The goal of this problem set is to perform a basic stack overflow exploit against a vulnerable program, and develop a patch to remove the vulnerability. To complete the problem set, you will need to ssh to your container at $user[@]amplifier.ccs.neu.edu:$port , where $user is your gitlab username and $port is your assigned ssh port (hxxps://seclab-devel.ccs.neu.edu/snippets/6). Authentication is performed using any of your uploaded ssh public keys in gitlab. You will also need to clone the problem set repository located at git[@]seclab-devel.ccs.neu.edu:softvulnsec/prset01.git .
A compiled version of the vulnerable program from prset01.git is located at /usr/local/bin/prset01 on your container. Identify the address on the stack of a saved return address that can be overwritten by examining the source code and running the program in gdb. Additionally, identify the address of a buffer you can overflow on the stack.
Compute the length between the start of the buffer and the location of the saved return address on the stack.
Inject a payload into the program that redirects control flow to your buffer. Convince yourself that this occurs by either tracing execution using gdb, filling the buffer with instructions that trap (e.g., int3 ( 0xcc bytes)), or some other method.
Notice that the vulnerable program is setuid 1001. Write an exploit payload that leaks the contents of /usr/local/share/prset01.secret , which is only readable by UID 1001. Feel free to adapt the example payload from gitlab or develop your own for extra points. Using a shellcode generator like metasploit is not permitted, however.
Fork the repository for this problem set in gitlab – your copy should have the URL git@seclab- devel.ccs.neu.edu:$user/prset01.git . Develop a patch to the original source file that removes the vulnerability while preserving the intended functionality of the program. Commit the patch to your repository (i.e., edit the original source code and commit the changed version).
In your forked repository, commit a JSON object in the file solution.json with the following format: An example solution might look like:
{
"buf_addr": "<buffer address>",
"ret_addr": "<address of return address>",
"payload_len": <length of payload>,
"secret": "<secret value>"
}
The vulnerability in the given C program is because use of unsafe code (strcpy function). This vulnerability causes the buffer to be overflowned beyond its legal bounds. In execution of the program the process_verify() function contains the unsafe code.
For the successful exploit I calculate the frame length (0xe8) and return address (0x7fffffff850) and then overflow the buffer with the explit.py script. After that I ended up in the bash command mode. Now I was able to access the files which permission was denied.
To mitigate the exploit I can use safer version of the strcpy() i.e. strncpy(). Also if the length of the given hash value is not equal to buffer length then I safly show eror message.
I exploited the vulnerability and get access to the bash shell. After that I can use the same code and reuse with different parameters it to get in to another bash shell. If we could do this over and over again we could possibly crash the system containing the buffer overflow vulnerability.