author: Christian Urban <christian dot urban at kcl dot ac dot uk>
date: Thu, 15 Oct 2015 10:07:14 +0100
changeset 410: d0a95f3aa65e (parent 403: 92c49c160b24, child 467: da4896f201b5)
permissions: -rw-r--r--
VirtualBox

Start "Linux Hacking"
login is cu
password is "test"

The programs are under

cu$> app-material/progs


Programs can be updated using

hg pull
hg update
hg revert --all

(hg revert --all throws away any local edits to the checked-out files,
leaving .orig backup copies behind; run it only when you want the files
reset to the repository version.)

Emacs can be used to edit files

emacs -nw ...file.... (is also an alias)

C0.c
====

Call foo with the longer string below and the long next to the buffer is
printed out with a different value: the four escape bytes at the end of
the string overwrite it, and read little-endian they are
0x075bcd15 = 123456789.

foo("my string is too long !!!!! \x15\xcd\x5b\x07");

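An added example, not the course's C0.c (which is not reproduced on this page): it models the frame the overflow above relies on as raw bytes, so the effect is deterministic instead of depending on the compiler's real stack layout, and decodes the four payload bytes. Assumptions: a 28-byte buffer (the length of the text before the escape bytes) directly followed by a 4-byte integer, little-endian byte order, and the function names, which are mine.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed C0.c layout: a 28-byte buffer directly followed by a 4-byte
 * integer ("the long" of the README, 4 bytes on a 32-bit build).  28 is
 * the length of "my string is too long !!!!! ", so the four escape bytes
 * land exactly on the integer.  C0.c itself is not on the page. */
#define BUF_LEN 28

/* The README's payload, as passed to foo() in C0.c. */
static const char PAYLOAD[] = "my string is too long !!!!! \x15\xcd\x5b\x07";

/* Little-endian 32-bit decode / encode (x86 byte order). */
uint32_t le32(const unsigned char *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

void put_le32(unsigned char *p, uint32_t v) {
    p[0] = v & 0xff;         p[1] = (v >> 8) & 0xff;
    p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}

/* Model of foo()'s frame as raw bytes: buf, then the integer, then a
 * little slack for strcpy's terminating NUL. */
#define FRAME_LEN (BUF_LEN + 4 + 4)

/* Simulates foo(): an unbounded strcpy() of s into buf, then returns the
 * value the adjacent integer holds afterwards ('before' if s fits). */
uint32_t overflow_adjacent_long(const char *s, uint32_t before) {
    unsigned char frame[FRAME_LEN];
    memset(frame, 0, sizeof frame);
    put_le32(frame + BUF_LEN, before);        /* the "long" lives right after buf */
    size_t n = strlen(s) + 1;                 /* strcpy copies the NUL too */
    if (n > sizeof frame) n = sizeof frame;   /* keep the model itself in bounds */
    memcpy(frame, s, n);                      /* the unchecked copy */
    return le32(frame + BUF_LEN);
}

/* Value the payload's last four bytes spell out when read little-endian. */
uint32_t payload_value(void) {
    return le32((const unsigned char *)PAYLOAD + BUF_LEN);
}

/* The real (undefined-behaviour) shape of foo(): kept for reference only,
 * nothing here calls it, and a compiler is free to lay the frame out
 * differently or to insert a stack canary between buf and secret. */
void foo(const char *s) {
    long secret = 0;
    char buf[BUF_LEN];
    strcpy(buf, s);          /* overflows for strlen(s) >= BUF_LEN */
    printf("%s %ld\n", buf, secret);
}

int main(void) {
    printf("payload tail = 0x%08x = %u\n", payload_value(), payload_value());
    printf("long before=%u after=%u\n", 7u, overflow_adjacent_long(PAYLOAD, 7u));
    printf("short string leaves it alone: %u\n", overflow_adjacent_long("my string", 7u));
    return 0;
}
```

The model copies exactly what strcpy would: the 28 text bytes fill the buffer, the next four bytes replace the integer, and the NUL lands in the slack. Change BUF_LEN and the payload bytes miss the target, which is the same adjustment you make when the real buffer turns out to have a different size.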
C1.c
====

needs to be called using

./C1 `args1-good`
./C1 `args1-bad`

or in gdb using

gdb --args ./C1 `args1-bad`

(inside gdb type run; after the crash, bt and info registers show where
the overflowed bytes ended up)


C2.c
====

called with

./args2-good | ./C2
./args2-bad | ./C2

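An added example covering both C1.c (input from the argument) and C2.c (input from stdin); it is not the course's code, and BUFSZ, the 64-byte stand-in for what args1-bad / args2-bad produce, and the function names are assumptions. It puts the unbounded copy next to bounded versions that report when the input would not have fit, which is the check both programs are missing.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Assumed size of the target buffer in C1.c and C2.c (neither is on the
 * page): args1-good / args2-good presumably fit, the -bad variants do not. */
#define BUFSZ 32

/* Constructed stand-in for what args1-bad / args2-bad emit: 64 bytes,
 * twice the buffer. */
static const char BAD_ARG[] =
    "AAAAAAAA" "AAAAAAAA" "AAAAAAAA" "AAAAAAAA"
    "AAAAAAAA" "AAAAAAAA" "AAAAAAAA" "AAAAAAAA";

/* The C1 pattern: argv[1] copied with no bound.  Anything longer than
 * BUFSZ-1 bytes runs over whatever sits above buf in the frame.  Shown
 * for reference; nothing below calls it. */
void take_arg_unsafe(const char *arg) {
    char buf[BUFSZ];
    strcpy(buf, arg);
    printf("got: %s\n", buf);
}

/* Bounded replacement: copies at most dstsz-1 bytes, always terminates,
 * and tells the caller whether the whole input fit. */
bool copy_arg_bounded(char *dst, size_t dstsz, const char *arg) {
    size_t n = strlen(arg);
    bool fits = n < dstsz;                 /* the bytes plus the NUL */
    size_t take = fits ? n : dstsz - 1;
    memcpy(dst, arg, take);
    dst[take] = '\0';
    return fits;
}

/* Number of bytes copy_arg_bounded() keeps from arg in a BUFSZ buffer. */
size_t kept_length(const char *arg) {
    char buf[BUFSZ];
    copy_arg_bounded(buf, sizeof buf, arg);
    return strlen(buf);
}

/* The C2 pattern takes its input from stdin.  fgets() is bounded, but a
 * line longer than the buffer is silently split over several calls; a
 * missing '\n' is how the caller notices.  Returns true only when the
 * complete line fit; on truncation the rest of the line is discarded so
 * the next read starts on a fresh line. */
bool read_line_bounded(FILE *in, char *dst, size_t dstsz) {
    if (!fgets(dst, (int)dstsz, in)) { dst[0] = '\0'; return false; }
    size_t n = strlen(dst);
    if (n > 0 && dst[n - 1] == '\n') { dst[n - 1] = '\0'; return true; }
    int c = fgetc(in);
    if (c == EOF || c == '\n') return true;   /* nothing was left over */
    while ((c = fgetc(in)) != EOF && c != '\n') {}
    return false;                             /* over-long line, drained */
}

/* Runs read_line_bounded() over a constructed line without needing a
 * pipe: the line goes into a temporary file and is read back. */
bool line_fits(const char *line) {
    FILE *f = tmpfile();
    if (!f) return false;
    fputs(line, f);
    rewind(f);
    char buf[BUFSZ];
    bool ok = read_line_bounded(f, buf, sizeof buf);
    fclose(f);
    return ok;
}

int main(void) {
    printf("argv copy of %zu bytes keeps %zu\n", strlen(BAD_ARG), kept_length(BAD_ARG));
    printf("stdin line \"good\" fits=%d, bad line fits=%d\n",
           line_fits("good\n"), line_fits(BAD_ARG));
    return 0;
}
```

The stdin check matters because fgets alone is not enough: it stops at dstsz-1 bytes and leaves the remainder in the stream, so a program that reads the "bad" line in a loop is fed the tail of the same line as if it were fresh input.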
C3.c
====
(shell injection)

called with

./C3

opens a new shell


C4.c
====
Format string attack

./C4 "%s"
./C4 `./args4`

This vulnerability does not need the defences switched off, but it
prints out the string correctly only with `./args4`. The plain "%s"
call needs C4 compiled with

-mpreferred-stack-boundary=2

(4-byte stack alignment, the 32-bit / -m32 convention, so that the
stack slot the extra %s reads is the one the example expects)


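An added example, not the course's C4.c: the unsafe call beside the fixed one, a directive counter that shows how many stack arguments an attacker-supplied format would make printf fetch (and whether it contains %n), and a legitimate %n call that shows what the write primitive does. The function names and the "%08x.%08x.%08x.%n" sample are mine.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* The C4.c pattern as the README describes it: the user's argument is the
 * format.  With "%s" printf() walks the stack for an argument that was
 * never passed and dereferences whatever it finds.  Shown for reference
 * only; nothing below calls it (undefined behaviour). */
void print_unsafe(const char *user) {
    printf(user);                  /* gcc's -Wformat-security flags exactly this */
}

/* Hardened form: the format is a literal, the user data is an argument. */
void print_safe(const char *user) {
    printf("%s", user);
}

/* Counts the conversions a format would consume, the way printf() parses
 * it: '%' starts a directive, "%%" is a literal percent sign, '*' pulls an
 * extra width/precision argument, and every %n is counted in *writes
 * (a write to memory, not just a read).  The return value is the number
 * of stack arguments the string would make printf() fetch. */
int count_directives(const char *fmt, int *writes) {
    int count = 0;
    if (writes) *writes = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%') continue;
        p++;
        if (*p == '%') continue;                   /* "%%" */
        if (*p == '\0') break;                     /* dangling '%' */
        while (*p && strchr("-+ #0123456789.hlLqjzt*", *p)) {
            if (*p == '*') count++;                /* width taken from the stack */
            p++;
        }
        if (*p == '\0') break;
        if (*p == 'n' && writes) (*writes)++;
        count++;
    }
    return count;
}

/* Number of %n write directives in fmt. */
int writes_in(const char *fmt) {
    int w = 0;
    count_directives(fmt, &w);
    return w;
}

/* Untrusted text is safe to use as a format only if it has no directives. */
bool is_safe_as_format(const char *user) {
    return count_directives(user, NULL) == 0;
}

/* A legitimate %n, to show the primitive: it stores the number of bytes
 * written so far through the pointer argument.  In C4.c that pointer is
 * not supplied by the caller, so printf() takes it from the stack, and
 * the attacker chooses it by placing an address in the format string. */
int percent_n_demo(void) {
    char out[32];
    int written = -1;
    snprintf(out, sizeof out, "AAAA%n", &written);
    return written;
}

int main(int argc, char **argv) {
    const char *user = argc > 1 ? argv[1] : "%08x.%08x.%08x.%n";   /* constructed sample */
    printf("\"%s\" would fetch %d stack arguments, %d of them written via %%n\n",
           user, count_directives(user, NULL), writes_in(user));
    printf("safe as a format: %s\n", is_safe_as_format(user) ? "yes" : "no");
    printf("%%n after four bytes stores %d\n", percent_n_demo());
    print_safe(user);
    putchar('\n');
    return 0;
}
```

Run it with the README's "%s" as the argument and the counter reports one fetched argument and no writes, which is the read that C4 turns into a crash or a leak; a string with %n in it is the case where the same bug becomes a write.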
------------------------------------

to switch off address randomization

echo 0 | sudo tee /proc/sys/kernel/randomize_va_space

(0 = no randomisation, 2 = the Linux default of full randomisation;
check the current value with cat /proc/sys/kernel/randomize_va_space.
The setting does not survive a reboot. gdb switches randomisation off
for the program it runs by default, so an address that works under gdb
may not work outside it unless the sysctl above is set.)



C0.c

add to string

" \x15\xcd\x5b\x07"

to get

foo("my string is too long !!!!! \x15\xcd\x5b\x07");