Project 1

Part 1 due: Thursday, September 12, 2013, 23:59
Part 2 due: Tuesday, September 24, 2013, 23:59

Goal

The goal of this assignment is to gain hands-on experience with the effect of buffer overflows and other memory-safety bugs.

All work in this project must be done on the VirtualBox virtual machine provided on the course website; see below for information about this environment.

You are given, in the targets directory, the source code for six exploitable programs, target1.c, …, target5.c, and target6.cc. These programs are to be compiled and installed, setuid root, in the /tmp directory of your VM. Your goal is to write six exploit programs sploit1, …, sploit6, each of which will execute the corresponding target with input that exploits that target's bug, giving a root shell on the VM.

We have provided skeletons for these exploits programs in the sploits directory, as sploit1.c, …, sploit6.c. Our own solutions, incidentally, are very short: fewer than 50 lines each. So while understanding and exploiting the bugs will not be easy, you will not need to write a lot of code.

Collaboration

You may work on this project with one other person (and this is encouraged). You will turn in a single set of solutions together, but it is expected that both of you understand and can explain how to exploit each target. You must not discuss the project with anyone in the class besides your partner, nor with anyone outside of class. This includes discussing what particular vulnerabilities in the targets are! You may use online resources for general reference, but not to search for solutions to specific questions posed in this project.

The Environment

You (and we, for grading) will test your exploit programs within a VirtualBox virtual machine. To use this VM on your personal computer (Windows, Mac OS X, and Linux are supported), you will need to download the virtual machine image provided on the course website — sandbox-1.0.tar.bz2 — as well as VirtualBox from the VirtualBox website.

We have also arranged for VirtualBox to be installed on the Windows machines in Maryland 310.

The VM has Debian Stable installed as well as a number of useful utilities such as vim, ssh, and wget.

The Targets

The targets directory in the assignment tarball contains the source code for the targets along with a Makefile specifying how they are to be built. To compile the targets and install them setuid root in /tmp, use the commands make and make install.

Your exploits should assume that the compiled target programs are installed in /tmp — /tmp/target1, …, /tmp/target6.

The Exploits

The sploits directory in the assignment tarball contains skeleton source for the exploits which you are to write, along with a Makefile for building them. Also included is shellcode.h, which contains Aleph One's shellcode.

Along with each exploit skeleton file, there is an empty text file that you should fill with an explanation of the bug in the corresponding target and how your exploit takes advantage of it. You will submit this explanation along with your exploit.

The Assignment

You are to write exploits, one per target. Each exploit, when run in the virtual machine with its target installed setuid-root in /tmp, should yield a root shell (/bin/sh).

Hints

  1. Read Aleph One's “Smashing the Stack for Fun and Profit,” carefully! Also, read the “suggested reading” listed in the project README. You will want to have a good understanding of what happens to the stack, program counter, and relevant registers before and after a function call. Read scut's “Exploiting Format String Vulnerabilities.” It will be helpful to have a solid understanding of the basic buffer overflow exploits before reading the more advanced exploit papers.

  2. The gdb debugger is your best friend in this assignment as you'll want to understand what's going on in the target program's memory space. Specifically, note the disassemble and stepi commands. You may find the x command useful to examine memory (and the different ways you can print the contents such as /a or /i after x). The info register command is helpful for printing out the contents of registers.

  3. A useful way to run gdb is to use the -e and -s command line flags; for example, the command gdb -e ./sploit3 -s /tmp/target3 tells gdb to execute sploit3 and use the symbols from target3 which allows you to trace execution in the target in exactly the way it is executed by the exploit. By contrast, executing just gdb /tmp/target3 will trace the target in the way it is executed by the shell, so the memory layout will be different. (Avoiding a segfault while using this requires careful timing in setting breakpoints. See the assignment README for the details.)

  4. Make sure that your exploits work within the provided virtual machine.

  5. Start early! Theoretical knowledge of exploits does not readily translate into the ability to write working exploits. The first target is relatively simple to exploit, but the difficulty ramps up from there.

Warnings

Aleph One gives code that calculates addresses on the target's stack based on addresses on the exploit's stack. Addresses on the exploit's stack can be changed based on how the exploit is executed (working directory, arguments, environment, etc.); in our testing, we do not guarantee to execute your exploits the same way bash does.

You must, therefore, hard-code target stack locations in your exploits. You should not use a function such as get_sp in the exploits you hand in.

Deliverables

To encourage you to start on the project early, part 1 consists of target1 and target2. Part 2, due a little later consists of the other four targets.

You are to provide a tarball (i.e., a .tar.gz or .tar.bz2 file) containing the source files, the Makefile for building your exploits, and the text files sploit1.txt, …, sploit6.txt as described above. All of the exploits should build if the make command is issued.

There should be no directory structure: all files in the tarball should be in its root directory. (Run tar from inside the sploits directory.)

Finally, you must include a file called ID which contains the names of both partners (or just your own if you worked by yourself).

Setting up the Environment

On your own machine, you will need to install VirtualBox. Follow the instructions on the VirtualBox webpage. If you have trouble, read the documentation.

  1. Download the VM (sandbox-1.0.tar.bz2) and decompress it.

  2. From the Machine menu, choose the Add… menu option.

  3. Navigate the open dialog box to the sandbox-1.0 directory and open sandbox.vbox.

  4. In the main window, select the sandbox VM and start it by clicking on the Start button.

  5. Log in to the VM. There are two accounts, root with password root and user with the password user. The user account can use the sudo command to run commands as root (or sudo -s to get a root shell).

  6. Download the project 1 tarball in the virtual machine.
    wget https://www.cs.jhu.edu/~s/teaching/cs460/2012-fall/project1.tar.gz

  7. Unpack project1.tar.gz and use the Makefile to build and install the targets.

  8. If you reboot the VM, you'll have to reinstall the targets because the /tmp directory will have been wiped clean.