CSL865: Assignment 1 on Buffer Overflow Attacks

Goal

  1. The goal of this assignment is to gain hands-on experience with the effect of buffer overflow, integer overflow, format string, and double free bugs. All work in this project must be done on the VMware virtual machine provided below. You will need to download VMware Player from http://www.vmware.com/products/player/.
  2. You are given the source code for seven exploitable programs (/tmp/target1, ... , /tmp/target7). These programs are to be installed as setuid root in the VMware virtual machine. Your goal is to write seven exploit programs (sploit1, ..., sploit7). Program sploit[i] will execute program /tmp/target[i] giving it certain input that should result in a root shell on the VMware virtual machine.
  3. The skeletons for sploit1, ..., sploit7 are provided in the sploits/ directory. Note that the exploit programs are very short, so there is no need to write a lot of code here.

The Environment

  1. You will test your exploit programs within a VMware virtual machine. To do this, you will need to download the virtual machine image provided on the course website as well as VMware Player from VMware's website. VMware player can run on Linux, Mac OS X (VMware Fusion), and Windows, and is freely available.
  2. The virtual machine we provide is configured with Debian Etch. We've left the package management system installed in the image, so should you need any other packages to do your work (e.g., vim, emacs), you can install it with the command apt-get (e.g., apt-get install vim)
  3. The virtual machine is configured to use NAT (Network Address Translation) for networking. From the virtual machine, you can type ifconfig as root to see the IP address of the virtual machine. It should be listed under the field "inet addr:" under "eth0".
  4. The virtual machine also has an ssh server. You can ssh into the vm (virtual machine) from your machine, using the IP address produced by ifconfig (as above) as the destination. You can use this to transfer files ontol the virtual machine using "scp". Alternatively, you can fetch files directly from the wen on the vm using "wget".

The Targets

  1. The targets/ directory in the assignment tarball contains the source code for the targets along with a Makefile specifying how they are to be built.
  2. The exploits should assume that the compiled target programs are installed setuid-root in /tmp. i.e., /tmp/target1, /tmp/target2, etc.

The Exploits

The sploits/ directory in the assignment tarball contains skeleton source for the exploits which you are to write, along with a Makefile for building them. Also included is shellcode.h, which gives Aleph One's shellcode.

The Assignment

You are to write exploits, one per target. Each exploit, when run in the virtual machine with its target installed setuid-root in /tmp, should yield a root shell (/bin/sh).

Relevant Material

  1. Aleph One - Smashing the Stack for Fun and Profit
  2. blexim - Basic Integer Overflows
  3. scut/team teso - Exploiting Format String Vulnerabilities
  4. anonymous - Once upon a free()
  5. c0ntex - How to hijack the Global Offset Table with pointers for root shells
  6. Intel - Intel Architecture Guide for Software Developers

Files

Submission Instructions

You only need to submit a tarball of the sploits/ directory. You will need to copy your sploits/ directory out of the VM.

Note:

  1. To be done individually.
  2. The last date of submission of Part-1 (sploits[1,2]) is Jan 23. The last date of submission for Part-2 (sploits[3..7]) is Jan 30.