Differences
This shows you the differences between two versions of the page.
|
cns:labs:lab-01 [2019/10/05 12:38] cristina.popescu |
cns:labs:lab-01 [2021/10/12 16:07] (current) razvan.deaconescu [Tasks] |
||
|---|---|---|---|
| Line 1: | Line 1: | ||
| ====== Lab 01 - Introduction. Basic Exploration Tools ====== | ====== Lab 01 - Introduction. Basic Exploration Tools ====== | ||
| - | ===== Resources ===== | ||
| - | * [[https://eli.thegreenplace.net/2011/09/06/stack-frame-layout-on-x86-64|assembly calling convention on x64]] | ||
| - | * [[http://flint.cs.yale.edu/cs421/papers/x86-asm/asm.html|assembly calling convention on x86]] | ||
| - | * [[http://www.gnu.org/software/gdb/documentation/|gdb documentation]] | ||
| - | * [[http://unixhelp.ed.ac.uk/CGI/man-cgi?strings|strings (1) manual]] | ||
| - | * [[http://linuxcommand.org/man_pages/xxd1.html|xxd (1) manual]] | ||
| - | * [[http://stackoverflow.com/questions/2388595/perl-how-do-i-escape-encode-special-characters/2388736#2388736|Perl - How do I escape/encode special characters]] | ||
| - | * [[http://stackoverflow.com/questions/7668919/sending-hex-packets-in-python/7668943#7668943|Sending hex packets in Python]] | ||
| - | * [[http://www.python.org/dev/peps/pep-0223/|Hex escape strings in Python]] | ||
| - | * [[http://linux.die.net/man/1/strace|strace (1) manual]] | ||
| - | * [[http://linux.die.net/man/1/objdump|objdump (1) manual]] | ||
| - | * [[http://unixhelp.ed.ac.uk/CGI/man-cgi?nm|nm (1) manual]] | ||
| - | * [[http://man7.org/linux/man-pages/man8/ld.so.8.html|ld.so (8) manual]] | ||
| - | * [[https://github.com/radare/radare2/blob/master/doc/intro.md|Radare2 Cheatsheet]] | ||
| - | * For the bonus: | ||
| - | * [[http://ftp.jaist.ac.jp/pub/raspberrypi/raspbian/images/raspbian-2015-05-07/|Linux ARM Raspbian image]] | ||
| - | * [[https://github.com/dhruvvyas90/qemu-rpi-kernel/blob/master/kernel-qemu-3.10.25-wheezy|Linux ARM kernel image]] | ||
| - | ===== Supporting files ===== | ||
| - | |||
| - | [[http://elf.cs.pub.ro/oss/res/labs/lab-01.tar.gz|Lab archive]] | ||
| ===== Introduction ===== | ===== Introduction ===== | ||
| - | You will spend a large part of the labs and assignments working with *binaries*; in some of the cases we will also provide you with source code. You will have to find vulnerabilities in those binaries, then (possibly) exploit them and (possibly) fix the vulnerabilities in order to illustrate various secure coding practices. To achieve this, first you need to get comfortable with at least some of the common tools that are right for the job. | + | You will spend a large part of the labs and assignments working with **binaries**; in some of the cases we will also provide you with source code. You will have to find vulnerabilities in those binaries, then (possibly) exploit them and (possibly) fix the vulnerabilities in order to illustrate various secure coding practices. To achieve this, first you need to get comfortable with at least some of the common tools that are right for the job. |
| In the introductory lab we'll spice things up a bit by providing some simple binaries (with no source code) for you to play with. In order to solve the lab, you'll have to perform both **static analysis** and **dynamic analysis** on said binaries. | In the introductory lab we'll spice things up a bit by providing some simple binaries (with no source code) for you to play with. In order to solve the lab, you'll have to perform both **static analysis** and **dynamic analysis** on said binaries. | ||
| - | If you're too comfortable with the x86 architecture and feel that you could use some challenge, the [[http://elf.cs.pub.ro/oss/res/labs/lab-01.tar.gz|lab archive]] also contains the binaries compiled for ARM. You can try them out by running a Raspbian image on [[http://www.unixmen.com/emulating-raspbian-using-qemu/|QEMU]] ([[http://ftp.jaist.ac.jp/pub/raspberrypi/raspbian/images/raspbian-2015-05-07/|Raspbian image]], [[https://github.com/dhruvvyas90/qemu-rpi-kernel/blob/master/kernel-qemu-3.10.25-wheezy|Linux kernel image]]). | + | For consistency we recommend you use the provided [[cns:resources:vm|Kali Virtual Machine]] for all the labs from this point forward. |
| - | ===== 1. even-password ===== | + | |
| + | As a bonus the same tasks in this lab are compiled for the ARM architecture, you can use the [[cns:resources:vm|Debian ARM Virtual Machine]] for these tasks. | ||
| + | |||
| + | ===== Tasks ===== | ||
| + | |||
| + | All content necessary for the CNS laboratory tasks can be found in [[cns:resources:repo|the CNS public repository]], in the ''labs/01-introduction/'' folder. | ||
| + | |||
| + | ==== 1. even-password ==== | ||
| GLaDOS' binary ''even-password'' is asking you to provide a password: | GLaDOS' binary ''even-password'' is asking you to provide a password: | ||
| Line 71: | Line 58: | ||
| </code> | </code> | ||
| - | ===== 2. odd-password ===== | + | ==== 2. odd-password ==== |
| Same as the previous task, only this time the password is a non-ASCII string. The following approach should work: | Same as the previous task, only this time the password is a non-ASCII string. The following approach should work: | ||
| Line 85: | Line 72: | ||
| <code> | <code> | ||
| $ # python | $ # python | ||
| - | $ python -c 'print ("\x02"*20 + "\x03")' # output 0x02 20 times, followed by 0x03 and a newline | + | $ python -c 'import sys; sys.stdout.buffer.write(b"\x02"*20 + b"\x03")' # output 0x02 20 times, followed by 0x03 and a newline |
| $ # perl | $ # perl | ||
| Line 92: | Line 79: | ||
| For more complex strings, consider putting everything in a (Python or Perl) script. | For more complex strings, consider putting everything in a (Python or Perl) script. | ||
| - | ===== 3. halting-problem ===== | + | |
| + | ==== 3. halting-problem ==== | ||
| Disassemble ''halting-problem'' and take a look at it: | Disassemble ''halting-problem'' and take a look at it: | ||
| Line 133: | Line 121: | ||
| To find the code, you can search for the opcodes (use ''pd 2@addr'' and ''px'' to see the exact values). | To find the code, you can search for the opcodes (use ''pd 2@addr'' and ''px'' to see the exact values). | ||
| - | ===== 4. straceme ===== | + | |
| + | ==== 4. straceme ==== | ||
| Use only dynamic analysis to figure out what ''straceme'' does. First ''strace'' it: | Use only dynamic analysis to figure out what ''straceme'' does. First ''strace'' it: | ||
| Line 152: | Line 141: | ||
| </code> | </code> | ||
| - | If we run the program a couple of times, we observe that the condition for ''cmpl $0x2,-0x44(%rbp)'' fails. Let's inspect that address: | + | If we run the program a couple of times, we observe that the condition for ''cmp DWORD PTR [rbp-0x54],0x2'' fails. Let's inspect that address: |
| <code> | <code> | ||
| Line 162: | Line 151: | ||
| After figuring that out, run the program with ''strace'' again to determine the password. | After figuring that out, run the program with ''strace'' again to determine the password. | ||
| - | ===== 5. guesser ===== | + | |
| + | ==== 5. guesser ==== | ||
| ''guesser'' reads an ''unsigned int'' from ''/dev/urandom'' and asks you to guess it. | ''guesser'' reads an ''unsigned int'' from ''/dev/urandom'' and asks you to guess it. | ||
| Line 171: | Line 161: | ||
| - Resume the program's execution and input the random value | - Resume the program's execution and input the random value | ||
| - | ===== 6. Extra: ARM Tasks ===== | + | ==== 6. Extra: ARM Tasks ==== |
| Try the above tasks using the ARM binaries. For static analysis you can use Radare2 directly on the host machine. For the other tools (gdb, strace, objdump) you can use the QEMU setup described in the introduction. | Try the above tasks using the ARM binaries. For static analysis you can use Radare2 directly on the host machine. For the other tools (gdb, strace, objdump) you can use the QEMU setup described in the introduction. | ||
| - | - For scrolling in the QEMU VM you can use ''Shift PageUp'' and ''Shift PageDown''. | + | |
| - | - In order to copy the lab binaries in the QEMU machine, you can temporary mount and update the RPI image. | + | ===== Resources ===== |
| - | <code> | + | * [[https://cs.brown.edu/courses/cs033/docs/guides/x64_cheatsheet.pdf|assembly calling convention on x64]] |
| - | $ file 2015-05-05-raspbian-wheezy.img | + | * [[http://flint.cs.yale.edu/cs421/papers/x86-asm/asm.html|assembly calling convention on x86]] |
| - | ;; From the output of the file command, take the partition 2 'startsector' | + | * [[http://www.gnu.org/software/gdb/documentation/|gdb documentation]] |
| - | ;; value an multiply by 512, and use this figure as the offset value in the mount command below. | + | * [[http://unixhelp.ed.ac.uk/CGI/man-cgi?strings|strings (1) manual]] |
| - | $ sudo mount 2015-05-05-raspbian-wheezy.img -o offset=62914560 /mnt | + | * [[http://linuxcommand.org/man_pages/xxd1.html|xxd (1) manual]] |
| - | ;; Add the tasks in the filesystem mounted in /mnt. | + | * [[http://stackoverflow.com/questions/2388595/perl-how-do-i-escape-encode-special-characters/2388736#2388736|Perl - How do I escape/encode special characters]] |
| - | $ sudo umount 2015-05-05-raspbian-wheezy.img /mnt | + | * [[http://stackoverflow.com/questions/7668919/sending-hex-packets-in-python/7668943#7668943|Sending hex packets in Python]] |
| - | </code> | + | * [[http://www.python.org/dev/peps/pep-0223/|Hex escape strings in Python]] |
| + | * [[http://linux.die.net/man/1/strace|strace (1) manual]] | ||
| + | * [[http://linux.die.net/man/1/objdump|objdump (1) manual]] | ||
| + | * [[http://unixhelp.ed.ac.uk/CGI/man-cgi?nm|nm (1) manual]] | ||
| + | * [[http://man7.org/linux/man-pages/man8/ld.so.8.html|ld.so (8) manual]] | ||
| + | * [[https://github.com/radare/radare2/blob/master/doc/intro.md|Radare2 Cheatsheet]] | ||
| + | * For the bonus: | ||
| + | * [[http://ftp.jaist.ac.jp/pub/raspberrypi/raspbian/images/raspbian-2015-05-07/|Linux ARM Raspbian image]] | ||
| + | * [[https://github.com/dhruvvyas90/qemu-rpi-kernel/blob/master/kernel-qemu-3.10.25-wheezy|Linux ARM kernel image]] | ||
