SI485H: Stack Based Binary Exploits (SP17)



Lab 02: Access Control, FAIL!

Submission Instructions

Submission instructions for labs can be found on the resource pages.

Part 1: Your password was what?!? (2 points)

Description

  • Use your knowledge of signedness to crack a password comparison tool

Preliminaries

  • This assignment must be completed on the course VM
  • gitlab repository:

    http://saddleback.academy.usna.edu/aviv/lab-2.1
    

Instructions

  • Fork and clone the repository
  • On the course VM, you'll find the access program at the following path:

    ~aviv/labs/2.1/access
    
  • The access program requires a 16-character password to unlock access to a secret message. However, there is a bug in the string comparison method which checks the password. The source of that method is found below:

    /* The comparison routine as shipped in the lab binary. Note that the
       running total is a single byte (char) and that the loop keeps going
       while either string still has characters. */
    char mycmp(char *s1, char *s2){
    
      char cmp=0;
      for( ; *s1 || *s2 ;){
        cmp += (*s1++) - (*s2++);   /* accumulate the per-character difference */
      }
      return cmp;                   /* 0 is treated as a match by the caller */
    }
    
  • If the comparison routine returns 0, access is granted; any other result means access is denied. The result code is printed to the screen after each try, like below:

    $ ./access 
    Enter Passwd
    thisisnothtepassword
    Result code: 6	denied
    
  • Your task is to gain access to the secret message by abusing the string comparison routine.
  • You should provide a solution.json file with the following fields once you've completed this task:

    {
        "passwd" : "cackingpasswd",
        "secret" : "the secret message"
    }
    

Submission Requirements

  • submission.json : submission information as json

Hints

  • Use a pipe to make your life easier so you don't have to type your guesses over and over again
  • You don't have to guess the exact password, there are many passwords that will crack this. Remember, the string comparison routine has a bug.
  • What happens when you keep adding 1 to a 1-byte value?
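
The following added example (not part of the lab or its binary) reproduces mycmp next to a hardened comparison and shows, with a constructed 16-character password rather than the lab's real one, how the one-byte total wraps back to 0 for two strings that are clearly different:

```c
#include <stdio.h>
#include <string.h>

/* The lab's comparison routine, reproduced as given. The running total is a
 * single byte, so it wraps modulo 256 and reaches 0 for many unequal
 * strings. It also walks past the shorter string's terminator when the
 * lengths differ, so only equal-length inputs are passed to it below. */
char mycmp(char *s1, char *s2) {
    char cmp = 0;
    for (; *s1 || *s2;) {
        cmp += (*s1++) - (*s2++);
    }
    return cmp;
}

/* Hardened replacement: lengths must match, then every byte is compared and
 * the differences are OR-ed together, so a mismatch can never cancel out. */
int safe_cmp(const char *s1, const char *s2) {
    size_t n = strlen(s1);
    if (n != strlen(s2)) {
        return 1;
    }
    unsigned char diff = 0;
    for (size_t i = 0; i < n; i++) {
        diff |= (unsigned char)s1[i] ^ (unsigned char)s2[i];
    }
    return diff != 0;
}

/* 1 when mycmp accepts a guess that the hardened comparison rejects. */
int false_accept(char *real, char *guess) {
    return mycmp(real, guess) == 0 && safe_cmp(real, guess) != 0;
}

int main(void) {
    /* Constructed 16-character password (not the lab's). The guess flips the
     * case of eight letters: each adds 'a' - 'A' = 32 to cmp, and 8 * 32 = 256
     * wraps the one-byte total back to 0. */
    char real[]  = "AAAAAAAAAAAAAAAA";
    char guess[] = "aaaaaaaaAAAAAAAA";
    printf("mycmp:        %d\n", mycmp(real, guess));
    printf("safe_cmp:     %d\n", safe_cmp(real, guess));
    printf("false accept: %s\n", false_accept(real, guess) ? "yes" : "no");
    return 0;
}
```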

Part 2: Hard coded passwords are bad, right? (2 points)

Description

  • Use your disassembly skills to determine what the hard coded password is.

Preliminaries

  • This assignment must be completed on the course VM
  • gitlab repository:

    http://saddleback.academy.usna.edu/aviv/lab-2.2
    

Instructions

  • Fork and clone the repository
  • On the course VM, you'll find the access program at the following path:

    ~aviv/labs/2.2/access
    
  • The access program reads a password from stdin, but the programmer (what a dope!) hard coded the password that is being compared to. He tried to obfuscate it, sort of.
  • Your task is to gain access to the secret message by deducing the password
  • You should provide a solution.json file with the following fields once you've completed this task:

    {
        "passwd" : "cackedpasswd",
        "secret" : "the secret message"
    }
    

Submission Requirements

  • submission.json : submission information as json

Hints

  • Use a pipe to make your life easier so you don't have to type your guesses over and over again
  • What looks like data in there? Don't forget to check your ASCII table.

Part 3: I obfuscated it, all better, right? (1 point)

Description

  • Use your shell analysis skills to determine what the hard coded password is.

Preliminaries

  • This assignment must be completed on the course VM
  • gitlab repository:

    http://saddleback.academy.usna.edu/aviv/lab-2.2
    

Instructions

  • Fork and clone the repository
  • On the course VM, you'll find the access program at the following path:

    ~aviv/labs/2.3/access
    
  • The access program reads a password from stdin, but the programmer has learned his lesson and is no longer storing the password in the clear; it's been obfuscated.
  • Your task is to gain access to the secret message by deducing the password.
  • You should provide a solution.json file with the following fields once you've completed this task:

    {
        "passwd" : "cackedpasswd",
        "secret" : "the secret message"
    }
    

Submission Requirements

  • submission.json : submission information as json

Hints

  • Use a pipe to make your life easier so you don't have to type your guesses over and over again
  • It's much harder to disassemble and figure out what is going on this time.
  • What other analysis tools have we learned that you can use on this program?