CS 105

Phase 3: Injecting a String

Phase 3 also involves a code-injection attack against ctarget, but this time, instead of passing your hexadecimal cookie, you have to pass a string as the argument.

As a reminder, here's the code for getbuf,

unsigned getbuf()
{
    char buf[BUFFER_SIZE];
    Gets(buf);
    return 1;
}

and for test:

void test()
{
    int val;
    val = getbuf();
    printf("No exploit.  Getbuf returned 0x%x\n", val);
}

ctarget has a function called hexmatch, whose C code looks like

/* Compare string to hex representation of unsigned value */
int hexmatch(unsigned val, char *sval)
{
    char cbuf[110];
    /* Make position of check string unpredictable */
    char *s = cbuf + random() % 100;
    sprintf(s, "%.8x", val);
    return strncmp(sval, s, 9) == 0;
}

and a touch3 function, which looks like

void touch3(char *sval)
{
    vlevel = 3;       /* Part of validation protocol */
    if (hexmatch(cookie, sval)) {
        printf("Touch3!: You called touch3(\"%s\")\n", sval);
        validate(3);
    } else {
        printf("Misfire: You called touch3(\"%s\")\n", sval);
        fail(3);
    }
    exit(0);
}

Your task is to get ctarget to execute the code for touch3 rather than returning to test. You must make it appear to touch3 as if you have passed a string representation of your cookie as its argument.

Hints

  • You will need to include a string representation of your cookie in your exploit string. The string should consist of the eight hexadecimal digits (ordered from most to least significant) without a leading 0x.

  • Recall that a string is represented in C as a sequence of bytes followed by a byte with value 0 (i.e., a null). man ascii will show you the byte representations of the characters you need.

  • Your injected code should set register reg to the address of this string.

  • When the functions hexmatch and strncmp are called, they push data onto the stack, overwriting portions of the memory that held the buffer used by getbuf. As a result, you will need to be careful where you place the string representation of your cookie.

  • hexmatch is a bit difficult to understand. In essence, hexmatch(val, sval) converts val into printable hexadecimal format and compares it with the 8-character string sval, returning true if the two match. So, for example,

    Comparison                          Return Value
    hexmatch(0x1234abcd, "1234abcd")    true
    hexmatch(0x1, "00000001")           true
    hexmatch(0xdcba4321, "1234abcd")    false
    hexmatch(0x1234ABCD, "1234ABCD")    false (why?)

  • See Generating Byte Codes on how to use tools to generate the byte-level representations of instruction sequences.

  • There is a -q flag to ctarget that stops the program from talking to the grading server.

  • There is an -i file option to ctarget that tells it to read from a file named file instead of from stdin.
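The following program is an added example, not part of the lab handout, that lets you check the first two hints and the hexmatch table locally before touching ctarget. It copies hexmatch exactly as shown above and adds two assumed helpers of my own: cookie_to_string, which renders a value the same way hexmatch does (eight zero-padded lowercase hex digits, no 0x, then the NUL byte), and string_bytes, which shows the byte-level layout of that C string, NUL included. The cookie value 0x1234abcd is a constructed sample taken from the table, not a real cookie, and the _DEFAULT_SOURCE define is only there so random() is declared under strict compiler modes.

```c
#define _DEFAULT_SOURCE   /* exposes random() on glibc under -std=c99/c11 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Copy of the lab's hexmatch, exactly as printed on this page. */
int hexmatch(unsigned val, char *sval)
{
    char cbuf[110];
    /* Make position of check string unpredictable */
    char *s = cbuf + random() % 100;
    sprintf(s, "%.8x", val);
    return strncmp(sval, s, 9) == 0;
}

/* Assumed helper (not in the lab): render val the way hexmatch will see it,
 * i.e. eight lowercase hex digits, zero-padded, no "0x", plus the NUL byte.
 * out must have room for 9 bytes. */
void cookie_to_string(unsigned val, char out[9])
{
    snprintf(out, 9, "%.8x", val);
}

/* Assumed helper (not in the lab): copy the bytes of s, including its
 * terminating NUL, into out (at most cap bytes) and return how many bytes
 * the C string occupies in memory. */
size_t string_bytes(const char *s, unsigned char *out, size_t cap)
{
    size_t n = strlen(s) + 1;   /* +1 for the NUL terminator */
    if (out != NULL)
        memcpy(out, s, n < cap ? n : cap);
    return n;
}

int main(void)
{
    unsigned cookie = 0x1234abcd;   /* constructed sample value from the table */
    char str[9];
    unsigned char bytes[16];

    cookie_to_string(cookie, str);
    size_t n = string_bytes(str, bytes, sizeof bytes);

    /* The byte dump is what "man ascii" would give you for each digit,
     * followed by the 00 that terminates the string. */
    printf("0x%08x as a C string is \"%s\", %zu bytes:", cookie, str, n);
    for (size_t i = 0; i < n; i++)
        printf(" %02x", bytes[i]);
    printf("\n");

    /* hexmatch only accepts the exact form it prints itself. */
    printf("hexmatch(0x%08x, \"%s\")   = %d\n", cookie, str, hexmatch(cookie, str));
    printf("hexmatch(0x%08x, \"1234ABCD\") = %d\n", cookie, hexmatch(cookie, "1234ABCD"));
    return 0;
}
```

Running it reproduces the table above, and the byte dump makes the second hint concrete: the string you place in memory is nine bytes, the eight digits plus the terminating zero, and hexmatch compares all nine with strncmp.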

To Complete This Part of the Assignment

You'll know you're done with this part of the assignment when you've done all of the following:
