author: Camil Staps, 2015-12-14 10:24:58 +0000
committer: Camil Staps, 2015-12-14 10:24:58 +0000
commit: 7f48aca014f6d730e2855bb4b59f25b8ba1e7073 (patch)
tree: 753afd5a7736af8c29cdf6130c4ea25d3c7f461b
parent: Updates bash-covert-channel (diff)
Finish assignment 4
-rw-r--r-- CamilStaps-s4498062-Assignment-4/ex1/ex1.txt | 10
-rw-r--r-- CamilStaps-s4498062-Assignment-4/ex1/hackme.rb | 32
-rw-r--r-- CamilStaps-s4498062-Assignment-4/ex2 | 32
-rw-r--r-- CamilStaps-s4498062-Assignment-4/ex3/ex3 | 2
4 files changed, 75 insertions, 1 deletions
diff --git a/CamilStaps-s4498062-Assignment-4/ex1/ex1.txt b/CamilStaps-s4498062-Assignment-4/ex1/ex1.txt
index 0f72c75..3726769 100644
--- a/CamilStaps-s4498062-Assignment-4/ex1/ex1.txt
+++ b/CamilStaps-s4498062-Assignment-4/ex1/ex1.txt
@@ -38,5 +38,13 @@ b
* README, 2266 replaced with 2288
c
- The server crashed on Tuesday evening, I didn't pursue this any further.
+ I tried this, but couldn't get the module working with any of the given tutorials. Even with no significant things changed, I got the message:
+
+ msf exploit(hackme) > exploit
+
+ [-] Exploit failed: A payload has not been selected.
+
+ The hackme.rb file is still attached.
+
+ Then the server crashed on Tuesday evening, and I didn't pursue this any further in the rest of the week. Sorry.
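Review bot: The "A payload has not been selected" message quoted at the `msf exploit(hackme) > exploit` line is msfconsole reporting that no PAYLOAD was set in the datastore before running the module, not a defect in the module code, so the write-up should record whether `set PAYLOAD ...` (or a `DefaultOptions` entry naming a payload) was tried before concluding the module could not be made to work. It would also help the reader to state which version of the framework and which tutorial steps were followed, since the rest of the answer asks the grader to take the attached hackme.rb on trust.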
diff --git a/CamilStaps-s4498062-Assignment-4/ex1/hackme.rb b/CamilStaps-s4498062-Assignment-4/ex1/hackme.rb
new file mode 100644
index 0000000..6a93cc4
--- /dev/null
+++ b/CamilStaps-s4498062-Assignment-4/ex1/hackme.rb
@@ -0,0 +1,32 @@
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+
+ include Msf::Exploit::Remote::Tcp
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'Hackme',
+ 'Description' => 'hackme.cs.ru.nl:2288 exploit',
+ 'License' => MSF_LICENSE,
+ 'Author' => ['Camil Staps'],
+ 'Version' => '$Revision: $',
+ 'Payload' => { 'Space' => 1400, 'BadChars' => "\x00" },
+ 'Targets' => [ ['Automatic', {} ] ],
+ 'Privileged' => false,
+ 'DefaultOptions'=> { 'EXITFUNC' => 'process' },
+ 'DefaultTarget' => 0))
+
+ register_options(
+ [
+ OptString.new('HOST', [ false, 'The host.', 'hackme.cs.ru.nl'] ),
+ Opt::RPORT(2288)
+ ], self.class)
+ end
+
+ def exploit
+ connect
+ disconnect
+ end
+end
+
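Review bot: The custom `OptString.new('HOST', ...)` option in `register_options` is never read: `connect` from `Msf::Exploit::Remote::Tcp` takes its target from the standard RHOST/RPORT datastore entries, so the default host given here has no effect and RHOST must still be set by hand. Replacing the line with `Opt::RHOST('hackme.cs.ru.nl')` next to the existing `Opt::RPORT(2288)` would make the default actually apply. Separately, the `exploit` method only calls `connect` and `disconnect` and never transmits anything, so the `'Payload'` space/bad-character declaration and the `'Targets'` entry describe behaviour the module does not implement; the description field should say this is a connection skeleton, and the obsolete `'Version' => '$Revision: $'` line and the trailing blank line at the end of the file can be dropped.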
diff --git a/CamilStaps-s4498062-Assignment-4/ex2 b/CamilStaps-s4498062-Assignment-4/ex2
new file mode 100644
index 0000000..fa8c4c5
--- /dev/null
+++ b/CamilStaps-s4498062-Assignment-4/ex2
@@ -0,0 +1,32 @@
+a
+ A heap buffer flow is a buffer overflow on the heap, as opposed to a stack buffer overflow, which is on the stack.
+
+b
+ You can give the program two arguments: a command and a password.
+ The program creates two instances of the Command class: a Shell and a Date. Both receive the password.
+ If the command equals 'shell', run() is called on the Shell instance. Similarly for 'date' and Date.
+ The Date executes /bin/date. The Shell checks the password against a hash, and only executes /bin/sh when the password is correct.
+
+ Examples:
+
+ ./cmd shell password
+ ./cmd date
+
+c
+ I would expect somewhere above 256, but it doesn't work for me (tried values up to 1500; segfaults occur above 266, but I don't get a shell). Since this is on the heap, variables aren't directly next to each other even when malloc'ed directly after each other, because some space around the data is used for accounting purposes.
+
+ Even with 0 in /proc/sys/kernel/randomize_va_space, -fno-stack-protector and -fno-pie it doesn't work.
+
+d
+ Can't do this because it doesn't work.
+
+e
+ ASLR randomises addresses of dynamic libraries, stack, heap, etc. and the binary itself. This way, it is impossible to get addresses you need to know from one run and use them in a second run (because they will have changed). You can see that this is applied in this program because the `New instance of Command() at address: ...' is different in every run. It does not mitigate this attack because the attack doesn't rely on fixed addresses, but fixed distances between addresses.
+
+ DEP prevents certain parts of the memory from being executed. It makes it impossible (ideally) for the user of a program to input data that will be executed. It does not mitigate this attack because the attack doesn't attempt to execute something that shouldn't be executed.
+
+ SSP is a protection mechanism that puts special values, canaries, on the stack and checks that they are still there when returning from a function (if not, the program is aborted). This makes it impossible to overwrite anything else than the local variables of the current function. In particular, it makes it impossible to change the return address and saved frame pointer. It doesn't mitigate this attack because this attack takes place on the heap, not on the stack.
+
+f
+ For this it would be useful to have seen the attack working in point d, but that wasn't possible. Sorry.
+
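Review bot: The SSP paragraph under (e) overstates the guarantee: a stack canary does not make it "impossible to overwrite anything else than the local variables"; the overwrite still happens, and the canary check only detects it when the function returns, at which point the program is aborted. The conclusion that it does not apply to a heap overflow stands, but the wording should say "detected and aborted" rather than "impossible". Also, "heap buffer flow" in the answer to (a) should read "heap buffer overflow", and the answer to (c) would be stronger if it recorded the exact inputs and observed crash output for the boundary around 266 bytes rather than only the range that was tried.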
diff --git a/CamilStaps-s4498062-Assignment-4/ex3/ex3 b/CamilStaps-s4498062-Assignment-4/ex3/ex3
index ad3d8a7..2af6409 100644
--- a/CamilStaps-s4498062-Assignment-4/ex3/ex3
+++ b/CamilStaps-s4498062-Assignment-4/ex3/ex3
@@ -5,3 +5,5 @@ b
I didn't find anything in the logs. This seems to be because chmods aren't logged.
The OS could monitor chmods, and log many chmods on the same file / restrict the number of chmods on the same file within some time frame.
+ The programs do consume a lot of CPU, which could be detected. This is because they employ busy waiting. We could reduce CPU usage by adding `sleep` instructions in the busy loops.
+
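Review bot: The statement that "chmods aren't logged" holds only for the default configuration: on Linux the audit subsystem (auditd) can record the chmod, fchmod and fchmodat system calls with a rule such as `auditctl -a always,exit -F arch=b64 -S chmod,fchmod,fchmodat`, so the proposed detection of many chmods on the same file is achievable with existing tooling rather than requiring a new OS feature, and the answer should say so. The added line about busy waiting is a good observation; it would be more complete with a note on how the CPU usage was measured (for example `top` or `ps`), and the trailing blank line added at the end of the file should be removed.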