CSE 127: Assignment 1

In this assignment, you will use a buffer-overflow attack to "exploit" a simple program. Your goal is to get the provided program to print out the string "You got it!" by giving it input data that overflows the input buffer it passes to the gets(3S) library function (gets reads a line of unbounded length, so nothing stops the input from running past the end of the buffer).

You should not change the source code of the program at all. You may, of course, make temporary changes in order to learn more about what it is doing, but the attack that you design must be implemented with respect to the unchanged source code. You should be able to provide input to the program which makes it print out the "You got it!" string without generating a core image; that is, the program must exit cleanly rather than crash after printing the string.

Your testbed must be a Solaris machine managed by Academic Computing. Your exploit will necessarily be architecture specific. Note that due to the way the SPARC processor uses register windows for the top of its stack (the number of frames held in register windows depends on the processor model), the precise details of the attack will differ from those on architectures that do not employ register windows.

Furthermore, the exact location of the buffer in memory will differ depending on the execution environment. In particular, it depends on the size of the environment and on the number and size of the arguments passed to the program. You must clearly describe how to attack the program so that the exploit will work regardless of the particulars of the execution environment: your only assumptions should be that the executing binary was compiled from the given source code and that you are using a SPARC Solaris machine.

You should compile the program using the command

    $ cc -g assn1.c

which will include a symbol table for debugging. You should use the GNU debugger "gdb" to explore the resultant a.out file:

    $ gdb a.out

Some gdb commands that you will find useful are:

    help
    x/i ADDRESS
    x/x ADDRESS
    up
    down
    break ADDRESS

You can get more information about how these commands work using the help command. In lieu of ADDRESS, you may use the name of a function or a numeric address; precede the numeric value with "0x" if you wish to use a hexadecimal value.

You may wish to write a program (or programs) that generates the necessary input values based on what the given program prints out. If you do this, include the source code for your auxiliary programs, and explain what they do.

WHAT YOU SHOULD HAND IN

You should create a tar(1) image of a directory named "assn1" that contains all the handed-in files. There should be no files outside of this directory. Within this directory, you should have the input data file named "INPUT" that will make the program print "You got it!"; if you wrote a program to generate that data, include that program's source code as well. Do not include assn1.c, helper files (show_addr.c), this file, or any binary files (other than the input file). In addition to this, you should have an ASCII text file named "writeup.txt" which clearly explains what you did and how it works. If there are extraneous files included in the tar file, I will deduct points. The tar file should not be larger than a few tens of kilobytes; if it is, then you've done something wrong and you should talk to us.

Email this tar file to me as an attachment. If you are unsure about how to do this, ask a TA or an ACS consultant. Test this out by mailing an attachment to YOURSELF first and make sure that the attachment does not become corrupted. When you test the extraction of the files, do it in some testing subdirectory, so you will not overwrite the original files.

HINTS

If you wish to type in binary data, it is a better idea to use X windows and cut-and-paste instead, since typing in binary data, especially bytes with the 8th bit set, is difficult and cumbersome. Furthermore, beware of the tty(7d) driver's interpretation of certain control characters (e.g., interrupt, flow control, reprint, etc.): typing in such data can give unexpected results. See the manual page for stty(1).

Also, generating 8-bit data with vi can be difficult, so you may wish to use a program, or use emacs, to create a binary data file. You can run the program after generating and saving the necessary data to a file and then use input redirection to get the program to read from that file:

    $ ./a.out < INPUT

This is probably the easiest way to handle the input data, and it also bypasses the tty driver entirely, so no byte of the file is interpreted as a control character.
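The following generator program is an added example, not part of the assignment or the helper files it ships with. It shows one way to build the INPUT file from a program rather than by typing bytes: a run of filler bytes followed by one or more 32-bit words written most-significant byte first, since SPARC is big-endian. The pad length, the fill byte and the word values are placeholders that you must determine yourself with gdb for the unchanged assn1.c; the program does not know anything about the layout of that binary. It refuses to emit a payload containing a newline, because gets(3S) stops reading at the first newline and would truncate the data, and it warns on stderr if the payload contains bytes that the tty driver would intercept when typed interactively (harmless under input redirection, but a reminder not to paste such data at a prompt).

```c
/* gen_input.c: added example (not part of the assignment) of a helper that
 * writes the INPUT file for assn1 instead of typing binary data at a tty.
 *
 * Layout produced: PAD filler bytes, then each 32-bit word big-endian (the
 * SPARC byte order), then a single '\n' to end the line for gets(3S).
 * PAD, the fill byte and the words are placeholders: the real values come
 * from your own gdb analysis of a.out and are not known to this program.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* gets(3S) reads up to the first newline, so a 0x0a byte anywhere in the
 * payload ends the input early. Returns the number of bytes written to
 * out (including the terminating '\n'), or 0 if the payload would contain
 * a newline before its end or does not fit in cap bytes. */
size_t build_input(unsigned char *out, size_t cap,
                   size_t pad, unsigned char fill,
                   const uint32_t *words, size_t nwords)
{
    size_t n, i;

    if (fill == '\n' || pad + 4 * nwords + 1 > cap)
        return 0;
    memset(out, fill, pad);
    n = pad;
    for (i = 0; i < nwords; i++) {
        uint32_t w = words[i];
        out[n++] = (unsigned char)(w >> 24);  /* most-significant byte first */
        out[n++] = (unsigned char)(w >> 16);
        out[n++] = (unsigned char)(w >> 8);
        out[n++] = (unsigned char)(w);
    }
    for (i = pad; i < n; i++)
        if (out[i] == '\n')
            return 0;       /* an address byte of 0x0a would truncate the line */
    out[n++] = '\n';        /* gets() consumes and discards this terminator */
    return n;
}

/* Bytes that the tty driver acts on with the default stty(1) settings
 * (^C intr, ^\ quit, ^D eof, ^S/^Q flow control, ^R reprint, ^U kill,
 * ^W werase, ^Z susp, DEL erase). Under input redirection they pass
 * through untouched; typed at a prompt they would not. Returns the count
 * of such bytes in buf, ignoring the final '\n'. */
int count_tty_special(const unsigned char *buf, size_t n)
{
    static const unsigned char special[] =
        { 0x03, 0x1c, 0x04, 0x13, 0x11, 0x12, 0x15, 0x17, 0x1a, 0x7f };
    int hits = 0;
    size_t i, j;

    for (i = 0; i < n; i++) {
        if (buf[i] == '\n')
            continue;
        for (j = 0; j < sizeof special; j++)
            if (buf[i] == special[j])
                hits++;
    }
    return hits;
}

/* usage: ./gen_input PAD HEXWORD [HEXWORD ...] > INPUT
 * PAD is the filler length; each HEXWORD is a 32-bit value such as 0xffbef0a8.
 * The fill byte 'A' (0x41) is an arbitrary choice for the example. */
int main(int argc, char **argv)
{
    unsigned char buf[4096];
    uint32_t words[64];
    size_t pad, nwords, n;
    int i;

    if (argc < 3 || argc - 2 > (int)(sizeof words / sizeof words[0])) {
        fprintf(stderr, "usage: %s PAD HEXWORD [HEXWORD ...] > INPUT\n", argv[0]);
        return 1;
    }
    pad = (size_t)strtoul(argv[1], NULL, 0);
    nwords = (size_t)(argc - 2);
    for (i = 0; i < (int)nwords; i++)
        words[i] = (uint32_t)strtoul(argv[i + 2], NULL, 16);

    n = build_input(buf, sizeof buf, pad, 'A', words, nwords);
    if (n == 0) {
        fprintf(stderr, "payload contains a newline or is too large\n");
        return 1;
    }
    if (count_tty_special(buf, n) > 0)
        fprintf(stderr, "note: payload has tty control bytes; use ./a.out < INPUT\n");
    if (fwrite(buf, 1, n, stdout) != n)
        return 1;
    return 0;
}
```

Run it with the pad length and words your gdb analysis produced, redirect its output to INPUT, and feed that file to the target with ./a.out < INPUT. Because the program is deterministic, the INPUT file you hand in and the generator source together let a reader reproduce the payload exactly.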