SI485H: Stack Based Binary Exploits and Defenses (F15)
Home Policy Calendar Resources

Lab 04: Hulk Smash Now!

Table of Contents

Submission Instructions

Submission instructions for labs can be found on the resource pages. In paticular, you should view this subsection: Creating a new branch and submitting

Part 1: Loop Smashing for Fun and Profit (1 point)

Description

  • Given the compiled program looper, create a stack smashing buffer overflow to change the loop structure to match the desired output.

Preamble

  • The assignment can be completed on your vm repository
  • gitlab repository
http://saddleback.academy.usna.edu/aviv/lab-4.1

Instructions

  • Fork and clone the repository
  • Find the program looper, which will execute like so:
$ ./looper "Go Navy!"
0:10: Go Navy!
1:9: Go Navy!
2:8: Go Navy!
3:7: Go Navy!
4:6: Go Navy!
5:5: Go Navy!
  • Use gdb and your knowledge of stack smashing to have the program execute in the following manner:
$ ./looper <SOME STACK SMASH OF YOUR CREATION>
 -16:-1: <OUTPUT>
 -15:-2: <OUTPUT>
 -14:-3: <OUTPUT>
 -13:-4: <OUTPUT>
 -12:-5: <OUTPUT>
 -11:-6: <OUTPUT>
 -10:-7: <OUTPUT>
  -9:-8: <OUTPUT>

Submission

  • NOTE NEW SUBMISSION INSTRUCTIONS HAVE CHANGD
  • Complete two files: exploit.sh and descript.txt

    • exploit.sh should contain an executable version of your exploit 

      #!/bin/bash
./loop <SOME STACK SMASH OF YOUR CREATION>

      Such that when executed, you get the desired result: 

      $ ./exploit.sh
-16:-1: <OUTPUT>
-15:-2: <OUTPUT>
-14:-3: <OUTPUT>
-13:-4: <OUTPUT>
-12:-5: <OUTPUT>
-11:-6: <OUTPUT>
-10:-7: <OUTPUT>
-9:-8: <OUTPUT>
    • desript.txt should contain a short description of the exploit

Hints

  • 2's compliment numbers?
  • What are the arguments to vulnerable function?

Part 2: Loop-de-(Loop-de-(Loop-de-( … ))) For Fun and Profit (3 point + 1 point)

Description

  • Given the compiled program recursion, create an exploit that will cause an infinite loop of calls to the recruse function and the bad function.
  • You only have to get this explioit to work in gdb. Extra credit is awarded for coming up with an exploit outside of gdb.

Preamble

  • The assignment can be completed on your vm repository
  • gitlab repository
http://saddleback.academy.usna.edu/aviv/lab-4.2

Instructions

  • Fork and clone the repository

  • You'll find the program recursion whose source code is below: 

      #include <stdio.h>
  #include <stdlib.h>
  #include <string.h>

void bad(){
   printf("You did it!\n");
}

void recurse(char * input){

  char buf[0x30];

  strcpy(buf,input);

  return;
}

int main(int argc, char * argv[]){

  recurse(argv[1]);
}
  • Find an exploit string in gdb such that the program will recurse forever by calling bad and recurse back and forth (until memory runs out and segfault occurs)
  • To do this, you want to
    1. Overflow the buffer in vulnerable such that bad is called
    2. The next value on the stack (the return value) to bad, should be recurse function
    3. The stack should further be setup such that the argument to recurse is the exploit string (again), so the whole process repeats.

Extra Credit

  • Develop an exploit string outside of gdb

Submission

  • NOTE NEW SUBMISSION INSTRUCTIONS HAVE CHANGED

    • Complete the following files to receive credit:

      • exploit.gdb : file containing the command line as you used in gdb. In this case, it would just be the line 

        r `python -c "...."`

        Your file should execute the exploit if run like this: 

        $ gdb --batch --command=exploit.gdb ./recursion
You did it!
You did it!
You did it!
You did it!
You did it!
You did it!
You did it!
You did it!
You did it!
(...)
      • descript.txt : file containing a short description of your exploit

    • If you complete the extra credit, complete the file called exploit.sh: 

      #!/bin/bash
./recursion `python -c " .... "`

      which when run, will complete the exploit: 

      $ ./exploit.sh
You did it!
You did it!
You did it!
You did it!
You did it!
You did it!
You did it!
You did it!
You did it!
(...)

Hints

  • gdb changes the address space layout … you'll need to do some experimentation to determine how many bytes gdb affects the stack addresses.

Part 3: Smashing for Secrets (2 points)

Description

  • Given the compiled program vuln find a way to smash the stack to find the secret message.
  • Your exploit should work, in and out of gdb.

Preamble

  • The assignment can be completed on your vm repository
  • gitlab repository
http://saddleback.academy.usna.edu/aviv/lab-4.3

Instructions

  • Fork and clone the repository
  • You'll find the program vuln which you need to analyze using objdump and gdb to determine the fulnerability.
  • Once you've identified the vulnerability. exploit it to reveal the secret message.

Submision

  • NOTE NEW SUBMISSION INSTRUCTIONS HAVE CHANGED
  • Complete two files for submission: exploit.sh and descript.txt

  • exploit.sh should contain the expoit executable like so: 

    #/bin/bash
python -c " .... " | ./vuln

    such that when run, the secret message is displayed 

    $ ./exploit.sh
<SECRET MESSAGE>
  • descript.txt contains information about how you achieved your exploit

Hints

  • strings is a very useful tool … ;-)