Christian Urban <christian dot urban at kcl dot ac dot uk>

Virtual-Box

Start "Linux Hacking"
login is cu
password is "test"

The programs are under

cu$> app-material/progs

Programs can be updated using

hg pull
hg update
hg revert --all

Emacs can be used to edit files

emacs -nw ...file.... (is also an alias)

Compiler

gcc -O0 -o file file.c

Backtick is key §/±.

example.c
=========
file to explain assembly code


C0.c
====

Add the longer string and the long is printed out differently.

foo("my string is too long !!!!! \x15\xcd\x5b\x07");

C1.c
====

needs to be called using

./C1 `./args1-good`
./C1 `./args1-bad`

or in gdb using

gdb --args ./C1 `./args1-bad`

C2.c
====

called with

./args2-good | ./C2
./args2-bad | ./C2

C3.c
====
(shell injection)

called with

./C3

opens a new shell

C4.c
====
Format string attack

./C4 "%s"
./C4 `./args4`

This vulnerability does not need the defences, but prints out
the string only correctly with `./args4`. The %s option needs

-mpreferred-stack-boundary=2
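A hardened counterpart to the unbounded copy in C0.c and the user-controlled format in C4.c, added here as an example; it is not one of the course's progs. BUF_SIZE, bounded_copy and render_user_string are assumed names, and the real buffer size in C0.c is not shown on this page.

```c
#include <stdio.h>
#include <string.h>

/* Size of the fixed stack buffer in the hypothetical hardened foo();
   the real buffer size in C0.c is not shown on this page (assumption). */
#define BUF_SIZE 16

/* Hardened counterpart of the unbounded copy in C0.c: copies at most
   dst_size-1 bytes, always NUL-terminates, and never reads beyond the
   bytes it needs from src. Returns 1 if src was truncated, else 0. */
int bounded_copy(char *dst, size_t dst_size, const char *src)
{
    size_t n = 0;
    if (dst_size == 0)
        return 1;
    while (n < dst_size - 1 && src[n] != '\0')
        n++;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return src[n] != '\0';   /* bytes were left over: input truncated */
}

/* Hardened counterpart of C4.c: the user string is passed as the %s
   argument and never used as the format itself, so a "%s" typed by the
   user is rendered literally. Returns the number of characters produced.
   The vulnerable pattern would be snprintf(out, out_size, user). */
int render_user_string(char *out, size_t out_size, const char *user)
{
    return snprintf(out, out_size, "%s", user);
}

int main(int argc, char **argv)
{
    char buf[BUF_SIZE];
    char line[128];
    const char *input = argc > 1 ? argv[1]
                      : "my string is too long !!!!! \x15\xcd\x5b\x07";

    /* C0-style input: the copy stops at the buffer edge instead of
       spilling into whatever lies next to buf on the stack. */
    if (bounded_copy(buf, sizeof buf, input))
        puts("input truncated to fit the buffer");

    /* C4-style input such as "%s": printed verbatim, no stack read. */
    render_user_string(line, sizeof line, input);
    printf("user said: %s\n", line);
    return 0;
}
```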

C6.c
====
Enter the password :
hhhhhhhhhhhhhhhhhhhh

Wrong Password
Root privileges given to the user

------------------------------------

to switch off address randomization

echo 0 | sudo tee /proc/sys/kernel/randomize_va_space


C0.c

add to string

" \x15\xcd\x5b\x07"

to get

foo("my string is too long !!!!! \x15\xcd\x5b\x07");