CSC427 Assignment 1

Buffer overruns

Investigate the service running on port 7778 of the RH7.2LabImage_A1 VM. Show how a user can remotely (i.e. from the host machine) gain unauthorized access to the RH7.2 VM. You will do this using tcpclient.pl.

Submit a modified tcpclient.pl (called tcpclientA.pl) which obtains a root shell on the remote server running palindrome on port 7778. The console user running tcpclientA.pl should be able to interactively enter commands and see the result. Note: entering commands may not be as smooth as in a real console; this is OK. At the very least, a user should be able to execute ls a couple of times. Also submit a modified tcpclient.pl called tcpclientChangeRootPasswd.pl which changes the root password to 'compromised'.

You can find RH72LabImage_A1 on dh2026pc02. Download this to your /virtual directory via...

    #!/bin/bash
    # $USER is your utorid
    mkdir -p /virtual/$USER/csc427
    cd /virtual/$USER/csc427/
    scp -r $USER@dh2026pc02.utm.utoronto.ca:/virtual/csc427arnold/a1 .
    cd a1
    # md5sum -c expects two spaces between the hash and the file name
    echo "149f96fa34f102d9e5ebd453f9344775  RH72LabImage_A1.zip" | md5sum -c -
    echo "Did you check whether the md5sum worked out!!!!!"
    echo "Below is the real md5sum!!"
    echo "2c3ca1b93020a270acc99668417b2582  RH72LabImage_A1.zip" | md5sum -c -
    unzip RH72LabImage_A1.zip
    rm RH72LabImage_A1.zip
    vmplayer RH72LabImage_A1/Red\ Hat\ Linux.vmx
    # Choose: I copied it
    # Choose: Remind me later

The VM is running a vulnerable service on port 7778. You can telnet to this using something like

    telnet 172.16.2.128 7778
    Trying 172.16.2.128...
    Connected to 172.16.2.128.
    Escape character is '^]'.
    Palindrome server, 'quit' to quit:
    something
    Your string is not a palindrome
    radar
    Your string is not a palindrome
    quit
    Your string is not a palindrome
    Connection closed by foreign host.

As you can see, this application is clearly not meant to be used in this way. Instead, I have prepared tcpclient.pl to connect to this service. Make sure to fix the IP address in the tcpclient.pl script. For convenience, the VM displays its IP address when it boots.

To build the service I used xinetd, the internet super server, which can turn any Unix program that reads stdin and writes stdout into a 'web service'. Take a look at /etc/xinetd.d in the assignment VM to see the collection of programs running under xinetd on your RH7.2 VM. One of these is palindrome.c; take a look at /etc/xinetd.d/palindrome to see how this service is run (which port, etc.). For convenience, I am having it run out of /root/a1, where you can also find the source code. Simply recompiling /root/a1/palindrome.c will cause the online service to update. If you want to restart xinetd, execute /etc/rc.d/init.d/xinetd restart.

Ransomware

Scenario: Mr. Jones is a mid-level manager at a financial company and is going to be making a presentation to some potential clients. Mr. Jones receives an email about an invoice from a new consultant. He opens the email and downloads the attachment. Mr. Jones then notices that there is a new file on the Desktop. He opens it and reads the document RyukReadMe.txt. Mr. Jones no longer has access to his files. The company calls in a computer security consulting company to deal with the situation. They cannot afford to be locked out of the presentation details and potential client files.
Your job as the security consultant is to answer the questions in ransomwareQuestions.txt and report back via UTM submit.

Metasploit

Your job is to follow the instructions in, and fill out, metasploitableQuestions.txt.