Project 2

Due: Tuesday, November 20, 2012, 23:59

Goal

Unlike the previous project where you were given access to the source code of the target program, for this project, you will have to find the vulnerability using only the binary.

All work in this project must be done on the VirtualBox virtual machine provided on the course website; see below for information about this environment.

You are given a single target binary and a data file model.dat accepted by target. Your goal is to write a sploit.dat file so that when target is run on sploit.dat, you end up with a root shell. Furthermore, once the shell exits, the program should finish running without any errors.

Collaboration

You may work on this project in groups of up to three (and this is encouraged). You will turn in a single set of solutions together, but it is expected that everyone understand and can explain how to exploit the target. You must not discuss the project with anyone in the class besides your partners and course staff, nor with anyone outside of class. This includes discussing what particular vulnerabilities in the target are! You may use online resources for general reference, but not to search for solutions to specific questions posed in this project.

The Environment

You (and we, for grading) will test your exploit programs within a VirtualBox virtual machine. To use this VM on your personal computer (Windows, Mac OS X, and Linux are supported), you will need to download the virtual machine image provided on the course website — sandbox-1.0.tar.bz2 — as well as VirtualBox from the VirtualBox website.

We have also arranged for VirtualBox to be installed on the Windows machines in Maryland 310.

The VM has Debian Stable installed as well as a number of useful utilities such as vim, ssh, and wget.

The Target

The target must be setuid root in order to run:

user@sandbox:~/project2$ ./target model.dat
Sorry, ./target must be setuid root.
user@sandbox:~/project2$ sudo chown root:root target
user@sandbox:~/project2$ sudo chmod u+s target
user@sandbox:~/project2$ ./target model.dat
But if you need to convince an enemy to work with you, it's a good idea to make use of all costs.
user@sandbox:~/project2$ ./target model.dat
The key to hand-to-hand combat is to be able to keep an eye on your employees during the off-hours and keep listening.

Each time you run the target, it will produce a different, ridiculous, randomly-generated string.

The Exploit

The exploit should be a single sploit.dat file that, when passed to target, gives you a root shell and does not crash the binary.

user@sandbox:~/project2$ ./target sploit.dat
# whoami
root
# exit
exit
You just have to wait for the target to party enough to make sure they know it comes with the badge and when.

The Assignment

There are several parts to this assignment.

  1. Create a text file answers and answer the following questions:

    1. What program does target run?

    2. target produces two files. What are their contents? (Hint: One is static, the other depends on the input.)

    3. model.dat is unmangled in two different ways, first by target and then by the program target runs. What are the two ways?

  2. Produce a sploit-small.dat, as small as possible, that gives a root shell. For this one, it's okay to cause the program to crash when the shell exits. (Hint: Our solution is just 56 bytes.)

  3. Produce a sploit.dat that both gives the root shell and does not crash the program. This need not be small.

Deliverables

You are to provide a tarball (i.e., a .tar.gz or .tar.bz2 file) containing answers, sploit-small.dat, sploit.dat, and ID.

As before, ID must contain the names of everyone in the group.

There should be no directory structure: all files in the tarball should be in its root directory.

Hints

We highly recommend you use the free version of IDA Pro to aid in your reverse engineering.

Setting up the Environment

Use the same environment from Project 1. You can download the target file from inside the VM:
wget https://www.cs.jhu.edu/~s/teaching/cs460/2012-fall/project2.tar.gz