
Assignment 2 - Exploit this binary!

For this assignment you are given a binary, which you can download from here. Check that you have downloaded the correct binary by checking the MD5 hash of the file; it should be: 922ecceb4b229992df391b9c32d60a4d. Additionally, use chmod(1) to make the binary executable (chmod a+x ./lls).

The binary is produced using a C++ compiler for IA32 (Intel, 32-bit). You should run and explore the binary on the Unix workstations (i.e., 103ws1). To run the binary, use the setarch(8) command to emulate the required environment (IA32, 1GB-3GB split, no ASLR): setarch i686 -R -3 ./lls. If you need to run the binary under gdb, use the set exec-wrapper command to wrap the execution of the binary with setarch(8). Assuming the binary is loaded in gdb:

(gdb) set exec-wrapper setarch i686 -R -3
(gdb) r

Do not try to run the binary differently; you will most likely experience crashes and you will not be able to complete the tasks.
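The setup steps above (hash check, chmod, running under setarch, and the gdb wrapper) collected into one small POSIX shell helper. This is an added example, not part of the course hand-out; the binary name ./lls, the expected MD5 and the setarch flags are taken from the text, while the function names and the use of gdb's -ex option to preset the exec-wrapper are my own choices.

```shell
#!/bin/sh
# Added helper (not from the assignment page): verify the downloaded binary,
# mark it executable and launch it in the emulated environment the assignment
# requires. Expected hash, binary name and setarch flags come from the page.

EXPECTED_MD5=922ecceb4b229992df391b9c32d60a4d
SETARCH_FLAGS="i686 -R -3"

# Print the MD5 digest of a file, using whichever tool the host provides.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# Return 0 when the file's MD5 equals the expected digest, 1 otherwise.
verify_md5() {
    actual=$(md5_of "$1")
    [ "$actual" = "$2" ]
}

# Check the hash and permissions before running anything; refuse to continue
# on a mismatch so a corrupted or wrong download is caught early.
prepare_lls() {
    bin=${1:-./lls}
    if ! verify_md5 "$bin" "$EXPECTED_MD5"; then
        echo "MD5 mismatch for $bin: got $(md5_of "$bin"), expected $EXPECTED_MD5" >&2
        return 1
    fi
    chmod a+x "$bin"
}

# Run the binary directly under setarch, exactly as the assignment instructs.
run_lls() {
    bin=${1:-./lls}
    prepare_lls "$bin" || return 1
    # shellcheck disable=SC2086  # SETARCH_FLAGS is meant to be word-split
    setarch $SETARCH_FLAGS "$bin"
}

# Run the binary under gdb with the exec-wrapper preset via gdb's -ex option,
# which is equivalent to typing the two commands from the page at the prompt.
debug_lls() {
    bin=${1:-./lls}
    prepare_lls "$bin" || return 1
    gdb -ex "set exec-wrapper setarch $SETARCH_FLAGS" -ex r "$bin"
}
```

Source this file and call run_lls or debug_lls; both first refuse to start if the MD5 does not match the value given above, which is the check that matters when several students download the same file.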

Q1 (10 pts): Write down all C/C++ functions provided by the binary, and their addresses.
Q2 (10 pts): How long is the stack frame used by the function usage()?
Q3 (20 pts): The program checks for a magic folder name. Can you find which name is this?
Q4 (40 pts): Try to inject your shellcode for spawning a shell, while the program executes. The stack of the process is executable. Provide your payload as an answer.
Q5 (20 pts): Try to inject your shellcode that runs ssh(1) (with no arguments). Provide your payload as an answer.

Important Notice. The stack of the binary is randomized per user, which means that each student has to find and submit as a solution a unique payload that exploits the binary when running in her/his environment. This also means that a copied payload can be trivially detected by us. We are not only able to detect cheating, but also to detect which students are involved, since the stack is randomized based on your user id. In such cheating cases all students involved in copying the payload will be zeroed in all five questions. Also, do not attempt to bypass this stack randomization; you will again be disqualified. The submitted payloads will be checked by running them with a stack randomized based on your user id.

What to submit? Use Blackboard and submit your answers before the deadline by filling in (using a text editor) the answer sheet.

Good luck!

Assignment deadline (firm): 11th of November, 2017, 23:59 (Local time).