
COMP6236 v1: April 27, 2022 Assignment: Buffer Overflow Attacks and Software Hijacking 

This assignment is an individual assignment, is worth 30% of the module mark in total, and is divided into three parts.

Submission Instructions

Please use the template provided and submit using Turnitin on the module Blackboard page.

Deadline

The assignment deadline is 12-05-2022 at 18:00.

Purpose of this assignment

The assignment is designed to have a balance between knowledge and application. It maps to the following aims and objectives of COMP6236.

Subject Specific Practical Skills
D1. Identify security weaknesses in software systems and applications
D2. Undertake basic reverse engineering of software

Knowledge and Understanding
A1. Common issues affecting the security of software systems
A2. Software analysis
A3. Reverse engineering of software

Transferable and Generic Skills
C1. Recognise software vulnerabilities and protection in a range of application domains

Subject Specific Intellectual and Research Skills
B1. Describe specific methods for exploiting software systems

Part 1

This part is on buffer overflow attacks and is based on Lab 1. You will be assessed on your ability to successfully exploit a buffer overflow. This part contains 4 flags. Once you complete each challenge, you will need to submit your flag, the entry point and the exploit you used. The marks for this part are broken down as follows:
1 Mark: for each flag.
1 Mark: for explaining each entry point.
1 Mark: for each exploit.
Part one is worth 12% of the module mark.

Setup

Unlike the previous lab setup, this time we will have to use an OVA image. Please download the VM from here, and import it into VirtualBox.
1. Go to File → Host Network Manager and create a host-only network if one doesn't exist already.
2. Make sure "DHCP enabled" is ticked, as illustrated in Figure 1, or the VM will hang at boot forever.
3. Then go to the VM's network settings, check that the adapter is set to host-only, and select the network you created or the one that already exists.
4. Wait for the VM to boot, and on boot log in with User: info and Password: info to see the current IP address printed.

Figure 1: DHCP enabled

Task 1 - Authentication

Go to the IP address of your VM in a web browser to open the first challenge, for example http://192.168.56.101/. Buffer overflow this login system to get to the next task. Look around the page for clues to help you. Everything you need is there! When you complete this challenge, you will be given a flag and login details for the next challenge.

Task 2 - Return to win

Log in as Task 2 using the credentials you were given at the end of the last challenge. You can log in over SSH by typing ssh [email protected] into a terminal or by using PuTTY. The challenge2 binary is setuid and compiled with an executable stack. Buffer overflow the binary to become the task2-win user. Read flag2.txt to obtain your flag and proceed to the next challenge.

Task 3 - Shellcoding

Log in as Task 3 using the credentials from the previous task. The challenge3 binary is setuid and compiled with an executable stack. Buffer overflow the binary by injecting and returning to some shellcode to become the task3-win user. Read flag3.txt to obtain your flag and proceed to the next challenge.

Task 4 - Root shell through Ret2Libc

Log in as Task 4 using the credentials you got from the previous task. The challenge4 binary is setuid but does not have an executable stack. Using the ret2libc technique covered in Lab 1, buffer overflow the binary to become root. Read flag4.txt to obtain your flag.

Part 2

This part is on software hijacking and is based on Lab 3. You will be assessed on your ability to carry out a successful exploitation of the software. The marks for this part are broken down as follows:
1 Mark: Which function checks the license? (Write the function name only and submit this as your flag.)
1 Mark: Generate an unpatched key to enable the app (check value). (Flag)
1 Mark: Patch the application to disable online license checks. (Flag)
1 Mark: Patch the application to enable the advanced features. (Flag)
4 Marks: Patch the application to remove reporting metrics. (Patch code and explain the sequence.)
Part two is worth 8% of the module mark.

Setup

You may use any Linux distro of your choice so long as you are able to run Ghidra. Our preferred solution is the official Kali rolling release Vagrant machine. For this machine the username and password are both "vagrant", and this user is in the sudoers group. Create a directory on your host machine, then from the command line run the following commands:
vagrant init kalilinux/rolling
vagrant up
Once the machine launches, give it a bit of time and you will be presented with a GUI login. Enter "vagrant" and "vagrant". Then you can open a terminal in the new VM and install Ghidra:
sudo apt install ghidra
Thereafter, open a web browser to download the application for this part of your assignment. Download the lab6 application from the following URL: https://git.soton.ac.uk/comp6236/lab6/-/raw/master/lab6-app.zip
Use Ghidra and a hex editor of your choice to reverse engineer the binary and complete the steps above. You may find the following assembly instruction reference useful: http://ref.x86asm.net/coder64.html
If you are unable to install Ghidra, ping google or any other site to check your network connection. You will have to close the VM and then change the network options of the VM (VirtualBox -> Settings -> Network).

Part 3

Although this part is also based on buffer overflow attacks, it is meant to assess your overall understanding of secure coding. In this part you will be assessed on your ability to write a C program and exploit a piece of code. The marks for this part are broken down as follows:
5 Marks: for the code
5 Marks: for the exploit
Part three is worth 10% of the module mark.

Notes

The following notes are intended to highlight some common "gotchas".
1. You can resubmit as many times as you want, until the assignment deadline.
2. Remember that Metasploit's pattern_create can be set to a length of your choice and does not have to be 100.
3. If you get stuck, try consulting the man page for the tools you are using.
4. If an exploit seems to work but closes out immediately instead of giving you a shell, remember that both "cat" and "/bin/sh" can be forced to remain open. Have a look at their man pages (by running "man cat" and "man sh").
5. Remember that if you are counting characters including hex values, then the "\x" should be omitted from the count.
6. You might want to increase the memory allocation of your VM when running Ghidra (VirtualBox -> Settings -> System).
7. Remember that in Ghidra you can search for functions under the Symbol Tree to the left, but you can also click the Search option at the top and then select to search for other things, such as strings.
8. The application you have to compromise in Part 2 will have multiple popups coming up to communicate both flags and errors, with more than one coming at a time. So please do not close the application as soon as you get a popup, but instead wait a few seconds.
9. Part 2 has more than one flag, so please read all the information displayed by the application on every popup and in the main window, as these may change after you have patched something.
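Tasks 2 to 4 above turn on two properties of the challenge binaries: whether they are setuid and whether their stack is mapped executable. The following Python script is added here as an illustration of how those two properties can be read straight from a binary (it is not part of the assignment or its VM); it parses the ELF64 program headers for the PT_GNU_STACK entry and checks the setuid mode bit, and the sample images it inspects are constructed inline rather than taken from the challenge machine.

```python
import os
import stat
import struct

PT_GNU_STACK = 0x6474E551           # program-header type carrying the stack permissions
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4   # p_flags bits
EHDR = "<16sHHIQQQIHHHHHH"          # ELF64 little-endian file header, 64 bytes
PHDR = "<IIQQQQQQ"                  # ELF64 program header, 56 bytes

def gnu_stack_flags(data: bytes):
    """Return p_flags of the PT_GNU_STACK entry, or None when the binary has none."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("expected a little-endian ELF64 image")
    hdr = struct.unpack_from(EHDR, data, 0)
    e_phoff, e_phentsize, e_phnum = hdr[5], hdr[9], hdr[10]
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            return p_flags
    return None

def stack_is_executable(data: bytes) -> bool:
    """True when the loader will map the stack executable (readelf -lW shows GNU_STACK ... RWE).
    A binary with no PT_GNU_STACK entry gets the historic default on x86, an executable stack."""
    flags = gnu_stack_flags(data)
    return flags is None or bool(flags & PF_X)

def audit(path: str) -> dict:
    """The two properties the tasks distinguish: setuid bit and executable stack."""
    with open(path, "rb") as f:
        data = f.read()
    return {"setuid": bool(os.stat(path).st_mode & stat.S_ISUID),
            "exec_stack": stack_is_executable(data)}

def build_sample_elf(stack_flags: int) -> bytes:
    """Constructed, non-runnable ELF64 image: a file header plus one PT_GNU_STACK entry."""
    ehdr = struct.pack(EHDR, b"\x7fELF\x02\x01\x01" + b"\x00" * 9,
                       2, 62, 1, 0, 64, 0, 0, 64, 56, 1, 64, 0, 0)
    phdr = struct.pack(PHDR, PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
    return ehdr + phdr

if __name__ == "__main__":
    # an image linked with -z execstack versus the default -z noexecstack image
    for label, flags in (("execstack", PF_R | PF_W | PF_X), ("noexecstack", PF_R | PF_W)):
        verdict = "executable" if stack_is_executable(build_sample_elf(flags)) else "non-executable"
        print(f"{label}: stack is {verdict}")
```

Running audit() on a real path gives the same verdict that readelf -lW and ls -l would, which is a quick way to confirm which protections a setuid binary relies on before deciding how to harden it.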
