CSC347 Introduction to Information Security
Assignment 1

Due: Wed October 11, 6:00 PM (Start of class)
Late penalty: 20% if handed in up to 48 hours late. Not accepted after that.
Hand in: Electronic submission
Marking: It is possible that some questions will not be marked.
Groups: Groups of size 2. Both students receive the same mark.
Note: All exploits are to take place under RH7.2
  1. Modify internalHack.c so that hacked is executed upon return from f().
    1. Draw a picture of the stack right after c[0]='A' is executed. Your picture should look like the one in last week's tutorial.
    2. Find the address of the function hacked.
    3. Determine how to reference the return address on the stack via c[].
    4. Explain the following lines of code: ref=(int *)(c+99); printf("%x\n",ref); *ref=&hacked; including why 'Hacked' is printed when the 99 is modified appropriately.
  2. Modify target1.c so that hacked is executed upon return from f(). Your modifications are limited to shellcode.
  3. Modify target1.c so that /bin/sh is executed upon return from f(). Your modifications are limited to shellcode. Hint: See the very bottom of my shellcode notes.
  4. For the last exploit, explain what would happen if target1 were running as root.
  5. Modify sploit3.c so that, when it is executed, it runs target3.c, resulting in /bin/sh being executed.
  6. Create sploit7.c which, when executed, runs target7.c, resulting in /bin/sh being executed.
  7. Consider CIA (Confidentiality, Integrity, Availability). Read Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Security and find a good example incident which violates Confidentiality. Find another good example which violates Integrity. Find yet another good example which violates Availability. Justify each of your chosen examples (why it is a good example of a violation).

Questions and Answers

Question:
I was able to exploit target3 from the inside, but when I tried to transfer the shell code to sploit3.c it did not work.
Answer:
When sploit3 runs target3, part of the stack is taken up with the string pointed to by argv[1]. This means that your argument takes up space on the stack below the stack frame for main. You can't debug target3 when it is run from sploit3, so to gather information about parts of target3, you should add some key printfs (to target3), recompile, and then run sploit3. For example, printf("%x\n", &buf); tells you where buf lives when you run target3.
Question:
Hi! Doesn't target7.c need to #include<stdlib.h> ? http://www.cs.toronto.edu/~arnold/347/06f/assignments/01/target7.c
Answer:
Yes!! Fixed.
Question:
Under what environment should the exploits run?
Answer:
Please make your solution run under RH7.2 on the lab machines, run from the command prompt (without X running).
Question:
Hello professor, When you say "Read Security Absurdity", do you mean http://www.securityabsurdity.com/ ?
Answer:
For question 7, please read Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Security. Thanks for asking!!
Question:
What account should I be running my exploits as?
Answer:
All should be as hacker, with code compiled as hacker.
Question:
I can't submit.
Answer:
Yes, we are working on it.
Question:
For question 1, which picture of the stack?
Answer:
stack.c