Assignment 4

Due Wednesday March 21, 2018 6:30pm via sakai

Authored by Aditya Geria

Protostar Exploit Exercises

Welcome to practical exploit exercises with Protostar! In this assignment, your goal is to find and exploit vulnerabilities in insecure C functions such as gets() and change the flow of code. Several functions in C are listed as insecure, and you will encounter a few of them here, such as gets() and puts(). These functions, for example, allow you to read from a buffer without a size limit. This can cause buffer overflow and modify values you did not intend to touch (or you did intend to touch for the purposes of these exercises).

Logistics

You may work on this assignment as a group comprising no more than four members. Only one group member should submit the assignment and the submission writeup should clearly indicate the names of all group members. Note later in the writeup: if your group has four people in it, you must also complete the Stack5 level of the assignment.

Setting up the working environment

This assignment must be set up correctly. If you have any issues during setup, please email any TA and we will try our best to help you.

First, visit the Protostar Exploit Exercises webpage. This is your starting point for this assignment. You can also visit the download link and grab the .iso file which you will need later.

1. Download Virtualbox for your appropriate operating system. Make sure you download the correct version for your OS. - Install virtualbox, and download the .iso from the above linked download. You should now have exploit-exercises-protostar-2.iso on your machine, and Virtualbox installed.

2. Open Virtualbox, and create a new VM by clicking New. Name your VM something recognizable (not important), and set both Type and Version fields to “Other” and “Other/Unknown”, respectively.

  • It will ask you to allocate RAM for your VM. Approximately 512 MB of RAM will be more than enough, but if you want to be safe and can spare the resources, 1 GB will work.

  • It will also ask you to create a Virtual Hard Disk. Retain the default options and create a hard disk with at least 512 MB.

VM Setup
VM Setup

3. Finally, it will conclude setup, and you will see your VM on the left side panel. Select it, and hit Run.

4. A window will pop out, and after some more initial setup, it will ask you for a disk image. At this point, select the .iso you downloaded exploit-exercises-protostar-2.iso.

5. After running some more initial setup, you will have 4 options on screen - select “Live”, and when prompted for a username and password enter the username user and password user.

6. Use the cd ~/../.. command to the correct directory, and then navigate to the /opt/protostar/bin/ directory listed in the challenge to find the source code for all the challenges we will be attempting.

Setup
Setup

How Protostar Works

The goal of this assignment is to use GDB (GNU Debugger) to find vulnerabilities in and exploit the specified programs. To start, you can use the gdb [file] command in your VM to begin debugging through the file. Using GDB you should step through the execution of each program, understand how the stack changes, and notice what happens to registers and values throughout its execution cycle.

For each stage, the binary executable accepts some input. You can look at the source code for each step here. The input must be carefully crafted in a way that exploits a buffer overflow or stack vulnerability in the program and allows you to reach the end goal for that program (for example, a win() function or a “you successfully did X” message).

When debugging, pay close attention to registers such as eip esp and eax. You can use this cheat sheet for references to GDB Commands.

Helpful GDB Commands

You should consider utilizing the following commands in GDB to your advantage in analyzing the code structure and flow of execution:

  • disassemble: Print the assembly of the code

  • i r: Prints register information

  • x[/us] [address]: Examine u bytes at that address, as a string.

  • break [*address]: Set a breakpoint which halts code execution at address. You can also use a function name instead as the parameter.

  • ni: Next instruction, runs the program only 1 instruction at a time

  • si: Step into a function to examine it

  • r [< input]: run the executable with some input.

Running and testing your input

Once you have inspected the source code and ran through the debugger to understand the code, you will want to craft an input that exploits the specific vulnerability. We will look at the Stack0 example level for this.

Stack0

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>

int main(int argc, char **argv)
{
  volatile int modified;
  char buffer[64];

  modified = 0;
  gets(buffer);

  if(modified != 0) {
      printf("you have changed the 'modified' variable\n");
  } else {
      printf("Try again?\n");
  }
}

Here, the insecure function is gets() because it does not place a limit on the size of the input buffer. Hence, this is vulnerable to a buffer overflow attack. As your input gets longer and longer, when debugging, you will notice that it may start to overwrite key registers such as eax, esp and eip.

stack
stack

The colored points in this picture correlate to key addresses. In this case, the first blue value is modified since it is 0. We can craft an input such that it is long enough to overwrite modified:

Python shortcut

You can use a python script such as this to expedite crafting your input:

print "A"*40

$ python -c 'print "A"*70' | /stack0

Allows you to take write python code as a script in the command line and pipe the output as input to /stack0. This command will let you complete the stage and modify the modified variable because the input overflows into the memory where modified is stored. It will print a message You have changed the modified variable letting you know the task is complete.

Your challenges

Complete and determine the exploit input for the following levels of the Protostar challenge.

Stack1

You must find the location of the modified variable in memory on the stack and overwrite it such that the program outputs “you have correctly got the variable to the right value”. Your input should be sufficiently long enough to overwrite the value but short enough to keep execution clean and not cause a Segmentation Fault.

Stack4

Here, your goal is to overwrite the order of code execution so that main() calls the win() function and outputs “code flow successfully changed”. It will be important to know which registers dictate code and instruction flow.

Format0

You can use the %x format identifier and the unspecified buffer length size to exploit a format string vulnerability here. The goal is to make the code output “you have hit the target correctly :)” by overwriting the target variable.

Heap0

This level will be tricky as it uses function pointers. Here, f->fp is initially set to the nowinner() function which will not pass the level. The main() function will output the address in the stack of where fp is stored so you can target it with a heap overflow and overwrite its value such that it now points to the winner() function. To reiterate, the goal is to overwrite the value of f->fp from pointing to nowinner() to winner().

If your group has four people in it, you must also complete the Stack5** Level:**

Stack 5

This will be your first shellcode exploit where your input to the code must contain shellcode and exploit a vulnerability there. If the next instruction is a byte of shellcode, the program will execute that shellcode as instruction. You can exploit this vulnerability using a NOP Slide and the INT3 instruction (\xcc).

Now consider this exploit shellcode which allows you to execute a shell with root privileges using execve() inside your program. Your goal is to use this exploit shellcode as your buffer overflow input to execute a shell inside the vulnerable program.

To test whether you have successfully executed it you will need to do the following:

a. You can use python exploit.py to generate your input using python. You can also just use a normal string between double quotes.

b. This input must be chained to cat so that the output from the shell can be read.

c. This input must be piped into the execution of /stack5.

Execution piping
Execution piping

Submission Guidelines

For each of the levels, you must submit the following:

  • Your input (a script is fine).
  • The output showing the completion message.
  • A short explanation of why your exploit works.

You must provide an explanation for credit. Pictures/detailed information are always helpful. Create a text file called submission.txt and write your results there.

Be sure to identify all members of your group and have only one member submit the assignment.

Also be sure to observe the posted deadline. Late submissions will not be accepted.