Project 1: Memory Safety

Due: 2020-10-02 at 23:59


The goal of this assignment is to gain hands-on experience with the effect of buffer overflows and other memory-safety bugs.

All work in this project must be done in the VirtualBox virtual machine provided on Blackboard; see below for information about this environment.

You are given a Python script which, when run, will generate six vulnerable targets in a targets directory. The targets will be generated from an ID file that you must first fill out. See below for details.

These programs are to be compiled and installed, setuid root, in the /tmp directory of your VM. Your goal is to write six exploit programs sploit1, …, sploit6, each of which will execute the corresponding target with input that exploits that target’s bug, giving a root shell on the VM.

We have provided skeletons for these exploits programs in the sploits directory, as sploit1.c, …, sploit6.c. Our own solutions, incidentally, are very short: fewer than 50 lines each. So while understanding and exploiting the bugs will not be easy, you will not need to write a lot of code.


You may work on this project in collaboration with a single partner as described on the main page.

You must not discuss solutions to the project with anyone other than your partner and course staff. You may use online resources for general reference, but not to search for solutions to specific questions posed in this project.

The Environment

You (and we, for grading) will test your exploit programs within a VirtualBox virtual machine. This virtual machine emulates a 32-bit x86 processor and has the latest version of Debian installed.

You should first install VirtualBox.

Next, download and decompress from the Blackboard course site.

Launch VirtualBox and select the menu option File > Import Appliance. Choose the sandbox 3.0.ova file you just decompressed.

Once you start the virtual machine, Linux will boot and you’ll be presented with a login prompt. The default account has a user name of user and a password of pass.

You will need to configure Git inside the VM.

$ git config --global "Your name here"
$ git config --global "Your email here"

You’re now ready to clone the assignment repository.

The VM has a number of tools installed including the gcc compiler and gdb debugger. It has vim installed. If you want to install additional tools such as other text editors, you may install them. E.g.,

$ sudo apt install emacs

The password is pass.

The Assignment Repository

Go to the GitHub Classroom page and accept the assignment.

Warning: Do not join any team other than your partner’s. There’s no way to change teams for the assignment so just don’t do it! (If you do join the wrong team by mistake, let me know immediately.)

You should now be able to clone the assignment repository in your VM.

The Targets

Once you have cloned your assignment repository in the VM, you need to enter your name and your partner’s name in the ID file. If you’re working with a partner, one of you should edit the ID file, commit it, and push it to GitHub. The other partner should git pull the change.

After you have done this, run

$ ./

to generate the targets directory.

WARNING: Once you have generated the targets directory, any changes to your ID file at all will cause the script to generate different targets and your exploits will likely not work when we’re grading.

The targets directory contains the source code for the targets along with a Makefile specifying how they are to be built. To compile the targets and install them setuid root in /tmp, use the commands make and make install. You will need to enter the password pass at the prompt when you run make install.

target5 is fairly complicated. It reads commands for manipulating strings from the file specified as its argument. Due to the way target5 is compiled, the glibc malloc/free/realloc functions are not used. Instead, the replacement functions in smalloc.c are called. It is easiest to set a breakpoint in smalloc/sfreer/srealloc rather than trying to step into calls to malloc.

Do not commit the targets directory. For grading, we will run the script and run your exploits against those targets.

The Exploits

The sploits directory in the assignment contains skeleton source for the exploits which you are to write, along with a Makefile for building them. Also included is shellcode.h, which contains shellcode for you to use.

Your exploits should assume that the compiled target programs are installed in /tmp/tmp/target1, …, /tmp/target6.

Along with each exploit skeleton file, there is an empty text file that you should fill with an explanation of the bug in the corresponding target and how your exploit takes advantage of it. You will submit this explanation along with your exploit.

The Assignment

You are to write exploits, one per target. Each exploit, when run in the virtual machine with its target installed setuid-root in /tmp, should yield a root shell (/bin/sh).



Aleph One gives code that calculates addresses on the target’s stack based on addresses on the exploit’s stack. Addresses on the exploit’s stack can be changed based on how the exploit is executed (working directory, arguments, environment, etc.); in our testing, we do not guarantee to execute your exploits the same way bash does.

You must, therefore, hard-code target stack locations in your exploits. You should not use a function such as get_sp in the exploits you hand in.