Exercise 21: Exploiting Buffer Overflow in a C Program

Objective: Understand how buffer overflow vulnerabilities occur in C programs and exploit them to execute arbitrary code, and learn techniques to mitigate such vulnerabilities.

---

Scenario: Buffer overflow vulnerabilities occur when a program writes more data to a buffer than it can hold, leading to unintended behavior such as overwriting memory. Attackers can exploit this to execute arbitrary code or crash the program. Your task is to identify and exploit a buffer overflow in a vulnerable C program and implement mitigation techniques.

---

Lab Setup

1. Environment:
   • A Linux system with gcc installed for compiling C programs.
2. Tools Required:
   • gdb for debugging.
   • Python or other scripting tools for crafting payloads.

---

Lab Steps

Step 1: Create a Vulnerable C Program

1. Write the following vulnerable C program: #include <stdio.h> #include <string.h> void vulnerable_function() { char buffer[64]; printf("Enter some text: "); gets(buffer); // Vulnerable function printf("You entered: %s\n", buffer); } int main() { vulnerable_function(); return 0; }
2. Save the file as vulnerable.c.
3. Compile the program without stack protection: gcc -fno-stack-protector -z execstack -o vulnerable vulnerable.c

Step 2: Analyze the Vulnerability

1. Run the program and provide input longer than 64 characters: ./vulnerable
   • Example input: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2. Observe how the program crashes due to the overflow.
3. Analyze the program in gdb to locate the return address: gdb ./vulnerable
   • Set a breakpoint at the vulnerable function: break vulnerable_function run
   • Examine the stack after entering input: info frame

Step 3: Craft an Exploit

1. Determine the exact offset needed to overwrite the return address:
   • Use a pattern generator (e.g., msf-pattern_create): msf-pattern_create -l 100
   • Input the generated pattern into the program: ./vulnerable
   • Analyze the crash in gdb to find the offset: info registers
2. Write shellcode to spawn a shell: python -c 'print("\x90"*40 + "<shellcode>" + "<return_address>")'
   • Replace <shellcode> with a valid shellcode (e.g., /bin/sh).
   • Replace <return_address> with the address of the shellcode in memory.
3. Input the crafted payload into the program: ./vulnerable
   • Verify that the program spawns a shell.

Step 4: Exploit Validation

1. Confirm that the exploit works as expected by obtaining a shell.
2. Document the process and the results.

---

Solution

Explanation:

• The vulnerability occurs because gets() does not check the bounds of the input, allowing attackers to overflow the buffer and overwrite the return address.
• By crafting a payload with shellcode and the correct return address, attackers can execute arbitrary code.

Prevention:

1. Use Safe Functions:
   • Replace gets() with fgets(): fgets(buffer, sizeof(buffer), stdin);
2. Enable Compiler Protections:
   • Use stack protection: gcc -fstack-protector -o secure_program program.c
   • Enable non-executable stack: gcc -z noexecstack -o secure_program program.c
3. Implement Address Space Layout Randomization (ASLR):
   • Ensure ASLR is enabled to randomize memory addresses: sudo sysctl -w kernel.randomize_va_space=2
4. Conduct Regular Code Audits:
   • Review code for unsafe functions like gets(), strcpy(), or sprintf().

---

Testing and Verification

1. Recompile the program with mitigations and test the exploit to ensure it no longer works.
2. Verify that input exceeding the buffer size is safely handled without crashing.
3. Document all changes and verify compliance with secure coding standards.

---

Reflection

This exercise demonstrates the risks of buffer overflow vulnerabilities in C programs and how they can be exploited. By completing this lab, you’ve gained insights into writing secure code and preventing memory-related vulnerabilities.