Security Exercise 8
Part 1. Background and Initial Setup
USMA Exchange Cadet Nerdenheimer and his friend, Exchange Cadet Geekenstein, have written a program to
control access to the USMA Knowledge Database (which is a very small text file).
The idea is this: To be granted access to the USMA Knowledge Database, when you run the program you also
enter a password on the command line. If you enter a valid password, you are granted access. If you enter an
invalid password you are denied access.
You start by surreptitiously looking in the trash can outside the cadet’s room. Amidst the candy-bar wrappers,
Doritos bags and empty Kool-Aid containers, you find a piece of paper labeled SECRET SOURCE CODE.
Looking at the paper, you see the program below (continued on the next page):
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
int check_password( char *password )
{
int auth_flag = 0;
char password_buffer[16];
strcpy( password_buffer, password );
if(strcmp( password_buffer, "donkey" ) == 0)
auth_flag = 1;
if(strcmp( password_buffer, "gousma" ) == 0)
auth_flag = 1;
return auth_flag;
}
int main(int argc, char *argv[])
{
if(argc < 2)
exit(0);
if ( check_password( argv[1] )
== 0 )
printf("\n\n
Access Denied.\n\n");
else
printf("\n\n
Access Granted.\n\n");
}
To save you the trouble of typing, we have already placed this file (named
machine in the EC310 folder under your home directory.
1
accesscontrol.c ) on your
Copy this file to the work directory by carefully entering the following at the home directory prompt:
midshipman@EC310:~ $
cp
ec310code/accesscontrol.c
Make sure you are at your home directory!
work
Enter this!
Verify that you have accesscontrol.c in your work directory by changing to the work directory:
cd work
and then listing the files in the work directory:
ls
If you do not have accesscontrol.c in your work directory
tech for help. Otherwise, proceed to Part 2.
STOP and ask your instructor or lab
Part 2. Gaining Access by Buffer Overflow
Before compiling and executing the program, let's first see if we can understand its operation.
Suppose I were to run the program (./a.out) by entering at the command line:
midshipman@EC310-VM:~ $ ./a.out Navy
Question 1.
If I ran the program as above, what would be the value of argc?
Question 2.
If I ran the program as above, what would be the value of argv[0]?
Question 3.
If I ran the program as above, what would be the value of argv[1]?
Question 4.
Where does this program begin executing?
Question 5.
What is the purpose of the two lines:
if(argc < 2)
exit(0);
Question 6.
In main, what is the value of the argument that we give to the function named
check_password? (Recall our input as depicted in the command line shown above.)
Question 7.
What happens in main if the function named check_password returns a value of 0?
Question 8.
What happens in main if the function named check_password returns a value other
than 0?
Question 9.
Finish this sentence: The function check_password returns the value of the
variable named
auth_flag.
For access to be denied in main, the value of
auth_flag that is returned must be equal to ____.
2
Question 10. Let's look at the function check_password . After the line of code:
strcpy( password_buffer, password );
executes, what will be stored in password_buffer?
Recall that the function string compare , strcmp, in the generic line of code
value = strcmp( s1
Compares the strings s1 and s2 character by character.
(i.e., identical).
, s2 );
The function returns zero if the two strings are equal
Question 11. Recalling our presumption that you entered at the command line:
midshipman@EC310-VM:~ $ ./a.out Navy
will either of the two strcmp operations in the function check_password return a
value of zero?
Question 12. Will the function check_password return to main a value equal to zero, or will it
return something other than zero?
Question 13. If you enter at the command line:
midshipman@EC310-VM:~ $ ./a.out Navy
what message will be sent to the screen?
At this point, if you are confused by the operation of the program (on paper), ask your instructor for help.
Let's now compile the program:
gcc –g
accesscontrol.c
and run the program. Try out executing the program with a few different command line inputs. You should
see that the two secret passwords that will allow access are
donkey and gousma . So, you can enter
one of these passwords and gain access!
But that is not your goal. The cadets might, in the future, change their passwords, in which case you will have
to try to find a new version of the source code. Your goal is to find a way to hack the cadet's program so that
even if they change the passwords you will be able to gain access.
Determine a password that you can enter that will always allow access, regardless of the actual passwords being
used by the cadets!
Enter the following commands:
gcc –g accesscontrol.c
gdb –q ./a.out
set dis intel
list check_password
<Enter>
list main
<Enter>
3
Here is what you would like to accomplish: You notice that in the function check_password, the variable
auth_flag is initially set to zero. The only way auth_flag is ever changed is if we enter the correct
password. But… perhaps we can change the value of auth_flag by executing a buffer overflow without
needing to worry about the correct password!!! Perhaps the incorrect password you enter as the command line
argument can be used to change the value of auth_flag !!!
STEP 1: Determine the proper breakpoint for your program.
You want the program to run up to a certain point, then freeze at a breakpoint, allowing you to examine the
stack. Where should you set the breakpoint? Looking at the listing on your screen, you want to set the
breakpoint to be at a point where you can examine how the command line argument (i.e., what you enter as the
pretend password) is situated with respect to the variable auth_flag.
Question 14: Where should you set the breakpoint?
STOP and show your instructor or lab tech your answer to Question 14.
With their okay, proceed to Step 2
below.
STEP 2: Run to the breakpoint and examine the stack.
To enter a breakpoint for a program that requires command line arguments (where, let’s say, the command line
argument is Navy, you would enter:
break <whatever number you have for Question 14>
run Navy
For example, if you answered Question 14 by deciding the breakpoint should be at line 4, you would enter:
break 4
run Navy
Now, examine the stack by entering
i r esp
i r ebp
Question 15: How many bytes are on the stack?
Question 16: Whose stack frame is this anyway? Is this the stack frame for main?
Examine the stack by entering
x/60xb
$esp
Question 17: Fill in the values in the table below, showing where the base pointer (label as EBPcheck_password) and stack pointer (label as ESP-check_password) are pointing to.
Label these addresses on your picture.
4
Question 18: Locate on the stack the two command line arguments. Show these on the table below,
labeling them as password_buffer and authflag.
STEP 3: Determine the attack technique.
Question 19: Based on your picture of the stack, design your buffer overflow. Write a clear
explanation of how your attack works in the answer space for Question 19.
Question 20: Demonstrate your buffer overflow attack during a run of the program. Your instructor or
lab tech will sign off on this.
The program used in this lab was adapted from a program presented in Hacking, the Art of Exploitation, by Jon
Erickson, No Starch Press, 2008.
5
Security Exercise 8
Name:
Question 1:
Question 2:
Question 3:
Question 4:
Question 5:
Question 6:
Question 7:
Question 8:
Question 9:
Question 10:
Question 11:
Question 12:
Question 13:
Question 14:
Question 15:
Question 16:
6
Question 17 and Question 18:
Question 19:
Question 20: When you have successfully hacked the cadet's program, show your instructor. Your instructor
will sign your answer sheet.
_________________________________
Instructor or Lab Tech signature
7