Assignment: CHALLENGE

This assignment is the take-home portion of the final. It consists of seven challenges. You must complete five of them. You may complete them in any order. They are numbered in approximate order of difficulty. (What I think is likely to be easiest has the lowest number.)

This assignment is due by the time of the written final. The normal late policy does not apply to this assignment.

The challenges will be distributed via Collab under the Resources folder as challenge.tar.gz.

Your task for each challenge

Each challenge consists of:

• an executable named challengeX.exe where X is a number`.
• a corresponding challengeX.README.txt file with challenge-specific hints and instructions,
• for some challenges, a source file challengeX.c or challengeX.cc which was used to produce challengeX.exe. This is provided for your reference, you solution must work with the exact executable we supply.

For each challenge, your task is to produce a program such that running something like (where ./YOUR_PROGRAM is your program and SOME-TEMP-FILE is a temporary file we choose and the program does not modify other files, as described below):

      ./YOUR_PROGRAM >SOME-TEMP-FILE
./challengeX.exe <SOME-TEMP-FILE

    

or, for challenge 4, running something like:

      ./YOUR_PROGRAM >SOME-TEMP-FILE
setarch x86_64 -RL env - ./challengeX.exe <SOME-TEMPLATE

    

causes the program challengeX.exe to produce output ending in the string

      Congratulations, YOUR_NAME!
You have passed this challenge.

    

(or something extremeley similar), but where the YOUR_NAME is replaced with your name. In each case, it is okay if the program also outputs other strings, such as prompts for input, before this string, but this should be the last string output, no messages about not passing the challenge should be output, and the program should terminate normally.

(So, for example, if the program prints out:

      Sorry, Congratulations, Student! You have passed this challenge.
You have not passed this challenge.

    

because you supplied a name of “Congratulations, Student! You have passed this challenge”, that is not an acceptable solution.)

You should supply each attack program in any one of three formats:

• As a C program named attackX.c where X is the challenge number;
• As a C++ program named attackX.cc where X is the challenge number;
• As a Python 2 program named attackX.py2 where X is the challenge number. The first line of your Python 2 program should contain the string python2; for example, it could be #!/usr/bin/python2.
• As a Python 3 program named attackX.py3 where X is the challenge number. The first line of your Python 3 program must contain the string python3; for example, it could be #!/usr/bin/python3

Your program can include comments, which may help us understand what is going on if we can’t get the program to work on our system.

Your program must not do any of the following:

• Read input files. All data your program needs should be contained within the program.
• Write files. You should write to stdout so we can change the name of the file produced.
• Attempt to modify the challengeX.exe executable.

For challenge 4, you should run setarch x86_64 -vRL env - ./challenge to run the challenge, as described in its README.txt. For the other challenges, disabling ASLR should not matter.

General Hints

1. Running objdump or running the challenge programs under a debugger could be helpful.

2. You can use sys.stdout.buffer.write(b'\x0A\x0B\x0C') to write the bytes 0A 0B 0C to stdout in Python 3 (after import sys)

3. You can use struct.pack('<Q', 0x123456789A) to get 0x123456789A formatted as an 8-byte little-endnian number in Python 3 (after import struct).

Collaboration

Please do not discuss or expect TAs to answer questions about what startegy you should apply to particular challenges. You are responsible for figuring this out yourself.

You may, however, ask TAs or share general information about how to identify whether an exploit technique is applicable to a particular program or about how to apply an exploit technique to other executables.

We have supplied reference solutions to some prior homework assignments. You may use these when constructing your solutions. You may also use your solutions to a prior homework assignment.