20-CS-5156 Security Vulnerability Assessment Spring 2018
Lab 4

Authentication, Availability, Confidentiality, Integrity, Defense Principles, Intrusion Detection, Attack vectors, more

 
Reverse Engineer Binary Code and Remove Exploit

Determine for what inputs this ELF-64 bit binary will rewrite stack addresses and what will be the result if it does. Modify the code keeping functionality the same but removing the vulnerability (in place of the effects of the vulnerability, print "vulnerability removed" to the console). Submit the modified binary plus the result of your examination of it.

Where to Start: Find out what the program does by running it (it is harmless so you do not need to run it in a VM). Run it with arguments. Determine for what arguments the 'malware' is triggered. The command line input that triggers the malware is likely to appear in the binary as a compare (cmp) instruction.

Now What? Disassemble lab4 using IDA Pro or objdump (my preference). For objdump do this:

 
   objdump -D lab4 > lab4.dmp 
Open lab4.dmp with a text editor. Usually, you would consider looking for a cmp in procedure main that will direct execution to the malware. But, in this case it is better to look for a call to a function that will be able to directly execute the malware. One such function is found in procedure g. Look at procedure g - it is very short and it should be evident what this function is. A little before the call to that function is a call to puts which sends the string Now you did it - ... to the console. The line before that contains the address of the place where that string resides. It is no more than 48 bytes long. Remember this address as you will later open a file editor and change the string that is there. Look at the address in the callq instruction in that will execute the malware. To prevent that call from executing the malware all you have to do is replace the address in the callq instruction with the address of another function that is known to be safe. You have several to choose from in section .plt. Pick one and remember its address. That address will replace the current address in the callq instruction when editing the file with the file editor in the next step.

Then What? From above you have 1) an address of a safe function that will replace the address of the function that calls the malware and 2) the address of the string Now you did it... that will be replaced by vulnerability removed. Open a file editor like ghex on lab4. Skip to the string address. Starting at that point, just overwrite existing bytes with some message as suggested above. Locate the callq instruction that executes the malware. Change its address to that of the safe function. Save the file and run it to check whether things have changed.

Note to Windows Users: the file you download will not have execute permission. To assign execute permission do the following from the command prompt:

 
   prompt> chmod a+x lab4 
then to run lab4 do this:
   prompt> ./lab4 
or this:
 
   prompt> ./lab4 1000 
and so on.