Starting from:
$34.99
CS642 HW4 Solved
This homework assignment needs you to understand vulnerabilities in 5 target programs. The first 4 are required; if you do the 5th you can earn extra credit. You may pair up for this home work (but it's not a requirement). No extra credit for doing it alone. Click here to download HW4 files: HW4.zip.
Prerequisites
For this project, you are going to use a virtual machine configured with Debian stable ("Lenny"), with ASLR (address space layout randomization) turned off. We provide basic VM images for Oracle VirtualBox.
· Download Oracle's Virtual Box: https://vvww.virtualbox.org/wiki/Downloads (https://www.virtualbox.org/wiki/Downloads)
· Download a virtual machine description file.
· Download a virtual disk image file.
Environment Setup
· The user name and password are 'user' and 'user'.
· The root name and password are 'root' and 'root'.
SSH Configuration
It might be easier to work on the VM over SSH from the guest --- easier to do copy-paste commands. Here are some guidelines in case you want to use SSH. (You are free to use the native VM environment or SSH.)
Step 1: Enable Port Forwarding Feature for VM
You will have to enable port forwarding feature to access VM from any terminal using SSH.
On the VirtualBox application window where VM is listed, right click VM listed and click (settings). In (Network, tab, under (Adapter 1\, select `NAT) in (Attached to option.
UnderAcrianced click (Port Forwarding which open a window to set port forwarding option. Add an entry there with following fields
Name Protocol 1-lost IP Host Port Guest IP Guest Port
4/3/2020 HW4
SSH TCP 0.0.0.0 2222 22
Step 2: Using SSH to Access VM and SCP to Transfer Files/Folders
Save the settings in step 1 and restart your VM.
Now sshinto the VM from terminal using the following command
ssh -p 2222 user@127.0.0.1
You can also SCP file/folder into VM using the following command
scp -P 2222 file user@127.0.0.1:—/
scp -r -P 2222 folder user@127.0.0.1:—/
d
The Targets
The `targets/ directory contains the source code for the vulnerable targets, along with a riakefiie) for building them.
Your exploits should assume that the compiled target programs are installed setuid-root in /tmp) --
, /tmp/target0 „ ,/tmp/target1), etc.
To build the targets, change to the targets/ directory and type on the command line; the
,Makefile will take care of building the targets. To install the target binaries in , run:
make install
To make the target binaries setuid-root, run:
su
make setuid
exit # to get out of the root shell
Once you've run :make setuid' use exit to return to your user shell.
Keep in mind that it'll be easier to debug the exploits if the targets aren't setuid. (See below for more on debugging.) If an exploit succeeds in getting a user shell on a non-setuid target in (/tmp , it should succeed in getting a root shell on that target when it is setuid. (But be sure to test that way, too, before submitting your solutions!)
The Exploits
The (sT:doits/ 'contains skeleton source for the exploits which you are to write, along with a Make-le for building them. Also included is ,shellcode. h), which gives Aleph One's shellcode (code which leads a vulnerable target to a shell).
4/3/2020 HW4
The Assignment
You are to write exploits for vulnerable targets, with one exploit per target.
1. The goal of sploit0 is different from the rest of the exploits. Take a look at 1target0. c , the output is "Grade = F" for any string (<20 bytes) you pass. Your goal as an attacker is to hijack the control flow of to print "Grade = A". Use sploit0. c . to generate and pass a "string" that is going to
aid you in obtaining the desired grade, which is A obviously.
2. The rest of the exploits (sploite through sploit4 ), when run in the virtual machine with its target installed setuid-root in (mp , should yield a root shell (
x /bin/sh )).
3. For full credit you must provide an explanation in the sploit[0-4].txt files.
4. We will grade each of your exploits implementation on a zero or all basis. So make sure your code works before submission!
Once again, (spioite-: are required; (sploit4 is extra credit.
Hints
Read the Phrack articles suggested below. Read Aleph One's paper carefully, in particular.
To understand what's going on, it is helpful to run code through gdb. See the GDB tips section below. Make sure that your exploits work within the provided virtual machine.
Start early! Theoretical knowledge of exploits does not readily translate into the ability to write working exploits. target0 is relatively simple and the other problems are quite challenging.
GDB Tips
Notice the (disassemble) andFtepi commands.
You may find the command useful to examine memory (and the different ways you can print the contents such as , /a , /i after 01)). The Linfo register command is helpful in printing out the contents of registers such as el:1 and e sT'.
A useful way to run gdb is to use the and command line flags; for example, the command gdb
-e sploit3 -s /tmp/target3 in the VM tells gdb to execute sploit3 and use the symbol file in target3]. These flags let you trace the execution of the ,targej after the sploit's memory image has been replaced with the target's through the execve system call.
When running gdb using these command line flags, you should follow the following procedure for setting breakpoints and debugging memory:
1. Tell gdb to notify you on exec(), by issuing the command :catch exec‘
2. Run the program. gdb will execute the sploit until the execve syscall, then return control to you
3. Set any breakpoints you want in the target
4. Resume execution by telling gdb (continue ' (or just ).
4/3/2020 HW4
If you wish, you can instrument the target code with arbitrary assembly using the _asm_ () pseudofunction, to help with debugging. Be sure, however, that your final exploits work against the unmodified targets, since these we will use these in grading.
Warnings
Aleph One gives code that calculates addresses on the target's stack based on addresses on the exploit's stack. Addresses on the exploit's stack can change based on how the exploit is executed (working directory, arguments, environment, etc.); during grading, we do not guarantee to execute your exploits exactly the same way bash does. You must therefore hard-code target stack locations in your exploits. You should *not* use a function such as get_sp() in the exploits you hand in.
(In other words, during grading the exploits may be run with a different environment and different working directory than one would get by logging in as user, changing directory to (-inw4ispioits , and running . /sploitl , etc.; your exploits must work even so.)
Your exploit programs should not take any command-line arguments.
Submission
You need to submit:
1. The source code for your exploits ( sploit0 . c through sploit3 . c and/or sploit4.c ).
2. ID: this include both you and your partner's wisc emails and names.
3. The explanation for your exploits( sploitO.txt through sploit3 .txt and/or sploit4.txt ) to explain how your exploit works: what is the bug in the corresponding target, how you exploit it, and where the various constants in your exploit come from. If you don't explain, you won't get full credits even if your code works.
As a team, only one person should submit the homework. That person should compress all the files into one zip file, name it with his/her own netlD.
Suggested Readings
Basic readings:
· Aleph One, Smashing the stack for fun and profit (https://insecure.org/stf/smashstack.html)
· blexim, Basic Integer Overflows (http://phrack.org/issues/60/10.html)_, Phrack 60 #0x10.
· Gera and Riq, Advances in Format String Exploiting (http://phrack.org/isbues/59/..html) , Phrack 59 #0x04.
· klog, . Frame Pointer Overwrite (http://phrack.org/issues/55/8.html)_, Phrack 55 #08.
· Anonymous, Once Upon a free()... (http://phrack.org/issues/57/9.html) , Phrack 57 #0x09.
Advanced readings:
· Bulba and Kil3r, Bypassing StackGuard and StackShield (http://phrack.org/issues/56/5.html)_, Phrack 56 #0x05.
https://canvas.wisc.edu/courses/190368/assignments/801571
Prerequisites
For this project, you are going to use a virtual machine configured with Debian stable ("Lenny"), with ASLR (address space layout randomization) turned off. We provide basic VM images for Oracle VirtualBox.
· Download Oracle's Virtual Box: https://vvww.virtualbox.org/wiki/Downloads (https://www.virtualbox.org/wiki/Downloads)
· Download a virtual machine description file.
· Download a virtual disk image file.
Environment Setup
· The user name and password are 'user' and 'user'.
· The root name and password are 'root' and 'root'.
SSH Configuration
It might be easier to work on the VM over SSH from the guest --- easier to do copy-paste commands. Here are some guidelines in case you want to use SSH. (You are free to use the native VM environment or SSH.)
Step 1: Enable Port Forwarding Feature for VM
You will have to enable port forwarding feature to access VM from any terminal using SSH.
On the VirtualBox application window where VM is listed, right click VM listed and click (settings). In (Network, tab, under (Adapter 1\, select `NAT) in (Attached to option.
UnderAcrianced click (Port Forwarding which open a window to set port forwarding option. Add an entry there with following fields
Name Protocol 1-lost IP Host Port Guest IP Guest Port
4/3/2020 HW4
SSH TCP 0.0.0.0 2222 22
Step 2: Using SSH to Access VM and SCP to Transfer Files/Folders
Save the settings in step 1 and restart your VM.
Now sshinto the VM from terminal using the following command
ssh -p 2222 user@127.0.0.1
You can also SCP file/folder into VM using the following command
scp -P 2222 file user@127.0.0.1:—/
scp -r -P 2222 folder user@127.0.0.1:—/
d
The Targets
The `targets/ directory contains the source code for the vulnerable targets, along with a riakefiie) for building them.
Your exploits should assume that the compiled target programs are installed setuid-root in /tmp) --
, /tmp/target0 „ ,/tmp/target1), etc.
To build the targets, change to the targets/ directory and type on the command line; the
,Makefile will take care of building the targets. To install the target binaries in , run:
make install
To make the target binaries setuid-root, run:
su
make setuid
exit # to get out of the root shell
Once you've run :make setuid' use exit to return to your user shell.
Keep in mind that it'll be easier to debug the exploits if the targets aren't setuid. (See below for more on debugging.) If an exploit succeeds in getting a user shell on a non-setuid target in (/tmp , it should succeed in getting a root shell on that target when it is setuid. (But be sure to test that way, too, before submitting your solutions!)
The Exploits
The (sT:doits/ 'contains skeleton source for the exploits which you are to write, along with a Make-le for building them. Also included is ,shellcode. h), which gives Aleph One's shellcode (code which leads a vulnerable target to a shell).
4/3/2020 HW4
The Assignment
You are to write exploits for vulnerable targets, with one exploit per target.
1. The goal of sploit0 is different from the rest of the exploits. Take a look at 1target0. c , the output is "Grade = F" for any string (<20 bytes) you pass. Your goal as an attacker is to hijack the control flow of to print "Grade = A". Use sploit0. c . to generate and pass a "string" that is going to
aid you in obtaining the desired grade, which is A obviously.
2. The rest of the exploits (sploite through sploit4 ), when run in the virtual machine with its target installed setuid-root in (mp , should yield a root shell (
x /bin/sh )).
3. For full credit you must provide an explanation in the sploit[0-4].txt files.
4. We will grade each of your exploits implementation on a zero or all basis. So make sure your code works before submission!
Once again, (spioite-: are required; (sploit4 is extra credit.
Hints
Read the Phrack articles suggested below. Read Aleph One's paper carefully, in particular.
To understand what's going on, it is helpful to run code through gdb. See the GDB tips section below. Make sure that your exploits work within the provided virtual machine.
Start early! Theoretical knowledge of exploits does not readily translate into the ability to write working exploits. target0 is relatively simple and the other problems are quite challenging.
GDB Tips
Notice the (disassemble) andFtepi commands.
You may find the command useful to examine memory (and the different ways you can print the contents such as , /a , /i after 01)). The Linfo register command is helpful in printing out the contents of registers such as el:1 and e sT'.
A useful way to run gdb is to use the and command line flags; for example, the command gdb
-e sploit3 -s /tmp/target3 in the VM tells gdb to execute sploit3 and use the symbol file in target3]. These flags let you trace the execution of the ,targej after the sploit's memory image has been replaced with the target's through the execve system call.
When running gdb using these command line flags, you should follow the following procedure for setting breakpoints and debugging memory:
1. Tell gdb to notify you on exec(), by issuing the command :catch exec‘
2. Run the program. gdb will execute the sploit until the execve syscall, then return control to you
3. Set any breakpoints you want in the target
4. Resume execution by telling gdb (continue ' (or just ).
4/3/2020 HW4
If you wish, you can instrument the target code with arbitrary assembly using the _asm_ () pseudofunction, to help with debugging. Be sure, however, that your final exploits work against the unmodified targets, since these we will use these in grading.
Warnings
Aleph One gives code that calculates addresses on the target's stack based on addresses on the exploit's stack. Addresses on the exploit's stack can change based on how the exploit is executed (working directory, arguments, environment, etc.); during grading, we do not guarantee to execute your exploits exactly the same way bash does. You must therefore hard-code target stack locations in your exploits. You should *not* use a function such as get_sp() in the exploits you hand in.
(In other words, during grading the exploits may be run with a different environment and different working directory than one would get by logging in as user, changing directory to (-inw4ispioits , and running . /sploitl , etc.; your exploits must work even so.)
Your exploit programs should not take any command-line arguments.
Submission
You need to submit:
1. The source code for your exploits ( sploit0 . c through sploit3 . c and/or sploit4.c ).
2. ID: this include both you and your partner's wisc emails and names.
3. The explanation for your exploits( sploitO.txt through sploit3 .txt and/or sploit4.txt ) to explain how your exploit works: what is the bug in the corresponding target, how you exploit it, and where the various constants in your exploit come from. If you don't explain, you won't get full credits even if your code works.
As a team, only one person should submit the homework. That person should compress all the files into one zip file, name it with his/her own netlD.
Suggested Readings
Basic readings:
· Aleph One, Smashing the stack for fun and profit (https://insecure.org/stf/smashstack.html)
· blexim, Basic Integer Overflows (http://phrack.org/issues/60/10.html)_, Phrack 60 #0x10.
· Gera and Riq, Advances in Format String Exploiting (http://phrack.org/isbues/59/..html) , Phrack 59 #0x04.
· klog, . Frame Pointer Overwrite (http://phrack.org/issues/55/8.html)_, Phrack 55 #08.
· Anonymous, Once Upon a free()... (http://phrack.org/issues/57/9.html) , Phrack 57 #0x09.
Advanced readings:
· Bulba and Kil3r, Bypassing StackGuard and StackShield (http://phrack.org/issues/56/5.html)_, Phrack 56 #0x05.
https://canvas.wisc.edu/courses/190368/assignments/801571
1 file (1.2MB)
