Systems and Network Hacking

Teacher: Giuseppe Lettieri, Pericle Perazzo

CFU: 9

Course Description

The best way to understand what attackers can do is to reason like one of them. In this course we will explore the tecniques that are common knowledge among attackers. The purpose is to understand the strenghts and, most importantantly, the limits of all the countermeasures that modern systems implement to mitigate these attacks. In turn, this requires a study of some topics that are sometimes skipped in architectural courses, like heap implementation, dynamic libraries and Virtual Machines.

News/Alerts

Syllabus

Class Material

Lecture notes

The material for the Web part of the course can be found here. I am restructuring and expanding the lecture notes below to put them in the form of a free book. The chapters will be available here as soon as they are readable, but they may be updated frequently, so it is not advisable to print them.

Part I

Part II [code injection (stack-based buffer overflow), format strings, code reuse (ret2libc, ROP) and heap (metadata, double free, use after free)].
Part III

Appendix

Dynamic libraries
Solutions to the exercises (this will expand over time)

Software

mynix, a didactic implementation of some Unix programs (v3.1).
esh, a didactic elementary shell (v1.0).
test-malloc, a simple program to experiment with malloc (v1.6).
mbaby, a Manchester Baby emulator/binary-translator (v1.6).
mykvm, a very simple KVM-based virtual machine monitor (v1.0).

Final tests

2021-01-20:
- Pwn: files; docker: lettieri.iet.unipi.it/pwn_2021-01-20; writeup
2021-02-09:
- Pwn: files; docker: lettieri.iet.unipi.it/pwn_2021-02-09 (user snh, password snh); writeup
2021-02-26:
- Pwn: files; docker: lettieri.iet.unipi.it/pwn_2021-02-26 (user snh, password snh); writeup
2021-07-29:
- Pwn: files; docker: lettieri.iet.unipi.it/pwn_2021-07-29; writeup
2021-09-23:
- Pwn: files; docker: lettieri.iet.unipi.it/pwn_2021-09-23; writeup
2021-11-26:
- Pwn: files; docker: lettieri.iet.unipi.it/pwn_2021-11-26; writeup
2022-01-19: assignment;
- Web: hint 1; hint 2; docker: lettieri.iet.unipi.it/euroteams; writeup;
- Pwn: files; hint 1; hint 2; docker: lettieri.iet.unipi.it/pwn_2022-01-19; writeup;
2022-02-03: assignment;
- Web: hint 1; hint 2; docker: lettieri.iet.unipi.it/tinycve; writeup;
- Pwn: files; hint 1; hint 2; docker: lettieri.iet.unipi.it/pwn_2022-02-03; writeup;
2022-02-24: assignment;
- Web: hint 1; hint 2; docker: lettieri.iet.unipi.it/frommetoyou; writeup;
- Pwn: files; hint 1; hint 2; docker: lettieri.iet.unipi.it/pwn_2022-02-24; writeup
2022-06-16: assignment;
- Web: hint 1; hint 2; docker: lettieri.iet.unipi.it/ghostcont; writeup;
- Pwn: files; hint 1; hint 2; docker: lettieri.iet.unipi.it/pwn_2022-06-16; writeup
2022-07-07: assignment;
- Web: hint 1; hint 2; docker: lettieri.iet.unipi.it/darkpoetry; writeup;
- Pwn: files; hint 1; hint 2; docker: lettieri.iet.unipi.it/pwn_2022-07-07; writeup
2022-07-28: assignment;
- Web: hint 1; hint 2; docker: lettieri.iet.unipi.it/dydcollection; writeup;
- Pwn: files; hint 1; hint 2; docker: lettieri.iet.unipi.it/pwn_2022-07-28; writeup
2022-09-22: assignment;
- Web: hint 1; hint 2; docker: lettieri.iet.unipi.it/spiderman; writeup;
- Pwn: files; hint 1; hint 2; docker: lettieri.iet.unipi.it/pwn_2022-09-22; writeup
2023-01-19: assignment;
- Web: hint 1; hint 2; docker: lettieri.iet.unipi.it/highfashion; writeup;
- Pwn: files; hint 1; hint 2; docker: lettieri.iet.unipi.it/pwn_2023-01-19; writeup
2023-02-09: assignment, files;
- Web: hint 1; hint 2; docker: lettieri.iet.unipi.it/spaghettiwestern; writeup;
- Pwn: hint 1; hint 2; docker: lettieri.iet.unipi.it/pwn_2023-02-09; writeup
2023-02-23: assignment, files;
- Web: hint 1; hint 2; docker: lettieri.iet.unipi.it/inception; writeup;
- Pwn: hint 1; hint 2; docker: lettieri.iet.unipi.it/pwn_2023-02-23; writeup
2023-07-06: assignment, files;
- Web: hint 1; hint 2; docker: lettieri.iet.unipi.it/messageinbottle; writeup;
- Pwn: hint 1; hint 2; docker: lettieri.iet.unipi.it/pwn_2023-07-06; writeup
2023-07-27: assignment, files;
- Web: hint 1; hint 2; docker: lettieri.iet.unipi.it/firstnum; writeup;
- Pwn: hint 1; hint 2; docker: lettieri.iet.unipi.it/pwn_2023-07-27; writeup
2023-09-21: assignment, files;
- Web: hint 1; hint 2; docker: lettieri.iet.unipi.it/tadasnippets; writeup;
- Pwn: hint 1; hint 2; docker: lettieri.iet.unipi.it/pwn_2023-09-21; writeup
2024-01-17: assignment, files;
- Pwn: hint 1; hint 2; docker: lettieri.iet.unipi.it/pwn_2024-01-17; writeup (updated with an alternative solution by E. Geraci);
2024-02-05: assignment, files;
- Pwn: hint 1; hint 2; docker: lettieri.iet.unipi.it/pwn_2024-02-05; writeup (updated after a bug found by G. Dell'Immagine);
2024-02-21: assignment, files;
- Pwn: hint 1; hint 2; docker: lettieri.iet.unipi.it/pwn_2024-02-21; writeup;
2024-07-03: assignment, files;
- Pwn: hint 1; hint 2; docker: lettieri.iet.unipi.it/pwn_2024-07-03; writeup;
2024-07-24: assignment, files;
- Pwn: hint 1; hint 2; docker: lettieri.iet.unipi.it/pwn_2024-07-24; writeup;
pokermatch (exercise on XSS):
- assignment;
- docker: lettieri.iet.unipi.it/pokermatch;
- writeup.

You can pull the dockers with docker pull docker-name and run them with docker run -P docker-name. The latter command will also assign random local ports to the ports exposed in the container. You can find the assigned ports with docker ps (in the PORTS column).

Lecture notes from previous edition.

Notes about Unix (plus some notes on Ritchie's paper).
How a Unix shell works.
Exploiting environment variables.
Symbolic links.
Shared with the Master's degree in Cybersecurity:
- Code injection.
- Brute forcing.
- Stack canaries.
- Format Strings.
- Dynamic Libraries.
- Non-Executable data.
- Code Reuse.
- ASLR and PIE.
- Heap exploitation.
- Pointer protection.
Kernel exploitation.
Virtual Machines: use the Introduction, Emulation and Hardware assisted virtualization notes from the Old material section below
Modern Linux security (capabilities, namespaces, control groups).

Exercises

Online

Solutions for the online exercises will be uploaded in the file section of the Course's MS Teams page.

Custom

solutions for the bad[0-3]suid exercises (arguments and environment variables).
solutions for the bad[4-6]suid exercises (symbolic links).
solutions for the exercises in the "Brute forcing" notes.
exercises on stack canaries and format strings (solutions, alternative solutions using pwntools).
solutions for the exercises in the "Dynamic Libraries" notes.
exercises on ROP and ASLR/PIE (solutions).
exercises on heap exploitation (solutions).
exercises on kernel exploitation (solutions).
exercises on VM escape (solutions).

Custom exercises from past edition

exercises on VM escaping (solutions).
exercise on attack-defence (solution).

Old material

Part of the course will deal with modern Virtual Machines technology. Here are the lecture notes from a previous course that explored these same topics. The notes in bold are useful for this course too, while the ones in italics can be safely skipped.

Introduction (excluding the formalization slides).
The Manchester Baby emulator.
Emulation (excluding the examples).
Binary Translation.
Hardware assisted virtualization.
- Introduction (without the appendix).
- The Virtual Machine Monitor.
- Intel VM-x.
- The kvm.cc example.
- MMU Virtualization (excluding the virtual-TLB method).
Passthrough (the Linux/QEMU example).
Paravirtualization
- Introduction.
- Virtio (slides by V. Maffione).
The Network File System.
Containers.
Seminary on Docker (by V. Maffione): slides, lab material.