# SI485H: Stack Based Binary Exploits (SP17)

Home Policy Calendar Units Assignments Resources

# HW 8: W-xor-X

## Instructions

• You must turn in a sheet of paper that is neatly typed or written answering the questions below. (You are strongly encouraged to type your homework.)
• This homework is graded out of 70 points. Point values are associated to each question.

## Questions

1. (5 points) Explain the principle of w-⊗-x as a way to protect against stack smashing attacks that load shell code.
2. (5 points) What `gcc` compilation is used to tunr off w-xor-x?
3. (5 points) What is a return-to-libc attack?
4. (5 points) What c-library function is typically called when performing a return-to-libc attack? Why do we choose this one?
5. (5 points) Explain the error output and how we know that this was a successful exploit.

```user@si485H-base:demo\$ ./vulnerable 10 `python -c "print 'A'*(0x2c+4)+'\x90\xa1\xe5\xb7'"`
Segmentation fault (core dumped)
```
6. (10 points) Draw the stack diagram for the function below after ret2libc attack is executed properly. Use the diagram to explain how you control the argument in a ret2libc attack.

``````void vuln(int i, char * s){

char buf[20];
strcpy(buf,s);

while(i-- > 0)
printf("%d: %s\n",i,buf);

return;
}
``````
7. (5 points) Suppose you're exploiting the function below. You know that the value of `s` is 0xbfff625. Provide an exploit string for a re2libc attack that will launch a shell.

``````void vuln(char * s){

char buf[20];
strcpy(buf,s);

while(i-- > 0)
printf("%d: %s\n",i,buf);

return;
}
``````
8. (5 point) If the function bad() is at address 0x0804847d and the address of good() is at address 0x0804852a, what order of functions results from the exploit string:

```./prog `python -c "print 'A'*(0x6c+4) + '\x7d\x84\x04\x08' + '\x2a\x85\x04\x08' + '\x2a\x85\x04\x08' + '\x7d\x84\x04\x08'"`
```
9. (5 point) Consider that the function bad() is defined as following:

``````void bad(int a){printf("%#08x\n",a);}
``````

and good() is defined as following

``````void good(){printf("Go Navy!\n");}
``````

What is the output given the exploit string if good() and bad() is at the same location as before?

```./prog `python -c "print 'A'*(0x6c+4) + '\x7d\x84\x04\x08' + '\x2a\x85\x04\x08' + '\xbe\xba\xfe\xca' + '\xef\xbe\xad\xde'"`
```
10. (5 point) Consider that the function bad() is defined as following:

``````void bad(int a, int b){printf("%#08x %#08x\n",a,b);}
``````

And good() is defined the same as before, what will the output of the program be?

```./prog `python -c "print 'A'*(0x6c+4) + '\x7d\x84\x04\x08' + '\x2a\x85\x04\x08' + '\xbe\xba\xfe\xca' + '\xef\xbe\xad\xde'"`
```
11. (5 points) Given the definition of `bad(int a, int b)` and `good()` from above, why can we not create a exploit string where we call `bad(0xcafebabe,0xdeadbeef)` then `good()` and then `bad()` again such that this time `bad(0xbadf00d,0xfeed3e3e)` is called?
12. (5 points) If we were to write an exploit string to do the sequence of function calls as desired above (ie, `bad(0xcafebabe)`, `good(0xdeadbeef)`, then `bad(0xbadf00d,0xfeed3e3e)`): What gadget would we need?
13. (5 points) Assuming the gadget was at memory address `0x080485a9`,complete the exploit string to do the desired sequence of function calls.