M.I.T. DEPARTMENT OF EECS
6.033 - Computer System Engineering: Buffer Overrun Hands-On Assignment
Complete the following hands-on assignment. Do the activities described, and submit your solutions using Gradescope by 11:59p.
Before attempting this hands-on, you should read Beyond Stack Smashing: Recent Advances in Exploiting Buffer Overruns, which is also assigned for recitation.
You should perform this hands-on using a Linux-based machine (athena.dialup.mit.edu is okay).
If you have trouble on a 64-bit Ubuntu system, installing libc6-dev-i386 may help.
Open two terminal windows: a top window for running a web server, and a bottom window for exploiting that web server.
In the top window, download and decompress stack.tgz.
top% wget http://web.mit.edu/6.033/www/assignments/stack.tgz
top% tar xf stack.tgz
top% cd stack
top% make
gcc -m32 -g -std=c99 -fno-stack-protector -Wall -D_GNU_SOURCE -c -o httpd.o httpd.c
gcc -m32 -z execstack httpd.o -o httpd-ex
gcc -m32 httpd.o -o httpd-nx
gcc -m32 -c -o shellcode.o shellcode.S
objcopy -S -O binary -j .text shellcode.o shellcode.bin
top%

You should get two web server binaries, httpd-ex and httpd-nx, and two incomplete exploit scripts (one of them is exploit-nx.py). We will provide instructions to help you complete these exploit scripts.
Start the httpd-ex web server in the top window.

top% ./run.sh
setarch i386 -R ./httpd-ex
Web server running at all-night-tool.mit.edu:4000

Your web server may print a different address than all-night-tool.mit.edu:4000. In that case, replace all occurrences of all-night-tool.mit.edu:4000 with that printed address for the rest of this hands-on.
To test the web server, open a web browser and type the URL printed by the web server (http://all-night-tool.mit.edu:4000/app.py in the example above) in the address bar. If the web server is running, you should see a “Grades” web page. You can stop the web server at any time by pressing Ctrl+C in the top window. Again, if you saw a different web server address printed in the top window, use that address in the browser. Note that the address (especially the port number, like 4000) may change every time you start the web server.
You can also view the web page via a command-line program called curl. Keep the web server running in the top window, and run the following command in the bottom window.

bottom% curl http://all-night-tool.mit.edu:4000/app.py
<h1>Grades</h1>
<pre>
Ben Bitdiddle F
Alice Jones A
</pre>
The web server and clients (e.g., your browser and curl) communicate using the HTTP protocol. Here is a [link text missing] of the HTTP protocol. If you want to observe the details of HTTP requests and responses, run curl with the -v (verbose) flag:

bottom% curl -v http://all-night-tool.mit.edu:4000/app.py
* About to connect() to all-night-tool.mit.edu port 4000 (#0)
*   Trying 22.214.171.124... connected
> GET /app.py HTTP/1.1
> User-Agent: curl/7.22.0 ...
> Host: all-night-tool.mit.edu:4000
> Accept: */*
>
* HTTP 1.0, assume close after body
< HTTP/1.0 200 OK
< Content-Type: text/html
<
<h1>Grades</h1>
<pre>
Ben Bitdiddle F
Alice Jones A
</pre>
* Closing connection #0
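To see the exchange above in code, here is an added example (not part of the assignment's own scripts or the provided httpd) of a minimal Python client that builds the same GET request curl sends, reads the HTTP/1.0 reply until the server closes the connection, and parses the status line, headers and body. The sample response embedded in it is constructed from the curl transcript above, and the User-Agent string is made up.

```python
import socket

# Sample response constructed from the curl -v transcript on this page (not captured live).
SAMPLE_RESPONSE = (
    b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n"
    b"<h1>Grades</h1>\n<pre>\nBen Bitdiddle F\nAlice Jones A\n</pre>\n"
)

def build_request(host: str, port: int, path: str) -> bytes:
    """Build the GET request curl sends; the empty trailing line ends the headers."""
    lines = [f"GET {path} HTTP/1.1", "User-Agent: socket-client/0.1",  # hypothetical agent
             f"Host: {host}:{port}", "Accept: */*", "", ""]
    return "\r\n".join(lines).encode("ascii")

def parse_response(raw: bytes):
    """Split an HTTP/1.0 response into (status code, header dict, body bytes).
    The server is HTTP/1.0 and closes after the body, so there is no
    Content-Length to honour: everything after the blank line is the body."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("malformed response: no blank line after headers")
    status_line, *header_lines = head.decode("latin-1").split("\r\n")
    parts = status_line.split(" ", 2)  # version, code, optional reason phrase
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"bad status line: {status_line!r}")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers, body

def fetch(host: str, port: int, path: str = "/app.py"):
    """Send the request and read until the server closes the connection."""
    with socket.create_connection((host, port), timeout=5) as sock:
        sock.sendall(build_request(host, port, path))
        chunks = []
        while chunk := sock.recv(4096):
            chunks.append(chunk)
    return parse_response(b"".join(chunks))

if __name__ == "__main__":
    status, headers, body = fetch("all-night-tool.mit.edu", 4000)
    print(status, headers.get("content-type"))
    print(body.decode())
```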
Ben Bitdiddle is unhappy with the grades. He discovers that the content of the “Grades” web page is loaded from a file named grades.txt on the TA's web server. Ben then decides to remove this file. Since he doesn't have write access to the TA's web server, Ben tries to send malicious HTTP requests over the network, which will trick the web server into removing that file. Your goal is to “help” Ben in this hands-on.
Now you're ready for this week's questions.
Like before, the questions are in a read-only Google Doc. Make sure to enter questions in the page indicated (please do not erase the question text) and upload them as a PDF to Gradescope. See more detailed instructions at the end of the first week's hands-on. If you are having Gradescope problems, please post a question on Piazza!