Fall 2020

Tue Nov 10

We're not meeting at 2pm today - our regular time - it's plan day.

Instead, I offered to get together at 8pm with anyone who would like to discuss anything.

My goal today is to finish up with the x86 stuff :

So ... I'm open to whatever you'd like to talk about. Anyone want to describe what they did with the bomb lab?

in class

I went over phase1 of the attack lab in detail.

I also wrote up the attached pointers.c code in response to a question.

There were some questions about grading policy, homework assignments and late work. I've updated the "grading" section of the syllabus page in an attempt to be more explicit.

attack lab primer - hex2raw

We need to feed arbitrary bytes into the program ... which means we can't just type them with the keyboard; they aren't ascii.

So we use the provided hex2raw routine to do that for us. But that means we need to send the output from one program to the input of the next ... in unix this idea is called "pipes" , which we should go over.

$ ./program < input.txt > output.txt      

$ cat some_file.txt | some_program | some_other_program

(Google "unix pipe" and "unix redirect stdin" if you're not familiar with this syntax.)

Also, we need to run ctarget (the attack lab vulnerable executable for the first few phases) with the "-q" flag, so that it doesn't try to talk to the CMU grading servers.

So to run the target manually with gdb : gdb --args ctarget -q .

But to solve the lab, we'll need to feed in raw bytes.

The hex2raw helper program takes as input an "exploit file" made up of hex pairs, and outputs the corresponding raw bytes. You can even put in comments.

For example, consider the string Hello!\n. Looking up in an ascii table or using a python program can tell us what those bytes are in hex :

$ python
>>> for c in "Hello!":
...     print(f"{ord(c):02x}")

So if we create this file named hello.bytes

/* hello.bytes
 * This file has the bytes for "Hello!"
 * in a format compatible with hex2raw.
 *    $ cat hello.bytes | ./hex2raw
 *    Hello!
 */
48 65 6c 6c 6f 21

then we can send it through hex2raw and print "Hello!".

$ cat hello.bytes | ./hex2raw
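
To make the exploit-file format concrete, here is a small Python stand-in for the conversion that hex2raw performs. It is an added example, not the lab's hex2raw source: the name hex_to_raw, the script name in the usage comment and the sample text are made up here, and it assumes the format is whitespace-separated two-digit hex bytes with /* */ comments.

```python
import re
import sys

# Block comments in the exploit file, as in the hello.bytes example above.
COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)
HEX_PAIR = re.compile(r"[0-9a-fA-F]{2}")


def hex_to_raw(text: str) -> bytes:
    """Convert whitespace-separated hex pairs to raw bytes, skipping comments."""
    body = COMMENT.sub(" ", text)
    if "/*" in body:
        # A comment that is opened but never closed is not removed above,
        # so its words would be parsed as byte values. Report it instead.
        raise ValueError("unterminated /* comment")
    out = bytearray()
    for token in body.split():
        # Reject anything that is not exactly two hex digits ("4", "0x48", "zz").
        if not HEX_PAIR.fullmatch(token):
            raise ValueError(f"not a two-digit hex byte: {token!r}")
        out.append(int(token, 16))
    return bytes(out)


# Constructed sample input, mirroring hello.bytes.
SAMPLE = """/* bytes for "Hello!" */
48 65 6c 6c 6f 21
"""

if __name__ == "__main__":
    # Hypothetical usage: python hex_to_raw.py < hello.bytes | some_program
    data = sys.stdin.read()
    # Write through the binary buffer: text-mode stdout would re-encode
    # any byte >= 0x80 as multi-byte UTF-8 and corrupt the raw output.
    sys.stdout.buffer.write(hex_to_raw(data))
```

The write through sys.stdout.buffer is the same point as "they aren't ascii" above: the bytes have to reach the next program in the pipe unchanged.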

For the attack lab, we create our exploit file with the bytes that we think will do something interesting, and send it into the executable.

$ cat exploit.phase1 | ./hex2raw | ./ctarget -q

So our mission is to create an appropriate exploit.phase1.
last modified Tue November 10 2020 10:07 pm

attachments: pointers.c (TXT, 1.1K, last modified Tue Nov 10 2020 10:05 pm)