CS 450/650 Fundamentals of Integrated Computer Security

Fall 2014

Lab 4: Buffer overflow

Due on Tuesday, Nov 18 at 1:00 pm

The goal of this assignment to gain hands-on experience find vulnerabilities in code and mounting buffer overflow attacks. You are given the source code for six exploitable programs which are to be installed with setuid root in a virtual machine we provide. You'll have to identify a vulnerability (buffer overflow, double free, format string vulnerability, etc) in each program. You'll write an exploit for each that executes the vulnerable program with crafted argument, causing it to jump to a exploit string. In each instance, the result will yield a root shell even though the attack was run by an unprivileged user.

Environment

You'll run your exploits in a virtual machine (VM) provided for the assignment. This serves two purposes. First, the vulnerable programs contain real, exploitable vulnerabilities and we strongly advise against installing them with setuid root on your machine. Second, everything from the particular compiler version, to the operating system and installed library versions will affect the exact location of code on the stack. The VM provides an identical environment to the one in which the assignment will be tested for grading.

The VM is configured with Ubuntu Linux 12.04, with ASLR (address randomization) turned off. It has two users, “root” and “user”, both with the password “cs155”. The exploits will be run as “user” and should yield a command line shell (/bin/sh) running as “root”. The VM comes with a set of tools pre-installed (curl, wget, openssh, gcc, vim etc), but feel free to install additional software. For example, to install the emacs editor, you can run as root:

$ apt-get install emacs

When you first run the VM, it will have an OpenSSH server running so you can login from your host machine as well as transfer files using, e.g., ssh and scp.

Targets and Skeleton code

The targets/ directory in the assignment tarball contains the source code for the vulnerable targets as well as a Makefile for building and installing them on the VM. Specifically, to install the target programs, as the non-root “user”:

$ cd targets $ make $ make install

This will compile all of the target programs, set the executable stack flag on each of the resulting executables, and install them with setuid root in /tmp.

Your exploits must assume that the target programs are installed in /tmp/ – /tmp/target1, /tmp/target2, etc.

Exploit Skeleton Code

The sploits/ directory in the assignment tarball contains skeleton code for the exploits you'll write, named sploit1.c, sploit2.c, etc, to correspond with the targets. Also included is the header file shellcode.h, which provides Aleph One's shellcode in the static variable static char* shellcode.

Deliverables

Exploit one of the targets (exploiting additional ones will be awarded with extra 5 points up to 10 points).

In each part, you'll need to submit a gzipped tarball (.tar.gz) with no directory structure,ontaining the exploits and a Makefile to build them. Running make with no arguments from your extrated submission tarball should yield sploit1 through sploit6 executables in the same directory. Finally, the tarball must also include a file ID.csv which conatins a comma-separated line for each group member with your SUID number, Leland username, last name, first name (order matters). The sploits/ directory already contains such a file, so you just need to modify it.

Assuming you use the skeleton code (which is highly recommended), you can create such a tarball by running make submission for the top level directory of the assignment source. This command will output a file sumission.tar.gz which you can submit.

Setup: Set-by-step

Download the VM from http://crypto.stanford.edu/cs155/hw_and_proj/proj1/vm-cs155.tar.gz and extract. The tarball contains a folder, vm-cs155, which contains a virtual hard disk (vm-cs155.vmdk) and a VMWare virtual machine image specification file (vm-cs155.vmx). This allows the machine to be run using most virtualization software.

Run the machine using Qemu, VirtualBox or VMWare Player. To run using Qemu, simply run the following command:

qemu -m 512 -net nic \ -net user,hostfwd=tcp:127.0.0.1:2222-:22 \ vm-cs155/vm-cs155.vmdk

To run with VirtualBox, first register a new vm image and attach the virtual hard disk to it:

vboxmanage createvm --name vm-cs155 --register vboxmanage modifyvm vm-cs155 --nic1 nat --memory 512 vboxmanage storagectl vm-cs155 --name SATA --add sata vboxmanage storageattach vm-cs155 --storagectl SATA --port 0 --type hdd \ --medium $PWD/vm-cs155/vm-cs155.vmdk

Then run the virtual machine:

virtualbox --startvm vm-cs155

Finally, to run with VMWare Player, open the file vm-cs155.vmx in VMWare Player.

Once in the VM, login with username “user” and password “cs155”.

Download the assignment tarball from http://crypto.stanford.edu/cs155/hw_and_proj/proj1/proj1.tar.gz and extract it:

$ wget http://crypto.stanford.edu/cs155/hw_and_proj/proj1/proj1.tar.gz $ tar xzf proj1.tar.gz

Build and install the targets:

$ cd proj1/targets $ make && sudo make install Password: cs155

Write, build and test your exploits:

$ cd ../sploits ...edit,test... $ make $ ./sploit1

Note: This assignment is modified from http://crypto.stanford.edu/cs155/

What to turn in A soft-copy of your results and answers to the questions to be uploaded to WebCampus.