SI485H: Stack Based Binary Exploits (SP17)



Lab 10: Connect and Conquer

Submission Instructions

Submission instructions for labs can be found on the resource pages. In particular, you should view this subsection: Creating a new branch and submitting

Part 1: Brute Force is far from brutal (2 points)

Description

  • Exploit the program by brute force to get the secret

Preamble

  • This lab must be completed on the si485h-base VM

    ssh -p 2222 saddleback.academy.usna.edu
    

Instructions

  • The si485h-base machine has ASLR turned on, but that shouldn't stop you from being able to exploit the program, right?!
  • The vulnerable program is found at the following path

    ~aviv/labs/10.1/vulnerable
    
  • The source code is provided below:

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <unistd.h>
    
    void foo(){
    
      char buf[0x10];
    
      printf("%s", "Say something spirtiful!\n");
    
      setregid(getegid(),getegid());
    
      scanf("%s",buf);
    
    }
    
    int main(int argc, char * argv[]){
      foo();
      printf("Go Army!\n");
      exit(0);
    }
    
  • Brute force an exploit that can read the secret file.

    ~aviv/labs/10.1/secret.txt
    

Submissions

  • You must submit the secret message in the file secret.txt

Hints

  • Write a bash script of some sort to make this easier
  • Choose an address whose bytes aren't ASCII white space (scanf's %s stops reading at white space)
  • You might need to modify your shell code so that it does not contain ASCII white space
  • You could use a port-bind shell code if you want to launch a shell
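A defender-side counterpart to this part, added here as an example and not part of the course material: a brute-force run against ASLR leaves a burst of crashes of the same binary, each faulting at the same guessed ip while the stack pointer moves from run to run. The script below parses constructed syslog-style kernel segfault lines (host name, timestamps and addresses are made up) and flags that pattern.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed syslog-style kernel segfault lines (not captured from the lab VM):
# five crashes of one binary within three seconds, then one unrelated crash.
SAMPLE_LOG = """\
Apr 10 14:02:01 si485h-base kernel: vulnerable[4120]: segfault at bfff0010 ip bfff0010 sp bf8e41c0 error 14
Apr 10 14:02:01 si485h-base kernel: vulnerable[4121]: segfault at bfff0010 ip bfff0010 sp bfa1c3b0 error 14
Apr 10 14:02:02 si485h-base kernel: vulnerable[4122]: segfault at bfff0010 ip bfff0010 sp bfc72900 error 14
Apr 10 14:02:02 si485h-base kernel: vulnerable[4123]: segfault at bfff0010 ip bfff0010 sp bf93d5e0 error 14
Apr 10 14:02:03 si485h-base kernel: vulnerable[4124]: segfault at bfff0010 ip bfff0010 sp bfe0a7f0 error 14
Apr 10 14:07:30 si485h-base kernel: firefox[2231]: segfault at 0 ip b7612a31 sp bff4a2c0 error 4 in libxul.so[b7000000+2000000]
"""

SEGV_RE = re.compile(
    r"(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: (?P<comm>[^\[]+)\[(?P<pid>\d+)\]: "
    r"segfault at [0-9a-f]+ ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error \d+")

def parse_segfaults(text):
    """Pull (timestamp, command name, faulting ip, sp) out of each segfault line."""
    events = []
    for line in text.splitlines():
        m = SEGV_RE.search(line)
        if m:
            events.append({"ts": datetime.strptime(m["ts"], "%b %d %H:%M:%S"),
                           "comm": m["comm"], "ip": int(m["ip"], 16), "sp": int(m["sp"], 16)})
    return events

def detect_bruteforce(events, window=timedelta(seconds=60), threshold=5):
    """Alert when one binary crashes `threshold` times inside `window`; a constant
    faulting ip with a varying sp is one guessed address meeting a randomized stack."""
    by_comm = defaultdict(list)
    for ev in events:
        by_comm[ev["comm"]].append(ev)
    alerts = []
    for comm, evs in by_comm.items():
        evs.sort(key=lambda ev: ev["ts"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:   # slide the window forward
                start += 1
            burst = evs[start:end + 1]
            if len(burst) >= threshold:
                alerts.append({"comm": comm, "count": len(burst),
                               "fixed_ip": len({ev["ip"] for ev in burst}) == 1,
                               "stack_moved": len({ev["sp"] for ev in burst}) > 1})
                break
    return alerts
```

On a real host the same parser can be fed `dmesg` or `/var/log/kern.log` output; a kernel that logs every segfault is what makes this brute-force visible at all.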

Part 2: Everyone, jump, jump! (2 points)

Description

  • Exploit the program by finding a jump/bounce point to break randomness for a statically compiled program to reveal the secret message.

Preamble

  • This lab must be completed on the si485h-base VM

    ssh -p 2222 saddleback.academy.usna.edu
    

Instructions

  • The si485h-base machine has ASLR turned on, but that shouldn't stop you from being able to exploit the program, right?!
  • The vulnerable program is found at the following path

    ~aviv/labs/10.2/vulnerable
    
  • The code is compiled statically, so you should be able to find a bounce point. I recommend looking for the following gadget:

    push esp
    ret
    

    You can compile that gadget in NASM to get the bytes to find.

  • The source code is provided below:

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <unistd.h>
    
    void foo(char * s){
    
      char buf[0x10];
    
      strcpy(buf,s);
    
      return;
    
    }
    
    int main(int argc, char * argv[]){
    
      if(argc < 2){
        printf("I pitty the fool who doesn't give me at least one argument\n");
        exit(1);
      }
    
      if(strlen(argv[1]) > 100){
        printf("That's just too damn long!\n Try something less tahn 100 bytes.\n");
        exit(1);
      }
    
    
      foo(argv[1]);
      printf("Go Army!\n");
      exit(0);
    }
    
  • Once you find a jump point, try launching a shell and reading the secret file

    ~aviv/labs/10.2/secret.txt
    

Submissions

  • You must submit the secret message in the file secret.txt

Hints

  • Use objdump, grep, objcopy to find the jump/bounce point's address.
  • You could brute force this, but it might take you a week …
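Added example, not part of the course material: the property this part relies on is that a statically linked, non-PIE executable keeps all of its code at fixed addresses, so ASLR has nothing to move and any gadget in it stays put. The script below classifies an ELF from its header and program headers (ELF32 and ELF64); `build_elf32` is a hypothetical helper that fabricates minimal, non-loadable images only so the check runs offline, and `check_file` is the wrapper you would point at a real binary.

```python
import struct

ET_EXEC, ET_DYN = 2, 3          # e_type: fixed-address executable vs. relocatable object
PT_DYNAMIC, PT_INTERP = 2, 3    # program-header types that mark dynamic linking

def elf_layout(data):
    """Return (e_type, [p_type, ...]) from the start of an ELF32 or ELF64 image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    e = "<" if data[5] == 1 else ">"          # EI_DATA: little- or big-endian
    if data[4] == 2:                          # EI_CLASS: ELF64
        e_type, = struct.unpack_from(e + "H", data, 16)
        e_phoff, = struct.unpack_from(e + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(e + "HH", data, 54)
    else:                                     # ELF32 (the lab VM's format)
        e_type, = struct.unpack_from(e + "H", data, 16)
        e_phoff, = struct.unpack_from(e + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(e + "HH", data, 42)
    ptypes = [struct.unpack_from(e + "I", data, e_phoff + i * e_phentsize)[0]
              for i in range(e_phnum)]
    return e_type, ptypes

def classify(data):
    """How much of this binary's code ASLR is able to move."""
    e_type, ptypes = elf_layout(data)
    dynamic = PT_INTERP in ptypes or PT_DYNAMIC in ptypes
    if e_type == ET_DYN:
        return "pie" if PT_INTERP in ptypes else "shared-object"
    if not dynamic:
        return "static-nopie"      # every gadget sits at a fixed address
    return "dynamic-nopie"         # program fixed, shared libraries randomized

def build_elf32(e_type, ptypes):
    """Hypothetical helper: construct a minimal little-endian ELF32 image (header plus
    program headers) for demonstration; it is not loadable, just enough to classify."""
    ident = b"\x7fELF" + bytes([1, 1, 1]) + bytes(9)   # ELFCLASS32, LSB, version 1
    hdr = ident + struct.pack("<HHIIIIIHHHHHH", e_type, 3, 1, 0x8048000, 52, 0, 0,
                              52, 32, len(ptypes), 0, 0, 0)
    phdrs = b"".join(struct.pack("<8I", t, 0, 0, 0, 0, 0, 0, 0) for t in ptypes)
    return hdr + phdrs

def check_file(path):
    with open(path, "rb") as f:
        return classify(f.read(4096))    # header and program headers sit at the front
```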

Part 3: Turn up the base! (3 points)

Description

  • Exploit the program by identifying the base address of libc to calculate the jump point to run shell code that reveals the secret message.

Preamble

  • This lab must be completed on the si485h-base VM

    ssh -p 2222 saddleback.academy.usna.edu
    

Instructions

  • The si485h-base machine has ASLR turned on, but that shouldn't stop you from being able to exploit the program, right?!
  • The vulnerable program is found at the following path

    ~aviv/labs/10.3/vulnerable
    
  • The code is not compiled statically, but you can find a bounce point in libc by searching for the following gadget.

    push esp
    ret
    

    You can calculate the offset of that bounce point from the mapped base of libc.

  • The vulnerable program blocks reading from stdin, so while it waits for input you can look in /proc/[pid]/maps to learn the process's memory map, including where libc is loaded, where [pid] is replaced by the process id.
  • The source code is provided below:

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <unistd.h>
    
    void foo(){
    
      char buf[0x10];
    
      scanf("%100s",buf);
    
      return;
    
    }
    
    int main(int argc, char * argv[]){
    
      foo();
      printf("Go Army!\n");
      exit(0);
    }
    
  • Once you've calculated the jump point, use carefully crafted shell code to print out the secret file, found here:

    ~aviv/labs/10.3/secret.txt
    

Submissions

  • You must submit the secret message in the file secret.txt

Hints

  • Use gdb to find the offset of the gadget
  • You're not going to be able to brute force this one.
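Added example, not course code: the check a defender would run on the same observation this part makes. It parses /proc/[pid]/maps output from two runs of the program (a constructed sample; the expanded path, inode numbers, libc file name and addresses are illustrative) and reports whether an object's base moved between runs and whether its internal layout stayed identical, which is why knowing one libc address fixes the location of everything else in it. The non-PIE program image, by contrast, does not move at all.

```python
import re

# /proc/[pid]/maps line: start-end perms offset dev inode [path]
MAPS_RE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+) (\S{4}) ([0-9a-f]+) \S+ \d+\s*(.*)$")

# Constructed sample: two runs of a non-PIE 32-bit program on an ASLR host
# (paths and addresses are illustrative, not captured from the lab VM).
RUN1 = """\
08048000-08049000 r-xp 00000000 08:01 131081 /home/aviv/labs/10.3/vulnerable
0804a000-0804b000 rw-p 00001000 08:01 131081 /home/aviv/labs/10.3/vulnerable
b75e1000-b7785000 r-xp 00000000 08:01 262311 /lib/i386-linux-gnu/libc-2.19.so
b7785000-b7787000 r--p 001a3000 08:01 262311 /lib/i386-linux-gnu/libc-2.19.so
b7787000-b7788000 rw-p 001a5000 08:01 262311 /lib/i386-linux-gnu/libc-2.19.so
bfd2c000-bfd4d000 rw-p 00000000 00:00 0 [stack]
"""
RUN2 = """\
08048000-08049000 r-xp 00000000 08:01 131081 /home/aviv/labs/10.3/vulnerable
0804a000-0804b000 rw-p 00001000 08:01 131081 /home/aviv/labs/10.3/vulnerable
b7599000-b773d000 r-xp 00000000 08:01 262311 /lib/i386-linux-gnu/libc-2.19.so
b773d000-b773f000 r--p 001a3000 08:01 262311 /lib/i386-linux-gnu/libc-2.19.so
b773f000-b7740000 rw-p 001a5000 08:01 262311 /lib/i386-linux-gnu/libc-2.19.so
bf8a1000-bf8c2000 rw-p 00000000 00:00 0 [stack]
"""

def parse_maps(text):
    regions = []
    for line in text.splitlines():
        m = MAPS_RE.match(line.strip())
        if m:
            regions.append({"start": int(m[1], 16), "end": int(m[2], 16),
                            "perms": m[3], "offset": int(m[4], 16), "path": m[5]})
    return regions

def object_layout(regions, name):
    """Mappings of the object whose path contains `name`, as (start, end, perms)
    relative to its load base: the lowest mapping of file offset 0."""
    mine = [r for r in regions if name in r["path"]]
    base = min(r["start"] for r in mine if r["offset"] == 0)
    return base, [(r["start"] - base, r["end"] - base, r["perms"]) for r in mine]

def aslr_report(runs, name):
    """Across several runs: did the object's base move, and did its internal
    layout stay identical (so one known address pins every other one)?"""
    results = [object_layout(parse_maps(t), name) for t in runs]
    bases = [b for b, _ in results]
    layouts = [tuple(l) for _, l in results]
    return {"bases": bases,
            "randomized": len(set(bases)) > 1,
            "layout_stable": len(set(layouts)) == 1}
```

Feeding it the maps of several real runs of any setuid program is a quick way to confirm that ASLR is live on a host and to see which images (here the non-PIE executable) it cannot protect.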