Teaching Stack Overflow
We have developed a number of web based simulations and activities to help teach students about stack overflow exploits. The assignments can be run from http://williams.comp.ncat.edu/overflow/labs.html A link below provides access to all materials. There are several simple simulations (Java applets) that explain how data is stored on the stack. Some of the simulations allow the student to enter data that can generate an overflow exploit. After running the simulations, students can then create real buffer overflow exploits by entering carefully crafted data to some C or C++ programs. The student needs to download the programs and compile them on their local system. To do these lab activities effectively, it is very helpful if the students know how to use a debugging system. A debugger will allow the student to look at the contents of memory as their data is read by the program. It will also provide the addresses necessary to create the exploit.
The ultimate stack overflow exploit loads machine language and makes the victim system do whatever you want. Modern operating systems and compilers have several features to protect the system. A virtual machine running Windows XP using Visual C++ Express allows the student to perform an arbitrary code stack overflow and learn exactly how it works. The assignment is available here and the 3.3 GB VMPlayer virtual machine is available here.
A downloadable ZIP file of the stack overflow web simulations, assignments and source code is available at http://williams.comp.ncat.edu/overflow/Overflow.zip A set of slides for teaching buffer overflow are available here (and also with TurningPoint response questions). If you have any suggestions or if you make any improvements, please contact Ken Williams at firstname.lastname@example.org
Many students do not get much nourishment from looking at a memory dump. It is advantageous to review the usual format of the program stack. A couple of hints to understand what you are looking at:
· The ESP (Extended Stack Pointer) on an Intel processor points to the top of the stack. The data you want will be near this address. You can use a debugger to view this register when the program is executing in the method where the overflow will occur.
· Remember that the Intel processor is a little endian machine. An address or integer value will appear in reverse order.
· View the memory around the stack pointer. When the programs read characters, it is usually possible to see where the data is being stored. This gives you the address of a local variable. The frame pointer and return address will be after this.
· The frame pointer will contain an address of the previous frame on the stack. This address will not be too different from the current stack pointer.
· The return address will follow the frame pointer. Using the debugger, you can get the start address of the calling method (the main method is the examples). The return address will be a little after the start of the main method (tens of bytes not millions of bytes).
· It is very helpful for the students to have use of an editor that allows them to change the hexadecimal values of a file. They will need to create files with binary address values at specific locations.