Project 1: Application SecurityFall 2023
Part 2 due Friday, September 15 at 11:59 p.m.
This project counts for 14% of your course grade. Late submissions will be penalized by 15% of the maximum attainable score. If you or your partner (if you’re working in a team) have a conflict due to travel, interviews, etc., please plan accordingly and turn in your project early.
This is optionally a group project; you may work in teams of two and submit one project per team. You may also work alone. Note that the exams will cover project material, so you and your partner should collaborate closely on each part.
The code and other answers you submit must be entirely your team’s own work, and you are bound by the Honor Code. You may discuss the conceptualization of the project and the meaning of the questions, but you may not look at any part of someone else’s solution or collaborate with anyone other than your partner. You may consult published references, provided that you appropriately cite them (e.g., with program comments).
Solutions must be submitted via the Autograder, following the submission details at the end of this spec.
Introduction
This project will introduce you to control-flow hijacking vulnerabilities in application software, including buffer overflows. We will provide a series of vulnerable programs and a virtual machine environment in which you will develop exploits.
Objectives
- Be able to identify and avoid buffer overflow vulnerabilities in native code.
- Understand the severity of buffer overflows and the necessity of standard defenses.
- Gain familiarity with machine architecture and assembly language.
- Understand the mechanics of buffer overflow exploitation.
Read this First
-
This project asks you to develop attacks and test them in a virtual machine you control. Attempting the same kinds of attacks against others’ systems without authorization is prohibited by law and university policies and may result in fines, expulsion, and jail time. You must not attack anyone else’s system without authorization! Per the course ethics policy, you are required to respect the privacy and property rights of others at all times, or else you will fail the course. See the “Ethics, Law, and University Policies” section on the course website.
-
The target programs for this project are simple, short C programs with (mostly) clear security vulnerabilities. We have provided source code and a build script that compiles all the targets. Your exploits must work against the targets as compiled and executed within the provided VM.
Setup
Buffer-overflow exploitation depends on details of the target system. You must develop and test your attacks inside the Application Security Project VM, as it has been configured to disable certain security features that would complicate your work.
-
Follow the setup instructions on the Application Security Project VM page.
-
Create a new private repository from the Github template. Clone your repository from GitHub inside the VM. You must do this in a folder in the native Linux filesystem. It won’t work correctly if you use a shared folder located in the host OS.
If you’re new to using Git/GitHub, check out this guide to help you get started.
-
Run
./build.sh
. It will prompt you for GT usernames. Each group’s targets will be slightly different, so make sure your usernames are correct! -
Run
./test.sh
to build the targets and test the (currently empty) solutions. The test script will report an error for each of the targets. You can ignore the errors as it is the first time you’re running it and your solutions are blank.
Resources and Guidelines
Primer Videos (Important!)
Before you begin the project, ensure that you watch the following videos. They contain many useful tips to help you along the project.
- Part 1: Buffer Overflows (Updated 8/24)
- Part 2: Shellcode & ROP
- Part 3: GDB (Updated 8/24)
You can find the videos’ slides here: https://files.gtinfosec.org/appsec_primer.pdf (Updated 8/24)
No attack tools allowed!
Except where specifically noted, you may not use special-purpose tools
meant for testing security or exploiting vulnerabilities. You must
complete the project using only general purpose tools, such as gdb
.
Control hijacking tutorials
Review the slides from the control-hijacking lectures and complete the lab. Read “Smashing the Stack for Fun and Profit,” available at https://files.gtinfosec.org/stack_smashing.pdf.
GDB
You will make use of the GDB debugger for dynamic analysis within the
VM. Useful commands that you may
not know are disassemble
, info reg
, x
, and stepi
. See
the GDB help for details, and don’t be afraid to experiment. This quick
reference may also be useful:
https://users.ece.utexas.edu/~adnan/gdb-refcard.pdf.
x86 assembly
These are many good references for Intel’s assembly language, but note that our project targets use the 32-bit x86 ISA. The stack is organized differently in x86 and x64. If you are reading any online documentation, ensure that it is based on the x86 architecture, not x64.
If you are getting a segfault
A segfault means that you’re either jumping execution to or dereferencing an address that is incorrect. This means you’re on the right track because you’ve overwritten something! If you are stuck as to where to start looking, check the addresses that your exploit has, and make sure they are both correct and in the correct place.
Targets (Part 1)
The targets described below must be submitted as part of the first milestone.
target0: Overwriting a variable on the stack 7 pts
This program takes input from stdin
and prints a message. Your job is
to provide input that causes the program to output:
“Hi username! Your grade is A+.
” (You can use any name for the username). To accomplish this, your input will need to overwrite another
variable stored on the stack.
Here’s one approach you might take:
-
Examine
target0.c
. Where is the buffer overflow? -
Disassemble
_main
. What is its starting address? -
Set a breakpoint at the beginning of
_main
and run the program. -
Using GDB from within the VM, set a breakpoint at the beginning of
_main
and run the program.(gdb) break _main (gdb) run
-
Draw a picture of the stack. How are
name[]
andgrade[]
stored relative to each other? -
How could a value read into
name[]
affect the value contained ingrade[]
? Test your hypothesis by running./target0
on the command line with different inputs.
What to submit
Create a Python 3 program named sol0.py
that prints a line to be
passed as input to the target. Test your program with the command line:
$ python3 sol0.py | ./target0
Hint: In Python 3, you should work with bytes rather than Unicode
strings. To construct a byte literal, use this syntax: b"\xnn"
, where
nn is a 2-digit hex value. To repeat a byte n times, you can do:
b"\xnn"*n
. To output a sequence of bytes, use:
import sys
sys.stdout.buffer.write(b"\x61\x62\x63")
Don’t use print()
, because it automatically encodes whatever is being
printed with the default encoding of the console. We don’t want our payload
to be encoded, so we use sys.stdout.buffer.write()
.
target1: Overwriting the return address 7 pts
This program takes input from stdin
and prints a message. Your job is
to provide input that makes it output: “Your grade is perfect.
” Your
input will need to overwrite the return address so that the function
vulnerable()
transfers control to print_good_grade()
when it
returns.
-
Examine
target1.c
. Where is the buffer overflow? -
Examine the function
print_good_grade
. What is its starting address? -
Using GDB from within the VM, set a breakpoint at the beginning of
vulnerable
and run the program.(gdb) break vulnerable (gdb) run
-
Disassemble
vulnerable
and draw the stack. Where isinput[]
stored relative toebp
? How long would an input have to be to overwrite this value and the return address?
When looking at the stack contents via gdb
, you will notice that there are
many null bytes added between ebp
and where the first variable (input[]
) is
stored. This is generally done by the compiler to ensure that esp
is a
multiple of 16 bytes.
-
Examine the
esp
andebp
registers:(gdb) info reg
-
What are the current values of the saved frame pointer and return address from the stack frame? You can examine two words of memory at
ebp
using:(gdb) x/2wx $ebp
-
What should these values be in order to redirect control to the desired function?
What to submit
Create a Python 3 program named sol1.py
that prints a line to be
passed as input to the target. Test your program with the command line:
$ python3 sol1.py | ./target1
When debugging your program, it may be helpful to view a hex dump of the output. Try this:
$ python3 sol1.py | hd
Remember that x86 is little endian. Use Python’s to_bytes
method to
output 32-bit little-endian values like so:
import sys
sys.stdout.buffer.write(0xDEADBEEF.to_bytes(4, "little"))
target2: Redirecting control to shellcode 7 pts
Targets 2 through 7 are owned by the root
user and have the suid
bit set. Your goal is to cause them to launch a shell, which will
therefore have root privileges. This and several of the following targets all take
input as command-line arguments rather than from stdin
. Unless
otherwise noted, you should use the shellcode we have provided in
shellcode.py
. Successfully placing this shellcode in memory and
setting the instruction pointer to the beginning of the shellcode (e.g.,
by returning or jumping to it) will open a shell.
-
Examine
target2.c
. Where is the buffer overflow? -
Create a Python 3 program named
sol2.py
that outputs the provided shellcode:from shellcode import shellcode import sys sys.stdout.buffer.write(shellcode)
-
Disassemble
vulnerable
. Where doesbuf
begin relative toebp
? What is the offset from the start of the shellcode to the saved return address? -
Set up the target in GDB using the output of your program as its argument:
$ gdb --args ./target2 "$(python3 sol2.py)"
-
Set a breakpoint in
vulnerable
and start the target. -
Identify the address after the call to
strcpy
and set a breakpoint there:(gdb) break *<address>
Continue the program until it reaches that breakpoint.
(gdb) cont
-
Examine the bytes of memory where you think the shellcode is to confirm your calculation:
(gdb) x/32bx 0x<address>
-
Disassemble the shellcode:
(gdb) disas/r 0x<address>,+32
How does it work?
-
Modify your solution to overwrite the return address and cause it to jump to the beginning of the shellcode.
What to submit
Create a Python 3 program named sol2.py
that prints a line to be used
as the command-line argument to the target. Test your program with the
command line:
$ ./target2 "$(python3 sol2.py)"
If you are successful, you will see a root shell prompt (#
). Running
whoami
will output “root
”. Running exit
will return to your normal
shell.
If your program segfaults, you can examine the state at the time of the
crash using GDB with the core dump: gdb ./target2 core
. To enable
creating core dumps, run ulimit -c unlimited
. The file core
won’t be
created if a file with the same name already exists. Also, since the
target runs as root, you will need to run it using sudo ./target2
in
order for the core dump to be created.
target3: Overwriting the return address indirectly 16 pts
In this target, the buffer overflow is restricted and cannot directly overwrite the return address. You’ll need to find another way. Your input should cause the provided shellcode to execute and open a root shell.
What to submit
Create a Python 3 program named sol3.py
that prints a line to be used
as the command-line argument to the target. Test your program with the
command line:
$ ./target3 "$(python3 sol3.py)"
target4: Beyond strings 16 pts
This target takes as its command-line argument the name of a data file it will read. The file format is a 32-bit count followed by that many 32-bit integers (all little endian). Create a data file that causes the provided shellcode to execute and opens a root shell.
Hint: First figure out how an attacker can cause a buffer overflow in
this program. Note that the read_elements
function
breaks the for-loop once the end of the file is reached, so the
32-bit count does not need to be truthful.
What to submit
Create a Python 3 program named sol4.py
that outputs the contents of a
data file to be read by the target. Test your program with the command
line:
$ python3 sol4.py > tmp; ./target4 tmp
Targets (Part 2)
The targets described below must be submitted as part of the second milestone.
target5: Bypassing DEP 16 pts
This program resembles target2
, but it has been compiled with data
execution prevention (DEP) enabled. DEP means that the processor will
refuse to execute instructions stored on the stack. You can overflow the
stack and modify values like the return address, but you can’t jump to
any shellcode you inject. You need to find another way to run the
command /bin/sh
and open a root shell.
Hint: You do not need to use shellcode.py
for this target.
What to submit
Create a Python 3 program named sol5.py
that prints a line to be used
as the command-line argument to the target. Test your program with the
command line:
$ ./target5 "$(python3 sol5.py)"
For this target, it’s acceptable if the program segfaults after the root shell is closed.
Warning: Do not try to create a solution that depends on you manually setting environment variables. You cannot assume that the autograder will run your solution with the same environment variables that you have set.
target6: Variable stack position 16 pts
When we constructed the previous targets, we ensured that the stack
would be in the same position every time the vulnerable function was
called, but this is often not the case in real targets. In fact, a
defense called ASLR (address-space layout randomization) makes buffer
overflows harder to exploit by changing the starting location of the
stack and other memory areas on each execution. This target resembles
target2
, but the stack position is randomly offset by 0–255 bytes each
time it runs. You need to construct an input that always opens a root
shell despite this randomization.
What to submit
Create a Python 3 program named sol6.py
that prints a line to be used
as the command-line argument to the target. Test your program with the
command line:
$ ./target6 "$(python3 sol6.py)"
Warning: If you see any output before the root shell is opened, you have not done this target correctly and your solution will not be accepted by the autograder.
target7: Return-oriented programming 15 pts
This target is identical to target2
, but it is compiled with DEP
enabled. Implement a ROP-based attack to bypass DEP and open a root
shell.
It will be helpful to use a tool such as ROPgadget.
The ROPgadget
command is already
installed on the provided VM. View its usage by running ROPgadget -h
. The
--binary
, --badbytes
, and --multibr
flags will be particularly helpful.
(You are also free to use the --ropchain
flag,
but it often produces relatively unintelligible results.
If you’re having trouble interpreting and extending its output,
we’d recommend against using it.
We aren’t able to vouch for the tool’s decisions when using --ropchain
.)
-
Though there are a number of ways you could implement a ROP exploit, for this target you should use the
setuid
syscall to become root, followed by theexecve
syscall to run the/bin/sh
binary. This is equivalent to:setuid(0); execve("/bin/sh", 0, 0);
-
For an extra push in the right direction,
int 0x80
is the assembly instruction for interrupting execution with a syscall. If the EAX register contains the number 23, the syscall will besetuid
; if it contains 11, the syscall will beexecve
. You need to figure out what values you need for EBX, ECX, and EDX, and set them using ROP gadgets! -
We recommend that you start by getting the
execve
call to work on its own, withoutsetuid
. When you do this correctly, it will open a shell, but you won’t be root. Then modify your solution to make it callsetuid
first, and you’ll get a root shell.
What to submit
Create a Python 3 program named sol7.py
that prints a line to be used
as the command-line argument to the target. Test your program with the
command line:
$ ./target7 "$(python3 sol7.py)"
For this target, it’s acceptable if the program segfaults after the root shell is closed.
Frequently Asked Questions
I’m getting an “ignored null byte in input” but I didn’t put any null bytes in my input.
Targets 2, 3, 5, 6, and 7 require you to pass in a value as a
command-line argument, but arguments in Unix cannot contain null bytes.
(The other targets, which read data from stdin
or a file, don’t face this challenge.)
Using target 2 as an example, you can examine the exact bytes of your solution using this command:
$ python3 sol2.py | hd
Do you see a null byte? Something in your Python code like this example may be causing it:
(0xFF).to_bytes(4, little)
This will format the integer as 4 bytes in little endian. If the value is too small, it will be padded with zeros, such that the line produces bytes 0xFF, 0x00, 0x00, and 0x00. It is also possible that an address you’re trying to use happens to have a null byte. In that case, try to find an alternative way to accomplish what you’re trying to do by, for example, using a copy of the data located at a different address, or overwriting a different function’s return address.
I get a root shell when I run sudo ./test.sh
. Am I done?
No! You should only run test.sh
without sudo
. If you run it under sudo
,
then your shells will always be spawned as the root
user, whether you have accomplished
the task of opening a root shell or not. If you previously ran test.sh
with sudo
,
you might get permission errors from Git when you run the test script without sudo
.
To fix this, run the following in the root directory of your local repository:
$ sudo chown -R cs3235:cs3235 .git
My solution works in GDB but not from the command line.
The most likely explanation is that you’re referencing data from argv[]
. Since argv[]
comes from outside of _main
‘s stack frame, its position can vary depending
on the size of the environment and arguments, which can be slightly different when
running under gdb
. The best solution is to find the data you need in the stack
frame of the vulnerable function, rather than from argv[]
.
Submission Details
-
Visit the project on the autograder for either part 1 or 2, and optionally create a team.
-
Submit your
cookie
file and your solutions to the targets (sol0
-sol4.py
for Part 1 andsol5
-sol7.py
for Part 2). You can submit solutions up to 20 times per day. If this limit is exceeded, you will have to wait till 12:00 AM the next day to submit again.
If the files that you want to submit are in the VM and you’re not sure how to upload it to the autograder, follow these steps.
Your files can make use of standard Python 3 libraries and the provided
shellcode.py
, but they must be otherwise self-contained. Do not modify
or include the targets, build script, helper.c
, shellcode.py
, etc. Be
sure to test that your solutions work correctly in an unmodified copy of
the provided VM, without installing or updating any packages or changing
any environment variables.