Task 3 – Real Hacker Journey
This assignment simulates a real hacking process.
You will be provided with a vulnerable C source code, and its corresponding compiled binary executable file. You need to find the vulnerabilities in the source code, and exploit the vulnerabilities to control the execution to `backdoor` function, which has been implemented in the file. If you attack successfully, you should have obtained the shell, and you can execute any command in that shell.
Instruction
You need `pwndbg` and `pwntools` to help you with finishing this task. Please refer https://github.com/pwndbg/pwndbg and https://docs.pwntools.com/en/stable/ to install them.
Using `pwntools` is the best way for you to interact with executable files, especially when there are invisible characters in the input/output. You can spawn the binary like:
from pwn import *
p = process(“./real_hacker”)
You can input to this process by:
p.send(b“Hi! This is Alice speaking!\n”)
You can obtain the output of the process by:
output = p.recv(8) # receive 8 bytes from the stdout of the process
output = p.recvuntil(b“Okay\n”) # receive all the content until the specified string
output = p.recvuntil(b“Okay\n”, drop=True) # The specified string will be dropped out of
`output`
Generally, if you want to calculate the targeted address based on a leaked address, you need to first transfer the leaked address (bytes type) into int type, for example:
address_bytes = p.recv(...)
assert(len(address_bytes) == 8) # Address alignment in 64-bits systems
address_int = u64(address_bytes)
If you want to send the targeted address to the process via stdin, you need to wrap it into bytes with little-ended order first:
target_address = p64(target_address_bytes)
payload = b’A’ * 32 + target_address + b’\n’
p.send(payload)
In the end, if you are sure you have obtained the shell, you can use the following code to interact with the shell:
p.interactive()
Report (40 Points)
1. Please point out the vulnerabilities in the code, and explain how these vulnerabilities occurred. Note that the `backdoor` function itself should not be regarded as a vulnerability. (5 points)
2. Execute `checksec` command in the terminal (this command should be installed along during pwntools ’ installation), include the execution screenshot in the report. What are the status of `Stack`, `NX`, and `PIE` fields? What are their functionalities individually? (5 points)
3. How do you obtain the real address of the `backdoor` function? (5 points)
4. How do you obtain the canary? You need to provide a screenshot to claim a successful canary leakage. (10 points)
5. How do you construct the payload to control the execution flow of the process? Please explain the payload along with the stack frame. and provide a screenshot indicating that you can execute command in the obtained shell (15 points).