Berkeley COMPSCI 161 - CS 161 Project


Paxson
Spring 2011
CS 161 Computer Security
Project 1
Due: February 22, 11:59pm

Background

It is a time of rebellion. The evil empire of Caltopia oppresses its people with relentless surveillance, and the emperor has recently unveiled his latest grim weapon: a supremely powerful botnet, called Calnet, that aims to pervasively observe the citizenry and squash their cherished Internet freedoms.

Yet in the enlightened city of Birkland, a flicker of hope remains. The brilliant University of Caltopia alumnus Neo, famed for not only his hacking skills but also the excellent YouTube videos he produces illustrating his techniques, has infiltrated the empire’s byzantine networks and hacked his way to the very heart of the Calnet source code repository. As the emperor’s dark lieutenant, Prof. Evil of Junior University, attempts to hunt him down, Neo feverishly scours the Calnet source code hunting for weaknesses. He’s in luck! He realizes that Prof. Evil enlisted ill-trained CS students from Junior University in writing Calnet, and unbeknownst to the empire, the code is assuredly not memory-safe.

Alas, just as Neo begins to code up some righteous exploits to pwn Calnet’s components, a barista at the coffeeshop where Neo gets his free WiFi betrays him to Prof. Evil, who brutally cancels Neo’s YouTube account and swoops in with a SWAT team to make an arrest. As the thugs smash through the coffeeshop’s doors, Neo gets off one final tweet for help. Such are his hacking skillz that he crams a veritable boatload of key information into his final 140 characters, exhorting the University of Birkland’s virtuous computer security students to carry forth the flame of knowledge, seize control of Calnet, and let freedom ring once more throughout Caltopia . . .

Getting Started

In this project you will write exploits for 4 vulnerable Calnet components. Each program forms one part of the nefarious botnet. All you have to go by are your wits, your grit, and Neo’s legacy: guidelines on how to proceed, and, most precious, a virtual machine (VM) image that contains code samples from the main Calnet components.

VMware Setup

Neo placed the image at http://cs.berkeley.edu/~mavam/teaching/cs161-sp11/vm.zip. Download the image and extract it on your local machine. You need VMware to launch the VM. VMware Player is installed on the instructional machines and is also freely available for Windows and Linux. The Mac version of VMware (VMware Fusion) is available as a free 30-day trial. To use the image, start VMware, select Open a Virtual Machine, and browse to where you’ve stored the image. If it asks whether the VM was moved or copied, select I copied it.

You will run the vulnerable programs and their exploits in the VM. The image is a bare-bones Linux Ubuntu installation on a 32-bit Intel architecture. Valid logins are root and calnet, both having the password cs161. The relevant files are located in the home directory of the user calnet. We recommend working as user calnet and using the root login only to modify the VM, e.g., to install additional packages. Further, a convenient way to use the VM is to launch it, find out its IP address via ifconfig eth0, and then work with it remotely via SSH.

The GNU debugger

The GNU debugger gdb will prove useful for this project, and it is worth spending some time becoming comfortable with it. A basic gdb workflow begins with loading the executable in the debugger:

    gdb executable

You can then start running the program with:

    $ run [arguments-to-the-executable]

(Note: here we have changed gdb’s default prompt of (gdb) to $.)

In order to stop the execution at a specific line, set a breakpoint before issuing the “run” command. When execution halts at that line, you can then execute step-wise (commands next and step) or continue (command continue) until the next breakpoint or the program terminates.

    $ break line-number or function-name
    $ run [arguments-to-the-executable]
    $ step        # branch into function calls
    $ next        # step over function calls
    $ continue    # execute until next breakpoint or program termination

Once execution stops, you will find it useful to look at the stack backtrace and the layout of the current stack frame:

    $ backtrace
    $ info frame 0
    $ info registers

You can navigate between stack frames using the up and down commands. To inspect memory at a particular location, you can use the x/FMT command

    $ x/16 $esp
    $ x/32i 0xdeadbeef
    $ x/64s &buf

where the FMT suffix after the slash indicates the output format. Other helpful commands are disassemble and info symbol. You can get a short description of each command via

    $ help command

In addition, Neo left a concise summary of all gdb commands at:

    http://cs.berkeley.edu/~mavam/teaching/cs161-sp11/gdb-refcard.pdf

You may find it very helpful to dump the memory image (“core”) of a program that crashes. The core captures the process state at the time of the crash, providing a snapshot of the virtual address space, stack frames, etc., at that time. You can activate core dumping with the shell command:

    % ulimit -c unlimited

A crashing program then leaves a file core in the current directory, which you can then hand to the debugger together with the executable:

    gdb executable core
    $ bt       # same as backtrace
    $ up       # move up the call stack
    $ i f 1    # same as "info frame 1"
    $ ...

Lastly, here is how you step into a second program bar that is launched by a first program foo:

    gdb -e foo -s bar               # load executable foo and symbol table of bar
    $ set follow-fork-mode child    # enable debugging across programs
    $ b bar:f                       # breakpoint at function f in program bar
    $ r                             # run foo and break at f in bar

Problems

Problem 1 Buffer Overflow (30 points)

Neo’s tweet assures you that given its hasty development by poorly educated programmers, Calnet’s components contain a number of memory-safety vulnerabilities. In the VM that Neo provided, you will find the first code piece located in the directory /home/calnet/q1. The executable you will exploit is named target1. Neo also placed a copy of the corresponding source code in target1.c. You can use it to locate the vulnerability.¹ You also discover the in-progress exploit that Neo had started working on in the file exploit1.c. You are to continue his work and write an exploit for target1 that spawns a root shell. To this end, you can use shellcode provided in shellcode.h. To compile your exploit, type make. After successfully diverting the control flow to the shellcode, you will see a root shell
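
A small practice target for the gdb and core-dump workflow described above. This is an added example, not part of the original handout or of the Calnet VM; the file name frames.c and all function names are made up for illustration. It assumes a Linux system where crashing programs write a core file to the current directory.

```c
/* frames.c: gdb practice target (added example; all names are made up).
 * Build with debug info and no optimization:  gcc -g -O0 -o frames frames.c */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/resource.h>

/* Same effect as `ulimit -c unlimited` in the shell, but from inside the
 * process: raise the soft core-size limit to the hard limit.
 * Returns 0 on success, -1 on failure. */
int enable_core_dumps(void)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_CORE, &rl) != 0)
        return -1;
    rl.rlim_cur = rl.rlim_max;
    return setrlimit(RLIMIT_CORE, &rl);
}

/* Innermost frame. After `break leaf` and `run`, the commands `backtrace`,
 * `info frame 0`, `x/64s &buf` and `up` / `down` all have something to show. */
int leaf(const char *tag, int crash)
{
    char buf[32];
    snprintf(buf, sizeof buf, "leaf:%s", tag);   /* bounded copy into buf */
    if (crash)
        abort();   /* SIGABRT can leave a core file for `gdb frames core` */
    return (int)strlen(buf);
}

/* Two wrapper frames so that the backtrace has some depth. */
int middle(const char *tag, int crash) { return leaf(tag, crash) + 1; }
int outer(const char *tag, int crash)  { return middle(tag, crash) + 1; }

int main(int argc, char **argv)
{
    (void)argv;
    if (enable_core_dumps() != 0)
        perror("setrlimit");
    /* Any command-line argument selects the crashing path. */
    int n = outer("demo", argc > 1);
    printf("outer returned %d\n", n);
    return 0;
}
```

Run it once without arguments under gdb to practice breakpoints and frame inspection, then once with any argument to produce a core and load it with gdb frames core.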

