RubNoobs/Systemsicherheit
RubNoobs/Systemsicherheit
3
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Assignment-5 #2

Merged
saschato merged 18 commits from Assignment-5 into master 2024-06-10 14:32:32 +02:00
Conversation 0 Commits 18 Files changed 20 +476
4 changed files with 476 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files
Showing only changes of commit e8edfc9f39 - Show all commits

176
Assignment 5 - Software Security - Teil 1/abgabe.tex
View file

@ -70,6 +70,182 @@
\sheetnr{5} \sheetnr{5}
% <-- Anpassen % % <-- Anpassen %
\begin{document} \begin{document}
\begin{exercise}[Analyse von Binärdaten]{1}
\begin{subexercises}
\item Der Output von \texttt{objdump} mit der \texttt{secret} Funktion extrahiert.
\begin{lstlisting}[language=bash]
user@intro:~$ objdump -d intro | awk -v RS= '/^[[:xdigit:]]+ <secret>/'
0000120d <secret>:
120d: f3 0f 1e fb endbr32
1211: 55 push %ebp
1212: 89 e5 mov %esp,%ebp
1214: 8b 45 08 mov 0x8(%ebp),%eax
1217: 8d 50 ff lea -0x1(%eax),%edx
121a: 89 d0 mov %edx,%eax
121c: 01 c0 add %eax,%eax
121e: 01 d0 add %edx,%eax
1220: 83 c0 05 add $0x5,%eax
1223: 5d pop %ebp
1224: c3 ret
\end{lstlisting}
\item Man kann durch den Command \lstinline[language=bash]{gdb -x commands} gdb mit der Datei \texttt{commands} ausgeben.
\begin{figure}[H]
\begin{lstlisting}[]
# Lines starting with a '#' symbol are comments
# Do not remove this intial line; it will disable pagination
set pagination off
file intro
break secret
# TODO: your commands go here
r 5
i r eax
stepi 6
# after 5. instruction
i r eax
stepi
# after 6. instruction
i r eax
stepi
# after 7. instruction
i r eax
stepi
# after 8. instruction
i r eax
# continue program to end
continue
# END of your commands
# Do not remove the final quit; it will exit GDB automatically
quit
\end{lstlisting}
\caption[short]{Inhalt der command Datei}
\end{figure}
Dabei wird zuerst die Datei \texttt{intro} in gdb eingelesen.
Anschließend wird ein Breakpoint bei der Funktion secret gesetzt.
Dann wird das Programm mit dem Parameter gestartet und, wie in der Aufgabe gewollt, wird das Register eax an verschiedenen Stellen ausgelesen.
Der Ausgabewert der Funktion ist dann 17.
\begin{lstlisting}[language=bash]
user@intro:~$ gdb -x commands
GNU gdb (Ubuntu 9.2-0ubuntu1~20.04.1) 9.2
Copyright (C) 2020 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word".
Breakpoint 1 at 0x120d: file intro.c, line 5.
Breakpoint 1, secret (num=5) at intro.c:5
5 intro.c: No such file or directory.
eax 0x5 5
0x5655621c 6 in intro.c
eax 0x4 4
0x5655621e 6 in intro.c
eax 0x8 8
6 in intro.c
eax 0xc 12
7 in intro.c
eax 0x11 17
[Inferior 1 (process 630) exited normally]
\end{lstlisting}
\item Für die Herleitung der Funktion werden zuerst ein paar Probewerte genommen.
\begin{align*}
f(0) &= 2\\
f(3) &= 11\\
f(4) &= 14\\
f(5) &= 17\\
f(7) &= 23\\
\end{align*}
Die Funktion $f(n)$ muss eine konstante 2 haben, da $f(0) = 2$.
Anschließend gehe man davon aus, dass $f(n)$ linear sei. Dann müsste $f(n) = an + 2$ sein.
Das gilt genau dann, wenn der ggT aller Paare $(n, f(n) - 2)$ für jeden Wert gleich ist. Das gilt mit $\forall n \in \mathbb{N} : ggT(n, f(n) - 2) = 3$.
Also:
\begin{align*}
f(n) = 3n + 2
\end{align*}
\item Das Programm liefert den Output
\begin{lstlisting}[language=bash]
user@intro:~$ readelf -S intro
There are 36 section headers, starting at offset 0x413c:
Section Headers:
[Nr] Name Type Addr Off Size ES Flg Lk Inf Al
[ 0] NULL 00000000 000000 000000 00 0 0 0
[ 1] .interp PROGBITS 000001b4 0001b4 000013 00 A 0 0 1
[ 2] .note.gnu.build-i NOTE 000001c8 0001c8 000024 00 A 0 0 4
[ 3] .note.gnu.propert NOTE 000001ec 0001ec 00001c 00 A 0 0 4
[ 4] .note.ABI-tag NOTE 00000208 000208 000020 00 A 0 0 4
[ 5] .gnu.hash GNU_HASH 00000228 000228 000020 04 A 6 0 4
[ 6] .dynsym DYNSYM 00000248 000248 0000a0 10 A 7 1 4
[ 7] .dynstr STRTAB 000002e8 0002e8 0000a7 00 A 0 0 1
[ 8] .gnu.version VERSYM 00000390 000390 000014 02 A 6 0 2
[ 9] .gnu.version_r VERNEED 000003a4 0003a4 000030 00 A 7 1 4
[10] .rel.dyn REL 000003d4 0003d4 000060 08 A 6 0 4
[11] .rel.plt REL 00000434 000434 000020 08 AI 6 24 4
[12] .init PROGBITS 00001000 001000 000024 00 AX 0 0 4
[13] .plt PROGBITS 00001030 001030 000050 04 AX 0 0 16
[14] .plt.got PROGBITS 00001080 001080 000010 10 AX 0 0 16
[15] .plt.sec PROGBITS 00001090 001090 000040 10 AX 0 0 16
[16] .text PROGBITS 000010d0 0010d0 000249 00 AX 0 0 16
[17] .fini PROGBITS 0000131c 00131c 000018 00 AX 0 0 4
[18] .rodata PROGBITS 00002000 002000 00001c 00 A 0 0 4
[19] .eh_frame_hdr PROGBITS 0000201c 00201c 000054 00 A 0 0 4
[20] .eh_frame PROGBITS 00002070 002070 00013c 00 A 0 0 4
[21] .init_array INIT_ARRAY 00003ec8 002ec8 000004 04 WA 0 0 4
[22] .fini_array FINI_ARRAY 00003ecc 002ecc 000004 04 WA 0 0 4
[23] .dynamic DYNAMIC 00003ed0 002ed0 000100 08 WA 7 0 4
[24] .got PROGBITS 00003fd0 002fd0 000030 04 WA 0 0 4
[25] .data PROGBITS 00004000 003000 000008 00 WA 0 0 4
[26] .bss NOBITS 00004008 003008 000004 00 WA 0 0 1
[27] .comment PROGBITS 00000000 003008 00002b 01 MS 0 0 1
[28] .debug_aranges PROGBITS 00000000 003033 000020 00 0 0 1
[29] .debug_info PROGBITS 00000000 003053 000369 00 0 0 1
[30] .debug_abbrev PROGBITS 00000000 0033bc 00011f 00 0 0 1
[31] .debug_line PROGBITS 00000000 0034db 00010a 00 0 0 1
[32] .debug_str PROGBITS 00000000 0035e5 0002b9 01 MS 0 0 1
[33] .symtab SYMTAB 00000000 0038a0 0004d0 10 34 51 4
[34] .strtab STRTAB 00000000 003d70 000271 00 0 0 1
[35] .shstrtab STRTAB 00000000 003fe1 000158 00 0 0 1
Key to Flags:
W (write), A (alloc), X (execute), M (merge), S (strings), I (info),
L (link order), O (extra OS processing required), G (group), T (TLS),
C (compressed), x (unknown), o (OS specific), E (exclude),
p (processor specific)
\end{lstlisting}
\item Die in dem Code angegebenen labels können wie folgt eingeteilt werden:
\begin{enumerate}[<A>:]
\item .bss
\item .data
\item Stack
\item Stack
\item Stack
\end{enumerate}
\end{subexercises}
\end{exercise}
\begin{exercise}[Crackme]{2} \begin{exercise}[Crackme]{2}
Die Funkion \lstinline{verify_key} leitet das Passwort aus einem geheimen Schlüssel ab, indem der ASCII-Wert jedes Zeichens, abhängig von dessen Position, verändert wird. Die Funkion \lstinline{verify_key} leitet das Passwort aus einem geheimen Schlüssel ab, indem der ASCII-Wert jedes Zeichens, abhängig von dessen Position, verändert wird.
Dem ASCII-Wert jedes Zeichens wird der doppelte Positionswert, bei 0 startend, abgezogen. Dem ASCII-Wert jedes Zeichens wird der doppelte Positionswert, bei 0 startend, abgezogen.

272
Assignment 5 - Software Security - Teil 1/analyse/.bash_history Normal file
View file

@ -0,0 +1,272 @@
#1717414602
ls
#1717414605
cat commands
#1717415348
clear
#1717415350
ls
#1717415351
ls intro
#1717415354
./intro
#1717415361
objdump
#1717415381
objdump intro
#1717415420
objdump -d intro
#1717415434
man objdump
#1717415443
objdump -d=secret intro
#1717415453
objdump -d intro
#1717415900
man objdump
#1717415917
objdump -d -j=secret intro
#1717415921
man objdump
#1717415972
objdump -d -j=secret intro awk -v RS= '/^[[:xdigit:]]+ <myfunc>/'
#1717415994
objdump -d intro | awk -v RS= '/^[[:xdigit:]]+ <secret>/'
#1717939441
ls
#1717939451
cat commands
#1717939475
cat intro
#1717939479
clear
#1717939481
ls
#1717939483
ll
#1717939485
l
#1717939490
ls -la
#1717939492
ls -lh
#1717939514
cat .bash_history
#1717939524
objdump -d intro | awk -v RS= '/^[[:xdigit:]]+ <secret>/'
#1717939721
task help
#1717939731
task info
#1717939739
task id
#1717939745
task check
#1717939826
man gdb
#1717939894
gdb intro
#1717940125
clear
#1717940125
ls
#1717940129
gdb intro
#1717942144
ls
#1717942149
nano commands
#1717942239
task check
#1717942298
cat commands
#1717942311
clear
#1717942321
man gdb
#1717942339
nano commands
#1717942350
man gdb
#1717942403
gdb -x commands intro
#1717942416
nano commands
#1717942422
gdb -x commands intro
#1717942426
task check
#1717942451
gdb
#1717942499
nano commands
#1717942514
gdb -x commands intro
#1717942520
task check
#1717942557
nano commands
#1717942567
gdb -x commands intro
#1717942582
nano commands
#1717942590
gdb -x commands intro
#1717942602
task check
#1717942691
nano commands
#1717942711
gdb
#1717942722
ls
#1717942726
gdb intro
#1717942741
gdb
#1717942836
nano commands
#1717942847
gdb
#1717942850
nano commands
#1717942862
gdb -x commands
#1717942872
task check
#1717942885
nano commands
#1717943082
gdb intro
#1717943152
nano commands
#1717943162
gdb -x commands
#1717943164
nano commands
#1717943179
gdb -x commands
#1717943183
clear
#1717943183
ls
#1717943186
task check
#1717943204
nano commands
#1717943214
task check
#1717943219
nano commands
#1717943238
task check
#1717943241
task submit
#1717943604
gdb intro
#1717943679
objdump intro
#1717943687
objdump -D intro
#1717943691
objdump -d intro
#1717943870
objdump -d intro | awk -v RS= '/^[[:xdigit:]]+ <secret>/'
#1717943884
gdb intro
#1717944098
gdb intro
#1717944117
ls
#1717944130
cp commands find_func
#1717944132
nano find_func
#1717944188
gdb -x find_func
#1717944202
./intro
#1717944204
./intro 5
#1717944207
./intro 6
#1717944208
7
#1717944210
./intro 7
#1717944212
./intro 8
#1717944219
clear
#1717944231
nano find_func
#1717944240
gdb -x find_func
#1717944295
nano find_func
#1717944344
gdb -x find_func
#1717944382
nano find_func
#1717944388
gdb -x find_func
#1717944397
nano find_func
#1717944402
gdb -x find_func
#1717944430
nano find_func
#1717944440
gdb -x find_func
#1717944470
gdb intro
#1717944479
readelf
#1717944487
readelf intro
#1717944516
readelf ßS intro
#1717944519
readelf -S intro
#1717945558
objdump -d intro | awk -v RS= '/^[[:xdigit:]]+ <secret>/'
#1717947140
ls
#1717947141
clear
#1717947141
ls
#1717947166
readelf -S intro
#1717948566
ls
#1717948569
clear
#1717948572
readelf -S intro
#1717948913
man 5 elf
#1717949114
elf
#1717949128
man 5 elf
#1717949898
task check
#1717949902
task info
#1717949906
task help
#1717949922
ls
#1717949924
rm find_func
#1717949925
clear
#1717949926
ls
#1717949929
task check
#1717950826
ls
#1717950831
cat commands

28
Assignment 5 - Software Security - Teil 1/analyse/commands Normal file
View file

@ -0,0 +1,28 @@
# Lines starting with a '#' symbol are comments
# Do not remove this intial line; it will disable pagination
set pagination off
file intro
break secret
# TODO: your commands go here
r 5
i r eax
stepi 6
# after 5. instruction
i r eax
stepi
# after 6. instruction
i r eax
stepi
# after 7. instruction
i r eax
stepi
# after 8. instruction
i r eax
# continue program to end
continue
# END of your commands
# Do not remove the final quit; it will exit GDB automatically
quit

BIN
Assignment 5 - Software Security - Teil 1/analyse/intro Executable file
View file

Binary file not shown.