SI485H: Stack Based Binary Exploits and Defenses (F15)


Lab 06: Smash, Smash, Smash, Shell!!!!!

Submission Instructions

Submission instructions for labs can be found on the resource pages. In particular, you should view this subsection: Creating a new branch and submitting

Part 1: Don't Smash the Cafe, Babe! (2 points)

Description

  • Use the provided shell code to exploit the vulnerable program.

Preamble

  • The assignment can be completed on your VM
  • gitlab repository
    http://saddleback.academy.usna.edu/aviv/lab-6.1
    
  • YOU MUST WORK IN THE CORRECT DIRECTORY
    • Work in your /tmp directory so that I can check your exploits
    • All exploits must work when run from a directory called: /tmp/lab-6.1

Instructions

  • Fork and clone the repository
  • Copy the repository to your /tmp directory
  • ALL WORK MUST BE COMPLETED IN THE DIRECTORY: /tmp/lab-6.1
  • Your task is to complete the exploit.sh script such that it will properly exploit the vulnerable program.
  • The source code for vulnerable is below:
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    
    void foo(char *s){
    
      int i = 0xcafebabe;
      char buf[0xbf];
    
      strcpy(buf,s);
    
      if(i != 0xcafebabe){
        printf("Danger! I'm out-of-here!\n");
        exit(1);
      }
    
    }
    
    int main(int argc, char * argv[]){
      if ( argc < 2){
        printf("I pitty thefool who doesn't give me at least one argument!\n");
        exit(2);
      }
      foo(argv[1]);
    
      printf("Go Army!\n");
      exit(0);
    }
    
  • Here are some sample execution traces for vulnerable:
    user@si485H-base:6.1$ ./vulnerable 
    I pitty thefool who doesn't give me at least one argument!
    user@si485H-base:6.1$ ./vulnerable a
    Go Army!
    user@si485H-base:6.1$ ./vulnerable `python -c "print 'A'*200"`
    Danger! I'm out-of-here!
    
  • Your goal is to change the output so that it no longer prints "Go Army!" and instead prints "Go Navy!" without hitting the "Danger!" check
  • The provided shell code for this is beatarmy.asm (shown below), which executes the script ./gonavy.sh (also shown below); that script echoes "Go Navy!" and exits with status 3
    SECTION .text
            global _start
    
    _start:
            jmp callback
    dowork:
            pop esi
            xor ecx,ecx
            mul ecx
            mov al,0xb
            mov ebx, esi
            int 0x80                ;exec("./gonavy.sh",NULL,NULL)
    callback:
            call dowork
            db "./gonavy.sh",0x0
    
    #!/bin/sh
    
    echo "Go Navy!"
    exit 3
    
  • Once you've gotten your exploit to work, save the argument in the exploit.sh file:
    #!/bin/sh
    
    ./vulnerable <EXPLOIT ARGUMENT GOES HERE>
    
  • When done correctly you should expect the following:
    user@si485H-base:6.1$ ./exploit.sh 
    Go Navy!
    user@si485H-base:6.1$ echo $?
    3
    

Submission

  • You must submit at least one file: exploit.sh
  • Your submission must work when executed from the following directory: /tmp/lab-6.1
  • You MAY NOT change the shell code in any way

Hints

  • None. You got this one.

Part 2: Smashable Pointers are Dangerous! (4 points)

Description

  • Use the provided shell code to exploit the vulnerable program.

Preamble

  • The assignment can be completed on your VM
  • gitlab repository
    http://saddleback.academy.usna.edu/aviv/lab-6.2
    
  • YOU MUST WORK IN THE CORRECT DIRECTORY
    • Work in your /tmp directory so that I can check your exploits
    • All exploits must work when run from a directory called: /tmp/lab-6.2

Instructions

  • Fork and clone the repository
  • Copy the repository to your /tmp directory
  • ALL WORK MUST BE COMPLETED IN THE DIRECTORY: /tmp/lab-6.2
  • Your task is to complete exploit.gdb, a file of gdb commands that will properly exploit the program when run like so:
    gdb -batch -x exploit.gdb ./vulnerable
    
  • You will be exploiting the vulnerable program whose source code is below:
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    
    void foo(char *s){
    
      char * p;
      char buf[300];
    
      for(p=buf; *s; p++,s++){
        *p = *s;
      }
    
      return;
    }
    
    int main(int argc, char * argv[]){
      if ( argc < 2){
        printf("I pitty the fool who doesn't give me at least one argument!\n");
        exit(2);
      }
    
      foo(argv[1]);
    
      printf("Go Army!\n");
      exit(0);
    }
    
  • Using gdb, determine an argument to vulnerable that prints "Go Navy!" instead of "Go Army!" using the provided shell code beatarmy.asm (shown below), which will execute a shell script that prints "Go Navy!" and exits with status 3:
    SECTION .text
            global _start
    
    _start:
            xor ecx,ecx
            mul ecx
            push eax
            push 0x68732e79         ;"y.sh"
            push 0x76616e6f         ;"onav"
            push 0x672f2f2e         ;".//g"
            mov al,0xb
            mov ebx, esp
            int 0x80                ;execv(".//gonavy.sh",NULL,NULL)
    
    #!/bin/sh
    
    echo "Go Navy!"
    exit 3
    
  • Once you've gotten your exploit to work, save the commands in exploit.gdb
    # PUT EXPLOIT BELOW for the r command
    
    r <EXPLOIT GOES HERE>
    
  • When done correctly you should expect the following:
    user@si485H-base:6.2$ gdb -batch -x exploit.gdb ./vulnerable
    process 18296 is executing new program: /bin/dash
    Go Navy!
    [Inferior 1 (process 18296) exited with code 03]
    

Submission

  • You must submit at least one file: exploit.gdb
  • Your submission must work when executed from the following directory: /tmp/lab-6.2
  • You may not alter the beatarmy.asm program in any way

Hints

  • Consider what happens when you smash the pointer p: Once you overwrite that value, you can get it to write almost anywhere … such as the return address!
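
For contrast with the two vulnerable foo() functions above (Parts 1 and 2), here is an added example, not the lab's code, of what a bounded version of each looks like: the strcpy() call is replaced by a length check against sizeof buf, and the copy loop gets an upper bound so p can never run past the end of the array. The names foo_bounded_copy, foo_bounded_loop and try_repeated are chosen here, and the strings of 'A' bytes are constructed for the demo.

```c
#include <stdio.h>
#include <string.h>

/* Hardened rewrite of foo() from Part 1 (added example, not the lab's
 * code). strcpy() never consults sizeof buf, so the length is checked
 * first and oversized input is rejected instead of overrunning i and the
 * saved return address. Returns 0 on success, -1 when it does not fit. */
int foo_bounded_copy(const char *s)
{
    char buf[0xbf];
    size_t len = strlen(s);
    if (len >= sizeof buf)          /* need room for the NUL too */
        return -1;
    memcpy(buf, s, len + 1);        /* proven to fit */
    return 0;
}

/* Hardened rewrite of foo() from Part 2. The original loop advanced p
 * with no upper bound; here p stops one byte short of the end of buf,
 * the result is NUL-terminated, and truncation is reported as -1. */
int foo_bounded_loop(const char *s)
{
    char buf[300];
    char *p = buf;
    const char *end = buf + sizeof buf - 1;
    while (*s && p < end)
        *p++ = *s++;
    *p = '\0';
    return *s ? -1 : 0;
}

/* Helper: call f on a constructed string of n 'A' bytes (n < 1024). */
int try_repeated(int (*f)(const char *), size_t n)
{
    char in[1024];
    if (n >= sizeof in)
        return -2;
    memset(in, 'A', n);
    in[n] = '\0';
    return f(in);
}

int main(void)
{
    printf("200 bytes into foo_bounded_copy: %d\n", try_repeated(foo_bounded_copy, 200));
    printf("400 bytes into foo_bounded_loop: %d\n", try_repeated(foo_bounded_loop, 400));
    return 0;
}
```

Compiling the original programs with gcc's -fstack-protector automates the kind of check Part 1 hand-rolls with i != 0xcafebabe, using a random per-run value instead of a constant; the lab binaries are built without it so the overflow is reachable.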

Part 3: Smashing Standard Input (3 points)

Description

  • Use the provided shell code to exploit the vulnerable program.

Preamble

  • The assignment can be completed on your VM
  • gitlab repository
    http://saddleback.academy.usna.edu/aviv/lab-6.3
    
  • YOU MUST WORK IN THE CORRECT DIRECTORY
    • Work in your /tmp directory so that I can check your exploits
    • All exploits must work when run from a directory called: /tmp/lab-6.3

Instructions

  • Fork and clone the repository
  • Copy the repository to your /tmp directory
  • ALL WORK MUST BE COMPLETED IN THE DIRECTORY: /tmp/lab-6.3
  • Your task is to complete exploit.sh, which when executed will properly exploit the vulnerable program.
  • You will be exploiting the vulnerable program whose source code is below:
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    
    void foo(){
    
      char buf[0x10];
    
      printf("%s", "Say something spirtiful!\n");
    
      scanf("%s",buf);
    
    }
    
    int main(int argc, char * argv[]){
      foo();
      printf("Go Army!\n");
      exit(0);
    }
    
  • You will use the following shell code which will print "Go Navy!" when executed properly:
    SECTION .text
            global _start
    
    _start:
            xor ecx,ecx
            mul ecx
            push eax
            push 0x68732e79         ;"y.sh"
            push 0x76616e6f         ;"onav"
            push 0x672f2f2e         ;".//g"
            mov al,0xb
            mov ebx, esp
            int 0x80                ;execv(".//gonavy.sh",NULL,NULL)
    
    #!/bin/sh
    
    echo "Go Navy!"
    exit 3
    
  • Once you've gotten your exploit to work, save the commands in exploit.sh
    #!/bin/bash
    
    <EXPLOIT TO STDOUT GOES HERE> | ./vulnerable
    
  • When done correctly you should expect the following:
    user@si485H-base:6.3$ ./exploit.sh 
    Say something spirtiful!
    Go Navy!
    
  • YOU ARE ALLOWED TO ALTER THE SHELL CODE

Submission

  • You must submit at least one file: exploit.sh
  • Your submission must work when executed from the following directory: /tmp/lab-6.3
  • You MAY (and probably will need to) alter the beatarmy.asm program in any way

Hints

  • In gdb, if you want to set standard input you can use a redirect:
    (gdb) r < input.txt
    
    where input.txt is some file that will be read from. While probing, you can place your exploit string there for testing.

  • You might find that scanf() doesn't properly read your shell code sometimes: How can you fix that?
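
As an added example (not the lab's code) of the fix for Part 3's foo(): a field width in the scanf() format bounds the write into buf, and fgets() is the line-based alternative that takes the buffer size as an argument. The names read_token_bounded, read_line_bounded, WIDTH and the global spirit buffer are chosen here, and the 40-byte input in main() is constructed for the demo.

```c
#include <stdio.h>
#include <string.h>

/* Hardened replacement for foo() from Part 3 (added example, not the lab's
 * code). scanf("%s", buf) has no idea how large buf is and keeps writing
 * until the token ends, so anything longer than 15 bytes overruns the
 * 0x10-byte array. A field width in the format caps the write: "%15s"
 * stores at most 15 bytes plus the NUL. WIDTH feeds both the array size
 * and the format string so the two cannot drift apart. */
#define WIDTH 15
#define STR2(x) #x
#define STR(x) STR2(x)

char spirit[WIDTH + 1];         /* destination shared with the tests below */

/* Copies the first token of input into out (at most WIDTH bytes).
 * Returns the number of bytes stored, 0 if there was no token. */
size_t read_token_bounded(const char *input, char *out, size_t out_sz)
{
    char buf[WIDTH + 1];
    if (out_sz == 0)
        return 0;
    if (sscanf(input, "%" STR(WIDTH) "s", buf) != 1) {
        out[0] = '\0';
        return 0;
    }
    snprintf(out, out_sz, "%s", buf);   /* bounded by out_sz, NUL-terminated */
    return strlen(out);
}

/* Alternative for reading stdin: fgets() takes the buffer size as an
 * argument and leaves excess bytes in the stream rather than on the stack.
 * Returns the number of bytes stored (the newline is stripped). */
size_t read_line_bounded(FILE *fp, char *out, size_t out_sz)
{
    if (out_sz == 0 || !fgets(out, (int)out_sz, fp))
        return 0;
    out[strcspn(out, "\n")] = '\0';
    return strlen(out);
}

int main(void)
{
    /* constructed input: 40 'A's, far more than the original 16-byte buf */
    const char *input = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
    size_t n = read_token_bounded(input, spirit, sizeof spirit);
    printf("stored %zu bytes: %s\n", n, spirit);
    return 0;
}
```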