Buffer Overflow

Your task is to exploit a buffer$-$overflow in function f of code provided to you in file ex$1.$c $($use the

Makefile to compile it$).$ You are not allowed to change the source code. The program receives three

arguments: your first and last name and the name of a file. The function f reads the content of that file

but doesn't check if there is enough space for all contents of the file.

Your task is to provide a file with proper content such that after running the executable you will be

dropped into a new shell instance $($and the final message "This message should not be printed" is not

printed$).$ Moreover, the program must display your name twice. For example, the following is an example

of an intended behavior:

The size of the buffer is dependent on the lengths of your names and the values of the initial letters of

both. Thus, each of you will have to produce a different file and each file produced will match a single

name.

Hint: Because the buffer in the function is allocated via alloca, you will have to also keep the address

of the buffer on the stack even after the attack. Use the address returned by the executable for this.

However, you don't need to insert the buffer's address exactly but an address at a constant offset $($which

depends on the numbers m and n $).$

To debug from GDB$,$ run "set architecture i$386"$ after launching it$.$

$($PLEASE SOLVE AND SHOW STEPS FROM TERMINAL$)$

ex$1.$c:

#include

#include

#include

void f$($int n$,$ int m$,$ char $*$str$)$

$\{$

$$ FILE $*$f $=$ fopen$($str$,"$r$")$;

$$ char buf$[$n$]$;

$$ size$\_$t pos;

$$ if $($m $>=$ n$)\{$

$$ fprintf$($stderr$,$ "Invalid call of f

$")$;

$$ exit$($EXIT$\_$FAILURE$)$;

$\}$

$$ if $($f $==$ NULL$)\{$

$$ perror$("$Invalid file with buffer"$)$;

$$ exit$($EXIT$\_$FAILURE$)$;

$\}$

$$ printf$("$Reading file into buffer at $\%$p

$",$ buf$)$;

$$ fseek$($f$,0,$ SEEK$\_$END$)$;

$$ pos $=$ ftell$($f$)$;

$$ fseek$($f$,0,$ SEEK$\_$SET$)$;

$/*$ here's the bug: pos should be at most n for legit calls $*/$

$$ fread$($buf$,$ sizeof$($buf$[0]),$ pos, f$)$;

$$ buf$[$m$]=0$;

$$ printf$("$Your name is: $\%$s

$",$ buf$)$;

$$ printf$("$First $32$ hex values read from file $($A$=0$x$41,$ a$=0$x$61)$:$")$;

$$ for $($pos $=0$; pos $<mtext></mtext><mn>3</mn><mn>2</mn>$; pos$++)\{$

$$ if $($pos $\%16==0)$

$$ printf$("$

$\backslash$t$")$;

$$ printf$("0$x$\%02$x $",($unsigned char$)$buf$[$pos$])$;

$\}$

$$ printf$("$

$")$;

$\}$

int main$($int argc, char $**$argv$)$

$\{$

$$ int m$,$ n;

$$ if $($argc $!=4)\{$

$$ fprintf$($stderr$,$ "Usage: $./$ex$1$ firstname lastname filename

$")$;

$$ exit$($EXIT$\_$FAILURE$)$;

$\}$

$$ m $=10*($argv$[1][0]-\text{'}$A$\text{'}+1)+($argv$[2][0]-\text{'}$A$\text{'}+1)$;

$$ if $($m $<mtext></mtext><mn>0</mn><mi>)</mi>$ m $=-$m;

$$ n $=$ strlen$($argv$[1])+$ strlen$($argv$[2])+1$;

$$ if $($m $<mtext></mtext><mn>4</mn><mn>2</mn><mtext></mtext><mi>*</mi>$ n $+42)$ m $+=42*$ n $+42$;

$$ if $($m $>1024)$ m $=1024$;

$$ if $($n $>50)$ n $=50$;

$$ fprintf$($stdout$,$ "Numbers $($m$,$ n$)$: $\%$d $\%$d

$",$ m$,$ n$)$;

$$ fprintf$($stdout$,$ "Provided name: $\%$s $\%$s

$",$ argv$[1],$ argv$[2])$;

$$ f$($m$,$ n$,$ argv$[3])$;

$$ printf$("$This message should not be printed

$")$;

$$ return $0$;

$\}$

makefile:

$.$PHONY: all clean md$5$

TARGET $=./$ex$1$

CC $=$ gcc

CFLAGS $=-$Wall $-$Wextra $-$g $-$fno$-$stack$-$protector $-$m$32-$z execstack

LDFLAGS $=-$fno$-$stack$-$protector $-$m$32-$z execstack

all: md$5$

md$5$: $$($TARGET$)$

$$ md$5$sum $$($TARGET$)$

clean:

$$ $$($RM$)$ $$($TARGET$)$