Stanford CS 155 - Lecture Notes

CS155: Computer Security Spring 2008
Project #1
Due: Part 1: Thursday, April 17 - 11:59 pm, Part 2: Monday, April 21 - 11:59 pm.

Goal

1. The goal of this assignment is to gain hands-on experience with the effect of buffer overflow, format string, and double free bugs. All work in this project must be done on the VMware virtual machine provided on the course website. You will need to download VMware Player from http://www.vmware.com/products/player/.

2. You are given the source code for seven exploitable programs (/tmp/target1, ..., /tmp/target7). These programs are to be installed as setuid root in the VMware virtual machine. Your goal is to write seven exploit programs (sploit1, ..., sploit7). Program sploit[i] will execute program /tmp/target[i], giving it certain input that should result in a root shell on the VMware virtual machine.

3. The skeletons for sploit1, ..., sploit7 are provided in the sploits/ directory. Note that the exploit programs are very short, so there is no need to write a lot of code here.

The Environment

1. You will test your exploit programs within a VMware virtual machine. To do this, you will need to download the virtual machine image provided on the course website as well as VMware Player from VMware's website. VMware Player can run on Linux, Mac OS X (VMware Fusion), and Windows, and is freely available.

2. The virtual machine we provide is configured with Debian Etch. We've left the package management system installed in the image, so should you need any other packages to do your work (e.g. emacs), you can install them with the command apt-get (e.g. apt-get install emacs).

3. The virtual machine is configured to use NAT (Network Address Translation) for networking. From the virtual machine, you can type ifconfig as root to see the IP address of the virtual machine. It should be listed under the field inet addr: under eth0.

4. The virtual machine also has an ssh server. You can ssh into the vm from your machine, using the IP address produced by ifconfig (as above) as the destination. You can also use this to transfer files onto the virtual machine using scp or an sftp client like SecureFX, which is available for free from University computing. Alternatively, you can fetch files directly from the web on the vm using wget.

The Targets

1. The targets/ directory in the assignment tarball contains the source code for the targets, along with a Makefile specifying how they are to be built.

2. Your exploits should assume that the compiled target programs are installed setuid-root in /tmp – /tmp/target1, /tmp/target2, etc.

The Exploits

The sploits/ directory in the assignment tarball contains skeleton source for the exploits which you are to write, along with a Makefile for building them. Also included is shellcode.h, which gives Aleph One's shellcode.

The Assignment

You are to write exploits, one per target. Each exploit, when run in the virtual machine with its target installed setuid-root in /tmp, should yield a root shell (/bin/sh).

Hints

1. Read Aleph One's "Smashing the Stack for Fun and Profit." Carefully. Also read the two optional handouts — have a good understanding of what happens to the stack, program counter, and relevant registers before and after a function call. Read scut's "Exploiting Format String Vulnerabilities." All the papers are linked from the course syllabus. It will be helpful to have a solid understanding of the basic buffer overflow exploits before reading the more advanced exploits.

2. gdb is your best friend in this assignment, particularly to understand what's going on. Specifically, note the "disassemble" and "stepi" commands. You may find the 'x' command useful to examine memory (and the different ways you can print the contents, such as /a or /i after x). The 'info register' command is helpful in printing out the contents of registers such as ebp and esp.

   A useful way to run gdb is to use the -e and -s command line flags; for example, the command 'gdb -e sploit3 -s /tmp/target3' in the vm tells gdb to execute sploit3 and use the symbol file in target3. These flags let you trace the execution of target3 after the sploit has forked off the execve process. When running gdb using these command line flags, be sure to first issue 'catch exec' and then 'run' the program before you set any breakpoints; the command 'run' naturally breaks the execution at the first execve call before the target is actually exec-ed, so you can set your breakpoints when gdb catches the execve. Note that if you try to set breakpoints before entering the command 'run', you'll get a segmentation fault.

   If you wish, you can instrument your code with arbitrary assembly using the asm () pseudofunction.

3. Make sure that your exploits work within the provided virtual machine.

4. Start early. Theoretical knowledge of exploits does not readily translate into the ability to write working exploits. Target1 is relatively simple and the other problems are quite a bit more complicated.

Warnings

Aleph One gives code that calculates addresses on the target's stack based on addresses on the exploit's stack. Addresses on the exploit's stack can change based on how the exploit is executed (working directory, arguments, environment, etc.); in my testing, I do not guarantee to execute your exploits as bash does.

You must therefore hard-code target stack locations in your exploits. You should *not* use a function such as get_sp() in the exploits you hand in.

Deliverables

1. To encourage students to start on the project early, part 1 (due on April 17 11:59 pm) consists of target1 and target2. Part 2 consists of the other 5 targets.

2. You are to provide a tarball (i.e., a .tar.gz or .tar.bz2 file) containing the source files and Makefile for building your exploits. All the exploits should build if the "make" command is issued.

3. There should be no directory structure: all files in the tarball should be in its root directory. (Run tar from inside the sploits/ directory.)

4. Along with your exploits, you must include a file called ID which contains, on a single line, the following: your SUID number; your Leland username; and your name, in the format last name, comma, first name. An example:

   $ cat ./ID
   3133757 hermann Buhl, Hermann
   $

   If you did the project with a partner, then both of you will submit only one solution and the ID file will have two lines giving the relevant information.

You may want to include a README file with comments about your experiences or suggestions for improving
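The Goal section names three bug classes without showing what one looks like in code. The following is an added illustration, not part of the CS155 handout or its target programs: the format string bug class beside its fixed form, plus a small input check a defender can apply to data that reaches a logging layer. The function names are constructed for this example; it assumes a C99 toolchain.

```c
/* Added example, not from the CS155 handout or its targets. */
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Vulnerable pattern: untrusted data is used as the format string, so any
 * "%x" or "%n" inside it is interpreted by printf. Shown for contrast only;
 * main() below never calls it with untrusted data. */
static void log_unsafe(const char *msg) {
    printf(msg);            /* BUG: msg is the format string */
    putchar('\n');
}

/* Fixed pattern: the format is a constant; msg is only ever an argument. */
static void log_safe(const char *msg) {
    printf("%s\n", msg);
}

/* Returns true if s contains a printf conversion directive. A "%%" pair is an
 * escaped percent sign and does not count; a lone trailing '%' does, since
 * printf's behaviour on it is undefined. This is a sanity check for data that
 * should never be a format string, not a replacement for log_safe(). */
bool has_format_directive(const char *s) {
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }   /* "%%": literal percent */
        return true;                          /* "%x", "%n", "%", ... */
    }
    return false;
}

int main(void) {
    /* Constructed sample input, of the shape a format string attack uses. */
    const char *untrusted = "user: %x %x %n";
    log_unsafe("fixed string, no directives");
    log_safe(untrusted);                      /* printed verbatim, harmless */
    if (has_format_directive(untrusted))
        log_safe("warning: input contains a format directive");
    return 0;
}
```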