Stack Smashing

Note: WSL doesn't work for this lab. Use a VM or a lab machine.

[25pts] Part 1: Identifying a Vulnerability of a Bad Server

Download Bad Server.
For attack individualization, change the helo[] in the source code to additionally contain your full name and alpha.
```
char helo[] = "Welcome to TB Server 1000\r\n"; // add your full name and alpha in the string helo
```
Compile:
```
make bad_server
```
Use the nc chat to connect to the server and play a game (read the source code and get the account information). It's a Tic-Tac-Toe.
By playing games and looking at the source code, get some feel of what each function does.

Your Task

Analyze the source code of Bad Server for a vulnerability.
Create an exploit (exploit1.py) of that vulnerability. In particular, your exploit should connect to the server and smashing the attack so that the return-address is changed to to a garbage, causing the server to crash. At this moment, the exploit doesn't need to be sophisticated; just jam the buffer and mess up the return address.

Tips

The vulnerability of the bad server is not outstandingly obvious. It will not be a strcpy() or anything. Still, it is in some place where buffers are filled.
You really need to carefully read the code especially where buffers are filled.
Important: If the code uses some functions you don't know, do google up and see what they are doing. They may turn out to be critical to pinpoint the vulnerability.

Submit

In your lab report:
- Give a screenshot of playing the game to show that your changed the source code as instructed.
- Explain about the vulnerability very clearly.
- Give the GDB hexdump showing the return address of a function is messed up due to exploit1.py.
Submit exploit1.py as a seprate file.

[35pts] Part 2: Attacking the Bad Server

Your Task

Create an exploit of that vulnerability which launches a reverse shell. In particular, your exploit should connect to the server and launch a stack smashing attack by using the reverse shellcode you created from the previous lab.
Apply the exploit and obtain a reverse shell.
Feel free to run the server inside the GDB and extract all useful information using breakpoints and prints and hexdumps. You are good to go if you attack succesfully in the GDB. Your attack doesn't need to be done without the GDB.
Make sure to have at least 40 bytes of dummy area. The dummy area coincides with the stack area that your reverse shell uses. Having too few dummy bytes could cause your shellcode to be messed up when things are pushed onto the stack (dummy area, possibly overflowed to the shellcode area).

Tip: Checking the assembly instructions of the injected code.

GDB is not overly kind to show the assembly instructions of the injected code. However, it provides a command that allows us to do so. Whenever you want to check the current assembly instruction, you can run the following command:

x/i $rip

Submit

Submit exploit2.py as a seprate file.

[25pts] Part 3: Creating a Video

Create a video that walks through your attack step by step. I am mainly concerned about whether you fully understand the stack smashing attack.

Your video should:

Show the detailed process of how you wrote your exploit. You should show GDB prints and hexdumps to demonstrate how you figured out the numbers and addresses in your exploit.
Show a GDB hexdump that will convince the instructor that your exploit correctly modifies the return address.
Of course, you need to explain in voice what's going on.

Submit

In the lab report, give the link to your video.

You can upload the video on the Google Drive and give the link.
Or you can upload it to YouTube (in private) and give the link.

[15pts] Part 4: Defense Techniques

Your task

We used the following options and command to remove the underlying defense mechanisms against the buffer overflow attacks.

sudo sysctl -w kernel.randomize_va_space=0
gcc option: -z execstack
gcc option: -f-no-stack-protector

Discuss each of the mechanisms in light of the following:

What it does.
How it is beneficial in protecting against stack smashing attacks.
Limitations.

Feel free to google for any relevant materials (and cite them).

Submit

Include the discussion in the lab report. (5 points for each option/command).

Submission Checklist

Write a lab report by using the provided template (check the lab ground rules). The writing quality of the lab report matters.

Part 1: Vulnerability analysis and a screenshot of game play in the lab report an exploit that messes up a return address. In addition, exploit1.py.
Part 2: exploit2.py
Part 3: Video link in the lab report
Part 4: Discussion in the lab report

~/bin/submit -c=IT432 -p=lab05 expolit.py lab05_report.doc