Write an exploit / attack for the scanf function. Explain how the given buffer overflow attack works. Hint: write second program that spits out input.
Deliverables:
- discussion of the buffer overflow attack.
- stack diagram of the given code execution:
  -- valid input.
  -- invalid input (input that causes function bar to be called).
- exploit of scanf.
- brief discussion on how to prevent buffer overflows.
#include <stdio.h>
#include <string.h>

void foo (const char * input)
{
    char buf [50];
    /* Deliberate: no arguments are supplied for the %p conversions, so this
       prints whatever values happen to be on the stack (the assignment's
       "stack dump"). */
    printf ("My stack looks like: \n%p\n%p\n%p\n%p\n%p\n%p\n%p\n\n");
    strcpy (buf,"I am Bender. Please Insert Girder");
    /* Deliberately unbounded: a long input overruns the 50-byte buf. */
    strcat (buf,input);
    printf ("%s\n",buf);
    printf ("My stack looks like: \n%p\n%p\n%p\n%p\n%p\n%p\n%p\n\n");
    return;
}

void bar ()
{
    printf ("Auug! I've been hacked!\n");
    return;
}

int main (int argc, char*argv[])
{
    /* buf was not declared in the handout; a size is assumed here so the
       program compiles. */
    char buf [1024];
    /* Deliberately unbounded read: %s has no width limit. */
    scanf("%s",buf);
    printf ("address of foo: %p\n",foo);
    printf ("address of bar: %p\n", bar);
    foo (buf);
    return 0;
}
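For the last deliverable (preventing the overflow), here is a bounds-checked rewrite of the buffer handling in foo and of the scanf call in main. This is an added example, not part of the handout; it keeps the 50-byte buffer and the handout's prefix string, and the names build_message, read_line, fits_in_buf and built_len are chosen here.

```c
#include <stdio.h>
#include <string.h>

/* Same 50-byte buffer and prefix as the handout (assumed sizes/names). */
#define BUF_SIZE 50
static const char PREFIX[] = "I am Bender. Please Insert Girder"; /* 33 chars */

/* Bounded equivalent of the strcpy+strcat pair in foo.
   Returns 1 if the whole input fit, 0 if it had to be truncated. */
int build_message(char *buf, size_t bufsize, const char *input)
{
    size_t prefix_len = strlen(PREFIX);
    if (prefix_len >= bufsize) { buf[0] = '\0'; return 0; }
    memcpy(buf, PREFIX, prefix_len + 1);
    size_t room = bufsize - prefix_len - 1;   /* bytes left for input, minus NUL */
    size_t in_len = strlen(input);
    size_t n = in_len < room ? in_len : room; /* copy at most what fits */
    memcpy(buf + prefix_len, input, n);
    buf[prefix_len + n] = '\0';
    return in_len <= room;
}

/* Bounded replacement for scanf("%s", buf): never writes past bufsize. */
int read_line(char *buf, size_t bufsize, FILE *in)
{
    if (fgets(buf, (int)bufsize, in) == NULL) return 0;
    buf[strcspn(buf, "\n")] = '\0';            /* drop the trailing newline */
    return 1;
}

/* Helpers so the behaviour can be checked without stdin. */
int fits_in_buf(const char *input)
{
    char tmp[BUF_SIZE];
    return build_message(tmp, sizeof tmp, input);
}
size_t built_len(const char *input)
{
    char tmp[BUF_SIZE];
    build_message(tmp, sizeof tmp, input);
    return strlen(tmp);
}

int main(void)
{
    char buf[BUF_SIZE], input[256];
    if (!read_line(input, sizeof input, stdin)) return 1;
    if (!build_message(buf, sizeof buf, input))
        fprintf(stderr, "input truncated to fit the %d-byte buffer\n", BUF_SIZE);
    printf("%s\n", buf);
    return 0;
}
```

With a 33-character prefix, at most 16 input characters fit; anything longer is cut off instead of overwriting the saved return address.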
Example Stack Diagram:
Stack diagram for the strcat function at the beginning of function foo.

Hexadecimal Stack Value | Interpretation
------------------------+-------------------------------
0x1                     |
0xfeea8380              |
0x212ab6                |
(nil)                   | The 50-character buffer
(nil)                   | "
(nil)                   | "
(nil)                   | "
(nil)                   | "
(nil)                   | "
(nil)                   | "
(nil)                   | "
(nil)                   | "
(nil)                   | "
(nil)                   | "
(nil)                   | "
0xfeea000               |
0x262690                |
0x34235c0               |
0x8048704               |
0xfeea83a8              |
0xfeea8430              |
0xfeea8418              |
0x80484eb               | Return address from foo to main