$24
Assignment 8: Buffer Overflows Solution
Introduction
In this assignment you will implement bu er-over ow attacks to hijack victim programs, starting with the example program David attacked in class.
Rules (mostly unchanged from before)
Collaboration policy. Please respect the following collaboration policy: You may discuss prob-lems with up to 3 other students in the class, but you must write up your own responses and your own code. You should never see your collaborators’ writing, code, ags, or the output of their code. At the beginning of your submission write-up, you must indicate the names of your (1, 2, or 3) collaborators, if any. You may switch groups between assignments but not within the same assignment.
Sources. Cite any sources you use. You may Google liberally to learn about Linux commands, assembly, gdb, etc. You must, however, note at the end of your writeup for each task the sources you referenced. Please note any you found particularly helpful since we might include them in future versions of this writeup.
Campuswire. We encourage you to post questions on Campuswire, but do not include any of your code in the Campuswire posts. If you have a question that you believe will reveal secrets you have discovered while working on the assignment, post privately to just the instructors. If you have a question that you believe will be of general interest or clari es the assignment, please post publicly. If you are uncertain, post privately; we will make public posts that we believe are of general interest.
Grading. Responses will be graded for correctness and clarity.
What and How to Submit
Submit a tar le cnetid.tar to Canvas containing:
A le <cnetid-writeup.pdf/txt with information requested from the problems.
The six les sploit0.c, ..., sploit5.c.
1
Tech Set-Up
0.1 Install VirtualBox and the Class VM
For this assignment you will run a virtual machine locally; doing so allows for a controlled envi-ronment (e.g. 32 bit, ASLR turned o , etc) and makes carrying out the attacks much easier. Here are the instructions for setting up your VM:
Download and install VirtualBox at https://www.virtualbox.org/.
Download the class VM at https://people.cs.uchicago.edu/~davidcash/ CS232-Assignment-8.ova.
Open the .ova le with VirtualBox, and follow the prompts to create a new VM. You should not have to change of any of the settings.
Start your VM and con rm that you can log in. There are two accounts: user with password user, and root with password root.
0.2 Build the Victim Programs
In the user home directory there is a directory called assignment8 that contains the les you’ll use. The directory /home/user/assignment8/targets/ contains the source code of victim programs you’ll attack. To build them, run make, and then sudo make install. This will copy the executable les into /tmp/, which is where the attacker programs will expect to nd them. Be sure to always use to the make le for this, to ensure the needed compiler ags and le permissions are set.
0.3 Quality-of-Life Recommendations
Logging into the terminal provided by VirtualBox is workable, but I nd it annoyingly primitive. Instead, I ssh into the VM. This way I can easily open several terminals, and get nice features like syntax highlighting, scrolling in the terminal, and cut-and-paste.
The VM is con gured to have the static IP 192.168.56.232. Accessing the VM should work out of the box, via ssh user@192.168.56.232 on your machine’s command line. If this does not work, then do the following to check that the VM’s network card is properly con gured:
Click on the VM (default name is CS232-Assignment-8).
Click on \Settings" (the gear icon at the top).
Click on \Network" at the top.
Check that the network adapter is enabled, and set to \Host-only Adapter" in the \Attached to:" drop-down list.
If this still does not work, try asking for help in person or on Campuswire.
Note that you can avoid typing a password constantly by installing your SSH public key in the VM under the user account. A simple way to do this from your machine is to change to the di-rectory containing your pub le (usually called id rsa.pub) and run ssh-copy-id -i id rsa.pub user@192.168.56.232. After this, you should be able to log in without typing a password.
2
We can make ssh even easier to use by creating a le on your host machine ~/.ssh/config with the following lines:
Host a8
HostName 192.168.56.232
User user
After doing this, you should be able to access your VM by simply typing ssh a8. This is handy in general; For instance I have the following in my con g le to save typing:
Host uc
Hostname linux.cs.uchicago.edu
User davidcash
You can put several such host con gurations in the same le.
Finally, if you want to install additional packages on the VM, that is ne, but your attacks will need to work on a clean copy of the assignment VM. To install packages, you will need to connect your VM to the Internet to do this. The easiest way to do this is to shut down the VM and change the network adapter from \Host-only Adapter" to \NAT" or \Bridged Adapter", and then reboot. You’ll need to undo this change to connect to the VM from your host machine.
0.4 Resources
You may nd the following classic bu er-over ow readings useful:
Smashing The Stack For Fun And Pro t http://phrack.org/issues/49/14.html#article
Basic Integer Over ows http://phrack.org/issues/60/10.html#article
The textbook also has good coverage of integer over ow bugs.
Problem 0-5
In /home/user/assignment8/sploits/ you will nd skeleton les sploit0.c, ..., sploit5.c, along with shellcode.h. These les can be compiled with the make le included in that directory. When run, the skeleton code will execute their respective target from /tmp/. The args array are the command line arguments passed to the target. You shouldn’t modify env, except perhaps for sploit5 (and even then there are other ways to nish that problem).
You will modify les sploit0.c, ..., sploit5.c so that each, when compiled and run, executes the appropriate target and obtains a shell (since the targets are all root setuid binaries, the shell will be a root shell; you can test this with whoami). For your convenience, shellcode.h contains the classic NULL-free shellcode that I used in class.
You may nd it useful, especially at the very start, to try attacking the targets directly at the command line instead of via the sploit les. But ultimately you must implement your attacks in the sploit les because grading will assume this format. (I nd this easier, since working in C makes it is to feed binary garbage to the program as an argument.)
Note that while debugging your attacks, you will need to run gdb sploitx, and then set gdb to follow the child target process by typing set follow-fork-mode child into gdb. Note that when
3
you set a breakpoint in main, gdb will break at both the main in the sploit and the main in the target. Once you’re in the target, you can set further breakpoints. (Another quality-of-life recommendation: Put the set follow-fork-mode child command in a le /home/user/.gdbinit, and it will run every time you start gdb. You can put other startup commands there, and also alias your favorite commands too.)
You may modify the target les as you like. But be sure to check that your nal sploits work against the original les. For your convenience, the assignment includes a tar le with the original code so you can reset the target les if needed.
Problem 5. The last problem is built to have a non-executable stack. You will need to implement a return-to-libc attack for this sploit. For full credit, your program should exit gracefully after closing the shell instead of crashing the target. This is typically accomplished by calling exit() after the call that produces the shell.
What to submit. In addition to your sploit les, in you write-up, include for each problem a description of how your attack works. You don’t need to include the binary input itself, but describe its structure and how it hijacks control of the program.
Some Hints for Working with gdb
The attached gdb-cmds.txt le contains all of the commands I needed for all of my attacks. I will hold a tutorial session soon; Look on Campuswire for details.
4
