CSL865: Assignment 1 on Buffer Overflow Attacks
Goal
- The goal of this assignment is to gain hands-on experience with the
effect of buffer overflow, integer overflow, format string, and double free
bugs. All work in this project must be done on the VMware virtual machine
provided below. You will need to download VMware Player from
http://www.vmware.com/products/player/.
- You are given the source code for seven exploitable programs
(/tmp/target1, ... , /tmp/target7). These programs are to be installed as
setuid root in the VMware virtual machine. Your goal is to write seven
exploit programs (sploit1, ..., sploit7). Program sploit[i] will execute
program /tmp/target[i] giving it certain input that should result in a root
shell on the VMware virtual machine.
- The skeletons for sploit1, ..., sploit7 are provided in the sploits/
directory. Note that the exploit programs are very short, so there is no
need to write a lot of code here.
The Environment
- You will test your exploit programs within a VMware virtual machine. To
do this, you will need to download the virtual machine image provided on
the course website as well as VMware Player from VMware's website. VMware
player can run on Linux, Mac OS X (VMware Fusion), and Windows, and is
freely available.
- The virtual machine we provide is configured with Debian Etch. We've
left the package management system installed in the image, so should you
need any other packages to do your work (e.g., vim, emacs), you can install
it with the command apt-get (e.g., apt-get install vim)
- The virtual machine is configured to use NAT (Network Address
Translation) for networking. From the virtual machine, you can type ifconfig
as root to see the IP address of the virtual machine. It should be listed
under the field "inet addr:" under "eth0".
- The virtual machine also has an ssh server. You can ssh into the vm
(virtual machine) from your machine, using the IP address produced by
ifconfig (as above) as the destination. You can use this to transfer files
ontol the virtual machine using "scp". Alternatively, you can fetch files
directly from the wen on the vm using "wget".
The Targets
- The targets/ directory in the assignment tarball contains the source
code for the targets along with a Makefile specifying how they are to be
built.
- The exploits should assume that the compiled target programs are
installed setuid-root in /tmp. i.e., /tmp/target1, /tmp/target2, etc.
The Exploits
The sploits/ directory in the assignment tarball contains skeleton source for
the exploits which you are to write, along with a Makefile for building them.
Also included is shellcode.h, which gives Aleph One's shellcode.
The Assignment
You are to write exploits, one per target. Each exploit, when run in the
virtual machine with its target installed setuid-root in /tmp, should yield
a root shell (/bin/sh).
Relevant Material
- Aleph One - Smashing the Stack for Fun and Profit
- blexim - Basic Integer Overflows
- scut/team teso - Exploiting Format String Vulnerabilities
- anonymous - Once upon a free()
- c0ntex - How to hijack the Global Offset Table with pointers for root shells
- Intel - Intel Architecture Guide for Software Developers
Files
- pp1-tarball: pp1.tar.bz2
- Virtual machine image: box.tar.bz2
- Untar it.
- Type "vmplayer box.vmx"
- login="root", password="root"
Submission Instructions
You only need to submit a tarball of the sploits/ directory. You will need to
copy your sploits/ directory out of the VM.
Note:
- To be done individually.
- The last date of submission of Part-1 (sploits[1,2]) is Jan 23. The last date
of submission for Part-2 (sploits[3..7]) is Jan 30.