Project (Attack Lab)

Out: Nov 6.
Due: Nov 20, 11:59pm (25% per day late, as with most of the other course deadlines).

Goal

The Environment

The Targets

The Exploits

The sploits/ directory in the assignment tarball contains skeleton source for the exploits which you are to write, along with a Makefile for building them. Also included is shellcode.h, which gives Aleph One's shellcode.

The Assignment

You are to write exploits, one per target. Each exploit, when run in the Boxes environment with its target installed setuid-root in /tmp, should yield a root shell (/bin/sh).

Hints

Warnings

Aleph One gives code that calculates addresses on the target's stack based on addresses on the exploit's stack. Addresses on the exploit's stack can change based on how the exploit is executed (working directory, arguments, environment, etc.); in our testing, we do not guarantee to execute your exploits as bash does.

You must therefore hard-code target stack locations in your exploits. You should not use a function such as get_sp() in the exploits you hand in.

Deliverables

How to set up the Environment

Here are the following steps to set up the environment on the Linux machines in CSE 002, 006, and 022; you can probably use any machine running Linux, but I've only used these machines to work on this project. (The names of the machines in the three labs are, garloff, hch, jgarzik, maxk, romieu, gregkh, herbert, ralf, tori, faith, linus, aliakc, ajk, davej, dwmw2, ehaase, marcel, ink, kas, mchehab, shemminger, starvik, tali, davem, mhw, philb, simon, sziwan, zippel, rmk, scottm, tigran, sfrench, and fubar. These machines are intended for the use of those sitting at their consoles.)

Misc

There's lots of online documentation for GDB. Here's one you might start with: http://csapp.cs.cmu.edu/public/docs/gdbnotes.pdf.

Credits

This project was originally designed for Dan Boneh and John Mitchell's CS155 course at Stanford. Thanks Dan and John!