MIT6.858(Computer Systems Security)

Lab solution of http://css.csail.mit.edu/6.858/2014/, no lab4, lab5 (Browser security) is from 2019 version

Lab1

Bugs

• zookd.c: process_client

static void process_client(int fd)
...
    static char env[8192];  /* static variables are not on the stack */
    static size_t env_len;
    char reqpath[2048]; // $ebp-2064
    const char *errmsg; // $ebp-16
    int i; // $ebp-12
           // $ebp-8 and $ebp -4 is callee-saved reg (%EDI, %ESI)

• http.c: http_request_headers

const char *http_request_headers(int fd)
...
    // i: $ebp-12
    // sp: $ebp-16
    // colon: $ebp-20
    // value: $ebp-532
    static char buf[8192];      /* static variables are not on the stack */
    int i;
    char value[512];
    char envvar[512];

part-1

• bugs.txt

part-2 (cause crash)

• exploit-2a
• exploit-2b

this buffer overflow can cause process crash, but this process is a child process parent process will still alive, so make check-crash will not pass

part-3 (cause file deletion with exstack)

• exploit-3
• shellcode

part-4 (caue file deletion with nxstack)

• exploit-4a
• exploit-4b

part-extra (chaining function calls with return-to-libc)

• exploit-extra (guide)

sys_unlink("/home/httpd/grades.txt") -> pop/ret -> touch("grades.txt") (http.c:18) -> sys_exit()