Investigation into the use of gets() in buffer overflow attacks

Overview:

During a homework assignment, we discovered that gets() cannot be exploited in the same manner as strcpy(). At first glance, both C library functions would appear equally vulnerable to a buffer overflow attack via stdin, since both use a buffer to store input and both accept input from stdin. However, we determined that gets() does not respond to malformed input supplied directly on stdin, but can be exploited if a file holding malformed input is redirected to gets().

This project has three goals:

  • determine the specifics of why this is;
  • attempt either to find a method to exploit gets() in the same manner as strcpy(), or to show why such a method is not possible;
  • explore similar exploits.

Our plan is to review in detail exactly how both gets() and strcpy() work when they are part of a buffer overflow attack (using the gdb utility), attempt to craft a buffer overflow attack using gets() that works in a manner similar to buffer overflow attacks that use strcpy(), and report on the results.
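As an added illustration (not part of the original proposal or of the paper it announces), the following C program shows the defensive side of the comparison above: a bounded line reader that stands in for gets() using fgets() and reports when an input line did not fit, and a bounded copy that stands in for strcpy(). The root problem with both originals is that neither can learn the size of the destination buffer; gets() was deprecated in C99 and removed in C11 for exactly that reason. The function names, the 16-byte buffer and the sample input lines here are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

#define LINE_MAX_LEN 16  /* deliberately small so an overlong line is easy to construct */

/* Result codes for read_line_bounded() (names chosen for this example). */
enum line_status { LINE_OK = 0, LINE_TRUNCATED = 1, LINE_EOF = 2 };

/*
 * Bounded stand-in for gets(): reads one line from `in` into `buf`, writing
 * at most `size` bytes including the terminating NUL. gets() stops only at a
 * newline or EOF and knows nothing about the size of `buf`; fgets() never
 * writes past `size` bytes. If the line did not fit, the leftover bytes are
 * drained so the next call starts on the next line, and LINE_TRUNCATED is
 * returned instead of silently overflowing the buffer.
 */
enum line_status read_line_bounded(char *buf, size_t size, FILE *in)
{
    if (fgets(buf, (int)size, in) == NULL) {
        buf[0] = '\0';
        return LINE_EOF;
    }
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';          /* strip the newline, as gets() would */
        return LINE_OK;
    }
    /* No newline in the buffer: the line either ended at EOF, fit exactly,
     * or was longer than the buffer. Peek one byte to tell these apart. */
    int c = fgetc(in);
    if (c == EOF || c == '\n')
        return LINE_OK;               /* last line without newline, or exact fit */
    while (c != '\n' && c != EOF)     /* discard the bytes that did not fit */
        c = fgetc(in);
    return LINE_TRUNCATED;
}

/*
 * Bounded stand-in for strcpy(): copies `src` into `dst` of `size` bytes and
 * always NUL-terminates. Returns 1 if the whole string fit, 0 if it had to be
 * truncated, which is exactly the condition under which strcpy() would have
 * written past the end of `dst`.
 */
int copy_bounded(char *dst, size_t size, const char *src)
{
    if (size == 0)
        return 0;
    size_t n = strlen(src);
    if (n >= size) {
        memcpy(dst, src, size - 1);
        dst[size - 1] = '\0';
        return 0;
    }
    memcpy(dst, src, n + 1);
    return 1;
}

/* Helper: turn a constructed string into a readable stream (ISO C tmpfile()). */
FILE *open_text_stream(const char *text)
{
    FILE *in = tmpfile();
    if (in == NULL)
        return NULL;
    fputs(text, in);
    rewind(in);
    return in;
}

int main(void)
{
    char buf[LINE_MAX_LEN];
    /* Constructed input: a short line, a 40-byte line that would overflow a
     * gets() call with this buffer, and a final line without a newline. */
    FILE *in = open_text_stream("hello\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nlast");
    if (in == NULL)
        return 1;
    enum line_status st;
    while ((st = read_line_bounded(buf, sizeof buf, in)) != LINE_EOF)
        printf("status=%d line=\"%s\"\n", (int)st, buf);
    fclose(in);
    return 0;
}
```

The check in read_line_bounded() matters for the case the proposal studies: with a redirected file, a line is limited only by the file, so a reader that cannot notice "the line did not fit" is a reader that overflows. Reporting truncation, rather than silently dropping or overflowing, lets the caller reject the input.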

References:
  1. Smashing The Stack for Fun and Profit
  2. gets() man page
  3. strcpy() man page

Link to the actual paper:

As the project progresses, a link will be placed to it here.

Author: Frank Gearhart

Presented as partial fulfillment of the course requirements for Fall 2005 CS591; University of Colorado at Colorado Springs, Colorado