Stanford CS 155 - Study Notes

This preview shows page 1 out of 2 pages.


CS155: Computer Security
Spring 2002

Project #1
Due: Thursday, April 25th, 2002.

Goal

The goal of this assignment is to gain hands-on experience with the effect of buffer overflow bugs and format string bugs. All work in this project must be done on a system called boxes (implemented using User-Mode Linux) available on the course web site.

You are given the source code for five exploitable programs (/tmp/target1, ... , /tmp/target5). These programs are all installed as setuid root in the boxes system. Your goal is to write five exploit programs (exploit1, ..., exploit5). Program exploit[i] will execute program /tmp/target[i], giving it certain input that should result in a root shell on the boxes system.

The skeletons for exploit1, ..., exploit5 are provided in the exploit/ directory. Note that the exploit programs are very short, so there is no need to write a lot of code here.

The Environment

You will test your exploit programs within a system called Boxes. Boxes, based on User-Mode Linux, allows you to boot a fully-functional Linux system as a userland process on another Linux machine. Boxes is available from the course website. It should run on x86 GNU/Linux machines running a recent 2.4-series kernel. Boxes is also installed in /opt/boxes on two machines in Sweet Hall, plebe7 and plebe8 (aka courses2 and courses3). Please refer to the README file in the Boxes distribution.

It is recommended that you test your exploits in a virtual machine booted with a “closedbox” kernel, so that you cannot accidentally damage your host account.

You can use the ssh daemons running in the image to transfer files from openboxes (with hostfs access) to closedboxes. It is recommended that you develop your code on the host machine, or at least keep frequent backups. The User-Mode Linux kernel is mostly stable, but can occasionally crash.

The Targets

The targets/ directory in the assignment tarball contains the source code for the targets, along with a Makefile specifying how they are to be built.

Your exploits should assume that the compiled target programs are installed setuid-root in the /tmp directory. The targets are called /tmp/target1, /tmp/target2, etc.

The Exploits

The exploits/ directory in the assignment tarball contains skeleton source for the exploits which you are to write, along with a Makefile for building them. Also included is shellcode.h, which gives Aleph One’s shellcode.

The Assignment

You are to write exploits, one per target. Each exploit, when run in the Boxes environment with its target installed setuid-root in /tmp, should yield a root shell (/bin/sh).

Hints

Read Aleph One’s “Smashing the Stack for Fun and Profit.” Carefully. Read scut’s “Exploiting Format String Vulnerabilities.” (Both are linked from the course website.)

To understand what’s going on, it is helpful to run code through gdb. In particular, notice the “disassemble” and “stepi” commands. You can instrument your code with arbitrary assembly using the asm () pseudofunction.

Make sure that your exploits work within the Boxes environment.

Deliverables

You are to provide a tarball (i.e., a .tar.gz or .tar.bz2 file) containing the source files and Makefile for building your exploits. All the exploits should build if the “make” command is issued. There should be no directory structure: all files in the tarball should be in its root directory.

Along with your exploits, you must include a file called ID which contains, on a single line, the following: your SUID number; your Leland username; and your name, in the format last name, comma, first name. An example:

    $ cat ./ID
    3133757 binky Clown, Binky The
    $

You may want to include a README file with comments about your experiences or suggestions for improving the assignment. Again, make sure that you test your exploits within the Boxes environment.

Submission. Instructions for submitting the tarball will be posted on the course

