Lab 05: a little push esp h makes the shell code go round
Submission Instructions
Submission instructions for labs can be found on the resource pages. In particular, you should view this subsection: Creating a new branch and submitting
Part 1: Cat-tastic (1 point)
Description
- Write shell code that will cat /etc/passwd to stdout using /bin/cat and the execve system call.
Preamble
- The assignment can be completed on your VM
- gitlab repository: http://saddleback.academy.usna.edu/aviv/lab-5.1
Instructions
- Fork and clone the repository
Your task is to complete the exploit.asm file such that, when compiled and run, it will print out /etc/passwd using /bin/cat. For example, here is the execution of the exploit:
    user@si485H-base:5.1$ ./exploit
    root:x:0:0:root:/root:/bin/bash
    daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
    bin:x:2:2:bin:/bin:/usr/sbin/nologin
    (...)
And if we strace it, we see that, yes, it runs /bin/cat:
    user@si485H-base:5.1$ strace ./exploit > /dev/null
    execve("./exploit", ["./exploit"], [/* 20 vars */]) = 0
    execve("/bin/cat", ["/bin/cat", "/etc/passwd"], [/* 0 vars */]) = 0
    (...)
- To demonstrate your exploit, use the hexify.sh program to place your byte code in the dummy_exploit.c program, so that when it is compiled and run, it shows the exploit.
Submission
- You must submit two files: exploit.asm and dummy_exploit.c
  - exploit.asm will contain your assembly code for the shell code
  - dummy_exploit.c will contain the bytes of your shell code in a mock exploit
Hints
- You do not need to worry about null bytes, but you will need to worry about fixed references (absolute addresses baked into the code, which will not be valid once the shell code is injected somewhere else)
Part 2: System Call Timestamp-Bonanza (3 points)
Description
- Write shell code that has no NULL bytes and will open a file, write the current time to it, close the file, and exit.
Preamble
- The assignment can be completed on your VM
- gitlab repository: http://saddleback.academy.usna.edu/aviv/lab-5.2
Instructions
- Fork and clone the repository
You must complete the exploit.asm program with instructions that make the same system calls as the equivalent C program below:
    int fd = open("timestamp.dat", O_WRONLY|O_CREAT|O_TRUNC, 0600);
    time_t t = time(NULL);
    write(fd, &t, 4);
    close(fd);
    exit(0);
- Your program should have NO fixed references and NO null bytes (except for the one terminating the shell code)
When executed properly, you should see the following strace output:
    user@si485H-base:5.2$ strace -x ./exploit
    execve("./exploit", ["./exploit"], [/* 20 vars */]) = 0
    open("timestamp.dat", O_WRONLY|O_CREAT|O_TRUNC, 0660) = 3
    time(NULL) = 1442952463
    write(3, "\x0f\xb5\x01\x56", 4) = 4
    close(3) = 0
    _exit(0) = ?
    +++ exited with 0 +++
    user@si485H-base:5.2$ hexdump -C timestamp.dat
    00000000  0f b5 01 56                                       |...V|
    00000004
Of course the timestamp will change between runs, but you can check the timestamp in timestamp.dat with hexdump:
    user@si485H-base:5.2$ ./exploit
    user@si485H-base:5.2$ hexdump -C timestamp.dat
    00000000  0e b6 01 56                                       |...V|
    00000004
    user@si485H-base:5.2$ ./exploit
    user@si485H-base:5.2$ hexdump -C timestamp.dat
    00000000  11 b6 01 56                                       |...V|
    00000004
Your program should also work with the dummy exploit like so:
    user@si485H-base:5.2$ ./dummy_exploit $(printf `./hexify.sh ./exploit`)
    user@si485H-base:5.2$ hexdump -C timestamp.dat
    00000000  2a b6 01 56                                       |*..V|
    00000004
    user@si485H-base:5.2$ ./dummy_exploit $(printf `./hexify.sh ./exploit`)
    user@si485H-base:5.2$ hexdump -C timestamp.dat
    00000000  34 b6 01 56                                       |4..V|
    00000004
Submission
- Submit the completed files
Hints
- Look up your system call numbers and their arguments
- Use the stack to save previous return values, like the file descriptor returned by open
- Be creative with avoiding NULL bytes with adds, shifts, and what not
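The hints above are about constants. A syscall number like 5 assembles as `mov eax, 5` = b8 05 00 00 00, three NUL bytes, while `xor eax, eax` / `mov al, 5` = 31 c0 b0 05 has none; the open flags O_WRONLY|O_CREAT|O_TRUNC (0x241 on x86 Linux) and the mode 0600 (0x180) fit in NUL-free 16-bit immediates, but a constant with a zero byte in the middle needs the "be creative" treatment. The C helper below is an added example, not code from the lab repository: it counts NUL bytes in assembled shell code (the check to run on hexify.sh output), picks the shortest NUL-free way to load a value into eax, and falls back to a pair of NUL-free constants whose XOR is the target. The opcode bytes and Linux constants are real; the two sample byte arrays are constructed for the example, and the strategy names are the example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example for the SI485H lab, not from the lab repository.
 * Target: 32-bit x86 Linux, NASM syntax.  Constants are the real Linux
 * values; the sample byte arrays below are constructed for the example. */

#define OPEN_FLAGS 0x241u   /* O_WRONLY (0x1) | O_CREAT (0x40) | O_TRUNC (0x200) */
#define OPEN_MODE  0x180u   /* 0600 octal */

/* Two encodings of "eax = 5" (SYS_open): the naive one carries three NULs. */
static const uint8_t naive_mov[] = { 0xb8, 0x05, 0x00, 0x00, 0x00 }; /* mov eax, 5 */
static const uint8_t clean_mov[] = { 0x31, 0xc0, 0xb0, 0x05 };       /* xor eax,eax ; mov al, 5 */

/* Does a 32-bit immediate contain a 0x00 byte once assembled? */
static int has_zero_byte(uint32_t w)
{
    for (int i = 0; i < 4; i++)
        if (((w >> (8 * i)) & 0xffu) == 0)
            return 1;
    return 0;
}

/* Count NUL bytes in a blob of assembled shell code. */
static size_t count_nulls(const uint8_t *code, size_t len)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++)
        n += (code[i] == 0);
    return n;
}

/* Split target into a ^ b where neither half has a zero byte.  Per byte,
 * a_i = 0xff gives b_i = t_i ^ 0xff, which is zero only when t_i == 0xff;
 * that one case uses the pair 0x0f / 0xf0 instead. */
static void xor_pair(uint32_t target, uint32_t *a, uint32_t *b)
{
    *a = 0;
    *b = 0;
    for (int i = 0; i < 4; i++) {
        uint32_t t  = (target >> (8 * i)) & 0xffu;
        uint32_t ai = (t == 0xffu) ? 0x0fu : 0xffu;
        *a |= ai << (8 * i);
        *b |= (t ^ ai) << (8 * i);
    }
}

enum strategy { ZERO, IMM8, IMM16, IMM32, XOR_PAIR };

/* Shortest NUL-free NASM sequence that leaves `v` in eax; the text goes to `out`. */
static enum strategy encode_eax(uint32_t v, char *out, size_t outsz)
{
    if (v == 0) {                            /* 31 c0 */
        snprintf(out, outsz, "xor eax, eax");
        return ZERO;
    }
    if (v <= 0xffu) {                        /* 31 c0 b0 ib */
        snprintf(out, outsz, "xor eax, eax\n    mov al, 0x%02x", (unsigned)v);
        return IMM8;
    }
    if (v <= 0xffffu && (v & 0xffu)) {       /* 31 c0 66 b8 iw, both bytes non-zero */
        snprintf(out, outsz, "xor eax, eax\n    mov ax, 0x%04x", (unsigned)v);
        return IMM16;
    }
    if (!has_zero_byte(v)) {                 /* b8 id */
        snprintf(out, outsz, "mov eax, 0x%08x", (unsigned)v);
        return IMM32;
    }
    uint32_t a, b;                           /* b8 id 35 id */
    xor_pair(v, &a, &b);
    snprintf(out, outsz, "mov eax, 0x%08x\n    xor eax, 0x%08x", (unsigned)a, (unsigned)b);
    return XOR_PAIR;
}

int main(void)
{
    char asm_text[96];
    uint32_t samples[] = { 5, OPEN_FLAGS, OPEN_MODE, 0x00010000u, 0x6e69622fu };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        encode_eax(samples[i], asm_text, sizeof asm_text);
        printf("; eax = 0x%08x\n    %s\n", (unsigned)samples[i], asm_text);
    }
    printf("NUL bytes: naive=%zu clean=%zu\n",
           count_nulls(naive_mov, sizeof naive_mov),
           count_nulls(clean_mov, sizeof clean_mov));
    return 0;
}
```

The same idea applies to the other registers (`mov bl, ...`, `mov cx, ...`); what matters is that every immediate that reaches the assembler has no zero byte. Remember that the file descriptor returned by open is already in eax, so pushing it before the time call and popping it back into ebx for write and close avoids encoding it at all.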
Part 3: Grep-a-root-a-licious (2 points)
Description
- Complete shell code that will grep out the root entry in /etc/passwd
Preamble
- The assignment can be completed on your VM
- gitlab repository: http://saddleback.academy.usna.edu/aviv/lab-5.3
Instructions
- Fork and clone the repository
Create assembly in exploit.asm that will execute the following command via a call to execve:
    /bin/grep root /etc/passwd
When completed, running exploit should result in:
    user@si485H-base:5.3$ ./exploit
    root:x:0:0:root:/root:/bin/bash
- I will check your strace to make sure you are making the right system calls with the right arguments. Your resulting shell code should have NO fixed references and NO NULL bytes. It should work with the dummy exploit like so:
    user@si485H-base:5.3$ ./dummy_exploit $(printf `./hexify.sh ./exploit`)
    root:x:0:0:root:/root:/bin/bash
Submission
- Complete the file exploit.asm for your submission
Hints
- jmp-call is not the only way to get references to strings; consider:
    push 0x6e69622f
    mov eax, esp
  0x6e69622f is the ASCII values of "/bin" (little-endian, so "/" is the low byte), and now eax stores the address of that string. It's not null terminated, yet…
- "/bin/grep" is the same as "/bin////grep" (Linux collapses repeated slashes), and "/bin////grep" can be broken into groupings of 4, which seems really useful given the above hint.
- "/etc/passwd" is the same as "//etc/passwd", for the same useful hint as above
- "root" is already of length 4, fortunately.
- 0x2f is "/"
- Little endian!
- Go Navy!
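As an added example (not part of the lab repository), here is a C helper that mechanizes the hints above for any string: it pads a path with extra '/' at its last separator so the length is a multiple of 4, splits it into little-endian dwords, checks that none of them would assemble with a NUL byte, and prints the NASM push sequence (NUL terminator first, since the stack grows down) that leaves a register pointing at the string. It reproduces the 0x6e69622f from the hint and covers Part 1's "/bin/cat" as well. It pads "/etc/passwd" as "/etc//passwd" rather than the hint's "//etc/passwd"; both name the same file on Linux. The register names and the padding rule are the example's own choices.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example for the SI485H lab, not from the lab repository.
 * Target: 32-bit x86 Linux (little-endian, 4-byte pushes), NASM syntax. */

#define MAX_LEN 64

/* Pad `path` with extra '/' at its last separator so its length is a
 * multiple of 4: "/bin/grep" -> "/bin////grep".  Linux collapses repeated
 * slashes, so the padded path names the same file.  Returns the new
 * length, or -1 if there is no separator to duplicate (e.g. "abc"). */
static int pad_path(const char *path, char *out, size_t outsz)
{
    size_t len = strlen(path);
    size_t pad = (4 - len % 4) % 4;
    const char *last = strrchr(path, '/');

    if (len + pad + 1 > outsz)
        return -1;
    if (pad == 0) {
        memcpy(out, path, len + 1);
        return (int)len;
    }
    if (last == NULL)
        return -1;
    size_t head = (size_t)(last - path);
    memcpy(out, path, head);
    memset(out + head, '/', pad);
    memcpy(out + head + pad, path + head, len - head + 1);
    return (int)(len + pad);
}

/* Little-endian dword for four bytes: the imm32 of a `push` that lays
 * those bytes out in memory in reading order. */
static uint32_t le_dword(const char *p)
{
    return (uint32_t)(uint8_t)p[0]
         | (uint32_t)(uint8_t)p[1] << 8
         | (uint32_t)(uint8_t)p[2] << 16
         | (uint32_t)(uint8_t)p[3] << 24;
}

/* Would this immediate assemble with a 0x00 byte? */
static int has_zero_byte(uint32_t w)
{
    for (int i = 0; i < 4; i++)
        if (((w >> (8 * i)) & 0xffu) == 0)
            return 1;
    return 0;
}

/* Fill `words` with the push immediates in push order (last chunk first).
 * Returns the push count, or -1 if the string cannot be padded or a chunk
 * would assemble with a NUL byte. */
static int string_to_pushes(const char *s, uint32_t *words, int max)
{
    char padded[MAX_LEN];
    int len = pad_path(s, padded, sizeof padded);
    if (len < 0 || len / 4 > max)
        return -1;
    int n = len / 4;
    for (int i = 0; i < n; i++) {
        words[i] = le_dword(padded + (n - 1 - i) * 4);
        if (has_zero_byte(words[i]))
            return -1;
    }
    return n;
}

/* Print NASM that leaves `reg` pointing at a NUL-terminated copy of `s`. */
static void emit_nasm(const char *s, const char *reg)
{
    uint32_t words[MAX_LEN / 4];
    char padded[MAX_LEN];
    int n = string_to_pushes(s, words, MAX_LEN / 4);
    if (n < 0 || pad_path(s, padded, sizeof padded) < 0) {
        printf("    ; cannot encode \"%s\" with '/' padding\n", s);
        return;
    }
    printf("    xor eax, eax\n    push eax            ; NUL terminator\n");
    for (int i = 0; i < n; i++)
        printf("    push 0x%08x     ; \"%.4s\"\n",
               (unsigned)words[i], padded + (n - 1 - i) * 4);
    printf("    mov %s, esp         ; %s -> \"%s\"\n", reg, reg, padded);
}

int main(void)
{
    /* The three strings of Part 3; "/bin/cat" from Part 1 needs no padding. */
    emit_nasm("/bin/grep", "ebx");
    emit_nasm("root", "ecx");
    emit_nasm("/etc/passwd", "edx");
    emit_nasm("/bin/cat", "ebx");
    return 0;
}
```

Once the three strings are on the stack, the argv array for execve is built the same way: push 0 (the terminating NULL pointer), then the pointers to "/etc/passwd", "root" and "/bin/grep" in that order, and `mov ecx, esp`. Every address comes from esp, so the resulting shell code has no fixed references, and since the string bytes are all printable and the terminator comes from `xor eax, eax`, it has no NUL bytes either.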