You must therefore hard-code target stack locations in your exploits. You should not use a function such as get_sp() in the exploits you hand in.
wget http://www.cs.washington.edu/education/courses/cse599g/07au/project-20071104.tar.bz2
wget http://www.cs.washington.edu/education/courses/cse599g/07au/boxes-20071104.tar.bz2
romieu% tar jxvf boxes-20071104.tar.bz2 ; tar xjvf project-20071104.tar.bz2
romieu% setenv BOXESDIR /tmp/yoshi/boxes
romieu% setenv BOXESHOME /tmp/yoshi
romieu% setenv PATH /tmp/yoshi/boxes:$PATH
For convenience, instead of repeatedly typing in the commands, you may wish to place the three setenv commands into a file and "source" the file whenever you log into a machine.
romieu% xterm -e boxes/string &
Then run boxes, specifying the copy-on-write disk and the virtual private network.
romieu% boxes/openbox cow1 10.64.64.64
box:~# mount none -t hostfs /mnt -o /tmp/yoshi/project
Now you can access the project files in /mnt. Copy the sploits dir to the user's home directory (and make sure to set the ownership so that user can access them: "chown -R user:user sploits"), and copy the target dir to root's home directory. Make the targets, then copy them to /tmp together with the corresponding .c and .h files. Using the following commands, set up the permissions so that the targets are owned by root and are setuid root, and the .c and .h files are publicly readable.
box:~# chown root:root target? ; chmod 4755 target? ; chmod a+r target?.[ch] ; chmod a+r tmalloc.[ch]
box:~# TERM=vt100 ; vi /etc/inittab
and uncomment the lines:
##2:23:respawn:/sbin/getty 38400 vc/2
##3:23:respawn:/sbin/getty 38400 vc/3
to spawn two extra console windows on the next reboot of boxes. The only two editors in the boxes environment are nano and vi. If you prefer other editors, write the code outside of boxes and then use nano to paste the code into a text file in a boxes console.
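The ownership and mode requirements from the permissions step (targets owned by root and setuid root, sources publicly readable) can be checked with a short script. This is an added example, not part of the original project materials; the function name check_targets, the EXPECTED_OWNER override, and the availability of GNU stat inside the box are assumptions.

```shell
#!/bin/sh
# Added example: audit the permissions the setup step is meant to produce.
# EXPECTED_OWNER (numeric uid:gid) is a hypothetical override for dry runs
# on unprivileged copies; the default 0:0 is root:root.
EXPECTED_OWNER="${EXPECTED_OWNER:-0:0}"

# check_targets DIR
# Prints one line per problem and returns the number of problems found.
# Assumes GNU stat (-c), as found on Linux.
check_targets() {
    dir=$1
    problems=0
    found=0
    # target? is "target" plus exactly one character, so target1.c is skipped
    for f in "$dir"/target?; do
        [ -f "$f" ] || continue
        found=$((found + 1))
        owner=$(stat -c '%u:%g' "$f")
        mode=$(stat -c '%a' "$f")
        if [ "$owner" != "$EXPECTED_OWNER" ]; then
            echo "$f: owner $owner, expected $EXPECTED_OWNER"
            problems=$((problems + 1))
        fi
        # 4755 = setuid bit plus rwxr-xr-x, exactly what chmod 4755 sets
        if [ "$mode" != "4755" ]; then
            echo "$f: mode $mode, expected 4755"
            problems=$((problems + 1))
        fi
    done
    if [ "$found" -eq 0 ]; then
        echo "$dir: no target? binaries found"
        problems=$((problems + 1))
    fi
    # Sources must be publicly readable: last octal digit has the read bit
    for src in "$dir"/target?.[ch] "$dir"/tmalloc.[ch]; do
        [ -f "$src" ] || continue
        case $(stat -c '%a' "$src") in
            *[4567]) ;;
            *) echo "$src: not world-readable"
               problems=$((problems + 1)) ;;
        esac
    done
    return "$problems"
}

# Usage inside the box, after the chown/chmod step: check_targets /tmp
```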