6.033 - Computer System Engineering Buffer Overrun Hands-On Assignment

Hands-on: Buffer Overrun

Complete the following hands-on assignment. Do the activities described, and submit your solutions using Gradescope by 11:59p.

Before attempting this hands-on, you should read Beyond Stack Smashing: Recent Advances in Exploiting Buffer Overruns, which is also assigned for recitation.

You should perform this hands-on using a Linux-based machine (athena.dialup.mit.edu is okay). If you have trouble on a 64-bit Ubuntu system, installing libc6-dev-i386 may help.

I. Warmup

Open two terminal windows: a top window for running a web server, and a bottom window for exploiting that web server.

In the top window, download and decompress stack.tgz.

  top% wget http://web.mit.edu/6.033/www/assignments/stack.tgz
  top% tar xf stack.tgz
  top% cd stack
  top% make
  gcc -m32 -g -std=c99 -fno-stack-protector -Wall -D_GNU_SOURCE   -c -o httpd.o httpd.c
  gcc -m32 -z execstack httpd.o -o httpd-ex
  gcc -m32 httpd.o -o httpd-nx
  gcc -m32   -c -o shellcode.o shellcode.S
  objcopy -S -O binary -j .text shellcode.o shellcode.bin
You should get two web server binaries, httpd-ex and httpd-nx, and two incomplete exploit scripts, exploit-ex.py and exploit-nx.py. We will provide instructions to help you complete these exploit scripts.

Start the httpd-ex web server in the top window.

  top% ./run.sh setarch i386 -R ./httpd-ex
  Web server running at all-night-tool.mit.edu:4000
Your web server may print a different address other than all-night-tool.mit.edu:4000. In that case, replace all occurrences of all-night-tool.mit.edu:4000 with that printed address for the rest of this hands-on.

To test the web server, open a web browser and type the URL http://all-night-tool.mit.edu:4000/ in the address bar. If the web server is running, you should see a “Grades” web page. You can stop the web server at any time by pressing Ctrl+C in the top window.

Again, if you saw a different web server address printed in the top window, use that address in the browser. Note that the address (especially the port number like 4000) may change every time you start the web server.

You can also view the web page via a command-line program called curl. Keep the web server running in the top window. Run the following command in the bottom window.

  bottom% curl http://all-night-tool.mit.edu:4000/app.py
  Ben Bitdiddle    F
  Alice Jones      A

The web server and clients (e.g., your browser and curl) communicate using the HTTP protocol. Here is a tutorial of the HTTP protocol. If you want to observe the details of HTTP requests and responses, add -v to curl.

  bottom% curl -v http://all-night-tool.mit.edu:4000/app.py
  * About to connect() to all-night-tool.mit.edu port 4000 (#0)
  *   Trying connected
  > GET /app.py HTTP/1.1
  > User-Agent: curl/7.22.0 ...
  > Host: all-night-tool.mit.edu:4000
  > Accept: */*
  * HTTP 1.0, assume close after body
  < HTTP/1.0 200 OK
  < Content-Type: text/html
  Ben Bitdiddle    F
  Alice Jones      A
  * Closing connection #0

Ben Bitdiddle is unhappy with the grades. He discovers that the content of the “Grades” web page is loaded from a file named grades.txt on the TA's web server. Ben then decides to remove this grades.txt file. Since he doesn't have write access to the TA's web server, Ben tries to send malicious HTTP requests over the network, which will trick the web server into removing that file. Your goal is to “help” Ben in this hands-on.

II. Questions

Now you're ready for this week's questions.

Like before, the questions are in a read-only google doc. Make sure to enter quesitons in the page indicated (please do not erase the question text) and upload them as a PDF to Gradescope. See more detailed instructions at the end of the first week's hands-on. If you are having Gradescope problems, please post a question on Piazza!

Go to 6.033 Home Page