SI485H: Stack Based Binary Exploits (SP17)


Home Policy Calendar Units Assignments Resources

HW 5: Socket Programming

Instructions

  • You must turn in a sheet of paper that is neatly typed or written answering the questions below. (You are strongly encouraged to type your homework.)
  • This homework is graded out of 80 points. Point values are associated to each question.

Questions

  1. For each of the socket programming API calls below, provide (a) the arguments, (b) the return value, and (c) the function as called to set up a reverse shell.
    1. (3 points) socket()
    2. (3 points) bind()
    3. (3 points) listen()
    4. (3 points) accept()
  2. (3 points) On most Intel, x86 machines, what is the difference between network and host byte order?
  3. (5 points) Complete the code for the struct sockaddr_in such that the host will bind to address 192.168.2.1 on port 582.

    struct sockaddr_in host_addr;
    memset(&(host_addr), '\0', sizeof(struct sockaddr_in));
    host_addr.sin_family= /* ... */;
    host_addr.sin_port=/* ... */;
    host_addr.sin_addr.s_addr=/* ... */;
    
  4. (5 points) Explain how the following code snippet connects the newly connected client with the newly executed /bin/sh.

    dup2(client, 0);
    dup2(client, 1);
    dup2(client, 2);
    
  5. (5 points) Modify the code snippet below such that multiple clients can connect to the remote shell such that a new shell is created for each connecting client.

    client = accept(server,
                    (struct sockaddr *) &client_addr,
                    &sin_size);
    
    dup2(client, 0);
    dup2(client, 1);
    dup2(client, 2);
    char *args[2]={"/bin//sh", NULL};
    execve(args[0], args, NULL);
    
  6. For each of the socket API calls, translate them to their socketcall equivalent. Yes, you may need to declare new variables to do this or infer variable type information, such as a host_addr and client_addr are of type sockaddr_in.
    1. (3 points) sockfd = socket(AF_INET, SOCK_STREAM, IPPROTO_IP)
    2. (3 points) bind(sockfd, &host_addr, sizeof(struct sockaddr_in))
    3. (3 points) listen(sockfd,4)
    4. (3 points) accept(sockfd, &client_addr, &sin_size)
  7. (3 points) Why is it necessary to setup our own syscall method to perform socketcall's?
  8. Describe the socketcall arguments from the assembly code:

    1. (5 points)

      xor ecx,ecx
      mov cl,0x2
      push ecx
      push esi ;sockfd
      mov ecx, esp
      xor ebx,ebx
      mov bl, 0x4
      xor eax,eax
      mov al,0x66
      int 0x80
      
    2. (5 points)

      xor ecx,ecx
      push ecx
      push ecx
      push esi ;sockfd
      mov ecx,esp
      xor ebx,ebx
      mov bl, 0x5
      xor eax,eax
      mov al,0x66
      int 0x80
      mov edi,eax
      
    1. (5 points)

      xor eax,eax
      push eax
      push 0x1
      push 0x2
      mov ecx,esp
      xor ebx,ebx
      mov bl,0x1
      mov al,0x66
      int 0x80
      mov esi,eax
      
    2. (5 points)

      xor eax,eax
      push eax
      push WORD 0xbeef
      push WORD 0x02
      mov ecx,esp
      push 0x16
      push ecx
      push esi ;sockfd
      xor ebx,ebx
      mov bl,0x2
      mov ecx,esp
      mov al,0x66
      int 0x80
      
  9. (10 points) If register edx stores the value for the socket file descriptor (sockfd), and ecx stores the value of an open file descriptor. Write the dup2() code in assembly such that all the standard file descriptors are from the shell will be duplicated to the socket.