tags:

views:

409

answers:

3
+2  Q: 

Illustration of buffer overflows for students (linux, C)

Hello

My friend is teacher of first-year CS students. We want to show them buffer overflow exploitation. But modern distribs are protected from simples buffer overflows:

HOME=`perl -e "print 'A'x269"`  one_widely_used_utility_is_here --help

on debian (blame it)

Caught signal 11,

on modern commercial redhat

*** buffer overflow detected ***: /usr/bin/one_widely_used_utility_is_here terminated
======= Backtrace: =========
/lib/libc.so.6(__chk_fail+0x41)[0xc321c1]
/lib/libc.so.6(__strcpy_chk+0x43)[0xc315e3]
/usr/bin/one_widely_used_utility_is_here[0x805xxxc]
/usr/bin/one_widely_used_utility_is_here[0x804xxxc]
/lib/libc.so.6(__libc_start_main+0xdc)[0xb61e9c]
/usr/bin/one_widely_used_utility_is_here[0x804xxx1]
======= Memory map: ========
00336000-00341000 r-xp 00000000 08:02
2751047    /lib/libgcc_s-4.1.2-20080825.so.1
00341000-00342000 rwxp 0000a000 08:02
2751047    /lib/libgcc_s-4.1.2-20080825.so.1
008f3000-008f4000 r-xp 008f3000 00:00 0          [vdso]

The same detector fails for more synthetic examples from the internet.

How can we demonstrate buffer overflow with modern non-GPL distribs (there is no debian in classes)

How can we

  • DISABLE canary word checking in stack ?
  • DISABLE checking variants of strcpy/strcat ?
  • write an example (in plain C) with working buffer overrun ?
+2  A: 

In my security and privacy class, they used virtual machines that had vulnerable programs compiled with an older version of GCC that did not have canaries. You can also use newer versions of GCC and use command-line switches to disable security features like stack-smashing detection.

Either way, you'll need to recompile the programs if you're on a modern Linux distribution.

Ben S  2010-04-15 21:33:09
which options will disable canary in stack, non-exec stack and which `-D` define will disable checking versions of strings functions
osgx  2010-04-15 21:37:26
-fno-stack-protector to disable the canary
Ben S  2010-04-15 21:42:07
-fnomudflap for string methods
Ben S  2010-04-15 21:45:11
The no-executing stack is an OS option that can be backed by the CPU. To disable it you need to set the option in the Linux kernel. See this for some insight (http://en.wikipedia.org/wiki/Executable_space_protection#Linux)
Ben S  2010-04-15 21:46:44
no-exec stack HAS an option in ELF file header. so gcc can disable it. UPD: http://linux.die.net/man/8/execstack
osgx  2010-04-15 21:57:45
A:  
#include <stdio.h>

int main()
{ int x = 0; char buffer[8]; strcpy(buffer, "test hello world;-)"); return 0; }

After strcpy(), you have in x some ascii from this string, but if this string is too long, overvride ESP adres and program fail for protect from this and better ilustration buffer overrun, you must before declaration of x, declarate some big buffer to protect you overflow from esp address. (before x because variables is declarating on memory in stack arrange).

Edit: You can ilustrate it from StackOverflow Logo!!

Svisstack  2010-04-15 21:38:29
"program fail" == segmentation fault
Svisstack  2010-04-15 21:39:23
maybe i forget #include <string.h> for strcpy
Svisstack  2010-04-15 21:40:13
When including `#include <string.h>` modern glibc WILL CHANGE call to `strcpy_chk(buffer, "test...", sizeof(buffer))`. so we NEED NOT TO INCLUDE IT!
osgx  2010-04-15 21:44:56
oh no, fu**ing gclib, i dont know this
Svisstack  2010-04-16 07:56:01
+1  A: 

To disable checking strings functions form glibc you should change your exploitable example. Change all calls to strcpy and other functions with cheking variants from

strcpy(dst, src);

to

(strcpy)(dst, src);

This will magically disable checking macroses.

To turn off gcc protection, use options

-fno-stack-protector
-fnomudflap
-U_FORTIFY_SOURCE or -D_FORTIFY_SOURCE=0

To turn off non-exec stack, use

execstack -s ./programme

or as gcc-linker option

-Wl,-z execstack
osgx  2010-04-15 21:50:05

related questions

Teach an M.B.A. the intricacies of Microsoft SQL Server (and how's it different from MySQL?)
How and when do you teach a kid to code?
Basic programming/algorithmic concepts
"Firefighter" consulting, getting a project released
Advanced database concepts
What are essential topics to have in a Web Services (semester) course?
Teaching: Field, Class & Package Relationships
How do you teach the stuff that good programming is made of?
What's a good Wiki for technical documentation?
Motivations for choosing a career in programming
What's the best way to introduce non-majors to HTML / programming?
What's the best way to teach young kids some basic programming concepts?
Single most important thing to impart when teaching TDD
Which is the best Linux C/C++ debugger (or front-end to gdb) to help teaching programming?
What are some games with fairly simple heuristics to evaluate positions?
How to teach a crash course on C++?
High School Programming
Rewarding code projects for *complete* beginners
How to mentor a junior programmer
Suggestions on starting a child programming.
What's a good starting development environment for teaching/learning Python?
Best Windows Command Line tutorial for beginners?
Why are professors or schools picking Java over C++ to teach to students?
What is the easiest language to start with?
Best ways to teach a beginner to program?