Student: Stanley

General Instructions

• Download the HW4 files from Google Drive into your CSE 523 Ubuntu VM. You can decompress its contents with this command: tar -xvf hw4_files.tar.gz
• The package contains five binaries: p1, p2, p3, p4, and p5.
• At least one binary exhibits a stack buffer overflow vulnerability and at least one binary does not.
• Your goal is to find which of the five programs in the package exhibit a stack buffer overflow vulnerability. You will need to provide an explanation for the answer you give for each program, and include any information or material that would be required for me to reproduce your work and reach the same conclusion.
• If you determined that a program exhibits a vulnerability, you will need to exploit that vulnerability by opening a shell using the four techniques we learned in class. For each exploit, provide all of the materials needed for me to reproduce your work. Explain every part of your payload, including how you found the addresses, how you determined the payload size, and proof that you were able to exploit the program using the provided payload. You are welcome to use the shellcode and payload patterns from class, along with any other course materials you find helpful. However, you should use first person and your own words when explaining what you did!

Things to remember:

• You must echo your name in every screenshot you include. It’s okay if the ‘echo’ command fails (like it would in gdb), but we will still be able to see your name in the command. You must echo your name to get credit for the screenshot.
• When possible, show the date and time when taking screenshots. (This would be hard to do in gdb, so only do it when taking a screenshot of the terminal.)
• You will get partial credit for guessing the payload. Full credit for the exploit will be given only if you were able to explain how to correctly construct it. In other words, show us that you understand what you’re doing! You will get no credit if you exploited your program by a coincidence.
• Your report should be well-written and consistent. Make sure that the payload shown in your screenshot matches the one you explain!! You will lose points if your answers are inconsistent or unclear.

Grading:

You can earn up to 3 points for every program you identify correctly. You can earn up to 10 points for each successful exploit. There are N possible exploits, but you only need to find N-2 exploits to get full credit for the assignment. The last two exploits will earn you extra credit (5 points each). We can’t give you N or the total number of possible points as this would reveal the number of vulnerable programs and possible exploits. Please note that N refers to the number of possible exploits and not to the number of vulnerable programs. We learned four different exploit techniques this semester, so the maximum number of exploits per program is 4.

Submission:

Copy hw4_notes to your student folder, and follow its outline when completing the assignment. In addition to keeping the file in your folder, we ask you to also submit the completed report to Gradescope as a PDF. Use ‘File->Download->PDF Document’ to download the file as a PDF, and use Canvas to submit the PDF to Gradescope. We will use Gradescope to grade the assignments, but we want you to keep the Google Doc version in your folder in case there is a technology glitch (and we’ve seen many of those in the last couple of weeks). Gradescope will ask you to match your answers to the questions and outline of hw4_notes, so make sure you follow the provided outline.

Systems Security Homework #4

Student Name:
Student ID:
Start Time:
End Time:

Part 1: Identify vulnerable programs

1. Which of the programs exhibits a buffer overflow vulnerability? Mark your answers in the table below.

   Program Name    Your Answer (1 point each)
   p1              Yes/No
   p2              Yes/No
   p3              Yes/No
   p4              Yes/No
   p5              Yes/No

2. Explain how you determined your answers to the previous question. For each program, write your explanation between the lines below; add more space if needed. Include commands and screenshots as needed. (10 points: 2 points for each program)

   a. Program P1:
   ________________________________________
   ________________________________________
   b. Program P2:
   ________________________________________
   ________________________________________
   c. Program P3:
   ________________________________________
   ________________________________________
   d. Program P4:
   ________________________________________
   ________________________________________
   e. Program P5:
   ________________________________________
   ________________________________________

Part 2: Exploit the vulnerability

Exploit each of the programs you found vulnerable using all applicable exploit techniques. The possible techniques are:

1. !ASLR & !NX: ASLR and NX off, by executing shellcode on the stack.
2. ASLR & !NX: ASLR on and NX off, by executing shellcode on the stack.
3. !ASLR & NX: ASLR off and NX on, using return-to-libc.
4. ASLR & NX: ASLR and NX on, using return-to-libc and a string built by your payload.

Use the text between the dashed lines (the next 2 pages) to report your exploits. Copy this text for every vulnerable program Pi. For instance, if you found that P1, P2, and P4 are vulnerable, the text between the dashed lines should be copied three times, one for each program. Remember that there are N possible exploits, and you can get full credit for finding N-2.

------------------------------------------ Program Pi ---------------------------------------------------------

1. !ASLR & !NX:
   a. Exploit the program using this technique! (5 points) Your answer must be a screenshot showing your payload and proving that it spawned a new shell. You can prove that you have reached a new shell by showing the shell PID before and after you run the payload (using $$), or by showing a gdb message saying that the program invoked a new shell.
   ________________________________________
   Put your answer here.
   ________________________________________
   b. Explain how you constructed the payload shown in ‘a’. (5 points) Your answer should explain how you determined the payload size and how you found the addresses used in your payload. You will likely need to use gdb for that purpose. You don’t need to explain the theory behind the exploit technique, but we need to be able to reproduce your work. For instance, you don’t need to explain why you used &pop-ret(), but you need to explain how you found it. You can use the shellcode we used in the studios if one is required by the exploit technique.
   ________________________________________
   Put your answer here.
   ________________________________________

2. ASLR & !NX
   a. Same as ‘a’ above.
   ________________________________________
   Put your answer here.
   ________________________________________
   b. Same as ‘b’ above.
   ________________________________________
   Put your answer here.
   ________________________________________

3. !ASLR & NX
   a. Same as ‘a’ above.
   ________________________________________
   Put your answer here.
   ________________________________________
   b. Same as ‘b’ above.
   ________________________________________
   Put your answer here.
   ________________________________________

4. ASLR & NX
   a. Same as ‘a’ above.
   ________________________________________
   Put your answer here.
   ________________________________________
   b. Same as ‘b’ above.
   ________________________________________
   Put your answer here.
   ________________________________________

------------------------------------------------------------------------------------------------------------------------------
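For the Part 1 question of what makes one of the binaries "vulnerable", here is an added illustration that is not part of the assignment or of the p1..p5 programs: the unbounded copy into a fixed-size stack buffer that an auditor looks for, beside a bounded handler that checks the length and refuses over-long input instead of overflowing. The BUF_SIZE, function names and the 70-byte sample input are all constructed for this example.

```c
/* Added example (not the assignment's code): the unbounded stack copy that
 * Part 1 asks you to recognise, next to a bounded handler that rejects input
 * which does not fit. BUF_SIZE and the sample input are constructed here. */
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 64

/* Vulnerable shape: strcpy() stops only at the input's NUL, so anything longer
 * than BUF_SIZE-1 bytes writes past buf into whatever sits above it on the
 * stack (saved frame pointer, return address). Shown for recognition only;
 * main() never calls it with user input. */
void greet_unbounded(const char *name) {
    char buf[BUF_SIZE];
    strcpy(buf, name);               /* no bound check: stack buffer overflow */
    printf("hello %s\n", buf);
}

/* Hardened shape: check the length against the destination before copying.
 * Returns the number of bytes accepted, or -1 if the input (plus its NUL)
 * would not fit, so the caller can reject it explicitly rather than rely on
 * silent truncation. */
int greet_bounded(const char *name) {
    char buf[BUF_SIZE];
    size_t len = strlen(name);
    if (len >= sizeof buf)
        return -1;                   /* would overflow: refuse the input */
    memcpy(buf, name, len + 1);      /* copies the NUL too; fits by the check */
    printf("hello %s\n", buf);
    return (int)len;
}

/* Constructed over-long input: 70 'A' bytes, which cannot fit in BUF_SIZE. */
const char OVERLONG_INPUT[] =
    "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA"
    "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA";

int main(void) {
    /* Read one line with a size bound, strip the newline, and hand it only to
     * the bounded handler. */
    char line[256];
    if (fgets(line, sizeof line, stdin) == NULL)
        return 1;
    line[strcspn(line, "\n")] = '\0';
    if (greet_bounded(line) < 0)
        fprintf(stderr, "input too long (max %d bytes)\n", BUF_SIZE - 1);
    return 0;
}
```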

Budget: $80.00

Due on: April 24, 2020 00:00

Posted: 5 months ago.