Due: Tuesday, November 20, 2012, 23:59
Unlike the previous project where you were given access to the source code of the target program, for this project, you will have to find the vulnerability using only the binary.
All work in this project must be done on the VirtualBox virtual machine provided on the course website; see below for information about this environment.
You are given a single target binary and a data file model.dat accepted by target. Your goal is to write a sploit.dat file so that when target is run on sploit.dat, you end up with a root shell. Furthermore, once the shell exits, the program should finish running without any errors.
You may work on this project in groups of up to three (and this is encouraged). You will turn in a single set of solutions together, but it is expected that everyone understand and can explain how to exploit the target. You must not discuss the project with anyone in the class besides your partners and course staff, nor with anyone outside of class. This includes discussing what particular vulnerabilities in the target are! You may use online resources for general reference, but not to search for solutions to specific questions posed in this project.
You (and we, for grading) will test your exploit programs within a VirtualBox virtual machine. To use this VM on your personal computer (Windows, Mac OS X, and Linux are supported), you will need to download the virtual machine image provided on the course website — sandbox-1.0.tar.bz2 — as well as VirtualBox from the VirtualBox website.
We have also arranged for VirtualBox to be installed on the Windows machines in Maryland 310.
The VM has Debian Stable installed as well as a number of useful utilities such as vim, ssh, and wget.
The target must be setuid root in order to run:
user@sandbox:~/project2$ ./target model.dat
Sorry, ./target must be setuid root.
user@sandbox:~/project2$ sudo chown root:root target
user@sandbox:~/project2$ sudo chmod u+s target
user@sandbox:~/project2$ ./target model.dat
But if you need to convince an enemy to work with you, it's a good idea to make use of all costs.
user@sandbox:~/project2$ ./target model.dat
The key to hand-to-hand combat is to be able to keep an eye on your employees during the off-hours and keep listening.
Each time you run the target, it will produce a different, ridiculous, randomly-generated string.
The exploit should be a single sploit.dat file that, when run, gives you a root shell and does not crash the binary.
user@sandbox:~/project2$ ./target sploit.dat
# whoami
root
# exit
exit
You just have to wait for the target to party enough to make sure they know it comes with the badge and when.
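The transcript above pins down two things the grader looks for: the spawned shell really runs as root, and after `exit` the target keeps running to a normal end instead of being replaced or crashing. The C program below is an added example written for this page; it is not part of the handout and not code from the target. It shows the behaviour a payload has to reproduce, written as ordinary library calls so you can run and read it outside the target: a check that a binary is owned by root with the setuid bit set (the condition behind the "must be setuid root" message), a setuid(0) step that makes the real uid match the effective uid (bash resets its effective uid to the real uid at startup when they differ, unless started with -p, so payloads usually do this before exec; dash, which is /bin/sh on the VM, does not), and a fork/execve/waitpid sequence so the caller resumes after the shell exits. It assumes /bin/sh exists; the function and variable names are this example's own.

```c
/* Added example for the CS460 project 2 handout, not part of the target.
 * Demonstrates the three properties a "root shell, no crash" payload
 * needs, using ordinary C calls rather than shellcode. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>

extern char **environ;

/* 1 if `path` is owned by uid 0 and carries the setuid bit, else 0.
 * This is what `sudo chown root:root target; sudo chmod u+s target`
 * establishes, and what `ls -l target` shows as an `s` in the owner bits. */
int is_setuid_root(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return 0;
    return st.st_uid == 0 && (st.st_mode & S_ISUID) != 0;
}

/* In a setuid-root process euid is 0 but ruid is the invoking user.
 * setuid(0) from euid 0 sets every uid to 0, which is what keeps a
 * privilege-dropping shell such as bash running as root.
 * Returns 1 when the process ends with ruid 0, 0 otherwise (as an
 * ordinary user setuid(0) is simply not attempted). */
int regain_root(void)
{
    if (geteuid() == 0 && setuid(0) != 0)
        return 0;
    return getuid() == 0;
}

/* Run `prog` with no arguments in a child and wait for it to exit.
 * Returns the child's exit status, 127 if execve failed, -1 on a
 * fork/wait failure or if the child died from a signal. Because the
 * parent waits and then returns, whatever called us keeps running,
 * which is the "finish without errors" requirement. */
int spawn_and_wait(const char *prog)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)prog, NULL };
        execve(prog, argv, environ);
        _exit(127);               /* only reached when execve fails */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    if (WIFEXITED(status))
        return WEXITSTATUS(status);
    return -1;
}

int main(int argc, char **argv)
{
    /* Optional first argument: a binary to check for setuid-root. */
    if (argc > 1)
        printf("%s is %ssetuid root\n", argv[1],
               is_setuid_root(argv[1]) ? "" : "not ");
    if (!regain_root())
        fprintf(stderr, "note: not running as euid 0, shell will not be root\n");
    int rc = spawn_and_wait("/bin/sh");   /* assumed to exist; dash on the VM */
    printf("shell exited with status %d; continuing normally\n", rc);
    return rc < 0 ? 1 : 0;
}
```

Run it as yourself and the shell is an ordinary one; run it from a setuid-root copy and `whoami` inside the shell prints root, after which the program prints its final line and exits cleanly, exactly the shape of the transcript above. A payload that only execve's /bin/sh gives the shell but replaces the process, so the "no crash" part of the assignment can never be met that way.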
There are several parts for this assignment.

1. Create a text file answers and answer the following questions:
   (a) What program does target run?
   (b) target produces two files. What are their contents? (Hint: One is static, the other depends on the input.)
   (c) model.dat is unmangled in two different ways, first by target and then by the program target runs. What are the two ways?
2. Produce a sploit-small.dat, as small as possible, that gives a root shell. For this one, it's okay to cause the program to crash when the shell exits. (Hint: Our solution is just 56 bytes.)
3. Produce a sploit.dat that both gives the root shell and does not crash the program. This need not be small.
You are to provide a tarball (i.e., a .tar.gz or .tar.bz2 file) containing answers, sploit-small.dat, sploit.dat, and ID.
As before, ID must contain the names of everyone in the group.
There should be no directory structure: all files in the tarball should be in its root directory.
We highly recommend you use the free version of IDA Pro to aid in your reverse engineering.
Use the same environment from Project 1. You can download the target file from inside the VM:
wget https://www.cs.jhu.edu/~s/teaching/cs460/2012-fall/project2.tar.gz