COMP6236 2023
Assignment 2: Buffer Overflow Attacks and Software Hijacking
This assignment is divided into two parts. Part one is on buffer overflow attacks, which
are based on Lab 1. You will be assessed on your ability to successfully exploit buffer
overflows and other vulnerabilities and explain your methodology. Part two is on software
hijacking, based on Lab 3 and will assess your ability to carry out the successful exploitation
of software. The assignment is an individual assignment and is worth 30% of the module
marking in total.
Notes
The following notes are intended to highlight some common “gotchas”.
1. Remember that Metasploit’s pattern_create can be set to a length of your choice and does not have
to be 100.
2. If you get stuck, try consulting the man page for the tools you are using.
3. If an exploit seems to work but closes out immediately instead of giving you a shell, remember
that both “cat” and “/bin/sh” can be forced to remain open. Have a look at their man pages (by
running “man cat” and “man sh”).
4. Remember that if you are counting characters including hex values, then the “\x” should be omitted
from the count.
5. You might want to increase the memory allocation to your VM when running Ghidra (VirtualBox
-> settings -> system).
6. Remember that in Ghidra you can search for functions under the Symbol tree to the left, but you
can also click the search option at the top and then select to search for other things, such as strings.
7. The application you have to compromise in part 2 will have multiple popups coming up to
communicate both flags and errors, with more than one coming at a time. So please do not close down
the application as soon as you get a popup but instead wait a few seconds.
8. Part 2 has more than one flag, so please read all the information displayed by the application on
every popup and in the main window as these may change after you patched something.
9. In the settings tab for your VM, find the advanced section (settings -> general -> advanced) and
then enable shared clipboard for “host to virtual machine”. This will allow you to type commands
on your host system and then copy them over to the VM.
Submission Instructions
Please use the template provided and submit using Turnitin on the module blackboard page at this link.
(You should be able to see the “Assignments” tab on the left panel)
Deadline
The coursework deadline is on 28-04-2023 at 16:00. Note that late submissions will be penalised using
the standard University rules (10% per working day) and that no work will be accepted that is more
than five days late.
Purpose of this coursework
The coursework maps to the following aims and objectives of COMP6236:
Knowledge and Understanding
A2. Software analysis
A3. Reverse Engineering of Software
Subject-specific Intellectual and Research Skills
B1. Describe specific methods for exploiting software systems
Subject-specific Practical Skills
D1. Identify security weaknesses in software systems and applications
D2. Undertake basic reverse engineering of software
Academic Integrity
This coursework is an individual piece of work and the usual rules regarding individual coursework and
academic integrity apply. In particular, please note the University Academic Integrity Regulations. All
the reports will be checked for plagiarism by scanning them in Turnitin.
Marking Criteria
Your submission will be marked out of 35 and then rescaled to a mark out of 30. The following criteria
will be used.
Part 1
  Criteria: Ability to identify and exploit the vulnerabilities introduced during main lectures and labs,
  such as buffer overflows.
  Marking scheme: Up to 20 marks, awarded based on (i) how many flags are correctly retrieved and
  (ii) the correctness and completeness of the description about vulnerabilities and exploits.
Part 2
  Criteria: Ability to decompile, reverse engineer and patch a given application.
  Marking scheme: Up to 15 marks, awarded based on (i) how many flags are correctly retrieved and
  (ii) the correctness and completeness of the description about each process in the licence-checking
  function.
Marks calculation
  This coursework counts for 30% of the module mark. It has a total of 35 points available which are
  then rescaled to a mark out of 30.
File format
  Submitted file is in PDF format, the report is compliant with the provided template. If the format
  is not PDF, a 5 marks penalty will be applied. If the report is corrupted or cannot be opened,
  0 mark will be awarded for the coursework.
Part 1
Setup
As in Lab 3, we will have to use an OVA image. Please download the VM from here, and import it into
VirtualBox. To import the OVA, first open VirtualBox, then hit “CTRL + I” or select “Import Appliance”
from the “File” menu (top left). Then click next and follow the installation procedure. Thereafter please
check the following before launching the VM:
VirtualBox 6 and earlier - Most university machines
1. Once the machine is imported, single-click on it in VirtualBox and then to the right go to
“Networking” and select “Bridged Adapter”.
2. Wait for the VM to boot, and on boot login with User: info and Password: info to see the current
IP address printed.
VirtualBox 7
1. You need to go File → Tools → Network Manager and make a host network if one doesn’t exist
already.
2. Make sure DHCP enabled is ticked as illustrated in Figure 1 or the VM will hang at boot forever.
3. Then go to VM network settings and check it’s set to that host-only network, and specify the
network you created or the one that exists.
4. Wait for the VM to boot, and on boot login with User: info and Password: info to see the current
IP address printed.
Troubleshooting: If, after successfully importing it, the VM fails to launch with a networking error,
just go to networking settings and change the option to one not already selected.
Figure 1: DHCP enabled
Marks Breakdown
This Lab contains 4 flags. Once you complete each challenge, you will need to submit your flag alongside
a step-by-step guide of how you found it on the marking form.
The marks for this are broken down as follows:
1 Mark: For each flag.
4 Marks: For your step-by-step guide on how you completed the challenge, consisting of:
  1 Mark: For clarity of your description.
  1 Mark: For identifying and deploying an appropriate exploit.
  2 Marks: For the process you used and the troubleshooting and problem-solving you performed.
Ultimately, the aim of the step-by-step guide is to provide the marker with evidence that you have an
in-depth understanding of the task at hand. The more creative your guide, the better.
Task 1 - Authentication Please
Go to the IP address of your VM in a web browser to open the first challenge. For example
http://192.168.56.101/
Buffer overflow this login system to get to the next task.
Look around the page for clues to help you. Everything you need is there!
When you complete this challenge, you will be given a flag and login details for the next challenge.
Task 2 - Return to win
Login as Task 2 using the credentials you were given at the end of the last challenge.
The challenge2 binary is setuid and compiled with an executable stack.
Buffer overflow the binary to become the task2-win user.
Read flag2.txt to obtain your flag and proceed to the next challenge.
Task 3 - Shellcoding
Login as Task 3 using credentials from the previous task.
The challenge3 binary is setuid and compiled with an executable stack.
Buffer overflow the binary by injecting and returning to some shellcode to become the task3-win user.
Read flag3.txt to obtain your flag and proceed to the next challenge.
Task 4 - Root shell through Ret2Libc
Login as Task 4 using the credentials you got from the previous task.
The challenge4 binary is setuid but does not have an executable stack.
Using the ret2libc technique covered in Lab 1, buffer overflow the binary to become root.
Read flag4.txt to obtain your flag.
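Tasks 2 to 4 hinge on two properties of each challenge binary: whether it is setuid and whether its stack is executable. Both can be read directly from the file rather than guessed, which is also how a defender audits a build for a missing NX stack. The following Python script is an added example and is not part of the assignment or the challenge VM: it parses the ELF64 program headers for the PT_GNU_STACK entry that the linker uses to record the intended stack permissions, and checks the setuid bit of a stat mode. The challenge binaries are not available here, so the script builds a constructed, non-loadable minimal ELF image just to exercise the parser; on the VM you would pass it the bytes of challenge2 to challenge4 instead.

```python
import stat
import struct

# ELF constants from the ELF specification and the Linux ABI.
ELF_MAGIC = b"\x7fELF"
ELFCLASS64 = 2
ELFDATA2LSB = 1
PT_GNU_STACK = 0x6474E551
PF_X = 0x1
PF_W = 0x2
PF_R = 0x4


def program_headers(data: bytes):
    """Yield (p_type, p_flags) for every program header of a little-endian ELF64 image."""
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    if data[4] != ELFCLASS64 or data[5] != ELFDATA2LSB:
        raise ValueError("only little-endian ELF64 is handled by this example")
    # e_phoff sits at offset 32 (8 bytes); e_phentsize at 54 and e_phnum at 56 (2 bytes each).
    (e_phoff,) = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
        yield p_type, p_flags


def stack_is_executable(data: bytes) -> bool:
    """True if the kernel will map this binary's stack executable.

    The PT_GNU_STACK entry carries the stack permissions the linker asked for
    (-z execstack sets PF_X). If the entry is absent the kernel applies its
    legacy default of an executable stack, so that case is reported as True.
    """
    for p_type, p_flags in program_headers(data):
        if p_type == PT_GNU_STACK:
            return bool(p_flags & PF_X)
    return True


def is_setuid(mode: int) -> bool:
    """True if an st_mode value (e.g. os.stat(path).st_mode) carries the setuid bit."""
    return bool(mode & stat.S_ISUID)


def build_sample_elf(exec_stack: bool, with_gnu_stack: bool = True) -> bytes:
    """Constructed sample: a minimal ELF64 header followed by one PT_GNU_STACK entry.

    This is not a runnable program, only enough structure for the parser above.
    """
    ehdr_size, phdr_size = 64, 56
    flags = PF_R | PF_W | (PF_X if exec_stack else 0)
    phnum = 1 if with_gnu_stack else 0
    ident = ELF_MAGIC + bytes([ELFCLASS64, ELFDATA2LSB, 1, 0]) + b"\x00" * 8
    ehdr = ident + struct.pack(
        "<HHIQQQIHHHHHH",
        2,           # e_type: ET_EXEC
        0x3E,        # e_machine: x86-64
        1,           # e_version
        0x401000,    # e_entry (arbitrary for the sample)
        ehdr_size,   # e_phoff: program headers directly follow the ELF header
        0,           # e_shoff: no section headers in this sample
        0,           # e_flags
        ehdr_size, phdr_size, phnum,
        0, 0, 0,     # e_shentsize, e_shnum, e_shstrndx
    )
    phdr = struct.pack("<IIQQQQQQ", PT_GNU_STACK, flags, 0, 0, 0, 0, 0, 0x10)
    return ehdr + (phdr if with_gnu_stack else b"")


if __name__ == "__main__":
    samples = [
        ("PT_GNU_STACK with PF_X", build_sample_elf(True)),
        ("PT_GNU_STACK without PF_X", build_sample_elf(False)),
        ("no PT_GNU_STACK entry", build_sample_elf(False, with_gnu_stack=False)),
    ]
    for name, image in samples:
        print(f"{name}: executable stack = {stack_is_executable(image)}")
    print("mode 04755 setuid:", is_setuid(0o4755), " mode 0755 setuid:", is_setuid(0o755))
```

On a real file, `stack_is_executable(open(path, "rb").read())` together with `is_setuid(os.stat(path).st_mode)` gives the same answer as `readelf -l` and `ls -l`, and the distinction it reports is exactly the one that separates the shellcode tasks (executable stack) from the ret2libc task (non-executable stack).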
Submit flags and Methodology
Follow the submission instructions above to submit the flags you found with a step-by-step guide of how
you found them.
Part 2
Task 5: Decompile the application
5 Marks Decompile the application and figure out:
1 Mark: Which function checks the license. (Write the function name only.)
2 Marks: When this function is run. (Code and explain the sequence.)
2 Marks: How the license key is checked, i.e. what makes a valid license. (Code and explain the
sequence.)
Task 6: Initial patching
5 Marks Initial patching process:
2 Marks: Generate an unpatched key to enable the app (check value). (Flag and explain the process.)
3 Marks: Patch the application to disable online license checks. (Flag and explain the process.)
Task 7: Secondary patching
5 Marks Secondary patching exploits:
2 Marks: Patch the application to enable the advanced features. (Flag and explain the process.)
3 Marks: Patch the application to remove reporting metrics. (Code and explain the sequence.)
Setup
You may use any Linux distro of your choice so long as you are able to run Ghidra. However, do not
use the VM from the previous lab as it will not be able to run the assignment application.
Kali Vagrant The official Kali rolling release Vagrant machine can be installed as follows. For this
machine, the username and password are both “vagrant” and this user is in the sudoers group.
Create a directory on your host machine, then from the command line run the following commands:
vagrant init kalilinux/rolling
vagrant up
Once the machine launches, give it a bit of time and you will be presented with a GUI login. Enter
“vagrant” and “vagrant”. Then you can open a terminal in the new VM and install Ghidra.
go to settings in VirtualBox and adjust as needed (be sure to enable 3D acceleration
under "display" options)
double click the VM to launch it
sudo apt update
sudo apt install openjdk-17-jdk
wget https://github.com/NationalSecurityAgency/ghidra/releases/download/Ghidra_10.2.3_build/ghidra_10.2.3_PUBLIC_20230208.zip
unzip ghidra_10.2.3_PUBLIC_20230208.zip
cd ghidra_10.2.3_PUBLIC
./ghidraRun (wait for a second or two after running this command)
Kali for VirtualBox You can also get the official Kali release for VirtualBox, where both username
and password are “kali”.
https://cdimage.kali.org/kali-2023.1/kali-linux-2023.1-virtualbox-amd64.7z
extract with 7zip
Double-click on the "Virtual machine definition" file (blue icon)
go to settings in VirtualBox and adjust as needed (be sure to enable 3D acceleration
under "display" options)
double click the VM to launch it
sudo apt update
sudo apt install openjdk-17-jdk
wget https://github.com/NationalSecurityAgency/ghidra/releases/download/Ghidra_10.2.3_build/ghidra_10.2.3_PUBLIC_20230208.zip
unzip ghidra_10.2.3_PUBLIC_20230208.zip
cd ghidra_10.2.3_PUBLIC
./ghidraRun (wait for a second or two after running this command)
For other Kali install options, please see:
https://www.kali.org/get-kali/#kali-platforms
Video guide: https://www.youtube.com/watch?v=Hu1Gs3Jqymw
Thereafter, open a web browser to download the application for this part your assignment.
Download the lab6 application from the following URL: https://git.soton.ac.uk/comp6236/lab6/-/raw/master/lab6-app.zip
Use Ghidra and a hex editor of your choice to reverse engineer the binary and complete the tasks
introduced under “Tasks and marks breakdown”.
You may find the following Assembly instruction reference useful: http://ref.x86asm.net/coder64.html
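When you write up a hex-editor patch for Tasks 6 and 7 (“explain the process”), the marker needs the exact file offsets and the bytes before and after, and you need a way to confirm that nothing else in the file changed. The Python script below is an added example and is not part of the assignment materials or the lab6 application: it compares the image of an unpatched file with the patched one, groups the changed bytes into contiguous runs, refuses to diff images of different sizes (an in-place hex edit must not change the length), and records both SHA-256 hashes so the report is verifiable. The two byte strings used as input are constructed here; on a real patch you would read the original and patched binaries from disk.

```python
import hashlib
from typing import List, Tuple


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a file image, for recording which exact files were compared."""
    return hashlib.sha256(data).hexdigest()


def diff_runs(original: bytes, patched: bytes) -> List[Tuple[int, bytes, bytes]]:
    """Return each contiguous run of changed bytes as (offset, old_bytes, new_bytes).

    An in-place hex edit keeps the file size, so a length mismatch is an error
    rather than something to diff silently (it usually means the wrong file).
    """
    if len(original) != len(patched):
        raise ValueError(f"size changed: {len(original)} -> {len(patched)} bytes")
    runs = []
    start = None  # offset where the current run of differences began
    for i, (a, b) in enumerate(zip(original, patched)):
        if a != b and start is None:
            start = i
        elif a == b and start is not None:
            runs.append((start, original[start:i], patched[start:i]))
            start = None
    if start is not None:  # a run that extends to the last byte of the file
        runs.append((start, original[start:], patched[start:]))
    return runs


def hexdump(data: bytes) -> str:
    return " ".join(f"{b:02x}" for b in data)


def describe(original: bytes, patched: bytes) -> List[str]:
    """Human-readable patch record: hashes first, then one line per changed run."""
    lines = [
        f"original sha256: {sha256_hex(original)}",
        f"patched  sha256: {sha256_hex(patched)}",
    ]
    for offset, old, new in diff_runs(original, patched):
        lines.append(f"offset 0x{offset:08x}: {hexdump(old)} -> {hexdump(new)} ({len(old)} bytes)")
    return lines


# Constructed sample input: 32 bytes 0x10..0x2f, then two separate edits applied to a copy.
ORIGINAL = bytes(range(0x10, 0x30))
_patched = bytearray(ORIGINAL)
_patched[4:6] = b"\x00\x00"  # two-byte change at offset 4
_patched[20] = 0xFF          # one-byte change at offset 20
PATCHED = bytes(_patched)


if __name__ == "__main__":
    for line in describe(ORIGINAL, PATCHED):
        print(line)
```

Pasting the output of `describe` into the report gives the marker the offsets to verify and lets you re-check later that a second patch (Task 7) did not disturb the first one.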
If you are unable to install Ghidra please ping google or any other site to check your network connection.
You will have to close the VM and then change the network options of the VM (VirtualBox -> settings
-> network).
FAQ
Question: I made an error in the submission, can I resubmit?
Answer: You can resubmit as many times as you want, until the assignment deadline.
Question: What do you mean by ( Code and explain the sequence ) ?
Answer: It depends on the question, if you want to copy the code and explain what the code does, then
it’s fine. You will get some marks for explaining the obvious. However, in Task 5 (q2) I used the
keyword “when”. This means I am looking for the sequence of events in regard to the timeline.
Question: How much code are we expected to add for these questions? Obviously, we could add the
whole decompiled function, but for the example, I’ve found it in two areas and this would add a
lot of source code to my answer. Any recommendations?
Answer: The code itself is not important. In the end, I don’t care how you present it. What is important
is your problem-solving ability to answer the question. I care how you show me, “What you learned,
not what you can do”. (Hint: The use of pseudocode is highly encouraged.)
Question: What do you mean by ( Flag and explain the sequence ) ?
Answer: Follow the same logic in the previous question. But, this has more weight, so here is a further
breakdown
1 Mark: Just the flag.
1 Mark: How you did it.
1 Mark: Why it worked.
1 Mark: Other possible solutions.
1 Mark: What would have been a better implementation.
Please note: Although there are no marks for style or grammar, if I can’t tell one category from another,
I will award a mark for one and not both. For example, if I can’t distinguish between “How you
did it” and “Why it worked” I will award 1 mark for both.
Suggestion: You can use spaces, new lines and headings. For example (===Why it worked===)

