Professional Documents
Culture Documents
EH Project Report
EH Project Report
By,
Nitin Chandra (17100030)
M Krishna Chaitanya (17100026)
C Tarun Sai (17101015)
Department of CSE
Dr. Shyama Prasad Mukherjee
International Institute of Information Technology, Naya Raipur
(A Joint Initiative of Govt. of Chhattisgarh and NTPC)
Email: iiitnr@iiitnr.ac.in, Tel: (0771) 2474040, Web: www.iiitnr.ac.in
CERTIFICATE
DECLARATION
I declare that this written submission represents my ideas in my own words and where
others' ideas or words have been included, I have adequately cited and referenced the
original sources. I also declare that I have adhered to all principles of academic
honesty and integrity and have not misrepresented or fabricated or falsified any
idea/data/fact/source in my submission. I understand that any violation of the above
will be cause for disciplinary action by the Institute and can also evoke penal action
from the sources which have thus not been properly cited or from whom proper
permission has not been taken when needed.
Signature: ___________________
Nitin Chandra
(17100030)
Signature: ___________________
M Krishna Chaitanya
(17100026)
Signature: ___________________
C Tarun Sai
(17101015)
Signature: ________________________
Dr. Mahesh Patil
Signature: ________________________
Dr. Appala Naidu
CERTIFICATE 1
Declaration 2
ABSTRACT 4
CHAPTER 1 6
INTRODUCTION 6
1.1 Application Memory: 6
1. Text Segment: 7
2. Initialized Data: 7
3. Uninitialized Data: 7
4. Stack: 7
5. Heap: 7
1.2 Buffer Overflow: 7
1.3 Buffer Overflow Attacks: 8
CHAPTER 2 9
LITERATURE SURVEY 9
CHAPTER 3 10
METHODOLOGY 10
1. Fuzzer: 10
2. Disassembler: 11
3. Debugger: 12
4. Exploit: 13
CHAPTER 4 14
IMPLEMENTATION 14
Analysis of 1st ELF file : 14
Fuzzing 14
Dissassembler 15
Debugger 17
Exploit 21
Analysis of 2nd ELF file : 22
Fuzzing 22
Dissassembler 23
Debugger 25
Exploit 28
Analysis of 3rd ELF file : 29
Fuzzing 29
Dissassembler 30
Debugger 32
Exploit 34
CHAPTER 5 35
CONCLUSION 35
CHAPTER 6 37
REFERENCES 37
ABSTRACT
Buffer overflow attacks have been the most common attacks from the past 10
years. With the help of these attacks, an anonymous attacker can gain either the
total or partial control over the program. Attackers can do many malicious
things with the help of buffer overflow attacks like Code Injection, Control the
variables on stack, Function calls etc. In this project, we will be focusing mainly
on how an attacker can control the variables of stack with the help of buffer
overflow attack by some examples and also the possible ways to control these
types of attacks. If these types of vulnerabilities could be eliminated, then a
large portion of the serious threats would also be eliminated.
CHAPTER 1
INTRODUCTION
LITERATURE SURVEY
2. Disassembler:
Disassembler is a tool, which is used for reverse engineering the
programs. It generally displays the instructions in low level language
(machine-level). We used Cutter Disassembler, in order to perform the reverse
engineering.
Fig 3.3: Figure shows the example Graph of the Reverse Engineered Program.
For additional help in understanding the exact meaning of the code, we could
also use a decompiler and strings that appear in the code. These features are
readily available in Cutter.
3. Debugger:
At this stage, we will be using the GDB-PEDA debugger, in order to understand
the step wise low level language (assembly language) operations that are
happening while the program is under execution. By using the debugger we can
identify whether the variables present on the stack are getting affected by the
overflow attack or not.
Fig 3.4: The above figure shows the sample output of GDB-PEDA, It shows the
register values in the register section, Upcoming instructions in code section and
Stack content in the stack section.
4. Exploit:
At this stage, we will be sending the desired value as extra space (main cause
for the overflow) and the value present at the top of the current value in the
stack will be overwritten by this extra space. If the value of the variable is
changed then the sample program outputs “Cracked”, else the output will be
“Try Again”.
Fig 3.5: The above figure shows the output, when the overflow doesn’t happen
and the value of the variable isn’t changed.
Fig 3.6: The above figure shows the output, when the overflow happens and the
value of the variable is changed.
CHAPTER 4
IMPLEMENTATION
Fig 4.1: Showing the randomly generated test cases using Radamsa tool.
The above figure shows the randomly generated test cases using Radamsa
Fuzzer. The program is cracked for some of the above inputs, where the length
of the string is greater than 64. Hence from this step we can say that this
program can be cracked using the Buffer overflow attack.
b. Dissassembler
This is the Dashboard for the 1st object file in Cutter. It shows that it is an
ELF-32 bit file. It uses the x86 architecture instruction set. It runs on a Linux
machine. It has been compiled by a Ubuntu compiler (gcc). It has also guessed
that the programming language used might be C.
Fig 4.3 : Flow control for 1st object file
This is a graph which shows the control flow of the program 1.c and it is clear
that a conditional statement is present in it. Here, it says if eax==0, go to the
green part, else go to the red part. Either part is used to print some string. So, the
program says : 2 variables exist (1st an integer initialized to 0 and then a
character buffer). Some input is taken and stored onto the buffer. Then the value
of the integer is checked and based on whether it is 0 or not, the branching
depends.
c. Debugger
Here a string is taken as input and it is getting stored in a buffer. Clearly the
integer variable is 64 bytes from the top stack. So, we can enter a 65 bytes string
to overflow the buffer.
Fig 4.6 : Checking the modified value != 0 or not.
The test instruction performs bitwise AND of the 2 operands and modifies zero
flag. If eax==0, then ZF is set to 1. Here depending on whether the integer
variable is changed or not the value of eax is 0 or another number. If ZF==1,
then “Cracked” is printed. Else “Try Again?” is printed.
Fig 4.7 : When the program is going to output Cracked.
d. Exploit
The program runs smoothly if we give 64 times “a” as input. The value of the
variable (modified) will not be changed. The above figure shows the output of
the program, when 64 times “a” is given as input to the program.
The above program changes the modified variable value. The above figure
shows the output as “Cracked”, as the modified variable value is changed. Here
the input given is 64 times “a” + “bcde”. Hence the modified value becomes the
decimal ascii values of (“edcb”), as the modified variable is an integer variable.
2. Analysis of 2nd ELF file :
a. Fuzzing
Fig 4.10: Showing the randomly generated test cases using Radamsa tool.
The above figure shows the randomly generated test cases using Radamsa
Fuzzer. The program is cracked for some of the above inputs, where the length
of the string is greater than 64. Hence from this step we can say that this
program can be cracked using the Buffer overflow attack.
b. Dissassembler
This is the Dashboard for the 2nd object file in Cutter. It shows that it is an
ELF-32 bit file. It uses the x86 architecture instruction set. It runs on a Linux
machine. It has been compiled by a Ubuntu compiler (gcc). It has also guessed
that the programming language used might be C.
Fig 4.12 : Flow control for 2nd object file
This is a graph which shows the control flow of the 2nd executable file.
Initially, it checks if arguments are present or not. If arguments are not present
then some string is printed. Then an integer variable is initialized to zero and a
buffer is filled with the string argument. The integer variable is compared with
0x61626364 and if they are equal, some string is printed. Else some other string
is printed.
c. Debugger
Here the integer variable is loaded onto eax and compared with a hex number
0x61626364. So, probably if the overflowed part is this number, we might get
the “Cracked” string as output.
Here we check the characters whose ascii values are 61,62,63,64. We append
this string after 64 bytes in reverse order so that the integer variable will contain
the value 0x61626364.
Fig 4.17 : “Cracked” string gets printed
d. Exploit
The program runs smoothly if we give 64 times “a” as input. The value of the
variable (modified) will not be changed. The above figure shows the output of
the program, when 64 times “a” is given as input to the program.
Fig 4.19 : Output when the program is cracked.
The above program changes the modified variable value. The above figure
shows the output as “Cracked”, as the modified variable value is changed. Here
the input given is 64 times “a” + “dcba”. Hence the modified value becomes the
decimal ascii values of (“abcd”), as the modified variable is an integer variable.
Fig 4.20: Showing the randomly generated test cases using Radamsa tool.
The above figure shows the randomly generated test cases using Radamsa
Fuzzer. The program is cracked for some of the above inputs, where the length
of the string is greater than 64. Hence from this step we can say that this
program can be cracked using the Buffer overflow attack.
b. Dissassembler
This is the Dashboard for the 3rd object file in Cutter. It shows that it is an
ELF-32 bit file. It uses the x86 architecture instruction set. It runs on a Linux
machine. It has been compiled by a Ubuntu compiler (gcc). It has also guessed
that the programming language used might be C.
Fig 4.22 : Flow control for 3rd object file
This is a graph which shows the control flow of the 3rd executable file. Here an
environment variable is taken and it’s value is compared to 0. If it is zero, some
string is printed. An integer variable is taken and is initialized to 0. Then the
value of the environment variable is copied into some buffer. Now if the value
of the integer variable is 0x0d0a0d0a then some string is printed. Else some
other string is printed.
c. Debugger
The GREENIE environment variable is pushed onto the stack because it is the
argument for the function getenv().
Fig 4.24 : Initialize the integer variable to 0
d. Exploit
The program runs smoothly if we give 64 times “a” as input. The value of the
variable (modified) will not be changed. The above figure shows the output of
the program, when 64 times “a” is given as input to the program.
Fig 4.28 : Output when the program is cracked.
The above program changes the modified variable value. The above figure
shows the output as “Cracked”, as the modified variable value is changed. Here
the input given is 64 times “a” + “\r\n\r\n”. Hence the modified value becomes
the decimal ascii values of (“\n\r\n\r”), as the modified variable is an integer
variable.
CHAPTER 5
CONCLUSION
From the above, we can conclude that attackers can easily gain the control over
variables that are present on the stack. Apart from modifying variables,
attackers can do a variety of tasks through buffer overflow attack. They can
access private information, change the flow control of the program and also the
most dangerous task of running a program of attacker’s choice.
In order to prevent these kinds of attacks, various defense mechanisms can be
used.
1. Primarily good and safe programming techniques should be used such as
input data validation
2. Good choice of safe programming languages should be made
3. Features of OS and compilers which provide security against buffer
overflow attacks such as Stack canaries, Non-executable data, Address
space layout randomization (ASLR), Control flow Integrity etc., are to be
used.
CHAPTER 6
REFERENCES