CS 4740 / CS 6740 - Network Security

Project 3: Remote Memory Exploits, Part 2

This project is due at 11:59pm on April 7, 2015.

Description

In this assignment your goal is to exploit two network services that we have setup for you. Each network service is different, and each includes a specific, exploitable vulnerability that you will need to identify. Once you have identified these vulnerabilities, you will need to construct programs that deliver malicious payloads to each service, triggering and exploiting the vulnerabilities.

The Servers

There are three services running on guldendraak.ccs.neu.edu that you will need to attack. You must attack the Message Signing Server, and you may choose which of the Echo Servers to attack. You do not have to exploit both Echo Servers. The services and their ports are:

The archives linked above contain the source code and build scripts for these services. The exact binaries that are running on Guldendraak are also provided in the archives. Like Project 2, all binaries are compiled without stack protection (-fno-stack-protector), and are running with ASLR disabled. Unlike Project 2 these services have some differences:

Secret Flags

Each service is running in a directory that includes a secret flag. After you have exploited each service you must collect the corresponding secret flag.

How to Approach This Assignment

This project is conceptually similar to Project 2: you will use the same skills and tools to analyze the servers and develop exploits. However, the types of exploits you will need to use against these services are different from Project 2. All three servers require drastically different attack approachs.

You might also be interested in knowing that Guldendraak has the traditional version of netcat installed that supports -e, as opposed to the OpenBSD version that does not support -e. Why am I telling you this? Who knows ;)

Accessibility

For security reasons, the services on Guldendraak only accept TCP connections from machines in the CCIS network. Thus, you must be physically present on campus, tunneled/VPNed to campus, or SSHed into a CCIS machine in order to access the services.

What You Need to Turn In

To receive credit on this assignment, you will need to turn in all your code, as well as a file named secrets.json that contains the following JSON formatted data:

{
    "service1_secret": "secret flag from the cert server, as a string",
    "service2_secret": "secret flag from encr echo server's revenge, as a string",
    "service3_secret": "secret flag from encr echo server 3, as a string"
}
You can use the following Python commands to test whether your file is valid JSON:
% python >>> import json
>>> s = json.loads(open('secrets.json').read())
>>> print isinstance(s["service1_secret"], basestring)
>>> print isinstance(s["service2_secret"], basestring)
>>> print isinstance(s["service3_secret"], basestring)
If you see an exception, then your file is not formatted correctly (or your file couldn't be found).

Language and Libraries

You can write your code in whatever language you choose, as long as your code compiles and runs on unmodified CCIS Linux machines on the command line. Do not use libraries that are not installed by default on the CCIS Linux machines. Similarly, your code must compile and run on the command line. You may use IDEs (e.g. Eclipse) during development, but do not turn in your IDE project without a Makefile. Make sure you code has no dependencies on your IDE.

Shellcode

You may use any shellcode that you wish during this assignment. You may use tools such as Metasploit to help you construct shellcode. If you use shellcode from the Web, you must cite the source of this code. You may use any style of exploit payload that you wish (e.g. command injection, reverse shell, etc.).

Submitting Your Project

If you have not done so already, register yourself for our grading system using the following command:

$ /course/cs6740sp15/bin/register-student [NUID]
NUID is your Northeastern ID number, including any leading zeroes.

Before turning in your project, you and your partner(s) must register your group. To register yourself in a group, execute the following script:

$ /course/cs6740sp15/bin/register project3 [team name]
This will either report back success or will give you an error message. If you have trouble registering, please contact the course staff. You and your partner(s) must all run this script with the same [team name]. This is how we know you are part of the same group.

To turn-in your project, you must submit your code along with a file named secrets.json that contains the secrets obtained from exploiting the services. Your secrets.json file and source code should all be placed in a directory. You submit your project by running the turn-in script as follows:

$ /course/cs6740sp15/bin/turnin project3 [project directory]
[project directory] is the name of the directory with your submission. The script will print out every file that you are submitting, so make sure that it prints out all of the files you wish to submit! The turn-in script will not accept submissions that are missing the secrets.json file. Only one group member needs to submit your project. Your group may submit as many times as you wish; only the last submission will be graded, and the time of the last submission will determine whether your assignment is late.

Grading

This project is worth 13 points, with the potential for 2 points of extra credit. If you submit the correct secret flags for the first two servers, you will receive full credit. If you submit the correct secret flags for servers 1 and 3, you will receive 15 points. There are no bonus points for turning in all three secret flags. We will randomly check student's code to make sure that it works correctly. All student code will be scanned by plagarism detection software to ensure that students are not copying code from the Internet or each other. Students who are caught cheating will receive a zero on the assignment, and will be reported to OSCCR.