Challenge 7: Stack Buffer Overflows

Introduction

A buffer overflow occurs when a program or process tries to store more data in a buffer (a temporary data storage area) than that buffer was intended to hold. The extra data has to go somewhere, so it overflows into adjacent memory regions, corrupting or overwriting the valid data stored there. If the buffer lives on the stack, as is the case for local variables in C, control information such as the saved return address of the function can be altered. This allows an attacker to redirect the execution flow to an arbitrary memory address. By injecting machine code into the process memory (e.g., as part of the data used to overflow the buffer, or in an environment variable) and pointing the return address at it, the attacker can execute arbitrary machine instructions with the privileges of the running process. It is therefore imperative that the length of the input data is checked before it is copied into a buffer of fixed length. Unfortunately, a number of popular C functions (e.g., strcpy, strcat, sprintf, or gets) perform no such length check at all, and even fgets, which does take a size argument, only protects the buffer if that argument matches the buffer's real size; this makes many applications vulnerable to this kind of attack.

Detailed Description

Your task is to exploit stack buffer overflow vulnerabilities in two programs that have their set-gid (set group ID) bit enabled. The programs are installed under /usr/local/bin/prog[7-8]. The source for the two programs can be obtained here:

You have successfully exploited a vulnerability in one of the two challenge programs when you are able to call /bin/grade with the effective group ID of the group that owns the vulnerable program (for this challenge, these are the groups bsp[7-8]).

Hints

Performing a successful buffer overflow can be tricky, because it is important to get all the little details right. This section lists a few things that you might consider.
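The introduction describes how an unchecked copy into a stack buffer runs upward into the saved return address, and why the length must be checked first. The following is an added illustration written for this page; it is not the source of prog7 or prog8 and does not model their real frame layouts. It lays out one x86-64-style frame (16-byte buffer, saved frame pointer, return address) in a plain byte array, so that the overflow is defined behaviour and the overwritten return address can be inspected, and places the length-checked copy next to the unchecked one. The buffer size, offsets and addresses used are assumptions chosen for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Model of one stack frame, laid out in a byte array so the overflow is
 * defined behaviour here and the result can be examined.  Low -> high:
 *
 *   [ buf: 16 bytes ][ saved frame ptr: 8 ][ return address: 8 ]
 *
 * On a real x86-64 stack this ordering is what lets a strcpy() into buf
 * run upward into the saved return address.  Sizes and addresses below
 * are assumptions for the illustration, not the challenge programs'.
 */
#define BUF_SIZE   16
#define FRAME_SIZE (BUF_SIZE + 2 * sizeof(uint64_t))
#define RET_OFFSET (BUF_SIZE + sizeof(uint64_t))

struct frame {
    unsigned char bytes[FRAME_SIZE];
};

/* Reset the model frame: empty buffer, a stand-in saved frame pointer,
 * and the "original" return address the function should go back to. */
void frame_init(struct frame *f, uint64_t ret) {
    uint64_t rbp = 0x7fffffffe000ULL;           /* arbitrary stand-in */
    memset(f->bytes, 0, sizeof f->bytes);
    memcpy(f->bytes + BUF_SIZE, &rbp, sizeof rbp);
    memcpy(f->bytes + RET_OFFSET, &ret, sizeof ret);
}

/* Read back whatever currently sits in the return-address slot. */
uint64_t frame_ret(const struct frame *f) {
    uint64_t ret;
    memcpy(&ret, f->bytes + RET_OFFSET, sizeof ret);
    return ret;
}

/* The vulnerable pattern: copies the whole input into buf without ever
 * comparing its length to BUF_SIZE, which is what strcpy() does.
 * Returns how many bytes were written past the end of buf. */
size_t unchecked_copy(struct frame *f, const unsigned char *src, size_t len) {
    if (len > FRAME_SIZE)            /* only so the model itself stays defined */
        len = FRAME_SIZE;
    memcpy(f->bytes, src, len);      /* no check against BUF_SIZE */
    return len > BUF_SIZE ? len - BUF_SIZE : 0;
}

/* The fix the introduction asks for: check the length first, refuse
 * (return -1) when the input does not fit, and always NUL-terminate. */
int checked_copy(struct frame *f, const unsigned char *src, size_t len) {
    if (len >= BUF_SIZE)             /* leave room for the terminator */
        return -1;
    memcpy(f->bytes, src, len);
    f->bytes[len] = '\0';
    return 0;
}

/* Build the classic payload: filler up to the return-address slot, then
 * the attacker-chosen address in host byte order (little-endian on
 * x86-64).  Returns the payload length, or 0 if out is too small. */
size_t build_payload(unsigned char *out, size_t outsz, uint64_t target) {
    size_t n = RET_OFFSET + sizeof target;
    if (outsz < n)
        return 0;
    memset(out, 'A', RET_OFFSET);
    memcpy(out + RET_OFFSET, &target, sizeof target);
    return n;
}

int main(void) {
    struct frame f;
    unsigned char payload[64];
    uint64_t target = 0x7ffff7e00000ULL;        /* assumed shellcode address */
    size_t n = build_payload(payload, sizeof payload, target);

    frame_init(&f, 0x401136ULL);                /* assumed original return */
    printf("before:  ret = 0x%llx\n", (unsigned long long)frame_ret(&f));

    if (checked_copy(&f, payload, n) < 0)
        printf("checked_copy refused %zu bytes, ret unchanged\n", n);

    unchecked_copy(&f, payload, n);
    printf("after unchecked_copy: ret = 0x%llx\n",
           (unsigned long long)frame_ret(&f));
    return 0;
}
```

The distance from the start of the buffer to the return-address slot (RET_OFFSET here) is the number the exploit has to get exactly right; in a real program it also includes any padding the compiler inserts between locals and the saved registers, so it is measured in a debugger rather than computed from the declared buffer size.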
Deliverables

To submit your challenge solution to us, you need to follow these steps:
Administrative Information and Deadline

This is an individual project. The project is due on Wednesday, 01.06.2011, 23:59:59 PST.