Project 1: Memory Safety

Due: Tuesday, October 11, 2016, 23:59


The goal of this assignment is to gain hands-on experience with the effect of buffer overflows and other memory-safety bugs.

All work in this project must be done in the QEMU virtual machine provided on the course website; see below for information about this environment.

You are given, in the targets directory, the source code for six exploitable programs, target1, …, target6. These programs are to be compiled and installed, setuid root, in the /tmp directory of your VM. Your goal is to write six exploit programs sploit1, …, sploit6, each of which will execute the corresponding target with input that exploits that target’s bug, giving a root shell on the VM.

We have provided skeletons for these exploits programs in the sploits directory, as sploit1.c, …, sploit6.c. Our own solutions, incidentally, are very short: fewer than 50 lines each. So while understanding and exploiting the bugs will not be easy, you will not need to write a lot of code.


You may work on this project in collaboration with a single partner as described on the main page.

You must not discuss the project with anyone other than your partner and course staff. You may use online resources for general reference, but not to search for solutions to specific questions posed in this project.

The Environment

You (and we, for grading) will test your exploit programs within a QEMU ARM virtual machine. This virtual machine emulates an ARM processor.

There are three options for running this virtual machine.

In any case, you will need to download and decompress qemu-arm.tar.bz2. The ARM VM can be started by running the inside the qemu-arm directory. You can log in to the user account using the username/password armuser/armuser. In addition to giving you “console” access to the emulated ARM machine, the script forwards local port 2200 to port 22 (the ssh port) in the VM. Thus, from a Linux or OS X machine, you can ssh to the ARM VM using

$ ssh -larmuser -p 2200 localhost

You can put the following lines in your local machine’s $HOME/.ssh/config to provide easy ssh access:

Host = armguest
HostName = localhost
Port = 2200
User = armuser

You can then use the following to log in.

$ ssh armguest

If you are running the QEMU VM inside a VirtualBox VM which has been configured to forward host port 2222 to guest port 22, then the following line in your $HOME/.ssh/config works (modify username and add an ssh key as necessary):

Host = vboxvm
HostName = localhost
Port = 2222
User = username

Host = armguest
ProxyCommand = ssh -q vboxvm localhost 2200

The VM has Ubuntu installed as well as a number of useful utilities such as vim, ssh, and wget, and several hex editors such as dhex.

Once you have the QEMU VM installed, launch it, log in, and clone your assignment repository. You’ll first need to install git using sudo apt-get install git.

The Targets

The targets directory in the assignment tarball contains the source code for the targets along with a Makefile specifying how they are to be built. To compile the targets and install them setuid root in /tmp, use the commands make and make install.

target5 is fairly complicated. It reads commands for manipulating strings from the file specified as its argument. Due to the way target5 is compiled, the glibc malloc/free/realloc functions are not used. Instead, the replacement functions in smalloc.c are called. It is easiest to set a breakpoint in smalloc/sfreer/srealloc rather than trying to step into calls to malloc.

The Exploits

The sploits directory in the assignment contains skeleton source for the exploits which you are to write, along with a Makefile for building them. Also included is shellcode.h, which contains shellcode for you to use.

Your exploits should assume that the compiled target programs are installed in /tmp/tmp/target1, …, /tmp/target6.

Along with each exploit skeleton file, there is an empty text file that you should fill with an explanation of the bug in the corresponding target and how your exploit takes advantage of it. You will submit this explanation along with your exploit.

The Assignment

You are to write exploits, one per target. Each exploit, when run in the virtual machine with its target installed setuid-root in /tmp, should yield a root shell (/bin/sh).



Aleph One gives code that calculates addresses on the target’s stack based on addresses on the exploit’s stack. Addresses on the exploit’s stack can be changed based on how the exploit is executed (working directory, arguments, environment, etc.); in our testing, we do not guarantee to execute your exploits the same way bash does.

You must, therefore, hard-code target stack locations in your exploits. You should not use a function such as get_sp in the exploits you hand in.