CFI Bypass

In this assignment, you will:

  1. Use multiple information leakages to practice defeating ASLR
  2. Learn about forward-edge control-flow integrity enforcement for C++
  3. Exploit a vulnerable pedagogic CFI implementation

Derandomizing Memory

In Canvas, you will find vuln07 which contains a simple C++ vptr-overwrite vulnerability. Similarly to the UAF assignment, your goal is to point the vulnerable object’s vptr to a fake vtable in order to achieve remote code execution.

However, in contrast to the last assignment, ASLR is enabled and no data is injected onto the stack. Thus, your exploit will have to leverage multiple information leakages to derandomize the heap and libc. You will then have to implement a ROP chain that pivots the stack pointer to the heap.

A copy of the server is running on memory.neu.lol on port 6709 + $team_id. Exploit the server to locate a secret value.

Control-Flow Integrity

Control-flow integrity, commonly referred to as CFI, is the security property that an attacker cannot force a program’s execution to deviate from intended control-flow transitions. First introduced in 2005, it has been the focus of a sustained research effort to secure programs written in memory-unsafe languages like C/C++. It is now available in several forms in commodity toolchains like GCC and Clang.

In Canvas, you will find vuln07.02 which implements a toy version of forward-edge CFI for C++ virtual function calls. This implementation mimics a popular technique that restricts virtual table pointers to address ranges corresponding to a small set of C++ classes. In this way, efficient CFI checks can be performed at runtime for virtual method calls using a small number of arithmetic instructions.

However, this implementation suffers from a vulnerability known as a time-of-check to time-of-use (TOCTTOU) bug: the vtable pointer that is validated is not guaranteed to be the one that is later used for the call. Your goal is to exploit this vulnerability to bypass the CFI check and hijack control flow. As in previous assignments, your objective is to execute a ROP chain to invoke a server-side command to obtain a secret value.
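The range check from the previous paragraph and the check-then-use ordering from this one, as an added C++ illustration (it is not the vuln07.02 code, nor any toolchain's CFI implementation). The vtables are hand-rolled structs standing in for compiler-generated tables, the two classes, their field layout and slot functions are made up for the example, and `area_double_load` shows only the shape of a check and a use that read the vptr separately, beside the single-load form a CFI check should take.

```cpp
#include <cstdint>
#include <cstdio>

// Hand-rolled vtable and object layout (assumed for illustration; it mirrors
// the "first word of the object is the vptr" layout without relying on the ABI).
struct Obj;
struct VTable {
    int (*area)(const Obj*);
    const char* (*name)(const Obj*);
};
struct Obj {
    const VTable* vptr;   // the word a vptr-overwrite corrupts
    int a;
    int b;
};

// Virtual-method bodies for two made-up classes.
static int square_area(const Obj* o) { return o->a * o->a; }
static const char* square_name(const Obj*) { return "Square"; }
static int rect_area(const Obj* o) { return o->a * o->b; }
static const char* rect_name(const Obj*) { return "Rect"; }

// The permitted class set. Keeping its vtables in one array makes them
// contiguous, so "is this vptr one of ours" becomes a single range check.
static const VTable kShapeVTables[] = {
    { square_area, square_name },   // class index 0
    { rect_area,   rect_name   },   // class index 1
};

// Range-based forward-edge CFI check. Unsigned subtraction folds the lower
// and upper bound into one compare; the alignment test stops a vptr that
// lands inside the range but between two table starts.
static bool vptr_in_range(const VTable* vp) {
    const uintptr_t lo  = reinterpret_cast<uintptr_t>(kShapeVTables);
    const uintptr_t len = sizeof(kShapeVTables);
    const uintptr_t off = reinterpret_cast<uintptr_t>(vp) - lo;   // wraps if vp < lo
    return off < len && off % sizeof(VTable) == 0;
}

// Check-then-use with two loads of o->vptr: the value that is checked and
// the value that is called through are not guaranteed to be the same.
// That is the TOCTTOU shape the assignment text describes.
static int area_double_load(const Obj* o) {
    if (!vptr_in_range(o->vptr))       // load 1: checked
        return -1;
    return o->vptr->area(o);           // load 2: used
}

// Hardened form: load once, check the copy, dispatch through that same copy.
static int area_single_load(const Obj* o) {
    const VTable* vp = o->vptr;        // the only load
    if (!vptr_in_range(vp))
        return -1;
    return vp->area(o);
}

typedef int (*Dispatch)(const Obj*);

// Wrappers that build constructed objects and return the dispatch result
// (-1 marks a rejected vptr).
static int area_of(int cls, int a, int b, Dispatch d) {
    Obj o{ &kShapeVTables[cls], a, b };
    return d(&o);
}
static int area_of_foreign_table(int a, int b, Dispatch d) {
    static const VTable elsewhere{ rect_area, rect_name };   // valid slots, outside the set
    Obj o{ &elsewhere, a, b };
    return d(&o);
}
static int area_of_misaligned(int a, int b, Dispatch d) {
    // Inside the permitted range but at a slot boundary, not a table start.
    const char* p = reinterpret_cast<const char*>(kShapeVTables) + sizeof(void*);
    Obj o{ reinterpret_cast<const VTable*>(p), a, b };
    return d(&o);
}

int main() {
    std::printf("square(3):     %d\n", area_of(0, 3, 0, area_single_load));   // 9
    std::printf("rect(4,5):     %d\n", area_of(1, 4, 5, area_single_load));   // 20
    std::printf("foreign table: %d\n", area_of_foreign_table(4, 5, area_single_load)); // -1
    std::printf("misaligned:    %d\n", area_of_misaligned(4, 5, area_single_load));    // -1
    return 0;
}
```

In a single-threaded run both dispatchers agree, which is why a double-load check passes functional tests; the difference is only that `area_single_load` keeps the checked value in a local (a register, once compiled), so nothing that happens to the object's memory after the check can change which table is called through.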

If you wish to attempt this extra credit, notify the professor.

Submission Instructions

  1. Upload a tgz archive to Canvas containing the following files:
    • A README.md containing the secret and a description of your attack
    • The source code for your attack

© 2022 wkr