20-CS-5156 Security Vulnerability Assessment, Spring 2020
Reverse Engineer Binary Code and Remove Exploit
Determine for what inputs this 64-bit ELF binary will rewrite stack addresses and what the result will be if it does. Modify the code, keeping functionality the same but removing the vulnerability (in place of the effects of the vulnerability, print "vulnerability removed" to the console). Submit the modified binary plus the result of your examination of it.
Where to Start: Find out what the program does by running it (it is harmless so you do not need to run it in a VM). Run it with arguments. Determine for what arguments the 'malware' is triggered. The command line input that triggers the malware is likely to appear in the binary as a compare (cmp) instruction.
Now What? Disassemble lab4 using IDA Pro or objdump (my preference). For objdump do this:
prompt> objdump -D lab4 > lab4.dmp
Open lab4.dmp with a text editor. Usually, you would consider looking for a cmp in procedure main that will direct execution to the malware. But in this case it is better to look for a call to a function that will be able to directly execute the malware. One such function is found in procedure g. Look at procedure g - it is very short and it should be evident what this function is. A little before the call to that function is a call to puts which sends the string Now you did it - ... to the console. The line before that contains the address of the place where that string resides. It is no more than 48 bytes long. Remember this address as you will later open a file editor and change the string that is there. Look at the address in the callq instruction in
Then What? From above you have 1) an address of a safe function that will replace the address of the function that calls the malware and 2) the address of the string Now you did it... that will be replaced by vulnerability removed. Open a file editor like ghex on lab4. Skip to the string address. Starting at that point, just overwrite existing bytes with some message as suggested above. Locate the callq instruction that executes the malware. Change its address to that of the safe function. Save the file and run it to check whether things have changed.
Note to Windows Users: the file you download will not have execute permission. To assign execute permission do the following from the command prompt:
prompt> chmod a+x lab4
then to run lab4 do this:
prompt> ./lab4
or this:
prompt> ./lab4 1000
and so on.