Project #1

Goal

The Environment

The Targets

The Exploits

The sploits/ directory in the user home directory contains the source for the exploits which you are to write, along with a Makefile for building them. Also included is shellcode.h, which gives Aleph One's shellcode.

The Assignment

You are to write exploits for targets 1, 4, and 7. Each exploit, when run in the virtual machine with its target installed setuid-root in /bin, should yield a root shell (/bin/sh).

Since you saw how to do sploit 1 in class, we've changed the buffer size slightly so that you'll have to work through it yourself. However, what was shown as target 1 in class is now target 0. If you are having trouble, you can work through sploit 0 and compare the numbers you get with those in class.

Hints

Warnings

Aleph One gives code that calculates addresses on the target's stack based on addresses on the exploit's stack. Addresses on the exploit's stack can change depending on how the exploit is executed (working directory, arguments, environment, etc.); in our testing, we do not guarantee that your exploits will be executed the way bash executes them.

You must therefore hard-code target stack locations in your exploits. You should not use a function such as get_sp() in the exploits you hand in.

Deliverables

Misc

Credits

This project was originally designed for Dan Boneh and John Mitchell's CS155 course at Stanford, and was then also extended by Hovav Shacham at UCSD. Thanks Dan, John, and Hovav!


*The cake is a lie