Due: Thursday, January 18th, 11:59 PM
The goal of this assignment is to gain hands-on experience with the effect of buffer overflow, format string, and double free bugs. Your work in this project will be done in an emulated “sun4m” machine, a line of workstations sold by Sun Microsystems throughout the 1990s, featuring Sun’s 32-bit SPARC CPU. In our experiments, we will run NetBSD 7.0.2, released 2016, instead of SunOS. We strongly recommend that you use QEMU to run the virtual machine; we have supplied an x86_64 VM (also running NetBSD 7.0.2) with QEMU installed; you can run this enclosing VM using VirtualBox or VMware Player.
You can examine the official reference manual for the SPARC 32-bit architecture as needed. You will especially want to understand how the stack and register windows interact, something covered in an excellent writeup by Peter Magnusson.
You are given, the source code for two
target2.c. These programs are to be compiled and
run on your Sun VM. Your goal is
to write two exploit programs (
sploit[i] will send a command to
target[i] that exploits a
vulnerability in the target program and causes it to execute
We have supplied you with shellcode (in
that will spawn a shell and connect to localhost on port 12345.
If you have a program listening for connections on this port,
for example by running
nc -l 12345 on the SPARC VM,
and if your exploit causes the target program to execute the
supplied shellcode, then you should see a connection to nc,
and you should be able to interact with the shell through nc.
(Unfortunately, the shell won’t print a prompt, because
it can tell that it isn’t connected directly to a terminal.)
The skeletons for
sploit2 are provided as
sploit2.c. Note that correct solutions
for the exploit programs can be very short, so there is no need to
write a lot of code here.
You will test your exploit programs within a virtual machine designed to run on an emulated sun4m workstation. This VM is available for download on the course website. To run the VM, you will need an emulator for the sun4m series. An x86_64 virtual machine with QEMU installed is likewise available for download on the course website; we strongly recommend that you use this enclosing VM. You can run the enclosing VM using VirtualBox, which is freely available for Windows, Mac OS X, and Linux.
The SPARC virtual machine we provide is configured with NetBSD 7.0.2. You should be able to use NetBSD’s ports and pkg_add facilities to add software to the virtual machine, should you need to. We have already installed curl, rsync, nano, and git. BSD-derived operating systems like NetBSD have the vi editor already installed; we recommend you try the system vi before installing vim with pkg_add.
The SPARC virtual machine is configured to use NAT (Network Address Translation) for networking. You should be able to make outgoing connections from the virtual machine to any server you control, though not pings, for unimportant technical reasons. In addition, the SPARC virtual machine runs sshd, and we have set up the wrapper script to expose the sshd server on port 1271 of the wrapper virtual machine. You may then be able to connect to port 1271 on the wrapper virtual machine from your physical host computer either directly or by setting up VirtualBox networking to forward the port again to the host.
The download tarball includes a Makefile that specifies how to build the targets.
The Makefile also provides a “
command that will create named pipes
/tmp/target2. The targets will wait to read a command
from the pipe. Your exploit will write a command to the pipe,
which will be received and processed by the target. (It is a
property of named pipes, also called FIFOs, that a reader will block
until a writer arrives, and a writer will block until a reader
arrives.) You may need to rerun
make pipes each time you
restart the SPARC virtual machine.
You should not run the targets directly. Instead, run them through
run-target wrapper. The
wrapper will ask for two arguments. The first is either
to run target1 or
2 to run target2. The second will be
a four-digit ID that we will supply each of you. Make sure always to
use the same, correct ID; this will ensure that addresses for stack
variables remain consistent each time you examine your target, making
your exploits reliable and repeatable. If you work with a partner,
you may use either of your two four-digit IDs.
The assignment tarball also
contains skeleton source for the exploits which you are to write,
along with a Makefile for building them. Also included is
shellcode.h, which gives a shellcode for
NetBSD/sparc, based on Solaris/sparc shellcode by
This shellcode is a “reverse shell” or “connect-back” shellcode: it causes the process that executes it to make a TCP connection to a particular IP address and port, then expose a shell on that connection. If you set up a program to listen for incoming connections on that IP and port, then you can use that program to interact with the shell and give it commands to execute.
The shellcode you are given is hard-coded to connect to the
localhost (127.0.0.1) IP address and to port 12345. You can use
the netcat program installed on the SPARC VM to listen on that
nc -l 12345
If you successfully exploit a target, you should be able to type
ls and hit RETURN in netcat, then
see their output (in the case of ls, a directory listing). You
will not see a shell prompt.
Read Aleph One’s “Smashing the Stack for Fun and Profit.” Carefully. Also read the optional handouts — have a good understanding of what happens to the stack, program counter, and relevant registers before and after a function call. All the papers are linked from the course syllabus. It will be helpful to have a solid understanding of the basic buffer overflow exploits before reading the more advanced exploits.
GDB is your best friend in this assignment, particularly to
understand what’s going on. Specifically, note the
“disassemble” and “nexti” commands. You may
find the “x” command useful to examine memory (and the
different ways you can print the contents such as
x). The “
register” command is helpful in printing out the
contents of registers.
A useful way to run gdb is to connect to the target after it has been executed by the run-target wrapper.
Start early. Theoretical knowledge of exploits does not readily translate into the ability to write working exploits. The first target is relatively simple and the other problems are quite a bit more complicated.
Aleph One gives code that calculates addresses on the target’s stack based on addresses on the exploit’s stack. Addresses on the exploit’s stack can change based on how the exploit is executed (working directory, arguments, environment, etc.); in our testing, we do not guarantee to execute your exploits as bash does.
You must therefore hard-code target stack locations in your
exploits. You should not use a function such
get_sp() in the exploits you hand in.
Download the giftwrap virtual machine,
giftwrap.ova (warning: 470 MB!).
Import the VM into VirtualBox and run it.
Once it boots, log in as root (no password).
Download and decompress the box VM image:
curl -O https://cseweb.ucsd.edu/classes/wi18/cse127-a/sparcbox.tar.bz2 tar xzvf sparcbox.tar.bz2 rm sparcbox.tar.bz2
The virtual machine is now ready to run. The virtual drive is stored in the file boxdisk.raw; you can back this file up to create snapshots.
To launch the VM, you will run QEMU using the supplied wrapper script:
The emulator will take a little while to boot the VM all the way to a login prompt. You may consider getting a cup of coffee.
The SPARC VM has two accounts, root and user. The root account’s
password is “
root” (without the quotes);
the user account’s password is “
(again without the quotes). You can shut the VM down by logging in
as root and typing the command “
will do most of your work as user.
While you can interact with the SPARC VM through the console you get by running boxboot, you will probably have a better experience if you SSH into it from your physical host computer. Expose port 1271 on the giftwrap VM to the host and SSH into it. You can make multiple SSH connections simultaneously.
Log in as user and download and decompress the project tarball:
curl -O https://cseweb.ucsd.edu/classes/wi18/cse127-a/pp1-rev.tar.gz tar xzvf pp1-rev.tar.gz
Your current directory should now have the targets and exploit starter code. Good luck!
To shut down the giftwrap VM type “
Inside the SPARC VM, download the submission script:
curl -O https://cseweb.ucsd.edu/classes/wi18/cse127-a/pp1-turnin.sh
Create a file called GROUP in the same directory as your sploit1.c and sploit2.c solutions. In this file, put your four-digit ID if you worked alone; or both your four-digit ID and your partner’s four-digit ID if you worked with a partner, on a single line, separated by a space. If you worked with a partner, put whichever ID your exploits are tailored for first, then the other ID.
In the directory that contains GROUP, sploit1.c, and sploit2.c, run the turnin script:
chmod 755 ./pp1-turnin.sh ./pp1-turnin.sh
Follow the prompts. If all goes well, you should see a message saying, “Congratulations, your homework was submitted.”
Readings on exploiting SPARC buffer overflows:
Readings on exploiting format string vulnerabilities:
This project is based on Project 1 from CS 460, Software Vulnerability Analysis, which Stephen Checkoway taught while he was at Johns Hopkins.