Berkeley COMPSCI 161 - CS 161 Project


Paxson
Spring 2011
CS 161 Computer Security
Project 1
Due: February 22, 11:59pm

Background

It is a time of rebellion. The evil empire of Caltopia oppresses its people with relentless surveillance, and the emperor has recently unveiled his latest grim weapon: a supremely powerful botnet, called Calnet, that aims to pervasively observe the citizenry and squash their cherished Internet freedoms.

Yet in the enlightened city of Birkland, a flicker of hope remains. The brilliant University of Caltopia alumnus Neo, famed for not only his hacking skills but also the excellent YouTube videos he produces illustrating his techniques, has infiltrated the empire's byzantine networks and hacked his way to the very heart of the Calnet source code repository. As the emperor's dark lieutenant, Prof. Evil of Junior University, attempts to hunt him down, Neo feverishly scours the Calnet source code, hunting for weaknesses. He's in luck! He realizes that Prof. Evil enlisted ill-trained CS students from Junior University in writing Calnet, and, unbeknownst to the empire, the code is assuredly not memory-safe.

Alas, just as Neo begins to code up some righteous exploits to pwn Calnet's components, a barista at the coffeeshop where Neo gets his free WiFi betrays him to Prof. Evil, who brutally cancels Neo's YouTube account and swoops in with a SWAT team to make an arrest. As the thugs smash through the coffeeshop's doors, Neo gets off one final tweet for help. Such are his hacking skillz that he crams a veritable boatload of key information into his final 140 characters, exhorting the University of Birkland's virtuous computer security students to carry forth the flame of knowledge, seize control of Calnet, and let freedom ring once more throughout Caltopia.

Getting Started

In this project, you will write exploits for 4 vulnerable Calnet components. Each program forms one part of the nefarious botnet. All you have to go by are your wits, your grit, and Neo's legacy: guidelines on how to proceed and, most precious, a virtual machine (VM) image that contains code samples from the main Calnet components.

VMware Setup

Neo placed the image at http cs berkeley edu mavam teaching cs161 sp11 vm zip. Download the image and extract it on your local machine. You need VMware to launch the VM. VMware Player is installed on the instructional machines and is also freely available for Windows and Linux. The Mac version of VMware, VMware Fusion, is available as a free 30-day trial.

To use the image, start VMware, select "Open a Virtual Machine", and browse to where you've stored the image. If it asks whether the VM was moved or copied, select "I copied it".

You will run the vulnerable programs and their exploits in the VM. The image is a bare-bones Linux (Ubuntu) installation on a 32-bit Intel architecture. Valid logins are root and calnet, both having the password cs161. The relevant files are located in the home directory of the user calnet. We recommend working as user calnet and using the root login only to modify the VM, e.g., to install additional packages. Further, a convenient way to use the VM is to launch it, find out its IP address via ifconfig eth0, and then work with it remotely via SSH.

The GNU debugger

The GNU debugger gdb will prove useful for this project, and it is worth spending some time becoming comfortable with it. A basic gdb workflow begins with loading the executable in the debugger:

    gdb executable

You can then start running the program with:

    run [arguments to the executable]

Note: here we have changed gdb's default prompt of (gdb) to

In order to stop the execution at a specific line, set a breakpoint before issuing the run command. When execution halts at that line, you can then execute step-wise (commands next and step) or continue (command continue) until the next breakpoint or until the program terminates.

    break <line number or function name>
    run [arguments to the executable]
    step        # branch into function calls
    next        # step over function calls
    continue    # execute until next breakpoint or program termination

Once execution stops, you will find it useful to look at the stack backtrace and the layout of the current stack frame:

    backtrace
    info frame 0
    info registers

You can navigate between stack frames using the up and down commands. To inspect memory at a particular location, you can use the x/FMT command:

    x/16 $esp
    x/32i 0xdeadbeef
    x/64s buf

where the FMT suffix after the slash indicates the output format. Other helpful commands are disassemble and info symbol. You can get a short description of each command via help <command>. In addition, Neo left a concise summary of all gdb commands at http cs berkeley edu mavam teaching cs161 sp11 gdb refcard pdf.

You may find it very helpful to dump the memory image ("core") of a program that crashes. The core captures the process state at the time of the crash, providing a snapshot of the virtual address space, stack frames, etc., at that time. You can activate core dumping with the shell command:

    ulimit -c unlimited

A crashing program then leaves a file core in the current directory, which you can then hand to the debugger together with the executable:

    gdb executable core
    bt       # same as backtrace
    up       # move up the call stack
    i f 1    # same as info frame 1

Lastly, here is how you step into a second program bar that is launched by a first program foo:

    gdb -e foo -s bar             # load executable foo and symbol table of bar
    set follow-fork-mode child    # enable debugging across programs
    b f                           # breakpoint at function f in program bar
    r                             # run foo and break at f in bar

Problems

Problem 1: Buffer Overflow (30 points)

Neo's tweet assures you that, given its hasty development by poorly educated programmers, Calnet's components contain a number of memory-safety vulnerabilities. In the VM that Neo provided, you will find the first code piece located in the directory /home/calnet/q1. The executable you will exploit is named target1. Neo also placed a copy of the corresponding source code in target1.c. You can use it to locate the vulnerability [1].

You also discover the in-progress exploit that Neo had started working on in the file exploit1.c. You are to continue his work and write an exploit for target1 that spawns a root shell. To this end, you can use shellcode provided in shellcode.h. To compile your exploit, type make. After successfully diverting the control flow to the shellcode, you will see a root shell prompt:

    calnet cs161 q1 exploit1

To get started, read "Smashing The Stack For Fun And Profit" by AlephOne [1]. Neo recommended that you try to absorb the high level concepts of
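
The core-dump workflow from the GNU debugger section, wrapped as a small crash-triage helper. This is an added example, not part of the original handout; the function names crash_signal and triage are hypothetical, and it assumes the kernel writes the dump as ./core, as the handout describes.

```shell
#!/bin/sh
# Added example: run a program with core dumps enabled and, if a signal
# killed it, print the gdb views the handout lists for a core file.

# Print the number of the signal that killed the command, or 0 if it
# exited on its own. Shells report death-by-signal as status 128 + signo.
crash_signal() {
    status=0
    (
        # Same setting as the handout's "ulimit -c unlimited"; it can be
        # refused when the hard limit is lower, which we tolerate.
        ulimit -c unlimited 2>/dev/null || true
        "$@" >/dev/null 2>&1
    ) || status=$?
    if [ "$status" -gt 128 ]; then
        echo $((status - 128))
    else
        echo 0
    fi
}

# Run the command; on a crash, hand executable and core to gdb in batch
# mode. Returns 0 when the program did not crash, 1 when it did.
triage() {
    sig=$(crash_signal "$@")
    if [ "$sig" -eq 0 ]; then
        echo "no crash"
        return 0
    fi
    echo "killed by signal $sig"
    # Assumption: the dump lands in ./core (depends on the kernel's
    # core_pattern); skip the gdb step when it is missing.
    if [ -f core ] && command -v gdb >/dev/null 2>&1; then
        gdb -batch -ex 'backtrace' -ex 'info frame' -ex 'info registers' \
            "$1" core
    fi
    return 1
}
```

Call it as `triage ./program args`; on a SIGSEGV it reports signal 11 and prints the backtrace, frame layout and registers from the core.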

