

Exercise 4: Finding bugs with GDB


Please submit your solution by plain-text e-mail to: jan.bierbaum (at) os.inf.tu-dresden.de. Do not attach anything to the e-mail (such as PDF or DOC files) other than the requested source code and a Makefile. In particular, do not attach the (simple_login) target binary! Please place all answers in the mail body.


In this exercise you will learn to apply widely used debugging tools, namely gdb and objdump, while reverse engineering and exploiting a very simple and vulnerable login program.

In Unix systems, a login program is normally invoked by some login shell (like getty) together with a user name. The login executable is usually owned by the superuser and its SUID bit is set. Therefore, from an attacker's point of view, a vulnerable login program means potential root access to the system.

You have to analyze this simplified version of a login program, which waits for a password and, depending on the given string, prints a success or failure message.

Your first step is simply to extract the password by analyzing the binary with objdump or gdb. Describe how to extract the password from the binary by sending the output of a terminal session in which you use objdump and/or gdb to extract it. In addition, please send the plain password.

Next, exploit the buffer overflow vulnerability of this binary. By choosing an appropriate input you can skip the password check and force the program to jump directly to the code that prints the success message. To do so, you should find out:

  • How does gcc translate function calls to assembly code?
  • Which Standard C-Library functions are vulnerable to buffer overflows?
  • How to use this knowledge to overwrite the return address of a function?
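As an added illustration of the library-call pattern behind these questions (this is not simple_login's own code, whose source is not given on this page): a hypothetical password check that copies its input with strcpy() into a fixed-size stack buffer, beside a bounded version that rejects over-long input. SECRET and BUF_LEN are constructed values.

```c
#include <stdio.h>
#include <string.h>

#define BUF_LEN 16                 /* constructed size of the stack buffer */

/* Constructed sample password.  A literal like this lands in the binary's
 * read-only data, which is why the first part of the exercise can recover
 * it with objdump or gdb. */
static const char SECRET[] = "hunter2";

/* Vulnerable variant: strcpy() copies until the NUL byte of `input` and
 * ignores the size of `buf`.  Input of BUF_LEN bytes or more writes past
 * the buffer into the saved frame pointer and return address on the stack.
 * Returns 1 on match, 0 on mismatch. */
int check_password_vulnerable(const char *input)
{
    char buf[BUF_LEN];
    strcpy(buf, input);            /* unbounded copy: this is the defect */
    return strcmp(buf, SECRET) == 0;
}

/* Hardened variant: the copy is bounded by the destination size, and
 * over-long input is rejected rather than silently truncated.
 * Returns 1 on match, 0 on mismatch, -1 if `input` cannot fit in `buf`. */
int check_password_hardened(const char *input)
{
    char buf[BUF_LEN];
    /* Look for the terminator within the first BUF_LEN bytes only. */
    const char *end = memchr(input, '\0', BUF_LEN);
    if (end == NULL)
        return -1;                 /* no room for string plus terminator */
    size_t n = (size_t)(end - input);
    memcpy(buf, input, n + 1);     /* n < BUF_LEN, so this cannot overflow */
    return strcmp(buf, SECRET) == 0;
}

/* Interactive use, mirroring the login prompt: fgets() is the bounded
 * replacement for gets() and never writes more than sizeof line bytes. */
int main(void)
{
    char line[64];
    fputs("Enter the correct password:\n", stdout);
    if (fgets(line, sizeof line, stdin) == NULL)
        return 1;
    line[strcspn(line, "\n")] = '\0';   /* drop the trailing newline */
    int ok = check_password_hardened(line) == 1;
    fputs(ok ? "Successful login!\n" : "Login failed.\n", stdout);
    return ok ? 0 : 1;
}
```

Compiling the vulnerable variant with -fstack-protector makes gcc place a canary between buf and the saved return address, which is one of the countermeasures the last question asks about.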

Write a short C/C++ program that takes an address of 8 hex digits as input and produces an appropriate string as output. When that string is used as input for the login program, it should jump directly to the given hex address. Additionally, send the hex address you would use to circumvent the authentication check.

An example session using your resulting program should look similar to this one (replacing 00000000 with the correct value of course):

$> ./cracker 00000000 | ./simple_login
Enter the correct password:
Successful login! Now, we would execute a shell ...

When you simply overwrite the return address of the password authentication function, you will run into problems (a segmentation fault). Explain why this happens. How could you avoid this in theory? What practical countermeasures in today's UNIX systems complicate such buffer overflow attacks?


Last updated: 6.1.2020, 14:15
Author: Jan Bierbaum


  • Modules: INF-MA-PR, INF-E-4, DSE-E14
  • 0/0/4 = 4 SWS