# MIT 6.858 (Computer Systems Security)

Lab solutions for http://css.csail.mit.edu/6.858/2014/. Lab 4 is not included; lab 5 (browser security) is taken from the 2019 version of the course.

## Bugs

- zookd.c: `process_client`

```c
static void process_client(int fd)
...
    static char env[8192];  /* static variables are not on the stack */
    static size_t env_len;
    char reqpath[2048];     // $ebp-2064
    const char *errmsg;     // $ebp-16
    int i;                  // $ebp-12
                            // $ebp-8 and $ebp-4 hold the callee-saved registers (%EDI, %ESI)
```

- http.c: `http_request_headers`

```c
const char *http_request_headers(int fd)
...
    // i:     $ebp-12
    // sp:    $ebp-16
    // colon: $ebp-20
    // value: $ebp-532
    static char buf[8192];      /* static variables are not on the stack */
    int i;
    char value[512];
    char envvar[512];
```

## part-1

## part-2 (cause crash)

This buffer overflow crashes the process, but the crashed process is a child: the parent process stays alive, so `make check-crash` will not pass.

## part-3 (cause file deletion with exstack)

## part-4 (cause file deletion with nxstack)

## part-extra (chaining function calls with return-to-libc)

`sys_unlink("/home/httpd/grades.txt")` -> `pop/ret` -> `touch("grades.txt")` (http.c:18) -> `sys_exit()`
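Parts 3 and 4 differ only in whether the zookd binary was linked with an executable stack. The following added example (not part of the lab or of this solution) reads the `PT_GNU_STACK` program header to tell an exstack build from an nxstack build, which is the check a defender runs to confirm that NX was actually requested; the ELF images it inspects are constructed inline (`make_elf`, a helper written for this example) so it runs offline.

```python
import struct

PT_GNU_STACK = 0x6474E551   # program header that records the requested stack permissions
PF_X = 0x1                  # executable bit in p_flags


def stack_is_executable(elf: bytes):
    """True if PT_GNU_STACK carries PF_X, False if it does not, None if the header is absent.
    A missing PT_GNU_STACK makes the Linux loader fall back to an executable stack,
    so callers should treat None as 'not hardened', not as 'safe'."""
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64 = elf[4] == 2                     # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = "<" if elf[5] == 1 else ">"      # EI_DATA: 1 = little endian
    if is64:
        (e_phoff,) = struct.unpack_from(end + "Q", elf, 0x20)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", elf, 0x36)
    else:
        (e_phoff,) = struct.unpack_from(end + "I", elf, 0x1C)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", elf, 0x2A)
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if is64:                           # ELF64: p_type, p_flags are the first two words
            p_type, p_flags = struct.unpack_from(end + "II", elf, off)
        else:                              # ELF32: p_flags sits after the size fields, at +24
            (p_type,) = struct.unpack_from(end + "I", elf, off)
            (p_flags,) = struct.unpack_from(end + "I", elf, off + 24)
        if p_type == PT_GNU_STACK:
            return bool(p_flags & PF_X)
    return None


def make_elf(p_type: int, p_flags: int, is64: bool = False) -> bytes:
    """Constructed sample input: a bare ELF header plus one program header (not loadable)."""
    if is64:
        ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
        ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 64, 0, 0, 64, 56, 1, 64, 0, 0)
        phdr = struct.pack("<IIQQQQQQ", p_type, p_flags, 0, 0, 0, 0, 0, 16)
    else:
        ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\x00" * 8
        ehdr = ident + struct.pack("<HHIIIIIHHHHHH", 2, 3, 1, 0, 52, 0, 0, 52, 32, 1, 40, 0, 0)
        phdr = struct.pack("<IIIIIIII", p_type, 0, 0, 0, 0, 0, p_flags, 16)
    return ehdr + phdr


if __name__ == "__main__":
    # RWE (7) is what `gcc -z execstack` emits for the exstack build; RW (6) is the nxstack build.
    print("exstack :", stack_is_executable(make_elf(PT_GNU_STACK, 7)))      # True
    print("nxstack :", stack_is_executable(make_elf(PT_GNU_STACK, 6)))      # False
    print("no GNU_STACK:", stack_is_executable(make_elf(1, 5, is64=True)))  # None
```

On a real binary, `stack_is_executable(open(path, "rb").read())` gives the same answer as inspecting the `GNU_STACK` line of `readelf -l`.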