#include

char *echo() { char buffer[32]; return gets(buffer);

}

int level1() { printf("Made it to level 1 ");

}

int level2(int a, int b, int c, int d, int e, int f, int x) { if (x == 0xff) printf("Made it to level 2 with x = %#x ", x); else printf("Made it to level 2 but x is %#x or %d ", x, x);

}

int level3(int x) { if (x == 0xff) printf("Made it to level 3 with x = %#x ", x); else printf("Made it to level 3 but x is %#x or %d ", x, x);

}

int junk(int x) { return x & 0x101;

}

int helper() { printf("You make it to helper "); char buffer[8]; gets(buffer); junk(0xff);

}

int main() { char c;

echo();

}

Lab Exercise On D2L, you will find a Lab dropbox folder. It contains this write-up, plus a file called buffer.tar. The tar file contains a program called lab.c and an executable called hex2raw, In addition to main and echo functions, the lab.tar contains functions called level1, level2, and level3. While main explicitly called echo, the other functions are not explicitly called. Your task in this lab is to devise input which, when fed into a buffer, overflows the input in such a way that one of the level functions is called. Details of each level are described below.

Level 1

Here is the relevant code:

#include

char *echo() {

char buffer[32];

return gets(buffer);

}

int main() {

echo();

}

int level1() {

printf("Made it to level 1 ");

}

Again, while nothing in the code explicitly calls level1, it is possible to corrupt the stack in such a way as to call level1 (although the program will then crash).

Level 2

In this level, we would like to corrupt the stack in such a way that level2 thinks it has been passed 0xff as its 7th parameter. As you may recall, the first 6 parameters are passed to functions through registers. Any additional parameters are passed through the program stack. Here is the prototype for level2:

void level2(int a, int b, int c, int d, int e, int f, int x);

We only care about the value of the parameter x (which should be 0xff), and not the other 6 parameters. To succeed at this level, you will see an output statement which indicates that you have passed the correct value for the parameter x. However, you program will then crash again.

Level 3

A difficult way to modify the value of a parameter is to do so through the registers rather that the stack frame. As in Level 2, we will change the valueof a parameter, but Level 3 only has one parameter:

void level3(int x);

Once again, we would like to pass the value 0xff as the value of the parameter x. However, since the first parameter of a function is passed in register %rsi, we must do something more devious in order to change the value of the parameter that it passed.

Specifically, we will look for another part of the lab application which does what we want it do: namely, it copies 0xff into register %rsi. I have placed a function in the lab executable which does what we want:

int helper() {

printf("You made it to helper ");

char buffer[8];

gets(buffer);

junk(0xff);

int junk(int x) {

return x & 0x101;

}

Helper moves the value 0xff into register %rsi, since it is passed as a parameter. Therefore, if we execute helper, then our desired number is in the correct register. We then need to further corrupt the stack to the the program returns to level3, which prints a message that x has the correct value (and then crashes again).