SI485H: Stack Based Binary Exploits and Defenses (F15)


Lab 10: Smash the Guards


Submission Instructions

Submission instructions for labs can be found on the resource pages. In particular, you should view this subsection: Creating a new branch and submitting

Part 1: Limited Guards (2 points)

Description

  • Write an exploit script that will gain a shell to reveal the secret flag.

Preamble

  • The assignment must be completed on the clone-2 saddleback VM which can be reached as follows:

    ssh -p 5555 saddleback.academy.usna.edu
    
  • The gitlab repository for this lab is found here:

    http://saddleback.academy.usna.edu/aviv/lab10.1
    

Instructions

  • Fork and clone the repository
  • You will find a source file for the tokenizer program as well as a compiled version of the program.
  • Your task is to exploit the version of the program found on the clone-2 saddleback VM at this location

    /home/aviv/lab/10.1/tokenizer
    
  • The tokenizer program employs stack guards, but not gcc's implementation. It is a custom implementation that draws from a choice of 256 possible canary values at random when the program starts.
  • Once you've successfully exploited the program to get a shell, you can reveal the flag like so:

    cat /home/aviv/lab/10.1/flag
    
  • Place your exploit in a file called exploit.sh, such that when executed the secret flag is revealed.

    ./exploit.sh
    <FLAG>
    

    The exploit may be a script (i.e., it may run the program multiple times)

Submission

  • You must submit at least two files:
    • flag : contents of the flag file
    • exploit.sh : which, when run, will exploit the tokenizer program … eventually … and reveal the flag.

Hints

  • How much randomness is there here? A lot or a little?

Part 2: (Semi-)Random Guards (2 points)

Description

  • Write an exploit script that will gain a shell to reveal the secret flag.

Preamble

  • The assignment must be completed on the clone-2 saddleback VM which can be reached as follows:

    ssh -p 5555 saddleback.academy.usna.edu
    
  • The gitlab repository for this lab is found here:

    http://saddleback.academy.usna.edu/aviv/lab10.2
    

Instructions

  • Fork and clone the repository
  • You will find a source file for the tokenizer program as well as a compiled version of the program.
  • Your task is to exploit the version of the program found on the clone-2 saddleback VM at this location

    /home/aviv/lab/10.2/tokenizer
    
  • The tokenizer program employs stack guards, which use the following initialization routine:

    #include <stdlib.h>
    #include <time.h>

    static int _canary; // global slot holding the canary for this run

    void initcannary(){
      srand(time(NULL));              // seed from the current second
      int canary = random();          // choose a random 4-byte value
      canary &= 0xffffff00;           // zero the low byte
      canary |= 0x01010100;           // no byte other than the low one can be zero
      _canary = canary;
    }
    

    where _canary is the set canary value

  • Once you've successfully exploited the program to get a shell, you can reveal the flag like so:

    cat /home/aviv/lab/10.2/flag
    
  • Place your exploit in a file called exploit.sh, such that when executed the secret flag is revealed.

    ./exploit.sh
    <FLAG>
    

    The exploit may be a script (i.e., it may run the program multiple times)

Submission

  • You must submit at least two files:
    • flag : contents of the flag file
    • exploit.sh : which, when run, will exploit the tokenizer program and usually (but maybe not always) reveal the flag.

Hints

  • Could you predict what the canary value might be in the future?
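The Part 2 initializer beside a hardened one, as an added C example (not the lab's tokenizer code): it makes the seed explicit to show that a time-seeded canary is fully determined by that seed, and draws the hardened value from the kernel CSPRNG instead of a seeded PRNG. The seed parameter, the /dev/urandom path and the function names are assumptions for this example.

```c
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <time.h>

uint32_t _canary; /* global canary slot, as in the lab's tokenizer */

/* Part 2 scheme with the seed made explicit (the lab seeds with
   time(NULL)): the whole value is a pure function of the seed.
   srandom() is used here; glibc's srand() is the same seeding. */
uint32_t weak_canary_for_seed(unsigned int seed) {
    srandom(seed);
    uint32_t canary = (uint32_t)random();
    canary &= 0xffffff00u;   /* low byte zero */
    canary |= 0x01010100u;   /* upper bytes never zero, but 3 bits pinned to 1 */
    return canary;
}

void weak_initcanary(void) {
    _canary = weak_canary_for_seed((unsigned int)time(NULL));
}

/* Hardened initializer: draw from the kernel CSPRNG (assumption:
   Linux /dev/urandom), keep the low byte zero, and patch only a byte
   that happens to be zero instead of OR-ing a fixed mask. */
int hardened_initcanary(void) {
    uint32_t canary;
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL) return -1;
    size_t n = fread(&canary, sizeof canary, 1, f);
    fclose(f);
    if (n != 1) return -1;
    canary &= 0xffffff00u;
    for (int shift = 8; shift < 32; shift += 8)
        if (((canary >> shift) & 0xffu) == 0)
            canary |= 0x01u << shift;
    _canary = canary;
    return 0;
}

/* Layout invariant both schemes must satisfy: low byte zero (stops a
   string-copy overflow from running past it), other bytes non-zero. */
int canary_layout_ok(uint32_t c) {
    if ((c & 0xffu) != 0) return 0;
    for (int shift = 8; shift < 32; shift += 8)
        if (((c >> shift) & 0xffu) == 0) return 0;
    return 1;
}
```

The weak scheme is what the Part 2 hint points at: two runs started in the same second get the same canary; the hardened scheme removes that dependency entirely.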