ED 2: Linux Buffer Overflow Without Shellcode (50 pts)

What You Need

A 32-bit x86 Kali 2 Linux machine.


To develop a very simple buffer overflow exploit in Linux, that alters execution to bypass a password. This will give you practice with these techniques:

Disabling ASLR

Address Space Layout Randomization is a defense feature to make buffer overflows more difficult, and Kali Linux uses it by default.

This makes you much safer, but it's an irritation we don't need for this project, so we'll turn it off.

In a Terminal, execute this command:

echo 0 > /proc/sys/kernel/randomize_va_space

Creating a Vulnerable Program

This program asks for a password. The function test_pw uses simple bitwise manipulations to obfuscate the password comparison, so that the correct password is not literal in the source code.

In a Terminal window, execute this command:

nano pwd.c
Enter this code:

#include <stdio.h>

int test_pw()
        char pin[10];
        int x=15, i;
        printf("Enter password: ");
        for (i=0; i<10; i+=2) x = (x & pin[i]) | pin[i+1];
        if (x == 48) return 0;
        else return 1;

void main()
        if (test_pw()) printf("Fail!\n");
        else printf("You win!\n");
Your screen should look like this, without the explanatory boxes and arrows:

Save the file with Ctrl+X, Y, Enter.

Execute these commands to compile the code and run it.

Since version 2017.1, Kali includes a version of gcc that creates Position Independent Executables by default, which breaks this project. The "-static --no-pie" options tell gcc to make the older-style executable file we need.

gcc -g -static --no-pie -o pwd pwd.c

You should see compiler warnings, but no errors.

Enter a password of aaa and press Enter.

The program exits normally, wth the "Fail!" message, as shown below.

If we knew the correct password, we could get to the "You Win!" message. But we'll get there by exploiting an overflow instead.

Execute the program again, with a password 40 characters long, as shown below.

The "Segmentation fault" message indicates a buffer overflow.

Debugging the Program

Execute these commands to run the file in the gdb debugging environment, list the source code of the test_pw function, and set two breakpoints.

The "-q" option tells gdb to run in "quiet" mode, that is, not to display its banner message.

gdb -q pwd
list 1,12
break 8
break 10

Normal Execution

In the gdb debugging environment, execute these commands:

info registers
The code runs to the breakpoint, and shows the registers, as shown below. (Your address values may be different.)

The important registers for us now are:

Notice that $eip has an address of <test_pw+43> (or something similar) -- that is, inside the test_pw function.

$esp is the start of the stack, at 0xbffff610 in the image above.

$ebp is 0xbffff638 in the image above -- this is the end of the "stack frame" containing local variables for the test_pw function, and other information.

Examining the Stack Frame

In the gdb debugging environment, execute this command:

x/20x $esp
This command is short for "eXamine 20 heXadecimal 32-bit words, starting at $esp". It shows the stack frame, as shown below.

The highlighted region is the stack frame for test_pw(). It starts at the 32-bit word pointed to by $esp and continues through the 32-bit word pointed to by $ebp.

The next word after the stack frame, at address 0xbffff63c, is 0x080488d4. This is the RET value, and it will be placed into $eip when the test_pw function returns to main.

Overflowing the Stack with 40 Characters

In the gdb debugging environment, execute this command to continue the program:

At the "Enter password" prompt, type in this 40-character password, and then press Enter:

The program proceeds to the next breakpoint.

Execute this command to see the stack:

x/20x $esp
As you can see, the RET value now contains 0x51515050 -- hexadecimal codes for "PPQQ" in reverse order, as you can see in the ASCII table below.

In the gdb debugging environment, execute this command to continue the program:

The program halts with a "Segmentation fault", as shown below.

In the gdb debugging environment, execute this command:

info registers
As shown below, the $eip now contains 0x51515050. The 4 characters "PPQQ" end up in $eip.

ED 2.1: ebx (10 pts)

The flag is the value of ebx, covered by a green box in the image above.

Selecting a Location

We can make the program go to any address we like now.

To see the addresses in main, execute this command:

disassemble main
There are two calls to "puts" in main. The first one prints the "Fail!" message, and the second one prints the "You Win!" message.

To get "You Win!", we need to jump to the "push" instruction before the second call to "puts".

When I did it, that address was 0x080488ed, as shown below:

Quitting the Debugger

In the gdb debugging environment, execute this command:

At the "Quit anyway? (y or n)" prompt, type y and press Enter.

Using Python to Create an Exploit File

In a Terminal window, execute this command:

nano exploit-pwd
Type in the code shown below. This puts in the same string we used before, replacing "PPQQ" with the four bytes of the desired address, 0x080488ed, in reverse order:

import sys

"sys.stdout.write" is used here to prevent Python from adding a linefeed at the end of the text.

Save the file with Ctrl+X, Y, Enter.

Next we need to make the program executable and run it.

In a Terminal window, execute these commands.

chmod a+x exploit-pwd

The program prints out some characters, ending with unprintable ones, as shown below.

We can't easily copy and paste strings that contain strange characters like that, so we need to put the output into a file named attack-pwd.

In a Terminal window, execute these commands.

Note that the second command begins with "LS -L " in lowercase characters.

./exploit-pwd > attack-pwd

ls -l attack-pwd
This creates a file named "attack-pwd" containing 34 characters, as shown below.

Testing the Exploit in the Debugger

Exploits almost never work the first time, so you need to know how to test them in a debugger.

Execute these commands to load the file in the gdb debugging environment, list the source code of the test_pw function, and set a breakpoint after the password is input:

gdb -q pwd
list 1,12
break 10

Execute this command to run the file in the gdb debugging environment, with input from the "attack-pwd" file, show registers, and show the stack:

run --args < attack-pwd
info registers
x/20x $esp
As you can see below, the RET value (just after the highlighted section) is now 0x080488ed -- the value we chose earlier.

Execute this command to continue executing the file:

We get the "You Win!" message, as desired. Then, the program crashes because the stack is corrupted and it cannot return normally from main, but that's OK for now.

ED 2.2: Crash message (10 pts)

The flag is the message covered by a green box in the image above.

Quitting the Debugger

In the gdb debugging environment, execute this command:

At the "Quit anyway? (y or n)" prompt, type y and press Enter.

Testing the Exploit in the Shell

The debugging environment is not perfect, so some exploits that work in the debugger don't work against real running code.

Execute this command to run the exploit on the real pwd executable:

./pwd < attack-pwd
As you can see, we get the "You Win!" message. The exploit works!

ED 2.3: Product Activation (15 pts)

In a Terminal window, execute these commands:

curl https://samsclass.info/127/proj/p2xc.c > p2xc.c
curl https://samsclass.info/127/proj/p2xc > p2xc
chmod a+x p2xc
Enter a as the product key. The key is rejected, as shown below.

Hack past the product activation, to reveal the message "A WINNER IS YOU!" message, as shown below.

Hint: this executable was compiled with symbols, so you can use the "list" command in gdb to see the source code.

The flag is the message covered by a green box in the image above.

ED 2.4: CISSP ID (15 pts)

In a Terminal window, execute these commands:

curl https://samsclass.info/127/proj/p2xb > p2xb
chmod a+x p2xb 
Enter AA as a CISSP ID. The ID is rejected.

Hack in to reveal the secret message, redacted in the image below.

Hints: this executable was compiled without symbols, so you cannot see the source code.

Use the "disassemble main" command to see the assembly code in the main() routine.

Examine that code to find the name of the function called, and use "disassemble functionname" to see its code.

Then set a breakpoint at a memory address with a command like this: "break *0x08048470".

The flag is the message covered by a green box in the image above.


To compile this code on Kali 2018.1, I needed to use the -mpush-args switch in gcc, as explained here, so the entire command line to compile it was:

gcc -mpush-args -static -g -o p2xar p2xar.c 

