Project 8: Buffer Overflow (20 pts + 10 pts extra credit)

What You Need for This Project


8.1: Buffer Overflow

Writing the hello.c Source Code

In a Terminal window, execute this command:
nano hello.c
The nano editor opens. Type in the program shown below.
#include <stdio.h>

int buf(void);   /* prototype, so main can call buf before it is defined */

int main(void)
{
   buf();
   return 0;
}

int buf(void){
   char name[10];            /* room for 9 characters plus the terminating NUL */
   printf("What is your name? ");
   scanf("%s", name);        /* unbounded read: this is the buffer overflow */
   printf("Hi, %s\n\n", name);
   return 0;
}
Save your file with Ctrl+X, Y, Enter.

Compiling hello.c to Create the hello File

In a Terminal window, execute these commands:
gcc hello.c -o hello

./hello

These commands compile the hello.c program, creating an executable machine language file named hello, and run the hello executable.

It should ask you for your name. When you type in your name (no longer than 10 characters), you should be greeted by name, as shown below.

Causing a Buffer Overflow

The hello program is poorly written and exposes your machine to exploitation. That's because it takes the name from typed input and copies it into the name string, but the name string has a size limit: it only has room for 10 characters. Names longer than 10 characters cause user-input data to overwrite parts of memory that were not intended to store that data, making the program crash. This is a buffer overflow. In a Terminal window, execute this command:
./hello
When you see the "What is your name?" prompt, type in this name, which consists of forty "A" characters, followed by the Enter key:
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
You see a "Segmentation fault" error, as shown below.
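As an added example (not part of the project page), here is the hello.c read rewritten so the 10-byte buffer cannot be overrun: read_name is a bounded stand-in for the scanf("%s", name) call, and read_name_from_string is an assumed test helper so the reader can be exercised on a fixed input, such as the forty "A"s above, without typing it.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Bounded replacement for scanf("%s", name) in hello.c: reads one
 * whitespace-delimited word from `in` into name[len], keeping at most len-1
 * characters and always NUL-terminating. Excess characters are consumed and
 * discarded rather than left for the next read. Returns the number of
 * characters discarded (0 = no truncation) so the caller can log it. */
size_t read_name(FILE *in, char *name, size_t len)
{
    size_t kept = 0, dropped = 0;
    int c;
    if (len == 0) return 0;
    do {                          /* skip leading whitespace, like %s */
        c = fgetc(in);
    } while (c != EOF && isspace((unsigned char)c));
    while (c != EOF && !isspace((unsigned char)c)) {
        if (kept + 1 < len)
            name[kept++] = (char)c;
        else
            dropped++;
        c = fgetc(in);
    }
    name[kept] = '\0';
    return dropped;
}

/* Test helper (assumed, not in hello.c): feed a string through read_name. */
size_t read_name_from_string(const char *input, char *name, size_t len)
{
    FILE *in = tmpfile();         /* standard C stand-in for stdin */
    if (in == NULL) { name[0] = '\0'; return 0; }
    fputs(input, in);
    rewind(in);
    size_t dropped = read_name(in, name, len);
    fclose(in);
    return dropped;
}

int main(void)
{
    char name[10];                /* same 10-byte buffer as hello.c */
    printf("What is your name? ");
    if (read_name(stdin, name, sizeof name) > 0)
        fprintf(stderr, "(name truncated to %zu characters)\n", sizeof name - 1);
    printf("Hi, %s\n\n", name);
    return 0;
}
```

The smallest fix to the page's own line is a width in the format, scanf("%9s", name), which stops after 9 characters but leaves the rest of the input in the stream for the next read; read_name discards it instead and reports that it did so.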

Using a Debugger

To see why the program crashed, we'll use the GNU debugger, gdb.

In a Terminal window, execute this command, which loads the "hello" program into the "gdb" debugger:

gdb -q hello
At the (gdb) prompt, enter this command:
run
When you see the "What is your name?" prompt, type in this name, which consists of forty "A" characters, followed by the Enter key:
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
You see a "Segmentation fault" error, as shown below, followed by the hexadecimal value 0x41414141, which is the ASCII encoding of "AAAA".

Examining the Registers

At the (gdb) prompt, enter this command:
info registers
The values stored in the registers appear, as shown in the image above. The eip register contains 0x41414141, which indicates that a portion of the name you entered was loaded into the instruction pointer; an attacker can exploit this to gain control of the machine.

Troubleshooting

If you see longer register values with names like rax and rip, you are using a 64-bit machine. Download a 32-bit Kali machine and start over.

8.1: Recording Your Success (10 pts.)

Find the ebp value, which is covered with a gray box in the image above.

Use the form below to record your score in Canvas.

If you don't have a Canvas account, see the instructions here.

Name or Email:
ebp:


8.2 Fuzzing (10 pts.)

Enter this code into a file named yo.c
#include <stdio.h>

int buf(void);   /* prototype, so main can call buf before it is defined */

int main(void)
{
   buf();
   return 0;
}

int buf(void){
   char name[3];             /* room for 2 characters plus the terminating NUL */
   printf("What is your name? ");
   scanf("%s", name);        /* unbounded read: this is the buffer overflow */
   printf("Yo, %s\n\n", name);
   return 0;
}
Save the file and compile it, as you did for the hello.c program.

Run the program for a short name. The program runs properly, as shown below.

Try longer names until the program crashes, as shown below. This process is called "fuzzing" and it's an essential part of vulnerability discovery.

8.2: Recording Your Success (10 pts.)

Find the length of the shortest name that causes a crash.

Use the form below to record your score in Canvas.

If you don't have a Canvas account, see the instructions here.

Name or Email:
Length of name:


8.3 Fuzzing Online (10 pts. extra credit)

Online Function

Use the form below to fuzz the online program "bufo3":
Username:

8.3: Recording Your Success (10 pts.)

Find a username that causes a "stack smashing" error.

Use the form below to record your score in Canvas.

If you don't have a Canvas account, see the instructions here.

Name or Email:
Username:


Posted: 7-10-18