Demonstrate a simple buffer overflow

Assignment Help: Computer Engineering
Reference no: EM133678499, Length: word count 2400

Task 1

Overview

Buffer overflow is a notorious vulnerability, first widely reported in 1988 when it was exploited by the Morris worm. One cause of buffer overflows is the lack of an input bound check. A recent buffer overflow vulnerability was recorded in the Linux kernel Ceph file system driver (Torvalds, 2023). See the following link for details.

A clear understanding of how buffer overflows happen can be demonstrated using a simple program that accepts input from the user. Examine the provided C file, below, and practice using it. Compile* it and run it to test its operation. The program is a game to be run from the command line. It takes your name which you can enter when prompted.

Task
(a) Examine the operation of this file.
• Through simple static analysis, show the addresses that are important for understanding the operation of this program.
• Run the program in GDB. Set breakpoint(s) at the most appropriate place. Display information about the stack before and after the buffer overflow with corresponding addresses. From the raw data, identify and annotate which parts of the stack correspond to what. Identify all elements that make up the stack, covering at least one whole stack frame in size. Identify which other elements are a potential target for exploitation.

(b) Demonstrate a simple buffer overflow so that you always win the game, but you do not cause the program to crash. Show the input byte stream and the method used to achieve this exploit. Annotate and explain this input byte stream.

* Assume any ASLR is disabled, the stack is executable, and there are no stack canaries or other optimisations to the code on compilation.
C code: co7605_portfo_ex1.c - This is the source code
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <sys/time.h>

#define MAX_NAME_SIZE 256

void prepare_random_num_generator(void);

void game(void)
{
    int number;       // to hold the random number
    char buffer[24];  // to hold the player's name

    // Get a random number (from 0 to RAND_MAX)
    number = rand();
    printf("Please enter your name: ");
    fgets(buffer, MAX_NAME_SIZE, stdin);  // input from 'Standard In' - the limit (256) exceeds the buffer size (24)
    printf("Welcome ");
    printf(buffer);                       // the player's input is used directly as the format string
    if (number < (int)(RAND_MAX/20))      // Only win one time in 20
    {
        printf("YOU WIN!");
    }
    else
    {
        printf("YOU LOSE... too bad.");
    }
    printf("\n");  // 'End of line' / 'Newline' character
    return;
}

int main(void)
{
    // Program starts here.
    // Prepare the random number generator
    prepare_random_num_generator();
    game();
    return 0;
}

// ------------------------------------------------------------------------
void prepare_random_num_generator(void)
{
    struct timeval tv;
    gettimeofday(&tv, NULL);
    srand(tv.tv_usec);  // seed from the microsecond field of the current time
    return;
}
// ------------------------------------------------------------------------
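The overview above attributes the overflow to a missing input bound check. As an added example, not part of the assignment's code, the following C shows the bounded counterpart of game()'s input handling: fgets() is given the real capacity of the buffer rather than MAX_NAME_SIZE, the name is echoed through a fixed format string, and an over-long line is drained and reported as truncated instead of being left to spill past the buffer. The harness try_input(), its guard regions and the sample lines are constructed for the demonstration only; fmemopen() is the POSIX in-memory stream.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen() */
#include <stdio.h>
#include <string.h>

#define NAME_BUF 24   /* same capacity as buffer[24] in game() */

enum name_status { NAME_EOF = -1, NAME_OK = 0, NAME_TRUNCATED = 1 };

/* Bounded replacement for game()'s fgets(buffer, MAX_NAME_SIZE, stdin):
 * the limit handed to fgets() is the real capacity of dst, so at most cap-1
 * bytes plus the terminating NUL are ever written. The trailing newline is
 * stripped. If the line did not fit, the rest of it is drained from the
 * stream and NAME_TRUNCATED is returned, so over-long input is reported
 * rather than silently left behind for the next read. */
enum name_status read_name(char *dst, size_t cap, FILE *in)
{
    if (cap == 0 || fgets(dst, (int)cap, in) == NULL) {
        if (cap > 0) dst[0] = '\0';
        return NAME_EOF;
    }
    size_t n = strlen(dst);
    if (n > 0 && dst[n - 1] == '\n') {
        dst[n - 1] = '\0';
        return NAME_OK;
    }
    /* No newline seen: either the input ended exactly here, or the line was
     * longer than the buffer. Distinguish the two by peeking at the next byte. */
    int c = fgetc(in);
    if (c == EOF) return NAME_OK;
    while (c != '\n' && c != EOF) c = fgetc(in);   /* discard the overflow */
    return NAME_TRUNCATED;
}

/* Echo with a fixed format string; the original passes buffer itself to printf(). */
void welcome(const char *name, FILE *out)
{
    fprintf(out, "Welcome %s\n", name);
}

/* Demonstration harness (constructed, not part of the game): place a
 * NAME_BUF-sized buffer between two guard regions, feed `line` through an
 * in-memory stream, copy the name read into out, and report whether the
 * guard bytes on either side survived untouched. */
enum name_status try_input(const char *line, char *out, size_t outcap, int *guard_intact)
{
    struct { unsigned char lo[16]; char buf[NAME_BUF]; unsigned char hi[16]; } frame;
    memset(frame.lo, 0x5a, sizeof frame.lo);
    memset(frame.hi, 0x5a, sizeof frame.hi);

    FILE *in = fmemopen((void *)line, strlen(line), "r");
    if (in == NULL) return NAME_EOF;
    enum name_status st = read_name(frame.buf, sizeof frame.buf, in);
    fclose(in);

    *guard_intact = 1;
    for (size_t i = 0; i < sizeof frame.lo; i++)
        if (frame.lo[i] != 0x5a || frame.hi[i] != 0x5a) *guard_intact = 0;
    snprintf(out, outcap, "%s", frame.buf);
    return st;
}

/* Stand-alone use: reads one name from stdin and greets it. */
int main(void)
{
    char name[NAME_BUF];
    enum name_status st = read_name(name, sizeof name, stdin);
    if (st == NAME_TRUNCATED)
        fprintf(stderr, "name too long, truncated to %d bytes\n", NAME_BUF - 1);
    welcome(name, stdout);
    return 0;
}
```

The important line is the fgets() call: sizeof frame.buf (or sizeof buffer inside game()) is the bound the original program lacks, and the return value tells the caller that input was cut rather than hiding it.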

Task 2

Overview
Demonstrate stack overflow and direct code execution using C source code. The program is a server which listens on a chosen port number and waits for an incoming TCP connection from a client. The server sends a prompt, reads input from the client, and returns a welcome message containing the input string. The C source code is provided below and on Moodle.

Task
(a) Compile the provided C code co7605_portfo_ex2.c into executables* in the following versions:
• Compile the C code so that the stack is executable and there are no stack canaries or other optimisations to the code.
• Compile the C code so that the stack is not executable, includes stack canaries, and full optimisation to the code.
* Take note that the C code has a header file co7605_portfo_ex2.h
(b) Run** both executables normally to test their operation.
(c) Demonstrate stack overflow with machine code injection delivered via a client for the two binaries.
In doing this you should:
• Do simple static analysis on each of the server binaries to identify critical information for this exercise.
• Use a debugger on the server binaries to identify and detail the call stack locations of importance in achieving this task, and the placement of the injected code. Annotate the call stack etc.
• Construct some code that writes a message to the screen on each target server, using either a call to a library that is already loaded (for example the printf family of functions in libc) or a write system call. After leaving the message, demonstrate the return of control flow back to the server code, or exit the program safely. Do either of these without crashing the servers.
• Elaborate on and detail the constructed code used in the stack overflow; show how it was constructed and the byte stream equivalent.
(d) Give a brief description of the difference in the outcome of code injection for the two binaries. Include screenshots of your attempts to exploit the two executables.
(e) Specific to the binary with executable stack, no canaries and no optimisations, describe briefly whether it is easier to construct a library call to the loaded dynamic libraries, or to make a system call to the same effect, and why.
(f) Deliverables: In addition to the written work for this exercise, you are required to submit the two executable binaries. The binaries should be uploaded to Executable-files-submission-link in Turnitin.

Task 3
Overview
A non-executable (NX) stack renders a code injection attack inert, but this countermeasure (the non-executable stack) can itself be countered using ROP (Return Oriented Programming). In ROP, an attacker bypasses the protection by reusing code that already exists in the process to achieve an exploit. Show how the equivalent of arguments passed to functions and of local variables can be used within ROP code.
Task
(a) Compile the provided C code co7605_portfo_ex2.c into an executable* in the following version:
• Compile the C code so that the stack is not executable, includes stack canaries, and has no optimisations to the code. You should use the static linking flag to ensure that the libraries are within the binary.
* Take note that the C code has a header file co7605_portfo_ex2.h
(b) Do static analysis on the executable to identify at least three gadgets in the loaded target program's memory address space**, i.e. including the loaded program and libraries at the time of exploitation, giving the location in memory, the machine instructions, and what each gadget corresponds to.
(c) Do dynamic analysis on the executable binary to identify critical information for this exercise.
(d) Use your selected gadgets to demonstrate a ROP attack on the target.
(e) Give a brief discussion on the impact of the ROP input on the target and suggest possible mitigations for the attack.
** Make sure ASLR is disabled on your system.
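Task 2(a) asks for the server built once with an executable stack and once without, and Task 3 relies on the non-executable (NX) variant. Whether a built binary actually carries that property is recorded in its PT_GNU_STACK program header. The following C program is an added example, not part of the assignment or its code, that reads an ELF64 file and reports whether that header requests an executable stack. build_sample_elf() constructs a minimal synthetic image (not a real binary) so the parser can be exercised without compiling the servers; main() reads the real file named on the command line.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

#define PT_GNU_STACK_TYPE 0x6474e551u   /* p_type of the GNU_STACK program header */
#define PF_X_FLAG 0x1u                  /* execute bit in p_flags */
#define EHDR_SIZE 64                    /* sizeof(Elf64_Ehdr) */
#define PHDR_SIZE 56                    /* sizeof(Elf64_Phdr) */

enum stack_verdict { STACK_MALFORMED = -2, STACK_NO_HEADER = -1, STACK_NX = 0, STACK_EXEC = 1 };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint64_t rd64(const uint8_t *p) { return (uint64_t)rd32(p) | ((uint64_t)rd32(p + 4) << 32); }

/* Inspect a little-endian ELF64 image held in memory and report whether its
 * PT_GNU_STACK program header requests an executable stack. A missing header
 * is reported separately, because the loader's default for that case is
 * architecture dependent (historically executable on x86). */
enum stack_verdict gnu_stack_verdict(const uint8_t *img, size_t len)
{
    if (len < EHDR_SIZE || memcmp(img, "\x7f" "ELF", 4) != 0) return STACK_MALFORMED;
    if (img[4] != 2 || img[5] != 1) return STACK_MALFORMED;   /* ELFCLASS64 + ELFDATA2LSB only */
    uint64_t phoff = rd64(img + 32);          /* e_phoff */
    uint16_t phentsize = rd16(img + 54);      /* e_phentsize */
    uint16_t phnum = rd16(img + 56);          /* e_phnum */
    if (phentsize < PHDR_SIZE) return STACK_MALFORMED;
    for (uint16_t i = 0; i < phnum; i++) {
        uint64_t off = phoff + (uint64_t)i * phentsize;
        if (off > len || len - off < PHDR_SIZE) return STACK_MALFORMED;   /* table runs past the image */
        const uint8_t *ph = img + off;
        if (rd32(ph) == PT_GNU_STACK_TYPE)
            return (rd32(ph + 4) & PF_X_FLAG) ? STACK_EXEC : STACK_NX;
    }
    return STACK_NO_HEADER;
}

/* Constructed for demonstration: a minimal, non-loadable ELF64 image made of
 * the 64-byte header and a single PT_GNU_STACK entry with flags RWE or RW. */
size_t build_sample_elf(uint8_t *out, size_t cap, int exec_stack)
{
    const size_t total = EHDR_SIZE + PHDR_SIZE;
    if (cap < total) return 0;
    memset(out, 0, total);
    memcpy(out, "\x7f" "ELF", 4);
    out[4] = 2; out[5] = 1; out[6] = 1;     /* 64-bit, little-endian, EV_CURRENT */
    out[16] = 2;                            /* e_type = ET_EXEC */
    out[18] = 0x3e;                         /* e_machine = EM_X86_64 */
    out[32] = EHDR_SIZE;                    /* e_phoff = 64 (remaining bytes zero) */
    out[52] = EHDR_SIZE;                    /* e_ehsize */
    out[54] = PHDR_SIZE;                    /* e_phentsize */
    out[56] = 1;                            /* e_phnum */
    uint8_t *ph = out + EHDR_SIZE;
    ph[0] = 0x51; ph[1] = 0xe5; ph[2] = 0x74; ph[3] = 0x64;   /* p_type = PT_GNU_STACK, little-endian */
    ph[4] = exec_stack ? 0x7 : 0x6;         /* p_flags: PF_R|PF_W|PF_X or PF_R|PF_W */
    return total;
}

/* Stand-alone use: ./nxcheck <elf-file> */
int main(int argc, char *argv[])
{
    if (argc != 2) { fprintf(stderr, "usage: %s <elf-file>\n", argv[0]); return 2; }
    FILE *f = fopen(argv[1], "rb");
    if (!f) { perror(argv[1]); return 2; }
    fseek(f, 0, SEEK_END);
    long sz = ftell(f);
    rewind(f);
    uint8_t *img = malloc(sz > 0 ? (size_t)sz : 1);
    size_t got = img ? fread(img, 1, (size_t)sz, f) : 0;
    fclose(f);
    static const char *names[] = { "malformed", "no GNU_STACK header", "stack NX", "stack executable" };
    printf("%s: %s\n", argv[1], names[gnu_stack_verdict(img, got) + 2]);
    free(img);
    return 0;
}
```

Run against both Task 2 builds, the two verdicts should differ; readelf -l shows the same information as the GNU_STACK line with an E in its flags column, this program just reads the raw header so the check can be scripted across several binaries.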
C code: co7605_portfo_ex2.c - This is the source code.
#include "co7605_portfo_ex2.h"   // supplies the system headers used below and the socket helpers create_socket() and accept_connection()

#define MAX_DATA_SIZE 256

void serve_welcome_response(int the_connection)
{
    char buffer[32];          // buffer to hold the client's name
    memset(buffer, 0, 32);    // Clear the buffer for receiving
    // Send the query to the client...
    write(the_connection, "Please enter your name: ", 24);
    // Get the client's name... (the read limit of 256 exceeds the 32-byte buffer)
    read(the_connection, buffer, MAX_DATA_SIZE);
    // Print the received message locally...
    printf("Message received: ");
    printf(buffer);           // client data used directly as the format string
    printf("\n");
    // Send the message back to the client to welcome them...
    write(the_connection, "Welcome ", 8);   // Send 8 characters
    write(the_connection, buffer, strlen(buffer));
    return;
}

int server_loop(int port_number)
{
    int sockfd, newsockfd;
    // Establish a socket for this server to listen on...
    sockfd = create_socket(port_number);
    for (;;) {   // Loop forever
        // Accept a new connection - get a 'new socket fd' to handle it...
        newsockfd = accept_connection(sockfd);
        // serve the client...
        serve_welcome_response(newsockfd);
        // We've now finished with this 'new socket file descriptor'
        close(newsockfd);
    }
}

int main(int argc, char *argv[])
{
    char some_space[92];
    int port_number;
    if (argc < 2) {
        printf("ERROR: no port provided\n");
        exit(-1);
    }
    else
    {
        // Get the port number as provided on the command line...
        port_number = atoi(argv[1]);
        server_loop(port_number);
    }
    return 0;
}
