SI485H: Stack Based Binary Exploits and Defenses (F15)


Lab 11: Pesky Formats

Submission Instructions

Submission instructions for labs can be found on the resource pages. In particular, you should view this subsection: Creating a new branch and submitting

Part 1: FTW: Format the Win! (1 point)

Description

  • Write a format string exploit to reveal the secret flag.

Preamble

  • The assignment must be completed on the clone-2 saddleback VM which can be reached as follows:

    ssh -p 5555 saddleback.academy.usna.edu
    
  • The gitlab repository for this lab is found here:

    http://saddleback.academy.usna.edu/aviv/lab11.1
    

Instructions

  • Fork and clone the repository
  • You will find a source file for a program called vulnerable.c; you can compile and work with this file as you wish
  • Your task is to exploit the version of the program that is compiled and executable on the clone-2 saddleback VM at this location:

    /home/aviv/lab/11.1/vulnerable
    
  • Your task is to overwrite the return address of main() with the function called flag() such that the flag is printed to the screen.
  • Once you've completed the assignment, place your exploit parameter for the format attack in a file called exploit.txt and the secret message in a file called flag.

Submission

  • You must submit at least two files:
    • flag : contents of the flag file
    • exploit.txt : the format string you used

Hints

  • Set up your format the whole way through first with the right length, and then start to manipulate
  • Use the target variable to get things setup before targeting the return address
  • Use the argument index options: e.g., %3$x … will make life a lot easier.
  • Don't forget to escape $ with \$ as $ is a special symbol in bash

Part 2: FTW2: Format The Win with a side of dead beef (2 points)

Description

  • Write a format string exploit to reveal the secret flag.

Preamble

  • The assignment must be completed on the clone-2 saddleback VM which can be reached as follows:

    ssh -p 5555 saddleback.academy.usna.edu
    
  • The gitlab repository for this lab is found here:

    http://saddleback.academy.usna.edu/aviv/lab11.2
    

Instructions

  • Fork and clone the repository
  • You will find a source file for a program called vulnerable.c; you can compile and work with this file as you wish
  • Your task is to exploit the version of the program that is compiled and executable on the clone-2 saddleback VM at this location:

    /home/aviv/lab/11.2/vulnerable
    
  • Your task is to overwrite the return address of main() with the function called flag() such that the flag is printed to the screen.
  • Once you've completed the assignment, place your exploit parameter for the format attack in a file called exploit.txt and the secret message in a file called flag.

Submission

  • You must submit at least two files:
    • flag : contents of the flag file
    • exploit.txt : the format string you used

Hints

  • Set up your format the whole way through first with the right length, and then start to manipulate
  • Use the target variable to get things setup before targeting the return address
  • Use the argument index options: e.g., %3$x … will make life a lot easier.
  • Don't forget to escape $ with \$ as $ is a special symbol in bash
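As an added illustration of the %3$x hint given for Parts 1 and 2 (this is not part of the lab or its repositories, and every function name is this example's own), the following C program puts the bug class behind both parts next to its fix. With a constant format and the user's text passed as an argument, "%3$x" is copied out as four literal bytes; with the user's text used as the format itself, the directive is interpreted, and the positional index selects a stack slot even though no argument was passed. demo_positional shows what the %N$x syntax means in legitimate C, and has_format_directive is a simple check that flags input containing a conversion directive.

```c
#include <stdio.h>
#include <string.h>

/* Hardened echo: the format is a string literal and the user's text is an
 * argument, so "%3$x" in `input` is copied out as four literal bytes.
 * Returns the number of characters written, excluding the NUL. */
static int echo_fixed(char *out, size_t n, const char *input) {
    return snprintf(out, n, "%s", input);
}

/* The lab's bug, for contrast: `input` itself becomes the format. Every '%'
 * directive in it is interpreted with no matching argument (undefined
 * behaviour), which is how "%N$x" reads a chosen stack slot. The pragma only
 * silences -Wformat-security so this file builds cleanly; in real code that
 * warning is the cheapest detector of this bug and should stay enabled. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
static int echo_vulnerable(char *out, size_t n, const char *input) {
    return snprintf(out, n, input);
}
#pragma GCC diagnostic pop

/* Legitimate use of the positional syntax from the hints: "%N$x" names which
 * variadic argument a directive consumes, so arguments can be read out of
 * order. Here three real arguments exist; in the vulnerable call above the
 * same index selects whatever happens to sit in that slot on the stack. */
static int demo_positional(char *out, size_t n) {
    return snprintf(out, n, "%3$x %1$x %2$x", 0x11u, 0x22u, 0x33u);  /* "33 11 22" */
}

/* Input check usable at a trust boundary or in a log-inspection rule:
 * returns 1 if `s` holds a conversion directive (a '%' not immediately
 * followed by another '%'). "%%" is a literal percent and is not flagged. */
static int has_format_directive(const char *s) {
    for (; *s != '\0'; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* "%%": skip the escaped pair */
            s++;
            continue;
        }
        return 1;
    }
    return 0;
}

int main(void) {
    char buf[64];
    const char *user = "%3$x";                   /* constructed user input */

    demo_positional(buf, sizeof buf);
    printf("positional with real args : %s\n", buf);

    echo_fixed(buf, sizeof buf, user);
    printf("fixed echo of user input  : %s\n", buf);

    printf("directive in user input?  : %d\n", has_format_directive(user));
    printf("directive in \"100%%%% done\"?: %d\n", has_format_directive("100%% done"));

    /* Only directive-free text may ever reach the vulnerable form. */
    echo_vulnerable(buf, sizeof buf, "plain text");
    printf("vulnerable echo, safe text: %s\n", buf);
    return 0;
}
```

Build it with `gcc -Wall -Wformat -Wformat-security` and remove the pragma to see the compiler name the vulnerable call; that warning is the cheapest place to catch this bug. glibc's `-D_FORTIFY_SOURCE=2` adds a runtime check that aborts when a `%n` directive appears in a format string stored in writable memory, and Part 3 of this lab shows why stack canaries alone do not close the gap: a format leak reads the canary back out.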

Part 3: Two Phased Attack (2 points)

Description

  • Exploit the hextochar service by first identifying the canary and then performing a buffer overflow

Preamble

  • The assignment must be completed on the clone-2 saddleback VM which can be reached as follows:

    ssh -p 5555 saddleback.academy.usna.edu
    
  • The gitlab repository for this lab is found here:

    http://saddleback.academy.usna.edu/aviv/lab11.3
    

Instructions

  • Fork and clone the repository
  • You will find a source file for the hextochar service, which is running on port 9595 on clone 2 of saddleback.
  • The service is using stack guards as a protection
  • Your task is to use a format string attack to identify the canary and then use the canary value as part of a stack smashing attack
  • Once you've exploited the process, you should be able to reveal the flag here:

    cat /home/aviv/lab/11.3/flag
    
  • Place your exploit in a file called exploit.sh, such that when executed the secret flag is revealed.

    ./exploit.sh
    <FLAG>
    

    The exploit may contain a script (i.e., run the program multiple times)

Submission

  • You must submit at least two files:
    • flag : contents of the flag file
    • exploit.sh : which when run on clone 2, should reveal the flag

Hints

  • This is a two phased attack
  • All the source code is available for you, so practice the attack locally first and then go after the main one
  • Your shell code should be used to

Part 4: Formatting in the Blind (2 points)

Description

  • Write a format string attack that will execute the flag function to reveal a flag

Preamble

  • The assignment must be completed on the clone-2 saddleback VM which can be reached as follows:

    ssh -p 5555 saddleback.academy.usna.edu
    
  • The gitlab repository for this lab is found here:

    http://saddleback.academy.usna.edu/aviv/lab11.4
    

Instructions

  • Fork and clone the repository
  • You will find a source file for the vulnerable program
  • Your task is to exploit the version of the program found on the clone-2 saddleback VM at this location:

    /home/aviv/lab/11.4/vulnerable
    
  • Once you've successfully exploited the program to overwrite the return address of foo() to flag(), the flag should be revealed.
  • Place your exploit format in a file called exploit.txt

Submission

  • You must submit at least two files:
    • flag : contents of the flag file
    • exploit.txt : the format you used in the exploit

Hints

  • You'll need to do some detective work for this one by running a copy in gdb to determine an offset to the address of the return address of foo based on something that can be revealed via a format. For example, if the format %0x prints an address on the stack, how far is that address offset from the return address in gdb? Then you can run it outside of gdb to determine the address of the return address.
  • When you are doing your probing, be sure to use a format string that is of the same length as your eventual format so you don't need to do any recalculations.

Part 5: Launching Shells in the Blind (3 points)

Description

  • Write a format string attack that will launch a shell such that you can retrieve the flag

Preamble

  • You should work and develop your exploit locally and then finish your exploit on the VM
  • The assignment must be completed on the clone-2 saddleback VM which can be reached as follows:

    ssh -p 5555 saddleback.academy.usna.edu
    
  • The gitlab repository for this lab is found here:

    http://saddleback.academy.usna.edu/aviv/lab11.5
    

Instructions

  • Fork and clone the repository
  • You will find a source file with the vulnerable program, which you can compile and test with before moving to the saddleback VM
  • Your task is to exploit the version of the program found on the clone-2 saddleback VM at this location:

    /home/aviv/lab/11.5/vulnerable
    
  • Once you've successfully exploited the program such that a shell is launched, you can reveal the flag via:

    cat /home/aviv/lab/11.5/flag
    
  • Place your exploit format in a file called exploit.txt

Submission

  • You must submit at least two files:
    • flag : contents of the flag file
    • exploit.txt : the format you used in the exploit

Hints

  • You'll need to do some detective work again (see 11.4 for a hint on that), but this time you need to overwrite the return address to point somewhere into your input buffer. You can use a similar technique as in lab 11.4 for this by calculating an offset to an address that is revealed via a format directive.
  • When you are doing your probing, be sure to use a format string that is of the same length as your eventual format including the shell code so you don't need to do any recalculations.