Stanford CS 155 - Study Notes

This preview shows page 1 out of 2 pages.


Advanced Computer Security
Summer 2006
Project #1

Goal

1. The goal of this assignment is to gain hands-on experience with the effect of buffer overflow bugs. All work in this project is done on a system called boxes (implemented using User-Mode Linux).

2. You are given the source code for two exploitable programs (/tmp/target1 and /tmp/target2). These programs are installed as setuid root in the boxes system. Your goal is to write two exploit programs (sploit1 and sploit2). Program sploit[i] will execute program /tmp/target[i], giving it certain input that should result in a root shell on the boxes system.

3. The skeletons for sploit1 and sploit2 are provided in the sploit/ directory. Note that the exploit programs are very short, so there is no need to write a lot of code here.

The Targets

1. The targets/ directory in the assignment tarball contains the source code for the targets, along with a Makefile specifying how they are to be built.

2. Your exploits should assume that the compiled target programs are installed setuid-root in /tmp – /tmp/target1, /tmp/target2, etc.

The Exploits

The sploits/ directory in the assignment tarball contains skeleton source for the exploits which you are to write, along with a Makefile for building them. Also included is shellcode.h, which gives Aleph One’s shellcode.

The Assignment

You are to write exploits, one per target. Each exploit, when run in the Boxes environment with its target installed setuid-root in /tmp, should yield a root shell (/bin/sh).

gdb is your best friend in this assignment, particularly to understand what’s going on. Specifically, note the “disassemble” and “stepi” commands. You may find the ’x’ command useful to examine memory (and the different ways you can print the contents, such as /a and /i after x). The ’info register’ command is helpful in printing out the contents of registers such as ebp and esp.

A useful way to run gdb is with the -e and -s command line flags; for example, the command ‘gdb -e sploit3 -s /tmp/target3’ in boxes tells gdb to execute sploit3 and use the symbol file in target3. These flags let you trace the execution of target3 after the sploit has forked off the execve process. When running gdb using these command line flags, be sure to ’run’ the program before you set any breakpoints; for our purposes, entering the command ‘run’ naturally breaks the execution at the first SIGTRACE before the target is actually exec-ed, so you can set your breakpoints when gdb catches the SIGTRACE. Note that if you try to set breakpoints before entering the command ‘run’, you’ll get a segmentation fault.

How to set up the Environment

1. You need to set up an Xwindows server on your machine. The two programs that you need to run are “Start→Hummingbird Connectivity 2006→Exceed” and “Start→Hummingbird Connectivity 2006→Exceed Tools→Xstart”.

2. When Xstart runs, change the “method” to “Local Application”, and in the command text box, type “vsh myth.stanford.edu”. Click on the green run button (second last button). Enter your leland password when the prompt appears.

3. Once a terminal window opens, it asks for the terminal type. Type in “vt100”. Once you get a command line, type “xterm &” and another terminal will appear; this new terminal is the one that you’ll want to use from now on.

4. Once you’re in the myth machine, get the setup script by typing

    wget http://crypto.stanford.edu/cs155/boxessetup.sh

   in the xterm.

5. Run the setup and follow the instructions printed out:

    chmod u+x boxessetup.sh ; ./boxessetup.sh

   Once you’ve finished all the instructions, the environment is set and you’re ready to start.

6. There are two accounts on these boxes, root and user. The passwords are the same as the usernames. The sploit files are in user’s home directory and the targets are in /tmp.

7. vi and nano are the only two editors on boxes.

8. To create more virtual terminals, while root in boxes, do

    box:~# TERM=vt100 ; vi /etc/inittab

   and uncomment the lines:

    ##2:23:respawn:/sbin/getty 38400 vc/2
    ##3:23:respawn:/sbin/getty 38400 vc/3

   to spawn two extra console windows on the next reboot of boxes. The only two editors on the boxes environment are nano and vi. If you prefer other editors, write the code outside of boxes and then use ’nano’ to paste the code into a text file in a boxes
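
Added example, not part of the original handout or the course's code: a self-contained C model of the effect the Goal section refers to. A copy with no length check runs past a local buffer into the saved ebp and return address (the values the gdb commands in The Assignment section let you inspect), and a length-checked copy refuses the same input. The struct layout, the function names and the 0x11111111 / 0x22222222 values are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define BUF_LEN 16
enum { F_EBP = 1, F_RET = 2 };

/* Constructed model of a 32-bit x86 frame: a local buffer, then the saved
 * ebp and return address. One struct keeps every write inside one object,
 * so the demonstration has defined behaviour and corrupts nothing real. */
struct frame {
    char     buf[BUF_LEN];
    uint32_t saved_ebp;
    uint32_t ret_addr;
};

/* No check against BUF_LEN (the bug class); capped only at the model size. */
static void copy_unchecked(struct frame *f, const char *src, size_t len) {
    if (len > sizeof *f) len = sizeof *f;
    memcpy(f, src, len);
}

/* Checked copy: rejects input that does not fit in buf with its NUL. */
static int copy_checked(struct frame *f, const char *src, size_t len) {
    if (len >= BUF_LEN) return -1;
    memcpy(f->buf, src, len);
    f->buf[len] = '\0';
    return 0;
}

/* Copies len 'A' bytes into a fresh frame and returns a bitmask of the
 * control fields whose values changed. */
static int run_case(size_t len, int checked) {
    struct frame f = { "", 0x11111111u, 0x22222222u };  /* constructed */
    char input[sizeof(struct frame)];
    int mask = 0;
    memset(input, 'A', sizeof input);
    if (checked) (void)copy_checked(&f, input, len);
    else         copy_unchecked(&f, input, len);
    if (f.saved_ebp != 0x11111111u) mask |= F_EBP;
    if (f.ret_addr  != 0x22222222u) mask |= F_RET;
    return mask;
}

int main(void) {
    for (size_t n = 16; n <= 24; n += 4)
        printf("%2zu bytes: unchecked=%d checked=%d\n",
               n, run_case(n, 0), run_case(n, 1));
    return 0;
}
```

A result of 1 means only the saved ebp changed, 3 means the return address changed as well, and 0 means both control fields kept their values.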

