
Lab on Code Injection / Stack Smashing

  1. Work-in-Progress TBD 2019. Added .iso links, files: exploit4.cpp and exploit4-cpp-typescript.txt.
  2. Objective: Get you thinking about code injection and its mitigations. Understand the stack smashing buffer overflow exploit thoroughly.
  3. Background: This lab uses the Auditor Linux distro. Read "Virtual machine set up" to learn how to run auditor-*.iso. Auditor is an early Linux distribution that did not incorporate the modern-day buffer overflow protection mechanisms.
    1. Web search and find the files: auditor-250405-01.iso, VMware-player-*.exe, VMware-Player-*.x86_64.bundle. The .bundle is a shell "script" for Linux 64-bit systems; install it with: /bin/sh VMware-Player-*.x86_64.bundle
    2. Here is a link to a WSU-local copy of auditor-250405-01.iso; it is not guaranteed to exist.
  4. Exploring ROP exploits and ASLR on PCs and Android devices is a worthy topic but is omitted due to time and the load on you.

1 Tasks

1.1 Task: Make modret.c Skip Lines of Code

  1. Read ./modret-acer602-20080507.html. These are the results of trying out modret.c and the code examples from the AlephOne article on an old (2008) Acer laptop. It includes modret.c.

1.1.1 TBD Auditor

  1. Compile and run modret.c. Instructions to compile and examine the assembly code are embedded as comments in the code.
  2. Your goal is to make this process print (i) x = 66, (ii) x = 44 and (iii) x = 11 by invoking the modret program three times with chosen integers. You may need to modify the numbers appearing within the modret procedure. Record your process of discovering these numbers.

1.1.2 Other Distros

  1. Boot into Ubuntu, Knoppix or Kali. Do the above step for modret.c. Are you able to make x come out as 66, 44, and 11? Explain.
  2. Search the web and report (summarize with technical descriptions) on at least two recent (within last two years) buffer overflow attacks (on PCs or Androids).
  3. Bonus Points: Do the above step for modret.c successfully in a distro other than Auditor. Points awarded are calculated using this formula: ((Year the distro is released) - 2007) * 10. Do not share your info with others until the bonus points are awarded.

1.1.3 Deliverables

  1. Screenshots of modret input + output showing the three values of x.
  2. Content similar to Section 1 of ./modret-acer602-20080507.html.

1.2 Task: AlephOne's exploit4.c

  1. We will be using C src code files from AlephOne's article. This directory includes exploit4.c, exploit4.cpp (the same program but in C++), and exploit4-cpp-typescript.txt, which shows what you get if you run it in modern Ubuntu.

1.2.1 Auditor

  1. Improve the code of exploit4.c so that there are no warning messages whatsoever from gcc, even when using the flags as in: gcc -ansi -pedantic -Wall
  2. Reduce the size of their compiled binaries by, say, 5%, as seen by the size command under the text column. Make sure no functionality is lost. Removing printf's amounts to changing functionality. Optimized rewriting of portions of source code is permitted. You must use the same gcc (optimization or other) flags. Partial credit is given.

1.2.2 Other Distros

  1. Boot into Ubuntu, Knoppix or Kali. Log in as a non-root user. Verify that the exploit still works on the vulnerable program. (It may not!)

1.2.3 Deliverables

  1. Insert the code of exploit4-improved.c into the PDF. Describe the improvements you made.
  2. Show that, after improvement, the exploit still works.
  3. Show the outputs of size exploit4-improved and size exploit4.

1.3 Task 3: Android Internals

  1. Make a list of suid programs within your Android device.
  2. A bash or python script can ease this task. Web search.
  3. Deliverables: The list.
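
One way to build the list for this task, as an added example that is not part of the original lab handout. It assumes a POSIX sh with find, ls and sort on the device (for instance inside adb shell); list_suid is a hypothetical helper name and the directories in the usage comment are examples only.

```sh
#!/bin/sh
# Added example, not part of the lab handout: inventory set-uid and set-gid
# regular files under the directory trees given as arguments.
# Assumptions: POSIX sh with find, ls and sort available;
# list_suid is a hypothetical helper name.

list_suid() {
    # Output: one line per file, "<path>\t<class>\t<owner uid>", sorted by path.
    # class is suid, sgid or suid+sgid. Owner uid 0 marks the files that run
    # with root privileges no matter who starts them.
    for root in "$@"; do
        [ -d "$root" ] || continue          # skip trees absent on this device
        # -xdev keeps find out of /proc, /sys and other mounts below $root;
        # -type f ignores set-gid directories, which are not programs.
        find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
        while IFS= read -r f; do
            class=
            [ -u "$f" ] && class=suid
            [ -g "$f" ] && class="${class:+$class+}sgid"
            # Third field of `ls -ldn` is the numeric owner id.
            uid=$(ls -ldn "$f" | { read -r _mode _links owner _rest; printf '%s' "$owner"; })
            printf '%s\t%s\t%s\n' "$f" "$class" "$uid"
        done
    done | sort
}

# Stand-alone use: sh list_suid.sh /system /vendor   (directory names are examples)
if [ "$#" -gt 0 ]; then
    list_suid "$@"
fi
```

Because of -xdev, each mounted partition to be covered has to be named as its own argument. Files whose third column is 0 are the ones to examine first in the report.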

2 Submission

Submit on Pilot dropbox. TBD Lx == L6??

L6 Report-L6.pdf exploit4-improved.c

There should be one C src code file, and one pdf file named exactly as above. Include in the .pdf all screenshots, other outputs as described in the deliverables above and your commentary on all aspects of this lab. Suggestions as to what this commentary should focus on are spread out in the above. Scripts are used to check various things – so file names should obey "rules". Please include a journal.

3 References

  1. Lecture Notes on ../../Exploits/Injection

4 End


Copyright © 2019 www.wright.edu/~pmateti