Posted: 29 May 2024

Practical exploitation of a vulnerable binary using integer arithmetic and return-oriented programming.

Preparation

  1. Install the Python ropper tool by running pip install ropper.

  2. Practice using Python to generate strings of arbitrary bytes (like those .dat files associated with our lectures) by creating and then outputting byte strings. See Bytes and Unicode Strings as well as help(bytes.fromhex).
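For preparation step 2, the following added example (not part of the lab's own materials) builds a byte string from hex digits, a packed little-endian integer and zero padding, and shows why text strings are the wrong type for binary data. The function names, the record layout and the file name practice.dat are constructed for practice and do not reflect the format of any file used in the procedure.

```python
import struct


def build_record(hex_prefix, value, pad_len):
    """Concatenate raw bytes: a hex-specified prefix, a little-endian
    64-bit integer, and zero padding (constructed layout, practice only)."""
    prefix = bytes.fromhex(hex_prefix)   # spaces between byte pairs are ignored
    packed = struct.pack("<Q", value)    # 8 bytes, least significant byte first
    return prefix + packed + bytes(pad_len)  # bytes(n) yields n zero bytes


def text_pitfall(byte_value):
    """Return (raw, via_text) for one byte value.

    raw is the single byte itself; via_text is what results when the same
    value passes through a str and is encoded as UTF-8, which is what
    happens when a text string is written to a file or pipe in text mode."""
    raw = bytes([byte_value])
    via_text = chr(byte_value).encode("utf-8")
    return raw, via_text


def write_dat(path, data):
    """Write data in binary mode ("wb") and return the number of bytes written."""
    with open(path, "wb") as f:
        return f.write(data)


def read_dat(path):
    """Read the file back in binary mode to confirm what was written."""
    with open(path, "rb") as f:
        return f.read()


if __name__ == "__main__":
    record = build_record("de ad be ef", 0x1122334455667788, 4)
    print("record :", record.hex(" "))

    raw, via_text = text_pitfall(0x90)
    print("bytes  :", raw.hex(" "), f"({len(raw)} byte)")
    print("via str:", via_text.hex(" "), f"({len(via_text)} bytes)")

    written = write_dat("practice.dat", record)
    assert read_dat("practice.dat") == record
    print("wrote", written, "bytes to practice.dat")
```

To send bytes to standard output instead of a file, use sys.stdout.buffer.write(data) rather than print, which would emit the text representation of the bytes object.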

Procedure

Complete the following procedure, showing the steps required to complete the tasks and gather key evidence (e.g., addresses). Show the claims and evidence that support your reasoning.

  1. Download vulnerable.c and compile it into an executable.

    1. How does your compiled executable vulnerable compare to this executable?

    2. Use the ropper tool to examine the ROP gadgets in each binary. How does the number of gadgets compare? Why?

  2. Using a debugger and the data file 1x1 or 4x4, illustrate the contents of the stack just before returning from the load_matrix function (i.e., at line 71 or 72). Show the stack contents from the address in %rsp to the call’s return address. Highlight all parameters, local variables and the return address.

  3. Use a debugger to explain why the fuzzer-generated test cases crash0 and crash1 crash the vulnerable binary.

  4. Create an input file that will cause load_matrix to zero out the stack from matrix to the return address. Use the debugger to verify that the file is successfully read and that the correct address is zeroed out. Why does the program fail to run to completion?

  5. Modify your input file so that the values of file_size and HEADER_SIZE are preserved when the stack is overwritten. Demonstrate that the program now terminates by attempting to execute code at address 0.

  6. Use the ropper tool to generate a ROP-chain payload for the vulnerable-provided binary that I gave you earlier. This ROP chain should execute the shell /bin/sh. Pass this payload into the vulnerable-provided binary and, using the debugger, explain why the process crashes.

  7. Required for ENGI 9823, optional for ENGI 7420: Modify the ROP chain (in Python or in the binary file) so that it executes successfully. Use the debugger to demonstrate how execution passes through at least the first three gadgets of the chain. Demonstrate that the end result is a shell.