SI485H: Stack Based Binary Exploits (SP17)


Home Policy Calendar Units Assignments Resources

Lab 06: a little push esp makes the shell code go round

Submission Instructions

Submission instructions for labs can be found on the resource pages. In paticular, you should view this subsection: Creating a new branch and submitting

Part 1: Cat-tastic (2 point)

Description

  • Write shell code that will cat /etc/passwd to stdout using /bin/cat and the execve system call.

Preamble

  • The assignment can be completed on your vm repository
  • gitlab repository
http://saddleback.academy.usna.edu/aviv/lab-6.1

Instructions

  • Fork and clone the repository
  • Your task is to complete the exploit.asm file such that when compiled and run, it will printout /etc/passwd using /bin/cat. For example, here is the execution of the exploit:

    user@si485H-base:5.1$ ./exploit 
    root:x:0:0:root:/root:/bin/bash
    daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
    bin:x:2:2:bin:/bin:/usr/sbin/nologin
    (...)
    

    And if we strace it, we see that, yes, it runs /bin/cat

    user@si485H-base:5.1$ strace ./exploit > /dev/null 
    execve("./exploit", ["./exploit"], [/* 20 vars */]) = 0
    execve("/bin/cat", ["/bin/cat", "/etc/passwd"], [/* 0 vars */]) = 0
    (...)
    
  • To demonstrate your exploit, use the hexify.sh program to place your byte code in the dummy_exploit.c program. So that when it is compiled and run, it will show the exploit.

Submission

  • You must submit two files: exploit.asm and dummy_exploit.c
  • exploit.asm will contain your assembly code for the shell code
  • dummy_exploit.c will contain the bytes of your shell code in a mock exploit

Hints

  • You do not need to worry of null bytes, but you will need to worry about fixed references

Part 2: System Call Timesamp-Bonaza (3 point)

Description

  • Write shell code that has no NULLS, will open a file, write the current time to it, close the file, and exit.

Preamble

  • The assignment can be completed on your vm repository
  • gitlab repository
http://saddleback.academy.usna.edu/aviv/lab-6.2

Instructions

  • Fork and clone the repository
  • You must complete the exploit.asm program with instructions that will execute the following system calls that will execute the equivlalent c program below:

    int fd = open("timestamp.dat", O_WRONLY|O_CREAT|O_TRUNC, 0600);
    time_t t = time(NULL);
    write(fd,&time,4);
    close(fd);
    exit(0);
    
  • Your program should have NO fied referecens and NO null bytes (except for one terminated the shell code)
  • When executed properly, you should see the following strace output:

    user@si485H-base:5.2$ strace -x ./exploit 
    execve("./exploit", ["./exploit"], [/* 20 vars */]) = 0
    open("timestamp.dat", O_WRONLY|O_CREAT|O_TRUNC, 0660) = 3
    time(NULL)                              = 1442952463
    write(3, "\x0f\xb5\x01\x56", 4)         = 4
    close(3)                                = 0
    _exit(0)                                = ?
    +++ exited with 0 +++
    user@si485H-base:5.2$ hexdump -C timestamp.dat 
    00000000  0f b5 01 56                                       |...V|
    00000004
    

    Of course timestamp may change, but you can check the timestamp in timestamp.dat with hexdump:

    user@si485H-base:5.2$ ./exploit 
    user@si485H-base:5.2$ hexdump -C timestamp.dat 
    00000000  0e b6 01 56                                       |...V|
    00000004
    user@si485H-base:5.2$ ./exploit 
    user@si485H-base:5.2$ hexdump -C timestamp.dat 
    00000000  11 b6 01 56                                       |...V|
    00000004
    
  • Your program should also work with the dumy exploit like so:

    user@si485H-base:5.2$ ./dummy_exploit $(printf `./hexify.sh ./exploit`)
    user@si485H-base:5.2$ hexdump -C timestamp.dat 
    00000000  2a b6 01 56                                       |*..V|
    00000004
    user@si485H-base:5.2$ ./dummy_exploit $(printf `./hexify.sh ./exploit`)
    user@si485H-base:5.2$ hexdump -C timestamp.dat 
    00000000  34 b6 01 56                                       |4..V|
    00000004
    

Submission

  • Complete files

Hints

  • Look up your system call numbers and their arugments
  • Use the stack to save previous return values, like the file descriptor
  • Be creative with avoiding NULL bytes with adds, shifts, and what not

Part 3: Grep-a-root-a-licious (2 point)

Description

  • Complete shell code that will grep out the root entry in /etc/passwd

Preamble

  • The assignment can be completed on your vm repository
  • gitlab repository
http://saddleback.academy.usna.edu/aviv/lab-6.3

Instructions

  • Fork and clone the repository
  • Create assembly in exploit.asm that will execute the following command via a call to execve:

    /bin/grep root /etc/passwd
    
  • Was completed, running exploit should result in:

    user@si485H-base:5.3$ ./exploit 
    root:x:0:0:root:/root:/bin/bash
    
  • I will check your strace to make sure you are making the right system calls with the right arguments
  • Your resulting shell code should have NO fixed references and NO NULL bytes. It should work with the dummy exploit like so:

    user@si485H-base:5.3$ ./dummy_exploit $(printf `./hexify.sh ./exploit`)
    root:x:0:0:root:/root:/bin/bash
    

Submission

  • Complete the file exploit.asm for your submission

Hints

  • jmp-callback is not the only way to get references to strings, consider:

    push 0x6e69622f
    mov eax,esp
    

    0x6e69622f is the ascii values of "/bin" and now eax stores the address of that string. It's not null terminated, yet…

  • "/bin/grep" is the same as "/bin////grep" and "/bin////grep" can be broken into groupings of 4, which seems really useful given the above hint.
  • "/etc/passwd" is the same "//etc/passwd" for the same useful hint as above
  • "root" is already of length 4, fortunately.
  • 0x2f is "/"
  • Little endian!
  • Go Navy!