Assignment 1: Writing Application Exploits (20 points)

This assignment is a scaled down version of a semester project at Drexel University, USA.
https://www.cs.drexel.edu/~greenie/cs475/proj1.pdf
This assignment is due on Thursday, March 27
th
, 2014, at 1700hrs. It will count approximately 5% to
your final grade. There are some optional questions, from which you can earn bonus points.
Late submissions will be not entertained. This is an individual assignment. You may consult with
other students, e.g., to understand the meanings of the questions. Solutions must be submitted
electronically via LMS.
Introduction
This assignment will provide you an opportunity to experiment with buffer overflow vulnerabilities
in application software. A series of vulnerable programs and a virtual machine environment is
provided, in which you will write small exploits. It is recommended that you go through the reading
material provided with the assignment.
In this assignment, you will develop attacks and test them in a virtual machine you control. Buffer-
overflow vulnerabilities depend on specific implementation details, so make sure to follow the
instructions carefully.
Instructions
1. Download VirtualBox from < https://www.virtualbox.org/ > and install it on your computer.
2. Get the VM appliance file at
< https://www.cs.drexel.edu/~greenie/cs475/cs475-appsec.ova >.
This file is slightly less than 1.4 GB, so it is recommended to use a download manager and a
good internet connection.
3. Launch VirtualBox and import the appliance file.
4. Start the VM. The user name and password are both ubuntu .
5. Download source files from
https://www.cs.drexel.edu/~greenie/cs475/cs475-targets.tar.gz
or download it from the assignment folder on LMS. This file contains the target programs
you will exploit.
6. Extract the files using the following command in download directory:
tar xf cs475-targets.tar.gz
7. Change directory to targets: cd targets
8. Personalize the targets by running: ./setcookie firstname middlename lastname
9. Make the targets (the password is ubuntu):
sudo make
10. Download the instruction file inside the VM:
https://www.cs.drexel.edu/~greenie/cs475/proj1.pdf
or download it from the assignment folder on LMS.
Complete the following tasks as described in proj1.pdf.
Task Type Points
Target0: Overwriting a variable
on the stack
Mandatory 7
Target1: Overwriting the return
address
Mandatory 7
Target2: Redirecting control to
shellcode
Mandatory 6
Target4,5,6,7,8,9 Optional Up to 10 bonus points

Note that you can also use C/C++ instead of Python to write your exploits.
Submit a report describing your work to LMS. It is also required that you submit all source files of
your exploits (as well as all the executables).