This shows you the differences between two versions of the page.
| | cns:labs:lab-13 [2017/01/11 14:54] lucian.mogosanu [Lab Support Files] | | cns:labs:lab-13 [2019/12/08 15:19] (current) dennis.plosceanu |
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | ====== Lab 13 - Advanced Binary Analysis ====== | + | ====== Extra - Advanced Binary Analysis ====== |
| ===== Resources ===== | ===== Resources ===== | ||
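Review bot: the title changes from "Lab 13" to "Extra" while the page keeps the id `cns:labs:lab-13` and the task headings below keep their lab-style numbering; mention in the intro that this is the former Lab 13 (or update links that still refer to it by number) so readers following old references are not confused.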
| Line 137: | Line 137: | ||
| Examples of symbolic execution engines include [[http://angr.io/|Angr]], [[https://klee.github.io/|KLEE]], [[http://www.cs.ubc.ca/labs/isd/Projects/Kite/|Kite]], [[https://users.ece.cmu.edu/~arebert/papers/mayhem-oakland-12.pdf|Mayhem]] and [[http://s2e.epfl.ch/|S2E]]. | Examples of symbolic execution engines include [[http://angr.io/|Angr]], [[https://klee.github.io/|KLEE]], [[http://www.cs.ubc.ca/labs/isd/Projects/Kite/|Kite]], [[https://users.ece.cmu.edu/~arebert/papers/mayhem-oakland-12.pdf|Mayhem]] and [[http://s2e.epfl.ch/|S2E]]. | ||
| - | ===== Tutorial: Symbolic Execution using Angr ===== | + | ===== Tutorial: Symbolic Execution using Angr [2p] ===== |
| First, install angr. See [[http://angr.io/install.html|http://angr.io/install.html]]. | First, install angr. See [[http://angr.io/install.html|http://angr.io/install.html]]. | ||
| + | |||
| + | <note important> | ||
| + | Make sure you grab all the dependencies, as per [[https://docs.angr.io/INSTALL.html|the documentation]]: | ||
| + | |||
| + | <code> | ||
| + | sudo apt-get install python-dev libffi-dev build-essential virtualenvwrapper | ||
| + | </code> | ||
| + | </note> | ||
| <note important> | <note important> | ||
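Review bot: the apt line in the new dependencies note installs `python-dev`, which on Debian/Ubuntu provides the Python 2 headers; state which Python version this angr setup targets (and use `python3-dev` if it is Python 3) so students do not create the virtualenv against the wrong interpreter, since the following note on virtualenvs assumes the right one is already in place.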
| Line 173: | Line 181: | ||
| For more details, refer to the [[http://docs.python-guide.org/en/latest/dev/virtualenvs/|Python virtualenv guide]]. | For more details, refer to the [[http://docs.python-guide.org/en/latest/dev/virtualenvs/|Python virtualenv guide]]. | ||
| + | </note> | ||
| + | |||
| + | <note important> | ||
| + | If you get the following message when you try to run ''solve.py'': | ||
| + | |||
| + | <code> | ||
| + | ... | ||
| + | ImportError: cannot import name arm | ||
| + | </code> | ||
| + | |||
| + | Try applying the workaround from this GitHub issue: [[https://github.com/angr/angr/issues/52#issuecomment-169509200|https://github.com/angr/angr/issues/52#issuecomment-169509200]] | ||
| </note> | </note> | ||
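Review bot: the new ImportError note delegates the fix entirely to an external GitHub comment; summarise the workaround inline (the note already quotes the error, so the reader should not have to leave the page) and keep the link only as a reference, since issue comments move or disappear. Also label the `...` line in the code block as elided traceback output, otherwise it reads as literal text to look for.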
| Line 286: | Line 305: | ||
| segmentation fault | segmentation fault | ||
| </code> | </code> | ||
| + | |||
| + | <note warning> | ||
| + | It may be that above so many NUL-bytes will not work properly under Bash. So you can replace that with a command such as the one below<code> | ||
| + | $ ./level07 -2147483627 $(python -c 'print "A"*40 + "FLOW"') | ||
| + | WIN! | ||
| + | segmentation fault | ||
| + | </code> | ||
| + | </note> | ||
| <note important> | <note important> | ||
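Review bot: the first line of the new warning runs the sentence straight into the `<code>` tag ("...such as the one below<code>"), which DokuWiki will render on one line; put `<code>` on its own line. The sentence should also say why the original fails: Bash cannot pass NUL bytes inside a command-line argument (argv entries are NUL-terminated strings, and command substitution drops NULs), which is why the shown command pads with 40 printable `A` bytes instead. Suggested wording: "Bash cannot pass NUL bytes in an argument, so the padding above may not work; use a command such as the one below instead:".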
| Line 292: | Line 319: | ||
| ===== Tasks ===== | ===== Tasks ===== | ||
| - | ==== 0. Extra: Feedback ==== | + | ==== 0. Extra: Feedback [2p] ==== |
| We value your opinions and input on improving the Computer and Network Security class (CNS) and its | We value your opinions and input on improving the Computer and Network Security class (CNS) and its | ||
| Line 303: | Line 330: | ||
| Thank you! | Thank you! | ||
| - | ==== 1. baby-re ==== | + | ==== 1. baby-re [3p] ==== |
| We're given a binary (''1-baby-re/baby-re'') that we want to reverse engineer, the end result being a **flag**. Running the program, we see that it asks us for some inputs: | We're given a binary (''1-baby-re/baby-re'') that we want to reverse engineer, the end result being a **flag**. Running the program, we see that it asks us for some inputs: | ||
| Line 393: | Line 420: | ||
| The typical symbolic execution run can take minutes, if not hours or days to complete. The exploration for this task may take around 5 to 10 minutes to run, so make sure to **carefully verify your script** before running it. | The typical symbolic execution run can take minutes, if not hours or days to complete. The exploration for this task may take around 5 to 10 minutes to run, so make sure to **carefully verify your script** before running it. | ||
| </note> | </note> | ||
| - | ==== 2. hash ==== | + | ==== 2. hash [5p] ==== |
| Switch to ''2-hash''. The task performs a hash on the input and overwrites the return address with the function output. Use this to jump to the ''win'' function. | Switch to ''2-hash''. The task performs a hash on the input and overwrites the return address with the function output. Use this to jump to the ''win'' function. | ||
| - | - **Solve the task by hand** | + | - **Solve the task by hand [2p]** |
| - | - **Solve the task using the provided angr skeleton script** | + | - **Solve the task using the provided angr skeleton script [3p]** |
| <note tip> | <note tip> | ||