This shows you the differences between two versions of the page.
cns:assignments:assignment-0 [2013/10/19 15:38] lucian.cojocar [Hints] |
— (current) | ||
---|---|---|---|
Line 1: | Line 1: | ||
- | ====== Assignment 0 ====== | ||
- | <note important>**Deadline: Sun, Oct 27, 23:59 EEST**</note> | ||
- | ===== str-pass (1 pt.) ===== | ||
- | |||
- | Obtain access. Use only ''strings''. Getting the password might not be trivial. | ||
- | |||
- | ==== What to submit ==== | ||
- | |||
- | A shell script that finds and displays the username and the password - each on its own line. Name it ''str-pass.sh''. The script will receive the path to the binary as its first argument. Again, you will only be able to call ''strings'' and the binary. Keep in mind that things change on our testing infrastructure - make it work with any password. | ||
- | ===== gdb-sha1 (3 pts.) ===== | ||
- | |||
- | Let's play with GDB. This binary computes the SHA-1 hash of some input, but if you send him a signal at the right time, it will also compute a special hash. Make a GDB script/commands file that goes through the following steps (you can add more stuff if you want): | ||
- | - catch the ''read()'' syscall (only the one called when reading the data to be hashed) | ||
- | - break **before** the call to ''compute_hash()'' (you should still be in ''main()'') | ||
- | - print the 5 instructions before the current instruction pointer | ||
- | - break on ''printf'' calls when the special/reversed hash mode is active; print the current frame and EIP each time this breakpoint triggers | ||
- | - break on ''malloc''; print the return value after ''malloc'' is done | ||
- | - break **after** ''malloc'' call (in ''compute_hash()'') and print the stack, the registers and the last 3 frames | ||
- | - move to the previous frame; print registers | ||
- | - move back; print locals and arguments | ||
- | - remove all breakpoints, catchpoints and watchpoints | ||
- | - __rerun__ | ||
- | - watch for mode changes | ||
- | - send the required signal | ||
- | - __rerun__; trigger the mode change **without** sending the signal | ||
- | - break somewhere; print the memory where the intro message is held in hex | ||
- | - __rerun__; break **after** ''compute_hash()'' (in ''main()'') | ||
- | - print the heap section holding the hash in hex | ||
- | - __rerun__; trigger the mode change; break just before main has finished | ||
- | - get the hash from stdout; find it in memory using GDB (you can call, from GDB, a small shell/Python script to make format conversions) | ||
- | |||
- | ==== Tips ==== | ||
- | * Use source code line numbers and/or addresses when you cannot use the symbols. | ||
- | * You can redirect all GDB and the binary's outputs to files. | ||
- | * On Ubuntu/Debian x86_64: You will need libssl-dev:i386. Installing that might uninstall the 64-bit libssl. Be sure to reinstall it after you finish. We tested with libssl-dev:i386 1.0.1c-4ubuntu8.1 on Ubuntu Raring. | ||
- | ==== Bonus ==== | ||
- | * Write everything in Python and run the script with GDB's interpreter. | ||
- | |||
- | ==== What to submit ==== | ||
- | |||
- | The GDB script/commands file or the Python script (for bonus). Any aditional scripts called from GDB should also be submitted. Your submission will be run as follows, in the directory containing the ''hasher'' binary: | ||
- | * normal: ''gdb -q <nowiki>--</nowiki>command=gdb-sha1.gdb'' | ||
- | * bonus: ''gdb -q -x gdb-sha1.py'' | ||
- | |||
- | |||
- | ===== rev-this (3 pts.) ===== | ||
- | Can you //guess// the ''Username'' and the ''Password'' that this program is using? You'll have to read some assembly code in order to solve this task. The ''username'', the ''password'' **and** the key (''A_KEY_THAT_YOU_LL_NEVER_GET...REALLY'') are randomly generated each time the binary is tested by our system. | ||
- | ==== What to submit ==== | ||
- | |||
- | A python script that prints to stdout (in binary format, no newline) the //correct// string that has to be used as input by ''rev-this''. A //correct// input will make the program to show the OK message. The submited python script will receive, as first argument, the path to the ''rev-this'' binary. | ||
- | |||
- | ===== png-bof (3 pts.) ===== | ||
- | There is a buffer overflow in this program, can you trigger it? You'll have to understand a protocol, ''*trace'' is your friend. | ||
- | |||
- | **Note:** a failed assertion is **not** a buffer overflow. You should be able to trigger a **''SIGSEGV''**. | ||
- | |||
- | ==== What to submit ==== | ||
- | |||
- | A python script that prints to stdout (in binary format, no newline) the //correct// string that has to be used as input by ''png-bof''. A //correct// input will force the program to crash with a **''SIGSEGV''**. | ||
- | |||
- | ===== Submission ===== | ||
- | The submission will made through [[https://vmchecker.cs.pub.ro|VMchecker]] interface. | ||
- | |||
- | ==== Archive format ==== | ||
- | The archive will contain //at least// the following 5 files: | ||
- | ''README'' | ||
- | ''gdb-sha1.gdb'' | ||
- | ''str-pass.sh'' | ||
- | ''rev-this.py'' | ||
- | ''png-bof.py'' | ||
- | |||
- | |||
- | **Note**: the python version from the machine is: 2.6.6. The machine is a 32bit Ubuntu based machine. | ||
- | |||
- | ==== README ==== | ||
- | |||
- | Shortly describe your approach for each task. If some details are not clear you can ask us or make some assumptions. Describe the assumptions in the ''README'' file. | ||
- | |||
- | === Example === | ||
- | |||
- | <code> | ||
- | |||
- | foo-bar | ||
- | -------- | ||
- | |||
- | objdump can be used to disassemble the binary. I found an overflow | ||
- | when reading into the input buffer (see snippet below). We can | ||
- | generate an attack string with the following format: [FORMAT]. | ||
- | |||
- | [assembly snippet showing the ovf] | ||
- | |||
- | I am not sure if the UNIVERSAL answer is 41 or 42, but I tried using | ||
- | 42 and seems to work. Further investigation into why this is the case | ||
- | might be needed. Tests pass just fine. | ||
- | |||
- | </code> | ||
- | ===== Files ===== | ||
- | {{:cns:resurse:cns-assignment-0.v47-g2778188.tar.gz|}} | ||
- | |||
- | Last version SHA1: ''87f74e7d3fa4d501b38001778084ba52d5838a1a'' | ||
- | |||
- | If you encounter problems, please make sure you are working with the latest version. | ||
- | |||
- | ==== Updates Log ==== | ||
- | |||
- | * Oct 15 22:24: Two x86-64 binaries (str-pass & png-bof) replaced by x86. Same functionality. | ||
- | ===== Hints/Clarifications ===== | ||
- | If you are really stuck or think that there is a bug in the assignment feel free to ask the [[oss-support@cursuri.cs.pub.ro | OSS Team]]. Keep in mind that we wont give solutions but rather hints. We will answer in **less than one day** and update this page accordingly. | ||
- | |||
- | === rev-this === | ||
- | The ''username'', the ''password'' **and** the key (''A_KEY_THAT_YOU_LL_NEVER_GET...REALLY'') are randomly generated each time the binary is tested by our system. |
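Review bot: this hunk deletes the whole page body with no replacement, which also drops the ''Files'' entry with its archive SHA1 (''87f74e7d3fa4d501b38001778084ba52d5838a1a''), the ''Updates Log'' and the ''Hints/Clarifications'' section that students were told would be kept up to date; if the assignment is being retired, leave a one-line pointer to its successor rather than an empty page, and if the content is only being moved, keep the SHA1 and the five-file submission list so already-downloaded archives can still be verified against it. If the text is restored elsewhere, the spelling slips in the removed lines ("aditional", "submited", "wont", "The submission will made") should be fixed on the way.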