Smashing The Stack For Fun And Profit Assignment 3
Part 1 – Telnet Server
For the first part of this assignment you will write two programs for either MS Windows or Linux. One program will be a telnet server that listens on a port specified on the command line (make the default port 100). The telnet server should support some form of authentication; you may decide how to incorporate it. When the server receives a command from an authenticated user, it should run the command and return the results to the user across the network. The server must be implemented in pure C. Your second program will be a client program to test the functionality of the telnet server. The client should read a string from the command line, connect to the telnet server, send the string, and print any output received from the server. The client can be written in any language.
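Added example, not part of the assignment text: one way to structure the server side in C, with the authentication gate and command handling in a function that can be exercised without a network, and a minimal loopback-only listener around it. The password, the return codes, the function names and the buffer sizes are this example's own choices, not anything the assignment prescribes.

```c
/* Part 1 sketch: authenticated line handler plus a minimal listener.
 * Build: cc -std=c11 -Wall -o tserver tserver.c   Run: ./tserver [port] */
#define _POSIX_C_SOURCE 200809L
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>

#define DEFAULT_PORT 100            /* the default the assignment asks for */
#define MAX_LINE 256                /* constructed line limit for the example */
#define AUTH_PASSWORD "hunter2"     /* constructed credential; load from config in real code */

struct session { int authenticated; };

/* Return codes of handle_line(). */
enum { RC_OK = 0, RC_AUTHED = 1, RC_REFUSED = -1, RC_TOO_LONG = -2 };

/* Processes one client line and writes the reply into out (NUL-terminated).
 * The gate is the important part: nothing runs until "AUTH <password>" succeeds. */
int handle_line(struct session *s, const char *raw, char *out, size_t out_len)
{
    char line[MAX_LINE];
    if (snprintf(line, sizeof line, "%s", raw) >= (int)sizeof line) {
        snprintf(out, out_len, "ERR line too long\r\n");
        return RC_TOO_LONG;
    }
    line[strcspn(line, "\r\n")] = '\0';        /* telnet clients send CRLF */

    if (!s->authenticated) {
        if (strncmp(line, "AUTH ", 5) == 0 && strcmp(line + 5, AUTH_PASSWORD) == 0) {
            s->authenticated = 1;
            snprintf(out, out_len, "OK\r\n");
            return RC_AUTHED;
        }
        snprintf(out, out_len, "ERR authenticate first\r\n");
        return RC_REFUSED;
    }

    /* Authenticated: run the line as a shell command (with the server's own
     * privileges) and capture stdout and stderr into the reply. */
    char cmd[MAX_LINE + 8];
    snprintf(cmd, sizeof cmd, "%s 2>&1", line);
    FILE *p = popen(cmd, "r");
    if (p == NULL) {
        snprintf(out, out_len, "ERR cannot run command\r\n");
        return RC_REFUSED;
    }
    size_t used = 0;
    int c;
    while (used + 1 < out_len && (c = fgetc(p)) != EOF)
        out[used++] = (char)c;
    out[used] = '\0';
    pclose(p);
    return RC_OK;
}

/* Feeds one or two lines to a fresh session and returns the last code, so the
 * authentication gate can be checked without opening a socket. */
int replay(const char *first, const char *second)
{
    struct session s = {0};
    char out[1024];
    int rc = handle_line(&s, first, out, sizeof out);
    if (second != NULL)
        rc = handle_line(&s, second, out, sizeof out);
    return rc;
}

int main(int argc, char **argv)
{
    int port = argc > 1 ? atoi(argv[1]) : DEFAULT_PORT;
    int lfd = socket(AF_INET, SOCK_STREAM, 0);
    struct sockaddr_in addr = {0};
    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);   /* loopback only for testing */
    addr.sin_port = htons((uint16_t)port);
    int one = 1;
    setsockopt(lfd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    if (bind(lfd, (struct sockaddr *)&addr, sizeof addr) < 0 || listen(lfd, 1) < 0) {
        perror("bind/listen");       /* ports below 1024 need privileges on Linux */
        return 1;
    }
    for (;;) {                       /* one client at a time, one line per request */
        int cfd = accept(lfd, NULL, NULL);
        if (cfd < 0) continue;
        FILE *in = fdopen(cfd, "r");
        struct session s = {0};
        char line[MAX_LINE], out[4096];
        while (fgets(line, sizeof line, in) != NULL) {
            handle_line(&s, line, out, sizeof out);
            (void)write(cfd, out, strlen(out));
        }
        fclose(in);                  /* also closes cfd */
    }
}
```

Because the assignment's default port 100 is below 1024, on Linux the listener either runs as root or is started with a higher port on the command line. Keeping the handler separate from the socket code also pays off in Part 6, where the copy into the command buffer is the one place that needs the length check.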
Part 2 – Buffer Overflow 1
For the second part of this assignment you will consciously introduce a buffer overflow vulnerability into your telnet server code (if one does not already exist). A strcpy operation between the input and command execution buffers is an ideal location to introduce the overflow vulnerability.
Once you have introduced the vulnerability into your server, you must use the client program to crash the server by sending a buffer so large that it causes a segmentation fault. This is, in essence, a denial of service attack.
Part 3 – Buffer Overflow 2
For the third part of your assignment you will introduce an uncalled function into your server. This function can do anything you like as long as it is easy to prove that the function is called. An example function might write a line of text to a log file. The function should not be called by any regular operation of your server. We might imagine that it is a deprecated function that has just not been removed from the code yet.
You will use the client program to cause a buffer overflow in your server and force the execution of the uncalled function. This is similar to the serial.c example from class.
Part 4 – Buffer Overflow 3
For the fourth part of this assignment you will craft your own custom shellcode and execute it off the stack of your vulnerable server, via the client program. Your shellcode can do anything you like as long as you don’t use any of the example shellcode from class, like calling exit() or spawning a shell. You must, however, be able to prove that your shellcode has executed by examining the server. Perhaps your shellcode will create a file, write some text, delete a file or similar. If your shellcode is smaller than your server’s buffer, you must implement a NOP slide before the shellcode payload.
Part 5 – Buffer Overflow 4
For the fifth part of this assignment you will enable the non-executable stack protection feature in your server by removing the “-z execstack” line from your compiler commands. This should prevent any shellcode from executing off of the server’s stack, like in part 4 above. You will then circumvent this protection mechanism by using a “return to libc” attack to spawn a reverse shell that will be sent back to the client, or by performing some action that would allow an attacker to connect to a shell on the server. This must be performed remotely, i.e. you cannot simply spawn a shell using our in-class shellcode. You must return an open connection to the client or otherwise start a listening service, for example via netcat.
Part 6 – Fixes
For the final part of the assignment you must fix your buffer overflow vulnerability in your server code by replacing the vulnerable non-bounds-checking function with a more secure version. You will then demonstrate that the fix works by trying some of your earlier buffer overflow attacks.
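Added example, not part of the assignment text, covering both Part 2 and Part 6: the strcpy hand-off from the input to the command buffer that Part 2 describes, beside the bounded replacement Part 6 asks for. The buffer size, the helper names and the constructed inputs are this example's own; strlen() stands in for actually executing the command.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CMD_BUF_LEN 64   /* constructed size for the example */

/* Part 2 pattern ("before"): strcpy stops only at the first NUL byte, so an
 * input longer than CMD_BUF_LEN - 1 runs past cmd[] into the saved registers
 * and return address of this frame. Kept here only as the "before" of the fix. */
int run_command_vulnerable(const char *input)
{
    char cmd[CMD_BUF_LEN];
    strcpy(cmd, input);                         /* no length check */
    return (int)strlen(cmd);                    /* stand-in for executing cmd */
}

/* Part 6 replacement: copy only if the whole string, terminator included, fits.
 * Returns 0 on success, -1 if it does not fit (dst is then empty).
 * Rejecting beats silent truncation: a cut-off command is a different command.
 * Note that strncpy(dst, src, dst_len) alone is not a fix: it leaves dst
 * unterminated when src is too long. */
int copy_command_bounded(char *dst, size_t dst_len, const char *src)
{
    if (dst_len == 0)
        return -1;
    const char *nul = memchr(src, '\0', dst_len);   /* reads at most dst_len bytes */
    if (nul == NULL) {                               /* no terminator within dst_len */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, (size_t)(nul - src) + 1);      /* length includes the NUL */
    return 0;
}

/* The same handler with the bounded copy in place of strcpy ("after"). */
int run_command_fixed(const char *input)
{
    char cmd[CMD_BUF_LEN];
    if (copy_command_bounded(cmd, sizeof cmd, input) != 0)
        return -1;                              /* refuse overlong input */
    return (int)strlen(cmd);
}

/* Feeds a constructed input of `len` 'A' bytes to the fixed handler so the
 * boundary (63 fits, 64 does not) can be checked. */
int feed_fixed_handler(size_t len)
{
    char *buf = malloc(len + 1);
    if (buf == NULL)
        return -2;
    memset(buf, 'A', len);
    buf[len] = '\0';
    int rc = run_command_fixed(buf);
    free(buf);
    return rc;
}

int main(void)
{
    printf("short command, fixed handler:   %d\n", run_command_fixed("ls -l"));
    printf("63 bytes (largest that fits):   %d\n", feed_fixed_handler(63));
    printf("64 bytes (rejected):            %d\n", feed_fixed_handler(64));
    printf("200 bytes (rejected, no crash): %d\n", feed_fixed_handler(200));
    return 0;
}
```

The length check is the actual fix: it holds whether or not the stack is executable, so the Part 2, 3, 4 and 5 inputs all stop at the rejection instead of reaching the saved return address. Dropping "-z execstack" as in Part 5, and building with gcc's -fstack-protector, are complementary hardening layers rather than substitutes for it, and the same check belongs at every other point where client input lands in a fixed-size buffer.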
Part 7 – Evaluation
Requirement | Not Complete | Fully Completed (Must be able to demonstrate)
Part 1 | 0 | 1
Part 2 | 0 | 1
Part 3 | 0 | 1.5
Part 4 | 0 | 1.5
Part 5 | 0 | 1.5
Part 6 | 0 | 1
Total | | 7.5
Part 8 – Deliverables
Your submission must include all of your source code for the client & server, both the vulnerable version and the fixed version. You must also include all of your shellcode and exploit code involved in the various buffer overflows. Finally, you must supply screenshots or other proof that your exploits work as required and that the subsequent code fixes make the vulnerability unexploitable. Package all of the code, screenshots and other proof in a zip and upload it to the appropriate dropbox in SLATE.
Part 9 – Challenge
For an added challenge try encrypting the connection between client and server (highlighting the traditional issues associated with telnet).