CS 105

Phase 1: Calling an Unexpected Function

For Phase 1, you will craft an exploit string to cause ctarget to execute an existing, but normally unused, function, touch1.

Triggering the touch1 Function

Inside ctarget, the getbuf function,

1  unsigned getbuf()
2  {
3      char buf[BUFFER_SIZE];
4      Gets(buf);
5      return 1;
6  }

is called by a function called test, which has the following C code:

1  void test()
2  {
3      int val;
4      val = getbuf();
5      printf("No exploit.  Getbuf returned 0x%x\n", val);
6  }

When getbuf executes its return statement (line 5 of getbuf), the program ordinarily resumes execution within the test function (at its line 5). We want to change this behavior.

ctarget has code for a function called touch1 with the following C representation:

void touch1()
{
    vlevel = 1;       /* Part of validation protocol */
    printf("Touch1!: You called touch1()\n");
    validate(1);
    exit(0);
}

Your task is to get ctarget to execute the code for touch1 when getbuf executes its return statement instead of returning to test. Note that your exploit string may also corrupt parts of the stack not directly related to this stage, but we don't care because touch1 causes the program to exit anyway (so it doesn't matter if the program can keep running).
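The defect this phase relies on is the unbounded Gets call in getbuf, which will write as many bytes as the input contains, past buf and over the saved return address. As an added example that is not part of the lab's code, here is a bounded reader and a hardened getbuf that never writes past BUFFER_SIZE (the value 16 is assumed here, not taken from ctarget); with it, the ret at the end of getbuf always returns to test.

```c
#include <stdio.h>
#include <string.h>

#define BUFFER_SIZE 16   /* assumed value; the lab's real constant is not on this page */

/* Bounded replacement for the unbounded Gets() call in getbuf: reads at most
 * n-1 bytes from stream, stops at newline or EOF, always NUL-terminates, and
 * discards (never writes) any excess, so the buffer cannot overrun its frame.
 * Returns 1 if the line fit, 0 if it was truncated, -1 on EOF with no input. */
int bounded_gets(char *buf, size_t n, FILE *stream)
{
    size_t i = 0;
    int c, truncated = 0;
    if (n == 0) return -1;
    while ((c = fgetc(stream)) != EOF && c != '\n') {
        if (i < n - 1)
            buf[i++] = (char)c;
        else
            truncated = 1;          /* excess byte consumed but not stored */
    }
    buf[i] = '\0';
    if (c == EOF && i == 0) return -1;
    return truncated ? 0 : 1;
}

/* Hardened counterpart of getbuf: the saved return address above buf is
 * never reachable by input. Returns 1 if the line fit, 2 if it had to be
 * truncated (worth logging as a possible attack attempt), 0 on EOF. */
unsigned getbuf_hardened(FILE *stream)
{
    char buf[BUFFER_SIZE];
    int rc = bounded_gets(buf, sizeof buf, stream);
    return rc < 0 ? 0u : (rc == 1 ? 1u : 2u);
}

/* Runs getbuf_hardened over a constructed input string via a temporary
 * file, so the behaviour can be checked offline. */
unsigned run_on_string(const char *input)
{
    unsigned r;
    FILE *f = tmpfile();
    if (!f) return 0xFFFFFFFFu;
    fputs(input, f);
    rewind(f);
    r = getbuf_hardened(f);
    fclose(f);
    return r;
}
```

An input of 15 bytes plus newline is the longest line that fits; anything longer is consumed but cut off at the buffer boundary instead of spilling into the frame.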

Hints

  • All the information you need to devise your exploit string for this level can be determined by examining a disassembled version of ctarget. Use objdump -d to generate it.

  • The idea is to position a byte representation of the starting address for touch1 such that the ret instruction at the end of the code for getbuf will transfer control to touch1.

  • Be careful about byte ordering, and remember that addresses are 8 bytes.

  • You might want to use gdb to step the program through the last few instructions of getbuf to make sure it is doing the right thing.

  • The placement of buf within the stack frame for getbuf depends on the value of the compile-time constant BUFFER_SIZE and on the allocation strategy used by gcc. You will need to examine the disassembled code to determine its position.

  • There is a -q flag to ctarget that stops the program from talking to the grading server.

  • There is an -i file option to ctarget that tells it to read from a file named file instead of from stdin.

To Complete This Part of the Assignment

You'll know you're done with this part of the assignment when you've done all of the following:
