Assignment: CHALLENGE
Changelog:
- 18 Apr 2025: update challenge.tgz to fix comments in challenge5.example.py; adjust what each challenge consists of to mention other source/example files;
- 18 Apr 2025: remove due time information from this page
This assignment is the take-home portion of the final. It consists of seven challenges. You must complete five of them. You may complete them in any order. They are numbered in approximate order of difficulty. (What I think is likely to be easiest has the lowest number.)
The challenges will be distributed via Canvas under the Files tab as challenge.tgz.
Your task for each challenge
Each challenge consists of:
- an executable named challengeX.exe where X is a number.
- a corresponding challengeX.README.txt file with challenge-specific hints and instructions,
- for some challenges, a source file challengeX.c or challengeX.cc or challengeX.l which was used to produce challengeX.exe. This is provided for your reference; your solution must work with the exact executable we supply.
- for some challenges, some other example files starting with challengeX
For each challenge, your task is to produce a program such that running something like (where ./YOUR_PROGRAM is your program and SOME-TEMP-FILE is a temporary file we choose):
./YOUR_PROGRAM SOME-TEMP-FILE
and then
setarch -RL x86_64 env - ./challengeX.exe <SOME-TEMP-FILE
causes the program challengeX.exe to produce output ending in the string
Congratulations, YOUR_NAME!
You have passed this challenge.
(or something extremely similar), but where YOUR_NAME is replaced with your name. In each case, it is okay if the program also outputs other strings, such as prompts for input, before this string, but this should be the last string output, no messages about not passing the challenge should be output, and the program should terminate normally.
(So, for example, if the program prints out:
Sorry, Congratulations, Student! You have passed this challenge.
You have not passed this challenge.
because you supplied a name of “Congratulations, Student! You have passed this challenge”, that is not an acceptable solution.)
A copy of all the files extracted from challenge.tgz will be available in the current directory when your exploit program runs.
Before testing your exploit, we will obtain a new, fresh copy of challengeX.exe, so modifying the executables will not be useful.
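A self-check for the pass criteria above, as an added example that is not part of the course materials or the actual grading script. The function names, the exact-match rule for the success string (the page allows "something extremely similar"), the reading of "terminate normally" as "not killed by a signal", and the 10-second timeout are assumptions.

```python
import os
import subprocess
import sys
import tempfile

def is_acceptable(output: str, name: str, returncode: int) -> bool:
    """Apply the stated pass criteria to captured output and exit status."""
    # Assumption: "terminate normally" means the process was not killed by a
    # signal (subprocess reports a signal death as a negative return code).
    if returncode < 0:
        return False
    # Collapse whitespace so the line break inside the success string
    # does not affect the comparison.
    words = " ".join(output.split())
    # No message about not passing may appear anywhere in the output.
    if "You have not passed this challenge" in words:
        return False
    # The success string must be the last thing printed.
    expected = f"Congratulations, {name}! You have passed this challenge."
    return words.endswith(expected)

def run_challenge(attack_cmd, exe, name):
    """Run the attack program on a fresh temp file, then feed it to exe."""
    fd, tmp = tempfile.mkstemp()
    os.close(fd)
    try:
        # Step 1: ./YOUR_PROGRAM SOME-TEMP-FILE
        subprocess.run(attack_cmd + [tmp], check=True)
        # Step 2: setarch -RL x86_64 env - ./challengeX.exe <SOME-TEMP-FILE
        with open(tmp, "rb") as stdin:
            proc = subprocess.run(
                ["setarch", "-RL", "x86_64", "env", "-", exe],
                stdin=stdin, stdout=subprocess.PIPE, timeout=10)
        # latin-1 decodes any byte, so stray binary output cannot raise here.
        return is_acceptable(proc.stdout.decode("latin-1"), name,
                             proc.returncode)
    finally:
        os.unlink(tmp)

if __name__ == "__main__":
    # Usage: check.py ./challengeX.exe "Your Name" python3 attackX.py3
    ok = run_challenge(sys.argv[3:], sys.argv[1], sys.argv[2])
    print("acceptable" if ok else "NOT acceptable")
    sys.exit(0 if ok else 1)
```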
You should supply each attack program in any one of three formats:
- As a Python 3 program named attackX.py3 where X is the challenge number. The first line of your Python 3 program must contain the string python3; for example, it could be #!/usr/bin/python3
- As a C program named attackX.c where X is the challenge number;
- As a C++ program named attackX.cc where X is the challenge number;
- As a Python 2 program named attackX.py2 where X is the challenge number. The first line of your Python 2 program should contain the string python2; for example, it could be #!/usr/bin/python2.
Your program can include comments, which may help us understand what is going on if we can’t get the program to work on our system.
Your program may:
- call the objdump or readelf or ROPgadget or nm or objcopy utilities.
- run gcc or clang (for example, to produce machine code)
General Hints
- Running Ghidra and/or objdump and/or running the challenge programs under a debugger could be helpful.
- You can use fh = open(sys.argv[1], 'wb') followed by fh.write(b'\x0A\x0B\x0C') to write the bytes 0A 0B 0C to the file specified by the first argument in Python 3 (after import sys).
- You can use struct.pack('<Q', 0x123456789A) to get 0x123456789A formatted as an 8-byte little-endian number in Python 3 (after import struct).
- You can use ROPgadget to find gadgets in the executables, if you think that would be useful.
  By default, ROPgadget won’t find gadgets that use the syscall instruction and then return. You can change this behavior by passing the --multibr option.
Collaboration
Please do not discuss or expect TAs to answer questions about what strategy you should apply to particular challenges. You are responsible for figuring this out yourself.
You may, however, ask TAs or share general information about how to identify whether an exploit technique is applicable to a particular program or about how to apply an exploit technique to other executables.
We have supplied reference solutions to some prior homework assignments. You may use these when constructing your solutions. You may also use your solutions to a prior homework assignment.