The C programs $($given below$)$ should be compiled and executed in a Linux environment. In addition, $32-$bit binaries can be used and turn off the stack protections. Note that, although you can use gdb to help analyse the memory and instructions, your exploitation must work under the normal shell $($not inside gdb$).$

The C program bo$.$c $($below$)$ takes a password from users, but never lets any user log in$.$

Task $1$ : Pointing out the statement in the program that has a buffer overflow vulnerability and Have to explain why it may cause a buffer overflow attack.

Task $2$ : Figuring out a password to make the program output "You are logged in$!",$ without modifying the return address. Have to explain in detail how the password works.

Task $3$ : Figuring out a password to make the program output "You are logged in$!",$ by modifying the return address. Have to explain in detail how the password works.

Task $4$ : Have to explain how you can fix the buffer overflow vulnerability in the program.

Task $5$ : Figure out a way to defeat ASLR $($Address Space Layout Randomisation$)$ and still complete Task $3.$ Have to explain the answer. To turn on ASLR, you must run the following command and compile the program without the option $\text{'}$no$-$pie'.

"echo $2|$ sudo tee $/$proc$/$sys$/$kernel$/$randomize$\_$va$\_$space

gcc $-$w $-$m$32-$g $-$fno$-$stack$-$protector $-$z execstack $-$o bo bo$.$c$"$

Figuring out a way to defeat ASLR and still complete Task $3.$ Have to explain your answer.

The bo$.$c C program

#include

char getPasswd$()$

$\{$

int trigger $=\text{'}$F$\text{'}$;

char passwd$[100]$;

gets$($passwd$)$;

return $($char$)$trigger;

$\}$

void login$()$

$\{$

printf$("$You are logged in$!$

$")$;

exit$(0)$;

$\}$

void main$()$

$\{$

printf$("$Please enter password: $")$;

if $($getPasswd$()==\text{'}$T$\text{'})$

$\{$

login$()$;

$\}$

else

$\{$

printf$("$The password is incorrect.

$")$;

exit$(1)$;

$\}$

$\}$

$--------------------------------------------------------------------------------------------------------------------------------------------------------------$

The C program fs$.$c $($given below$)$ is a slightly modified version of the previous program, which also never lets any user log in$.$

Task $6$ : Pointing out the statement in the program that has a format string vulnerability and have to explain why it may cause a format string attack.

Task $7$ : Figuring out a password to reveal the contents on the current stack frame in hexadecimal format with width $8($for example, $804$c$014$ should be displayed as $0804$c$014.$ Have to explain in detail how the password works.

Task $8$ : Figure out a password to launch a simple DoS $($Denial of Service$)$ attack. Have to explain in detail how the password works.

Task $9$ : Figure out a password to make the program output "You are logged in$!".$ Have to explain in detail how the password works.

Task $10$ : Have to explain how you can fix the format string vulnerability in the program.

The fs$.$c C program

#include

char passwd$[100]$;

char getPasswd$()$

$\{$

int trigger $=\text{'}$F$\text{'}$;

int $*$t $=$ &trigger;

fgets$($passwd$,$ sizeof$($passwd$),$ stdin$)$;

printf$("$Password is $")$;

printf$($passwd$)$;

return $($char$)(*$t$)$;

$\}$

void main$()$

$\{$

printf$("$Please enter password: $")$;

if $($getPasswd$()==\text{'}$T$\text{'})$

$\{$

printf$("$You are logged in$!$

$")$;

exit$(0)$;

$\}$

else

$\{$

printf$("$The password is incorrect.

$")$;

exit$(1)$;

$\}$

$\}$