Encryption and Network Security

CSE3ENS - Network Security Assignment, 2008

Due Date: 5pm, Friday 24th October 2008

This assignment is worth 20% of your final mark for this subject and consists of two parts plus a brief written report (1-2 pages). Part 1 is worth 5%, part 2 is worth 3% and your report accounts for the remaining 12%.

Your Task

For this assignment you are required to exploit a buffer overflow vulnerability in an application by carefully crafting the input that you provide to it. Your task is to have the application misbehave in such a way that you can change the path of execution.

There are two parts to this assignment - the first part requires you to overwrite the return instruction pointer and have it call the function named ens_part1(). The second part requires you to not only overwrite the return instruction pointer, but also pass a value on the stack, calling the ens_part2() function with your student number. Your student number should be passed as an array of eight printable ASCII characters.

You will also need to submit a 1-2 page report detailing the approach that you have used in order to attempt or complete each part. This should include a summary of the tools that you have used and a brief description of your analysis.

This assignment will require you to spend a fair amount of time carefully studying the code and the execution path in order to successfully complete both part 1 and part 2. However, having completed both parts of this assignment, you will have gained a solid understanding of buffer overflows and stack-based program execution, and a sense of achievement! Even if you have not successfully completed part 1 or part 2, the submission of your report will still result in a pass mark, providing you have put sufficient time and effort into the task.

I would strongly suggest working in pairs (or even a small group). You will still need to submit individual reports and solutions, however this will allow you to share knowledge and bounce ideas around.

The Code

The source code for this assignment is available here (it is only about 20 lines of C!). You need to change the define for LAST_DIGIT so that it has a value which matches the last digit of your student number. No other changes should be made to this code.

Your development and exploitation needs to be done on an Intel IA32 based machine running Linux - do not attempt to use a Mac for this assignment (although if you can get it working on both systems I will be suitably impressed!). I will be testing your submission on one of the machines in B1.11 - so this is where you should also be doing your work.

Compile the assign1.c file using the following command:

gcc -g -o assign1 assign1.c

This will create a binary named assign1 which has support for debugging compiled in (the -g option for gcc achieves this). The GNU Debugger (gdb) will now be your friend!

Exploiting the Buffer Overflow

In order to exploit the buffer overflow and overwrite the return instruction pointer you will need to feed a string of bytes into the application. There are two things to be aware of. Firstly, only a subset of byte values are printable ASCII, so you will not be able to produce all 256 byte values from a keyboard. Secondly, a line of input on Unix is terminated by a line feed (ASCII decimal 10, hexadecimal 0x0a) character. You will need to include one at the end of your input to stop the application from reading in further data. Likewise, this byte value cannot appear anywhere else in your input, otherwise everything after it will be ignored.

In order to make your life a little bit easier, a Perl script called hextostr.pl can be found here. This script takes a series of hexadecimal byte values and converts them to a string of bytes. You do not need to understand how this works to use it, just make it executable! This means that you could create a file that contained the following:

61 61 61 61
62 62 62 62
63 63 63 63
64 64 64 64
0a

And then you could feed it to the application by running the following:

$ ./hextostr.pl < myexploit.txt | ./assign1

Or you could generate a file that you can then feed in separately:

$ ./hextostr.pl < myexploit.txt > myexploit
$ ./assign1 < myexploit

This second method can also be used from within GDB, so that you can observe what is occurring during execution. For example:

$ ./hextostr.pl < myexploit.txt > myexploit
$ gdb assign1
(gdb) break getstr
(gdb) run < myexploit

Some Hints

  • You will need to keep in mind that on most Intel platforms, data is stored in "little endian" form. This means that the Least Significant Byte (LSB) is stored at the lowest memory address and the Most Significant Byte (MSB) is stored at the highest memory address. On IA32 memory addresses are 32-bit words, which in little endian format are stored in reversed byte order (i.e. the word 0x01020304 is stored in memory as the byte sequence 04 03 02 01). You will need to take this into account when encoding addresses within your exploit.
  • The debugger really is your friend! Start by using the disassemble command to identify the addresses of the ens_part1() and ens_part2() functions. Next you probably want to set a breakpoint (break command, followed by the name of the function) on the exploitable function so that you can inspect the stack (info frame and x/32w). Remember that the stack grows towards lower memory addresses. You can also find out the address of a variable by using print &varname - you could use this to find out where the buffer lives... See the appropriate tutorial for more goodness!
  • For part 2, you need to pass your student number to the ens_part2() function - keep in mind that the variable is passed on the stack (pushed onto the stack) prior to calling the function. Again, GDB will probably help you understand this more readily.
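The following Python script is an added illustration of the two input constraints described above (the line feed that terminates a line, and the little-endian byte order hint); it is not the course's hextostr.pl and the sample hex strings in it are constructed. It converts the same whitespace-separated hex format into bytes, reports an embedded or missing line feed before the bytes are ever fed to the application, and shows how a 32-bit word is laid out in little-endian order.

```python
import struct

# Constructed samples in the hextostr.pl input format: "aaaabbbb\n", and the
# same idea with a stray line feed in the middle to trigger the truncation check.
SAMPLE_GOOD = "61 61 61 61 62 62 62 62 0a"
SAMPLE_TRUNCATED = "61 61 0a 62 62 0a"


def hex_tokens_to_bytes(text):
    """Turn whitespace-separated two-digit hex tokens into the raw byte string
    the application would read (the conversion hextostr.pl performs)."""
    out = bytearray()
    for tok in text.split():
        if len(tok) != 2:
            raise ValueError(f"bad token {tok!r}: expected two hex digits")
        out.append(int(tok, 16))
    return bytes(out)


def check_input_line(data):
    """Report why a byte string may not reach the application as intended.
    A line feed (0x0a) ends the line: one at the end is required, one anywhere
    else silently discards everything after it. Bytes outside 0x20..0x7e are
    fine when piped from a file but cannot be typed, so they are listed too."""
    problems = []
    first_lf = data.find(b"\n")
    if first_lf == -1:
        problems.append("no terminating line feed; the read will not finish")
    elif first_lf != len(data) - 1:
        lost = len(data) - first_lf - 1
        problems.append(f"line feed at offset {first_lf}; {lost} byte(s) after it are ignored")
    body = data[:-1] if data.endswith(b"\n") else data
    unprintable = sorted({b for b in body if not 0x20 <= b <= 0x7e})
    if unprintable:
        problems.append("non-printable bytes (file input only): "
                        + " ".join(f"{b:02x}" for b in unprintable))
    return problems


def word_to_le_tokens(word):
    """Render a 32-bit word as the four hex tokens to write into the file, in the
    little-endian byte order IA32 uses in memory: 0x01020304 -> '04 03 02 01'."""
    return " ".join(f"{b:02x}" for b in struct.pack("<I", word))


if __name__ == "__main__":
    for sample in (SAMPLE_GOOD, SAMPLE_TRUNCATED):
        data = hex_tokens_to_bytes(sample)
        print(repr(data), check_input_line(data) or "ok")
    print(word_to_le_tokens(0x01020304))
```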

Submission Requirements

What to submit:

  • A brief 1-2 page report detailing your approach and analysis of the problem.
  • Your exploits for part 1 and part 2 as a sequence of hexadecimal values that can be run through hextostr.pl.
  • You also need to provide electronic copies of your exploits, either in the form of binary files (the output from hextostr.pl) or hexadecimal strings (that can be fed into hextostr.pl). You should make these available from your student web space on Redgum and include the appropriate URLs in your printed submission.

Your submission must adhere to the requirements of the La Trobe University Assignment Guide. Specifically, you must use a folder/binder and ensure that you include a printed and personally signed Statement of Authorship.

Administrivia

A reminder regarding La Trobe University's policy on Academic Misconduct and Plagiarism: please take care to acknowledge the sources of information used in your assignment. The work submitted must be your own.

Late submissions will not be accepted, unless a prior arrangement has been made or exceptional circumstances apply. In the case of exceptional circumstances, individual extensions may be granted after application using a Special Consideration form. If the necessity for an extension is based on medical grounds then a medical certificate is required. If the basis is personal circumstances, then the appropriate section of the Special Consideration form should be filled out.

Ionix Security Award

The first student to successfully complete both part 1 and part 2 of this assignment, shall be the winner of the Ionix Security Award for 2008 ($250 cash prize). You will need to provide electronic copies of your exploits in order to prove successful completion - submit these via email to your lecturer. If no student successfully completes both part 1 and part 2 prior to the due date, the award will go to the student who achieves the highest overall mark for their assignment.