COMP620 Information Privacy and Security
Stack Overflow Lab
In this exercise you will commit the most hideous of all security attacks. You will force a simple
program to run your own arbitrary program. This requires creating a data file containing machine
language of the program you want to run. For this exercise you only have to print a message.
Download the simple program available at http://williams.comp.ncat.edu/overflow/RealReturn.html
Create a simple text file of about 50 bytes.
Start Microsoft Visual C++ express and create a Win32 Console application project. Add the
program downloaded from the website to the project.
Disable the stack overflow defenses as described in
http://williams.comp.ncat.edu/overflow/MSVShints.htm
Turn on the option for the compiler to show the generated assembler and machine language. Select
Project → Properties → Configuration Properties → C/C++ → Output Files and select
Assembly, Machine Code and Source for Assembler Output. This will generate a file with a
.cod extension in the Debug directory.
Tell the compiler the path of your input text file at Project → Properties → Configuration
Properties → C/C++ → Output Files → Command Arguments
Build the project (press F7).
Put a breakpoint in the program and start debugging it. Remember to “step over” except to “Step
into” the doit function.
When the debugger is in the doit function, hover the mouse over the following names and record
the addresses:
doit    0X___________________________
exploit 0X___________________________
main    0X___________________________
str     0X___________________________
Open the memory window in the debugger and look at the memory of the str variable. As you step
through the program, the contents of the str variable should change. Changes are highlighted in red.
The str array holds four characters. Following this variable in memory will be the frame pointer.
This will be an address on the stack. It should not be very different from the address of str.
Remember that the Intel processor is a Little Endian machine and the addresses are in reverse byte
order. Following the frame pointer will be the return address. This should not be much larger than
the start address of the main function. If your memory looks like this, you will know that the 9th to
12th bytes of your input file will overwrite the return address. Record the address of the frame
pointer:
frame pointer 0X___________________________
If you look in the assembler listing file you can see the machine language of the program. The
exploit function should look something like:

    ; 21   : void exploit() {

      00000  55                 push    ebp
      00001  8b ec              mov     ebp, esp
      00003  83 ec 40           sub     esp, 64
      00006  53                 push    ebx
      00007  56                 push    esi
      00008  57                 push    edi

    ; 22   :     printf("\nExploit successful!\n\n");

      00009  68 00 00 00 00     push    OFFSET "Exploit successful"
      0000e  ff 15 00 00 00 00  call    DWORD PTR __imp__printf
      00014  83 c4 04           add     esp, 4
Enter the address of the exploit function in the memory address window. You should see the same
machine language. The address of the string to be printed was not known at compile time, so it is
shown as zeroes in the machine language listing. Similarly the address of the printf function is
shown as zeroes in the listing, but the real address appears in the debugger memory. Record the
address of the printf function.
printf 0X________________________
Using a hexadecimal editor, edit your input file to include the following. Remember that the Intel
processor is a Little Endian machine and the addresses are in reverse byte order.

    offset (hex)  value
    0             4 bytes of anything as data for str
    4             4 bytes containing the frame pointer address
    8             4 bytes of the start of your exploit program. Add 0X0C to the address of
                  str to get this address.
    C             Your exploit program in hexadecimal, starting with 68 (the Intel push
                  instruction)
    D             4 byte address of your message string
    11            ff 15 (the Intel call instruction)
    13            4 byte address of printf
    17            Text of your message, terminated by a zero byte
Run the program in Visual C++ and see if it prints your message. Because your hacking has
damaged the stack integrity, the program will generate an error immediately after printing your
message.
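The two points the lab relies on, that a 32-bit address is stored least significant byte first on an Intel machine and that doit copies the whole file into a four-character str array without checking its length, can be seen in a few lines of portable C. The program below is an added example written for this handout; it is not the RealReturn program from the course website, and the names STR_SIZE, u32_to_le, le_to_u32, host_is_little_endian and read_bounded are this example's own. It shows the byte order you will see in the debugger's memory window, and next to the unbounded copy the lab exploits, the bounded copy that would have kept the frame pointer and return address out of reach of the input file.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <stddef.h>

/* Added example, not the lab's RealReturn program. STR_SIZE mirrors the
 * lab's four-character str array; all other names are assumptions of this
 * example. */
#define STR_SIZE 4

/* Write a 32-bit value the way an Intel (little-endian) machine stores it:
 * least significant byte first. This is why the addresses in the input
 * file appear in reverse byte order. */
void u32_to_le(uint32_t v, unsigned char out[4]) {
    for (int i = 0; i < 4; i++) {
        out[i] = (unsigned char)(v >> (8 * i));
    }
}

/* Inverse: rebuild the value from four little-endian bytes, e.g. when
 * reading the saved frame pointer or return address out of the debugger's
 * memory window. */
uint32_t le_to_u32(const unsigned char in[4]) {
    uint32_t v = 0;
    for (int i = 0; i < 4; i++) {
        v |= (uint32_t)in[i] << (8 * i);
    }
    return v;
}

/* 1 if this host stores multi-byte values least significant byte first. */
int host_is_little_endian(void) {
    uint32_t probe = 1;
    unsigned char first;
    memcpy(&first, &probe, 1);
    return first == 1;
}

/* Hardened copy of a file's bytes into a fixed buffer: never writes more
 * than dst_size - 1 bytes plus a terminator, so nothing past the array (the
 * saved frame pointer, the return address) can be touched by the input.
 * Returns 1 when input had to be dropped so the caller can reject the file
 * rather than silently continue. */
int read_bounded(char *dst, size_t dst_size,
                 const unsigned char *file, size_t file_len) {
    size_t n = file_len < dst_size - 1 ? file_len : dst_size - 1;
    memcpy(dst, file, n);
    dst[n] = '\0';
    return file_len > n;
}

int main(void) {
    /* Constructed sample value, not an address from any real run. */
    unsigned char le[4];
    u32_to_le(0x11223344u, le);
    printf("host is little-endian: %d\n", host_is_little_endian());
    printf("0x11223344 as stored in memory: %02x %02x %02x %02x\n",
           le[0], le[1], le[2], le[3]);

    /* Constructed 24-byte "input file" of filler bytes. An unbounded
     * memcpy(str, file, 24) into a STR_SIZE array is the defect the lab
     * exploits; the bounded copy keeps only what fits. */
    unsigned char file[24];
    memset(file, 'A', sizeof file);
    char str[STR_SIZE];
    int truncated = read_bounded(str, sizeof str, file, sizeof file);
    printf("kept \"%s\", truncated=%d\n", str, truncated);
    return 0;
}
```

On the lab machine the address you record for the frame pointer will show up in the memory window as the output of u32_to_le would print it, lowest byte first. The bounded copy is the fix the lab deliberately leaves out; with it, bytes 5 to 12 of the file never reach the saved frame pointer or the return address, which is exactly the write the exercise depends on.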