ELEC5616 Computer & Network Security – 2025-S1
Project 2: Common Vulnerabilities
Due Date: Friday 30th May 2025 11:59pm (Week 13)

Marking
• You are to work on this assignment in groups of 2.
• Answer the questions below in no more than four pages; concise answers are good answers. Diagrams are INCLUDED in the page limit.
• A typed PDF assignment must be submitted to Canvas.
• Late submissions will receive a penalty of 5% per calendar day (of the maximum mark).
• You must be able to demonstrate the practical component of Savegames (1.1, parts 1 and 4) and SQL Exploits (2, part 1) during your tutorial class in Week 13 to demonstrate your understanding.
• Ensure any code and/or solutions employed are included in a legible and well-documented fashion.
• The report is worth 15% and the demonstration 5% of your final grade.

Toggling ASLR on the Linux lab machine (commands as given in the brief; 2 is the kernel's full-randomisation setting):
Disable: echo 0 | sudo tee /proc/sys/kernel/randomize_va_space
Enable:  echo 2 | sudo tee /proc/sys/kernel/randomize_va_space

Task 1: Low Level Exploits [11 Marks]

1.1 Savegames [6 Marks]
Jimmy is becoming increasingly frustrated at the computer game he's playing. He has a save right before the level's boss, but he needs either more health or more gold in order to win. The game is loaded from a normal file on disk, but the health and gold are encrypted in some complicated fashion. The character's name is not, however.
1. Set the character's gold or health to a number equal to the last four digits of your unikey (or the unikey of one of your group members) by utilising a buffer overflow. How did you achieve this? Explain, with reference to bytes and ASCII, what the exact value was that you achieved. If you could not perform this task, please explain why and you will be tasked to set gold to 8999. [2.5 marks]
2. How could this exploit be prevented? [0.5 mark]
3. Could this exploit be useful for more than just the game? Could it be used to gain access to a system? If not, why not? If so, where might it be used? [0.5 mark]

Jimmy is interested in speed running, and feels that there might be a faster way to beat the game by using the name field of his character. Jump to the secret function and beat the game!
4. Show how Jimmy can jump to the secret function and beat the game. [2 marks]
5. What is ASLR, and why is it useful? [0.5 mark]

1.2 iCubeKinect [3 Marks]
The source code for the (fictional) iCubeKinect system is provided to you. The operation of the system is intentionally vague and it is up to you to interpret how the system works. If you can see multiple ways in which the system could work, you should state these assumptions in your report and discuss the ramifications of each.
1. Why does the iCubeKinect system use an asymmetric cipher to verify their DVD games? Would it be possible to use a symmetric cipher instead? [0.5 mark]
2. What problem exists in the iCubeKinect verification code? How could you make the machine execute any arbitrary DVD [1]? [2 marks]
3. How would you fix it? Would the security vulnerability be made less serious by using either a stronger hashing scheme (such as SHA-512) or a different asymmetric cipher? [0.5 mark]

[1] You may assume there are thousands of legitimate game / cert pairs to use to assist you.

1.3 General Questions [2 Marks]
1. Why is it necessary for us to provide the flag -fno-stack-protector to GCC (for task 1.1)? What is a canary in terms of a buffer overflow, and how can a canary prevent a buffer overflow exploit? [1 mark]
2. Imagine you were exploiting a program that was running with escalated privileges (i.e. it could read sensitive files, modify other users' settings and so on) – is it possible to obtain a BASH shell using buffer overflows? Be sure to explain what shellcode is and how the shellcode is executed [2]. [1 mark]

[2] The traditional introduction to this topic is "Smashing the Stack for Fun and Profit".

Task 2: SQL Exploits [4 Marks]
Please set up a SQLite database locally to execute the queries.
1. Show how it is possible to log in as any user by performing an SQL injection attack on the username/password login page. [1 mark]
2. The website has been clued in on their major security problem and prevented the previous attack. Is it possible to use the status query to work out the password of one of the administrators, Bobby [3]? [1 mark]
3. How can these attacks be prevented? Is it a difficult security problem to fix? Why is it so common? [1 mark]
4. Is an SQL injection vulnerability more or less severe than a buffer overflow exploit? Justify your reasoning. [1 mark]

[3] SQLite (the database in use here) doesn't allow multiple SQL statements to be executed in a single execute query – consider using substr and subqueries.
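The prevention asked about in question 3, as an added illustration that is not part of the assignment's materials: a login query built by string concatenation beside the parameterised version, run against a constructed in-memory SQLite table (the users table, its columns and its rows are assumptions, not the website's schema).

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    # Constructed sample data standing in for the website's user table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "hunter2"), ("Bobby", "s3cret")])
    return conn

def login_vulnerable(conn, username, password):
    # String concatenation: the user's text becomes part of the SQL itself,
    # so a quote character in the input changes the structure of the query.
    query = ("SELECT username FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None

def login_parameterised(conn, username, password):
    # Placeholders: values travel to SQLite separately from the statement,
    # so the input is always treated as data and never as SQL.
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password)).fetchone()
    return row[0] if row else None

def demonstrate():
    # Feed the same quote-containing password to both paths; returns the
    # username each one "authenticates", or None when the login is refused.
    conn = make_db()
    quoted = "' OR '1'='1"  # textbook input that closes the string literal early
    return (login_vulnerable(conn, "nobody", quoted),
            login_parameterised(conn, "nobody", quoted))
```

The concatenated query degenerates to `... AND password = '' OR '1'='1'`, which matches every row; the parameterised query simply looks for a user called "nobody" with that literal password and finds none.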