Due Date: September 14, 2010.
In this assignment, you will configure an attack program to compromise a buffer overflow vulnerability in a victim program. The victim program is instrumented to provide traces that will be helpful in determining how to leverage that vulnerability. Your task will be to modify the attack program, based on the victim traces, to overflow the buffer and start a shell program.
Note that this buffer overflow is 32-bit, x86-specific, so you must use such a machine.
In theory, this project could be done very quickly, so if you get stuck please seek help. There are some ad hoc materials online, but these may not help too much.
Follow these instructions:
Get the project tarball from here. The project tarball contains: (1) a
cse543-victim.c, which contains
a buffer overflow vulnerability and (2) an attack program,
cse543-attack.c, which contains code to leverage
buffer overflow vulnerabilities in victims.
Instructions for what to do are provided in the slide deck: project 1 slides. These instructions are for development on an x86 system running Linux. Please use a Linux system for this. There are several Linux labs around campus, and you can use these machines remotely as well. This project does not require root access.
In general, you need to: (1) configure the stack offset from the buffer to the return address (return address distance); (2) configure the new return address to launch a "jump-to-libc" style (note: we will jump to another function in the victim); and (3) write the necessary code to launch the exploit.
You are to complete this on your own. Any sharing of code or help during the coding of this project is expressly forbidden. Do not discuss this project with anyone.
Identify one method you could use to protect the return address from being modified without detection. You should use web resources to identify one such method (i.e., you don't have to invent it yourself).
Why isn't it possible for the attacker to run code that they inject into the stack in these Linux systems? You will need to look at the victim process's stack traces across multiple runs.
Why do you think that it has been so difficult to provide adequate defenses for buffer overflow attacks? Yes, this question is open-ended, so give it your best shot.