SI485H: Stack Based Binary Exploits (SP17)



Lab 11: (FTW) Format for The Win

Submission Instructions

Submission instructions for labs can be found on the resource pages. In particular, you should view this subsection: Creating a new branch and submitting

Part 1: Reveal the Secret (1 point)

Description

  • Use a format string attack to reveal the password that, when used, will print the secret message.

Preamble

  • This lab must be completed on the si485h-clone1 VM

    ssh -p 2201 saddleback.academy.usna.edu
    

Instructions

  • The vulnerable program is found at the following path

    ~aviv/labs/11.1/crack
    
  • This program's source code is provided as part of the repo, but you must exploit the compiled version found at the path above.
  • Once you've learned the password, it should print the secret message.

Submissions

  • You must submit the secret message in the file secret.txt

Hints

  • Have you tried a format string attack? What format might you want to use?

Part 2: Launch a shell (3 points)

Description

  • Use a format string attack to launch a shell to access the secret message.

Preamble

  • This lab must be completed on the si485h-clone1 VM

    ssh -p 2201 saddleback.academy.usna.edu
    

Instructions

  • The vulnerable program is found at the following path

    ~aviv/labs/11.2/crack
    
  • This program's source code is provided as part of the repo, but you must exploit the compiled version found at the path above.
  • You should launch a shell once you've completed the exploit. You can then find the secret message at the following path:

    ~aviv/labs/11.2/secret.txt
    

Submissions

  • You must submit the secret message in the file secret.txt

Hints

  • There will be some challenges finding the return address and where to jump to. Work in gdb first to test your format, then calculate the offsets to get it to work outside of gdb.

Part 3: Write a byte here or there (2 points)

Description

  • Use a format string attack to overwrite a value that will reveal a secret message.

Preamble

  • This lab must be completed on the si485h-clone1 VM

    ssh -p 2201 saddleback.academy.usna.edu
    

Instructions

  • The vulnerable program is found at the following path

    ~aviv/labs/11.3/crack
    
  • This program's source code is provided as part of the repo, but you must exploit the compiled version found at the path above.
  • If you write the right byte you'll get the secret message.

Submissions

  • You must submit the secret message in the file secret.txt

Hints

  • Which byte might you want to overwrite? How would you learn its address?
  • You'll also have to look pretty far up the stack to find the format string itself to get it to reference the right address.