CSE 378 Assignment 5

CSE 378 Homework 5

Due: Monday 2/10/03
Work in pairs or individually

The distribution was updated 2/3/03 at 1:50pm. The .zip file is now newhw5files.zip.
Please use the new files to develop your solution (as that's what we'll run against.)

Purpose

The primary purpose of this assignment is to become intimately familiar with procedure call linkages. (We'll be working with Cebollita, and so its particular conventions, but the lessons are more general than that.) Secondary purposes are to reinforce the ideas of the past few weeks: machine code and assembling/linking/loading.

Overview

Your goal is to break into a remote system by exploiting a security flaw in its implementation. The flaw is called "buffer overflow": the software obtains input from the user (you) and writes it into a stack allocated array of characters, but does not check that the input fits in the amount of space allocated. You, having figured this out, exploit this bug by sending it data of your choosing, with the result that you end up running as root (to use Unix parlance).

So, your job for this assignment is to figure out what input to this software will do the trick -- allow you to gain root privilege.

What You Start With

You're a fortunate hacker in that you have obtained a copy (hw5.c) of the source for the guts of the application. (The source to some libraries is missing, but you have the rest.) You also have a symbol table (a.sym) for the actual exectuable image running on the system you're going to attack. Finally, you have a copy of the executable (a.out), so you can run it yourself and observe its behavior.

You'll find these files in newhw5files.zip.

The executable, a.out, is a (thin) imitation of a remote login service. When you connect to it (which for us just means when you run it) it asks for a password. The password, "ABabCDcd" is hard-coded into the application, and is publically known in any case since all it gives you is "anonymous login" (that is, login with only public privileges).

To make your hacking job easier, I wrote the application to take the password in hex. (Why does that make it easier for you?) Start the application

$ cebsim a.out

It will prompt you in the window where you started it. Type the password, in hex:

41426162 43446364

That's hex of the ASCII for the password, in ASCII (got that?). The application reads whatever you type character by character, up to the carriage-return. It simply ignores any character that is not a hex digit (like the space in the above). Everything else is concatenated.

When given that input, the application will tell you that the login is successful, and then say "bye" (since there's no real work to do). If you give it most other inputs it will indicate you've typed a bad password.

Working Within the Limits of Cebollita

The Cebollita simulator insists on printing diagnostic messages of its own while running. (Plus, the sloppy application programmer seemed to have left some trace output of his own in his code.) So, here's the actual output while providing the correct password as input.

$ cebsim a.out
Loaded exe. text=4784 data=312 stack=4096 heap=4096
c:\Documents and Settings\zahorjan\Desktop\HW5
Reading: TermDev: 0: 0: 1: 0
41426162 43446364

Connecting to june.cs.washington.edu
Enter telnet password (in hex):
Reading: TermDev: 0: 52: 1: 10
got 4
Reading: TermDev: 0: 49: 1: 10
got 1
Reading: TermDev: 0: 52: 1: 10
got 4
Reading: TermDev: 0: 50: 1: 10
got 2
Reading: TermDev: 0: 54: 1: 10
got 6
Reading: TermDev: 0: 49: 1: 10
got 1
Reading: TermDev: 0: 54: 1: 10
got 6
Reading: TermDev: 0: 50: 1: 10
got 2
Reading: TermDev: 0: 32: 1: 10
Reading: TermDev: 0: 52: 1: 10
got 4
Reading: TermDev: 0: 51: 1: 10
got 3
Reading: TermDev: 0: 52: 1: 10
got 4
Reading: TermDev: 0: 52: 1: 10
got 4
Reading: TermDev: 0: 54: 1: 10
got 6
Reading: TermDev: 0: 51: 1: 10
got 3
Reading: TermDev: 0: 54: 1: 10
got 6
Reading: TermDev: 0: 52: 1: 10
got 4
Reading: TermDev: 0: 13: 1: 10

Logged in as anonymous
bye

Syscall: Exit
Total instructions = 18756
 Arithmetic  = 10515
 Loads       = 4193
 Stores      = 2318
 Branches    = 886 (677 taken)
 Jumps       = 843
 Syscalls    = 1

Besides all that annoying trace information, the input I typed doesn't appear until I hit Enter. (There's a good reason for that, but for this assignment it's not an advantage.)

A more convenient way to run than typing at Cebollita is to put the input into a file. The file input-good in the distribution for this assignment shows the format to use. You can then invoke the Cebollita simulator with

cebsim a.out <input-good

This will bring up the simulator GUI. Hit Run or Step, perhaps after having set a breakpoint or two. (Right-click on a line of code to toggle a breakpoint.)

When developing your attack, putting your input in a file is really the only way to go. Note that you have to shut down Cebollita after each run, though, as it will have consumed the input file and there is no way to get it to read the file from the beginning again. (That's because it's not actually reading the file, we're simply redirecting standard input from the file - i.e., it's not Cebollita's fault.)

A Successful Attack

Here's what the output looks like for the input I created to break into the system. (I've deleted the trace output, as it's both annoying and a homework solution.)

$ cebsim a.out <input-bad
Loaded exe. text=4784 data=312 stack=4096 heap=4096
c:\Documents and Settings\zahorjan\Desktop\HW5

Connecting to june.cs.washington.edu
Enter telnet password (in hex):

You are now running as root.
Logged in as anonymous
bye

Syscall: Exit
Total instructions = 59427
 Arithmetic  = 33313
 Loads       = 13004
 Stores      = 7632
 Branches    = 2687 (1881 taken)
 Jumps       = 2790
 Syscalls    = 1

(Obviously, the particular instruction counts you end up with might differ slightly.)

I'm Lost

Yes, this is an unusual assignment.

Your goal is to find input that you can give to the program (a.out) so that it produces the output just shown.

You have the source, but that's only for examination - you will not (cannot) modify the source. All you're doing is finding some magic input that will cause the program to misbehave in the particular way shown above. That magic has to do with the topics we've been discussing, of course, so your test-taking skills should lead you to thinking about how they may help.

This assignment takes some thinking, then some trying, then more thinking, then more trying, and around it goes. The first step is to understand how you might go about attacking the program, in very general terms. (That has been mentioned, if not fully emphasized, in class...) The iterations happen as you try to work out the details required to make that attack a success.

Deliverables

We will want two things: your input file, and a brief writeup of what your attack does.

We may have very particular requirements for the format in which these are delivered, including the naming of files attached to mail messages. We'll figure that out and let you know shortly.

Advice

I think this may be a very fun, but very difficult, assignment. For almost everyone (maybe without exception), it will require some talking over. PLEASE DO talk to the staff - the earlier the better. I suspect the variety of questions about this will be much larger than normal, meaning that I'm sure I haven't managed to make everything clear in this writeup (nor could I, I don't (or is it do?) think).

It would be a much more than ordinarily bad idea to leave this until the last moment. Being under the pressure of a close deadline will definitely not make it any easier to finish this.

And one last thing: DO NOT WAIT UNTIL A DAY STARTING WITH 'S' TO START THIS unless you've had prior successes hacking into other people's systems.

Working Not in the Lab

The a.out requires at least Cebollita Version 1.3 (build 60). Here is a ceb.jar file with that version.