Obtain access. Use only strings. Getting the password might not be trivial.

A shell script that finds and displays the username and the password - each on its own line. Name it str-pass.sh. The script will receive the path to the binary as its first argument. Again, you will only be able to call strings and the binary. Keep in mind that things change on our testing infrastructure - make it work with any password.

Let's play with GDB. This binary computes the SHA-1 hash of some input, but if you send him a signal at the right time, it will also compute a special hash. Make a GDB script/commands file that goes through the following steps (you can add more stuff if you want):

1. catch the read() syscall (only the one called when reading the data to be hashed)
2. break before the call to compute_hash() (you should still be in main())
3. print the 5 instructions before the current instruction pointer
4. break on printf calls when the special/reversed hash mode is active; print the current frame and EIP each time this breakpoint triggers
5. break on malloc; print the return value after malloc is done
6. break after malloc call (in compute_hash()) and print the stack, the registers and the last 3 frames
7. move to the previous frame; print registers
8. move back; print locals and arguments
9. remove all breakpoints, catchpoints and watchpoints
10. rerun
11. watch for mode changes
12. send the required signal
13. rerun; trigger the mode change without sending the signal
14. break somewhere; print the memory where the intro message is held in hex
15. rerun; break after compute_hash() (in main())
16. print the heap section holding the hash in hex
17. rerun; trigger the mode change; break just before main has finished
18. get the hash from stdout; find it in memory using GDB (you can call, from GDB, a small shell/Python script to make format conversions)

• Use source code line numbers and/or addresses when you cannot use the symbols.
• You can redirect all GDB and the binary's outputs to files.
• On Ubuntu/Debian x86_64: You will need libssl-dev:i386. Installing that might uninstall the 64-bit libssl. Be sure to reinstall it after you finish. We tested with libssl-dev:i386 1.0.1c-4ubuntu8.1 on Ubuntu Raring.

• Write everything in Python and run the script with GDB's interpreter.

The GDB script/commands file or the Python script (for bonus). Any aditional scripts called from GDB should also be submitted. Your submission will be run as follows, in the directory containing the hasher binary:

• normal: gdb -q --command=gdb-sha1.gdb
• bonus: gdb -q -x gdb-sha1.py

Can you guess the Username and the Password that this program is using? You'll have to read some assembly code in order to solve this task. The username, the password and the key (A_KEY_THAT_YOU_LL_NEVER_GET…REALLY) are randomly generated each time the binary is tested by our system.

A python script that prints to stdout (in binary format, no newline) the correct string that has to be used as input by rev-this. A correct input will make the program to show the OK message. The submited python script will receive, as first argument, the path to the rev-this binary.

There is a buffer overflow in this program, can you trigger it? You'll have to understand a protocol, *trace is your friend.

Note: a failed assertion is not a buffer overflow. You should be able to trigger a SIGSEGV.

A python script that prints to stdout (in binary format, no newline) the correct string that has to be used as input by png-bof. A correct input will force the program to crash with a SIGSEGV.

The submission will made through VMchecker interface.

The archive will contain at least the following 5 files: README gdb-sha1.gdb str-pass.sh rev-this.py png-bof.py

Note: the python version from the machine is: 2.6.6. The machine is a 32bit Ubuntu based machine.

Shortly describe your approach for each task. If some details are not clear you can ask us or make some assumptions. Describe the assumptions in the README file.

foo-bar
--------

objdump can be used to disassemble the binary. I found an overflow 
when reading into the input buffer (see snippet below). We can
generate an attack string with the following format: [FORMAT].

[assembly snippet showing the ovf]

I am not sure if the UNIVERSAL answer is 41 or 42, but I tried using
42 and seems to work. Further investigation into why this is the case
might be needed. Tests pass just fine.

cns-assignment-0.v47-g2778188.tar.gz

Last version SHA1: 87f74e7d3fa4d501b38001778084ba52d5838a1a

If you encounter problems, please make sure you are working with the latest version.

• Oct 15 22:24: Two x86-64 binaries (str-pass & png-bof) replaced by x86. Same functionality.

If you are really stuck or think that there is a bug in the assignment feel free to ask the OSS Team. Keep in mind that we wont give solutions but rather hints. We will answer in less than one day and update this page accordingly.