UT CS 345 - CS 345 Homework 2


CS 345 - Programming Languages
Fall 2010
Homework #2
Due: 2pm CDT (in class), September 30, 2010

Collaboration policy

This assignment can be done in teams of at most two students.

Any cheating (e.g., submitting another person’s work as your own, or permitting your work to be copied) will automatically result in a failing grade. The Computer Science Department Code of Conduct can be found at http://www.cs.utexas.edu/academics/conduct/.

Late submission policy

This homework is due at the beginning of class on September 30. All late submissions will be subject to the following policy.

You start the semester with a credit of 3 late days. For the purpose of counting late days, a “day” is 24 hours starting at 2pm on the assignment’s due date. Partial days are rounded up to the next full day. You are free to divide your late days among the take-home assignments any way you want: submit four assignments 1 day late, submit one assignment 3 days late, etc. After your 3 days are used up, no late submissions will be accepted and you will automatically receive 0 points for each late assignment.

Homework #2 (35 points + 15 bonus points)

Objective

The objective of this project is to give you hands-on experience with implementing buffer overflow exploits. You are given the source code for three exploitable programs (target1.c, target2.c, target3.c). These programs are all installed with root (i.e., superuser) privileges in the VMware virtual machine.

Your goal is to write two exploit programs (you only need to write the third exploit if you want 15 bonus points). Each exploit program will execute its target, giving it a certain input that should result in a root shell on the VMware virtual machine. See below (Your assignment) for more details.

Files

You will need:

• The VMware Player: http://www.vmware.com/products/player/
• The virtual machine image: http://www.cs.utexas.edu/~shmat/courses/cs345/box.tar.bz2
• The project files: http://www.cs.utexas.edu/~shmat/courses/cs345/cs345-hw2.tar.bz2

VMware environment

You will test your exploit programs in a VMware virtual machine. To do this, you will need to download the virtual machine image as well as the VMware Player from VMware’s website (see above). VMware Player can run on Linux, Windows, and Mac OS X (VMware Fusion).

The virtual machine we provide is configured with Debian Etch. Should you need any other packages to do your work (e.g., emacs), you can install them with the command apt-get (e.g., apt-get install emacs).[1]

The virtual machine is configured to use NAT for networking. From the virtual machine, you can type ifconfig as root to see the IP address of the virtual machine. It should be listed under the field inet addr: under eth0.

The virtual machine also has an SSH server. You can SSH into the virtual machine from your machine, using the IP address produced by ifconfig (see above) as the destination. You can also use this to transfer files onto the virtual machine using scp. Alternatively, you can fetch files directly from the web on the VM using wget.

[1] You may need to edit the /etc/apt/sources.list file and replace http://mirrors.kernel.org/debian with http://archive.debian.org/debian everywhere.

Targets

The project files (cs345-hw2.tar.bz2) contain the source code for the targets, along with a Makefile specifying how they are to be built.

Your exploits should assume that the compiled target programs are installed setuid-root in /tmp – /tmp/target1, /tmp/target2, etc.

Exploits

The project files (cs345-hw2.tar.bz2) also contain skeleton source code for the exploits which you are to write, along with a Makefile for building them. Also included is shellcode.h, which gives Aleph One’s shellcode. Exploit programs are very short, so there is no need to write a lot of code.

Your assignment

You are to write one exploit per target. Each exploit, when run in the virtual machine with its target installed setuid-root in /tmp, should yield a root shell (/bin/sh). You can use whoami to tell if you are root or not.

Grading

There are two targets. Each successful exploit will give you a certain amount of points:

Target 1: 20 points
Target 2: 15 points

Target 3 is the bonus target. It is worth 15 extra points on top of the regular points for this assignment.

Hints

Read Aleph One’s “Smashing the Stack for Fun and Profit” carefully. Read scut’s “Exploiting Format String Vulnerabilities.” Both are linked from the reference section of the course website.

gdb is your best friend in this assignment. It will help you inspect the contents of memory as your target is executing and generally understand what’s going on. In particular, notice the disassemble and stepi commands. You may find the x command useful to examine memory (and the different ways you can print the contents, such as /a or /i after x). The info register command is helpful in printing out the contents of registers such as ebp and esp. Another very useful command is info frame. It prints a detailed description of the selected frame.

When you run gdb, you will find the -e and -s command-line flags useful. For example, the command gdb -e sploit1 -s /tmp/target1 in the virtual machine tells gdb to execute sploit1 and use the symbol file in target1. These flags let you trace the execution of target1 after the sploit has forked off the execve process. When running gdb using these command-line flags, be sure to first issue catch exec, then run the program before you set any breakpoints; the command run naturally breaks the execution at the first execve call before the target is actually exec-ed, so you can set your breakpoints when gdb catches the execve. Note that if you try to set breakpoints before entering the command run, you’ll get a segmentation fault.

If gdb has trouble finding the source files of targets, try running it with the -d /tmp command-line flag.

If you wish, you can instrument your code with arbitrary assembly using the __asm__() pseudofunction.

IMPORTANT: Your code must run within the provided virtual machine environment.

Warnings

Aleph One gives code that calculates addresses on the target’s stack based on addresses on the exploit’s stack. Addresses on the exploit’s stack can change based on how the exploit is executed (working directory, arguments, environment, etc.). In our testing, we do not guarantee to execute your exploits as bash does.

You must therefore hard-code target stack locations in your exploits. You should not use a function such as get_sp() in the exploits you hand in.

Your exploit programs should not take any

