M.I.T. DEPARTMENT OF EECS
|6.033 - Computer System Engineering||Buffer Overrun Hands-On Assignment|
Complete the following hands-on assignment. Do the activities described, and submit your solutions using the online submission site by 11:59p.
Before attempting this hands-on, you should read Beyond Stack Smashing: Recent Advances in Exploiting Buffer Overruns, which is also assigned for this recitation.
You should perform this hands-on using a Linux-based machine
athena.dialup.mit.edu is okay).
If you have trouble on a 64-bit Ubuntu system, installing libc6-dev-i386 may help.
Open two terminal windows: a top window for running a web server, and a bottom window for exploiting that web server.
In the top window, download and decompress stack.tgz.
top% wget http://web.mit.edu/6.033/www/assignments/stack.tgz top% tar xf stack.tgz top% cd stack top% make gcc -m32 -g -std=c99 -fno-stack-protector -Wall -D_GNU_SOURCE -c -o httpd.o httpd.c gcc -m32 -z execstack httpd.o -o httpd-ex gcc -m32 httpd.o -o httpd-nx gcc -m32 -c -o shellcode.o shellcode.S objcopy -S -O binary -j .text shellcode.o shellcode.bin top%You should get two web server binaries,
httpd-nx, and two incomplete exploit scripts,
exploit-nx.py. We will provide instructions to help you complete these exploit scripts.
httpd-ex web server in the top window.
top% ./run.sh setarch i386 -R ./httpd-ex Web server running at all-night-tool.mit.edu:4000Your web server may print a different address other than
all-night-tool.mit.edu:4000. In that case, replace all occurrences of
all-night-tool.mit.edu:4000with that printed address for the rest of this hands-on.
To test the web server,
open a web browser and type the URL
in the address bar.
If the web server is running,
you should see a “Grades” web page.
You can stop the web server at any time by pressing Ctrl+C in the
Again, if you saw a different web server address printed in the top window, use that address in the browser. Note that the address (especially the port number like 4000) may change every time you start the web server.
You can also view the web page via a command-line program called
Keep the web server running in the top window.
Run the following command in the bottom window.
bottom% curl http://all-night-tool.mit.edu:4000/app.py <h1>Grades</h1> <pre> Ben Bitdiddle F Alice Jones A </pre>
The web server and clients (e.g., your browser and
communicate using the HTTP protocol.
Here is a
of the HTTP protocol.
If you want to observe the details of HTTP requests and responses,
bottom% curl -v http://all-night-tool.mit.edu:4000/app.py * About to connect() to all-night-tool.mit.edu port 4000 (#0) * Trying 188.8.131.52... connected > GET /app.py HTTP/1.1 > User-Agent: curl/7.22.0 ... > Host: all-night-tool.mit.edu:4000 > Accept: */* > * HTTP 1.0, assume close after body < HTTP/1.0 200 OK < Content-Type: text/html < <h1>Grades</h1> <pre> Ben Bitdiddle F Alice Jones A </pre> * Closing connection #0
Ben Bitdiddle is unhappy with the grades.
He discovers that the content of the “Grades” web page is
loaded from a file named
grades.txt on the TA's web server.
Ben then decides to remove this
Since he doesn't have write access to the TA's web server,
Ben tries to send malicious HTTP requests over the network,
which will trick the web server into removing that file.
Your goal is to “help” Ben in this hands-on.
Ben's TA first runs the
httpd-ex web server.
httpd-ex binary has an executable stack,
which makes it easier to inject executable code into the web server.
The goal of the injected code is to remove
grades.txt on the server.
httpd-ex web server in the top window
and keep it running there.
top% ./run.sh setarch i386 -R ./httpd-ex Web server running at all-night-tool.mit.edu:4000Here
grades.txtfile every time it starts.
We have provided a modified version of Aleph One's shell code in
shellcode.S for injection.
shellcode.S in an editor.
What system call(s) does
shellcode.S invoke to remove the
When you run
a compiled version of the shell code.
We will use
exploit-ex.py to inject
into the web server using a malicious HTTP request.
exploit-ex.py sends malicious HTTP requests
to the web server and
exploits buffer overruns in the function
When executing this function, the stack looks like follows:
+------------------+ | ... | +------------------+ | return address | (4 bytes) +------------------+ ebp ------> | saved %ebp | (4 bytes) +------------------+ | ... | +------------------+ | reqpath | | ... | reqpath ------> | reqpath | +------------------+Normally, before calling the function
process_client, the return address is pushed onto the stack (right above
ebp). The local variables of
httpd.c:162) are below
ebp. When the function exits, the control flow jumps to the return address saved on the stack.
Unfortunately, the web server doesn't check the length when filling
up the buffer
reqpath with a user-provided URL.
In other words, Ben can use a very long URL to trick the web server
into writing memory beyond
Basically, the code injection in
consists of three parts:
reqpath, from bottom to top;
process_clientreturns, the control flow is hijacked to execute the injected code in
To make the exploit work, you need the values of
To get these values,
either visit the web server using your browser,
curl in the bottom window.
bottom% curl http://all-night-tool.mit.edu:4000/app.pyYou should find the values of
ebpprinted in the top window.
exploit-ex.py and fill in the values of
ebp (marked as “FIXME”).
After that, run the exploit in the bottom window.
bottom% ./exploit-ex.py all-night-tool.mit.edu:4000 HTTP request: GET %EB%1B%5E%89...grades.txtxxx...xxx%XX%YY%ZZ%WW HTTP/1.0 Connecting to all-night-tool.mit.edu:4000... Connected, sending request... Request sent, waiting for reply... Received reply. HTTP response: ... bottom%
You should find a long string in the GET line (i.e., the second line in
the output), in the form
GET long-string HTTP/1.0.
This long string is a malicious URL you crafted to help Ben remove
Write down this malicious URL for answering the next question.
Now verify that
grades.txt has been successfully removed,
cat you practiced in the
You can also refresh your browser or re-run
curl in the
This time you should see an error message.
bottom% curl http://all-night-tool.mit.edu:4000/app.py ... IOError: [Errno 2] No such file or directory: 'grades.txt' ...
Explain the malicious URL you wrote down earlier.
The URL consists of three parts:
the first part starts with
%EB%1B%5E%89 and ends with
the second part is a list of "x"s,
after which you should see the third part in the form
Where does each part come from?
Ben's TA notices this attack and upgrades the web server to use
the stack of which is not executable anymore.
Press Ctrl+C in the top window to stop any running web server,
and start the new
httpd-nx web server.
top% ./run.sh setarch i386 -R ./httpd-nx Web server running at all-night-tool.mit.edu:4000
Save a copy of your
http-nx prints different values of
exploit-ex.py with the new values.
exploit-ex.py in the bottom window.
Is your exploit script able to remove
this time? Why or why not?
As the TA deploys
Ben tries to implement a new exploit method called arc injection
(also known as return-to-libc)
This exploit script requires no shell code.
The basic idea is to hijack the return address to execute an
existing function to remove
Ben hasn't completed the exploit script
In addition to
the exploit also needs the address of the
Help Ben fill in the three values marked as
You can observe these values from the output of
httpd-nx in the
top window, either using your browser or by running
curl in the bottom window.
bottom% curl http://all-night-tool.mit.edu:4000/app.pyAfter completing
exploit-nx.py, run it in the bottom window.
bottom% ./exploit-nx.py all-night-tool.mit.edu:4000Verify that this exploit has successfully removed
exploit-nx.py you wrote to
httpd-nx into removing
When executing the function
the stack is shown as the following diagram.
What are the values at the return address and P
after a successful exploit?
Hint: you can find these values in
+------------------+ | ... | +------------------+ | fname | | ... | | fname | +------------------+ | P | (4 bytes) +------------------+ beef ------> | 0xdeadbeef | (4 bytes) +------------------+ | return address | (4 bytes) +------------------+ ebp ------> | saved %ebp | (4 bytes) +------------------+ | ... | +------------------+ | reqpath | | ... | reqpath ------> | reqpath | +------------------+
Linux, as well as many other operating systems, employs
address space layout randomization (ASLR)
to enhance security. To observe ASLR,
start the web server without
top% ./run.sh ./httpd-nx Web server running at all-night-tool.mit.edu:4000 bottom% curl http://all-night-tool.mit.edu:4000/app.pyPress Ctrl+C in the top window to stop the web server. Write down the values of
ebpshown in the top window. Now repeat the above commands in both windows: restart the web server in the top window, and re-run
curlin the bottom window.
Do the values of
in the top window after restarting the web server?
Does the difference “
If you observe any changes, do you think these changes make your exploit
harder to succeed or not? Why?
The web server has other vulnerabilities.
For example, the
/etc/passwd file often contains sensitive
user information and should not be exposed to the network.
However, with a running
httpd-nx web server,
Ben can access that file remotely using a crafted URL.
top% ./run.sh ./httpd-nx Web server running at all-night-tool.mit.edu:4000 bottom% curl http://all-night-tool.mit.edu:4000/[MAGIC-PATH]/etc/passwd
Fill in the
MAGIC-PATH part and complete the URL for
retrieving the server's
Can you use the same URL in your browser to access that file?
Hint: if you're working on the athena cluster or using a somewhat newer
version of curl (>= v7.32), you probably have to encode your URL to get this exploit to
When done, submit your answers to the questions and your source code for
exploit-nx.py to the
online submission site.
Question 7 (optional):
grades.txt doesn't really help Ben Bitdiddle.
Ben decides to raise his grade to an A from an F by exploiting
httpd-nx web server.
Can you modify
exploit-nx.py to help Ben achieve this goal?
Hint: you may find the
sed command (with the
-i option) useful.
Question 8 (optional): Ben's TA discovers some strange entries in the system log, by running the following command in the top window.
top% dmesg -T | grep httpd-nx [Mon Apr 15 10:10:10 2013] httpd-nx: segfault at deadbeef ... error 14Every time Ben runs
httpd-nxprocess crashes, and the system adds one such segfault entry to the log. Can you improve
exploit-nx.pyto avoid such entries (i.e., do not crash
httpd-nx)? Hint: fix the “beef” value.
In real world, it's trickier to make your exploits work.
web servers don't give away critical information (e.g., the values of
Also, many techniques
have been deployed to defend against buffer overruns.
If you want to learn more about systems security,
|Go to 6.033 Home Page|