 24 18lea0x18(%esp), %eax
8048cf3:89 04 24mov%eax, (%esp)
8048cf6:e8 5b ff ff ffcall8048c56
8048cfb:b8 01 00 00 00mov$0x1, %eax
8048d00:83 c4 4cadd$0x4c, %esp
8048d03:c3ret 

08048d04 < ah_shoo >: address ah_shoo()

AddressHexa codeOperationElements in operation
8048d04:83 ec 0csub$0xc, %esp
8048d07:e8 e0 ff ff ffcall8048cec
8048d0c:83 c4 0cadd$0xc, %esp
8048d0f:c3ret 

After finding the address for each function and procedure, try to look at this procedure test() in C language which will be our starting point of Buffer Overflow attack.

void test() {
       int val;

       /* Put canary on stack to detect possible corruption */
       volatile int local = uniqueval();
       val = ah_choo();

       /* Check for corrupted stack */
       if (local != uniqueval()) {
            printf(“NO: Stack terkorupsi\n”);
       } else if (val == cookie) {
            printf(“OK: ah_choo 0x%x\n”, val);
            validate(3);
       } else {
            printf(“NO: ah_choo 0x%x\n”, val);
       }
}

And this is function ah_choo().

int ah_choo() {
       char buf[32];
       gets(buf);
       return 1;
}

Next stop: Level 0!