SlideShare a Scribd company logo

4 Task 2- Understanding the Vulnerable Program The vulnerable program.pdf

A
atozshoppe

4 Task 2: Understanding the Vulnerable Program The vulnerable program used in this lab is called stack. c, which is in the code folder. This program has a buffer-overflow vulnerability, and your job is to exploit this vulnerability and gain the root privilege. The code listed below has some non-essential information removed, so it is slightly different from what you get from the lab setup file. Listing 2: The vulnerable program (stack. c) The above program has a buffer overflow vulnerability. It first reads an input from a file called badf ile, and then passes this input to another buffer in the function bof () . The original input can have a maximum length of 517 bytes, but the buffer in bof () is only BUF_SIZE bytes long, which is less than 517. Because strcpy () does not check boundaries, buffer overflow will occur. Since this program is a root- owned Set-UID program, if a normal user can exploit this buffer overflow vulnerability, the user might be able to get a root shell. It should be noted that the program gets its input from a file called badfile. This file is under users' control. Now, our objective is to create the contents for badfile, such that when the vulnerable program copies the contents into its buffer, a root shell can be spawned. Compilation. To compile the above vulnerable program, do not forget to turn off the StackGuard and the non-executable stack protections using the -fno-stack-protector and "-z execstack " options. After the compilation, we need to make the program a root-owned Set-UID program. We can achieve this by first change the ownership of the program to root (Line (1), and then change the permission to 4755 to enable the Set-UID bit (Line (2)). It should be noted that changing ownership must be done before turning on the Set-UID bit, because ownership change will cause the Set-UID bit to be turned off. The compilation and setup commands are already included in Makefile, so we just need to type make to execute those commands. The variables L1, ..., L4 are set in Makefile; they will be used during the compilation. We have chosen a different set of values for these variables, you need to change them in Makefile. The values are listed below: - L1: 100 - L2: 150 - L3: 200 - L4: 10 5 Task 3: Launching Attack on 32-bit Program (Level 1) 5.1 Investigation To exploit the buffer-overflow vulnerability in the target program, the most important thing to know is the distance between the buffer's starting position and the place where the return-address is stored. We will use a debugging method to find it out. Since we have the source code of the target program, we can compile it with the debugging flag turned on. That will make it more convenient to debug. We will add the g flag to gcc command, so debugging information is added to the binary. If you run make, the debugging version is already created. We will use gdb to debug stack-L1-dbg. We need to create a file called badfile before running the program. Note 1. When gdb .

Education
1 of 2
Download to read offline
4 Task 2: Understanding the Vulnerable Program The vulnerable program used in this lab is called stack. c, which is in the code folder. This program has a buffer-overflow vulnerability, and your job is to exploit this vulnerability and gain the root privilege. The code listed below has some non-essential information removed, so it is slightly different from what you get from the lab setup file. Listing 2: The vulnerable program (stack. c) The above program has a buffer overflow vulnerability. It first reads an input from a file called badf ile, and then passes this input to another buffer in the function bof () . The original input can have a maximum length of 517 bytes, but the buffer in bof () is only BUF_SIZE bytes long, which is less than 517. Because strcpy () does not check boundaries, buffer overflow will occur. Since this program is a root- owned Set-UID program, if a normal user can exploit this buffer overflow vulnerability, the user might be able to get a root shell. It should be noted that the program gets its input from a file called badfile. This file is under users' control. Now, our objective is to create the contents for badfile, such that when the vulnerable program copies the contents into its buffer, a root shell can be spawned. Compilation. To compile the above vulnerable program, do not forget to turn off the StackGuard and the non-executable stack protections using the -fno-stack-protector and "-z execstack " options. After the compilation, we need to make the program a root-owned Set-UID program. We can achieve this by first change the ownership of the program to root (Line (1), and then change the permission to 4755 to enable the Set-UID bit (Line (2)). It should be noted that changing ownership must be done before turning on the Set-UID bit, because ownership change will cause the Set-UID bit to be turned off. The compilation and setup commands are already included in Makefile, so we just need to type make to execute those commands. The variables L1, ..., L4 are set in Makefile; they will be used during the compilation. We have chosen a different set of values for these variables, you need to change them in Makefile. The values are listed below: - L1: 100 - L2: 150 - L3: 200 - L4: 10 5 Task 3: Launching Attack on 32-bit Program (Level 1) 5.1 Investigation To exploit the buffer-overflow vulnerability in the target program, the most important thing to know is the distance between the buffer's starting position and the place where the return-address is stored. We will use a debugging method to find it out. Since we have the source code of the target program, we can compile it with the debugging flag turned on. That will make it more convenient to debug. We will add the g flag to gcc command, so debugging information is added to the binary. If you run make, the debugging version is already created. We will use gdb to debug stack-L1-dbg. We need to create a file called badfile before running the program. Note 1. When gdb stops inside the bof () function, it stops before the ebp register is set to point to the current stack frame, so if we print out the value of ebp here, we will get the caller's ebp value. We need to use next to execute a few instructions and stop after the ebp register is modified to point to the stack frame of the bof () function. The SEED book is based on Ubuntu 16.04, and gdb's behavior is slightly different, so the book does not have the next step. Note 2. It should be noted that the frame pointer value obtained from g db is different from that during the actual execution (without using gdb). This is because gdb has pushed some environment data into the stack before running the debugged program. When the program runs directly without using gdb, the stack does not have those data, so the actual frame pointer value will be larger. You should keep this in mind when constructing your payload. 5.2 Launching Attacks To exploit the buffer-overflow vulnerability in the target program, we need to prepare a payload, and save it inside badfile. We will use a Python program to do that. We provide a skeleton program called exploit.py, which is included in the lab setup file. The code is incomplete, and students need to replace some of the essential values in the code. Listing 3: exploit.py In your lab report, in addition to providing screenshots to demonstrate your
investigation and attack, you also need to explain how the values used in your exploit.py are decided. These values are the most important part of the attack, so a detailed explanation can help the instructor grade your report. Only demonstrating a successful attack without explaining why the attack works will not receive many points. 6 Task 4: Launching Attack without Knowing Buffer Size (Level 2) In the Level-1 attack, using gdb, we get to know the size of the buffer. In the real world, this piece of information may be hard to get. For example, if the target is a server program running on a remote machine, we will not be able to get a copy of the binary or source code. In this task, we are going to add a constraint: you can still use g db , but you are not allowed to derive the buffer size from your investigation. Actually, the buffer size is provided in Makefile, but you are not allowed to use that information in your attack. Your task is to get the vulnerable program to run your shellcode under this constraint. We assume that you do know the range of the buffer size, which is from 100 to 200 bytes. Another fact that may be useful to you is that, due to the memory alignment, the value stored in the frame pointer is always multiple of four (for 32-bit programs). Please be noted, you are only allowed to construct one payload that works for any buffer size within this range. You will not get all the credits if you use the brute-force method, i.e., trying one buffer size each time. The more you try, the easier it will be detected and defeated by the victim. That's why minimizing the number of trials is important for attacks. In your lab report, you need to describe your method, and provide evidences.

Recommended

Debugging Modern C++ Application with Gdb
Debugging Modern C++ Application with GdbDebugging Modern C++ Application with Gdb
Debugging Modern C++ Application with GdbSenthilKumar Selvaraj
 
Hibernate notes
Hibernate notesHibernate notes
Hibernate notesRajeev Uppala
 
When Good Code Goes Bad: Tools and Techniques for Troubleshooting Plone
When Good Code Goes Bad: Tools and Techniques for Troubleshooting PloneWhen Good Code Goes Bad: Tools and Techniques for Troubleshooting Plone
When Good Code Goes Bad: Tools and Techniques for Troubleshooting PloneDavid Glick
 
create_patch_file_v3a.pdf
create_patch_file_v3a.pdfcreate_patch_file_v3a.pdf
create_patch_file_v3a.pdfvilaylala
 
Ex11 mini project
Ex11 mini projectEx11 mini project
Ex11 mini projectElanthendral Mariappan
 
GNU Debugger
GNU DebuggerGNU Debugger
GNU DebuggerGizem Çetin
 
Gnu debugger
Gnu debuggerGnu debugger
Gnu debuggerGizem Çetin
 
Debuggers in system software
Debuggers in system softwareDebuggers in system software
Debuggers in system softwaregayathri ravi
 

Recommended

Debugging Modern C++ Application with Gdb
Debugging Modern C++ Application with GdbDebugging Modern C++ Application with Gdb
Debugging Modern C++ Application with GdbSenthilKumar Selvaraj
 
Hibernate notes
Hibernate notesHibernate notes
Hibernate notesRajeev Uppala
 
When Good Code Goes Bad: Tools and Techniques for Troubleshooting Plone
When Good Code Goes Bad: Tools and Techniques for Troubleshooting PloneWhen Good Code Goes Bad: Tools and Techniques for Troubleshooting Plone
When Good Code Goes Bad: Tools and Techniques for Troubleshooting PloneDavid Glick
 
create_patch_file_v3a.pdf
create_patch_file_v3a.pdfcreate_patch_file_v3a.pdf
create_patch_file_v3a.pdfvilaylala
 
Ex11 mini project
Ex11 mini projectEx11 mini project
Ex11 mini projectElanthendral Mariappan
 
GNU Debugger
GNU DebuggerGNU Debugger
GNU DebuggerGizem Çetin
 
Gnu debugger
Gnu debuggerGnu debugger
Gnu debuggerGizem Çetin
 
Debuggers in system software
Debuggers in system softwareDebuggers in system software
Debuggers in system softwaregayathri ravi
 
Reverse engineering – debugging fundamentals
Reverse engineering – debugging fundamentalsReverse engineering – debugging fundamentals
Reverse engineering – debugging fundamentalsEran Goldstein
 
CSO Laboratory Manual
CSO Laboratory ManualCSO Laboratory Manual
CSO Laboratory ManualDwight Sabio
 
12 tricks to avoid hackers breaks your CI / CD
12 tricks to avoid hackers breaks your CI / CD12 tricks to avoid hackers breaks your CI / CD
12 tricks to avoid hackers breaks your CI / CDDaniel Garcia (a.k.a cr0hn)
 
Readme
ReadmeReadme
Readmerec2006
 
C# Production Debugging Made Easy
C# Production Debugging Made Easy C# Production Debugging Made Easy
C# Production Debugging Made EasyAlon Fliess
 
Mkl mic lab_0
Mkl mic lab_0Mkl mic lab_0
Mkl mic lab_0Hung le Minh
 
Introduction to segmentation fault handling
Introduction to segmentation fault handling Introduction to segmentation fault handling
Introduction to segmentation fault handling Larion
 
Process (OS),GNU,Introduction to Linux oS
Process (OS),GNU,Introduction to Linux oSProcess (OS),GNU,Introduction to Linux oS
Process (OS),GNU,Introduction to Linux oSHarrytoye2
 
NanoSec Conference 2019: Code Execution Analysis in Mobile Apps - Abdullah Jo...
NanoSec Conference 2019: Code Execution Analysis in Mobile Apps - Abdullah Jo...NanoSec Conference 2019: Code Execution Analysis in Mobile Apps - Abdullah Jo...
NanoSec Conference 2019: Code Execution Analysis in Mobile Apps - Abdullah Jo...Hafez Kamal
 
Unit i
Unit iUnit i
Unit ivijay gupta
 
Buffer overflow tutorial
Buffer overflow tutorialBuffer overflow tutorial
Buffer overflow tutorialhughpearse
 
Rifartek Robot Training Course - How to use ClientRobot
Rifartek Robot Training Course - How to use ClientRobotRifartek Robot Training Course - How to use ClientRobot
Rifartek Robot Training Course - How to use ClientRobotTsai Tsung-Yi
 
IDA Vulnerabilities and Bug Bounty  by Masaaki Chida
IDA Vulnerabilities and Bug Bounty  by Masaaki ChidaIDA Vulnerabilities and Bug Bounty  by Masaaki Chida
IDA Vulnerabilities and Bug Bounty  by Masaaki ChidaCODE BLUE
 
Vulnerable_and_outdated_components_suman.pptx
Vulnerable_and_outdated_components_suman.pptxVulnerable_and_outdated_components_suman.pptx
Vulnerable_and_outdated_components_suman.pptxSuman Astani
 
Advance Android Application Development
Advance Android Application DevelopmentAdvance Android Application Development
Advance Android Application DevelopmentRamesh Prasad
 
Java Chapter 2 Overview.ppt
Java Chapter 2 Overview.pptJava Chapter 2 Overview.ppt
Java Chapter 2 Overview.pptMiltonMolla1
 
Java Chapter 2 Overview.ppt
Java Chapter 2 Overview.pptJava Chapter 2 Overview.ppt
Java Chapter 2 Overview.pptMiltonMolla1
 
Srgoc java
Srgoc javaSrgoc java
Srgoc javaGaurav Singh
 
Java performance tuning
Java performance tuningJava performance tuning
Java performance tuningJerry Kurian
 
GDB - a tough nut to crack: only a few bugs found by PVS-Studio
GDB - a tough nut to crack: only a few bugs found by PVS-StudioGDB - a tough nut to crack: only a few bugs found by PVS-Studio
GDB - a tough nut to crack: only a few bugs found by PVS-StudioPVS-Studio
 
4- -2 pts- Consider the ER schema for the MOVIES database as tollows-.pdf
4- -2 pts- Consider the ER schema for the MOVIES database as tollows-.pdf4- -2 pts- Consider the ER schema for the MOVIES database as tollows-.pdf
4- -2 pts- Consider the ER schema for the MOVIES database as tollows-.pdfatozshoppe
 
4- A random variable X has a cumulative distribution function given by.pdf
4- A random variable X has a cumulative distribution function given by.pdf4- A random variable X has a cumulative distribution function given by.pdf
4- A random variable X has a cumulative distribution function given by.pdfatozshoppe
 

More Related Content

Similar to 4 Task 2- Understanding the Vulnerable Program The vulnerable program.pdf

Reverse engineering – debugging fundamentals
Reverse engineering – debugging fundamentalsReverse engineering – debugging fundamentals
Reverse engineering – debugging fundamentalsEran Goldstein
 
CSO Laboratory Manual
CSO Laboratory ManualCSO Laboratory Manual
CSO Laboratory ManualDwight Sabio
 
C# Production Debugging Made Easy
C# Production Debugging Made Easy C# Production Debugging Made Easy
C# Production Debugging Made EasyAlon Fliess
 
Introduction to segmentation fault handling
Introduction to segmentation fault handling Introduction to segmentation fault handling
Introduction to segmentation fault handling Larion
 
Process (OS),GNU,Introduction to Linux oS
Process (OS),GNU,Introduction to Linux oSProcess (OS),GNU,Introduction to Linux oS
Process (OS),GNU,Introduction to Linux oSHarrytoye2
 
NanoSec Conference 2019: Code Execution Analysis in Mobile Apps - Abdullah Jo...
NanoSec Conference 2019: Code Execution Analysis in Mobile Apps - Abdullah Jo...NanoSec Conference 2019: Code Execution Analysis in Mobile Apps - Abdullah Jo...
NanoSec Conference 2019: Code Execution Analysis in Mobile Apps - Abdullah Jo...Hafez Kamal
 
Buffer overflow tutorial
Buffer overflow tutorialBuffer overflow tutorial
Buffer overflow tutorialhughpearse
 
Rifartek Robot Training Course - How to use ClientRobot
Rifartek Robot Training Course - How to use ClientRobotRifartek Robot Training Course - How to use ClientRobot
Rifartek Robot Training Course - How to use ClientRobotTsai Tsung-Yi
 
IDA Vulnerabilities and Bug Bounty  by Masaaki Chida
IDA Vulnerabilities and Bug Bounty  by Masaaki ChidaIDA Vulnerabilities and Bug Bounty  by Masaaki Chida
IDA Vulnerabilities and Bug Bounty  by Masaaki ChidaCODE BLUE
 
Vulnerable_and_outdated_components_suman.pptx
Vulnerable_and_outdated_components_suman.pptxVulnerable_and_outdated_components_suman.pptx
Vulnerable_and_outdated_components_suman.pptxSuman Astani
 
Advance Android Application Development
Advance Android Application DevelopmentAdvance Android Application Development
Advance Android Application DevelopmentRamesh Prasad
 
Java Chapter 2 Overview.ppt
Java Chapter 2 Overview.pptJava Chapter 2 Overview.ppt
Java Chapter 2 Overview.pptMiltonMolla1
 
Java Chapter 2 Overview.ppt
Java Chapter 2 Overview.pptJava Chapter 2 Overview.ppt
Java Chapter 2 Overview.pptMiltonMolla1
 
Java performance tuning
Java performance tuningJava performance tuning
Java performance tuningJerry Kurian
 
GDB - a tough nut to crack: only a few bugs found by PVS-Studio
GDB - a tough nut to crack: only a few bugs found by PVS-StudioGDB - a tough nut to crack: only a few bugs found by PVS-Studio
GDB - a tough nut to crack: only a few bugs found by PVS-StudioPVS-Studio
 

Similar to 4 Task 2- Understanding the Vulnerable Program The vulnerable program.pdf (20)

Reverse engineering – debugging fundamentals
Reverse engineering – debugging fundamentalsReverse engineering – debugging fundamentals
Reverse engineering – debugging fundamentals
 
CSO Laboratory Manual
CSO Laboratory ManualCSO Laboratory Manual
CSO Laboratory Manual
 
12 tricks to avoid hackers breaks your CI / CD
12 tricks to avoid hackers breaks your CI / CD12 tricks to avoid hackers breaks your CI / CD
12 tricks to avoid hackers breaks your CI / CD
 
Readme
ReadmeReadme
Readme
 
C# Production Debugging Made Easy
C# Production Debugging Made Easy C# Production Debugging Made Easy
C# Production Debugging Made Easy
 
Mkl mic lab_0
Mkl mic lab_0Mkl mic lab_0
Mkl mic lab_0
 
Introduction to segmentation fault handling
Introduction to segmentation fault handling Introduction to segmentation fault handling
Introduction to segmentation fault handling
 
Process (OS),GNU,Introduction to Linux oS
Process (OS),GNU,Introduction to Linux oSProcess (OS),GNU,Introduction to Linux oS
Process (OS),GNU,Introduction to Linux oS
 
NanoSec Conference 2019: Code Execution Analysis in Mobile Apps - Abdullah Jo...
NanoSec Conference 2019: Code Execution Analysis in Mobile Apps - Abdullah Jo...NanoSec Conference 2019: Code Execution Analysis in Mobile Apps - Abdullah Jo...
NanoSec Conference 2019: Code Execution Analysis in Mobile Apps - Abdullah Jo...
 
Unit i
Unit iUnit i
Unit i
 
Buffer overflow tutorial
Buffer overflow tutorialBuffer overflow tutorial
Buffer overflow tutorial
 
Rifartek Robot Training Course - How to use ClientRobot
Rifartek Robot Training Course - How to use ClientRobotRifartek Robot Training Course - How to use ClientRobot
Rifartek Robot Training Course - How to use ClientRobot
 
IDA Vulnerabilities and Bug Bounty  by Masaaki Chida
IDA Vulnerabilities and Bug Bounty  by Masaaki ChidaIDA Vulnerabilities and Bug Bounty  by Masaaki Chida
IDA Vulnerabilities and Bug Bounty  by Masaaki Chida
 
Vulnerable_and_outdated_components_suman.pptx
Vulnerable_and_outdated_components_suman.pptxVulnerable_and_outdated_components_suman.pptx
Vulnerable_and_outdated_components_suman.pptx
 
Advance Android Application Development
Advance Android Application DevelopmentAdvance Android Application Development
Advance Android Application Development
 
Java Chapter 2 Overview.ppt
Java Chapter 2 Overview.pptJava Chapter 2 Overview.ppt
Java Chapter 2 Overview.ppt
 
Java Chapter 2 Overview.ppt
Java Chapter 2 Overview.pptJava Chapter 2 Overview.ppt
Java Chapter 2 Overview.ppt
 
Srgoc java
Srgoc javaSrgoc java
Srgoc java
 
Java performance tuning
Java performance tuningJava performance tuning
Java performance tuning
 
GDB - a tough nut to crack: only a few bugs found by PVS-Studio
GDB - a tough nut to crack: only a few bugs found by PVS-StudioGDB - a tough nut to crack: only a few bugs found by PVS-Studio
GDB - a tough nut to crack: only a few bugs found by PVS-Studio
 

More from atozshoppe

4- -2 pts- Consider the ER schema for the MOVIES database as tollows-.pdf
4- -2 pts- Consider the ER schema for the MOVIES database as tollows-.pdf4- -2 pts- Consider the ER schema for the MOVIES database as tollows-.pdf
4- -2 pts- Consider the ER schema for the MOVIES database as tollows-.pdfatozshoppe
 
4- A random variable X has a cumulative distribution function given by.pdf
4- A random variable X has a cumulative distribution function given by.pdf4- A random variable X has a cumulative distribution function given by.pdf
4- A random variable X has a cumulative distribution function given by.pdfatozshoppe
 
4- A man named Paul has type A blood- His father is type AB and his mo.pdf
4- A man named Paul has type A blood- His father is type AB and his mo.pdf4- A man named Paul has type A blood- His father is type AB and his mo.pdf
4- A man named Paul has type A blood- His father is type AB and his mo.pdfatozshoppe
 
4- A density-dependent population grows according to dNt-dt-0-4Nt0-002.pdf
4- A density-dependent population grows according to dNt-dt-0-4Nt0-002.pdf4- A density-dependent population grows according to dNt-dt-0-4Nt0-002.pdf
4- A density-dependent population grows according to dNt-dt-0-4Nt0-002.pdfatozshoppe
 
4- (8 points) The figure below shows the double Holliday junction mode.pdf
4- (8 points) The figure below shows the double Holliday junction mode.pdf4- (8 points) The figure below shows the double Holliday junction mode.pdf
4- (8 points) The figure below shows the double Holliday junction mode.pdfatozshoppe
 
34- The Neurospora octad shown came from a cross between m+and mstrain.pdf
34- The Neurospora octad shown came from a cross between m+and mstrain.pdf34- The Neurospora octad shown came from a cross between m+and mstrain.pdf
34- The Neurospora octad shown came from a cross between m+and mstrain.pdfatozshoppe
 
4- (10 points) Solve the following recurrence relation using tree meth.pdf
4- (10 points) Solve the following recurrence relation using tree meth.pdf4- (10 points) Solve the following recurrence relation using tree meth.pdf
4- (10 points) Solve the following recurrence relation using tree meth.pdfatozshoppe
 
4) Using the area in figure- find the area to the right of Z-2- a) 0-8.pdf
4) Using the area in figure- find the area to the right of Z-2- a) 0-8.pdf4) Using the area in figure- find the area to the right of Z-2- a) 0-8.pdf
4) Using the area in figure- find the area to the right of Z-2- a) 0-8.pdfatozshoppe
 
33-34 will upvote Which of the following statements is correct- When a.pdf
33-34 will upvote Which of the following statements is correct- When a.pdf33-34 will upvote Which of the following statements is correct- When a.pdf
33-34 will upvote Which of the following statements is correct- When a.pdfatozshoppe
 
4) A firm with unlimited funds must evaluate five projects- Projects 1.pdf
4) A firm with unlimited funds must evaluate five projects- Projects 1.pdf4) A firm with unlimited funds must evaluate five projects- Projects 1.pdf
4) A firm with unlimited funds must evaluate five projects- Projects 1.pdfatozshoppe
 
31- of all college students major in STEM (Science- Technology- Engine.pdf
31- of all college students major in STEM (Science- Technology- Engine.pdf31- of all college students major in STEM (Science- Technology- Engine.pdf
31- of all college students major in STEM (Science- Technology- Engine.pdfatozshoppe
 
37- D Genetic and genomic research can have D) 1 social and environm.pdf
37- D Genetic and genomic research can have D) 1 social and environm.pdf37- D Genetic and genomic research can have D) 1 social and environm.pdf
37- D Genetic and genomic research can have D) 1 social and environm.pdfatozshoppe
 
36- The project management triangle is a simple communication model-.pdf
36- The project management triangle is a simple communication model-.pdf36- The project management triangle is a simple communication model-.pdf
36- The project management triangle is a simple communication model-.pdfatozshoppe
 
33- Helper T cells are differentiated into Th1 and Th2 according to a-.pdf
33- Helper T cells are differentiated into Th1 and Th2 according to a-.pdf33- Helper T cells are differentiated into Th1 and Th2 according to a-.pdf
33- Helper T cells are differentiated into Th1 and Th2 according to a-.pdfatozshoppe
 
34-Explain differences between Lytic cycle and Lysogenic cycle- 35-.pdf
34-Explain differences between Lytic cycle and Lysogenic cycle- 35-.pdf34-Explain differences between Lytic cycle and Lysogenic cycle- 35-.pdf
34-Explain differences between Lytic cycle and Lysogenic cycle- 35-.pdfatozshoppe
 
32- Which of these climographs shows an equatorial location- 33- Upwel.pdf
32- Which of these climographs shows an equatorial location- 33- Upwel.pdf32- Which of these climographs shows an equatorial location- 33- Upwel.pdf
32- Which of these climographs shows an equatorial location- 33- Upwel.pdfatozshoppe
 
31- Saving Account Write a menu-driven program that allows the user to.pdf
31- Saving Account Write a menu-driven program that allows the user to.pdf31- Saving Account Write a menu-driven program that allows the user to.pdf
31- Saving Account Write a menu-driven program that allows the user to.pdfatozshoppe
 
3- What would be the most likely result if the domain of pRB that lets.pdf
3- What would be the most likely result if the domain of pRB that lets.pdf3- What would be the most likely result if the domain of pRB that lets.pdf
3- What would be the most likely result if the domain of pRB that lets.pdfatozshoppe
 
3- What is the most dangerous greenhouse gas that has been released in.pdf
3- What is the most dangerous greenhouse gas that has been released in.pdf3- What is the most dangerous greenhouse gas that has been released in.pdf
3- What is the most dangerous greenhouse gas that has been released in.pdfatozshoppe
 
3- Your random sample was obtained from the population of participants.pdf
3- Your random sample was obtained from the population of participants.pdf3- Your random sample was obtained from the population of participants.pdf
3- Your random sample was obtained from the population of participants.pdfatozshoppe
 

More from atozshoppe (20)

4- -2 pts- Consider the ER schema for the MOVIES database as tollows-.pdf
4- -2 pts- Consider the ER schema for the MOVIES database as tollows-.pdf4- -2 pts- Consider the ER schema for the MOVIES database as tollows-.pdf
4- -2 pts- Consider the ER schema for the MOVIES database as tollows-.pdf
 
4- A random variable X has a cumulative distribution function given by.pdf
4- A random variable X has a cumulative distribution function given by.pdf4- A random variable X has a cumulative distribution function given by.pdf
4- A random variable X has a cumulative distribution function given by.pdf
 
4- A man named Paul has type A blood- His father is type AB and his mo.pdf
4- A man named Paul has type A blood- His father is type AB and his mo.pdf4- A man named Paul has type A blood- His father is type AB and his mo.pdf
4- A man named Paul has type A blood- His father is type AB and his mo.pdf
 
4- A density-dependent population grows according to dNt-dt-0-4Nt0-002.pdf
4- A density-dependent population grows according to dNt-dt-0-4Nt0-002.pdf4- A density-dependent population grows according to dNt-dt-0-4Nt0-002.pdf
4- A density-dependent population grows according to dNt-dt-0-4Nt0-002.pdf
 
4- (8 points) The figure below shows the double Holliday junction mode.pdf
4- (8 points) The figure below shows the double Holliday junction mode.pdf4- (8 points) The figure below shows the double Holliday junction mode.pdf
4- (8 points) The figure below shows the double Holliday junction mode.pdf
 
34- The Neurospora octad shown came from a cross between m+and mstrain.pdf
34- The Neurospora octad shown came from a cross between m+and mstrain.pdf34- The Neurospora octad shown came from a cross between m+and mstrain.pdf
34- The Neurospora octad shown came from a cross between m+and mstrain.pdf
 
4- (10 points) Solve the following recurrence relation using tree meth.pdf
4- (10 points) Solve the following recurrence relation using tree meth.pdf4- (10 points) Solve the following recurrence relation using tree meth.pdf
4- (10 points) Solve the following recurrence relation using tree meth.pdf
 
4) Using the area in figure- find the area to the right of Z-2- a) 0-8.pdf
4) Using the area in figure- find the area to the right of Z-2- a) 0-8.pdf4) Using the area in figure- find the area to the right of Z-2- a) 0-8.pdf
4) Using the area in figure- find the area to the right of Z-2- a) 0-8.pdf
 
33-34 will upvote Which of the following statements is correct- When a.pdf
33-34 will upvote Which of the following statements is correct- When a.pdf33-34 will upvote Which of the following statements is correct- When a.pdf
33-34 will upvote Which of the following statements is correct- When a.pdf
 
4) A firm with unlimited funds must evaluate five projects- Projects 1.pdf
4) A firm with unlimited funds must evaluate five projects- Projects 1.pdf4) A firm with unlimited funds must evaluate five projects- Projects 1.pdf
4) A firm with unlimited funds must evaluate five projects- Projects 1.pdf
 
31- of all college students major in STEM (Science- Technology- Engine.pdf
31- of all college students major in STEM (Science- Technology- Engine.pdf31- of all college students major in STEM (Science- Technology- Engine.pdf
31- of all college students major in STEM (Science- Technology- Engine.pdf
 
37- D Genetic and genomic research can have D) 1 social and environm.pdf
37- D Genetic and genomic research can have D) 1 social and environm.pdf37- D Genetic and genomic research can have D) 1 social and environm.pdf
37- D Genetic and genomic research can have D) 1 social and environm.pdf
 
36- The project management triangle is a simple communication model-.pdf
36- The project management triangle is a simple communication model-.pdf36- The project management triangle is a simple communication model-.pdf
36- The project management triangle is a simple communication model-.pdf
 
33- Helper T cells are differentiated into Th1 and Th2 according to a-.pdf
33- Helper T cells are differentiated into Th1 and Th2 according to a-.pdf33- Helper T cells are differentiated into Th1 and Th2 according to a-.pdf
33- Helper T cells are differentiated into Th1 and Th2 according to a-.pdf
 
34-Explain differences between Lytic cycle and Lysogenic cycle- 35-.pdf
34-Explain differences between Lytic cycle and Lysogenic cycle- 35-.pdf34-Explain differences between Lytic cycle and Lysogenic cycle- 35-.pdf
34-Explain differences between Lytic cycle and Lysogenic cycle- 35-.pdf
 
32- Which of these climographs shows an equatorial location- 33- Upwel.pdf
32- Which of these climographs shows an equatorial location- 33- Upwel.pdf32- Which of these climographs shows an equatorial location- 33- Upwel.pdf
32- Which of these climographs shows an equatorial location- 33- Upwel.pdf
 
31- Saving Account Write a menu-driven program that allows the user to.pdf
31- Saving Account Write a menu-driven program that allows the user to.pdf31- Saving Account Write a menu-driven program that allows the user to.pdf
31- Saving Account Write a menu-driven program that allows the user to.pdf
 
3- What would be the most likely result if the domain of pRB that lets.pdf
3- What would be the most likely result if the domain of pRB that lets.pdf3- What would be the most likely result if the domain of pRB that lets.pdf
3- What would be the most likely result if the domain of pRB that lets.pdf
 
3- What is the most dangerous greenhouse gas that has been released in.pdf
3- What is the most dangerous greenhouse gas that has been released in.pdf3- What is the most dangerous greenhouse gas that has been released in.pdf
3- What is the most dangerous greenhouse gas that has been released in.pdf
 
3- Your random sample was obtained from the population of participants.pdf
3- Your random sample was obtained from the population of participants.pdf3- Your random sample was obtained from the population of participants.pdf
3- Your random sample was obtained from the population of participants.pdf
 

Recently uploaded

BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdfBASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdfSoniaTolstoy
 
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...Marc Dusseiller Dusjagr
 
Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)eniolaolutunde
 
_Math 4-Q4 Week 5.pptx Steps in Collecting Data
_Math 4-Q4 Week 5.pptx Steps in Collecting Data_Math 4-Q4 Week 5.pptx Steps in Collecting Data
_Math 4-Q4 Week 5.pptx Steps in Collecting DataJhengPantaleon
 
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Krashi Coaching
 
A Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy ReformA Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy ReformChameera Dedduwage
 
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17Incoming and Outgoing Shipments in 1 STEP Using Odoo 17
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17Celine George
 
How to Make a Pirate ship Primary Education.pptx
How to Make a Pirate ship Primary Education.pptxHow to Make a Pirate ship Primary Education.pptx
How to Make a Pirate ship Primary Education.pptxmanuelaromero2013
 
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdfssuser54595a
 
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptxOrganic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptxVS Mahajan Coaching Centre
 
CARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptxCARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptxGaneshChakor2
 
Paris 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityParis 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityGeoBlogs
 
Hybridoma Technology ( Production , Purification , and Application )
Hybridoma Technology ( Production , Purification , and Application ) Hybridoma Technology ( Production , Purification , and Application )
Hybridoma Technology ( Production , Purification , and Application ) Sakshi Ghasle
 
Crayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon ACrayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon AUnboundStockton
 
Class 11 Legal Studies Ch-1 Concept of State .pdf
Class 11 Legal Studies Ch-1 Concept of State .pdfClass 11 Legal Studies Ch-1 Concept of State .pdf
Class 11 Legal Studies Ch-1 Concept of State .pdfakmcokerachita
 
Employee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptxEmployee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptxNirmalaLoungPoorunde1
 
Science 7 - LAND and SEA BREEZE and its Characteristics
Science 7 - LAND and SEA BREEZE and its CharacteristicsScience 7 - LAND and SEA BREEZE and its Characteristics
Science 7 - LAND and SEA BREEZE and its CharacteristicsKarinaGenton
 
Presiding Officer Training module 2024 lok sabha elections
Presiding Officer Training module 2024 lok sabha electionsPresiding Officer Training module 2024 lok sabha elections
Presiding Officer Training module 2024 lok sabha electionsanshu789521
 
EPANDING THE CONTENT OF AN OUTLINE using notes.pptx
EPANDING THE CONTENT OF AN OUTLINE using notes.pptxEPANDING THE CONTENT OF AN OUTLINE using notes.pptx
EPANDING THE CONTENT OF AN OUTLINE using notes.pptxRaymartEstabillo3
 

Recently uploaded (20)

BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdfBASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
 
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
 
Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)
 
_Math 4-Q4 Week 5.pptx Steps in Collecting Data
_Math 4-Q4 Week 5.pptx Steps in Collecting Data_Math 4-Q4 Week 5.pptx Steps in Collecting Data
_Math 4-Q4 Week 5.pptx Steps in Collecting Data
 
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
 
A Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy ReformA Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy Reform
 
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17Incoming and Outgoing Shipments in 1 STEP Using Odoo 17
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17
 
Model Call Girl in Bikash Puri Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Bikash Puri Delhi reach out to us at 🔝9953056974🔝Model Call Girl in Bikash Puri Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Bikash Puri Delhi reach out to us at 🔝9953056974🔝
 
How to Make a Pirate ship Primary Education.pptx
How to Make a Pirate ship Primary Education.pptxHow to Make a Pirate ship Primary Education.pptx
How to Make a Pirate ship Primary Education.pptx
 
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
 
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptxOrganic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
 
CARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptxCARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptx
 
Paris 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityParis 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activity
 
Hybridoma Technology ( Production , Purification , and Application )
Hybridoma Technology ( Production , Purification , and Application ) Hybridoma Technology ( Production , Purification , and Application )
Hybridoma Technology ( Production , Purification , and Application )
 
Crayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon ACrayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon A
 
Class 11 Legal Studies Ch-1 Concept of State .pdf
Class 11 Legal Studies Ch-1 Concept of State .pdfClass 11 Legal Studies Ch-1 Concept of State .pdf
Class 11 Legal Studies Ch-1 Concept of State .pdf
 
Employee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptxEmployee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptx
 
Science 7 - LAND and SEA BREEZE and its Characteristics
Science 7 - LAND and SEA BREEZE and its CharacteristicsScience 7 - LAND and SEA BREEZE and its Characteristics
Science 7 - LAND and SEA BREEZE and its Characteristics
 
Presiding Officer Training module 2024 lok sabha elections
Presiding Officer Training module 2024 lok sabha electionsPresiding Officer Training module 2024 lok sabha elections
Presiding Officer Training module 2024 lok sabha elections
 
EPANDING THE CONTENT OF AN OUTLINE using notes.pptx
EPANDING THE CONTENT OF AN OUTLINE using notes.pptxEPANDING THE CONTENT OF AN OUTLINE using notes.pptx
EPANDING THE CONTENT OF AN OUTLINE using notes.pptx
 

4 Task 2- Understanding the Vulnerable Program The vulnerable program.pdf

  • 1. 4 Task 2: Understanding the Vulnerable Program The vulnerable program used in this lab is called stack. c, which is in the code folder. This program has a buffer-overflow vulnerability, and your job is to exploit this vulnerability and gain the root privilege. The code listed below has some non-essential information removed, so it is slightly different from what you get from the lab setup file. Listing 2: The vulnerable program (stack. c) The above program has a buffer overflow vulnerability. It first reads an input from a file called badf ile, and then passes this input to another buffer in the function bof () . The original input can have a maximum length of 517 bytes, but the buffer in bof () is only BUF_SIZE bytes long, which is less than 517. Because strcpy () does not check boundaries, buffer overflow will occur. Since this program is a root- owned Set-UID program, if a normal user can exploit this buffer overflow vulnerability, the user might be able to get a root shell. It should be noted that the program gets its input from a file called badfile. This file is under users' control. Now, our objective is to create the contents for badfile, such that when the vulnerable program copies the contents into its buffer, a root shell can be spawned. Compilation. To compile the above vulnerable program, do not forget to turn off the StackGuard and the non-executable stack protections using the -fno-stack-protector and "-z execstack " options. After the compilation, we need to make the program a root-owned Set-UID program. We can achieve this by first change the ownership of the program to root (Line (1), and then change the permission to 4755 to enable the Set-UID bit (Line (2)). It should be noted that changing ownership must be done before turning on the Set-UID bit, because ownership change will cause the Set-UID bit to be turned off. The compilation and setup commands are already included in Makefile, so we just need to type make to execute those commands. The variables L1, ..., L4 are set in Makefile; they will be used during the compilation. We have chosen a different set of values for these variables, you need to change them in Makefile. The values are listed below: - L1: 100 - L2: 150 - L3: 200 - L4: 10 5 Task 3: Launching Attack on 32-bit Program (Level 1) 5.1 Investigation To exploit the buffer-overflow vulnerability in the target program, the most important thing to know is the distance between the buffer's starting position and the place where the return-address is stored. We will use a debugging method to find it out. Since we have the source code of the target program, we can compile it with the debugging flag turned on. That will make it more convenient to debug. We will add the g flag to gcc command, so debugging information is added to the binary. If you run make, the debugging version is already created. We will use gdb to debug stack-L1-dbg. We need to create a file called badfile before running the program. Note 1. When gdb stops inside the bof () function, it stops before the ebp register is set to point to the current stack frame, so if we print out the value of ebp here, we will get the caller's ebp value. We need to use next to execute a few instructions and stop after the ebp register is modified to point to the stack frame of the bof () function. The SEED book is based on Ubuntu 16.04, and gdb's behavior is slightly different, so the book does not have the next step. Note 2. It should be noted that the frame pointer value obtained from g db is different from that during the actual execution (without using gdb). This is because gdb has pushed some environment data into the stack before running the debugged program. When the program runs directly without using gdb, the stack does not have those data, so the actual frame pointer value will be larger. You should keep this in mind when constructing your payload. 5.2 Launching Attacks To exploit the buffer-overflow vulnerability in the target program, we need to prepare a payload, and save it inside badfile. We will use a Python program to do that. We provide a skeleton program called exploit.py, which is included in the lab setup file. The code is incomplete, and students need to replace some of the essential values in the code. Listing 3: exploit.py In your lab report, in addition to providing screenshots to demonstrate your
  • 2. investigation and attack, you also need to explain how the values used in your exploit.py are decided. These values are the most important part of the attack, so a detailed explanation can help the instructor grade your report. Only demonstrating a successful attack without explaining why the attack works will not receive many points. 6 Task 4: Launching Attack without Knowing Buffer Size (Level 2) In the Level-1 attack, using gdb, we get to know the size of the buffer. In the real world, this piece of information may be hard to get. For example, if the target is a server program running on a remote machine, we will not be able to get a copy of the binary or source code. In this task, we are going to add a constraint: you can still use g db , but you are not allowed to derive the buffer size from your investigation. Actually, the buffer size is provided in Makefile, but you are not allowed to use that information in your attack. Your task is to get the vulnerable program to run your shellcode under this constraint. We assume that you do know the range of the buffer size, which is from 100 to 200 bytes. Another fact that may be useful to you is that, due to the memory alignment, the value stored in the frame pointer is always multiple of four (for 32-bit programs). Please be noted, you are only allowed to construct one payload that works for any buffer size within this range. You will not get all the credits if you use the brute-force method, i.e., trying one buffer size each time. The more you try, the easier it will be detected and defeated by the victim. That's why minimizing the number of trials is important for attacks. In your lab report, you need to describe your method, and provide evidences.