HW2: Buffer Overflow by Example
CS 493/693 Homework,
Dr. Lawlor, 2006/02/06. Due at 5pm on Monday, Feb 13 (Monday the 13th!).
I've started a vulnerable network server process, listening on port 80 of the server "target.cs.uaf.edu". Your assignment is to see firsthand how a buffer overflow attack works, by attacking this port of this server.
Allow me to be very clear. DO NOT ATTACK ANY OTHER PORT OR MACHINE.
The server listening on port 80 of target.cs.uaf.edu is NOT a webserver. Instead, it speaks the following very simple protocol:
- The server sends you a welcome string followed by a newline.
- You send the server your UAF email ID (like "ffosl") followed by a newline.
- You send the server an arbitrary attack buffer, followed by a newline.
- The server then executes the following laughably insecure code on your attack buffer "req":
    #include <cstring>   /* strcpy */
    #include <string>
    extern std::string req;   /* the attack-buffer line you sent (assumed to be a global std::string in the server) */

    void parse_request(void)
    {
        char buf[32];              /* fixed-size stack buffer */
        strcpy(buf, req.c_str());  /* no length check: a request longer than 31 bytes (plus the NUL) runs off the end of buf */
    }
- The server records and sends back your grade and a short explanation, followed by a newline.
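As an added example (not the course's server code), here is the page's 32-byte parse routine rewritten with the length check it lacks, plus a small helper that reports how many bytes a given request would write past the buffer; the request is assumed to be a std::string as in the original, and both function names are my own.

```cpp
#include <cstddef>
#include <cstring>
#include <string>

// Same fixed-size stack buffer as the server's parse_request.
static const std::size_t BUF_SIZE = 32;

// How many bytes past the end of buf[32] an unchecked strcpy of req would
// write: the request's bytes plus the terminating NUL. 0 means it fits.
// Hypothetical helper, useful for a front-end filter or log review.
std::size_t overflow_bytes(const std::string& req) {
    std::size_t needed = req.size() + 1;   // strcpy also writes the NUL
    return needed > BUF_SIZE ? needed - BUF_SIZE : 0;
}

// Hardened replacement for parse_request: refuses anything that would not
// fit (>= so the NUL still has room), copies with an explicit length and
// always NUL-terminates. Returns false when the request is rejected; the
// parsed copy is stored in *out when out is non-null.
bool parse_request_checked(const std::string& req, std::string* out = nullptr) {
    char buf[BUF_SIZE];
    if (req.size() >= sizeof buf) {
        return false;                      // would overrun buf: reject, log, drop
    }
    std::memcpy(buf, req.data(), req.size());
    buf[req.size()] = '\0';
    if (out) out->assign(buf);
    return true;
}

int main() {
    std::string parsed;
    // Constructed sample requests: a short ID-like string and a 40-byte one.
    parse_request_checked("ffosl", &parsed);          // accepted
    parse_request_checked(std::string(40, 'A'));      // rejected, 9 bytes too long
    return 0;
}
```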
The grade levels available for this assignment are:
- F (5 points for 493, 2 points for 693): for giving your email ID and a non-dangerous string. (Note: "F" is still more points than a "0".)
- D (6 points, 4 points for 693): for crashing the server with a segfault, illegal instruction, or hang. (Don't worry--it'll immediately restart.)
- C (7 points, 6 points for 693): for calling the "grade_C" routine.
- B (9 points, 8 points for 693): for calling the "grade" routine, and passing in the "grade_B" string.
- A (10 points): for calling the "grade" routine with your own string that starts with "A".
I'll keep your highest grade--you can repeatedly attack the server as many times as you like. Please do not denial-of-service the target, or try to break out of the emulated machine.
You should be able to get at least a "D" using just "telnet" run interactively. For higher grade levels, writing your own network attacker program is recommended. If you log in and send two strings-and-newlines without immediately getting a one-line grade back, send me an email--the target may have gone down.
The vulnerable server has this source code, which you'll pretty much have to read. You could even compile and run the server, although be careful not to get hacked yourself! The relevant buffer locations as actually run (hint, hint!) are:
Inside vulnerable routine:
grade_C routine is at 0x8048d68
grade_B string is at 0x8082357
grade routine is at 0x8048cb4
buf is at 0xbfffff28
This vulnerable server runs:
- After a step of logging and filtering on the target front end. This also redirects the attacking port from port 80 on target.cs.uaf.edu to port 1235 on the emulated machine.
- As the "nobody" user, inside a "chroot" jail, inside a QEMU virtual machine that is itself run as the "nobody" user, on the worthless machine target.cs.uaf.edu.
So don't worry about breaking anything too important--and have fun! You don't need to turn anything in--I can get your grade out of the server logs!