CSC 495/583 Topics of Software Security

Lab1 Walkthrough

2017-Fall Course Website

Advisor: Si Chen

Step 1: Open Terminal

Open Terminal

Step 2: Check and Turn off ASLR

Type: cat /proc/sys/kernel/randomize_va_space If return 0, it means the ASLR have been turned off. Otherwise, we need to manually turn it off.

check ASLR

To turn off ASLR:


Change to root user: su root, default password is chensi
Then type: echo 0 > /proc/sys/kernel/randomize_va_space

Step 3: Compile the code

  • Download the source code to a folder
  • Compile the code, make sure to turn off DEP and StackGuard gcc lab1.c -o lab1 -m32 -fno-stack-protector -zexecstack

Step 4: Use GDB

  • Open GDB and load program: gdb ./lab1
  • Run the program: run
  • You can now type some characters as input
  • type input

    type input

  • Disassemble return_input function: disas return_input
  • Set a break point at the ret instruction: break *0x004005ad (note: you may have a different address)
  • type input

  • Re-Run the program: run
  • This time, the program will stop at the ret instruction in return_input, we know that the program will use the address stored on the stack to return back to the main function in the next round.
  • So before we let the program continue, let's first disassemble the main function: disas main
  • type input

  • We need to write down the return address (hightlighted in the screenshot): 0x004005ce (note: you may have a different address)
  • Next, we need to check the stack to see if this address 0x004005ce is stored on the stack and we need to write down the stack address. Type: x/20x $esp
  • type input

  • As shown in the above picture, we can see that the return address 0x004005ce has been stored on stack with address 0xbffff11c
  • Disassemble hakced function: disas hacked
  • type input

  • Our goal is to change the return address (0x004005ce) stored on the stack to hacked function's address 0x0040054d
  • Step 5: Prepare ShellCode

  • Creat a new file in the same folder, and use an editor to edit it
  • Add/remove some dummy characters to make sure we can overflow the return address on the stack (0xbffff11c)
  • Your shellcode should looks like this: Some dummey characters + hacked function address (e.g. 0x0040054d)
  • The hacked function address (e.g. 0x0040054d) should write in a little endian way (What is little endian?)
  • Genrate the shellcode file using Python2's print function in terminal: python2 -c 'print "YOUR SHELLCODE"' > shellcode(Replace YOUR SHELLCODE with the actual shellcode
  • type input

    Step 6: Launch attack (success)

  • Run the program with the shellcode as input: ./lab1 < shellcode
  • type input

  • If you see "Hacked by Si Chen", it means you successfully launched the attack. Now please change the output string in lab1.c to your name and re-compile/re-do the whole process again :)
  • Step 6: Launch attack (failed)

  • Open GDB and load program again: gdb ./lab1
  • Re-run the program in gdb use shellcode as input: run ./lab1 < shellcode
  • Disassemble return_input function: disas return_input
  • Set a break point at the ret instruction: break *0x004005ad (note: you may have a different address)
  • type input

  • Re-run the program in gdb use shellcode as input: run ./lab1 < shellcode
  • This time, the program will stop at the ret instruction in return_input, we know that the program will use the address stored on the stack to return back to the main function in the next round.
  • Next, we need to check the stack to see if the hacked address 0x0040054d is stored on the stack with address 0xbffff11c (note: you may have a different address) Type: x/20x 0xbffff11c (You can also check some adjacent addresses e.g. x/20x 0xbffff10c)
  • If not, try to add/remove some dummy charaters in step 5 and re-generate the shellcode file