Goal:

Assume you just got hired by a company, Macrohard Inc., to fill a Unix System Administrator position. The previous employee was fired recently because he/she recommended the use of closed-source and proprietary systems during the dot-com boom. With most of those companies dot-gone nowadays, your company was left with a lot of unsupported software and systems. For better or worse, since you are taking my class, you are able (I'm crossing my fingers here :) to migrate most of the existing systems to open-source counterparts, except one: eon_only_tue (for Tue's lab) or eon_only_wed (for Wed's lab). From now on, unless explicitly stated, eon_only will be used to refer to either eon_only_tue or eon_only_wed, depending on which lab you are in. eon_only, a piece of software that runs only on eon, is an internal core business application that generates most of the revenue for your company. Its main function is to display "You are promoted and WeeSan is so cool :)" (sorry, can't help it :) so that the business of your company can go on. On the other hand, if you run eon_only on other machines, such as orpheus or any lab machine, it displays "You are fired!" instead, which is really bad.

One stormy night, eon got hit hard and there was no way to bring it back up again. Your immediate challenge is to get eon_only up and running on another machine within 3 hours or you are fired. The problem is that the provider of eon_only disappeared a couple of months ago and your company does not have the source code for it. To make matters worse, the license of eon_only expires at 2:30pm today.

So, your goal is to hack, er... find a temporary workaround to resolve this crisis and save your company -- more importantly, your job -- before a long-term solution is in place.
Details:

Not only was eon_only hard-coded to check the hostname and hostid of the machine on which it is run against a piece of internal data it stores in the code, but it also checks the local time of the machine to determine whether it has expired. In the real world, instead of being told about the 3 protections mentioned above, with a little luck and hours of trial and error, you should be able to obtain that information by using the command 'strace' to trace the program and figure out which system calls/functions it uses to implement the protections.

For the purpose of this lab, let's assume you have figured out that eon_only calls the following 3 functions from the C library to do the tricks:
1. Download eon_only_tue from here if you are in the Tue's lab, or eon_only_wed from here otherwise.
2. Run eon_only (make it executable if necessary) on both eon and orpheus before 2:30pm to see the output from both. The first 3 lines represent the protection methods used by the software. The status of each protection is shown in front of each line: V means checked or OK, whereas X means BAD. You should see 3 Vs from eon but at least 2 Xs from orpheus.
3. Find out whether eon_only is statically or dynamically linked by using the 'file' command.
4. Create hack.c, er... workaround.c with all 3 functions in there, each of which outputs (use printf()) something different.
5. Build libworkaround.so by doing the following:
   $ gcc -c -fPIC workaround.c
   $ gcc -shared -o libworkaround.so workaround.o
6. Run eon_only by doing the following:
   $ LD_PRELOAD=./libworkaround.so ./eon_only
   You should see the "something" from each function, which is a good sign: it means your workaround was in action.
7. Run eon_only again on orpheus. You should see that the first protection gets removed. The reason is that your shared library "cheated" eon_only by returning something it was looking for. Of course, LD_PRELOAD plays a very important role in this.
8. Rename eon_only to eon_only_nomore.
9. Create a Bash script named eon_only which in turn calls eon_only_nomore with your libworkaround.so preloaded.
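
The other side of the story, as an added example that is neither code from this lab page nor part of eon_only: the hostname, hostid and time checks fall because a dynamically linked program resolves each C library call to the first object in the loader's search order, and LD_PRELOAD puts libworkaround.so ahead of libc. A program that wants to notice this can read /proc/self/maps and ask which mapped file the address of each function it relies on falls into. The sample maps table and the /opt/macrohard paths below are constructed for the example; gethostname and time are stand-ins I chose, since the page does not list the three functions.

```c
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <time.h>
#include <unistd.h>

/* Constructed sample of a /proc/<pid>/maps table (not captured from a real
 * system): the program, a preloaded libworkaround.so and libc. */
static const char SAMPLE_MAPS[] =
    "55d0c0a00000-55d0c0a01000 r--p 00000000 08:01 100 /opt/macrohard/eon_only_nomore\n"
    "7f3c1a2b0000-7f3c1a2b1000 r-xp 00000000 08:01 200 /opt/macrohard/libworkaround.so\n"
    "7f3c1a400000-7f3c1a5c0000 r-xp 00000000 08:01 300 /usr/lib/x86_64-linux-gnu/libc.so.6\n";

/* Parse one maps line into its address range and pathname (empty for
 * anonymous mappings). Returns 1 on success, 0 on a malformed line. */
static int parse_maps_line(const char *line, uintptr_t *lo, uintptr_t *hi,
                           char *path, size_t pathsz) {
    unsigned long long a, b, off, inode;
    char perms[8], dev[16];
    int used = 0;
    path[0] = '\0';
    if (sscanf(line, "%llx-%llx %7s %llx %15s %llu%n",
               &a, &b, perms, &off, dev, &inode, &used) != 6)
        return 0;
    *lo = (uintptr_t)a; *hi = (uintptr_t)b;
    const char *p = line + used;
    while (*p == ' ' || *p == '\t') p++;
    size_t n = strcspn(p, "\r\n");
    if (n >= pathsz) n = pathsz - 1;
    memcpy(path, p, n); path[n] = '\0';
    return 1;
}

/* Return the pathname of the mapping (read line by line from f) that contains
 * addr, or NULL if none does. The result lives in a static buffer. */
static const char *module_for_address(FILE *f, uintptr_t addr) {
    static char path[256];
    char line[512];
    uintptr_t lo, hi;
    while (fgets(line, sizeof line, f))
        if (parse_maps_line(line, &lo, &hi, path, sizeof path) && addr >= lo && addr < hi)
            return path;
    return NULL;
}

/* Same lookup over a maps table held in memory (used for the sample above). */
static const char *module_for_address_text(const char *maps, uintptr_t addr) {
    FILE *f = fmemopen((void *)maps, strlen(maps), "r");
    if (!f) return NULL;
    const char *path = module_for_address(f, addr);
    fclose(f);
    return path;
}

/* Does a mapping's file name look like the C library (libc.so.6, libc-2.31.so)? */
static int is_libc_path(const char *path) {
    const char *base = strrchr(path, '/');
    base = base ? base + 1 : path;
    return strncmp(base, "libc.so", 7) == 0 || strncmp(base, "libc-", 5) == 0;
}

/* Where did the function behind fn actually resolve in this process?
 * 1 = inside libc, 0 = elsewhere (typically a preloaded object), -1 = no /proc. */
static int resolved_in_libc(void *fn) {
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f) return -1;
    const char *path = module_for_address(f, (uintptr_t)fn);
    int in_libc = path ? is_libc_path(path) : 0;
    fclose(f);
    return in_libc;
}

/* Cheap first indicator: was the dynamic loader asked to preload anything? */
static int preload_requested(void) {
    const char *e = getenv("LD_PRELOAD");
    struct stat st;
    return (e && *e) || (stat("/etc/ld.so.preload", &st) == 0 && st.st_size > 0);
}

int main(void) {
    /* gethostname and time are stand-ins chosen for this example; the lab
     * page does not say which three C library functions eon_only calls. */
    printf("preload requested:            %d\n", preload_requested());
    printf("gethostname resolved in libc: %d\n", resolved_in_libc((void *)gethostname));
    printf("time resolved in libc:        %d\n", resolved_in_libc((void *)time));
    return 0;
}
```

Build it with `gcc -o preload_check preload_check.c` and run it once plainly and once with `LD_PRELOAD=./libworkaround.so ./preload_check`: in the second run the interposed functions report 0 because their addresses fall inside libworkaround.so's mapping rather than libc's. Two caveats a practitioner should keep in mind: the environment and /proc checks are heuristics, since a preloaded object can interpose getenv() or fopen() just as easily as it interposes the three functions, and a statically linked binary (which the 'file' check above would reveal) has no dynamic loader involved and is not affected by LD_PRELOAD at all.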
$ seq 1 2 > a
$ seq 1 3 > b
$ paste a b
1	1
2	2
3