Assignment 4: Debugging with GDB
Please, submit your solution by plain-text e-mail to: benjamin (at) os.inf.tu-dresden.de. Don't attach anything to the e-mail (like pdf, docs etc.) other than the requested source code and a Makefile within a tar-archive. Especially, don't attach the (simple_login) target binary! Please, place all answers within the mail body.
In this exercise you will learn to apply widely used debugging tools, namely, gdb and objdump while reverse engineering and exploiting a very simple and vulnerable login program.
In Unix systems, a login program is normally invoked by some login shell (like getty) together with a user-name. The login executable mostly is owned by the superuser and it's SUID bit is set. Therefore, from an attacker's point of view a vulnerable login program means potential root access to the system.
You have to analyze this simplified version of a login program, which waits for a password and as a function of the given string will return a success or failure message.
Your first step is to simply extract the password by analyzing the binary with objdump or gdb. Describe how to extract the password from the binary by sending the output of a terminal session, where you use objdump and/or gdb to extract it. In addition to that, please send the plain password.
Next, exploit the buffer overflow vulnerability of this binary. By choosing an appropriated input you are able to skip the password check and force the program to jump directly to the success message printing. To do so, you should find out:
Write a short program, which takes an address of 8 hex-digits as input and produces an appropriated string as output. When using that string as input for the login program, it should directly jump to the given hex address. Additionally, send the hex-address you would use to circumvent the authentication check.
An example session using your resulting program should look similar to this one (expect replace 00000000 with the correct value.)):
$> ./cracker 00000000 | ./simple_login Enter the correct password: Successful login! Now, we would execute a shell ...
When simply overwriting the return address of the password authentication function, you will experience problems (segmentation fault) whenever the main function returns. Explain why this happens. How could you avoid this in theory? What practical countermeasures of today's UNIX systems complicate such buffer overflow attacks?
Last modified: 19th Dec 2013, 10.01 AM
Author: Dipl.-Inf. Jan Bierbaum
Time and Place
Meetings are conducted by arrangement.