C Basics
Tutorial is at http://www.cs.toronto.edu/~arnold/347/17f/tutorials/CBasics
This tutorial will expose you to VMware, the RH7.2 VM and the C runtime memory model.
- In one of our Linux labs, launch vmplayer:
    mkdir /virtual/$USER
    cd /virtual/$USER
    scp $USER@dh2020pc02.utm.utoronto.ca:/virtual/RH72LabImageShah.zip .
    unzip RH72LabImageShah.zip
    vmplayer
- Open the vm with vmplayer
- When the vm launches, login with hacker/password
- Locate stack.c; you can build it with
    make stack
- Play with the debugger:
    gdb stack
- x86 is little-endian, that is, the 32 bits of a word with bytes B3B2B1B0 (B3 the most significant byte) appear in memory as
    address 0  B0
    address 1  B1
    address 2  B2
    address 3  B3
  Now if you are using gdb and displaying memory, it will display as follows. In the byte dump, the
  fourth column of the first row is address 0xbffffab0+3 = 0xbffffab3:
    (gdb) x/24b $esp
    0xbffffab0: 0xf0 0xfa 0xff 0xbf 0xb6 0xd2 0x00 0x40
    0xbffffab8: 0xac 0x95 0x04 0x08 0x45 0x82 0x04 0x08
    0xbffffac0: 0x64 0x21 0x03 0x40 0x54 0xd1 0x15 0x40
    offset      +0   +1   +2   +3   +4   +5   +6   +7
  In the word dump, each 32-bit word is printed most-significant byte first, so the leftmost byte of the
  first word (0xbf) is the byte stored at 0xbffffab0+3 = 0xbffffab3; the byte offset within each printed
  word therefore runs 3 2 1 0 from left to right:
    (gdb) x/24w $esp
    0xbffffab0: 0xbffffaf0 0x4000d2b6 0x080495ac 0x08048245
    0xbffffac0: 0x40032164 0x4015d154 0x00000000 0x4014212e
    0xbffffad0: 0xbffffb08 0x4000d450 0xbffffaf8 0x080484da
    0xbffffae0: 0x00000003 0x00000007 0xbffffb08 0x08048441
    0xbffffaf0: 0x0804958c 0x08049690 0xbffffb38 0x40043507
    0xbffffb00: 0x00000001 0xbffffb64 0xbffffb6c 0x080482fa
    offset      3 2 1 0    7 6 5 4    b a 9 8    f e d c
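  The relationship between the two dumps is just byte reordering, and it is the arithmetic you need whenever
  you read a 32-bit value (an address, a saved register, a length) out of x/b output. The following program
  is an added example for this tutorial, not part of stack.c or the course code: it takes the 24 bytes from
  the x/24b dump above as constructed data, reassembles them the way x/w does on a little-endian machine,
  and checks that the result is the first row and a half of the x/24w dump. It also probes the byte order
  of whatever machine it runs on, so you can see the same effect outside gdb.

```c
/* Added example (not part of the tutorial or stack.c): relating the gdb
 * byte dump (x/b) to the word dump (x/w) on a little-endian x86 machine. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The 24 bytes gdb printed for "x/24b $esp" in the tutorial, copied as data. */
static const uint8_t stack_bytes[24] = {
    0xf0, 0xfa, 0xff, 0xbf, 0xb6, 0xd2, 0x00, 0x40,
    0xac, 0x95, 0x04, 0x08, 0x45, 0x82, 0x04, 0x08,
    0x64, 0x21, 0x03, 0x40, 0x54, 0xd1, 0x15, 0x40,
};

/* Assemble a 32-bit word from four bytes stored least-significant byte first,
 * which is what "x/w" does on x86: the byte at offset +3 becomes the top byte. */
uint32_t load_le32(const uint8_t *p)
{
    return (uint32_t)p[0]
         | ((uint32_t)p[1] << 8)
         | ((uint32_t)p[2] << 16)
         | ((uint32_t)p[3] << 24);
}

/* Inverse: split a word into the order its bytes occupy in memory. */
void store_le32(uint8_t *p, uint32_t w)
{
    p[0] = (uint8_t)(w);
    p[1] = (uint8_t)(w >> 8);
    p[2] = (uint8_t)(w >> 16);
    p[3] = (uint8_t)(w >> 24);
}

/* Store a word, load it back, and report whether the value survived. */
int round_trips(uint32_t w)
{
    uint8_t buf[4];
    store_le32(buf, w);
    return load_le32(buf) == w;
}

/* Returns 1 if the machine running this code keeps the low byte of a word at
 * the lowest address (little-endian, like the x86 VM in the tutorial). */
int host_is_little_endian(void)
{
    uint32_t probe = 0x01020304u;
    uint8_t first;
    memcpy(&first, &probe, 1);   /* read only the byte at the lowest address */
    return first == 0x04;
}

/* Decode the byte dump into words and compare with what "x/24w $esp" printed. */
int dump_matches_word_view(void)
{
    static const uint32_t expected[6] = {
        0xbffffaf0, 0x4000d2b6, 0x080495ac, 0x08048245, 0x40032164, 0x4015d154,
    };
    for (int i = 0; i < 6; i++) {
        if (load_le32(stack_bytes + 4 * i) != expected[i])
            return 0;
    }
    return 1;
}

int main(void)
{
    printf("host is %s-endian\n", host_is_little_endian() ? "little" : "big");
    for (int i = 0; i < 24; i += 4) {
        printf("0x%08x: bytes %02x %02x %02x %02x -> word 0x%08x\n",
               0xbffffab0u + (unsigned)i, stack_bytes[i], stack_bytes[i + 1],
               stack_bytes[i + 2], stack_bytes[i + 3],
               load_le32(stack_bytes + i));
    }
    printf("byte dump %s the word dump\n",
           dump_matches_word_view() ? "matches" : "does not match");
    return 0;
}
```

  Build it with a plain "cc -std=c99" and compare its output against the two gdb dumps above; the printed
  addresses are the tutorial's 0xbffffab0 base plus the row offset, not the addresses of anything in this
  program's own stack.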
- Put a breakpoint at the line "int sum=0;" and run the code.
- Examine the contents of the current stack frame with
    x/24w $esp
  and find all of the variables on the stack. Which ones are initialized properly? If they are not
  initialized, what values are there, and why is this a security issue?
- Step through the code until you reach the line "c[0]=0x41;", using
    step
  and
    x/24w $esp
- Draw a picture of the stack; it should be similar to the one in the notes, with the addresses
  appropriately modified. Try things like
    print &i
- Modify stack.c so that the assignments to the 'c' array cause the program to execute the hacked
  function. Do this by using the four assignment statements to overwrite the return address in the
  current stack frame with the address of the hacked function.