The goal of this problem set is to perform a code reuse attack against a vulnerable program, and develop a patch to remove the vulnerability.
To complete the problem set, you will need to ssh to your container at $user[@]amplifier.ccs.neu.edu:$port , where $user is your gitlab username and $port is your assigned ssh port (hxxps://seclab-devel.ccs.neu.edu/snippets/6). Authentication is performed using any of your uploaded ssh public keys in gitlab. You will also need to clone the problem set repository located at git[@]seclab-devel.ccs.neu.edu:softvulnsec/prset04.git .
A compiled version of the vulnerable program from prset04.git is located at /usr/local/bin/prset04 on your container. While this program is easily exploitable, it is also protected by ASLR, DEP, and stack canaries.
Take advantage of an information disclosure vulnerability to leak address information from the program. Use this information to derandomize the address space layout and defeat stack protection.
The vulnerable program is running setuid 1001. Design an exploit that leaks the contents of /usr/local/share/prset04.secret , which is only readable by UID 1001.
However, since the program is protected by DEP, you will need to perform a code-reuse attack. Identify a set of gadgets that will implement your attack.
Execute your attack to obtain the secret value.
Fork the repository for this problem set in gitlab. Commit a JSON object to solution.json with the following format:
{
  "gadget_chain": [
    "<addr1 as 0xhex>",
    "<addr2 as 0xhex>",
    // ...
  ],
  "secret": "<secret value>"
}
For example, given a gadget chain of 0x1234 → 0x5678 and secret abcd :
{
  "gadget_chain": [
    "0x1234",
    "0x5678"
  ],
  "secret": "abcd"
}
You are responsible for submitting valid JSON at the correct path. Use a validator if you’re unsure about this, and double-check that your JSON follows the format above exactly.
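As an added example (not part of the problem set or its repository), a small checker for solution.json that enforces the format above: valid JSON, exactly the keys gadget_chain and secret, every chain entry a 0x-prefixed hex string, and a non-empty secret. The file path and the sample inputs are assumptions constructed for the demonstration.

```python
import json
import re

# Shape required for solution.json: a "gadget_chain" array of 0x-prefixed
# hex strings and a "secret" string, with no other top-level keys.
HEX_ADDR = re.compile(r"^0x[0-9a-fA-F]+$")
REQUIRED_KEYS = {"gadget_chain", "secret"}


def validate_solution(text):
    """Return a list of problems found in the JSON text; empty means valid."""
    problems = []
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        # A "// ..." left over from the template is the usual cause:
        # JSON has no comment syntax.
        return [f"not valid JSON: {exc.msg} (line {exc.lineno})"]
    if not isinstance(doc, dict):
        return ["top level must be a JSON object"]
    missing = REQUIRED_KEYS - doc.keys()
    extra = doc.keys() - REQUIRED_KEYS
    if missing:
        problems.append("missing key(s): " + ", ".join(sorted(missing)))
    if extra:
        problems.append("unexpected key(s): " + ", ".join(sorted(extra)))
    chain = doc.get("gadget_chain")
    if chain is not None:
        if not isinstance(chain, list) or not chain:
            problems.append("gadget_chain must be a non-empty array")
        else:
            for i, addr in enumerate(chain):
                if not isinstance(addr, str) or not HEX_ADDR.match(addr):
                    problems.append(f"gadget_chain[{i}] is not a 0xhex string: {addr!r}")
    secret = doc.get("secret")
    if secret is not None and (not isinstance(secret, str) or not secret):
        problems.append("secret must be a non-empty string")
    return problems


# Constructed sample matching the format shown in the problem set.
GOOD = '{"gadget_chain": ["0x1234", "0x5678"], "secret": "abcd"}'
# Constructed sample with common mistakes: a bare integer address,
# an address missing its 0x prefix, and an empty secret.
BAD = '{"gadget_chain": [4660, "5678"], "secret": ""}'

if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "solution.json"  # assumed path
    with open(path) as f:
        found = validate_solution(f.read())
    for p in found:
        print("solution.json:", p)
    sys.exit(1 if found else 0)
```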
In addition, commit your exploit to exploit/ and a README.md that describes your exploit as precisely as possible.
In an attempt to perform the exploit for the prset04, I created a python script named "exploit.py".
I initially ran the prset04 binary using port 9999, which puts the binary in listening mode. I tried to overflow the read buffer present in the binary code with more than 1048 bytes of data. I overwrote the return address of the OnClient() function with an address pointing to the gadget sequence.
To create the gadget sequence I used a tool called ropeme, which is capable of finding the gadget sequence and the exploit payload. The tool is not available in the virtual environment, hence I was not able to get the gadget sequence for the binary file.
As the binary is protected with DEP (Data Execution Prevention), the external payload cannot be executed directly. Instead we use the gadget sequence, which contains the calls to libc.so.6.
In order to beat the ASLR protection on the binary file I found addresses to the fixed libc.so.6 system calls. I found two addresses: one points to the first libc.so.6 function call generated by the binary, found using the "grep libc /proc/[$pid for prset04]/maps" command, and the second points to the system call, which can be found using the "nm -D /lib/x86_64-linux-gnu/libc.so.6 | grep '<system>'" command. Alternatively, ASLR can be beaten by brute-forcing over 2^28 possibilities.
The successful exploit will allow an attacker to run a shell prompt on the system. The attacker will have root-level access to the system, as the binary file is owned by the root user.
Please find the files/programs saved at the specified location. Thank you! :-)