Lab 07: Avoid and Conquer
Submission Instructions
Submission instructions for labs can be found on the resource pages. In particular, you should view this subsection: Creating a new branch and submitting
Part 1: The Woods are Dark and Deep (2 points)
Description
- There is an egg hidden in the executable; exploit the program with an egg hunter to get it to execute the shell code.
Preamble
- The assignment can be completed on your vm
- gitlab repository: http://saddleback.academy.usna.edu/aviv/lab-7.1
- YOU MUST WORK IN THE CORRECT DIRECTORY
- Work in your /tmp directory so that I can check your exploits
- All exploits must work when run from a directory called: /tmp/lab-7.1
Instructions
- Fork and clone the repository
- Copy the repository to your /tmp directory
- ALL WORK MUST BE COMPLETED IN THE DIRECTORY: /tmp/lab-7.1
- Your task is to complete the exploit.sh script such that it will properly exploit the thewoods program, running an egg hunter that will find the shell code
- The egg you are hunting for is 0xdeadbeef, appearing twice
- The source code for the vulnerable section of thewoods is below:

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>

    void vuln(int border, char *s){
        char buf[50];
        strcpy(buf, s);                 /* unbounded copy into a 50-byte stack buffer */
        if(border != 0xcafebabe){
            printf("DANGER !!! ");
            exit(1);
        }
    }

    int main(int argc, char * argv[]){
        if( argc != 2){
            printf("INVALID");
            exit(2);
        }
        vuln(0xcafebabe, argv[1]);
        return 0;
    }
- NOTE: vuln does a boundary check, so you need to be careful about how you perform your exploit; fortunately, your egg hunter should be well below 50 bytes, right? Or you can avoid boundaries, right?
- Once you've identified an exploit, complete the exploit.sh script so that your egg hunt will be successful. The exploit.sh file:

    #!/bin/sh
    ./thewoods <EXPLOIT ARGUMENT GOES HERE>

- When done correctly you should expect the following:

    user@si485H-base:6.1$ ./exploit.sh
    Go Navy!
    user@si485H-base:6.1$ echo $?
    3
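The strcpy() into buf[50] inside vuln() is what makes thewoods exploitable: nothing limits the copy to the buffer's size, so the border check that follows it runs only after the stack has already been overwritten. As an added example (not part of the lab or its repository), here is a hardened counterpart of that function in which the copy is bounded by the destination size and an over-long argument is refused before anything is written. The names copy_bounded, vuln_hardened and copy_of_length are chosen here, not taken from the lab.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_SIZE 50   /* same buffer size as vuln() in thewoods */

/* Copy src into dst only if it fits, NUL terminator included.
 * Returns 0 on success and -1 when the input would overflow dst; nothing is
 * written to dst in the failure case. */
int copy_bounded(char *dst, size_t dst_size, const char *src)
{
    size_t n = strlen(src);
    if (n >= dst_size)
        return -1;                     /* would overflow: refuse the copy */
    memcpy(dst, src, n + 1);           /* copy the bytes plus the NUL */
    return 0;
}

/* Hardened counterpart of the lab's vuln(border, s): same buffer and same
 * border check, but the unbounded strcpy() is replaced by copy_bounded().
 * Returns 0 on the normal path, 1 on the lab's "DANGER" path, and -1 when
 * the argument is rejected as too long. (Hypothetical name, not lab code.) */
int vuln_hardened(int border, const char *s)
{
    char buf[BUF_SIZE];
    if (copy_bounded(buf, sizeof buf, s) != 0)
        return -1;
    if ((unsigned int)border != 0xcafebabeu)
        return 1;
    return 0;
}

/* Drive vuln_hardened() with a constructed argument of n 'A' bytes so the
 * boundary can be probed exactly: n <= 49 fits, n >= 50 is rejected. */
int copy_of_length(size_t n)
{
    char src[256];
    if (n >= sizeof src)
        return -2;                     /* helper's own limit, not a buffer rule */
    memset(src, 'A', n);
    src[n] = '\0';
    return vuln_hardened(0xcafebabe, src);
}

int main(int argc, char *argv[])
{
    if (argc != 2) {
        printf("INVALID\n");
        return 2;
    }
    int rc = vuln_hardened(0xcafebabe, argv[1]);
    if (rc == -1)
        printf("argument too long (max %d bytes)\n", BUF_SIZE - 1);
    else if (rc == 1)
        printf("DANGER !!!\n");
    else
        printf("OK\n");
    return rc < 0 ? 1 : rc;
}
```

The check is on the source length against the destination size, counted before the copy; with that in place the 50-byte buffer can hold at most 49 characters plus the terminator, and the border value can no longer be changed by the argument at all.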
Submission
- You must submit at least one file: exploit.sh
- Your submission must work when executed from the following directory: /tmp/lab-7.1
- You MAY NOT use shell code that executes the solution, you must hunt for it
Hints
- You may need to adjust your egg hunter. 0xdeadbeef is not executable … and not nops
Part 2: Sign THIS! (1 point)
Description
- I've designed the best signature matching scheme ever, defeat it with your obfuscated shell code.
Preamble
- The assignment can be completed on your vm
- gitlab repository: http://saddleback.academy.usna.edu/aviv/lab-7.2
Instructions
- Fork and clone the repository
- Your task is to complete the obfuscate.asm shell code that will properly avoid the signature matching scheme.
- The signatures being used in sigmatch.c:

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>

    //check for the sig0 start finished by sig1 in str
    int check_sig(char *str, char * sig0, char *sig1){
        char *p, *q;
        for(p = str; *p; p++){
            //checking for start of signature
            if ( strncmp(p, sig0, strlen(sig0)) == 0 ){
                if (! sig1) return 1;   //no end signature given: the start alone matches
                //checking for end of signature
                for(q = p; *q; q++){
                    if (strncmp(q, sig1, strlen(sig1)) == 0){
                        return 1;       //found signature
                    }
                }
            }
        }
        return 0; //did not find signature
    }

    int main(int argc, char * argv[]){
        if(argc < 2){
            printf("ERROR: Require argument\n");
            exit(1);
        }
        if ( check_sig(argv[1], "\xb0\x0b", "\xcd\x80") ||
             check_sig(argv[1], "\x31\xc9", "\xcd\x80") ||
             check_sig(argv[1], "bin", "sh") ||
             check_sig(argv[1], "sh", "bin") ||
             check_sig(argv[1], "\x90\x90", NULL) ||
             check_sig(argv[1], "\x90\x90\x90", NULL) ||
             check_sig(argv[1], "\x6f\x6f\x6f", NULL) ||
             check_sig(argv[1], "\x6f\x6f", NULL) ||
             check_sig(argv[1], "\x8a\x44\x0c\xff\x34", NULL)){
            printf("No Way Jose!\n");
            exit(2);
        }
        //execute as binary code
        ((void(*)(void)) argv[1])();
        return 0;
    }
- Once you've completed your shell code, exploit.sh should run successfully like so:

    user@si485H-base:7.2$ ./exploit.sh
    Go Navy
    user@si485H-base:7.2$ echo $?
    3
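To see exactly what the sigmatch.c rules above do and do not flag, here is an added example (not the lab's code) that puts the same nine start/end signature pairs in a table and runs the scan over a few constructed byte strings. The names sig_hit, first_matching_rule, RULES, SAMPLES and count_flagged are chosen here, and the sample strings are constructed for the demonstration, not taken from the lab.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* One rule: a start signature and an optional end signature (NULL = none).
 * These are the nine pairs sigmatch.c passes to check_sig(), in that order. */
struct sig_rule {
    const char *start;
    const char *end;
};

static const struct sig_rule RULES[] = {
    { "\xb0\x0b",             "\xcd\x80" },
    { "\x31\xc9",             "\xcd\x80" },
    { "bin",                  "sh"       },
    { "sh",                   "bin"      },
    { "\x90\x90",             NULL       },
    { "\x90\x90\x90",         NULL       },
    { "\x6f\x6f\x6f",         NULL       },
    { "\x6f\x6f",             NULL       },
    { "\x8a\x44\x0c\xff\x34", NULL       },
};
#define NRULES (sizeof RULES / sizeof RULES[0])

/* Same semantics as the lab's check_sig(): sig0 must occur somewhere in str,
 * and if sig1 is non-NULL it must occur at or after that position. The scan
 * stops at the first NUL byte, exactly as it does for an argv[] string. */
int sig_hit(const char *str, const char *sig0, const char *sig1)
{
    size_t l0 = strlen(sig0);
    size_t l1 = sig1 ? strlen(sig1) : 0;
    for (const char *p = str; *p; p++) {
        if (strncmp(p, sig0, l0) != 0)
            continue;                 /* start signature not at this offset */
        if (sig1 == NULL)
            return 1;                 /* start alone is enough for this rule */
        for (const char *q = p; *q; q++)
            if (strncmp(q, sig1, l1) == 0)
                return 1;             /* end signature follows the start */
    }
    return 0;
}

/* Index of the first rule that flags payload, or -1 if it passes every rule
 * (the case in which sigmatch.c would go on to run it). */
int first_matching_rule(const char *payload)
{
    for (size_t i = 0; i < NRULES; i++)
        if (sig_hit(payload, RULES[i].start, RULES[i].end))
            return (int)i;
    return -1;
}

/* Constructed sample inputs. Adjacent literals are concatenated so that a hex
 * escape is never followed by a hex digit from the next piece of text. */
static const char *const SAMPLES[] = {
    "/bin/sh",                 /* "bin" followed by "sh": rule 2 */
    "sh runs bin",             /* "sh" followed by "bin": rule 3 */
    "\x90\x90" "zz",           /* two consecutive 0x90 bytes: rule 4 */
    "\x90" "z" "\x90",         /* 0x90 bytes not adjacent: no rule */
    "\xb0\x0b" "zz",           /* start of rule 0 without its end: no rule */
    "oo",                      /* rule 6 needs three 'o', rule 7 two: rule 7 */
    "plain text",              /* none of the listed bytes: no rule */
};
#define NSAMPLES (sizeof SAMPLES / sizeof SAMPLES[0])

/* How many of the constructed samples the rule table flags. */
int count_flagged(void)
{
    int n = 0;
    for (size_t i = 0; i < NSAMPLES; i++)
        if (first_matching_rule(SAMPLES[i]) >= 0)
            n++;
    return n;
}

int main(void)
{
    for (size_t i = 0; i < NSAMPLES; i++)
        printf("sample %zu: rule %d\n", i, first_matching_rule(SAMPLES[i]));
    printf("%d of %zu samples flagged\n", count_flagged(), (size_t)NSAMPLES);
    return 0;
}
```

Two properties of the matcher show up in the samples: a two-part rule needs its end signature at or after the start (so the start bytes alone pass), and the order of the pieces matters, which is why "bin"/"sh" and "sh"/"bin" are separate rules. Both follow directly from the loop structure in check_sig().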
Submission
- You must submit at least two files: exploit.sh and avoider.asm
Hints
- You may need to adjust your shell code in some way.
- The current version of le-fourbytes.py could be edited if you want.