Attacking lab
Lab documentation
Note: the documentation for this lab is long. The original document is reproduced first; before the problems, the requirements are summarized, so you can skip the documentation and go straight to the problems.
Introduction
This assignment involves generating a total of five attacks on two programs having different security vulnerabilities.
Outcomes you will gain from this lab include:
• You will learn different ways that attackers can exploit security vulnerabilities when programs do not safeguard themselves well enough against buffer overflows.
• Through this, you will get a better understanding of how to write programs that are more secure, as well as some of the features provided by compilers and operating systems to make programs less vulnerable.
• You will gain a deeper understanding of the stack and parameter-passing mechanisms of x86-64 machine code.
• You will gain a deeper understanding of how x86-64 instructions are encoded.
• You will gain more experience with debugging tools such as GDB and OBJDUMP.
Note: In this lab, you will gain firsthand experience with methods used to exploit security weaknesses in operating systems and network servers. Our purpose is to help you learn about the runtime operation of programs and to understand the nature of these security weaknesses so that you can avoid them when you write system code. We do not condone the use of any other form of attack to gain unauthorized access to any system resources.
Get Your File
- You can obtain your files by pointing your Web browser at:
http://ipads.se.sjtu.edu.cn:15513/
The server will build your files and return them to your browser in a tar file called targetk.tar, where k is the unique number of your target programs.
Note: It takes a few seconds to build and download your target, so please be patient.
Save the targetk.tar file in a (protected) Linux directory in which you plan to do your work. Then give the command: tar -xvf targetk.tar. This will extract a directory targetk containing the files described below.
- The files in targetk include:
- README.txt: A file describing the contents of the directory
- ctarget: An executable program vulnerable to code-injection attacks
- rtarget: An executable program vulnerable to return-oriented-programming attacks
- cookie.txt: An 8-digit hex code that you will use as a unique identifier in your attacks.
- farm.c: The source code of your target’s “gadget farm,” which you will use in generating return-oriented programming attacks.
- hex2raw: A utility to generate attack strings.
- In the following instructions, we will assume that you have copied the files to a protected local directory, and that you are executing the programs in that local directory.
Important Points
Here is a summary of some important rules regarding valid solutions for this lab. These points will not make much sense when you read this document for the first time. They are presented here as a central reference of rules once you get started.
- You must do the assignment on a machine that is similar to the one that generated your targets.
- Your solutions may not use attacks to circumvent the validation code in the programs. Specifically, any address you incorporate into an attack string for use by a ret instruction should be to one of the following destinations:
- The addresses for functions touch1, touch2, or touch3.
- The address of your injected code
- The address of one of your gadgets from the gadget farm.
- You may only construct gadgets from file rtarget with addresses ranging between those for functions start_farm and end_farm.
Target Programs
Both CTARGET and RTARGET read strings from standard input. They do so with the function getbuf defined below:
unsigned getbuf()
{
char buf[BUFFER_SIZE];
Gets(buf); /* no bound on the number of bytes written into buf */
return 1;
}
The function Gets is similar to the standard library function gets: it reads a string from standard input (terminated by ‘\n’ or end-of-file EOF) and stores it (along with a null terminator) at the specified destination.
In this code, you can see that the destination is an array buf, declared as having BUFFER_SIZE bytes. At the time your targets were generated, BUFFER_SIZE was a compile-time constant specific to your version of the programs.
Functions Gets() and gets() have no way to determine whether their destination buffers are large enough to store the string they read. They simply copy sequences of bytes, possibly overrunning the bounds of the storage allocated at the destinations.
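The defect described above is that Gets() never learns the size of its destination. As an added example, not part of the lab handout or its target programs, the following C code shows the bounded reader a secure implementation would use in its place: it takes the capacity of the destination, always null-terminates, discards the rest of an over-long line instead of writing past the array, and reports the truncation to the caller. The byte-source callback, the hypothetical mem_source type, and the BUFFER_SIZE value of 16 are all constructed for this example; the real lab's BUFFER_SIZE is specific to each target.

```c
#include <stdio.h>
#include <stdbool.h>
#include <stddef.h>

/* A byte source abstracts "where the next character comes from", so the same
 * reader runs over stdin for real use and over a constructed string in tests. */
typedef int (*byte_source_fn)(void *ctx);

/* Constructed in-memory source used for testing (hypothetical type). */
typedef struct {
    const char *data;
    size_t pos;
} mem_source;

static int mem_next(void *ctx) {
    mem_source *m = ctx;
    unsigned char c = (unsigned char)m->data[m->pos];
    if (c == '\0') return EOF;      /* end of the constructed input */
    m->pos++;
    return c;
}

static int stdin_next(void *ctx) {
    (void)ctx;
    return getchar();
}

/* Bounded replacement for Gets(): stores at most cap-1 bytes into dst,
 * always writes a null terminator, swallows the remainder of an over-long
 * line (so it cannot be misread as the next input), and returns true when
 * anything had to be discarded. */
bool gets_bounded(char *dst, size_t cap, byte_source_fn next, void *ctx) {
    size_t n = 0;
    bool truncated = false;
    int c;
    if (cap == 0) return true;      /* nothing can be stored; report as truncation */
    while ((c = next(ctx)) != EOF && c != '\n') {
        if (n + 1 < cap)            /* keep one byte free for the terminator */
            dst[n++] = (char)c;
        else
            truncated = true;       /* drop the byte rather than overrun dst */
    }
    dst[n] = '\0';
    return truncated;
}

#define BUFFER_SIZE 16              /* constructed value for this example */

/* Hardened counterpart of the lab's getbuf: returns 1 when the whole line
 * fit in buf (matching the original's "No exploit. Getbuf returned 0x1"),
 * and 0 when input had to be truncated, so the caller can reject it. */
unsigned getbuf_bounded_from(const char *input) {
    char buf[BUFFER_SIZE];
    mem_source src = { input, 0 };
    bool over = gets_bounded(buf, sizeof buf, mem_next, &src);
    return over ? 0 : 1;
}

int main(void) {
    char buf[BUFFER_SIZE];
    bool over = gets_bounded(buf, sizeof buf, stdin_next, NULL);
    printf("%s: \"%s\"\n", over ? "Truncated" : "OK", buf);
    return 0;
}
```

Passing sizeof buf rather than a separately maintained constant is the point: the bound travels with the array, so a later change to BUFFER_SIZE cannot desynchronise the two. With the constructed limit of 16, the handout's short example string fits and the long one is truncated and rejected rather than corrupting the stack.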
If the string typed by the user and read by getbuf is sufficiently short, it is clear that getbuf will return 1, as shown by the following execution examples:
unix> ./ctarget
Cookie: 0x1a7dd803
Type string: Keep it short!
No exploit. Getbuf returned 0x1
Normal return
Typically an error occurs if you type a long string:
unix> ./ctarget
Cookie: 0x1a7dd803
Type string: This is not a very interesting string, but it has the property ...
Ouch!: You caused a segmentation fault!
Better luck next time
(Note that the value of the cookie shown will differ from yours.)
Program RTARGET will have the same behavior. As the error message indicates, overrunning the buffer typically causes the program state to be corrupted, leading to