Differences
This shows you the differences between two versions of the page.
|
cns:labs:lab-01 [2020/10/11 14:05] mihai.dumitru2201 [4. straceme] use intel syntax |
cns:labs:lab-01 [2021/10/12 16:07] (current) razvan.deaconescu [Tasks] |
||
|---|---|---|---|
| Line 8: | Line 8: | ||
| In the introductory lab we'll spice things up a bit by providing some simple binaries (with no source code) for you to play with. In order to solve the lab, you'll have to perform both **static analysis** and **dynamic analysis** on said binaries. | In the introductory lab we'll spice things up a bit by providing some simple binaries (with no source code) for you to play with. In order to solve the lab, you'll have to perform both **static analysis** and **dynamic analysis** on said binaries. | ||
| - | If you're too comfortable with the x86 architecture and feel that you could use some challenge, the [[http://elf.cs.pub.ro/oss/res/labs/lab-01.tar.gz|lab archive]] also contains the binaries compiled for ARM. You can try them out by running a Raspbian image on [[http://www.unixmen.com/emulating-raspbian-using-qemu/|QEMU]] ([[http://ftp.jaist.ac.jp/pub/raspberrypi/raspbian/images/raspbian-2015-05-07/|Raspbian image]], [[https://github.com/dhruvvyas90/qemu-rpi-kernel/blob/master/kernel-qemu-3.10.25-wheezy|Linux kernel image]]). | + | For consistency we recommend you use the provided [[cns:resources:vm|Kali Virtual Machine]] for all the labs from this point forward. |
| - | ===== 1. even-password ===== | + | |
| + | As a bonus the same tasks in this lab are compiled for the ARM architecture, you can use the [[cns:resources:vm|Debian ARM Virtual Machine]] for these tasks. | ||
| + | |||
| + | ===== Tasks ===== | ||
| + | |||
| + | All content necessary for the CNS laboratory tasks can be found in [[cns:resources:repo|the CNS public repository]], in the ''labs/01-introduction/'' folder. | ||
| + | |||
| + | ==== 1. even-password ==== | ||
| GLaDOS' binary ''even-password'' is asking you to provide a password: | GLaDOS' binary ''even-password'' is asking you to provide a password: | ||
| Line 51: | Line 58: | ||
| </code> | </code> | ||
| - | ===== 2. odd-password ===== | + | ==== 2. odd-password ==== |
| Same as the previous task, only this time the password is a non-ASCII string. The following approach should work: | Same as the previous task, only this time the password is a non-ASCII string. The following approach should work: | ||
| Line 65: | Line 72: | ||
| <code> | <code> | ||
| $ # python | $ # python | ||
| - | $ python -c 'print ("\x02"*20 + "\x03")' # output 0x02 20 times, followed by 0x03 and a newline | + | $ python -c 'import sys; sys.stdout.buffer.write(b"\x02"*20 + b"\x03")' # output 0x02 20 times, followed by 0x03 and a newline |
| $ # perl | $ # perl | ||
| Line 72: | Line 79: | ||
| For more complex strings, consider putting everything in a (Python or Perl) script. | For more complex strings, consider putting everything in a (Python or Perl) script. | ||
| - | ===== 3. halting-problem ===== | + | |
| + | ==== 3. halting-problem ==== | ||
| Disassemble ''halting-problem'' and take a look at it: | Disassemble ''halting-problem'' and take a look at it: | ||
| Line 113: | Line 121: | ||
| To find the code, you can search for the opcodes (use ''pd 2@addr'' and ''px'' to see the exact values). | To find the code, you can search for the opcodes (use ''pd 2@addr'' and ''px'' to see the exact values). | ||
| - | ===== 4. straceme ===== | + | |
| + | ==== 4. straceme ==== | ||
| Use only dynamic analysis to figure out what ''straceme'' does. First ''strace'' it: | Use only dynamic analysis to figure out what ''straceme'' does. First ''strace'' it: | ||
| Line 142: | Line 151: | ||
| After figuring that out, run the program with ''strace'' again to determine the password. | After figuring that out, run the program with ''strace'' again to determine the password. | ||
| - | ===== 5. guesser ===== | + | |
| + | ==== 5. guesser ==== | ||
| ''guesser'' reads an ''unsigned int'' from ''/dev/urandom'' and asks you to guess it. | ''guesser'' reads an ''unsigned int'' from ''/dev/urandom'' and asks you to guess it. | ||
| Line 151: | Line 161: | ||
| - Resume the program's execution and input the random value | - Resume the program's execution and input the random value | ||
| - | ===== 6. Extra: ARM Tasks ===== | + | ==== 6. Extra: ARM Tasks ==== |
| Try the above tasks using the ARM binaries. For static analysis you can use Radare2 directly on the host machine. For the other tools (gdb, strace, objdump) you can use the QEMU setup described in the introduction. | Try the above tasks using the ARM binaries. For static analysis you can use Radare2 directly on the host machine. For the other tools (gdb, strace, objdump) you can use the QEMU setup described in the introduction. | ||
| - | - For scrolling in the QEMU VM you can use ''Shift PageUp'' and ''Shift PageDown''. | ||
| - | - In order to copy the lab binaries in the QEMU machine, you can temporary mount and update the RPI image. | ||
| - | <code> | ||
| - | $ file 2015-05-05-raspbian-wheezy.img | ||
| - | ;; From the output of the file command, take the partition 2 'startsector' | ||
| - | ;; value an multiply by 512, and use this figure as the offset value in the mount command below. | ||
| - | $ sudo mount 2015-05-05-raspbian-wheezy.img -o offset=62914560 /mnt | ||
| - | ;; Add the tasks in the filesystem mounted in /mnt. | ||
| - | $ sudo umount 2015-05-05-raspbian-wheezy.img /mnt | ||
| - | </code> | ||
| ===== Resources ===== | ===== Resources ===== | ||
| Line 183: | Line 183: | ||
| * [[http://ftp.jaist.ac.jp/pub/raspberrypi/raspbian/images/raspbian-2015-05-07/|Linux ARM Raspbian image]] | * [[http://ftp.jaist.ac.jp/pub/raspberrypi/raspbian/images/raspbian-2015-05-07/|Linux ARM Raspbian image]] | ||
| * [[https://github.com/dhruvvyas90/qemu-rpi-kernel/blob/master/kernel-qemu-3.10.25-wheezy|Linux ARM kernel image]] | * [[https://github.com/dhruvvyas90/qemu-rpi-kernel/blob/master/kernel-qemu-3.10.25-wheezy|Linux ARM kernel image]] | ||
| - | |||
| - | ===== Supporting files ===== | ||
| - | |||
| - | [[http://elf.cs.pub.ro/oss/res/labs/lab-01.tar.gz|Lab archive]] | ||
