Differences
This shows you the differences between two versions of the page.
|
cns:labs:lab-13 [2017/01/10 14:24] lucian.mogosanu [Tutorial: Symbolic Execution using Angr] |
cns:labs:lab-13 [2019/12/08 15:19] (current) dennis.plosceanu |
||
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | ====== Lab 13 - Advanced Binary Analysis ====== | + | ====== Extra - Advanced Binary Analysis ====== |
| ===== Resources ===== | ===== Resources ===== | ||
| Line 16: | Line 16: | ||
| ===== Lab Support Files ===== | ===== Lab Support Files ===== | ||
| - | TODO | + | We will use this [[http://elf.cs.pub.ro/oss/res/labs/lab-13.tar.gz|lab archive]] throughout the lab. |
| + | Please download the lab archive an then unpack it using the commands below: | ||
| + | |||
| + | <code> | ||
| + | spyked@tuvok:~% wget http://elf.cs.pub.ro/oss/res/labs/lab-13.tar.gz | ||
| + | spyked@tuvok:~% tar xzf lab-13.tar.gz | ||
| + | </code> | ||
| + | |||
| + | After unpacking we will get the ''lab-13/'' folder that we will use for the lab: | ||
| + | |||
| + | <code> | ||
| + | spyked@tuvok:~% cd lab-13 | ||
| + | spyked@tuvok:~/lab-13% ls -F | ||
| + | 0-tutorial/ 1-baby-re/ 2-hash/ | ||
| + | </code> | ||
| ===== Introduction: Binary Analysis Techniques ===== | ===== Introduction: Binary Analysis Techniques ===== | ||
| Line 123: | Line 137: | ||
| Examples of symbolic execution engines include [[http://angr.io/|Angr]], [[https://klee.github.io/|KLEE]], [[http://www.cs.ubc.ca/labs/isd/Projects/Kite/|Kite]], [[https://users.ece.cmu.edu/~arebert/papers/mayhem-oakland-12.pdf|Mayhem]] and [[http://s2e.epfl.ch/|S2E]]. | Examples of symbolic execution engines include [[http://angr.io/|Angr]], [[https://klee.github.io/|KLEE]], [[http://www.cs.ubc.ca/labs/isd/Projects/Kite/|Kite]], [[https://users.ece.cmu.edu/~arebert/papers/mayhem-oakland-12.pdf|Mayhem]] and [[http://s2e.epfl.ch/|S2E]]. | ||
| - | ===== Tutorial: Symbolic Execution using Angr ===== | + | ===== Tutorial: Symbolic Execution using Angr [2p] ===== |
| First, install angr. See [[http://angr.io/install.html|http://angr.io/install.html]]. | First, install angr. See [[http://angr.io/install.html|http://angr.io/install.html]]. | ||
| + | |||
| + | <note important> | ||
| + | Make sure you grab all the dependencies, as per [[https://docs.angr.io/INSTALL.html|the documentation]]: | ||
| + | |||
| + | <code> | ||
| + | sudo apt-get install python-dev libffi-dev build-essential virtualenvwrapper | ||
| + | </code> | ||
| + | </note> | ||
| <note important> | <note important> | ||
| Line 159: | Line 181: | ||
| For more details, refer to the [[http://docs.python-guide.org/en/latest/dev/virtualenvs/|Python virtualenv guide]]. | For more details, refer to the [[http://docs.python-guide.org/en/latest/dev/virtualenvs/|Python virtualenv guide]]. | ||
| + | </note> | ||
| + | |||
| + | <note important> | ||
| + | If you get the following message when you try to run ''solve.py'': | ||
| + | |||
| + | <code> | ||
| + | ... | ||
| + | ImportError: cannot import name arm | ||
| + | </code> | ||
| + | |||
| + | Try applying the workaround from this GitHub issue: [[https://github.com/angr/angr/issues/52#issuecomment-169509200|https://github.com/angr/angr/issues/52#issuecomment-169509200]] | ||
| </note> | </note> | ||
| Line 272: | Line 305: | ||
| segmentation fault | segmentation fault | ||
| </code> | </code> | ||
| + | |||
| + | <note warning> | ||
| + | It may be that above so many NUL-bytes will not work properly under Bash. So you can replace that with a command such as the one below<code> | ||
| + | $ ./level07 -2147483627 $(python -c 'print "A"*40 + "FLOW"') | ||
| + | WIN! | ||
| + | segmentation fault | ||
| + | </code> | ||
| + | </note> | ||
| <note important> | <note important> | ||
| Line 278: | Line 319: | ||
| ===== Tasks ===== | ===== Tasks ===== | ||
| - | ==== 0. Extra: Feedback ==== | + | ==== 0. Extra: Feedback [2p] ==== |
| We value your opinions and input on improving the Computer and Network Security class (CNS) and its | We value your opinions and input on improving the Computer and Network Security class (CNS) and its | ||
| Line 289: | Line 330: | ||
| Thank you! | Thank you! | ||
| - | ==== 1. baby-re ==== | + | ==== 1. baby-re [3p] ==== |
| We're given a binary (''1-baby-re/baby-re'') that we want to reverse engineer, the end result being a **flag**. Running the program, we see that it asks us for some inputs: | We're given a binary (''1-baby-re/baby-re'') that we want to reverse engineer, the end result being a **flag**. Running the program, we see that it asks us for some inputs: | ||
| Line 375: | Line 416: | ||
| Given this information, **your task** is to fill in ''solve_skel.py'' with an angr script that solves the riddle and makes the program print out the flag. Remember that in this case we don't need to find out the exact inputs that print out the solution; we only care about **the flag**, which is printed to standard output (''path_groups.found[0].state.posix.dumps(1)''). | Given this information, **your task** is to fill in ''solve_skel.py'' with an angr script that solves the riddle and makes the program print out the flag. Remember that in this case we don't need to find out the exact inputs that print out the solution; we only care about **the flag**, which is printed to standard output (''path_groups.found[0].state.posix.dumps(1)''). | ||
| - | ==== 2. hash ==== | + | |
| + | <note tip> | ||
| + | The typical symbolic execution run can take minutes, if not hours or days to complete. The exploration for this task may take around 5 to 10 minutes to run, so make sure to **carefully verify your script** before running it. | ||
| + | </note> | ||
| + | ==== 2. hash [5p] ==== | ||
| + | |||
| + | Switch to ''2-hash''. The task performs a hash on the input and overwrites the return address with the function output. Use this to jump to the ''win'' function. | ||
| + | |||
| + | - **Solve the task by hand [2p]** | ||
| + | - **Solve the task using the provided angr skeleton script [3p]** | ||
| + | |||
| + | <note tip> | ||
| + | What properties do hash functions have in general? What properties do you think the hash function ''hash'' has? For the first part of the task, you might be able to get away with brute-forcing the hash inverse. | ||
| + | </note> | ||
| + | |||
| + | <note tip> | ||
| + | ''scanf'' might behave oddly when we try to execute it symbolically. We're not interested in it: we just want to execute ''hash'' and find the input argument (the 8-byte value stored on the stack) for which the output (the value in ''eax'' at the end of the function/after returning from it) has a particular value. | ||
| + | |||
| + | The angr skeleton script (''skel.py'') captures this pattern very well, so you need to just look for the right addresses in the binary and make sure you understand what is it that is set as input, explored, solved, etc. | ||
| + | </note> | ||
