SI485H: Stack Based Binary Exploits (SP17)



Lab 08: Avoid and Conquer

Submission Instructions

Submission instructions for labs can be found on the resource pages. In particular, you should view this subsection: Creating a new branch and submitting

Part 1: The Woods are Dark and Deep (2 points)

Description

  • There is an egg hidden in the executable, and if you find it, you can run it to reveal the secret message.

Preamble

  • The assignment can be completed on your VM repository
  • You should ensure that ASLR is turned off

Instructions

  • Your task is to exploit the program thewoods with egg hunt shell code that will execute the hidden egg.
  • The egg you are hunting for is 0x41414141, appearing twice
  • You will be provided a pre-compiled executable. The source code for the vulnerable section of thewoods is below:

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>

    // Copies the command-line argument into a fixed 50-byte stack buffer
    // with strcpy, which performs no bounds check: this is the overflow.
    void vuln(int border, char *s){

      char buf[50];

      strcpy(buf,s);

      // border must still hold the constant that main passed in
      if(border != 0xcafebabe){
        printf("DANGER !!! ");
        exit(1);
      }
    }

    int main(int argc, char * argv[]){

      if( argc != 2){
        printf("INVALID\n");
        exit(2);
      }

      vuln(0xcafebabe, argv[1]);
      return 0;
    }
    
  • Once you've completed the exploit, save the secret message to secret.txt for submission

    ./thewoods YOUREXPLOIT > secret.txt
    

Submission

  • You must submit secret.txt

Hints

  • Hunt and you shall find.

Part 2: Sign THIS! (1 point)

Description

  • I've designed the best signature matching scheme ever, defeat it with your obfuscated shell code.

Preamble

  • This assignment must be completed on the clone-1 VM repository

    ssh -p 2201 saddleback.academy.usna.edu
    

Instructions

  • Your task is to come up with shell code to launch a shell that you can use to gain access to the secret file.
  • On the clone-1 VM you'll find the following executable, which your shell code must pass

    ~aviv/lab-8.2/sigmatch
    
  • You will also find a secret file at this path that you should have access to once you launch the shell.

    ~aviv/lab-8.2/secret.txt
    
  • The source code of the signature matcher, sigmatch.c, is below

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>

    //check for the sig0 start finished by sig1 in str
    int check_sig(char *str, char * sig0,char *sig1){

      char *p,*q;

      for(p=str;*p;p++){

        //checking for start of signature
        if ( strncmp(p,sig0,strlen(sig0)) == 0 ){

          //no end signature given: the start alone is a match
          if (! sig1) return 1;

          //checking for end of signature
          for(q=p;*q;q++){
            if (strncmp(q,sig1,strlen(sig1)) == 0){
              return 1;//found signature
            }
          }
        }
      }

      return 0; //did not find signature
    }

    int main(int argc, char * argv[]){

      if(argc < 2){
        printf("ERROR: Require argument\n");
        exit(1);
      }

      if ( check_sig(argv[1], "\xb0\x0b", "\xcd\x80") ||
           check_sig(argv[1], "\x31\xc9", "\xcd\x80") ||
           check_sig(argv[1], "bin", "sh") ||
           check_sig(argv[1], "sh", "bin") ||
           check_sig(argv[1], "\x90\x90", NULL) ||
           check_sig(argv[1], "\x90\x90\x90", NULL) ||
           check_sig(argv[1], "\x6f\x6f\x6f", NULL) ||
           check_sig(argv[1], "\x6f\x6f", NULL) ||
           check_sig(argv[1], "\x8a\x44\x0c\xff\x34", NULL)){

        printf("No Way Jose!\n");
        exit(2);
      }

      //execute argv[1] as binary code
      ((void(*)(void)) argv[1])();

      return 0;
    }
    

Submission

  • secret.txt, the secret message
  • obfuscate.asm, your obfuscated shell code

Hints

  • The current version of le-fourbytes.py could be edited if you find that useful