Finished the issue

Signed-off-by: Vica Teodor Andrei <[email protected]>

chapters/data/memory-security/drills/tasks/aslr/README.md

@@ -1,5 +1,10 @@
 # ASLR
 
+For the beggining, use the `generate_skels.py` script to generate the `support` directory where you will solve the task. To use the script, simply type `make skels` in the `aslr` directory.
+
+Then, go to `support`. Here, you need to access the directory named `src` where you will find the checker and all the files needed for this task.
+
+
 Use the `Makefile.aslr` file to compile the `chapters/data/memory-security/drills/tasks/aslr/support/aslr.c` file:
 
 ```console
@@ -26,3 +31,16 @@ Disable PIC by uncommenting the `-fno-PIC` and `LDFLAGS` lines.
 We observe that for randomization to work, we need to instruct the OS to randomize the program sections and the compiler to generate code that is position independent.
 
 If you're having difficulties solving this exercise, go through [this](../../../reading/memory-security.md) reading material.
+
+### Checker ###
+To run the checker, go into the `tests` directory located in `src`, then type `make check`.
+A successful output of the checker should look like this :
+
+```console
+student@os:~/.../drills/tasks/aslr/support/src/tests make check
+test_aslr                        ........................ passed ... 100
+
+========================================================================
+
+Total:                                                           100/100
+```

chapters/data/memory-security/drills/tasks/aslr/generate_skels.py

@@ -16,6 +16,8 @@ def process_file(src, dst, pattern, replace, remove, replace_pairs, end_string=N
         sys.exit(1)
 
     fin = open(src, "r")
+    # fout = open(dst, "w")
+    os.makedirs(os.path.dirname(dst), exist_ok=True)
     fout = open(dst, "w")
     remove_lines = 0
     skip_lines = 0

chapters/data/memory-security/drills/tasks/aslr/solution/src/.gitignore

@@ -0,0 +1 @@
+/aslr

chapters/data/memory-security/drills/tasks/exec-shellcode/support/tests/Makefile → chapters/data/memory-security/drills/tasks/aslr/solution/tests/Makefile

@@ -1,6 +1,6 @@
-SRC_PATH ?= ../src
-FULL_SRC_PATH = "$(realpath $(SRC_PATH))"
-CPPFLAGS = -I. -I$(FULL_SRC_PATH) -I../utils
+SRC_PATH ?= ../
+FULL_SRC_PATH = $(realpath $(SRC_PATH))
+CPPFLAGS = -I. -I$(realpath $(SRC_PATH)) -I../utils
 CFLAGS = -Wall -Wextra
 # Remove the line below to disable debugging support.
 CFLAGS += -g -O0
@@ -22,7 +22,7 @@ check: $(SHELLCODES)
 	make -C $(FULL_SRC_PATH) clean
 	make clean
 	make -i SRC_PATH=$(FULL_SRC_PATH)
-	./run_all_tests.sh
+	sudo bash ./run_all_tests.sh
 
 lint:
 	-cd .. && checkpatch.pl -f src/*.c
@@ -31,4 +31,4 @@ lint:
 	-cd .. && shellcheck tests/*.sh
 
 clean:
-	-rm -f *~
+	-rm -f *~

chapters/data/memory-security/drills/tasks/aslr/solution/tests/graded_test.inc.sh

@@ -0,0 +1,41 @@
+#!/bin/bash
+# SPDX-License-Identifier: BSD-3-Clause
+
+#
+# Print test result. Printed message should fit in 72 characters.
+#
+# Print format is:
+#
+# description ...................... passed ... NNN
+# description ...................... failed ... NNN
+#   32 chars        24 chars           6     3   3
+#
+
+print_test()
+{
+    func="$1"
+    result="$2"
+    points="$3"
+
+    if test "$points" -gt 999; then
+        points=999
+    fi
+
+    printf "%-32s " "${func:0:31}"
+    printf "........................"
+    if test "$result" -eq 0; then
+        printf " passed ... %3d\n" "$points"
+    else
+        printf " failed ...  0\n"
+    fi
+}
+
+run_test()
+{
+    func="$1"
+    points="$2"
+
+    # Run in subshell.
+    (eval "$func")
+    print_test "$func" "$?" "$points"
+}

chapters/data/memory-security/drills/tasks/exec-shellcode/support/tests/run_all_tests.sh → chapters/data/memory-security/drills/tasks/aslr/solution/tests/run_all_tests.sh

@@ -2,22 +2,20 @@
 # SPDX-License-Identifier: BSD-3-Clause
 
 if test -z "$SRC_PATH"; then
-    SRC_PATH=../src
+    SRC_PATH=../
 fi
 
 export SRC_PATH
-
+echo ""
 (
-./test_helloworld.sh
-./test_getpid.sh
-./test_openfile.sh
-./test_brk.sh
+  bash test.sh
 ) | tee results.txt
-
+echo ""
+echo "========================================================================"
 total=$(grep '\( passed \| failed \)' results.txt | rev | cut -d ' ' -f 1 | rev | paste -s -d'+' | bc)
 echo ""
 echo -n "Total:                           "
 echo -n "                                "
 LC_ALL=C printf "%3d/100\n" "$total"
 
-rm results.txt
+rm results.txt

chapters/data/memory-security/drills/tasks/aslr/solution/tests/test.sh

@@ -0,0 +1,36 @@
+#!/bin/bash
+# SPDX-License-Identifier: BSD-3-Clause
+
+source graded_test.inc.sh
+
+shellcode=./../aslr
+#result=./../solution/results.txt
+
+if test -z "$SRC_PATH"; then
+    SRC_PATH=./..
+fi
+
+test_aslr()
+{
+    # echo -n "edx,0x" >> result
+    # objdump -M intel -d "$shellcode" | grep "<pawned>:" | awk '{gsub(/^0+/, "", $1); print $1}' >> result
+    # vari=$(cat result)
+
+    # objdump -M intel -d "$shellcode" | grep "$vari" >> result
+
+    # if [ $? -eq 0 ]; then
+    #     rm result
+    #     exit 0
+    # fi
+
+    # rm result
+    # exit 1
+    nm "$shellcode" | grep -q "w _ITM_deregisterTMCloneTable"
+    if [ $? -eq 0 ]; then
+        exit 0
+    fi
+
+    exit 1
+}
+
+run_test test_aslr 100

chapters/data/memory-security/drills/tasks/bypassing-stack-protector/README.md

@@ -1,9 +1,27 @@
 # Bypassing the Stack Protector
 
+For the beggining, use the `generate_skels.py` script to generate the `support` directory where you will solve the task. To use the script, simply type `make skels` in the `bypassing-stack-protector` directory.
+
+Then, go to `support`. Here, you need to access the directory named `src` where you will find the checker and all the files needed for this task.
+
+
 Inspect the `chapters/data/memory-security/drills/tasks/bypassing-stack-protector/support/stack_protector.c` source file.
 Compile the program and examine the object code.
 Try to identify the canary value.
 Using the `addr` variable, write 2 `scanf` instructions: one that overwrites the canary with the correct value and one that overwrites the return address with the address of function `pawned`.
 In case of a successful exploit a video will be offered as reward.
 
 If you're having difficulties solving this exercise, go through [this](../../../reading/memory-security.md) reading material.
+
+### Checker ###
+To run the checker, go into the `tests` directory located in `src`, then type `make check`.
+A successful output of the checker should look like this :
+
+```console
+student@os:~/.../drills/tasks/aslr/support/src/tests make check
+test_bypassing-stackprotector    ........................ passed ... 100
+
+========================================================================
+
+Total:                                                           100/100
+```

chapters/data/memory-security/drills/tasks/bypassing-stack-protector/generate_skels.py

@@ -16,6 +16,8 @@ def process_file(src, dst, pattern, replace, remove, replace_pairs, end_string=N
         sys.exit(1)
 
     fin = open(src, "r")
+    # fout = open(dst, "w")
+    os.makedirs(os.path.dirname(dst), exist_ok=True)
     fout = open(dst, "w")
     remove_lines = 0
     skip_lines = 0

chapters/data/memory-security/drills/tasks/bypassing-stack-protector/solution/src/.gitignore

@@ -0,0 +1 @@
+/stack_protector

chapters/data/memory-security/drills/tasks/bypassing-stack-protector/solution/stack_protector.c → chapters/data/memory-security/drills/tasks/bypassing-stack-protector/solution/src/stack_protector.c

@@ -19,10 +19,12 @@ void fun1(char *p)
 	}
 
 	printf("overwrite canary:\n");
-	// TODO(Student): Add code that overwrites the canary
+	/* TODO 1: Add code that overwrites the canary. */
+	addr[6] = 0;
 
 	printf("overwrite return address:\n");
-	// TODO(Student): Add code that overwrites the return address with the addess of pawned
+	/* TODO 2: Add code that overwrites the return address with the address of pawned. */
+	addr[7] = &pawned;
 
 	(void) p;
 }

chapters/data/memory-security/drills/tasks/bypassing-stack-protector/solution/tests/Makefile

@@ -0,0 +1,34 @@
+SRC_PATH ?= ../
+FULL_SRC_PATH = $(realpath $(SRC_PATH))
+CPPFLAGS = -I. -I$(realpath $(SRC_PATH)) -I../utils
+CFLAGS = -Wall -Wextra
+# Remove the line below to disable debugging support.
+CFLAGS += -g -O0
+
+SRCS = $(wildcard *.asm)
+SHELLCODES = $(patsubst %.asm,%,$(SRCS))
+
+.PHONY: all src check lint clean
+
+all: $(SHELLCODES) src
+
+$(SHELLCODES): %:%.asm | src
+	nasm -o $@ $<
+
+src:
+	make -C $(FULL_SRC_PATH)
+
+check: $(SHELLCODES)
+	make -C $(FULL_SRC_PATH) clean
+	make clean
+	make -i SRC_PATH=$(FULL_SRC_PATH)
+	sudo bash ./run_all_tests.sh
+
+lint:
+	-cd .. && checkpatch.pl -f src/*.c
+	-cd .. && checkpatch.pl -f tests/*.sh
+	-cd .. && cpplint --recursive src/
+	-cd .. && shellcheck tests/*.sh
+
+clean:
+	-rm -f *~

chapters/data/memory-security/drills/tasks/exec-shellcode/support/tests/graded_test.inc.sh → chapters/data/memory-security/drills/tasks/bypassing-stack-protector/solution/tests/graded_test.inc.sh

@@ -38,4 +38,4 @@ run_test()
     # Run in subshell.
     (eval "$func")
     print_test "$func" "$?" "$points"
-}
+}

chapters/data/memory-security/drills/tasks/bypassing-stack-protector/solution/tests/run_all_tests.sh

@@ -0,0 +1,21 @@
+#!/bin/bash
+# SPDX-License-Identifier: BSD-3-Clause
+
+if test -z "$SRC_PATH"; then
+    SRC_PATH=../
+fi
+
+export SRC_PATH
+echo ""
+(
+  bash test.sh
+) | tee results.txt
+echo ""
+echo "========================================================================"
+total=$(grep '\( passed \| failed \)' results.txt | rev | cut -d ' ' -f 1 | rev | paste -s -d'+' | bc)
+echo ""
+echo -n "Total:                           "
+echo -n "                                "
+LC_ALL=C printf "%3d/100\n" "$total"
+
+rm results.txt