The first step in accomplishing this buffer overflow attack is to identify the vulnerability. One of the function calls in the provided code is unsafe and allows a buffer overflow to occur. [What is the name of this function? *without any parentheses in all lowercase.]
The next step is to identify the vulnerable buffer. This is the area of memory that the vulnerable function uses to hold its data. In the later attack, this buffer will overflow into other parts of memory. [What is the name of the buffer in all lowercase?. Hint: This is a variable’s name.]
Now it is time to determine how much data is needed to fill the buffer and overflow into key parts of memory. First, we must know how much our buffer holds. This is the programmer defined size of the buffer. [What is the number of bytes the buffer holds below. This is a single numerical number. If the buffer held twenty bytes, you would enter “20” without the quotations.]
Without knowing the password, we want to get the “Access Granted” message to display. We can do this by overflowing the buffer into the access variable. Determine the number of bytes required to do this. This number is the total of your response to question 3 and the additional number of bytes required to overflow the access variable. You may partially or completely overflow the access variable; these answers are all accepted because they would successfully change the value of the variable. Do not overflow past the access variable; these answers are not accepted. [What is the number of bytes you would input into the program to fill the buffer and overflow the access variable. This is a single numerical number. If the required number of bytes were thirty, you would enter “30” without the quotations.]
Let us consider some string inputs to the program with the goal of causing the overflow described in question 4. Which of the following strings, when entered at the prompt for a password, will successfully display the “Access Granted” message?
[Select all that apply. Assume that none of the options are the actual password. Do not attempt to run this code on your system as it will likely not match the target system in the example. A partial overflow may be valid. Hint: Consider the number of bytes of the password and the data type assigned to it in the code.]
adminpas0
adminpas10
adminpassword
adminpas
Let us now continue determining how many bytes of data we need to fill the buffer and overflow into other parts of memory. We now want to overflow the frame pointer. How many bytes of data would we need to fill the buffer, overflow the access variable, and overflow the frame pointer? This number is the total of your response to question 4 (if you completely overflowed the access variable) and the additional number of bytes required to completely overflow the frame pointer. Do not overflow past the frame pointer. [What is the number of bytes you would input into the program to fill the buffer and completely overflow the frame pointer. This is a single numerical number. If the required number of bytes were f
Finally, we want to determine how many bytes of data we need to overflow the return address. How many bytes of data would we need to fill the buffer and overflow the access variable, frame pointer, and return address? This number is the total of your response to question 6 and the additional number of bytes required to completely overflow the return address. Do not overflow past the return address. [What is the number of bytes you would input into the program to fill the buffer and completely overflow the return address. This is a single numerical number. If the required number of bytes were fifty, you would enter “50” without the quotations.]orty, you would enter “40” without the quotations.]
Let us now put all this together.
In question 7, we determined how many bytes were required to overflow the return address in this specific example. In theory, we had the address of some malicious function call that we wanted to replace the return address with to make our buffer overflow attack useful. In Part 2 of this project, you will have to determine this malicious address, or payload, using GDB commands.
You will also have to determine the number of bytes required to overflow up to the return address as you did in question 6. This amount of data, required to fill the buffer up to the return address, is referred to as garbage data because the value of that data does not matter. Garbage data is just used as a filler to deliver the payload to the location it needs to be. The goal of this question is to identify the formula which calculates the amount of garbage data required such that the next byte will begin to overflow the return address.
If you apply this formula correctly and answered question 6 correctly, you should receive the same answer. You can substitute hypothetical addresses into the formula and stack diagram provided to test your answer.
[Select the formula which gives the correct number of bytes of garbage data.]
The address contained in ESP + 4 – The Buffer’s starting address
The address contained in EBP + 4 + The Buffer’s starting address
The address contained in EBP + 4 – The Buffer’s starting address
The address contained in ESP + 4 + The Buffer’s starting address
The following questions will test your knowledge of the stack and the heap and are unrelated to the overflow example provided in Section I. Note that the stack and the heap are architectural constructs and not the same as a stack or a heap data structure.
Assume that the following lines of code are run on a 32-Bit OS that utilizes stack alignment.
char buf1[5]; // Line 1
char buf2[8]; // Line 2
[How many bytes would be allocated on the stack for each? The options represent buf1 and buf2 respectively.]
8 and 8
5 and 16
16 and 16
5 and 8
For a C program, when is memory allocated on the stack?
At run time
When a function is exited
At compile time
When a function is entered
For a C program, when is memory de-allocated from the stack?
When a function is entered
At run time
When a function is exited
At compile time
For most systems, such as the one described in chapter 10 of the book, which of the following describes the growth of the stack.
The stack grows from lower memory addresses upwards towards higher memory addresses.
The stack grows from higher memory addresses downward towards lower memory addresses.
The stack can contain multiple stack frames.
True
False
Data is pushed onto the stack and organized in a specific order. [Order the data below, such that the first response represents the first value pushed onto the stack and the last response represents the last value pushed onto the stack (which is also the top of the stack).]
Options are as follows:
Return Address
Function Arguments
Frame Pointer
Local Variables
The following are operations involved with control flow, utilizing the stack, when exiting a function and returning to the calling function. [Order the operations below, such that the first response represents the first step and the last response represents the last step.]
Options are as follows:
The return address is popped off the stack
The function return statement is reached in the function’s code
ESP is set to point to EBP
Execution jumps to the calling function
For a C program, when is memory allocated on the heap?
During run time
When a function is exited
At compile time
When a function is entered
For a C program, when is memory de-allocated from the heap?
When a function is entered
At compile time
When a function is exited
During run time
For most systems, such as the one described in chapter 10 of the book, which of the following describes the growth of the heap.
The heap grows from higher memory addresses downward towards lower memory addresses.
The heap grows from lower memory addresses upwards towards higher memory addresses.
The stack and the heap grow towards each other.
True
False
It is possible to perform a buffer overflow attack on the heap.
True
False