Your goal is to break into a remote system by exploiting a security flaw in its implementation. The flaw is called "buffer overflow": the software obtains input from the user (you) and writes it into a stack allocated array of characters, but does not check that the input fits in the amount of space allocated. You, having figured this out, exploit this bug by sending it data of your choosing, with the result that you end up running as root (to use Unix parlance).So, your job for this assignment is to figure out what input to this software will do the trick -- allow you to gain root privilege.
So, your job for this assignment is to figure out what input to this software will do the trick -- allow you to gain root privilege.You will be able to read, compile, and run on your own machine the code the server is running. But, you cannot modify the server's code -- it's running on the server, and you do not have access to the server (until you break in by other means).
Nothing in this assignment is about writing code.
You're a fortunate hacker in that you have obtained a copy (server.c) of the source for the guts of the application. (The source to some libraries is missing, but you have the rest.) You also have a symbol table (server.sym) for the actual exectuable image running on the system you're going to attack. Finally, you have a copy of the executable (server), so you can run it yourself and observe its behavior.You'll find these files (plus some others that might be useful to you) in hw3extracredit.tar.gz. Fetch that file, and then use this command to expand it (it will create a subdirectory in whatever directory you're currently in):
$ tar xzf hw3extracredit.tar.gzThe executable,
server, is a (thin) imitation of a remote login service. When you connect to it (which for us just means when you run it) it asks for a password. The password, "ABabCDcd" is hard-coded into the application, and is publically known in any case since all it gives you is "anonymous login" (that is, login with only public privileges).To make your hacking job easier, I wrote the application to take the password in hex. (Why does that make it easier for you?) Start the application
It will prompt you in the window where you started it. Type the password, in hex:
$ cebsim serverThat's hex of the ASCII for the password, in ASCII (got that?). The application reads whatever you type character by character, up to the carriage-return. It simply ignores any character that is not a hex digit (like the space in the above). Everything else is concatenated.
41426162 43446364When given that input, the application will tell you that the login is successful, and then say "bye" (since there's no real work to do). If you give it most other inputs it will indicate you've typed a bad password.
Here's the actual output while providing the correct password as input.$ cebsim server Loading Cebollita program file server Sizes: text=00000838(2104) data=000000f4(244) stack=00000800(2048) heap=00000200(512) c:\cse378\bufferOverflowAssignment Connecting to attu.cs.washington.edu Enter telnet password (in hex): 41426162 43446364 Logged in as anonymous bye Syscall: Exit Total instructions = 2390 Arithmetic = 1216 Loads = 483 Stores = 311 Branches = 188 (115 taken) Jumps = 169 Syscalls = 23As you work on breaking into the server, you'll have to type strings of hex over and over. A more convenient way to run than actually typing them each time is to put the input into a file. The fileinput-goodin the distribution for this assignment shows the format to use. You can then invoke the Cebollita simulator with either of the following commandsThis will bring up the simulator GUI. Hit$ cebsim --dataFile input-good server$ make rungoodRunorStep, perhaps after having set a breakpoint or two. (Right-click on a line of code to toggle a breakpoint.)When developing your attack, putting your input in a file is really the only way to go. The
makefilehas a target,runsolution, that expects your input to be in a file calledinput-solution. You might find working that way handy.
Here's what the output looks like for the input I created to break into the system. (Fortunately, because the input comes from a file, it's not shown here.)$ cebsim --dataFile input-solution server Loading Cebollita program file server Sizes: text=00000838(2104) data=000000f4(244) stack=00000800(2048) heap=00000200(512) c:\cse378\bufferOverflowAssignment Connecting to attu.cs.washington.edu Enter telnet password (in hex): You are now running as root. Syscall: Exit Total instructions = 8305 Arithmetic = 4233 Loads = 1644 Stores = 1122 Branches = 623 (360 taken) Jumps = 607 Syscalls = 76(Obviously, the particular instruction counts you end up with might differ slightly.)
Yes, this is an unusual assignment.Your goal is to find input that you can give to the program (
server) so that it produces the output just shown.You have the source, but that's only for examination - you will not (cannot) modify the source. All you're doing is finding some magic input that will cause the program to misbehave in the particular way shown above. That magic has to do with the topics we've been discussing, of course, so your test-taking skills should lead you to thinking about how they may help.
This assignment takes some thinking, then some trying, then more thinking, then more trying, and around it goes. The first step is to understand how you might go about attacking the program, in very general terms. (That has been mentioned, if not fully emphasized, in class...) The iterations happen as you try to work out the details required to make that attack a success.
We will want two things: your input file, and a brief writeup of what your attack does.In the directory containing main.s and max.s, create a directory called extracredit, and put your input file and brief writeup (only) in it. Use the command 'turnin -ccse378 main.s max.s extracredit' to submit both your regular assignment and extra credit problem.