newhw5files.zip
.
So, your job for this assignment is to figure out what input to this software will do the trick -- allow you to gain root privilege.
hw5.c
) of the source for the guts of the application.
(The source to some libraries is missing, but you have the rest.)
You also have a symbol table (a.sym
)
for the actual exectuable image running on the system you're going to attack.
Finally, you have a copy of the executable (a.out
),
so you can run it yourself and observe its behavior.
You'll find these files in newhw5files.zip.
The executable, a.out
,
is a (thin) imitation of a remote login service. When you
connect to it (which for us just means when you run it) it asks for a
password.
The password, "ABabCDcd" is hard-coded into the application,
and is publically known in any case since all it gives you is
"anonymous login" (that is, login with only public privileges).
To make your hacking job easier, I wrote the application to take the password in hex. (Why does that make it easier for you?) Start the application
$ cebsim a.out
41426162 43446364
When given that input, the application will tell you that the login is successful, and then say "bye" (since there's no real work to do). If you give it most other inputs it will indicate you've typed a bad password.
$ cebsim a.out Loaded exe. text=4784 data=312 stack=4096 heap=4096 c:\Documents and Settings\zahorjan\Desktop\HW5 Reading: TermDev: 0: 0: 1: 0 41426162 43446364 Connecting to june.cs.washington.edu Enter telnet password (in hex): Reading: TermDev: 0: 52: 1: 10 got 4 Reading: TermDev: 0: 49: 1: 10 got 1 Reading: TermDev: 0: 52: 1: 10 got 4 Reading: TermDev: 0: 50: 1: 10 got 2 Reading: TermDev: 0: 54: 1: 10 got 6 Reading: TermDev: 0: 49: 1: 10 got 1 Reading: TermDev: 0: 54: 1: 10 got 6 Reading: TermDev: 0: 50: 1: 10 got 2 Reading: TermDev: 0: 32: 1: 10 Reading: TermDev: 0: 52: 1: 10 got 4 Reading: TermDev: 0: 51: 1: 10 got 3 Reading: TermDev: 0: 52: 1: 10 got 4 Reading: TermDev: 0: 52: 1: 10 got 4 Reading: TermDev: 0: 54: 1: 10 got 6 Reading: TermDev: 0: 51: 1: 10 got 3 Reading: TermDev: 0: 54: 1: 10 got 6 Reading: TermDev: 0: 52: 1: 10 got 4 Reading: TermDev: 0: 13: 1: 10 Logged in as anonymous bye Syscall: Exit Total instructions = 18756 Arithmetic = 10515 Loads = 4193 Stores = 2318 Branches = 886 (677 taken) Jumps = 843 Syscalls = 1Besides all that annoying trace information, the input I typed doesn't appear until I hit Enter. (There's a good reason for that, but for this assignment it's not an advantage.)
A more convenient way to run than typing at Cebollita is to put the
input into a file. The file input-good
in the distribution
for this assignment shows the format to use. You can then invoke
the Cebollita simulator with
cebsim a.out <input-goodThis will bring up the simulator GUI. Hit
Run
or
Step
, perhaps after having set a breakpoint or two.
(Right-click on a line of code to toggle a breakpoint.)
When developing your attack, putting your input in a file is really the only way to go. Note that you have to shut down Cebollita after each run, though, as it will have consumed the input file and there is no way to get it to read the file from the beginning again. (That's because it's not actually reading the file, we're simply redirecting standard input from the file - i.e., it's not Cebollita's fault.)
$ cebsim a.out <input-bad Loaded exe. text=4784 data=312 stack=4096 heap=4096 c:\Documents and Settings\zahorjan\Desktop\HW5 Connecting to june.cs.washington.edu Enter telnet password (in hex): You are now running as root. Logged in as anonymous bye Syscall: Exit Total instructions = 59427 Arithmetic = 33313 Loads = 13004 Stores = 7632 Branches = 2687 (1881 taken) Jumps = 2790 Syscalls = 1(Obviously, the particular instruction counts you end up with might differ slightly.)
Your goal is to find input that you can give to the program
(a.out
) so that it produces the output just shown.
You have the source, but that's only for examination - you will not (cannot) modify the source. All you're doing is finding some magic input that will cause the program to misbehave in the particular way shown above. That magic has to do with the topics we've been discussing, of course, so your test-taking skills should lead you to thinking about how they may help.
This assignment takes some thinking, then some trying, then more thinking, then more trying, and around it goes. The first step is to understand how you might go about attacking the program, in very general terms. (That has been mentioned, if not fully emphasized, in class...) The iterations happen as you try to work out the details required to make that attack a success.
We may have very particular requirements for the format in which these are delivered, including the naming of files attached to mail messages. We'll figure that out and let you know shortly.
It would be a much more than ordinarily bad idea to leave this until the last moment. Being under the pressure of a close deadline will definitely not make it any easier to finish this.
And one last thing: DO NOT WAIT UNTIL A DAY STARTING WITH 'S' TO START THIS unless you've had prior successes hacking into other people's systems.
a.out
requires at least Cebollita Version 1.3 (build 60).
Here is a ceb.jar file with that version.