Buffer Overflow Example Programs
Orion Sky Lawlor, olawlor@acm.org, 2005/2/4 (Public Domain)

(Modern 2011 version: you may need -fno-stack-protector on a modern gcc
with stack canaries enabled. This is a *lot* harder on 64-bit machines,
because the buffer address contains embedded NUL bytes.)

Small set of programs demonstrating a buffer overflow vulnerability.
Will only work on x86 on Linux; but corresponding attacks can be
written for other machines and operating systems.

vulnerable.c is a little C program with a buffer overflow as it
reads from auth.txt.

invulnerable.c is the same program without the buffer overflow hole.

evil.as is the assembly code we'd like to run via the buffer overflow
hole. It's just a call to 'write' and then a call to 'exit'. This was
assembled using the Linux assembler, as (gas), to form the basis of
evil.c; so you don't have to run it--it's just for reference.

evil.c writes out a special auth.txt file containing our buffer
overflow exploit. For the auth.txt file to work, you'll need to set
"exploit_addr" to the correct address of the overflowing buffer.
Trying out vulnerable first is the only sure way to find out this
address; otherwise you'll just have to keep trying and trying,
because the stack address depends on the runtime environment.

Typical usage:
1.) Build and run vulnerable.c. Remember the address it prints out.
2.) Edit evil.c's "exploit_addr" to point to this address.
3.) Build and run evil.c to generate an overflowing auth.txt.
4.) Run vulnerable again. It should print out EVIL_DEEDS_HERE!
    as soon as getAuthLevel returns.
5.) Run invulnerable on the same auth.txt file. Note that it
    doesn't do anything unusual.

Remember that *any* change to the environment will change the
address of the buffer, so you'll have to run vulnerable in exactly
the same way in steps (1) and (4) or you'll just segfault, because
you've jumped to the wrong address.
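As an added illustration (this is not the source of vulnerable.c or invulnerable.c, which is not reproduced here), here is the shape of the hole and of its fix: an auth.txt reader with an unbounded read beside the bounded version. The function names, the 16-byte buffer, the "admin" token and the level numbers are assumptions modelled on the README's getAuthLevel.

```c
/* Added example, not the original vulnerable.c / invulnerable.c. */
#include <stdio.h>
#include <string.h>

#define AUTH_LEN 16   /* assumed size of the on-stack buffer */

/* Vulnerable pattern: "%s" carries no width limit, so a token longer
   than AUTH_LEN in auth.txt overruns auth[] into the saved frame data. */
int getAuthLevel_vulnerable(FILE *f) {
    char auth[AUTH_LEN];
    if (fscanf(f, "%s", auth) != 1) return 0;
    return strcmp(auth, "admin") == 0 ? 2 : 1;
}

/* Hardened pattern: fgets writes at most sizeof auth bytes, and a line
   that did not fit is rejected outright instead of being truncated. */
int getAuthLevel_safe(FILE *f) {
    char auth[AUTH_LEN];
    if (fgets(auth, sizeof auth, f) == NULL) return 0;   /* empty file */
    size_t n = strlen(auth);
    if (n > 0 && auth[n - 1] == '\n') {
        auth[--n] = '\0';              /* whole line fit: strip newline */
    } else if (fgetc(f) != EOF) {
        return -1;                     /* more bytes remain: over-long line */
    }
    return strcmp(auth, "admin") == 0 ? 2 : 1;
}

/* Builds an in-memory auth.txt from a constructed string. */
static FILE *auth_from_string(const char *body) {
    FILE *f = tmpfile();
    if (f == NULL) return NULL;
    fputs(body, f);
    rewind(f);
    return f;
}

/* Runs only the safe reader over a constructed auth.txt body. */
int check_auth(const char *body) {
    FILE *f = auth_from_string(body);
    if (f == NULL) return -2;
    int level = getAuthLevel_safe(f);
    fclose(f);
    return level;
}
```

With -fstack-protector the vulnerable reader aborts with a canary check failure on an over-long token, which is exactly why the 2011 note above mentions turning the protector off for the demonstration.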