Starting from:
$35

$29

Project 1 Buffer Overflow Solution




The goals of this project:




Understanding the concepts of buffer overflow



Exploiting a stack buffer overflow vulnerability
Understanding code reuse attacks (advanced buffer overflow attacks)



Students should be able to clearly explain: 1) what is buffer overflow; 2) why buffer overflow is dangerous; 3) how to exploit a buffer overflow. With the knowledge about buffer overflow, students are expected to launch an attack that exploits a stack buffer overflow vulnerability in a provided toy program. Finally, students are asked to read up on and write about code reuse attacks.




1. Understanding Buffer Overflow




Note: For this task, you may use online resources to show a program with these vulnerabilities, but please cite these online sources. The diagrams should be your own (not copied from the online resources). You can use Purdue OWL format for citing, as well as http://www.easybib.com/website-citation.




Stack buffer overflow (25 points)



(15 points) Memory Architecture. Describe the stack in the address space of the VM, in generalities. Specifically, address where in memory the stack would be located, what the stack structure looks like when data is pushed onto the stack and popped off the stack. Discuss what register values are placed onto the stack, where user variables are placed within the stack, where arguments would be placed in the stack relative to pertinent register storage within the stack, and finally how program control flow is implemented using the stack. How does the stack structure get affected when a buffer of size ‘non-binary’ is allocated by a function (ie – buffer size which causes misalignment within the stack)? When a stack grows, in which direction, relative to overall memory, does a stack consume memory?



(10 points) Write a testing program (not sort.c from task 2) that contains a stack buffer overflow vulnerability. Show what the stack layout looks like and explain how to exploit it. In particular, please include in your diagram: (1) The order of parameters (if applicable), return address, saved registers (if applicable), and local variable(s), (2) their sizes in bytes, (3) size of the overflowing buffer to reach return address, and (4) the overflow direction in the stack (5) What locations within the stack are actually overwritten with your target data to exploit a stack to cause the routine you want to execute to be invoked? You are not required to write the real exploit code, but you may want to use some figures to make your description clear and concise.



Heap buffer overflow (15 points)



(5 points) Memory Architecture. Where is the Heap located in a machine’s memory map, in general. Contrast this to Stack memory allocation.
(10 points) Write a testing program that contains a heap buffer overflow vulnerability. Show what the heap layout looks like and explain how to exploit it. In particular, please include in your diagram: (1) each chunk of memory allocated by malloc(), (2) their sizes in bytes, (3) metadata of heap as it gets overwritten, (4) the sizes of this metadata in bytes, and (5) which metadata get overwritten and how the attacker controls which value can get written to any arbitrary location in memory.
Address the data structure implemented in a heap memory. How are allocated and non-allocated chunks structured? Is heap memory contiguous within memory architecture? Again, you do not need to write and test the real exploit code, but you may want to use some figures to make your description clear and concise.







2. Exploiting Buffer Overflow (50 points)




The attached C code (sort.c) contains a stack buffer overflow vulnerability. Please write an exploit (by modifying data.txt) to open a shell on Linux. The high level idea is to overwrite the return address with the address of function system(), and pass the parameter “/bin/sh” to this function. Once the return instruction is executed, this function will be called to open a shell.




We have provided you with a virtual machine image for this project, use the latest version of VirtualBox. VirtualBox is a general-purpose full virtualizer for x86 hardware, targeted at server, desktop and embedded use. You can download it here: https://www.virtualbox.org/wiki/Downloads







We do not recommend using your own VM image. Our VM’s image link for SPRING 2019 is at the




following:

https://drive.google.com/file/d/1B391eKMzaooouNRPBEKKvH5K9gbLGQHE/view?usp=sharing .




As a general suggestion for the rest of the course (since we will be using virtual machines in 3 of the 4 projects) you will need to figure out how to share files between your VM and your computer, and how to take a screen shot of your VM.




DO NOT UPDATE THE APPLIANCE IN YOUR VM. DO NOT EDIT SETTINGS, RAM, etc.




FAILURE TO FOLLOW THESE INSTRUCTIONS WILL LIKELY RESULT IN A LOWER GRADE.




Steps:




Import the OVA file to VirtualBox. (Username: ubuntu, Password: 123456)
Immediately CLONE the original OVA for use in the video portion of this project. The cloned OVA is not to be used for anything other than video proof of your exploit.
Compile the provided C code (which you will be exploiting): gcc sort.c -o sort -fno-stack-protector. (DO NOT use other options)
To run this program, put some hexadecimal integers in the file: data.txt, and execute sort by:
./sort data.txt

When you put a very long list of integers in data.txt, you will notice sort crashes with memory segfault, this is because the return address has been overwritten by your data. If you first answer step 1, part 1 above, you should understand the goal of this exploit and why a seg fault occurs. Pay attention to the ‘non-binary’ allocated buffer and what it does to the stack structure (and you can see this in GDB).
Now you can craft your shellcode in data.txt. Again, your goal is to overwrite the return address with the address of function “system()” and pass it with the address of string “bin/sh”. Do not use environment variables to store these addresses and then access those environment variables. Use the library addresses of “system()” and “bin/sh” explicitly. GDB (if you’re using GDB for the first time, we recommend checking out GdbInit) can be used to find these library addresses and test/debug your exploit. However, it should be noted that your final exploit (i.e., the final



version of your data.txt) should work outside of GDB. Just running “./sort data.txt” should spawn a shell for you. This needs to be a clean shell, with NO segfaults.




You can verify the exploit has occurred because you will get a new, clean command prompt. But, how do we know it is not the same bash shell that invoked the sort program? To verify you have successfully caused a buffer overflow, issuing echo $$ will give the process ID of the current process. Issuing: echo $$ (shows PID of current bash shell), then run ./sort data.txt, (then after sort completes to a clean shell) issue echo $$ to show the PID of the current exploited shell. (noted – echo $0 instead of or in addition to echo $$ will return the name of the current shell)



Provide a screenshot of you exploiting sort.
Have fun.



Deliverables: the data.txt file you craft, a video, and a screenshot of the exploit. The screenshot should be put into the PDF file (the same from task1). Also, in your report with the screenshot, please identify which OS, Version, and bus width you used which contains your VM (for example, PC, Windows 10, 64 bit).




VIDEO INSTRUCTIONS:




Submit a video using the following steps to document your exploit on your machine. These steps must be precisely followed AFTER you upload your data.txt file to Canvas:




Now, showing each step on video, lets demonstrate the exploit from scratch:




Open the CLONED OVA in Virtual Box.
Compile the sort.c file in your VM.
echo $$ which will show the PID of the current shell.
Run the sort on the initial supplied data.txt file, (not your, data.txt file) showing the original sample data sorted.
Rename the supplied sample data.txt file to original_data.txt
In your VM, log into Canvas and download your submitted data.txt file. Do not edit this file.
Issue the sort command on the downloaded data.txt file. (note – depending on the number of submissions, your data.txt file may have been renamed by Canvas. That is OK –we simply need to see the downloaded file used in the video.)
echo $$ to show the different PID of the new shell.



DO NOT repeat the exploit multiple times to eventually get it to work. First time only will be counted. It must be clear the file you submitted was the data.txt run in your video sort. This video should be succinct and fairly short. DO NOT post this video to any public domain sites to be viewed.




Fine print: there will be no regrade requests accepted on the exploit if it fails the autograder, regardless of whether the exploit works in your machine. This video will serve as proof of your exploit should the autograder fail (which it does occasionally). Failure to supply this video may mean you receive a zero on this portion of the project should your submission unfortunately fail the autograder. We want everyone to receive full credit – especially since this exploit takes significant time.







3. Open Question (10 Points)




First, if you are not familiar with code reuse attacks, please read the following papers:




The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls (on the x86)
On the Effectiveness of Address-Space Randomization
Code-pointer Integrity



Control-Flow Bending: On the Effectiveness of Control-Flow Integrity
ASLR-Guard: Stopping Address Space Leakage for Code Reuse Attacks



Then read the paper - Jump-oriented programming: a new class of code-reuse attack




and explain the similarity and difference between Jump-Oriented Programing and Return-Oriented Programing.




Deliverable: write down your answer in the same pdf file of tasks 1 and 2.




4. The final deliverables:




A pdf file (containing the answers to all of the questions above) named your_gt_studentid_project1.pdf and the modified data.txt file (named data.txt) which exploits sort.c. Also, upload your video as your_gt_studentid_video.mov.




Put your studentID on the top of each page of your deliverable report, to help us when grading. To clarify, if my gt student id is lbrown318, I would submit lbrown318_project1.pdf, lbrown318_video.mov and data.txt.




In Canvas, you will upload your project1.pdf, data.txt, and your video file in assignment: Project 1 - Understanding Buffer and Heap Overflows.




Your gradebook will show the report and exploit in separate assignments under project 1.




DO NOT ZIP THE FILES!




Failure to follow the instructions will cause unnecessary point loss.

More products