Illustration of buffer overflows for students (linux, C)

My friend is teacher of first-year CS students. We want to show them buffer overflow exploitation. But modern distribs are protected from simples buffer overflows:

HOME=`perl -e "print 'A'x269"`  one_widely_used_utility_is_here --help

on debian (blame it)

Caught signal 11,

on modern commercial redhat

*** buffer overflow detected ***: /usr/bin/one_widely_used_utility_is_here terminated
======= Backtrace: =========
/lib/libc.so.6(__chk_fail+0x41)[0xc321c1]
/lib/libc.so.6(__strcpy_chk+0x43)[0xc315e3]
/usr/bin/one_widely_used_utility_is_here[0x805xxxc]
/usr/bin/one_widely_used_utility_is_here[0x804xxxc]
/lib/libc.so.6(__libc_start_main+0xdc)[0xb61e9c]
/usr/bin/one_widely_used_utility_is_here[0x804xxx1]
======= Memory map: ========
00336000-00341000 r-xp 00000000 08:02
2751047    /lib/libgcc_s-4.1.2-20080825.so.1
00341000-00342000 rwxp 0000a000 08:02
2751047    /lib/libgcc_s-4.1.2-20080825.so.1
008f3000-008f4000 r-xp 008f3000 00:00 0          [vdso]

The same detector fails for more synthetic examples from the internet.

How can we demonstrate buffer overflow with mo开发者_开发技巧dern non-GPL distribs (there is no debian in classes)

How can we

• DISABLE canary word checking in stack ?
• DISABLE checking variants of strcpy/strcat ?
• write an example (in plain C) with working buffer overrun ?

To disable checking strings functions form glibc you should change your exploitable example. Change all calls to strcpy and other functions with checking variants from

strcpy(dst, src);

to

(strcpy)(dst, src);

This will magically disable checking macroses.

To turn off gcc protection, use options

-fno-stack-protector
-fnomudflap
-U_FORTIFY_SOURCE or -D_FORTIFY_SOURCE=0

To turn off non-exec stack, use

execstack -s ./programme 

or as gcc-linker option

-Wl,-z execstack  

In my security and privacy class, they used virtual machines that had vulnerable programs compiled with an older version of GCC that did not have canaries. You can also use newer versions of GCC and use command-line switches to disable security features like stack-smashing detection.

Either way, you'll need to recompile the programs if you're on a modern Linux distribution.

#include <stdio.h>

int main()
{ int x = 0; char buffer[8]; strcpy(buffer, "test hello world;-)"); return 0; }

After strcpy(), you have in x some ascii from this string, but if this string is too long, overvride ESP adres and program fail for protect from this and better ilustration buffer overrun, you must before declaration of x, declarate some big buffer to protect you overflow from esp address. (before x because variables is declarating on memory in stack arrange).

Edit: You can ilustrate it from StackOverflow Logo!!