The primary purpose of this assignment is to become intimately familiar with procedure call linkages. (We'll be working with Cebollita, and so its particular conventions, but the lessons are more general than that.) Secondary purposes are to reinforce the ideas of the past few weeks: machine code and assembling/linking/loading.
Your goal is to break into a remote system by exploiting a security flaw in its implementation. The flaw is called "buffer overflow": the software obtains input from the user (you) and writes it into a stack allocated array of characters, but does not check that the input fits in the amount of space allocated. You, having figured this out, exploit this bug by sending it data of your choosing, with the result that you end up running as root (to use Unix parlance).So, your job for this assignment is to figure out what input to this software will do the trick -- allow you to gain root privilege.
So, your job for this assignment is to figure out what input to this software will do the trick -- allow you to gain root privilege.You will be able to read, compile, and run on your own machine the code the server is running. But, you cannot modify the server's code -- it's running on the server, and you do not have access to the server (until you break in by other means).
Nothing in this assignment is about writing code.
You're a fortunate hacker in that you have obtained a copy (server.c) of the source for the guts of the application. (The source to some libraries is missing, but you have the rest.) You also have a symbol table (server.sym) for the actual exectuable image running on the system you're going to attack. Finally, you have a copy of the executable (server), so you can run it yourself and observe its behavior.You'll find these files (plus some others that might be useful to you) in hw3B.tar.gz.
The executable,
server, is a (thin) imitation of a remote login service. When you connect to it (which for us just means when you run it) it asks for a password. The password, "ABabCDcd" is hard-coded into the application, and is publically known in any case since all it gives you is "anonymous login" (that is, login with only public privileges).To make your hacking job easier, I wrote the application to take the password in hex. (Why does that make it easier for you?) Start the application
It will prompt you in the window where you started it. Type the password, in hex:
$ cebsim serverThat's hex of the ASCII for the password, in ASCII (got that?). The application reads whatever you type character by character, up to the carriage-return. It simply ignores any character that is not a hex digit (like the space in the above). Everything else is concatenated.
41426162 43446364When given that input, the application will tell you that the login is successful, and then say "bye" (since there's no real work to do). If you give it most other inputs it will indicate you've typed a bad password.
Here's the actual output while providing the correct password as input.$ cebsim server Loading Cebollita program file server Sizes: text=00000838(2104) data=000000f4(244) stack=00000800(2048) heap=00000200(512) c:\cse378\bufferOverflowAssignment Connecting to attu.cs.washington.edu Enter telnet password (in hex): 41426162 43446364 Logged in as anonymous bye Syscall: Exit Total instructions = 2390 Arithmetic = 1216 Loads = 483 Stores = 311 Branches = 188 (115 taken) Jumps = 169 Syscalls = 23As you work on breaking into the server, you'll have to type strings of hex over and over. A more convenient way to run than actually typing them each time is to put the input into a file. The fileinput-goodin the distribution for this assignment shows the format to use. You can then invoke the Cebollita simulator withcebsim --dataFile input-good serverThis will bring up the simulator GUI. HitRunorStep, perhaps after having set a breakpoint or two. (Right-click on a line of code to toggle a breakpoint.)When developing your attack, putting your input in a file is really the only way to go. Note that you have to shut down Cebollita after each run, though, as it will have consumed the input file and there is no way to get it to read the file from the beginning again.
Here's what the output looks like for the input I created to break into the system. (Fortunately, because the input comes from a file, it's not shown here.)$ cebsim --dataFile input-solution server Loading Cebollita program file server Sizes: text=00000838(2104) data=000000f4(244) stack=00000800(2048) heap=00000200(512) c:\cse378\bufferOverflowAssignment Connecting to attu.cs.washington.edu Enter telnet password (in hex): You are now running as root. Syscall: Exit Total instructions = 8305 Arithmetic = 4233 Loads = 1644 Stores = 1122 Branches = 623 (360 taken) Jumps = 607 Syscalls = 76(Obviously, the particular instruction counts you end up with might differ slightly.)Note that the output says I authenticated as root. Note also that the program terminated cleanly.
Yes, this is an unusual assignment.Your goal is to find input that you can give to the program (
server) so that it produces the output just shown.You have the source, but that's only for examination - you will not (cannot) modify the source. All you're doing is finding some magic input that will cause the program to misbehave in the particular way shown above. That magic has to do with the topics we've been discussing, of course, so your test-taking skills should lead you to thinking about how they may help.
This assignment takes some thinking, then some trying, then more thinking, then more trying, and around it goes. The first step is to understand how you might go about attacking the program, in very general terms. (As already mentioned, the attack is called a stack overflow, so there's a hint right there.) The iterations happen as you try to work out the details required to make that attack a success.
Typing thecebsim --dataFile input-solution serverline over and over can be aggravating, so don't do it. Here are some ways to avoid it, all of which involve standard Unix facilities (including cygwin). Some of these may be shell specific. I runbash, so they're guaranteed to work with it.
- Use the up arrow key to repeat previously typed commands.
- Use shell history. Typing '!cebsim' should do it. (It will re-execute the last command you issued (in that shell, basically) that starts 'cebsim'.)
- Use the supplied makefile, which has a target for launching the server program using the input-solution file: make rungood.
- Write your own shell script, to do whatever it is you want.
We will want two things: your input file, and a brief writeup of what your attack does.https://catalysttools.washington.edu/collectit/dropbox/zahorjan/5621