University of Washington Computer Science & Engineering
 CSE 378 Fall 2007

There is a wiki-fied version of this assignment, if you wish to make clarifications to this document.

Objective

To understand MIPS functions, calling conventions and stack layout, and to exploit this knowledge to "take over" a program.

A vulnerable program

This simple assembly program copies a global buffer to a local, stack-allocated buffer, displays the buffer and exits. The problem is that the local, stack-allocated buffer (inside the main() function) is of fixed size, and the memcpy() function does not check that the destination buffer is large enough to hold what is copied into it. If something too large is written into the destination buffer, memcpy() will just keep writing past the end and overwrite whatever happens to be adjacent in memory.

You need to alter the contents of input_buffer so that, when the program is run, the stack frame of main() gets smashed and the return address of main() gets overwritten. You need to inject the address of the attack() function on the stack so that, when main() returns, it causes the flow of control to transfer to the attack() function and run the code in attack().

There are 2 places where you need to alter the source code. These places are marked with the word "TODO" in a comment. All other source code should remain intact.

Sample run

A typical run of the echo program looks like this:

(spim) run
About to copy buffer...
hi!
buffer copied.
(spim)

When the program is run with your specially-crafted input buffer, the output should be instead:

(spim) run
About to copy buffer...
<your answer here>
buffer copied.
pwned!

Approaching the problem

  1. figure out the size of the stack-allocated buffer in main() that you are going to smash
  2. figure out the address of the attack() function, so you know what address to inject into the stack
  3. craft your value for input_buffer and smash away!

Some advice:

  • don't worry about shutting down the program cleanly; it's okay if the program crashes after running the code in attack()
  • it may be helpful to sketch out the stack layout at the time that the memcpy() function is called, so that you know what value on the stack you have to smash.
  • you will have to consider endian-ness issues when crafting your value for input_buffer
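The following C model is an added illustration of the risk the assignment describes and of the two standard defences against it; it is not part of echo.s or the course materials. The frame layout, the buffer size, the addresses and the canary value are all hypothetical, chosen so the model runs as defined-behaviour C rather than on a real MIPS stack.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Defined-behaviour C model of the frame the assignment describes: a fixed-size
 * local buffer with the prologue's saved registers directly above it, plus a
 * canary slot for the detection check. Sizes and addresses are hypothetical. */
#define LOCAL_SIZE  8
#define CANARY      0xDEADC0DEu   /* constructed; real canaries are random per run */
#define ORIGINAL_RA 0x00400100u   /* hypothetical return address into the caller */

struct frame {
    char     local[LOCAL_SIZE];   /* destination of memcpy() */
    uint32_t canary;              /* guard word between locals and saved registers */
    uint32_t saved_fp;            /* $fp pushed by the prologue */
    uint32_t saved_ra;            /* $ra pushed by the prologue: what a smash overwrites */
};

void frame_init(struct frame *f)
{
    memset(f->local, 0, sizeof f->local);
    f->canary = CANARY; f->saved_fp = 0x7fffeff0u; f->saved_ra = ORIGINAL_RA;
}
/* The vulnerable pattern: memcpy() trusts the caller's length, so bytes beyond
 * LOCAL_SIZE run into canary, saved_fp and saved_ra in that order. The clamp
 * only keeps this model defined C; on the real stack nothing stops the write. */
size_t copy_unchecked(struct frame *f, const void *src, size_t len)
{
    if (len > sizeof *f) len = sizeof *f;
    memcpy(f->local, src, len);
    return len;
}

/* Mitigation: bound the copy by the destination's size, not the source's. */
int copy_checked(struct frame *f, const void *src, size_t len)
{
    if (len > sizeof f->local) return -1;   /* reject instead of smashing the frame */
    memcpy(f->local, src, len);
    return (int)len;
}

/* Detection: check the guard before the epilogue uses saved_ra. */
int frame_intact(const struct frame *f) { return f->canary == CANARY; }
int main(void)
{
    struct frame f; char big[20]; memset(big, 'A', sizeof big);   /* constructed oversized input */
    frame_init(&f); copy_unchecked(&f, big, sizeof big);
    printf("unchecked: canary %s, saved_ra 0x%08x\n", frame_intact(&f) ? "intact" : "clobbered", (unsigned)f.saved_ra);
    frame_init(&f);
    printf("checked: rc %d, canary %s\n", copy_checked(&f, big, sizeof big), frame_intact(&f) ? "intact" : "clobbered");
    return 0;
}
```

Because every byte of the oversized input is the same, the clobbered saved_ra reads the same on big- and little-endian hosts; with a real address in the input, the byte order of the host running SPIM decides what value lands in the slot.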

Turning in the assignment

For this assignment, submit your modified version of echo.s via the Catalyst dropbox at https://catalysttools.washington.edu/collectit/dropbox/summary/luisceze/786. The assignment is due at 5pm on Wednesday, 17 October.


Computer Science & Engineering
University of Washington
Box 352350
Seattle, WA  98195-2350
(206) 543-1695 voice, (206) 543-2969 FAX