SI485H: Stack Based Binary Exploits (SP17)



Lab 01: git'em done

Submission Instructions

Submission instructions for labs can be found on the resource pages. In particular, you should view this subsection: Creating a new branch and submitting

Part 1: Knife, Spoon, Fork (1 point)

Description

  • You will perform basic git commands to fork/clone/push

Preliminaries

  • This assignment can be completed on any machine
  • gitlab repository:

    http://saddleback.academy.usna.edu/aviv/lab-1.1
    

Instructions

  • Fork and clone the assignment repository
  • Update a json file: fill-me-in.json
  • Create a new json file called current-temp.json that has the following fields:

    Location : current location (type string)
    Timestamp : seconds since epoch (type number) 
    GPS : gps coordinates of weather reading (type string)
    temp : temperature in celsius (type number)
    
  • Submit all work to gitlab

Submission Requirements

  • fill-me-in.json : json you fill in
  • current-temp.json : new json you create

Part 2: Crack the secret message (3 points)

Description

  • Write a C program to brute force an encrypted message

Preliminaries

  • This assignment can be completed on any machine
  • gitlab repository:

    http://saddleback.academy.usna.edu/aviv/lab-1.2
    
  • Fork and clone the repository

Instructions

  • The following string encodes a secret message

    char enc[] = "\xb2\x70\xc1\xc0\xe0\x72\x95\x85\xb4\x30\xc0\x85\xa2\x32\xc6\xc7"
      "\xe7\x54\x87\xf9\xe3\x02\x8f\xb6\xfc\x08\xdd\xa7\xb4\x1d\xdb\xe6"
      "\xae\x55\xc0\xfb\xe1\x53\x88\xe7\xfe\x59\x8c\xf6\xa1\x0d\xf3\xa6"
      "\x97\x1c\xfd\xe7\x90\x59\xe2\xf1\xc3\x5e\xaa\xe4\xc5\x1f\xb0\xac"
      "\xde\x02\xff\xb2\x90\x06\xe6\xb8\x94\x17\xb9\xec\xf4\x52\x9b\xed"
      "\xba\x5a\xde\xf2\xac\x09\xd9\xba\xb9\x0f\x98\xa0\xf1\x14\x85\xef"
      "\xeb\x43\x8f\xeb\xfa\x1c\xdb\x95\xb3\x2a\xd7\xd1\xbb\x65\xc8\xdb"
      "\xe9\x74\x80\xce\xef\x35\x9a\x86\xf4\x28\xd5\x94\xbb\x2a\xc9\x85"
      "\xe4\x7e\xa9\xc0\xc9\x69\xa6\x92\xca\x26\xb9\x98\x98\x37\xf1\x8d"
      "\x9e\x76\xeb\xc5\x85\x6b\xa4\xc4\xd7\x70\xa1\xce\xd3\x61\xfc\x9a";
    
  • The string was encrypted using the following encryption routine that employs Cipher-Block-Chaining (CBC mode) with two byte increments.

    void encrypt(char * msg, int len, short key){
      //Encryption Routine: xor each 2-byte block with the key and with the
      //previous ciphertext block; the first block is chained with the IV
      unsigned short iv =  0xcafe;
      int i;
      for(i=0; i < len ; i+=2){
        unsigned short * seg = (unsigned short *) &msg[i];
        *seg = *seg ^ key ^ iv;
        iv = *seg;   //the ciphertext block just produced chains into the next
      }    
    }
    
  • Note that the ^ operator in C is the xor, which has the following properties:
    • a ^ a = 0
    • a ^ 0 = a
    • a ^ b = b ^ a
    • a ^ b ^ a = a ^ a ^ b = 0 ^ b = b
  • Your task is to crack the encryption by determining the key and decrypting the message
  • You should write a C program named cracker.c where you crack the secret message and produce the key, as a two byte short value.
  • Once you have cracked the message complete a solution.json file with the following fields (replaced with the solution results):

    {
      "key" : "0x0000",
      "msg" : "the secret message"
    }
    

Submission Requirements

  • cracker.c : cracker.c code for cracking the input
  • solution.json : json file with secret information

Hints

  • Why not brute force … only two byte keys?
  • How can you check if the message is in ASCII? Have you checked out an ASCII table recently? http://www.asciitable.com/
  • What might be some common words that would decrypt? (But, this phrase doesn't have "the" in it …)

Part 3: Write an Encryption Routine (3 points)

Description

  • Implement a new encryption routine that can encrypt an arbitrary message using command line arguments

Preliminaries

  • This assignment can be completed on any machine
  • gitlab repository:

    http://saddleback.academy.usna.edu/aviv/lab-1.3
    

Instructions

  • Fork and clone the repository
  • Write a C program named encrypt.c that will encrypt a message using the following routine (in pseudo code)

    key := command_line_argument[1]  ; must be at most a 2-byte number
    IV  := command_line_argument[2]  ; must be at most a 2-byte number
    msg := command_line_argument[3]  
    
    cipher_text := [] ; /empty list/
    
    length = len(msg)       ; length calculation should include trailing null byte
    
    if length % 2 == 1:     ; round message length up so divisible by 2
       msg = msg|'\0'       
       length := length+1
    
    i := 0
    while i < length {    
       m1 := msg[i]
       m2 := msg[i+1]
    
       plain_block = m2|m1    ; single bytes concatenated to form 2-byte block
                              ; note the order of byte is reversed
    
       cipher_block := plain_block ^ key ^ IV  ; encrypt with xor
    
       cipher_text := cipher_text|cipher_block ; concatenate cipher_block 
                                              ; on the cipher_text
    
       IV := cipher_block
       i := i+2
    }
    
    output to stdout: cipher_text as hex encoded string
    
  • You should also provide an example of your encryption in a solution.json file with the following fields filled in

    {
        "key": "0x0000",
        "IV" : "0x0000",
        "msg": "the message that was encrypted",
        "enc": "the encryption of the message using string hex notation"
    }
    
  • You will also find a compiled executable decrypt that you can use to test your output. Here's the -h output of that program:

    user@si485H-base:1.3$ ./decrypt -h
    USAGE: ./decrypt key iv msg msg_len
    
    key     : hex value for the key, e.g  "0xffff"
    IV      : hex value for the IV, e.g., "0xffff"
    msg     : the message to be decrypted
    msg_len : the length of the message (in case it contains NULL)
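
  • Added example (not the lab's code, and not a solution to its ciphertext): the routine above written with the IV as a parameter, so that the same function serves Part 3's pseudo code and, run in reverse, the brute force over all 65536 two-byte keys from Part 2, with the printable-ASCII filter the hints suggest. The message "Attack at dawn!" and the key 0x1337 are constructed for the demonstration; the IV 0xcafe is the one from the lab's routine.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The lab's construction: each 2-byte block is XORed with the key and with the
   previous ciphertext block (the IV for the first block). When decrypting, the
   chaining value is the ciphertext block that was just read. */
static void xor_cbc(uint8_t *buf, int len, uint16_t key, uint16_t iv, int decrypt) {
    for (int i = 0; i + 1 < len; i += 2) {
        uint16_t blk = (uint16_t)(buf[i] | (buf[i + 1] << 8)); /* m2|m1, little-endian */
        uint16_t out = blk ^ key ^ iv;
        iv = decrypt ? blk : out;
        buf[i] = (uint8_t)out;
        buf[i + 1] = (uint8_t)(out >> 8);
    }
}
/* Plausibility test for a candidate plaintext: NUL-terminated, every other
   byte printable ASCII (0x20..0x7e) or a NUL pad byte. */
static int looks_like_text(const uint8_t *buf, int len) {
    if (len < 2 || buf[len - 1] != '\0') return 0;
    for (int i = 0; i < len - 1; i++)
        if (buf[i] != '\0' && (buf[i] < 0x20 || buf[i] > 0x7e)) return 0;
    return 1;
}
/* Brute force all 65536 keys and collect those whose decryption looks like
   text. Returns the number of candidates stored (at most max), -1 on error. */
static int crack(const uint8_t *enc, int len, uint16_t iv, uint16_t *cands, int max) {
    uint8_t buf[256];
    int n = 0;
    if (len > (int)sizeof buf) return -1;
    for (uint32_t k = 0; k <= 0xffff && n < max; k++) {
        memcpy(buf, enc, len);
        xor_cbc(buf, len, (uint16_t)k, iv, 1);
        if (looks_like_text(buf, len)) cands[n++] = (uint16_t)k;
    }
    return n;
}
int main(void) {
    uint8_t msg[] = "Attack at dawn!";  /* constructed sample, 15 chars + NUL */
    int len = (int)sizeof msg;
    xor_cbc(msg, len, 0x1337, 0xcafe, 0);   /* hypothetical key, the lab's IV */
    uint16_t cands[256];
    int n = crack(msg, len, 0xcafe, cands, 256);
    printf("%d candidate key(s), e.g.", n);
    for (int i = 0; i < n && i < 8; i++) printf(" 0x%04x", cands[i]);
    printf("\n");
    return 0;
}
```

  Because plain_i = cipher_i ^ key ^ cipher_(i-1), a wrong key XORs every plaintext block with the same constant, so on a short message several keys survive a purely printable check; the candidate list still needs the common-words test from the hints (or a look by eye) to pick the real one.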
    

Sample Usage

  • Here's what your output for encrypt should look like:

    aviv@si485H-saddleback:1.3$ ./encrypt "0xffff" "0xbbbb" "Hello World!"
    key: 0xffff IV:0xbbbb
    msg: "Hello World!"
    msg_len: 14
    \x21\xc\xb2\x9f\x6d\xf\xfd\xa7\x6e\x2a\xb0\xb1\x4f\x4e
    
  • Here's that message decrypted with the provided decrypt function

    user@si485H-base:1.3$ ./decrypt "0xffff" "0xbbbb" $(printf "\x21\xc\xb2\x9f\x6d\xf\xfd\xa7\x6e\x2a\xb0\xb1\x4f\x4e") 14
    key: 0xffff IV:0xbbbb
    msg: "\x21\xc\xb2\x9f\x6d\xf\xfd\xa7\x6e\x2a\xb0\xb1\x4f\x4e"
    msg_len: 14
    Hello World!
    

Submission Requirements

  • Makefile : Makefile to compile encrypt.c
  • encrypt.c : source code for encryption routine
  • submission.json : submission information as json

Hints

  • pointer casting can really help, say casting a short * to char *.
  • Remember your bit-wise operators:
    • & : bit-wise and
    • | : bit-wise or
    • ^ : bit-wise xor
    • << : left shift
    • >> : right shift