Working with GNU binutils

Download the sample binary and use GNU binutils to solve the following tasks:

1. The binary contains a function named grant_rights(). Use the nm tool to determine the function's address.
2. Use the objdump utility to disassemble the binary. Find the main() function and determine, which functions are called by main().
3. Use strace to find out if (and with which arguments) the write system call is called.
4. Make yourself comfortable with the gdb debugger. Run the sample binary using gdb and:
   • Single-step through the do_work() function.
   • Determine the return address stored in do_work()'s stack frame.
   • The binary uses fread() to read data into a buffer within the function do_work. Using gdb, determine the address and the maximum size of the buffer.
5. Write a C program that takes 32-bit hexadecimal numbers from the command line and prints them byte-wise to stdout. Use hexdump to verify the results.

Redirecting control flow

Use the knowledge obtained in exercise 1 to modify the do_work() function's return address so that it returns to the function grant_rights().

Executing shell code

Download the 32-byte shell code binary. Use ndisasm to disassemble the shell code and find out, what it does. Place it in the sample binary's buffer and overflow the buffer, so that the do_work() function returns into the shell code.

Return into libC

Let's assume the existence of non-executable stacks. The method from exercise 3 doesn't work under these circumstances. However, return-into-libC attacks still work. Overflow the buffer in a way that makes do_work() return into the libC's execve() function and uses this function to start /bin/date.

Safe string functions?

The following program sn.c passes its first command line argument to the function do_work, which then uses strncpy() to make sure that the buffer buf cannot be overflown.

Compile the program in the following ways:

• $> gcc -fno-stack-protector -o sn_noprot sn.c
• $> gcc -fstack-protector -o sn_prot sn.c