代写COMP6236 Buffer Overflow Attacks and Software Hijacking

COMP6236

2024

Coursework 1: Buffer Overflow Attacks and Software Hijacking

This coursework is divided into two parts. Part one is on buffer overflow attacks, which are based on Buffer Overflow Lab. You will be assessed on your ability to successfully exploit buffer overflows and other vulnerabilities and explain your methodology. Part two is on software hijacking, based on Reverse Engineering Lab and will assess your ability to carry out the successful exploitation of software. The coursework is an individual coursework and is worth 30% of the module marking in total.

Notes

The following notes are intended to highlight some common ”gotchas”.

1. Remember that Metasploit’s pattern create can be set to a length of your choice and does not have to be 100.

2. If you get stuck, try consulting the man page for the tools you are using.

3. If an exploit seems to work but closes out immediately instead of giving you a shell, remember that both “Cat” and “\bin\sh” can be forced to remain open. Have a look at their man pages (by running “man cat” and “man /bin/sh”).

4. Remember that if you are counting characters including hex values, then the “\x” should be omitted from the count.

5. You might want to increase the memory allocation to your VM when running Ghidra (VirtualBox -> settings -> system).

6. Remember that in Ghidra you can search for functions under the Symbol tree to the left, but you can also click the search option at the top and then select to search for other things, such as strings.

7. The application you have to compromise in part 2 will have multiple popups coming up to communicate both flags and errors, with more than one coming at a time. So please do not close down the application as soon as you get a popup but instead wait a few seconds.

8. Part 2 has more than one flag, so please read all the information displayed by the application on every popup and in the main window as these may change after you patched something.

9. In the settings tab for your VM, find the advanced section (settings -> general -> advanced) and then enable shared clipboard for ”host to virtual machine”. This will allow you to type commands on your host system and then copy them over to the VM.

Submission Instructions

Please use the template provided and submit using Turnitin on the module blackboard page at this link. (You should be able to see the “Assignments” tab on the left panel)

Marking Criteria

Your submission will be marked out of 35 and then refactored to a mark out of 30. The following criteria will be used.

Part

Criteria

Marking Scheme

Part 1

Ability to identify and exploit the vulnerabilities introduced during main lectures and labs, such as buffer overflows.

Up to 20 marks, awarded based on (i) how many flags are correctly retrieved and (ii) the correctness and completeness of the description about vulnerabilities and exploits.

Part 2

Ability to decompile, reverse engineer and patch a given application.

Up to 15 marks, awarded based on (i) how many flags are correctly retrieved and (ii) the correctness and completeness of the description about each

process in the licence-checking function.

Marks calculation

This coursework counts for 30% of the module mark. It has a total of 35 points available which are then refactored to a mark out of 30.

File format

Submitted file is in PDF format, the report is compliant with the provided template. If the format is not PDF, a 5 marks penalty will be applied. If the report is corrupted or cannot be opened, 0 mark will be awarded for the coursework.

Part 1

Setup

As in Reverse Engineering Lab, we will have to use an OVA image. Please download the VM from here, and import it into Virtualbox. To import the OVA, first open VirtualBox, then hit ”CTRL + I” or select ”import appliance” from the ”File” menu (top left). Then click next and follow the installation procedure. Thereafter please check the following before launching the VM:

VirtualBox 6 and earlier - Most university machines

1. Once the machine is imported, single-click on it in VirtualBox and then to the right go to ”networking” and select ”Bridged adaptor”

2. Wait for the VM to boot, and on boot login with User: info and Password: info to see the current IP address printed.

VirtualBox 7

1. You need to go File → Tools → Network Manager and make a host network if one doesn’t exist already.

2. Make sure DHCP enabled is ticked as illustrated in Figure 1 or the VM will hang at boot forever.

3. Then go to VM network settings and check it’s set to that host-only network, and specify the network you created or the one that exists.

4. Wait for the VM to boot, and on boot login with User: info and Password: info to see the current IP address printed.

Troubleshooting: If, after successfully importing it, the VM fails to launch with a networking error, just go to networking settings and change the option to one not already selected.

Figure 1: DHCP enabled

Marks Breakdown

This Lab contains 4 flags. Once you complete each challenge, you will need to submit your flag alongside a step-by-step guide of how you found it on the marking form.

The marks for this are broken down as follows:

1 Mark For each flag.

4 Marks For your step-by-step guide on how you completed the challenge, consisting of:

1 Mark: For clarity of your description.

1 Mark: For identifying and deploying an appropriate exploit.

2 Mark: For the process you used and the troubleshooting and problem-solving you performed.

Ultimately, The aim of the step-by-step guide is to provide the marker with evidence that you have an in- depth understanding of the task at hand. The more creative your guide, the better.

Task1 - Authentication Please

Go to the IP address of your VM in a web browser to open the first challenge. For example

http://192.168.56.101/

Buffer overflow this login system to get to the next task.

Look around the page for clues to help you. Everything you need is there!

When you complete this challenge, you will be given a flag and login details for the next challenge.

Task 2 - Return to win

Login as Task 2 using the credentials you were given at the end of the last challenge. The challenge2 binary is setuid and compiled with an executable stack.

Buffer overflow the binary to become the task2-win user.

Read flag2.txt to proceed to obtain your flag and proceed to the next challenge.

Task 3 - Shellcoding

Login as Task 3 using credentials from the previous task.

The challenge3 binary is setuid and compiled with an executable stack.

Buffer overflow the binary by injecting and returning to some shellcode to become the task3-win user. Read flag3.txt to proceed to obtain your flag and proceed to the next challenge.

Task 4 - Root shell through Ret2Libc

Login as Task 4 using the credentials you got from the previous task. The challenge4 binary is setuid but does not have an executable stack.

Using the ret2libc technique covered in Lab 1, buffer overflow the binary to become root. Read flag4.txt to proceed to obtain your flag.

Submit flags and Methodology

Follow the submission instructions above to submit the flags you found with a step-by-step guide of how you found them.

Part 2

Task 5: Decompile the application

5 Marks Decompile the application and figure out:

1 Marks: Which function checks the license. ( write the function name only)

2 Marks: When this function is run. ( Code and explain the sequence)

2 Marks: How the license key is checked? (What makes a valid license?) ( Code and explain the sequence)

Task 6: Initial patching

5 Marks Initial patching process:

2 Marks Generate an unpatched key to enable app (check value). ( Flag and explain the process)

3 Marks Patch the application to disable online license checks. ( Flag and explain the process)

Task 7: Secondary patching

5 Marks Secondary patching exploits:

2 Marks Patch the application to enable the advanced features. ( Flag and explain the process)

3 Marks Patch the application to remove reporting metrics. ( Code and explain the sequence)

Setup

You may use any Linux distro of your choice so long as you are able to run Ghidra. However, do not use the VM from the previous lab as it will not be able to run the coursework application.

Kali Vagrant The official Kali rolling release Vagrant machine can be installed as follows: For this machine, the username and password are both “vagrant” and this user is in the sudoers group. Create a directory on your host machine, then from the command line run the following commands:

vagrant init kalilinux/rolling vagrant up

Once the machine launches, give it a bit of time and you will be presented with a GUI login. Enter “vagrant” and “vagrant”. Then you can open a terminal in the new VM and install Ghidra.

go to settings in VirtualBox and adjust as needed (be sure to enable 3D acceleration under "display" options) double click the VM to launch it

sudo apt update

sudo apt install openjdk-17-jdk

wget https://github.com/NationalSecurityAgency/ghidra/releases/download/Ghidra_10.2.3

_build/ghidra_10.2.3_PUBLIC_20230208.zip unzip ghidra_10.2.3_PUBLIC_20230208.zip

cd ghidra_10.2.3_PUBLIC

./ghidraRun (wait for a second or two after running this command)

Kali for VirtualBox You can also get the official Kali release for VirtualBox, where both username and password are ’kali’.

https://cdimage.kali.org/kali-2023.3/kali-linux-2023.3-virtualbox-amd64.7z extract with 7zip

Double-click on the "Virtual machine definition" file (blue icon) go to settings in VirtualBox and adjust as needed (be sure to enable 3D acceleration under "display" options)

double click the VM to launch it sudo apt update

sudo apt install openjdk-17-jdk

wget https://github.com/NationalSecurityAgency/ghidra/releases/download/Ghidra_10.2.3

_build/ghidra_10.2.3_PUBLIC_20230208.zip unzip ghidra_10.2.3_PUBLIC_20230208.zip

cd ghidra_10.2.3_PUBLIC

./ghidraRun (wait for a second or two after running this command)

For other Kali install options, please see:

https://www.kali.org/get-kali/#kali-platforms Video guide: https://www.youtube.com/watch?v=Hu1Gs3Jqymw

Thereafter, open a web browser to download the application for this part your coursework.

Download the lab6 application from the following URL: https://git.soton.ac.uk/comp6236/lab6/-

/raw/master/lab6app.zip

Use Ghidra and a hex editor of your choice to reverse engineer the binary and complete the tasks instroduced under ”Tasks and marks breakdown.

You may find the following Assembly instruction reference useful: http://ref.x86asm.net/coder64.html

If you are unable to install Ghidra please ping google or any other site to check your network connection. You will have to close the VM and then change the network options of the VM (VirtualBox -> settings -> network).

FAQ

Question: I made an error in the submission, can I resubmit?

Answer: You can resubmit as many times as you want, until the coursework deadline.

Question: What do you mean by ( Code and explain the sequence ) ?

Answer: It depends on the question, if you want to copy the code and explain what the code does, then it’s fine. You will get some marks for explaining the obvious. However, in Q2 I used the keyword “when”. This means I am looking for the sequence of events in regard to the timeline. Another example, in Q3 When I used the keyword “how” then I am looking for the function/algorithm that is used to generate the key.

Question: How much code are we expected to add for these questions? Obviously, we could add the whole decompiled function, but for the example, I’ve found it in two areas and this would add a lot of source code to my answer. Any recommendations?

Answer: The code itself is not important. In the end, I don’t care how you present it. What is important your problem solving ability to answer the question. I care how you show me, “What you learned, Not what you can do”. (Hint: The use of Pseudo code is highly encouraged.)

Question: What do you mean by ( Flag and explain the sequence ) ?

Answer: Follow the same logic in the previous question. But, this has more weight, so here is a further breakdown

1 Mark: Just the flag.

1 Mark: How you did it.

1 Mark: Why it worked.

1 Mark: Other possible solutions.

1 Mark: What would have been a better implementation.

Please note: Although there is no marks for style, or grammar. If I can’t tell one category from another, I will award a mark for one and not both. For example, if I can’t distinguish between “How you did it” and “Why it worked” I will award 1 ma