Lab 3: Return-oriented Programming and Return-to-libc

Lab Overview

The goal of this lab is for you to gain first-hand experience with an interesting variant of the buffer-overflow attack; this attack can bypass an existing protection scheme currently implemented in major Linux OSes. A common way to exploit a buffer overflow vulnerability is to overflow the buffer with malicious shellcode, then cause the vulnerable program to jump to the shellcode on the stack. To prevent such attacks, some OSes allow programs to make their stacks non-executable; thus, jumping to the shellcode causes the program to fail. Unfortunately, the above protection scheme is not foolproof. There exists a variant of buffer overflow attacks called return-to-libc, which does not need an executable stack; it does not even use shellcode. Instead, it causes the vulnerable program to jump to some existing code, such as the system() function in the libc library, which is already loaded into a process's address space at runtime. In this lab, you are given a program with a buffer overflow vulnerability; your task is to develop a return-to-libc attack to exploit the vulnerability and gain root privileges. In addition to the attacks, you will be guided through some protection schemes implemented in Ubuntu to counter buffer overflow attacks. This lab covers the following topics:
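The overview above explains why a non-executable stack does not stop return-to-libc: the attack never executes anything on the stack, it only overwrites the saved return address and lets the CPU jump into code that is already mapped (such as system()). The root cause that every variant shares is the unchecked copy into a fixed-size buffer. The following is an added illustration, not the lab's own program or any code by Wenliang Du: it shows the unchecked strcpy() pattern next to a hardened copy that rejects input that does not fit, using the BUF_SIZE=44 stated in the lab description. The helper names (vulnerable_copy, safe_copy, safe_copy_of_length) are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Buffer size matches the lab's stated BUF_SIZE=44. */
#define BUF_SIZE 44

/* Vulnerable pattern (constructed illustration, not the lab's program):
 * strcpy() copies until the terminating NUL, so an argument longer than
 * BUF_SIZE-1 bytes runs past buf into the saved frame pointer and the
 * saved return address. A return-to-libc payload is just an overflow
 * whose overwritten return address points at existing code such as
 * system(), so a non-executable stack does not prevent it. */
int vulnerable_copy(const char *input)
{
    char buf[BUF_SIZE];
    strcpy(buf, input);            /* no length check at all */
    return (int)strlen(buf);
}

/* Hardened form: check the length first and refuse input that does not
 * fit, rather than truncating silently. Returns 0 on success and -1 if
 * copying the input (plus its NUL) would overflow buf. Removing the
 * overflow removes the control over the return address that both the
 * shellcode and the return-to-libc variants depend on. */
int safe_copy(const char *input)
{
    char buf[BUF_SIZE];
    size_t n = strlen(input);
    if (n >= BUF_SIZE) {
        return -1;                 /* needs BUF_SIZE or more bytes incl. NUL */
    }
    memcpy(buf, input, n + 1);     /* copies the terminating NUL as well */
    return 0;
}

/* Self-check helper: builds a constructed input of `len` 'A' bytes and
 * feeds it to safe_copy(). len is capped at 255 so the scratch buffer
 * itself can never overflow. */
int safe_copy_of_length(size_t len)
{
    static char scratch[256];
    if (len > sizeof scratch - 1) {
        len = sizeof scratch - 1;
    }
    memset(scratch, 'A', len);
    scratch[len] = '\0';
    return safe_copy(scratch);
}

int main(void)
{
    /* 43 bytes + NUL fits exactly; 44 and 143 bytes are rejected. */
    printf("safe_copy of 43 bytes  -> %d\n", safe_copy_of_length(43));
    printf("safe_copy of 44 bytes  -> %d\n", safe_copy_of_length(44));
    printf("safe_copy of 143 bytes -> %d\n", safe_copy_of_length(143));
    printf("vulnerable_copy(\"short\") -> %d\n", vulnerable_copy("short"));
    /* vulnerable_copy() is deliberately only called with input that fits;
     * calling it with a longer string would smash the stack. */
    return 0;
}
```

Build with `gcc -Wall example.c -o example`. On a current Ubuntu the default stack protector and non-executable stack (the protection the overview describes) make the overflow in vulnerable_copy() abort or fail rather than run shellcode, but, as the lab sets out to show, those mitigations only change what happens after the overwrite; the length check in safe_copy() is what prevents the overwrite in the first place.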

Lab Description

Please find the lab description here. The buffer size for this lab will be the same as the previous lab (BUF_SIZE=44).

Handin

Please write your lab report according to the description. Please also list the important code snippets, each followed by your explanation. You will not receive credit if you simply attach code without any explanation. Upload your answers as a PDF to Blackboard. You must turn this in by Tuesday 2/4 11:59 PM.

Suggested Reading

Acknowledgements

Most content taken from Wenliang Du.

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License. A human-readable summary of (and not a substitute for) the license is the following: You are free to copy and redistribute the material in any medium or format. You must give appropriate credit. If you remix, transform, or build upon the material, you must distribute your contributions under the same license as the original. You may not use the material for commercial purposes.