2018-Fall Course Website
Advisor: Si Chen
# | Date | Topic | Slides | Supporting Materials |
---|---|---|---|---|
C1 | Aug 28, 2018 | Introduction | ch01.pptx | |
C2 | Aug 30, 2018 | IA-32 Register, Byte Ordering, x86 ASM | ch02.pptx | abexcm1-voiees.exe LittleEndian.exe LittleEndian.cpp HelloWorld.exe |
C3 | Sep 4, 2018 | x86 ASM, Stack, Stack Frame | ch03.pptx | Stack.exe stack.py StackFrame.exe StackFrame.cpp |
L0 (Non-graded) | Sep 4, 2018 | Lab: Hello World. Due on: 09/07/2018 | Change the text in the pop-up window from "Hello World!" to "Hello Reversing", take a screenshot and upload the image to D2L. Bonus: Instead of changing it to "Hello Reversing," can you hack and change the text to "Hello Reversing World!!!" You'll get 1 bonus point. Lab0 Walkthrough is now available: [Link] | HelloWorld.exe Windows XP Environment Disclaimer |
C4 | Sep 6, 2018 | Stack Frame, Calling Convention | ch04.pptx | StackFrame.exe StackFrame.cpp |
C5 | Sep 11, 2018 | Calling Convention, System Call, Introduction to PEDA and Pwntools | ch05.pptx | cdecl.c stdcall.c cdecl.exe stdcall.exe helloworld.asm shell.asm code.zip 1_sample.c 2_interactive.c 3_reversing.c |
C6 | Sep 13, 2018 | Stack Overflow (1) | ch06.pptx | buffer.c buffer2.c overflow.c |
C7 | Sep 18, 2018 | Stack Overflow (2) | ch07.pptx | hello.asm test.c shellcode.asm Shellcode overflow2.c |
L1 | Sep 18, 2018 | Lab: Buffer Overflow. Due on: 09/27/2018 | lab1.pdf | lab1.c VM image for Lab1 Username: quake0day Password: chensi |
C8 | Sep 25, 2018 | Stack Overflow Review: Classic Exploitation Technique (with PEDA, Pwntools) & Linux Binary Protections (ASLR, DEP, Stack Canaries) | ch08.pptx | hello.asm test.c shellcode.asm Shellcode overflow2.c overflow3.c template.py exploit.py exploit2.py exploit3.py |
C9 | Sep 27, 2018 | Return-oriented programming (ROP) | ch09.pptx | rop.c exploitROP.py exploitROP_template.py |
C10 | Oct 2, 2018 | Return-oriented programming (ROP) (2) | ch10.pptx | rop.c exploitROP.py rop2.c exploit_ROP2.py |
C11 | Oct 4, 2018 | Return-oriented programming (ROP) (3) & Dynamic Linking & Return-to-libc Attack & ASLR | ch11.pptx | reveal_address.c ret2lib.c ret2lib_Exploit.py niklasb/libc-database |
L2 | Oct 9, 2018 | Lab: Return-oriented programming (ROP). Due on: 10/23/2018 | lab2.pdf | Username: csc495 Password: csc495 |
C12 | Oct 9, 2018 | Web Security (1) | ch12.pptx | PHP Exercise (1) PHP Exercise (2) PHP Exercise (3) PHP Exercise (4) PHP Exercise (5) |
R1 | Oct 9, 2018 | Reading Question 1: BlueBorne. Due on: 10/18/2018 | homework1.pdf | blueborne technical paper Video (smartwatch takeover) |
C13 | Oct 11, 2018 | Web Security (2) | ch13.pptx | SQL Injection Exercises |
C14 | Oct 16, 2018 | Web Security (3) & PLT, GOT & Return-to-plt Attack (Bypassing ASLR/NX) | ch14.pptx | ret2plt.c ret2plt_Exp.py |
C15 | Oct 18, 2018 | GOT Overwrite Attack (1) | ch15.pptx | bypassGOT.c exp_GOT.py |
C16 | Oct 23, 2018 | GOT Overwrite Attack (2) | ch16.pptx | event1.c event1_exp.py |
L3 | Oct 23, 2018 | Lab: Multi-Stage Exploits. Due on: 11/06/2018. Your submission should include: a detailed project report in PDF format describing what you have done, including screenshots, code snippets, and the content of flag.txt. | Target IP: 198.58.101.153; Target Port: 8888; Vulnerable program: lab3 (lab3.c); Target File (flag): flag.txt; ASLR/NX is on, StackGuard and PIE are off; Hint: Libc version: libc6-i386_2.27-3ubuntu1_amd64 [Link] | Username: csc495 Password: csc495 |
C17 | Oct 25, 2018 | Multi-Stage Exploits | ch17.pptx | multi_stage.c exp_multi_stage.py |
C18 | Nov 1, 2018 | Stack Guard & Format String Bug | ch18.pptx | easy_canary_32.c easy_canary_exp_32.py easy_canary_64.c easy_canary_exp_64.py fmt_write.c fmt_wrong.c fmtstr.c fmtstr_exp.py |
R2 | Nov 6, 2018 | Reading Question 2: Hacking Blind. Due on: 11/13/2018 | ReadingQuestion2.pdf | Hacking Blind paper Project Website |
C19 | Nov 6, 2018 | Format String Bug (2) & Heap | ch19.pptx | fmt_write2.c fmt_test.c dump_bin.py fmt_test2.c fmt_test2_exp.py fmt_offset.py heap1.c |
C20 | Nov 8, 2018 | Heap Exploitation (1) | ch20.pptx | Kali-Linux-2017.2-vbox-i386.ova heap0.c heap1.c |
C21 | Nov 13, 2018 | Heap Exploitation (2): Unlink | ch21.pptx | unlink unlink.c unlink.py |
L4 | Nov 13, 2018 | Lab: Heap Exploitation: Unlink. Due on: 11/27/2018 | lab4.pdf | unlink unlink.c unlink.py Username: csc495 Password: csc495 |
C22 | Nov 29, 2018 | Heap Exploitation (3): House of Force & The future of Software Security | ch22.pptx | house_of_force.c bamboobox bamboobox_exp.py bamboobox.c |
R3 | Nov 29, 2018 | Reading Question 3: Blockchain. Due on: 12/18/2018 | homework3.pdf | Blockchain papers |
Final Project | Nov 28, 2017 | Final Project. Due on: 12/18/2018 | IP: 198.58.101.153 Port: 9999. Exploit this server, and show me the secret stored in file flag.txt. ASLR on, Canary found, NX enabled, No PIE, 32-bit. Hint: Gadget Information: [Link] 1. Use format string bug to leak Canary value [Walkthrough] 2. Use write@plt to leak information about libc and then find the memory address for get@plt 3. Use ROP to launch system call execve() to open a shell. You can use get@plt to take user input and write the user input “/bin/sh” to an empty memory address. | final.c attack.py |