EC312 Security Exercise 7
Part 1. Initial Setup
Today you will use the program sx7.c which has been written for you and placed in the ec310code
directory.
Copy this file to the work directory by carefully entering the following at the home directory prompt
(make sure you are at your home directory; the ~ in the prompt shows that you are):
midshipman@EC310:~ $ cp ec310code/sx7.c work
Verify that you have sx7.c in your work directory by changing to the work directory:
cd work
and then listing the files in the work directory:
ls
If you do not have sx7.c in your work directory, STOP and ask your instructor or lab tech for help.
Otherwise, proceed to Part 2.
Part 2. The Program
Use nano to examine the program sx7.c, which is also shown below:
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
int main( int argc, char *argv[ ] )
{
    char schoolone[ 5 ] ;                 /* room for four characters plus the terminating NUL */
    char schooltwo[ 5 ] ;
    if( argc <= 2 )                       /* quit unless two command line arguments were given */
        exit(1);
    strcpy( schoolone , argv[ 1 ] );      /* no length check on either copy */
    strcpy( schooltwo , argv[ 2 ] );
    printf( "The best school is %s \n" , schoolone );
    printf( "The second-best school is %s \n" , schooltwo );
}
Save your program (Control-o) and exit nano (Control-x), and then compile your program using
gcc -g sx7.c
(The -g flag includes debugging information so that gdb can show source lines and variable names. If you
reproduce this exercise outside the course virtual machine, be aware that a current gcc enables the stack
protector by default, the kernel randomizes stack addresses, and a 64-bit build uses rsp/rbp rather than the
esp/ebp registers examined below; the exercise as written assumes none of those.)
Before running your program, answer the following questions:
Question 1:
If I were to enter (but do not yet enter):
./a.out Army Navy
what would be the values of argc, argv[0], argv[1] and argv[2]?
Question 2:
If I were to enter (but do not yet enter):
./a.out
what would happen?
Now, run the program by entering:
./a.out
Make sure you understand the results.
Now run the program a second time by entering:
./a.out Army Navy
and again, make sure you understand what the program is doing.
If you do not understand the operation of the program, STOP and ask your instructor or lab tech for help.
Otherwise, proceed to Part 3.
Part 3. Your first experience at hacking!
Here is the background on this program: Your friend Cadet Nerdenheimer, who is attending USNA from the
U.S. Military Academy on an inter-service exchange program for the socially impaired, has written the program
shown in Part 2.
He says: “Let’s run my program! I’ll enter the name of my school and then you, my dear midshipman friend,
will enter the name of your school, and then we’ll see which school the program says is Number 1.”
Since Cadet Nerdenheimer goes first, and always puts in Army, the string Army will be placed in argv[1].
Since the program copies argv[1] into schoolone, and then announces that schoolone is the best
school, the program is designed so that it will always say:
The best school is Army
The second-best school is (whatever the midshipman entered)
As you can see, he is named Cadet Nerdenheimer for a reason.
YOUR MISSION: HACK THE CADET’S PROGRAM!
Your hack should work as follows: Cadet Nerdenheimer runs the program and enters Army and then lets you
enter your school. After you make your entry, the program prints out:
The best school is Navy
thus shocking the Cadet into a mind-numbing stupor.
Moreover, the output also provides an indication that the second-best school is also Navy.
[Figure: sample output of the hacked program, with Navy on the "best school" line and Navy appearing on the
"second-best school" line as well]
Note that you cannot make any changes to the C program!
So… how will you accomplish this? By designing a buffer overflow! (really… you will!)
Enter the following commands:
gcc -g sx7.c
gdb -q ./a.out
set dis intel
list
<Enter>
(Note that the reason for the second <Enter> above is to display the full program. Entering list will only
display the first ten lines of the program; pressing Enter again repeats the last command and lists the next
ten. The -q flag suppresses gdb's startup banner, and set dis intel is short for set disassembly-flavor intel,
which makes gdb print x86 assembly in Intel syntax rather than the default AT&T syntax.)
Here is what you would like to accomplish: You want to examine the stack while the program is running, and
determine if you can overwrite the cadet's entry by using a buffer overflow. Looking at the program listing, we
see:
[Figure: gdb list output of sx7.c, with gdb's line numbers shown beside each line of the program]
STEP 1: Determine the proper breakpoint for your program.
You want the program to run up to a certain point, then freeze at a breakpoint, allowing you to examine the
stack. Where should you set the breakpoint? Looking at the figure above, setting the breakpoint at line 2 would
clearly be worthless, since nothing significant has occurred by that line of the program. You want to set the
breakpoint to be at a point after the command line arguments (i.e., the cadet's entry which is Army, and your
entry) are on the stack.
Question 3:
Where should you set the breakpoint?
STOP and show your instructor or lab tech your answer to Question 3. With their okay, proceed to Step 2
below.
STEP 2: Run to the breakpoint and examine the stack.
To set a breakpoint and then run a program that requires command line arguments (where, let's say, the
command line arguments are Army and Navy), you would enter:
break <whatever line number you have for Question 3>
run Army Navy
For example, if you answered Question 3 by deciding the breakpoint should be at line 4, you would enter:
break 4
run Army Navy
Now, examine the stack pointer and the base pointer by entering
i r esp
i r ebp
(i r is gdb's abbreviation for info registers.)
Question 4:
How many bytes are on the stack between esp and ebp, i.e., how large is main's stack frame?
Examine the stack by entering
x/60xb $esp
(examine 60 bytes of memory, displayed in hex one byte at a time, starting at the address held in esp).
Question 5:
Label, in the Description column, the locations of the addresses to which main's stack
and base pointer point. Label the base pointer as EBP-main and the stack pointer as
ESP-main.
Question 6:
Locate on the stack the copies of the two command line arguments. Recall that the program
copies argv[1] into schoolone and argv[2] into schooltwo. Show these on the table below,
labeling them as schoolone – cadet's entry and as schooltwo – midshipman's entry.
STEP 3: Determine the attack technique.
Question 7:
Based on your picture of the stack, which is true (a or b):
(a) If schoolone is long enough, it can overwrite schooltwo
(b) If schooltwo is long enough, it can overwrite schoolone
Question 8:
Based on your picture of the stack, design your buffer overflow. Write a clear
explanation of how your attack works in the answer space for Question 8.
Question 9:
Demonstrate your buffer overflow attack during a run of the program. Your instructor or
lab tech will sign off on this.
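The following C program is an added example, not part of the worksheet or of sx7.c. It models the two adjacent five-byte buffers in main's frame as a struct so that the mechanism behind Questions 7 and 8 can be run and checked outside gdb, and it places the unchecked copy beside a bounded replacement. Everything in it is an assumption for illustration: the member order (schooltwo at the lower address, schoolone immediately above, which is only one of the two possible layouts and is exactly what Question 7 asks you to determine from your own stack dump), the names unchecked_copy, bounded_copy, run_vulnerable, run_hardened, prints_as and dump_bytes, and the filler character X in the nine-character test input.

```c
/* Added example, not part of sx7.c or the worksheet: a model of the two
 * adjacent 5-byte buffers in main()'s frame.  ASSUMPTION: here schooltwo sits
 * at the lower address with schoolone right above it, so a long argv[2] runs
 * into schoolone.  The real order (Question 7) must be read off the gdb dump;
 * a struct only guarantees that its members are laid out in declaration order. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct frame {
    char schooltwo[5];   /* argv[2] is copied here (lower address in this model) */
    char schoolone[5];   /* argv[1] is copied here, immediately above */
};

/* What strcpy(member, src) does: copies src and its NUL starting at byte
 * offset 'off', ignoring the member's size.  Writing through a char pointer to
 * the whole struct keeps this well-defined C while reproducing the effect of
 * the unchecked strcpy calls in sx7.c. */
static void unchecked_copy(struct frame *f, size_t off, const char *src)
{
    memcpy((char *)f + off, src, strlen(src) + 1);
}

/* Hardened replacement: never writes more than n bytes, always NUL
 * terminates, and returns -1 when src did not fit and was truncated. */
static int bounded_copy(char *dst, size_t n, const char *src)
{
    size_t len = strlen(src);
    if (n == 0)
        return -1;
    if (len >= n) {
        memcpy(dst, src, n - 1);
        dst[n - 1] = '\0';
        return -1;
    }
    memcpy(dst, src, len + 1);
    return 0;
}

/* sx7.c's copy order: argv[1] into schoolone first, then argv[2] into schooltwo. */
static void run_vulnerable(struct frame *f, const char *arg1, const char *arg2)
{
    memset(f, 0, sizeof *f);
    unchecked_copy(f, offsetof(struct frame, schoolone), arg1);
    unchecked_copy(f, offsetof(struct frame, schooltwo), arg2);
}

/* Same program with bounded copies; returns how many arguments were truncated. */
static int run_hardened(struct frame *f, const char *arg1, const char *arg2)
{
    int truncated = 0;
    memset(f, 0, sizeof *f);
    truncated += bounded_copy(f->schoolone, sizeof f->schoolone, arg1) != 0;
    truncated += bounded_copy(f->schooltwo, sizeof f->schooltwo, arg2) != 0;
    return truncated;
}

/* Runs one version and returns 1 if the chosen buffer then prints as 'want'
 * (first != 0 selects schoolone, i.e. the "best school" line). */
static int prints_as(int hardened, const char *arg1, const char *arg2,
                     int first, const char *want)
{
    struct frame f;
    if (hardened)
        run_hardened(&f, arg1, arg2);
    else
        run_vulnerable(&f, arg1, arg2);
    return strcmp(first ? f.schoolone : f.schooltwo, want) == 0;
}

/* Prints n bytes the way gdb's x/nxb does, one 0xNN per byte. */
static void dump_bytes(const void *p, size_t n)
{
    const unsigned char *b = p;
    for (size_t i = 0; i < n; i++)
        printf("%s0x%02x", i ? " " : "", b[i]);
    putchar('\n');
}

int main(void)
{
    struct frame f;

    run_vulnerable(&f, "Army", "Navy");
    printf("Normal run:   best=%s second=%s\n", f.schoolone, f.schooltwo);

    /* 9 characters: 5 fill schooltwo, the other 4 plus the NUL land in
     * schoolone.  The 5th character is filler; any non-NUL byte would do. */
    run_vulnerable(&f, "Army", "NavyXNavy");
    printf("Overflow run: best=%s second=%s\n", f.schoolone, f.schooltwo);
    dump_bytes(&f, sizeof f);

    int truncated = run_hardened(&f, "Army", "NavyXNavy");
    printf("Hardened run: best=%s second=%s (%d argument(s) truncated)\n",
           f.schoolone, f.schooltwo, truncated);
    return 0;
}
```

Compile with gcc -Wall (the file name is yours to choose) and run it. The overflow run prints Navy on the "best" line and NavyXNavy on the "second" line, because schooltwo no longer contains a NUL within its own five bytes and printf's %s reads straight on into schoolone; that is the same effect you are reproducing on the real stack, and the byte dump is in the same form as your x/60xb output so the two can be compared. If your Question 7 answer is the other layout, swap the two members and the roles of the arguments reverse. The hardened run shows the defence: a copy that knows the destination size truncates the long argument and reports it, and Army stays in schoolone.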
EC312 Security Exercise 7
Name:
Question 1:
Question 2:
Question 3:
Question 4:
Question 5 and Question 6:
Address     Value     Description
BFFFF7CD    ____      ______________________________
BFFFF7CE    ____      ______________________________
BFFFF7CF    ____      ______________________________
BFFFF7D0    ____      ______________________________
BFFFF7D1    ____      ______________________________
BFFFF7D2    ____      ______________________________
BFFFF7D3    ____      ______________________________
BFFFF7D4    ____      ______________________________
BFFFF7D5    ____      ______________________________
BFFFF7D6    ____      ______________________________
BFFFF7D7    ____      ______________________________
BFFFF7D8    ____      ______________________________
BFFFF7D9    ____      ______________________________
BFFFF7DA    ____      ______________________________
BFFFF7DB    ____      ______________________________
BFFFF7DC    ____      ______________________________
BFFFF7DD    ____      ______________________________
BFFFF7DE    ____      ______________________________
BFFFF7DF    ____      ______________________________
BFFFF7E0    ____      ______________________________
BFFFF7E1    ____      ______________________________
BFFFF7E2    ____      ______________________________
BFFFF7E3    ____      ______________________________
BFFFF7E4    ____      ______________________________
BFFFF7E5    ____      ______________________________
BFFFF7E6    ____      ______________________________
BFFFF7E7    ____      ______________________________
BFFFF7E8    ____      ______________________________
BFFFF7E9    ____      ______________________________
BFFFF7EA    ____      ______________________________
BFFFF7EB    ____      ______________________________
BFFFF7EC    ____      ______________________________
BFFFF7ED    ____      ______________________________
BFFFF7EE    ____      ______________________________
BFFFF7EF    ____      ______________________________
BFFFF7F0    ____      ______________________________
BFFFF7F1    ____      ______________________________
BFFFF7F2    ____      ______________________________
BFFFF7F3    ____      ______________________________
BFFFF7F4    ____      ______________________________
BFFFF7F5    ____      ______________________________
BFFFF7F6    ____      ______________________________
BFFFF7F7    ____      ______________________________
BFFFF7F8    ____      ______________________________
BFFFF7F9    ____      ______________________________
BFFFF7FA    ____      ______________________________
BFFFF7FB    ____      ______________________________
BFFFF7FC    ____      ______________________________
BFFFF7FD    ____      ______________________________
BFFFF7FE    ____      ______________________________
BFFFF7FF    ____      ______________________________
BFFFF800    ____      ______________________________
BFFFF801    ____      ______________________________
BFFFF802    ____      ______________________________
BFFFF803    ____      ______________________________
BFFFF804    ____      ______________________________
BFFFF805    ____      ______________________________
BFFFF806    ____      ______________________________
BFFFF807    ____      ______________________________
BFFFF808    ____      ______________________________
BFFFF809    ____      ______________________________
BFFFF80A    ____      ______________________________
BFFFF80B    ____      ______________________________
BFFFF80C    ____      ______________________________
BFFFF80D    ____      ______________________________
BFFFF80E    ____      ______________________________
BFFFF80F    ____      ______________________________
BFFFF810    ____      ______________________________
BFFFF811    ____      ______________________________
BFFFF812    ____      ______________________________
BFFFF813    ____      ______________________________
BFFFF814    ____      ______________________________
BFFFF815    ____      ______________________________
BFFFF816    ____      ______________________________
BFFFF817    ____      ______________________________
BFFFF818    ____      ______________________________
BFFFF819    ____      ______________________________
BFFFF81A    ____      ______________________________
Question 7:
Question 8:
Question 9:
When you have successfully hacked the cadet's program, show your instructor or lab tech.
_________________________________
Instructor or Lab Tech signature