SI485H: Stack Based Binary Exploits (SP17)


Home Policy Calendar Units Assignments Resources

Lab 03: Fooey … so many bits

Submission Instructions

Submission instructions for labs can be found on the resource pages.

Part 1: Beef Fooey (1 point + 1 point)

Description

  • Given the dissaembled object file, write a functionally equivalent C program that produces the same results.

Preliminaries

  • The assignment can be completed on any machine
  • gitlab repository
http://saddleback.academy.usna.edu/aviv/lab-2.1

Instructions

  • fork and clone the repo
  • You will find two files
    • main.c : a file containing the main program
    • foo.c : a blank file which you will in
  • Complete foo.c such that the C code functionally matches the following disassembly. (It doesn't have to precisely match, but it does need to produce roughly the same output).

     0000000 <foo>:
     0:	55                   	push   ebp
     1:	89 e5                	mov    ebp,esp
     3:	8b 45 0c             	mov    eax,DWORD PTR [ebp+0xc]
     6:	c1 e0 0b             	shl    eax,0xb
     9:	83 c0 61             	add    eax,0x61
     c:	01 45 08             	add    DWORD PTR [ebp+0x8],eax
     f:	8b 45 0c             	mov    eax,DWORD PTR [ebp+0xc]
    12:	c1 e0 0e             	shl    eax,0xe
    15:	83 c0 76             	add    eax,0x76
    18:	01 45 08             	add    DWORD PTR [ebp+0x8],eax
    1b:	8b 45 0c             	mov    eax,DWORD PTR [ebp+0xc]
    1e:	c1 e0 0e             	shl    eax,0xe
    21:	83 c0 79             	add    eax,0x79
    24:	01 45 08             	add    DWORD PTR [ebp+0x8],eax
    27:	8b 45 0c             	mov    eax,DWORD PTR [ebp+0xc]
    2a:	c1 e0 0f             	shl    eax,0xf
    2d:	83 c0 21             	add    eax,0x21
    30:	01 45 08             	add    DWORD PTR [ebp+0x8],eax
    33:	8b 45 08             	mov    eax,DWORD PTR [ebp+0x8]
    36:	5d                   	pop    ebp
    37:	c3                   	ret
    
  • If completed properly, you should expect the following output from executing main:

    user@si485H-base:2.1$ for i in `seq 1 1 5`; do for j in `seq 1 1 5`; do ./main $i $j; done; done
    foo(0x1,0x1) = 0x00010972
    foo(0x1,0x2) = 0x00021172
    foo(0x1,0x3) = 0x00031972
    foo(0x1,0x4) = 0x00042172
    foo(0x1,0x5) = 0x00052972
    foo(0x2,0x1) = 0x00010973
    foo(0x2,0x2) = 0x00021173
    foo(0x2,0x3) = 0x00031973
    foo(0x2,0x4) = 0x00042173
    foo(0x2,0x5) = 0x00052973
    foo(0x3,0x1) = 0x00010974
    foo(0x3,0x2) = 0x00021174
    foo(0x3,0x3) = 0x00031974
    foo(0x3,0x4) = 0x00042174
    foo(0x3,0x5) = 0x00052974
    foo(0x4,0x1) = 0x00010975
    foo(0x4,0x2) = 0x00021175
    foo(0x4,0x3) = 0x00031975
    foo(0x4,0x4) = 0x00042175
    foo(0x4,0x5) = 0x00052975
    foo(0x5,0x1) = 0x00010976
    foo(0x5,0x2) = 0x00021176
    foo(0x5,0x3) = 0x00031976
    foo(0x5,0x4) = 0x00042176
    foo(0x5,0x5) = 0x00052976
    

Submission Requirements

  • main.c main program
  • foo.c foo function

Bonus 1 point

  • There is a hidden message in the instructions (hint: it's not "beef", but you're on the right track)
  • If you cracked the message, create a solution.json file in your repo with the following fields:
{
  "msg": "the secret message",
  "desc": "a description of how you found the secret file"
}

Part 2: Shifty Fooey (2 point)

Description

  • Given the dissaembled object file, write a functionally equivalent C program that produces the same results.

Preliminaries

  • The assignment can be completed on any machine
  • gitlab repository
http://saddleback.academy.usna.edu/aviv/lab-2.2

Instructions

  • fork and clone the repo
  • You will find two files
    • main.c : a file containing the main program
    • foo.c : a blank file which you will in
  • Complete foo.c such that the C code functionally matches the following disassembly. (It doesn't have to precisely match, but it does need to produce the same output).

     00000000 <foo>:
     0:	55                   	push   ebp
     1:	89 e5                	mov    ebp,esp
     3:	83 ec 10             	sub    esp,0x10
     6:	8b 45 08             	mov    eax,DWORD PTR [ebp+0x8]
     9:	0f b6 c0             	movzx  eax,al
     c:	89 45 fc             	mov    DWORD PTR [ebp-0x4],eax
     f:	8b 45 08             	mov    eax,DWORD PTR [ebp+0x8]
    12:	25 00 ff 00 00       	and    eax,0xff00
    17:	89 45 f8             	mov    DWORD PTR [ebp-0x8],eax
    1a:	8b 45 08             	mov    eax,DWORD PTR [ebp+0x8]
    1d:	25 00 00 ff 00       	and    eax,0xff0000
    22:	89 45 f4             	mov    DWORD PTR [ebp-0xc],eax
    25:	8b 45 08             	mov    eax,DWORD PTR [ebp+0x8]
    28:	25 00 00 00 ff       	and    eax,0xff000000
    2d:	89 45 f0             	mov    DWORD PTR [ebp-0x10],eax
    30:	c1 6d f0 18          	shr    DWORD PTR [ebp-0x10],0x18
    34:	c1 65 f4 08          	shl    DWORD PTR [ebp-0xc],0x8
    38:	c1 65 fc 10          	shl    DWORD PTR [ebp-0x4],0x10
    3c:	81 75 f8 00 ff 00 00 	xor    DWORD PTR [ebp-0x8],0xff00
    43:	8b 45 f8             	mov    eax,DWORD PTR [ebp-0x8]
    46:	8b 55 fc             	mov    edx,DWORD PTR [ebp-0x4]
    49:	09 d0                	or     eax,edx
    4b:	0b 45 f4             	or     eax,DWORD PTR [ebp-0xc]
    4e:	0b 45 f0             	or     eax,DWORD PTR [ebp-0x10]
    51:	c9                   	leave  
    52:	c3                   	ret
    
  • If completed properly, you should expect the following output from executing main:

    aviv@si485H-saddleback:2.2$ ./main 0xcafebabe
    foo(0xcafebabe) = 0xfebe45ca
    aviv@si485H-saddleback:2.2$ ./main 0xdeadbeef
    foo(0xdeadbeef) = 0xadef41de
    

Submission Requirements

  • main.c main program
  • foo.c foo function

Part 3: Pointy Fooey (3 point)

Description

  • Given the dissaembled object file, write a functionally equivalent C program that produces the same results.

Preliminaries

  • The assignment can be completed on any machine
  • gitlab repository
http://saddleback.academy.usna.edu/aviv/lab-2.3

Instructions

  • fork and clone the repo
  • You will find two files
    • main.c : a file containing the main program
    • foo.c : a blank file which you will in
  • Complete foo.c such that the C code functionally matches the following disassembly. (It doesn't have to precisely match, but it does need to produce roughly the same output).

     00000000 <foo>:
     0:	55                   	push   ebp
     1:	89 e5                	mov    ebp,esp
     3:	83 ec 10             	sub    esp,0x10
     6:	8b 45 08             	mov    eax,DWORD PTR [ebp+0x8]
     9:	89 45 f8             	mov    DWORD PTR [ebp-0x8],eax
     c:	eb 04                	jmp    12 <foo+0x12>
     e:	83 45 f8 01          	add    DWORD PTR [ebp-0x8],0x1
    12:	8b 45 f8             	mov    eax,DWORD PTR [ebp-0x8]
    15:	0f b6 00             	movzx  eax,BYTE PTR [eax]
    18:	84 c0                	test   al,al
    1a:	75 f2                	jne    e <foo+0xe>
    1c:	83 6d f8 01          	sub    DWORD PTR [ebp-0x8],0x1
    20:	8b 45 08             	mov    eax,DWORD PTR [ebp+0x8]
    23:	89 45 fc             	mov    DWORD PTR [ebp-0x4],eax
    26:	eb 25                	jmp    4d <foo+0x4d>
    28:	8b 45 fc             	mov    eax,DWORD PTR [ebp-0x4]
    2b:	0f b6 00             	movzx  eax,BYTE PTR [eax]
    2e:	88 45 f7             	mov    BYTE PTR [ebp-0x9],al
    31:	8b 45 f8             	mov    eax,DWORD PTR [ebp-0x8]
    34:	0f b6 10             	movzx  edx,BYTE PTR [eax]
    37:	8b 45 fc             	mov    eax,DWORD PTR [ebp-0x4]
    3a:	88 10                	mov    BYTE PTR [eax],dl
    3c:	8b 45 f8             	mov    eax,DWORD PTR [ebp-0x8]
    3f:	0f b6 55 f7          	movzx  edx,BYTE PTR [ebp-0x9]
    43:	88 10                	mov    BYTE PTR [eax],dl
    45:	83 45 fc 01          	add    DWORD PTR [ebp-0x4],0x1
    49:	83 6d f8 01          	sub    DWORD PTR [ebp-0x8],0x1
    4d:	8b 45 fc             	mov    eax,DWORD PTR [ebp-0x4]
    50:	3b 45 f8             	cmp    eax,DWORD PTR [ebp-0x8]
    53:	72 d3                	jb     28 <foo+0x28>
    55:	90                   	nop
    56:	c9                   	leave  
    57:	c3                   	ret
    
  • No sample output is provided for this one, you must complete the following solution.json:

    {
      "description" : "Program description"
      "input1" : "some input",
      "output1" : "what it produces as output",
      "input2": "some input",
      "output2": "what it produces as output",
      }
    
  • Note, it is important that your solution uses pointer arithmetic and not indexing,

Submission Requirements/

  • main.c main program
  • foo.c foo function
  • solution.json solution information

Part 4: Hash Fooey (3 points)

Description

  • Given the dissaembled object file, write a functionally equivalent C program that produces the same results.

Preliminaries

  • The assignment can be completed on any machine
  • gitlab repository
http://saddleback.academy.usna.edu/aviv/lab-2.4

Instructions

  • fork and clone the repo
  • You will find two files
    • main.c : a file containing the main program
    • foo.c : a blank file which you will in
  • Complete foo.c such that the C code functionally matches the following disassembly. (It doesn't have to precisely match, but it does need to produce roughly the same output).
0x08048493 <+0>:	push   ebp 
0x08048494 <+1>:	mov    ebp,esp
0x08048496 <+3>:	push   ebx
0x08048497 <+4>:	sub    esp,0x24
0x0804849a <+7>:	mov    WORD PTR [ebp-0xa],0x0
0x080484a0 <+13>:	mov    DWORD PTR [ebp-0x10],0x0
0x080484a7 <+20>:	jmp    0x80484e6 <foo+83>
0x080484a9 <+22>:	mov    edx,DWORD PTR [ebp-0x10]
0x080484ac <+25>:	mov    eax,DWORD PTR [ebp+0x8]
0x080484af <+28>:	add    eax,edx
0x080484b1 <+30>:	mov    DWORD PTR [ebp-0x14],eax
0x080484b4 <+33>:	mov    eax,DWORD PTR [ebp-0x14]
0x080484b7 <+36>:	movzx  eax,WORD PTR [eax]
0x080484ba <+39>:	xor    WORD PTR [ebp-0xa],ax
0x080484be <+43>:	movzx  eax,WORD PTR [ebp-0xa]
0x080484c2 <+47>:	shr    ax,0x8
0x080484c6 <+51>:	mov    edx,eax
0x080484c8 <+53>:	movzx  eax,WORD PTR [ebp-0xa]
0x080484cc <+57>:	shl    eax,0x8
0x080484cf <+60>:	or     eax,edx
0x080484d1 <+62>:	mov    WORD PTR [ebp-0xa],ax
0x080484d5 <+66>:	movzx  eax,WORD PTR [ebp-0xa]
0x080484d9 <+70>:	imul   ax,ax,0xa7a7
0x080484de <+75>:	mov    WORD PTR [ebp-0xa],ax
0x080484e2 <+79>:	add    DWORD PTR [ebp-0x10],0x2
0x080484e6 <+83>:	mov    ebx,DWORD PTR [ebp-0x10]
0x080484e9 <+86>:	mov    eax,DWORD PTR [ebp+0x8]
0x080484ec <+89>:	mov    DWORD PTR [esp],eax
0x080484ef <+92>:	call   0x8048330 <strlen@plt>
0x080484f4 <+97>:	cmp    ebx,eax
0x080484f6 <+99>:	jb     0x80484a9 <foo+22>
0x080484f8 <+101>:	movzx  eax,WORD PTR [ebp-0xa]
0x080484fc <+105>:	add    esp,0x24
0x080484ff <+108>:	pop    ebx
0x08048500 <+109>:	pop    ebp
0x08048501 <+110>:	ret
  • If implemented properly, you should expect the following output
aviv@si485H-saddleback:2.4$ ./main "H"
hash("H") =  0xf800
aviv@si485H-saddleback:2.4$ ./main "He"
hash("He") =  0x1ce3
aviv@si485H-saddleback:2.4$ ./main "Hel"
hash("Hel") =  0x9f44
aviv@si485H-saddleback:2.4$ ./main "Hell"
hash("Hell") =  0xa210
aviv@si485H-saddleback:2.4$ ./main "Hello"
hash("Hello") =  0xf0ae
aviv@si485H-saddleback:2.4$ ./main "Hello "
hash("Hello ") =  0xfbce
aviv@si485H-saddleback:2.4$ ./main "Hello W"
hash("Hello W") =  0x2fbd
aviv@si485H-saddleback:2.4$ ./main "Hello Wo"
hash("Hello Wo") =  0xbb8c
aviv@si485H-saddleback:2.4$ ./main "Hello Wor"
hash("Hello Wor") =  0x28fd
aviv@si485H-saddleback:2.4$ ./main "Hello Worl"
hash("Hello Worl") =  0x7f41
aviv@si485H-saddleback:2.4$ ./main "Hello World"
hash("Hello World") =  0x4ed9

Submission Requirements/

  • main.c main program
  • foo.c foo function completed

Hints

  • If you see a command you may not know already, e.g., imul or jb, you should look up what it does.
  • Note the types in the function declaration of foo(): shorts can overflow in multiplication if the result is greater than 0xFFFF.