# Buffer-overflow Lab 


### What is a Buffer Overflow attack?
A buffer overflow occurs when a program or process attempts to write more data to a fixed-length block of memory than it can hold, so the extra data spills over into adjacent buffers and corrupts or overwrites whatever data they were holding.

In a buffer-overflow attack, the extra data that is written could hold malicious instructions that trigger a response causing the program to crash or run something else. If the program that triggers the buffer overflow is privileged, this could result in privilege escalation for something malicious.


### What is the Difference Between a 32-bit and a 64-bit Buffer Overflow attack?

The major difference between x32 and x64 machines is the length of the memory addresses. On a 64-bit machine memory addresses are 64 bits long, but addresses greater than 0x0000FFFFFFFFFFF (48 bits) will raise an exception and cause a segmentation fault.

64-bit registers have names beginning with "R"; the corresponding 32-bit registers begin with "E".

- The RBP register points to the base of the current stack frame (32-bit: EBP)
- The RSP register points to the top of the current stack frame (32-bit: ESP)
- The RIP register points to the next processor instruction

### 1. Overview
The learning objective of this lab is for students to gain first-hand experience with the buffer-overflow vulnerability by putting what they have learned about it in class into action. A buffer overflow is defined as the condition in which a program attempts to write data beyond the boundaries of pre-allocated fixed-length buffers. A malicious user can use this vulnerability to alter the control flow of the program, leading to the execution of malicious code. The vulnerability arises because the storage for data (e.g. buffers) and the storage for control information (e.g. return addresses) are mixed: an overflow in the data part can affect the control flow of the program, because the overflow can change the return address.

In this lab, students will be given a program with a buffer-overflow vulnerability; their task is to develop a scheme to exploit the vulnerability and finally gain root privilege. In addition to the attacks, students will be guided through several protection schemes that have been implemented in the operating system to counter buffer-overflow attacks. Students need to evaluate whether the schemes work or not and explain why. This lab covers the following topics:

- Buffer overflow vulnerability and attack
- Stack layout in a function invocation
- Shellcode
- Address randomization
- Non-executable stack
- StackGuard
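The vulnerable pattern the overview describes, beside a bounded replacement, as an added example (not the program the lab hands out): `copy_unchecked`, `copy_checked` and `frame_distance` are names chosen here, and the frame-layout helper assumes x86-64 with gcc or clang keeping a frame pointer.

```c
/* Added example, not the lab's own program: the vulnerable copy behind the
 * overflow described above, a bounded version beside it, and a helper that
 * measures where the return address sits relative to a local buffer. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_LEN 24

/* Vulnerable pattern: strcpy() has no idea the destination holds BUF_LEN
 * bytes. The buffer lives in this frame below the saved RBP and the return
 * address, so longer input runs into those control fields (defined behaviour
 * only for input shorter than BUF_LEN). */
int copy_unchecked(const char *input)
{
    char buffer[BUF_LEN];
    strcpy(buffer, input);                   /* unbounded copy */
    return (int)strlen(buffer);
}

/* Hardened version: refuse input that does not fit together with its
 * terminator instead of writing past the end. Returns -1 when rejected. */
int copy_checked(const char *input, char *out, size_t out_len)
{
    size_t n = strlen(input);
    if (n + 1 > out_len) return -1;
    memcpy(out, input, n + 1);
    return (int)n;
}

/* Bytes from the start of a BUF_LEN local buffer to the return-address slot:
 * __builtin_frame_address(0) is where the saved RBP lives and the return
 * address is the 8 bytes just above it (the RBP/RSP layout from the register
 * section). The value depends on compiler and flags, so measure, never assume. */
long frame_distance(void)
{
    volatile char buffer[BUF_LEN];           /* volatile keeps it on the stack */
    buffer[0] = 0;
    uintptr_t ret_slot = (uintptr_t)__builtin_frame_address(0) + 8;
    return (long)(ret_slot - (uintptr_t)buffer);
}

int main(void)
{
    char out[BUF_LEN], big[2 * BUF_LEN];
    memset(big, 'A', sizeof big - 1); big[sizeof big - 1] = '\0';
    printf("unchecked copy of \"hello\": %d chars\n", copy_unchecked("hello"));
    printf("checked copy of %zu 'A's: %d (-1 = rejected)\n", strlen(big),
           copy_checked(big, out, sizeof out));
    printf("buffer -> return address slot: %ld bytes\n", frame_distance());
    return 0;
}
```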

### Setting Up Jupyter Via CloudLab Console

After instantiation is complete and Anaconda is installed, open a shell on the node from the List View tab in CloudLab.

Once you are in the terminal, switch user to seed. In our lab the seed account has root privileges. To gain access to seed, enter the password ***dees***

```
$ su seed
Password: dees
```

Once you are under the seed account, change directories to /local/repository/. You want your Jupyter home directory to be /local/repository/ because that is where all the lab files are readily available.
```
seed@node:~$ cd /local/repository
seed@node:/local/repository$
```

Once you are in /local/repository, check your IP address; you will need it to access the notebook.
```
seed@node:/local/repository$ ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 02:2f:eb:3e:a7:10 brd ff:ff:ff:ff:ff:ff
    inet 130.127.135.7/22 brd 130.127.135.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::2f:ebff:fe3e:a710/64 scope link
       valid_lft forever preferred_lft forever
```
In the example above, the IP address is 130.127.135.7.

After you have found your IP address, generate the Jupyter notebook configuration with the following command:
```
seed@node:/local/repository$ jupyter notebook --generate-config

Writing default config to: /home/seed/.jupyter/jupyter_notebook_config.py
```
After generating the config file, make the notebook passwordless: run the following command and, when prompted to create a password, just hit the [Enter] key at both prompts.
```
seed@node:/local/repository$ jupyter notebook password

Enter password:
Verify password:

[NotebookPasswordApp] Wrote hashed password to /home/seed/.jupyter/jupyter_notebook_config.json
```
Now we can launch the notebook, which runs under the seed account. We bind it to the inet IP address found a few steps earlier with the following command:
```
seed@node:/local/repository$ jupyter notebook --ip 130.127.135.7 --no-browser

[I 18:51:36.564 NotebookApp] Writing notebook server cookie secret to /home/seed/.local/share/jupyter/runtime/notebook_cookie_secret
[I 18:51:37.287 NotebookApp] JupyterLab extension loaded from /opt/anaconda3/lib/python3.7/site-packages/jupyterlab
[I 18:51:37.288 NotebookApp] JupyterLab application directory is /opt/anaconda3/share/jupyter/lab
[I 18:51:37.291 NotebookApp] Serving notebooks from local directory: /home/seed
[I 18:51:37.291 NotebookApp] The Jupyter Notebook is running at:
[I 18:51:37.291 NotebookApp] http://130.127.135.7:8888/
[I 18:51:37.291 NotebookApp] Use Control-C to stop this server and shut down all kernels (twice to skip confirmation).
[I 18:51:46.186 NotebookApp] 302 GET / (108.4.213.14) 0.49ms
[I 18:51:46.274 NotebookApp] 302 GET /tree? (108.4.213.14) 0.45ms
[I 18:51:49.888 NotebookApp] 302 POST /login?next=%2Ftree%3F (108.4.213.14) 0.60ms
[I 18:52:05.236 NotebookApp] New terminal with automatic name: 1
TermSocket.open: 1
TermSocket.open: Opened 1
```
By clicking on the link http://130.127.135.7:8888/ we can open the notebook.

*The link and IP address will differ depending on the server you instantiated.*

Once you are in the notebook you can compile and run code, and you also have access to a Jupyter terminal shell through your web browser.


### 2. Lab Tasks

### 2.1 Turning Off Countermeasures

**Address Space Randomization**
Ubuntu and several other Linux-based systems use address space randomization to randomize the starting addresses of the heap and stack. This makes guessing exact addresses difficult, and guessing addresses is one of the critical steps of buffer-overflow attacks. In this lab, we disable this feature using the following command:
```
$ sudo sysctl -w kernel.randomize_va_space=0
```
**The StackGuard Protection Scheme**
The GCC compiler implements a security mechanism called StackGuard
to prevent buffer overflows. In the presence of this protection, buffer overflow attacks will not work.
We can disable this protection during the compilation using the `-fno-stack-protector` option. For example,
to compile a program example.c with StackGuard disabled, we can do the following:

```
$ gcc -fno-stack-protector example.c
```
**Non-Executable Stack**

Ubuntu used to allow executable stacks, but this has now changed: the binary images of programs (and shared libraries) must declare whether they require an executable stack or not, i.e., they need to mark a field in the program header. The kernel or dynamic linker uses this marking to decide whether to make the stack of the running program executable or non-executable. This marking is done automatically by recent versions of gcc, and by default stacks are set to be non-executable. To change that, use the following option when compiling programs:

For executable stack:

```
$ gcc -z execstack -o test test.c
```

For non-executable stack:

```
$ gcc -z noexecstack -o test test.c
```
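An added check (not part of the lab materials) that reads a binary's own PT_GNU_STACK program header, the marking the `-z execstack` / `-z noexecstack` lines above set, so you can verify which way a compiled `test` was actually built. It assumes a Linux ELF64 binary and the glibc `<elf.h>` header; `gnu_stack_executable` and `classify_constructed` are names chosen here.

```c
/* Added example, not from the lab: classify a binary's PT_GNU_STACK header,
 * the field gcc -z execstack / -z noexecstack sets and the kernel and dynamic
 * linker consult when mapping the stack. ELF64 only, as on an x86-64 machine. */
#include <elf.h>
#include <stdio.h>
#include <string.h>

/* 1 = stack marked executable (PF_X set), 0 = non-executable, -1 = not a
 * usable ELF64 image or no PT_GNU_STACK header at all (treat as unverified). */
int gnu_stack_executable(const unsigned char *img, size_t len)
{
    Elf64_Ehdr eh; Elf64_Phdr ph;
    if (len < sizeof eh) return -1;
    memcpy(&eh, img, sizeof eh);
    if (memcmp(eh.e_ident, ELFMAG, SELFMAG) || eh.e_ident[EI_CLASS] != ELFCLASS64 ||
        eh.e_phentsize < sizeof ph) return -1;
    for (unsigned i = 0; i < eh.e_phnum; i++) {
        size_t off = (size_t)eh.e_phoff + (size_t)i * eh.e_phentsize;
        if (off + sizeof ph > len) return -1;           /* truncated image */
        memcpy(&ph, img + off, sizeof ph);
        if (ph.p_type == PT_GNU_STACK) return (ph.p_flags & PF_X) ? 1 : 0;
    }
    return -1;
}

/* Constructed test input: a minimal ELF64 image whose only program header is
 * PT_GNU_STACK carrying `flags`. Returns that image's classification. */
int classify_constructed(Elf64_Word flags)
{
    unsigned char img[sizeof(Elf64_Ehdr) + sizeof(Elf64_Phdr)];
    Elf64_Ehdr eh = {0}; Elf64_Phdr ph = {0};
    memcpy(eh.e_ident, ELFMAG, SELFMAG);
    eh.e_ident[EI_CLASS] = ELFCLASS64; eh.e_ident[EI_DATA] = ELFDATA2LSB;
    eh.e_phoff = sizeof eh; eh.e_phentsize = sizeof ph; eh.e_phnum = 1;
    ph.p_type = PT_GNU_STACK; ph.p_flags = flags;
    memcpy(img, &eh, sizeof eh); memcpy(img + sizeof eh, &ph, sizeof ph);
    return gnu_stack_executable(img, sizeof img);
}

int main(int argc, char **argv)
{
    static unsigned char img[1 << 16];      /* program headers sit near the start */
    FILE *f = argc > 1 ? fopen(argv[1], "rb") : NULL;
    if (!f) { fprintf(stderr, "usage: %s <elf-binary>\n", argv[0]); return 2; }
    size_t n = fread(img, 1, sizeof img, f); fclose(f);
    int r = gnu_stack_executable(img, n);
    printf("%s: GNU_STACK %s\n", argv[1], r == 1 ? "RWE (executable)" :
           r == 0 ? "RW (non-executable)" : "absent or unreadable");
    return r < 0;
}
```

Build it with `gcc -o gnustack gnustack.c` and run `./gnustack ./test` against each of the two builds above; `readelf -lW test | grep GNU_STACK` shows the same flags column.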