seed-labs
GitHub Repository: seed-labs/seed-labs
Path: blob/master/category-software/Buffer_Overflow_Server/labenv.tex
% *******************************************
% SECTION
% *******************************************
\section{Lab Environment Setup}

Please download the \texttt{Labsetup.zip} file to your VM from the lab’s website,
unzip it, and you will get a folder called \texttt{Labsetup}. All the files
needed for this lab are included in this folder.


% -------------------------------------------
% SUBSECTION
% -------------------------------------------
\subsection{Turning off Countermeasures}

Before starting this lab, we need to make sure the
address randomization countermeasure is turned off; otherwise, the
attack will be difficult.
You can do it using the following command:

\begin{lstlisting}
$ sudo /sbin/sysctl -w kernel.randomize_va_space=0
\end{lstlisting}

% -------------------------------------------
% SUBSECTION
% -------------------------------------------
\subsection{The Vulnerable Program}
\label{sec:vulnerable_program}

The vulnerable program used in this lab is called
\texttt{stack.c}, which is in the \texttt{server-code} folder.
This program has a buffer-overflow vulnerability,
and your job is to exploit this vulnerability and gain the root privilege.
The code listed below has some non-essential information removed,
so it is slightly different from what you get from the lab setup file.

\begin{lstlisting}[language=C, caption={The vulnerable program \texttt{stack.c}}]
#include <stdlib.h>
#include <stdio.h>
#include <string.h>

/* Changing this size will change the layout of the stack.
 * Instructors can change this value each year, so students
 * won't be able to use the solutions from the past. */
#ifndef BUF_SIZE
#define BUF_SIZE 100
#endif

int bof(char *str)
{
    char buffer[BUF_SIZE];

    /* The following statement has a buffer overflow problem */
    (*@\ifdefined\arm
    \ \ \ \ memcpy(buffer, str, 517);
    \else
    \ \ \ \ strcpy(buffer, str);
    \fi@*)

    return 1;
}

void foo(char *str)
{
    ...
    bof(str);
}

int main(int argc, char **argv)
{
    char str[517];

    int length = fread(str, sizeof(char), 517, stdin);
    foo(str);
    fprintf(stdout, "==== Returned Properly ====\n");
    return 1;
}
\end{lstlisting}

The above program has a buffer overflow vulnerability. It
reads data from the standard input, and the data are
eventually copied to another buffer in the function {\tt bof()}.
The original input can have a maximum length of \texttt{517} bytes, but the buffer
in {\tt bof()} is only \texttt{BUF\_SIZE} bytes long, which is less than
\texttt{517}.
\ifdefined\arm
When \texttt{memcpy()} copies the data to the target buffer,
\else
Because {\tt strcpy()} does not check boundaries,
\fi
buffer overflow will occur.

The program will run on a server with the root privilege, and its
standard input will be redirected to a TCP connection between the
server and a remote user.
Therefore, the program actually gets its data from a remote user.
If users can exploit this buffer overflow vulnerability,
they can get a root shell on the server.
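As an added illustration (not part of the lab's \texttt{stack.c}), the following C code shows the bounded counterpart of \texttt{bof()}: the byte count that \texttt{fread()} returns is kept and checked against \texttt{BUF\_SIZE} before anything is copied, so a 517-byte input is rejected instead of overflowing the stack. \texttt{BUF\_SIZE} and the 517-byte limit are the lab's own constants; \texttt{bof\_safe()}, \texttt{handle\_input()} and \texttt{try\_length()} are names chosen for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The lab's constants: buffer size and the most bytes main() reads. */
#ifndef BUF_SIZE
#define BUF_SIZE 100
#endif
#define INPUT_MAX 517

/* Hardened counterpart of bof(): the caller passes how many bytes were
 * actually read, and the copy is refused unless they fit in the buffer
 * together with a terminating NUL. The lab's strcpy() stops only at a
 * NUL that fread() never adds, so it can run past both the 517-byte
 * input and the BUF_SIZE-byte buffer. */
int bof_safe(const char *str, size_t len)
{
    char buffer[BUF_SIZE];

    if (len >= sizeof(buffer))  /* no room for the data plus '\0' */
        return -1;              /* reject instead of overflowing */
    memcpy(buffer, str, len);
    buffer[len] = '\0';
    return (int)len;            /* bytes accepted */
}

/* Mirrors main() in stack.c but keeps the fread() result that the
 * original stores in `length` and then ignores. */
int handle_input(FILE *in)
{
    char str[INPUT_MAX];
    size_t length = fread(str, sizeof(char), INPUT_MAX, in);
    return bof_safe(str, length);
}

/* Experiment helper (constructed data): n bytes of 'A' into bof_safe(). */
int try_length(size_t n)
{
    char *filler = malloc(n + 1);
    int rc;

    if (filler == NULL)
        return -2;
    memset(filler, 'A', n);
    rc = bof_safe(filler, n);
    free(filler);
    return rc;
}
```

A \texttt{main()} that returns \texttt{handle\_input(stdin)} gives a drop-in replacement for the lab's entry point; with the default \texttt{BUF\_SIZE} of 100, \texttt{try\_length(99)} is accepted and \texttt{try\_length(100)} or \texttt{try\_length(517)} returns \texttt{-1}.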


\paragraph{Compilation.}
To compile the above vulnerable program, we need to
turn off the StackGuard and the non-executable stack protections
using the \texttt{-fno-stack-protector} and \texttt{"-z execstack"} options.
The following is an example of the compilation command (the \texttt{L1}
variable, set in \texttt{Makefile}, provides the value for the
\texttt{BUF\_SIZE} constant inside \texttt{stack.c}).

\begin{lstlisting}
$ gcc -DBUF_SIZE=$(L1) -o stack -z execstack -fno-stack-protector stack.c
\end{lstlisting}

\ifdefined\arm
\else
We will compile the \texttt{stack} program into both 32-bit and 64-bit
binaries. Our pre-built Ubuntu 20.04 VM is a 64-bit VM, but it
still supports 32-bit binaries. All we need to do is to
use the \texttt{-m32} option in the \texttt{gcc} command.
For 32-bit compilation, we also use \texttt{-static} to generate
a statically-linked binary, which is self-contained and does not depend
on any dynamic library, because the 32-bit dynamic libraries
are not installed in our containers.
\fi

The compilation commands are already provided in \texttt{Makefile}. To compile
the code, you need to type \texttt{make} to execute those commands.
The variables \texttt{L1}, \texttt{L2}, \texttt{L3}, and \texttt{L4} are
set in \texttt{Makefile}; they will be used during the compilation.
After the compilation, we need to copy the binaries into
the \texttt{bof-containers} folder, so they can be used by the
containers. The following commands conduct compilation and
installation.

\begin{lstlisting}
$ make
$ make install
\end{lstlisting}


\paragraph{For instructors (customization).}
To make the lab slightly different from the one offered in the past,
instructors can change the value for \texttt{BUF\_SIZE} by requiring
students to compile the server code using different \texttt{BUF\_SIZE} values.
In \texttt{Makefile}, the \texttt{BUF\_SIZE} value is set by
four variables \texttt{L1}, ..., \texttt{L4}.
Instructors should pick the values for these variables based
on the following suggestions:

\begin{itemize}[noitemsep]
\item \texttt{L1}: pick a number between 100 and 400
\item \texttt{L2}: pick a number between 40 and 200
\item \texttt{L3}: pick a number between 100 and 400
\item \texttt{L4}: pick a number between 20 and 80;
we need to keep this number smaller, to make this level more challenging
than the previous level.
\end{itemize}



\paragraph{The Server Program.}
In the \texttt{server-code} folder, you can find a program called \texttt{server.c}.
This is the main entry point of the server. It listens on port \texttt{9090}.
When it receives a TCP connection, it
invokes the \texttt{stack} program, and sets the TCP connection
as the standard input of the \texttt{stack} program. This way,
when \texttt{stack} reads data from \texttt{stdin}, it actually
reads from the TCP connection, i.e., the data are provided by
the user on the TCP client side. It is not necessary for
students to read the source code of \texttt{server.c}.


% -------------------------------------------
% SUBSECTION
% -------------------------------------------
\subsection{Container Setup and Commands}

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\input{\commonfolder/container/setup}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%


\paragraph{Note.} It should be noted that before running
\texttt{"docker-compose build"} to build the docker
images, we need to compile and copy the server
code to the \texttt{bof-containers} folder.
This step is described in Section~\ref{sec:vulnerable_program}.