The learning objective of this lab is for students to gain the first-hand experience on an interesting variant of buffer-overflow attack; this attack can bypass an existing protection scheme currently implemented in major Linux operating systems. A common way to exploit a heap-overflow vulnerability is to overflow the heap with garbage values, and then overwrite the return address to jump to the target function that is not called in the program. To prevent these types of attacks, some operating systems have protection in heaps and stacks and ; therefore, jumping to the function will cause the program to fail.

In this lab, students are given three programs. understand_heap.c to understand the memory layout, heapoverflow_vulnerability.c for understanding the vulnerability and attack.c for attacking the vulnerablity. In addition to the attacks, students will be guided to walk through some protection schemes that have been implemented in Ubuntu to counter against the buffer-overflow attacks. This lab covers the following topics:

• Heap overflow vulnerability and attack
• Stack and heap layout in a c program and the registers related
• Address randomization
• Assembly language
• GDB
• The generation of Shell Code

Readings and related topics. Detailed coverage of the buffer overflow attack can be found in Chapter 4 of the SEED book, Computer Security: A Hands-on Approach, by Wenliang Du.

Each running program has its own memory layout, separated from other programs. To understand it more better let us take the example of our understanding_heap.c example. The layout consists of a lot of segments, including:

/* understanding_heap.c */

/* This program is to understand memory layout. */
#include<stdio.h>

void dummy_func()
{
    printf("This is a dummy function.");
}
  
void memory_check()
{
    printf("This is a sample memory check");
}

  
int main(void)
{
    char *address;
    int main_add=memory_check;
    printf("Enter the address of function memory_check in hex :");
    scanf("%s", address);
    char *b = address + 2;
    int num = (int)strtol(b, NULL, 16);
    if(main_add==num){
        printf("\n You have found the address successfully!!!\n\n");
    }
    printf("Next Step is to attack the heapoverflow_vulnerability");
    return 0;
}

In this example let us consider the memory layout for function default_fc(argv*)

• Stack: Stores local variables of a function.

  Stores the variable temp[72] + ebp[Base pointer address] + Return address + arguments[char *arg]

• Heap: Stores dynamically allocated variables. (Variables stored using malloc() or calloc() are stored in heap)

  Stores the variable ptr + ebp[Base pointer address] + Return address.

• Data: Stores global variables of the function. (Consist of both unitialized data + initialized data)

  Stores the variable data : 10 Bytes.

How it works: The vulnerable point of this Lab is strcpy function which is a C function. We can refer the program.c given The strcpy() function is used to copy a string from one location to another. However, it is considered to be a potentially unsafe function because it does not perform any bounds checking on the length to be copied on destination buffer, which can lead to buffer overflow vulnerabilities, as we can overflow the destination buffer to our required length to overwritte specific parts of stack. Other vulnerable functions include strncpy(); memset(); etc. Suppose now the destination buffer is 20 bytes, but we paste 30 bytes in it. As we know from the introduction of heap above, it will overwrite some blocks of heap such as framed pointer or even return address. So it will not return to the default place but rather return to the address we overwrite to.

From the above example, the Core goal is to call the function success(), but in the example there is no where that the function is called. To achieve this we can use the existing vulnearbilty and overwrite the buffer and return address with the address of function success such that the function doesn't exit to main(), rather it will call the function success().

In real life application this attack can be used to return the program to system function [ to spawn a shell] and gain root access.

GDB is a debugger to analyse the memory and perform code analysis of C programs. To understand more about GDB follow the link- https://www.sourceware.org/gdb/

$ gdb <Executable_program>
$ gdb understand_heap

info procmap # To get the address of stacks and heap.
disassemble <functionName> #To get the address the functions.

Run the executable understand_heap to understand the memory layout and find the address of function in the code.

/* program.c */

/* This program has a stack overflow vulnerability. */
/* Our task is to exploit this vulnerability */
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <stdio.h>
#include <sys/types.h>

struct data {
 char name[64];
};

struct fp {
 int (*fp)();
};

void success()
{
 printf("Congratulations to attack the lab\n");
}

void fail()
{
 printf("Goal Failed\n");
}

int main(int argc, char **argv)
{
 struct data *d;
 struct fp *f;

 d = malloc(sizeof(struct data));
 f = malloc(sizeof(struct fp));
 f->fp = fail;

 printf("data is at %p, fp is at %p\n", d, f);

 strcpy(d->name, argv[1]);

 f->fp();

}

$gdb heapoverflow
(gdb) b 38
(gdb) run AAAAAAAA

(gdb) info proc map
(gdb) x/2200x $(the address of heap())
(gdb) info address success

(gdb) q
(gdb) y
$vim sol1.py
$ ./heapoverflow $(python sol1.py)

You make it!

figure of the sign showing success.