2. Exploiting Buffer Overflow (50 points) The attached C code (sort.c) contains a stack buffer overflow vulnerability. Please write an exploit (by modifying data.txt) to open a shell on Linux. The high level idea is to overwrite the return address with the address of function system(), and pass the parameter /bin/sh to this function. Once the return instruction is executed, this function will be called to open a shell.

3) Compile the provided C code (which you will be exploiting): gcc sort.c -o sort -fno-stack- 4) To run this program, put some hexadecimal integers in the file: data.tct, and execute sort by: 5) When you put a very long list of integers in data.at, you will notice sort crashes with memory protector. (DO NOT use other options) /sort data tct segfault, this is because the return address has been overwritten by your data. If you first answer step 1, part 1 above, you should understand the goal of this exploit and why a seg fault occors. Pay aikxnon to inc .non broaUy, a locakxl boi ix and what it does to tue stack. S ROCONe (and you can see this in GDB) Now you can craft your shellcode in data.axt. Again, your goal is to overwrite the return address with the address of function 'system0 and pass it with the address of string "bin/sh". Do not use environment variables to store these addresses and then access those environment variables Use the library addresses of "system0" and "bin/sh" explicitly. GDB (if you're using GDB for the first time, we recommend checking out Gdblnit) can be used to find these library addresses and test/debug your exploit. However, it should be noted that your final exploit (i.e., the final 6 version of your data.tat) should work outside of GDB. Just running "/sort data.tf should spawn a shell for you. This needs to be a clean shell, with NO segfaults. 7) You can verify the exploit has occurred because you will get a new, clean command prompt. But, how do we know it is not the same bash shell that invoked the sort program? To verify you have successfully caused a buffer overflow, issuing echo SS will give the process ID of the current process. Issuing: echo SS (shows PID of current bash shell), then run /sort data.txt, (then after sort completes to a clean shell) issue echo S$ to show the PID of the current exploited shell. (noted echo $0 instead of or in addition to echo SS will return the name of the current shel) 8) Provide a screenshot of you exploiting sort