The goals of this project:
Students should be able to clearly explain: 1) what a buffer overflow is; 2) why a buffer overflow is dangerous; 3) how a buffer overflow is exploited. With this knowledge of buffer overflows, students are expected to launch an attack that exploits a stack buffer overflow vulnerability in a provided toy program. Finally, students are asked to read up on and write about code reuse attacks.
Note: For this task, you may use online resources to show a program with these vulnerabilities, but please cite these online sources. The diagrams should be your own (not copied from the online resources).
Write a testing program (not sort.c from task 2) that contains a stack buffer overflow vulnerability. Show what the stack layout looks like and explain how to exploit it. In particular, please include in your diagram: (1) the order of the parameters (if applicable), return address, saved registers (if applicable), and local variable(s); (2) their sizes in bytes; (3) the number of bytes the overflowing buffer must write to reach the return address; and (4) the direction in which the overflow grows on the stack. You are not required to write the real exploit code, but you may want to use some figures to make your description clear and concise.
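As an added illustration (not part of the assignment handout and not the provided sort.c), a minimal C program of the kind task 1 asks for: the unchecked copy into a fixed-size stack buffer next to a bounds-checked version that rejects oversized input. The function names and the 16-byte buffer size are assumptions chosen for the example.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 16   /* assumed local buffer size, same in both versions */

/* Vulnerable pattern: a fixed-size stack buffer filled by strcpy with
 * no bound. Input longer than BUF_SIZE - 1 bytes writes past buf into
 * whatever the compiler placed above it (padding, saved frame pointer,
 * return address). Returns the length copied. Called here only with
 * short, constructed input; with the stack protector enabled (the
 * compiler default) a long input would abort instead of returning. */
int record_unchecked(const char *src)
{
    char buf[BUF_SIZE];
    strcpy(buf, src);                    /* no length check */
    return (int)strlen(buf);
}

/* Hardened form: refuse anything that does not fit together with the
 * terminating NUL, then copy with an explicit bound. Returns -1 on
 * rejection, otherwise the number of bytes copied. */
int record_bounded(const char *src)
{
    char buf[BUF_SIZE];
    size_t n = strlen(src);
    if (n >= BUF_SIZE)
        return -1;                       /* would overflow: reject */
    memcpy(buf, src, n + 1);             /* bounded copy including NUL */
    return (int)buf[0] == 0 ? 0 : (int)n;
}

int main(void)
{
    char oversized[40];                  /* constructed input: 39 'A' bytes */
    memset(oversized, 'A', sizeof oversized - 1);
    oversized[sizeof oversized - 1] = '\0';

    printf("record_bounded(\"hello\")   = %d\n", record_bounded("hello"));
    printf("record_bounded(39 x 'A') = %d\n", record_bounded(oversized));
    printf("record_unchecked(\"hello\") = %d\n", record_unchecked("hello"));
    return 0;
}
```

Compiling with -fno-stack-protector, as the VM's sort.c is, removes the canary that would otherwise catch the overflow in record_unchecked; the bounded version does not depend on that protection.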
Write a testing program that contains a heap buffer overflow vulnerability. Show what the heap layout looks like and explain how to exploit it. In particular, please include in your diagram: (1) each chunk of memory allocated by malloc(); (2) their sizes in bytes; (3) the heap metadata as it gets overwritten; (4) the sizes of this metadata in bytes; and (5) which metadata fields get overwritten, and how the attacker controls both the value that gets written and the arbitrary memory location it is written to. Again, you do not need to write the real exploit code, but you may want to use some figures to make your description clear and concise.
Deliverable: a pdf file containing your vulnerable programs (paste your code into the pdf directly) and your explanations.
The attached C code (sort.c) contains a stack buffer overflow vulnerability. Please write an exploit (by modifying data.txt) to open a shell on Linux. The high-level idea is to overwrite the return address with the address of the function system(), and to pass the parameter “sh” to this function. Once the return instruction is executed, system() will be called and will open a shell.
We have provided you with a virtual machine image for this project; use the latest version of VirtualBox. We do not recommend using your own VM image. Our VM image will be located at the following links, which will allow you to download the .ova file:
md5 hash: 0d8e71ed88646842f3dde4ab2e4e2b21
Deliverables: the data.txt file you craft and a screenshot of the exploit. The screenshot should be put into the PDF file (the same PDF as for task 1).
First, if you are not familiar with code reuse attacks, please read the following papers:
Task 2 succeeds only because two major countermeasures are disabled: stack canaries (disabled using the -fno-stack-protector flag) and ASLR (disabled system-wide on the VM; hint: check out /proc/sys/kernel/randomize_va_space). DEP is another major countermeasure, which can be disabled using the “-z execstack” flag during compilation. In the real world, however, you cannot count on these countermeasures being conveniently turned off. Explain the techniques used to defeat ASLR and DEP respectively.
Deliverable: write down your answer in the same PDF file as tasks 1 and 2.
The final deliverables: a PDF file (containing the answers to all of the questions above) and the modified data.txt file that exploits sort.c.