Lab Assignment #1

Exploiting Simple Stack overflow

Software Security (CS52700) Fall-16, Purdue University

Byoungyoung Lee

As the first lab assignment, we will learn how to exploit a simple stack overflow in the target binary (i.e., lab-1/target in our git repository https://github.com/lifeasageek/cs52700-public). Specifically, you will need to reverse-engineer target in order to (1) understand how the stack overflow happens, (2) manipulate a return address value, and (3) achieve the final exploitation goal, reading the flag.

Instruction

Before getting started, follow the setup instruction to setup the working environment. After setting up the environment, you can run the following commands to run the target binary.

# ssh to VM
$ vagrant ssh

[vm]:~$ cd /vagrant/cs52700-public/lab-1

# Run the target binary will ask you to enter stdin inputs.
[vm]:/vagrant/cs52700-public/lab-1$ ./target
Please input something...

Exploitation Goal: Reading a Flag

In this lab assignment (as well as all the following lab assignments), your exploitation goal is to read a flag. This flag can be retrieved by reading the file, /proc/flag. If you simply tried to read this /proc/flag without going through a proper exploitation process, it will return a meaningless flag.

# This simple flag reading attempt will return a meaningless flag 
# (NOT A VALID FLAG)
[vm]:~$ cat /proc/flag 
F38FE749E36CD0437AD0062D6836C393618FCC4A412FDE666C89EB41AC0814D5
                  >>> NOT A VALID FLAG  <<<
l2AF0AEC61229004D9E8CF6F4E3622419A37F6D410526951D6EB2F639DBEA49AD

However, if you truly exploited (i.e., reading /proc/flag by hijacking the control flows of target), it will generate valid, long flag strings (at least 5 lines), which encrypts various information on how you exploited. Using this information, we can later verify whether you truly exploited or cheated the exploitation process:(

For example, once we run the reference exploit, exploit.py (of course this is NOT include in the repository), following outputs are shown. Since this flag sting can be randomly changed, you may assume that you got a valid flag as long as your flag strings do not include the string "NOT A VALID FLAG".

# Running the target binary with a reference exploit (i.e.,
# exploit.py), a flag is dumped.
[vm]:/vagrant/cs52700-public/lab-1$ ./exploit.py|./target
Please input something...
This is your flag:

5CA37AA3E5B205B01DAF416952A8291B4EDA28CB96D0FC0B7056B0199F5160D3
# More flags strings will be shown here.

Submission

Make your own tarball, named lab1.tar.gz, and submit it through the submission site. Your tarball must include following files.