Files for the shell-code lab
Exercise 1
Q1. Write a (binary) shell-code that prints the content of the /etc/passwd file.
You can use the model provided by the "generic shell-code" available in the lecture slides.
Q2. Test your shell-code for instance using the use-after-free vulnerable program provided in the first "software security lab".
Exercise 2
Q1. Run a reverse shell as described on the lecture slides (from slides 43 to 46), where the "attacker" and "victim" are represented by two different shells open
on distinct terminals. You can find the IP address of the machine you are using by running the "hostname -I" command.
Q2(*). Write a (binary) shell-code that opens a reverse shell and test it as in Exercise 1.
Exercise 3 (Race conditions)
Run the experiment described in the lecture slides (from slide 13 to 20).
On the Ensimag machine we cannot disable the countermeasure on symbolic links, so we cannot target the /etc/passwd file ...
Alternatively you can:
- Run the attack using two shells (owned by the same user) as in Exercise 2, targeting a regular file from your own ...
- More interestingly, try to run the attack using two shells owned by different users (using the "su" command).