Project 7: Buffer overflows


Tutor: Guillaume Didier guillaume.didier AT irisa.fr

Context

Out-of-bounds accesses (and writes) to buffers are a recurring issue in computer security, especially for code bases written in C-based languages. In this project we explore how to exploit buffer overflows (that is, writes past the end of buffers) in order to hijack the control flow of the program.

This project will involve learning about the program stack memory layout, assembly, and, in the last part, memory allocator structures.

Aim

Your mission is to exploit our target programs in various ways to demonstrate that you are able to execute code of your choice.

Each time, you should be able to take control of the instruction pointer and pass parameters of your choice to the target function.

You should start with the unprotected stack target, then move on to the protected stack, and finish with the heap buffer overflow.

Logistics

We will provide a virtual machine on which to run the targets, in order to have a reproducible environment. You can find more details on how to exploit the target here: [PDF]

We expect a report on how you set up your different attacks. We also expect you to provide the hex representation of all your attack strings.

Progression

On the first target, ctarget:

  1. Call a function that takes no argument and then exits
  2. Call a function that expects arguments
  3. Call a function that expects a string
  4. Execute code on the stack that then restores the stack and continues execution normally

On the second target you should try to:

  1. Call a function that expects a register argument
  2. Call a function that expects a string parameter

On the last target, you are expected to create an exploit string that:

  1. Calls a function with no argument
  2. Calls a function with a single register argument
  3. Calls a function with a string argument

We’re bored

Are you, really?

You can explore how to get an actual shell instead of calling target functions.

Bibliography

Read this seminal publication first to familiarize yourself with buffer overflows:

During the final presentation, you should summarize these two papers:

More publications about attacks on the heap for the last part of the project (to read in order):

And other resources for more background information: